Carders cashing out on Magstripe Cards

Two thousand credit card payment terminals stand to become infected with malware called Trinity point of sales.

Ten million credit cards were stolen by hackers, called Fin6, who may end up scoring $400 million. The cards were stolen from retail and hospitality businesses. If each card sells for $21 on secret carder shops, you can see how the hackers will rake in hundreds of millions of dollars.

As you may know, the U.S. is gradually switching over to chip cards. But it will be a while—a very long while—before magnetic strip cards are non-existent in America. Until then, these types of cards remain a favorite target for cyber thieves.

The methods that Fin6 used are technical, but suffice it to say, these hackers are pros. At this point, there has not been any way to stop this hacking group.

This is yet another example of the inherent vulnerability of the magnetic strip card, which, unlike in other industrialized nations, continues to be the main type of credit card in use in the U.S.

Protect yourself:

  • Go to “alerts/notifications” at your bank/cards website and sign up for emails/texts for every charge made.
  • Download your bank/cards mobile app and sign up for emails/texts for every charge made.
  • Check your statements frequently.
  • Federal law protects you from unauthorized charges made with your credit card number but you still have to dispute the charges.
  • In the event the credit card is in a thief’s hands, you’ll be liable, but only for a maximum of $50, provided you report the problem to the credit card company. However, in many cases a “zero liability” policy may kick in.
  • Debit cards fall under a different federal law than credit cards. Regulation E, the Electronic Fund Transfer Act, says after two days, you could be liable for up to $50. After 2 days liability jumps to $500.00. Beyond 60 days, you could be liable for all unauthorized transactions. Otherwise, federal rules are on the bank’s side.
  • Beyond 60 days, there’s a likelihood you’ll never see your money again.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Don’t mess with this Pint Sized Woman

April Marchessault got attacked just after midnight inside her bathroom. At 5-1, she wasn’t intimidated by the 5-7, 200 pound man. Edgardo Montes, 47, got his clock thoroughly cleaned.

He was charged with breaking and entering and intent to rape, plus other charges. It all began when April took out the trash, reports eagletribune.com. She left the back door open. What are the odds that this formerly convicted rapist just happened to be out there? Well, it happened. Never leave doors unlocked!

She went into the bathroom to clean the sink. Edgardo crept up from behind and wrapped his arms around her chest so hard she couldn’t turn around. But when he tried to force her face into the sink, she kind of hulked out.

April turned around and pushed him back, but somehow he struck her in the jaw. She pushed him again and pulled his shirt off (which was already partially pulled up to conceal his face). He headed for the back door but April got there first, pushing him out. Then she started beating him, making him fall down some steps.

“I ran down the stairs and I kept hitting him in the face and head with my fist,” says the Massachusetts woman. “I was stomping on his knee.” She “kept hitting him” as he was trying to get up. April then began hitting him in the head repeatedly with a trash can.

Edgardo was so beaten he couldn’t get up, and by then, April’s father stood guard over him while waiting for the police. Amazingly, April’s three young sons slept through everything.

Points of Interest

  • April has no martial arts training; what enabled her was anger and wit.
  • Martial arts training, however, can reprogram a woman’s way of thinking so that if she’s ever assaulted, she could maintain her wits and think tactically rather than in a panicked state.
  • Never leave your doors unlocked even for a moment, especially at night. It takes just seconds to lock the door right behind you after you re-enter your home!

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston.

Hacking Humans is Painfully Easy

Hackers can take over someone’s life in a matter of hours. Just ask Patsy Walsh.

Though she is not a tech savvy person, the grandmother of six did have a Facebook account, and that was all the hackers needed to take over her life. By using methods such as click baiting, the act of convincing someone to click on a fake link, and then gathering information, the hackers were able to use this info to get into other accounts, and eventually hacked things such as her power of attorney form, Social Security information and learned how to open her garage door and her home.

How did they do this? Mrs. Walsh used the same password for all accounts and did not use recommended security measures.

Fortunately, Mrs. Walsh’s life wasn’t ruined. Instead, this hacking was set up by the New York Times and a private company made up of “ethical hackers”, yes there is such a thing, to show just how easy it is to gain access to someone’s digital life.

Computers Are Gold Mines of Important Information

When the team of ethical hackers gained access to Mrs. Walsh’s computer, they found a number of malicious programs running in the background. Examples include InstallBrain, a program that will download programs on demand, and programs such as SlimCleaner, SearchProtect and FunWebProducts, which can spy on Internet searches, change home pages and gather information through click baiting. More than likely she downloaded some lame tool bar that added all this bloatware. Keep in mind, Mrs. Walsh was only visiting sites such as Google and Facebook, sites that most of us visit several times a day.

