The 4+ million current and former federal employees whose OPM personal data has been hacked are just the latest group to be worrying about identity theft. So a recent article by Brian Krebs could not be more timely. Mr. Krebs has written a terrific piece on the various options that individuals can take to try to prevent themselves from becoming identity theft victims. While there are no guarantees that any option is foolproof, his recommendations are ones to learn about and then decide whether to use (www.krebsonsecurity.com; “How I Learned to Stop Worrying and Embrace the Security Freeze”; June 8th).
One of his key points is the difference between putting a “fraud alert” and a “security freeze” on credit reports. A “security freeze” is the stronger tool, since “freezing” a credit report means it can’t be viewed or pulled by potential creditors without the individual giving specific consent. Is it free to do so? That depends on 2 key factors: whether the individual has been an identity theft victim, and what the requirements are for the State in which the individual lives. Some States require a fee of $10.00 or more if the individual hasn’t been an identity theft victim.
A link to a list of the States with their respective requirements can be found in Mr. Krebs’ article. Additionally, that requirement will pop up when filling out a “freeze” form online with Equifax, Experian and TransUnion: once an individual does so, the fee amount for the State in which the individual resides will come up. These requests can also be made in writing, and those details can be found on the websites of the 3 credit agencies just mentioned.
It would be great if these “freezes” could be done for free before becoming an identity theft victim. Is it worth the money to do so before that reality? My answer is “yes” but everyone has to decide for himself.
Over the last few days, numerous media sources have reported on a major security flaw and the resulting security risks in Samsung mobile devices. I urge anyone who has a Samsung mobile device to keep posted on this matter. I read the NowSecure blog on this issue, and it has a list, as of June 16th, of impacted devices by carrier along with the status of each carrier’s security patch (www.nowsecure.com; go to the “How to Detect It” subheading in the blog titled “Samsung Keyboard Security Risk Disclosed: Over 600M+ Devices Worldwide Impacted”). In a nutshell: NowSecure, a security research firm, has found a security flaw in the Samsung keyboard that could impact over 600 million Samsung mobile devices. One report, by Graham Cluley, describes the flaw as including Samsung’s latest device, the Galaxy S6 (www.hotforsecurity.com; “Samsung Galaxy phones at risk from massive security flaw”; June 17). As Mr. Cluley and others have warned, the flaw could allow hackers to gain remote access to a Samsung device and to spy through the camera or the microphone, track the Samsung user’s physical location via GPS, install malicious applications, steal information or even listen in on the user’s messages and voice calls — all without the user’s knowledge. Samsung is reporting that it believes it has a possible patch for the problem and that the patch has been deployed to carriers. However, per Mr. Cluley, it is difficult for mobile device users to know whether their carrier has applied the patch. Again, another reason to check the NowSecure website for updates.
LastPass is a cloud-based password security site, so reports that it was breached are particularly troubling. The breach happened on Friday, June 12th, but LastPass only sent alerts to account users on Monday, June 15th. And from what Steven J. Vaughan-Nichols reported, not all LastPass account owners have received email notifications (zdnet.online.com; “Password site LastPass warns of data breach”; June 15).
In his article, Mr. Vaughan-Nichols quotes from the June 15th blog post by Joe Siegrist, the CEO of LastPass. I read Mr. Siegrist’s blog post and urge all LastPass account users to read it (blog.lastpass.com; June 15). Mr. Vaughan-Nichols quotes Mr. Siegrist’s assertion that LastPass has no evidence that “encrypted user vault data was taken, nor that LastPass user accounts were accessed.” LastPass is, per Mr. Siegrist’s blog, requiring all account users to update their master password. They are not requiring or telling users to change their site passwords, because encrypted data wasn’t taken.
However, as Mr. Vaughan-Nichols reported, the LastPass servers are overloaded by account users trying to make the needed changes.
Let’s hope that the “good news” reported by Mr. Siegrist holds true.
Facebook announced in a June 1st blog that it will be gradually rolling out a new email feature for its users. The feature will allow Facebook users to add public keys to their Facebook profile. What is the feature and what will these keys do?
