Posts

Should You Worry About Contactless Credit Card NFC Skimming

If you have a contactless card, you might have worries about skimming. A contactless card or “frictionless” or “tap and go” is a card that has technology in it that allows payment over secure wireless like Apple Pay, Android Pay etc. Basically, this is where a criminal literally digitally pickpockets you by scanning things like your debit card or passport. What’s scary about this is that anyone can get an app for their phone that will allow them to skim. Is there protection for this? Maybe.

But before you freak out, you probably don’t even have a contactless card. Very few cards deployed in the USA are contactless, so that sleeve you use doesn’t protect you from anything. Now if you are overseas or even in Canada, then look at your card and if there is a WiFi looking logo on there, you have contactless.

The way that the bad guys skim this information is by using RFID, or radio-frequency identification. There are RFID signal jammers out there, but the question is this: do they work and are they necessary?

RFID Signal Blockers

If you put some time into it, you will find a number of RFID signal blockers on the market. Some of these are small and slip right into your wallet. Others are passport sized. There are also RFID signal blocker wallets on the market.

The Test

A blogger recently put these RFID signal blockers to the test…on the London Underground, one of the most crowded places in the world, especially during rush hour. He set up the test by asking one person to place a debit card in their pocket, and then another person used a mobile phone with an RFID signal scanner. The result was that the phone could scan and record the number on the debit card and the expiration date, simply by holding the phone really close to the pocket.

The blogger took the test a step further and tried to block these signals with RFID blocking technology. Even though the experiment was very unscientific, the blogger found that the blocker stopped the skimming.

Protecting Yourself

There are some things you can do to protect yourself from this. First, check your passport. It should have a chip in it. This chip is in all US passport that have been released since 2007. Now, someone can still take information from your passport using RFID skimming, but they have to actually be on the page where the photo is, and it’s pretty rare that they would have access to that.

You can also use a shielding device. They can certainly work, and some people have even found great results by using tinfoil. This will further help to protect your accounts.

Finally, even if you are using an RFID shielding device, make sure that you are checking your statements for anything suspicious. This is especially the case if you often find yourself in crowded places, like the subway.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

10 Ways to Prevent Holiday Shopping Scams

The winter holidays: a time for festivities and … fraud-tivities.

Gift Card Grab

Never, ever enter your credit card or other sensitive information to claim a gift card that comes via email.

Never Buy Over Public WiFi

Shopping over public WiFi means your credit card, bank account or login data could get picked up by a cyber thief. Use a VPN.

Coupon Cautious

If a coupon deal seems too good to be true, then assume it is. End of story. Next.

Password Housekeeping

  • Change the passwords for all your sensitive accounts.
  • No two passwords should be the same.
  • Passwords should be a random salad of upper and lower case letters, numbers and symbols – at least 12 total.
  • A password manager can ease the hassle.

Two Step Verification

  • A login attempt will send a one-time numerical code to the user’s phone.
  • The user must type that code into the account login field to gain access.
  • Prevents unauthorized logins unless the unauthorized user has your phone AND login credentials.

Think Before You Click

  • Never click links that arrive in your in-box that supposedly linking to a reputable retailer’s site announcing a fantastic sale.
  • Kohl’s, Macy’s, Walmart and other giant retailers don’t do this. And if they do, ignore them.
  • So who does this? Scammers. They hope you’ll click the link because it’ll download a virus.
  • The other tactic is that the link will take you to a mock spoofed site of the retailer, lure you into making a purchase, and then a thief will steal your credit card data.

Bank and Credit Card Security

  • Find out what kind of security measures your bank has and then use them such as caps on charges or push notifications.
  • Consider using a virtual credit card number that allows a one-time purchase. It temporarily replaces your actual credit card number and is worthless to a thief.

Job Scams

Forget the online ad that promises $50/hour or $100 for completing a survey. If you really need money then get a real job.

Monthly Self-Exam

For financial health: Every month review all your financial statements to see if there is any suspicious activity. Even an unknown charge for $1.89 is suspicious, because sometimes, crooks make tiny purchases to gage the account holder’s suspicion index. Report these immediately.

Https vs. http

  • The “s” at the end means the site is secure.
  • Do all your shopping off of https sites.
  • In line with this, update your browser as well.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

How to Protect You Frequent Flier Miles NOW

Social Security numbers and credit card numbers are not the only types of data that hackers are after. Now, they are looking at frequent flyer accounts, and they are stealing reward miles, and then selling them online.

How do Hackers Steal Frequent Flyer Miles?

As with other types of ID theft, hackers use info that they have illegally obtained to access frequent flyer accounts. With more data breaches happening than ever before, hundreds of millions of records are exposed, and thus, hackers have great access to the personal info they need to get into these accounts.