Stopping the Hackers in Their Tracks

We can all learn lessons from Mrs. Walsh’s experience. Here are some things that she could have done to avoid this from occurring, and things you should do to remain safe:

  • Use a password manager to keep track of long or complicated passwords, and use a different password for every account.
  • Use a two-step authentication service, one that asks for a second password when an unrecognizable machine attempts to access an account.
  • Use automatic updates for services such as browser updates or operating system updates.
  • Wipe the computer clean if necessary, then start employing these new practices.
  • Stop downloading stupid useless tool bars that are often delivery methods for crappy software.
  • Pay attention to what you are downloading and why. Even when you are updating software, look for any checked boxes that install bloatware.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Tax Identity Theft jumps on Payroll Scams

Do you work for a corporation, especially in the U.S.? You may be at risk for tax return fraud.

ADP is a payroll provider. Hackers were able to acquire tax information of employees of U.S. Bank from ADP. Now, this doesn’t mean that ADP was directly hacked into. Instead, it seems that their authentication system was flawed and that ADP failed to implement a protection strategy to keep the personal data safe from prying eyes.

The crooks registered ADP accounts by using the stolen data of the bank employees. These accounts allowed the crooks to get additional W-2 information—enough to commit tax return fraud. In other words, it looks like a W-2 gateway was created to file fraudulent tax returns.

If it happened to U.S. Bank and ADP, it can happen in many other places.

ADP says that the breach did not originate from their computer network, but where exactly it did come from is not clear at this point, as there are multiple possibilities including the hacking into of a third party service.

The hackers also used a unique company issued URL. This URL is needed to register an ADP account. It is not known at this point in time if the U.S. Bank URL required credentials to gain access to or not, but since this data breach, U.S. Bank has withdrawn plans to further post the URL online. U.S. Bank has also removed their publicly accessible W-2 form from cyberspace.

Despite the data breach, there were only minimal effects to employees and customers of ADP and U.S. Bank. But the minimal adverse outcome is no reason to let your guard down. Next time, the institutions may not be so lucky.

Solution: Fill out the IRS Identity Theft Affidavit ASAP. Here: http://robertsicilian.wpengine.com/wp-content/uploads/2016/06/f14039.pdf

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hacking Cars Getting Easier and More Dangerous

If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, being that vehicles are plagued with hundreds to thousands of security vulnerabilities.

This hack is more serious than you think. Drivers and passengers should be aware that “flawed” and compromised vehicles can suddenly be overtaken remotely and forced to shut down the engine in the middle of a highway or to drive into other cars. And it’s not just cars, but 18-wheelers and busloads of people.

In fact, white-hat hackers (the good guys) have even demonstrated that a bad hacker could take control of a motor vehicle, ranging from annoying pranks such as turning on the windshield wipers and radio, to potentially lethal actions like stopping the engine.

Hackers could demand ransom from governments in bitcoins for the return of the vehicles’ control to their drivers. Or, as the Assistant Attorney General for National Safety has indicated, “connected cars are the new battlefield”. Connected cars could be used by terrorist organizations to create havoc on a mass scale. The possibilities are limited only by the imagination.

This concern has motivated the FBI, Department of Transportation and the National Traffic Safety Administration to issue a public safety alert, warning consumers to keep to their service schedule so that their cars’ software can be upgraded with remedies for those security vulnerabilities.

Solutions are available and in the works.

  • If your car has any web connecting abilities, do your research for year/make/model. Search “hacked” along with the car’s particulars.
  • Manufacturers that have discovered security vulnerabilities (often because a researcher makes it public) have offered subsequent patches in response. These notices may come in the mail or through a dealership.
  • It’s important to check your car manufacturer’s website to determine if a vulnerability exists.
  • A connected vehicle has ECUs: electronic control units. An article in Fortune says Karamba Security’s “Carwall” can detect and thwart cyber attacks. Carwall is like a firewall for your vehicle ECU. It detects anything that’s not permitted to load or run on ECUs.

When the ECU software is being built, security software can be seamlessly embedded, becoming part of the entire process. No change of code, no developers’ know-how, no false positives and no hacks. Problem solved.

Predators hunting Kids on Gaming Sites

As a parent, you may not be crazy about your child spending a lot of time “gaming.” Chances are good that your feelings are fueled by the belief that kids should play outside and be more social, by worry that they are getting addicted to tech, or maybe by the correlation between childhood obesity and excess computer time. It’s not pretty.

However, there’s another elephant in the room, perhaps squeezing out the obesity threat: the pedophile threat.

Recently on a Long Island college campus, a male student was found to be traipsing through gaming sites that are popular with young boys such as Grand Theft Auto and Minecraft. The 21-year-old predator convinced three underage boys to take sexually explicit pictures and send them to him.