The new feature is support for OpenPGP public keys: using them provides “end to end” encryption of the notification emails that Facebook sends to the user’s preferred email accounts. Facebook is implementing this feature so the content of email notifications from Facebook to the user can be encrypted for greater privacy and security.
As noted in the blog, users will be able to update their own public key using a desktop browser. The blog also includes a link to an Electronic Frontier Foundation resource that offers an introduction on using OpenPGP technology.
The public key management can’t yet be supported on mobile devices although Facebook said in its blog that it’s investigating ways to enable this.
Facebook users will want to read this June 1st announcement and keep alert for its implementation.
There has been widespread coverage of the massive IRS hack. The hack of the IRS “Get Transcript” tool on the IRS website has affected 104,000 individuals. As reported in numerous accounts, the thieves who hacked this system stole information about prior tax refunds. They used that information in combination with other personal information they likely already had (e.g., people’s names, SSNs, dates of birth). As Jonnelle Marte reported in The Washington Post, after hacking the “Get Transcript” tool, the thieves now have even more personal information (“A year of credit monitoring won’t put risk to rest”; May 30th; A8).
The IRS will be flagging the accounts of the persons whose transcripts were stolen and will also be contacting them. Those 104,000 individuals will be offered free credit reporting. As Lisa Rein reports in The Washington Post, the IRS will also be contacting 100,000 other people — those whose returns weren’t hacked but whose personal information the thieves might have (“How the breach of IRS tax returns is part of a much bigger problem facing taxpayers”; May 29).
The risks of identity theft for the individuals whose tax return information was stolen are very real. People have to remember that the IRS will contact them through letters, not emails. Why is this important? Because the hackers now have enough information to send scam emails pretending to be from a credit agency, or even the IRS, asking for even more personal information under the guise of needing it to help the affected individuals.
RadioShack’s bankruptcy could have had terrible and lasting impacts on consumers. RadioShack had been proposing to include consumers’ personally identifiable information in the sale of its trademarks and intellectual property. However, as reported by Truman Lewis, a coalition of State Attorneys General from 38 States fought the inclusion of the consumer data in the bankruptcy sale (www.consumeraffairs.com/news_index/privacy.html; “Bankruptcy court agrees to protect RadioShack customer data”; May 21st).
As Mr. Lewis reported, the State Attorneys General reached a settlement under which the vast majority of the consumer data will be destroyed. Equally important, he wrote that “…no credit or debit card account numbers, social security numbers, dates of birth or even phone numbers will be transferred.” The Bankruptcy Court approved these settlement terms — all of which is an important result for RadioShack customers. RadioShack had in its files, as Mr. Lewis noted, 8.5 million customer email addresses. The new owners of all of RadioShack’s assets will only be able to keep a limited percentage of those email addresses. Whose email addresses will be included in the sale? Mr. Lewis reports that those will only be for customers who had asked for product information within the last 2 years — and General Wireless, the new owner, will be contacting those customers and giving them the chance to opt out of future General Wireless communications.
General Wireless has also agreed not to sell or share the RadioShack customer information it is obtaining with any other entity.
This settlement is an important victory for consumers thanks to the strong actions by these 38 State Attorneys General.
I’ve written previously about the growing use of electronic health records (EHRs). Some of this growth is driven by Administration mandates while some can be attributed to the enhanced patient care perceived by medical and health professionals.
Using EHRs does allow patients and their medical professionals faster access to personal patient health information. However, this type of patient information is among the most sensitive that exists. So making sure that the EHRs are protected optimally is, and should be, a key consideration for their creation and usage.
As Marianne Kolbasuk McGee recently reported, these issues are receiving increased congressional attention (www.healthcareinfosecurity.com; “Senate Scrutinizes EHR Interoperability”; May 5th). The Senate Committee on Health, Education, Labor and Pensions has created a working group that will be examining multiple EHR-related issues. These topics include improving the ways in which EHRs operate; looking at ways to make the exchange of health information between and among vendors, healthcare providers and EHR systems more secure; and making EHRs easier for health and medical professionals to use.
