Yet another major retailer has been hit with a breach of its payment system. This one has been in the news, but the scope and scale of the breach have just been announced.
This breach is at Michaels, the large arts and crafts retailer. The Michaels corporation also owns the Aaron Brothers stores, and the breach also affected payments at those stores.
How big is the breach? Michaels just announced on April 17th that its investigation found that nearly 3 million payment cards could be involved. What makes this worse is that Michaels announced back in January that it had found suspicious activity but waited until now to reveal the full impact.
Tracy Kitten has an excellent article discussing both the scope of the breach and Michaels’ very delayed disclosure (www.bankinfosecurity.com; “Michaels: Why So Long to Report Breach?”). Equally important for consumers, that article has a link to the list of Michaels and Aaron Brothers stores that are affected by the breach. Anyone who has shopped at any of these stores from early May 2013 through January 2014 will want to go to the article to see the stores that are affected.
Also, anyone who has shopped at a Michaels and/or Aaron Brothers store should start — and keep — checking credit card and bank statements for suspicious charges. Suspicious charges need to be contested immediately.
The Heartbleed bug is causing major problems for people. There’s been loads of press coverage about the bug, its impact, and the fact that people have to immediately change their passwords for affected websites. What’s been harder to find, however, is which websites have been affected so people know which passwords to change.
Jose Pagliery published a very helpful article providing just this type of information (“Change these passwords right now”; money.cnn.com; April 11th). In his article, Mr. Pagliery provides three categories of companies that responded to date to CNN’s questions about their respective websites. He lists companies who’ve patched their websites; those that didn’t need to do so; and finally, companies from whom he and CNN have not yet heard.
The four companies who’ve reported patching their websites are: Google, YouTube and Gmail; Facebook; Yahoo, Yahoo Mail, Tumblr, Flickr; OKCupid; and Wikipedia. Mr. Pagliery writes that people can now change passwords for these sites.
The even better news Mr. Pagliery includes is the longer list of 20 companies who either don’t use the affected software or use a different version of it. To date, this category includes:
- Financial institutions: Bank of America, Capital One, Chase, Citibank, HSB, PNC, U.S. Bank, Wells Fargo, E*Trade, Charles Schwab, Fidelity, Scottrade, TD Ameritrade, Vanguard and PayPal;
- Social media: LinkedIn and Twitter;
- Microsoft including Hotmail and Outlook;
- AOL and Mapquest.
Mr. Pagliery lists a third category of companies from whom he and CNN have not yet heard. He lists those companies under the heading “Don’t change these passwords yet (still unclear, no response)”. Those companies are: American Express; Apple, iCloud and iTunes; and Healthcare.gov.
More companies need to start alerting their customers about whether their websites were affected; whether they’ve been patched; and whether customers can safely change their passwords. I’ve gotten emails from several of the companies I use saying that they don’t use the affected software. I’m glad to be getting those emails but wish more companies were being that proactive.
Experian is a credit bureau whose credit reports are used by countless companies, agencies and individuals. The personal and financial information Experian collects about individuals is among the most sensitive data and should be given the highest security protections.
So it is extremely troubling to learn that one of the companies owned by Experian sold consumer information to Hieu Minh Ngo, a Vietnamese national, who was running an online identity theft service out of his home in Vietnam. Who broke this news? Brian Krebs in October 2013 in one of his exclusive investigations. Now Mr. Krebs has a follow-up story with even more details about Mr. Ngo’s crimes (krebsonsecurity.com; “U.S. States Investigating Breach at Experian”; April 3rd).
As Mr. Krebs reported, Mr. Ngo pled guilty last month to the identity theft crime. The magnitude of his theft is staggering.
Mr. Krebs read the court proceedings. He reports that Mr. Ngo sold personal and financial information to more than 1,300 customers between 2007 and 2013. Moreover, Mr. Krebs reveals that Mr. Ngo “…tricked an Experian subsidiary into giving him direct access to personal and financial data on more than 200 million Americans.” (see Mr. Krebs’s article). The information Mr. Ngo bought came from Court Ventures, a company Experian bought in March 2012 — but Mr. Ngo was stealing the personal data for nearly ten months after the Experian purchase of that company.
Now an investigation has been launched by multiple U.S. States into the Experian breach. Mr. Krebs can, and should be, thanked for his tireless efforts. But the real and lingering question is: what is Experian doing to tighten its oversight of its subsidiary companies?
It was only a matter of time before scammers pounced on the tragedy of the missing Malaysian Airlines plane to exploit for illegal purposes. The Better Business Bureau (BBB) just issued a scam alert yesterday about the numerous scams already out there (firstname.lastname@example.org; “Fake Malaysian Airline News Used as Scam Click Bait”, April 1st). The terrible bait is that the scams allegedly show exclusive footage of the missing plane and/or of passengers being found.
This scam, like other scams, could arrive via different methods and in multiple versions. BBB has learned about the scam being sent on Facebook and reports it could also come on Twitter, through other social media as well as emails.
What will the scam look like? BBB reports two of the most popular versions, so far, are the following:
- A Facebook post, for example, reading “Video of Malaysia MH 370 Plane Found in Bermuda Triangle. Passengers Alive.” or,
- A social media post or email reading “[NEWS FLASH] Missing Plane Has Been Found.”
What happens next? As the BBB “alert” warns, there is a link in the message directing people to click on it. The link is presented as a news site, but anyone clicking on it will land on an unfamiliar third-party website. That website could then do one of the following:
- A pop up could appear directing people to “update your video player.” Don’t hit “OK” — what’s getting “played” is anyone who does so. It’s malware, not a new software version, that will be downloaded.
- A message could appear directing people to take a survey before viewing the video. Again, don’t do it! Clicking on the survey link could mean people are sharing personal information that could make them vulnerable to identity theft. An even stronger possibility is that doing so will send personal information to the scammers who will sell it to spammers or others.
How can you know if a message is a scam or legitimate? The BBB alert suggests people hover their mouse over the link to see where it might lead. Again, only hover, don’t click it. The BBB alert also has links to the respective Facebook and Twitter instructions for reporting scams to them.
People are hoping for some concrete news about this missing plane. Scammers are counting on it so we have to guard against our natural instincts to learn more and be careful before opening any seemingly legitimate news flashes.
This is a “heads up” for people who use Rich Text (RTF) files. Brad Chacos reported recently that hackers are using “poisoned” RTF files to gain control of consumers’ PCs (www.csoonline; “Just previewing email can give attackers control of your PC, Microsoft warns”; March 25, 2014).
Per Mr. Chacos’s article, Microsoft issued a warning on March 24th about the newly discovered Microsoft Word vulnerability. Hackers send “poisoned” RTF files and gain access to PCs when consumers simply open or preview these files. The hackers then gain remote access to the PCs and will have the same rights as the PC user.
Mr. Chacos writes that Microsoft has said it’s only aware of limited, targeted attacks against Word 2010. However, he notes that the RTF vulnerability is found in Word 2013, Word 2013 RT, Word 2007, Word 2003, Microsoft Office for Mac 2011 and related programs (e.g., Word Automation Services on Microsoft SharePoint Server).
As he noted, Microsoft has released a fix that neutralizes the exploit, but it’s one that not everyone will want to use: the fix bars all RTFs. In his article, Mr. Chacos describes several workarounds for people who either can’t stop, or don’t want to stop, using the RTF format. These are very useful tips for people who still need to use RTFs but don’t want to fall victim to the hackers.
The Federal Trade Commission (FTC) is responsible for administering the Children’s Online Privacy Protection Rule (COPPA Rule). The COPPA Rule imposes privacy requirements on operators of commercial websites and online services that are directed to children under the age of 13, or general audience websites and online services that knowingly collect personal information from children under the age of 13. These requirements include posting comprehensive privacy policies on their respective sites, notifying parents about their information practices and getting parental consent before collecting, using or disclosing any personal information from children under the age of 13.
The COPPA Rule also has a “safe harbor” provision whose purpose is encouraging increased industry self-regulation in the area of protecting children’s privacy online. Using the “safe harbor” provision, industry groups and commercial website operators can ask the FTC to approve self-regulatory guidelines that implement the above-described COPPA Rule protections.
The Internet Keep Safe Coalition (iKeepSafe) has submitted a proposal to the FTC for a program to be evaluated under the “safe harbor” provision. The FTC will be publishing a Federal Register notice very soon to seek public comment on its proposal. The key issues on which the FTC has said it seeks public comments are whether the iKeepSafe proposed program has protections that are the same as or greater than those called for in the COPPA Rule; whether it has effective mechanisms for assessing website and online service operators’ compliance; whether the incentives for operators’ compliance with the guidelines are effective; and whether it provides adequate means for addressing and resolving consumer complaints.
The comment period will be open until April 21st. I encourage people interested in, and concerned about, children’s online privacy to take a look at the iKeepSafe proposal and submit any comments or concerns you might have.
This is an ASAP alert about a spam court notice email that I literally just got. It’s a phony email that appears to be coming from the “Clerk to the Court” in Anaheim, California. It comes with a link that claims it’s a “copy of the court notice” and says the recipient should “read it thoroughly.” Do not open the link!
I found the general number for the Administrative Office for the Orange County Superior Court. I told the staff member in that office who answered the phone that I’d gotten this email and she immediately said “is that the one with the N# number?” I said yes and she said “it’s a spam”. She asked that I forward it to her which I’ve already done.
If you get one, it’s a fake; forward it to JAG@occourts.org. The following is the entire email so you’ll know what to watch out for.
- It comes in with the sender of: Clerk to the Court <email@example.com>
- The line under that address reads: Notice of appearance in court N#2512
- The next line is the date: March 17, 2014, 12:54 PM
The body of the message is as follows:
Notice to appear,
Hereby you are notified that you have been scheduled to appear for your hearing that will take place in the court of Anaheim in May 27, 2014 at 11:30 a.m.
Please, kindly prepare and bring the documents related to this case to court on the date mentioned above.
The copy of the court notice is attached to this letter. Please, read it thoroughly.
Note: If you do not attend the hearing the judge may hear the case in your absence.
Yours very truly,
Clerk to the Court.
And then there’s the link to the phony “Notice of appearance.” Again, do not open the link!
The person with whom I spoke said they’d already gotten 20 calls about this email.
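Two of the posts above describe the same manual checks: the BBB advice to hover over a link to see where it really leads, and the court-notice email whose “Clerk to the Court” sender writes from an address that is not the court’s. The script below is an added example (not code from the original posts) that performs both checks on a raw email message. The sample message is constructed from the quoted text of the phony notice; the sender address and the link target are placeholders, since the post does not publish the real ones, and the court’s domain is taken from the JAG@occourts.org forwarding address the post gives.

```python
"""Heuristic checks for scam e-mail like the court notice quoted above.

Added example, not code from the original post. It does programmatically
what the BBB advice says to do by hand (look at where a link really leads)
and also checks whether a sender whose display name claims an institution
actually writes from that institution's domain.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the quoted notice wrapped in a minimal MIME message.
# The sender address and link target are placeholders. The link's visible
# text names the court's domain while its href points elsewhere, which is
# exactly the mismatch that hovering over the link would reveal.
SAMPLE_RAW = """\
From: Clerk to the Court <notices@sender-placeholder.invalid>
To: recipient@example.invalid
Subject: Notice of appearance in court N#2512
Date: Mon, 17 Mar 2014 12:54:00 -0700
Content-Type: text/html; charset="utf-8"

<p>Notice to appear,</p>
<p>Hereby you are notified that you have been scheduled to appear for
your hearing that will take place in the court of Anaheim in May 27, 2014
at 11:30 a.m.</p>
<p>The copy of the court notice is attached to this letter. Please, read
it thoroughly: <a href="http://download.attacker-placeholder.invalid/notice.zip">www.occourts.org/notice</a></p>
<p>Yours very truly,<br>Clerk to the Court.</p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host part of a URL, or of bare text like 'www.example.org/page', lowercased."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def deceptive_links(html):
    """Return (visible text, href) for links whose text names a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = host_of(text)
        # Only compare when the visible text itself looks like a host or URL.
        if "." in shown and shown != host_of(href):
            flagged.append((text, href))
    return flagged


def scan_message(raw, institution_keywords, institution_domains):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: display name claims an institution, address domain does not match.
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    if any(k in name.lower() for k in institution_keywords) and domain not in institution_domains:
        findings.append(f"sender claims to be '{name}' but writes from {domain}")

    # Check 2: links whose visible text points one way and whose href points another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in deceptive_links(body.get_content()):
            findings.append(f"link text '{text}' actually points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for line in scan_message(SAMPLE_RAW, ("clerk", "court"), {"occourts.org"}):
        print("WARNING:", line)
```

Run against the constructed sample, the scan reports both the sender-domain mismatch and the misleading link. Links whose visible text is ordinary words (“click here”) are not compared, since there is no claimed host to compare against; only text that itself looks like a URL or domain is checked.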
I just got an email allegedly from Verizon Customer support. It’s spam and I want to alert Verizon email customers about it.
The subject line is “Verizon Webmail: Security Alert” and the message reads as follows:
“Dear Verizon Customer<Security@Verizon.net>
Your Verizon Email Account will be suspended in a short while as your spam quota has become full.
Click here to clean your spam quota now and avoid suspension.”
Don’t do it! I suspected this was spam because the email looked like a cut and paste job. There were none of the Verizon logos (e.g., no red banner, no swoosh) and the closing line was “Regards,” followed by the word “Copyright”, then a ? inside a diamond shape followed by 2014 Verizon!Inc. All rights reserved.
I just confirmed with a Verizon technical staff member that there’s nothing wrong with my email account. I forwarded this spam email to the Verizon division responsible for these issues. If you get this spam email, forward it to firstname.lastname@example.org as Verizon needs to hear from its customers about these issues.
I’ve written before about the ways in which some stores are using shoppers’ WiFi-enabled smartphones to track their movements through aisles and departments. Nordstrom was doing so last year but stopped after receiving countless complaints about the signs posted in stores alerting customers to this practice.
But Nordstrom’s response hasn’t stopped other brick-and-mortar stores from starting to track customers’ movements in their stores. So what can consumers do? Well, the obvious is turning off the WiFi on their smartphones. But it’s easy for consumers to forget to do so and some consumers don’t want to disconnect WiFi.
Moreover, many customers aren’t even aware that their smartphones are being used as tracking devices. One Maryland legislator is trying to address this issue. Amrita Jayakumar recently reported that Delegate Sam Arora has introduced a bill that, if enacted, would require stores to post very visible and prominent signs alerting customers that their physical movements are being tracked (“Privacy advocates push back on stores’ tracking”; The Washington Post; A12; March 8th). Delegate Arora’s proposed bill is just beginning its legislative journey, so it may or may not become law anytime soon.
There’s another option for consumers who don’t want to be tracked via their smartphones. That option is provided by the Future of Privacy Forum (FPF). FPF has created a registry allowing consumers to opt out from having their smartphones monitored. The FPF registry is a Do Not Track-type registry. FPF’s website homepage has detailed information about the registry, the stores involved and the steps for signing up. All of this information is posted under the title of “Mobile Location Analytics” (www.futureofprivacy.org).
An email went out last week over the name of Mike Perlis, Chief Executive Officer of Forbes, to the million-plus people whose Forbes.com accounts and passwords were hacked. Mine arrived on February 24th and outlined the steps for changing my password.
Here are the steps that were outlined in case you haven’t gotten the email yet, or just want to start a Forbes.com account:
- Go to http://www.forbes.com;
- Go to the login which will be on the top right hand corner;
- Click on the red “Need to reset your password?” “Click here” link;
- In that “reset your password” window, enter your email; the security characters that will be displayed; and then click “Submit”;
- Check your email inbox for a message from Forbes with instructions on how to proceed;
- Click on the link in the email to launch “Reset Your Password” web browser window;
- Create and enter a new password that should be a minimum of 8 characters including 1 Capital letter, 1 small letter and 1 number; and
- Click “Done” on the “Your Password Has Been Changed” screen.
I’m going to create a new Forbes.com password but haven’t done so yet. I just want to let some time pass and make sure there aren’t reports of problems and/or new issues before doing so.