What do Hackers Do with Frequent Flyer Miles?

It is hard for hackers to use these miles on their own because often, the travel has to be booked in the name of the owner. However, it is very easy to transfer these miles to other accounts or to use the miles to purchase other rewards. Usually, no ID is needed for a transfer like this. This is also difficult to track because hackers use the dark web and VPNs to remain anonymous.

Hackers also sell these miles, and they catch a pretty penny. For airlines like British Airways, Virgin Atlantic, and Delta, they can get hundreds, or even thousands of dollars for their work.

In addition to transferring these miles from one account to another, hackers are also selling the account’s login information. Once someone buys this, they can now get into the owner’s account and do what they want with the miles.

Protecting Your Frequent Flyer Miles

There are some things that you can do to protect your frequent flyer miles. You should check your frequent flyer accounts regularly using your airlines mobile app. Change all your airline passwords and never re-use passwords and set up a different password for each account.

Other things that you can do include the following:

  • Protect your personal information by making sure every online account has a unique and difficult to guess password.
  • Use a dark web scan. This will show you if any personal information is out on the dark web.
  • If you do find that your miles have been stolen, it also is probable that your personal information has been compromised, too. Monitor your credit report and check it often for anything that looks odd. This is a big sign of an issue.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Carders cashing out on Magstrip Cards

Two thousand credit card payment terminals stand to become infected with malware called Trinity point of sales.

2CTen million credit cards were stolen by hackers, called Fin6, who may end up scoring $400 million. The cards were stolen from retail and hospitality businesses. If each card sells for $21 on secret carder shops, you can see how the hackers will rake in hundreds of millions of dollars.

As you may know, the U.S. is gradually switching over to chip cards. But it will be a while—a very long while—before magnetic strip cards are non-existent in America. Until then, these types of cards remain a favorite target for cyber thieves.

The methods that Fin6 used are technical, but suffice it to say, these hackers are pros. At this point, there has not been any way to stop this hacking group.

This is yet another example of the inherent vulnerability of the magnetic strip card, which, unlike in other industrialized nations, continues to be the main type of credit card in use in the U.S.

Protect yourself:

  • Go to “alerts/notifications” at your bank/cards website and sign up for emails/texts for every charge made.
  • Download your bank/cards mobile app and sign up for emails/texts for every charge made.
  • Check your statements frequently.
  • Federal law protects you from unauthorized charges made with your credit card number but you still have to dispute the charges.
  • In the event the credit card is in a thief’s hands, you’ll be liable, but only for a maximum of $50, provided you report the problem to the credit card company. However, in many cases a “zero liability” policy may kick in.
  • Debit cards fall under a different federal law than credit cards. Regulation E, the Electronic Fund Transfer Act, says after two days, you could be liable for up to $50. After 2 days liability jumps to 500.00. Beyond 60 days, you could be liable for all unauthorized transactions. Otherwise, federal rules are on the bank’s side.
  • Beyond 60 days, there’s likelihood you’ll never see your money again.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Gemaltos’ “EMV For a Week Challenge,” starts now!

As part of Gemalto’s #ChipAwayAtFraud campaign, I’m being tasked with numerous tasks, some tacky, some essential to living. Gemalto, one of the world’s leaders in digital security, wants a real-world take on the EMV card experience. Which includes the security benefits EMV cards presents. You know EMV; it’s the “chip” credit card that by now, you should have. EMV by the way stands for Euro/MasterCard/Visa. The Euro part essentially means that’s where the card was first deployed.

1CIf you don’t have a chip card by now get on the phone, call your bank and in your loudest, angriest voice scream at them and politely ask why they haven’t sent you one yet.

You, Mr. and Mr.’s credit card holder should support for the new technology in your community by explaining it to people, and encourage its use.

As a Gemalto campaigner I’m deploying two articles, one introductory (this one) and one “wrap-up” piece, detailing my experience during the challenge.

The Challenge:

Complete All Ten Tasks First and Win $400 to a Charity of Your Choice: My Charity is Boston Children’s Hospital

  1. Get coffee at a local (not chain) coffee shop
  2. Make any purchase at a big-box store
  3. Get a meal inside a fast food restaurant
  4. Buy a magazine at a gas station
  5. Get $50 worth of groceries
  6. Buy a tacky t-shirt
  7. Get someone special a bouquet of flowers
  8. Hit a tourist attraction in your town
  9. Buy office supplies for your coworker(s)
  10. Mail us a postcard from your local post office

Easy. Let the games begin!

20 Security Tips For Overseas Travelers With Credit Cards

Thinking of bringing a credit card with you on your travels? You can end up in a jam: You just treated your extended family to fine dining in France. Time to pay; your credit card is declined.

