Most individuals recognize the need for taking steps to enhance the security and privacy of certain types of online transactions. Maybe it’s when they shop online or conduct financial transactions (e.g., banking, paying credit cards).
But what about emails? Are individuals even thinking about the same security and privacy issues when sending or responding to emails? We’ve gotten so accustomed to the ease of emails that these same issues might not even be considered.
That’s the point of a very helpful April 17th article by Ross McKerchar. His article talks about the fact that individuals might assume that their emails are protected or can’t be read by others or are not susceptible to being spoofed (nakedsecurity.sophos.com; “Practical IT: What you need to know about email encryption”). As he writes, those are incorrect assumptions. Mr. McKerchar writes about three options for encrypting emails. As he notes, however, these options are not equally easy to use and individuals might need assistance in using any one of them.
His article is worth reading to learn about the three available options; understand their respective advantages; and then decide if one of them might be worth implementing.
Another excellent resource is a Federal Trade Commission (FTC) video. It’s called “Hacked Email: What to do” and can be found on the FTC’s website.
Vacation season has started and that often means rushing to get everything done before heading out. It also means remembering that the vacation season gives criminals even more opportunities to steal personal information. I’ve written several blogs over the years about the ways in which this can happen and the precautions individuals should take before and during vacations.
Rather than re-posting my prior blogs, I’m recommending an excellent article by John Zorabedian that pulls together several of the key steps that travelers should take. For example, he reminds travelers to use caution when using public Wi-Fi spots and to turn off geo-tagging and geolocation on phones and other devices. His April 20th article is titled “5 online privacy and security tips for travelers” and can be found at: http://www.nakedsecurity.sophos.com.
The tips in Mr. Zorabedian’s article are important, should be followed and are easy to do. Don’t let criminals ruin your vacation by helping them know where you are, what you’re doing and gaining access to other personal and sensitive information.
Graham Cluley reports on a multi-national, multi-agency takedown of the Simda botnet that is thought to have infected around 770,000 PCs around the world (www.grahamcluley.com; “A quick way to tell if your PC was infected by the Simda botnet”; April 14th).
Mr. Cluley’s article reports that Kaspersky has created an online test allowing individuals to see if their PC had been infected; the test checks the individual’s IP address against the database of infected IP addresses that the security experts had found. How did these PCs get infected? Mr. Cluley cites a Kaspersky blog that reports the Simda botnet initially got into the PCs through vulnerabilities that individuals hadn’t patched. It could also have been inserted via fraud malware that got installed.
Just another reminder, Mr. Cluley urges, that individuals need to update operating systems and third-party software (e.g., Flash, Adobe Reader) with the most current security fixes. He notes that doing so “…is an essential part of protecting your computer from attack and should be done alongside running up-to-date anti-virus software.”
More often these days, patients find their doctors entering information into laptops during their exams. Why is this happening? Electronic health records (EHR) are being mandated. There are many who believe EHRs will lead to faster and more efficient medical care. Doctors will be able to more quickly exchange medical information about patients, resulting in better diagnoses. Patients, it is argued, can access their records via portals thus giving them more information on a “real time” basis.
While many patients may value the positive aspects of exchanging EHRs between and among doctors, they still have privacy and security concerns. As Marianne Kolbasuk McGee recently wrote, patients do worry about who their medical data is being shared with and whether their data will still be kept private once the EHRs are shared (www.govinfosecurity.com; “Records Exchange Raises Privacy Worries”; April 4th).
Ms. McGee’s article reported on the findings of a new survey done in California of 800 consumers with the results published in the April edition of the Journal of the American Medical Informatics Association. That survey “…found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.”
What can be done? Ms. McGee includes ideas from medical and health experts. For example, Devore Culver, Executive Director and CEO of HealthInfoNet, Maine’s statewide health information exchange (HIE) said that HIEs and healthcare providers should tell patients very clearly and openly about such key issues as who will get their data and how it will be used.
EHRs aren’t going away. They contain highly sensitive information so patients should be told exactly how this information will be shared; with whom; and how it will be protected once exchanged between and among providers.
People hope, and want to believe, that searching for health and medical information online is private and protected. That likely is a false and dangerous hope.
Pam Baker wrote an article highlighting recent research into this very issue (www.nuviun.com; “The gaping privacy hole in healthcare data is not where you think”; March 16th). Her article discusses the companies and entities that are tracking and analyzing online and mobile applications used by individuals for researching medical and health issues. She reports that this information is often mined by 3rd parties.
What is especially important is the research by Mr. Timothy Libert about which Ms. Baker wrote. Mr. Libert is a doctoral student at the University of Pennsylvania. He analyzed over 80,000 webpages on healthcare websites and found that “nine out of ten visits result in personal health information being leaked to third parties, including online advertisers and data brokers.” Mr. Libert’s research results were shared with Brian Merchant on Mr. Merchant’s Motherboard blog.
But it’s not just data miners who use this healthcare information. As reported, it’s also such reputable groups as governments, non-profits and universities.