It’s tempting to question what these boys were thinking, that they would so freely take and send sexually explicit images of themselves to a complete stranger. But the predator played a numbers game in his trolling quest, finding three vulnerable victims, convincing them that he was “Allison Denario” and asking for the photos.

He’d then pose as Allison’s furious boyfriend. Of course, in real life, an angry boyfriend would normally demand that the photos stop. But “Allison”’s boyfriend told the boys his father was a cop or FBI agent. This angry cyber stranger demanded the boys perform sex acts on camera or he’d snitch on them for sending Allison the images. So. Flipping. Dark.

Well, Mr. Predator’s little game was short-lived and he was charged with child pornography.

For Parents

  • Get an activated security suite for the computer before any game playing begins.
  • Create long strong passwords. Please, no 123Gamer or Jayson14. So a long strong password might be a phrase ImaHugeStarWarsfan or a nonsensical jumble like gowkg850(4)2.
  • Before any game playing, check its Entertainment Rating Software Board’s rating.
  • Protecting your kids is more than just great passwords and online security features. Make your children feel that they won’t be judged or blown off by you if they report something peculiar or suspicious.
  • Teach your kids how to make these reports, about “catching the bad guy in real life.” Feel free to refer to the bad guy as a predator, not just “bully.” Many kids think of “bullies” as other kids who call each other names online. But if a child is old enough to play on gaming sites, they’re old enough to be taught about adult male cybersexual predators and how they pose as young girls.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Technology and Home Security wed

Gone is the day when, while out on a romantic evening with your special someone, you suddenly realize you forgot to turn on your house alarm. You spend the rest of the long evening fretting about this.

Nowadays, all you need do is whip out your smartphone and activate the alarm. You can even view the interior and exterior of your property in realtime with smarthome security cameras. And rest assured, if someone breaks in while your eyes are glued to the big movie screen, you’ll get a vibration alert.

We are getting closer and closer to a Jetson’s lifestyle; you know, George Jetson, the cartoon character who lives in the future? The Jetson household includes a female-looking robot dressed as a maid.

Robots

A house robot is no longer the thing of science fiction. Google is working on creating a robot that will help protect the house (and cleaning it is already being done with a Roomba). One of the tasks this robot would be able to do is prevent false alarms with the home security system. “What can be conceived can be achieved,” so the saying goes.

Laser Beams

  • Laser beams that can detect motion and set off an alarm have been in existence for a while.
  • But this technology has much room for advancement in the security world and is growing.

More Advancements

  • Like an airplane on autopilot, your home’s security system will one day truly be on autopilot, with you at the helm no matter where you are.
  • But remember, robots, laser beams and other forms of technology will never replace common sense. You can have the most state-of-the-art technology working to protect your house, car, boat, even your person (with smartphone apps that can sense an unintentional fall, or with one touch of a button, summon an emergency response and give out your GPS coordinates) – but all this may mean zilch if you’re not wearing a seatbelt or if you’re texting while driving. Or if you’re climbing up on the rails of the cruise ship you’re on.
  • So even though the war against home intruders is closing in on them, sometimes our greatest enemy is oneself.
  • In the meantime, take advantage of what the booming home security market has to offer. Home security companies typically offer free consultations.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston.

Mortgage Scams plague Homeowners and Agents

There are things you should know before you purchase your next house—even if you foresee that being years away. Take note of what’s in this article—and keep the notes where you’ll never forget where they are.

A hacker could fool you into thinking he’s your agent and trick you into sending him money—which you’ll never get back. It’s so bad the FTC even sent an alert warning consumers that real estate agents’ email accounts are getting hacked.

  • Let’s say your Realtor’s name is Bill Baker.
  • Bill Baker’s e-mail account gets hacked.
  • The hacker observes Baker’s correspondences with his clients—including you.
  • Ahhh, the hacker sees you have an upcoming closing.
  • The hacker, posing as Bill Baker, sends you an e-mail, complete with instructions on where to wire your closing funds.
  • You follow these instructions.
  • But there’s one last step: kissing your money goodbye, as it will disappear into an untraceable abyss overseas.
  • This scam can also target your escrow agent.

It’s obvious that one way to prevent this is to arrange a home purchase deal where there are zero closing costs.

The scam is prevalent, perhaps having occurred thousands of times. It was just a matter of time until scammers recognized the opportunity to target real estate agents and their clients.

The lax security defenses of the real estate industry haven’t helped. Unlike the entire financial industry, which has encrypted communications, the real estate industry is a hodgepodge of free e-mail accounts and unprotected communications.

In addition:

  • Realtors, so often on the go and in a hurry, frequently use public Wi-Fi like at coffee houses.
  • Anyone involved in a real estate transaction can be hacked, such as lawyers.