2CIf you try to make a purchase overseas, your credit card company might think it’s fraudulent, since it would appear anomalous, relative to your usual, U.S. purchases.

So before you leave for your trip:

  • Back up credit card data. It’s always important to have a backup of your card data, both online and in print. Photocopy each card and carry with you or store in your luggage. The Carbonite mobile app lets you access your backed-up data from anywhere in the world.
  • Review your auto drafts and consider these when traveling to avoid maxing out the card.
  • All your cards should be signed.
  • Get a “data plan” and make sure your credit card company’s e-mail and phone numbers actually work.
  • See if your company will issue you a chip-n-pin card, since this technology is widespread in foreign countries.
  • Memorize the PIN and make sure it’s enabled for foreign ATM withdrawals.
  • Install the credit card company’s mobile application so that you can be alerted to any suspicious issues.
  • Gift cards and debit cards should be authorized for international use.
  • Set your phone up for international use.
  • Activate the feature in your card account that alerts you every time the card is used.
  • Alert the credit card company when you’ll be overseas so they can monitor your purchases.
  • Store the company’s 800 and non-800 numbers in your phone.
  • Also make sure you have their e-mail address.
  • The card(s) numbers should be documented in hardcopy.
  • Find out if the card has a foreign transaction fee.
  • Know the to-be-visited country’s phone dialing patterns.

While on your trip:

  • Never give anybody your card for a purchase unless you can see everything they’re doing.
  • At ATMs, carefully punch in the keypad numbers; you may not get too many chances to get the PIN correct.
  • Save all receipts and inspect them. Use your computer or phone and secure Wi-Fi to monitor your account online. This can be done with Hotspot Shield, which will encrypt all transmissions.

Know that your card company will never request highly personal information such as your Social Security number. If anyone contacts you with such requests, it’s a scam.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Is It Fraud or are You just Crazy?

What would you rather have happen to you? A Russian ring of hackers has infiltrated your computer and smartphone and is hell-bent on taking control of your finances, social media life, even the smart gadgets in your house…OR…you’ve just been diagnosed with paranoid psychosis, and in fact, nobody’s out to harm you at all.

12DIn a day and age where it’s become increasingly easy for hackers to hijack your credit card and bank accounts, spy on your baby by hacking into the baby-cam and spy on you via your laptop’s camera … the line between paranoia and real-life spying has become very muddled.

Unfortunately, there isn’t a day that goes by that someone contacts me completely convinced they are being spied on. Maybe they are, most likely they are not. Especially when they begin to explain how every device they own and seems to know everything about them and so on. The likelihood of a hacker having control over their TV is pretty small.

For example, 30 years ago if someone said, “Someone is watching me through my computer,” we’d just assume that person was delusional and needed some medication. Nowadays, we’re apt to immediately think, “Put tape on your laptop’s camera hole!”

So how can we weed out the crazies from the true victims? Just because your laptop has a camera hole doesn’t mean you can’t be imagining that your ex-spouse is spying on you through it.

Many claims of fraud or victimization are real, and many are deliberately made up for financial gain (e.g., faking back pain after a fender bender) or are the result of mental illness.

Sometimes, it’s obvious when the claim is fraudulent or the result of being “crazy.” In fact, the tip-offs that it’s mental illness at play are more obvious than when it’s fraud, since the con artist can be quite skilled.

A general rule of thumb is to look at the simplicity—or lack thereof—of the case. Is the claimed cause simple or convoluted?

For example, you hear a crash, race into the living room and see that your favorite vase—which is located near the bottom of the staircase—has been broken to smithereens. Near the vase is a basketball. At the top of the staircase are your two young sons with scared looks on their faces.

They cough up an explanation: “We were in the living room reading. The basketball was on the floor. A gust of wind blew through the window so hard that it tossed the basketball into the vase. We thought you’d blame us so we ran up the stairs.”

Common sense must be used in determining the most probable cause of an event. This holds for parents, claims adjustors, detectives and juries at a trial. The best judge views things through the lens of simplicity.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Fear of Fraud trumps Terrorism

Okay, what’s more likely? Getting bombed … or some punk racking up charges on your credit card?

11DThe yearly Crime Poll says that two-thirds of the respondents were edgy about data breaches involving their credit cards, as well as their computer and smartphones getting hacked—far more so than being robbed or taken hostage.

It’s easier to thwart a mugger or burglar than it is to thwart cybercrime. Just because you never click links inside e-mail messages doesn’t mean a cybercriminal won’t still figure out a way to nab you.

Interestingly, many people who’ve been digitally victimized don’t even bother filing a police report, says the survey. But a much higher percentage of burglary and mugging victims will.