The working group has set an ambitious target goal of making legislative and administrative recommendations by the end of 2015.
Any improvements to the security, privacy and operation of EHRs would be important advancements.
I’ve previously alerted consumers to check the ATMs at their financial institutions to see if criminals have inserted “skimmers” into them. In fact, I’ve gone into my financial institutions and asked the managers if they had heard about these types of “skimmers” and whether they periodically check for them. These “skimmers” read and steal the credit and debit card information from cards inserted into an ATM that has been fitted with one.
Now Brian Krebs has written about another version of this scam — “skimmers” that are attached to gas pumps. These “skimming” devices are stealing customers’ debit card information (www.krebsonsecurity; “Foiling Pump Skimmers With GPS”; May 4th).
Mr. Krebs advises that consumers don’t need to be as worried about the gas pump “skimmers” as they should be about those inserted into ATM machines. However, he does say that consumers who use debit cards to pay for their gas could have their card information compromised; using a credit card is a better practice when paying for gas.
Also, he has an excellent resource for consumers who want to learn more about skimmers and protecting their personal financial information. It’s titled “All About Skimmers” and can be found on his website.
As I noted in last week’s blog (“Timely Travel Tips”), the vacation season brings out scammers with increasingly sophisticated scams. Hugo Martin wrote about another type of scam that is snaring unsuspecting victims. This one has to do with bogus hotel websites — and it’s a scam that takes advantage, as Mr. Martin notes, of the small smartphone screens (“Hotel booking scams cost Americans up to $220 million per year”; http://www.latimes.com/business/la-fi-hotel-booking-scam-costing-americans-up-to-220-million-per-year-20150430-story.html; May 3rd).
How does this scam work? Like many website scams, this one starts with a hotel website that looks very legitimate. Mr. Martin spoke with Ms. Maryam Cope, Vice President for Government Affairs for the American Hotel and Lodging Association; she provided Mr. Martin with much of the background information. Additionally, she told Mr. Martin that many of the sites use the same logos, symbols and emblems as a legitimate hotel. The unsuspecting vacation planner goes onto one of these sites, enters his personal and financial information and then thinks he’s booked a room.
Has the individual booked a room? No, and it’s a reality that might only become evident when he shows up at the hotel. Moreover, as Mr. Martin writes, some of these scam websites will also take a commission or a deposit.
How can someone tell if one of these websites is a scam or legitimate? A key tipoff Mr. Martin notes is the following: the bogus hotel website doesn’t give individuals the option of making special requests, such as a cot for the room or a room to accommodate someone with physical limitations.
Ms. Cope says the American Hotel and Lodging Association has asked Congress and the Attorney General to look into this problem. The Association estimates that there could be as many as 2 1/2 million travelers scammed each year.
It is very easy to miss something when reading a website on a smartphone. People planning vacations should carefully review a hotel website before booking a reservation. Taking the time to do so can help avoid having a vacation ruined before it’s even started.
Most individuals recognize the need for taking steps to enhance the security and privacy of certain types of online transactions. Maybe it’s when they shop online or conduct financial transactions (e.g., banking, paying credit cards).
But what about emails? Are individuals even thinking about the same security and privacy issues when sending or responding to emails? We’ve gotten so accustomed to the ease of emails that these same issues might not even be considered.
That’s the point of a very helpful April 17th article by Ross McKerchar. His article addresses the fact that individuals might assume that their emails are protected, can’t be read by others, or are not susceptible to being spoofed (nakedsecurity.sophos.com; “Practical IT: What you need to know about email encryption”). As he writes, those are incorrect assumptions. Mr. McKerchar describes three options for encrypting emails. As he notes, however, these options are not equally easy to use, and individuals might need assistance in using any one of them.
His article is worth reading to learn about the three available options; understand their respective advantages; and then decide if one of them might be worth implementing.
Another excellent resource is a Federal Trade Commission (FTC) video. It’s called “Hacked Email: What to do” and can be found on the FTC’s website.