Preventing the Scam

  • Eliminate e-mail as a correspondence conduit—at least as far as information on closings and other sensitive information.
  • On the other hand, you may value having “everything in writing,” and e-mail provides a permanent record. In that case, use encrypted email or some setup that requires additional login credentials to gain access to the communication.
  • For money-wiring instructions, request a phone call. And make this request over the phone so that the hacker doesn’t try to pose as your Realtor over the phone.
  • Any e-mailed money instructions should be confirmed by phone—with the Realtor and with the bank the money is to be sent to.
  • Get verification of the transfer ASAP. If you suspect a scam, have the receiving bank freeze any withdrawal attempt of the newly deposited funds—if you’ve reached the bank in time, that is.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston.

Anonymous Begins a 30 Day Assault Against Central Banks

“Anonymous” is an activist hacking group that has recently boasted that it will engage in 30 days of cyber assaults against “all central banks,” reports an article on cnbc.com.

And their bite is as big as their bark, as this announcement came soon after several major banks around the world were struck—and Anonymous proudly claimed credit. The banks that were apparently breached by Anonymous include:

  • Bangladesh Central Bank
  • National Bank of Greece
  • Qatar National Bank

Anonymous put up their plans on a YouTube video: a “30-day campaign against central banks around the world.” The hacking group calls their endeavor Operation Icarus, bragging about how they crumbled the Bank of Greece with a denial of service attack.

Anonymous has stated that it will target the following financial institutions:

  • Visa
  • MasterCard
  • Bank for International Settlements
  • London Stock Exchange
  • And of course, “all central banks” and “every major banking system”

Anonymous has a real gripe against banks, because they further state, “We will not let the banks win,” continues the report at cnbc.com. The hacking group wants everyone to know that their operation will be “one of the most massive attacks” ever committed in Anonymous’s history.

The article adds that another media outlet, Gulf News, reports that the hackers who infiltrated Qatar National Bank attacked yet another bank and intend on making the stolen data public for this second attack—very soon. It’s possible that this leaked data will be used for ransom.

For you, the everyday bank customer: don’t worry about any of this, BUT always pay close attention to bank activity and make sure all transactions have been authorized by you. Sign up for alerts and notifications via text and email so you see every transaction in real-time.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Phishing Protection 101

Phishing-type e-mails are designed to trick the recipient into either downloading a virus (which then gives the hacker remote control of the computer) or revealing enough information for the thief to open credit cards in the victim’s name, get into their bank account, etc.

There are many ways the crook can trick the victim. Here are telltale signs:

  • The message wants you to “verify” or “confirm” your password, username or other sensitive information.
  • And why must you do this? Because “suspicious activity” has been detected on your account, or, your account “is at risk for being compromised.”
  • Your name may or may not be in the message. Always be suspicious.
  • Financial institutions will never ask you to enter your login information in an email, and you should be suspicious of being asked for it on a website.
  • Another ploy is the subject line: There’s a sense of urgency, such as, “Your account is about to be suspended.” A business will contact you by phone or snail mail if there’s a problem.
  • Even if the e-mail seems to have come from your boss at work and addresses you by name, and includes a link…realize that a hacker is capable of learning enough about someone from their LinkedIn page and Facebook to then convincingly impersonate someone they know.

Links in E-mails

  • Typically there’s a link (when there’s not, there’s a malicious attachment).
  • Never click links inside e-mails even if the sender seems to be your employer, health plan carrier or other enterprise you’ve done business with.
  • Hover the mouse over the link. If the URL that appears is different from the one shown in the message, assume it’s a scam.
  • Generally, only click links in emails when you have to actually click the link to verify an email address once you have just signed up for a new website.

Additional Telltale Signs

  • Just weird stuff. For example, a person who edits for a living receives an unexpected e-mail explaining there’s an attachment that needs to be proofread; wow, a paying gig!
  • Not so fast. The accompanying letter is very poorly constructed, including misspellings of common words, and includes very irrelevant information, such as “I’m a single mom with three wonderful kids.” Why would THIS be included in a legitimate proofreading job?
  • Yet how did the scammer know you’re an editor? Because the crook’s software somehow found your e-mail on the editing gig site you registered with two years ago.
  • The subject line says you’ve won something, or you’ll lose something.
  • If you go to a website and don’t see your site key (if you registered with one), leave. But you shouldn’t have gone to the website in the first place!
  • Always beware of emails purportedly from FedEx, UPS, Amazon, Ebay or anything in your spam folder.

Embrace the idea of deleting reams of UNREAD e-mails without having opened them. If a subject line has you worried, such as “You owe back taxes” or “Your shipment was lost,” then phone the appropriate personnel to see if this is true.

If you suspect you’ve been scammed:

  • Log into whatever account might be compromised and check messages, contact customer service.
  • Place a fraud alert on your credit if your SSN was exposed.
  • Update your security software; run a full system scan.
  • If you revealed any login information, change that account’s login data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.