Maybe that’s because 1) They know it will be easier to catch the thug, and 2) It’s way more personal when a masked man jumps you on the street and hits you with a brick, versus some phantom from cyberspace whose body you never see, voice you never hear, hands you never feel—even though they drain your bank account dry.

But which would you rather have? An ER visit with a concussion and broken nose from the mugger, or a hacked credit card? The Fair Credit Billing Act allows you to dispute unauthorized charges on your card statement and get other things straightened out. And until you pay the whopping bill, your account isn’t robbed.But if someone hacks into your debit card, they can wipe out your checking account in a flash.

The good news is that often, cyberthieves test the waters of the stolen data by making initially small purchases…kind of like a would-be mugger feeling out a potential victim by initially asking her for the time or “accidentally” bumping into her.

A credit card can have varying levels of alerts that can notify the holder of suspicious activity. An example is a charge over $1,000 nets a text message to the holder about this. However, if you set a much lower threshold, you’ll know sooner that the data or card was stolen. Don’t wait till the thief makes a huge charge to be alerted. The lower that threshold, the sooner the card company will contact you and then initiate mitigation.

You know how to prepare for a mugger (pepper spray, self-defense lessons, etc.), but how do you protect your credit and debit cards?

  • Check your credit card statements thoroughly.
  • Don’t put off contacting the company over a suspicious charge.
  • All of your devices should require a password to log on.
  • Use encryption for all of your devices.
  • Always use your bank’s ATM, never a public kiosk.
  • Never let an employee take your card out of your sight.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Chip and PIN, will It save Us?

Many Americans, says a recent survey by Gallup, worry about a data breach connected to the use of their credit cards. Interestingly, many people use a credit card for everything under the sun: even just a soda and bag of chips from the convenience mart. The more you use a credit card, the more likely it will be compromised by cyber thieves.

1CThe magnetic stripe technology for credit cards makes them so “hackable.” One way to help prevent credit card crimes is to implement a chip-and-PIN technology. It’s been touted as a sure way to keep crime at bay. But is it what it’s cracked up to be? After all, how could the thief, holding your credit card, know your PIN?

The magnetic stripe contains account information. This can easily be copied with a thief’s tools such as a skimming device. A chip card uses a microprocessor that’s embedded. This makes the account information non-accessible to a hacker during any point of a sales transaction.

There are additional features to chip technology that tie into keeping fraud away:

  • Every time the card is used is recorded.
  • A cryptogram lets banks view the data flow.

Chip technology will be coming out in 2015 for the States, and experts are very confident that this transition will choke a lot of life out of card fraudsters. The transition will cost around $8 billion—if done correctly. And this “roll-out phase” won’t happen overnight, either.

There has been credit card fraud involving chip technology. Here’s how it happened: The crooks stole account information from magnetic stripes via skimming. The transactions were then done EMV style, then the criminals picked up traffic from an authentic EMV chip transaction. Next, the thieves put the information they’d skimmed into the transaction, and pulled off their crime.

In short, chip-and-pin technology is not without the element of human error; EMV can still be implemented poorly. As for that human error, this happened not too long ago with Canadian banks. They were struck with a big financial loss because the counter data and cryptograms were not being checked efficiently.

We can have a really great thing here—if it’s implemented in a smart way. What good is an advancement in technology if it’s carelessly employed?

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

The Credit Card Fraud Mob Boss

There once was a guy named Albert Gonzalez who dressed like a woman—but not because he got off on this, but because he wanted to conceal his actual appearance while he used a ream of phony cards to steal money from an ATM in 2003. A cop noticed the activity and didn’t quite buy the disguise.

2CThe police officer nabbed the thin, disheveled Gonzalez, and it turned out he possessed a computer at his New Jersey home loaded with stolen card data. He was also a moderator for Shadowcrew.com, a site for cybercriminals on how to hone their skills.

Gonzalez wasn’t arrested, but instead, the 22-year-old, who was unfortunately a drug addict at the time, was so smart at his craft that he was hired by the Secret Service. They even paid his living expenses. Over time he got off drugs and looked healthier and became clean shaven.

With his help, the Secret Service caught over a dozen Shadowcrew members. Gonzalez then moved to his hometown of Miami, at the urging of his superiors, in the name of evading revengeful Shadowcrew members who might suspect him of being the leak to the government.

Gonzalez became a paid informant for the Secret Service in 2006. He spoke at conferences and seminars and was seemingly living the life.

But while he aided the Secret Service, he led a criminal team that cracked into 180 million payment-card accounts of major corporate databases, among them being Target, JCPenney, OfficeMax and TJ Maxx.

“The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled,” his chief prosecutor said. What a shame: A genius who used his talents to live a life of crime.

Gonzalez was sentenced to two consecutive 20-year terms, the longest for any U.S. cybercriminal.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.