Mr. Libert wrote about his research results in an article titled “Privacy Implications of Health Information Seeking on the Web”. It can be found in the March 15th issue of “Communications of the ACM.” There was a February 15th press release about Mr. Libert’s research and article. That press release is titled “Your Privacy Online: Health Information at Serious Risk of Abuse” and can be found at http://www.asc.upenn.edu.
Mr. Libert’s research underscores the dangers that leaked health information poses for individuals. There can be embarrassment, job and/or credit discrimination and identity theft.
His findings remind all of us to be especially careful about our online research into such a sensitive area as health.
Venmo is a mobile payments application that is especially popular with young adults. Why? Because it allows them to send cash fast and directly to a friend’s bank account.
However, in Venmo’s case, fast is not necessarily better — especially in light of serious security flaws. A number of articles have appeared recently detailing the flaws and unhappy consequences. Mike Isaac and John Zorabedian have particularly helpful articles. Their articles can be found, respectively at: bits.blogs.nytimes.com (“Venmo Was Ordered in July by California Regulators to Address Security Issues”; February 27); and nakedsecurity.sophos.com (“Venmo mobile payment service under fire for security carelessness”; March 3).
What are some of the problems? Both articles cover the basics which include the fact that Venmo had been using only an email and Twitter account but didn’t have a customer support line. Mr. Zorabedian recounts the story of one Venmo user who had $2,850.00 stolen from his bank account. How could this happen? In part, Mr. Zorabedian writes, because the Venmo application has no security against unauthorized account access.
In his post, Mr. Isaac reports that Venmo claims to have implemented “…companywide best practices and programs and user privacy, security, customer service and fraud loss management.” However, Mr. Isaac reports that Venmo is still under ongoing supervision by the California regulators.
Have these important improvements been made? Maybe but Venmo should be used very cautiously until there’s concrete proof that strong security and privacy features have been added.
The Federal Trade Commission’s (FTC) Division of Consumer & Business Education (Division) proactively helps consumers learn about and, hopefully, avoid a variety of scam artists. Carol Kando-Pineda, Counsel to the Division, has just published a list describing the “top 10 imposter scams” that consumers have reported to the FTC. While many appear obvious, it is always useful to be refreshed about the scams since they often vary with each version. The March 2nd article by Ms. Kando-Pineda is titled “The Grate Pretenders” and can be found at: http://www.consumer.ftc.gov.
What are some of the top imposter scams? The number 1 position is held by scammers impersonating IRS agents. They call or email consumers, frighten them by saying the consumer owes back taxes or that there’s a problem with the consumer’s tax return. The goal? Getting the consumer to provide personal and financial information allegedly to pay the owed taxes or correct the return.
Other “top 10” imposter cons include:
- “You’ve won the prize”: the scammer claims to be from Publishers Clearinghouse. What’s the scam? The winner only has to pay a processing fee in order to collect the prize;
- “I’m an official with ….” fill in the government agency. It could be, for example, a scammer claiming to be from one of the agencies handling health issues. The scammer says he works for Medicare or in an office administering the Affordable Health Care Act. The caller threatens the consumer with lost medical benefits unless the consumer provides personal information or fees.
These are just a few of the FTC’s “top 10 imposter scams”. Ms. Kando-Pineda’s article is well worth taking the time to be reminded about the variety of “imposter scams” that are out there.
The Better Business Bureau (BBB) issued an alert on February 21st about a reoccurring scam. As BBB notes in its alert, this type of customer survey scam comes back often, with slight variations each time. And each time, the scammers count on consumers being too busy to stop and realize the only “reward” is the personal and financial information the scammers will get.
This scam comes via an email announcing either “Your Reward Points are Expiring. Claim Now!” or “Your eBalance Points are Expiring Soon!” (firstname.lastname@example.org; “It’s Back! Survey Scam Strikes Again”). As BBB explains, consumers will be tricked into believing this is a legitimate email as the scammers use the name of a well-known store; the BBB alert notes that stores as well-known as Macy’s, Walgreens and others have been used in these types of scams.
The consumer getting this email may, in fact, shop at the store named by the scammers. There’s a link in the email asking the consumer to take the attached survey and tell the store about his recent shopping experience there. The reward for doing so? A promise of $100.00 or more in “bonus-points” for just completing the survey.
Don’t open the link because doing so can result in many outcomes but none are good. While the survey might be real, the consumer gets ads for products once the survey is done. Or else, the survey is really a phishing scam that asks the consumer for banking and credit card information. Or once opened, the survey link downloads malware to the consumer’s computer.
The BBB alert contains 4 tips for spotting a survey scam:
- Email has consumer’s personal information: while the scam email looks as if it’s personalized, the consumer has never signed up for emails from this particular company;
- Act ASAP: the scam email tells the consumer to act immediately or else something terrible will happen;
- Bad grammar, typos: the BBB alert contains a warning I’ve previously noted, namely that scammers are getting better all the time at copying a company’s logo, name and email format. But incorrect wording, bad grammar, typos and awkward phrasing are among the tip-offs that the email is a scam; and
- Hover over the URLs: As BBB notes, while the hyperlinked text will say one thing, the link itself will point the consumer somewhere else. A consumer who hovers over the links can see if they lead to the business or company’s official website or some variation of the domain name.
The best tip? When in doubt, don’t open the link!