Archives for posts with tag: Brian Krebs

Due to a technical error, this update was published yesterday without the body of the blog.

——————————

I previously shared Brian Krebs’ story about a major data breach at numerous hotels under the InterContinental Hotels Group (IHG). Mr. Krebs reported that on Friday, February 3rd, IHG confirmed that the breach had happened at 12 hotels around the United States. As he reported, IHG said the data that was stolen is from credit cards used at the restaurants and bars at these hotels but not from credit cards used at the front desks of the hotels.

Mr. Krebs has included a list of the 12 hotels in his article which I urge everyone to read since the IHG parent company includes Holiday Inns among many other brands (https://krebsonsecurity.com/2017/02/intercontinental-confirms-breach-at-12-hotels).

Anyone who has stayed at one of the listed hotels needs to be extra diligent in checking credit card statements for any suspicious activity.

The 4+ million current and former federal employees whose OPM personal data has been hacked are just the latest group to be worrying about identity theft.  So a recent article by Brian Krebs could not be more timely.  Mr. Krebs has written a terrific piece on the various options that individuals can take to try and prevent themselves from becoming identity theft victims.  While there are no guarantees about any option being foolproof, his recommendations are ones to learn about and then decide whether to use (www.krebsonsecurity.com; “How I Learned to Stop Worrying and Embrace the Security Freeze”; June 8th).

One of his key points is the difference between putting a “fraud alert” or a “security freeze” on credit reports.  A “security freeze” is the stronger tool since “freezing” a credit report means it can’t be viewed or pulled by potential creditors without the individual giving specific consent.  Is it free to do so?  That depends on 2 key factors: has the individual been an identity theft victim, and what are the requirements of the State in which the individual lives?  Some States require a $10.00 or more fee if the individual hasn’t been an identity theft victim.

A link to a list of the States with their respective requirements can be found in Mr. Krebs’ article.  Additionally, that requirement will pop up when filling out a “freeze” form online with Equifax, Experian and TransUnion.  Once an individual does so, the fee amount for the State in which the individual resides will come up.  These requests can also be done in writing and those details can be found on the websites of the 3 credit agencies just mentioned.

It would be great if these “freezes” could be done for free before becoming an identity theft victim.  Is it worth the money to do so before that reality?  My answer is “yes” but everyone has to decide for himself.

I’ve previously alerted consumers to check the ATM machines at their financial institutions to see if criminals have inserted “skimmers” into them.  In fact, I’ve gone into my financial institutions and asked the managers if they had heard about these types of “skimmers” and whether they periodically check for them.  These “skimmers” read and steal the credit and debit card information on cards inserted into ATMs fitted with them.

Now Brian Krebs has written about another version of this scam — “skimmers” that are attached to gas pumps.  These “skimming” devices are stealing customers’ debit card information (www.krebsonsecurity.com; “Foiling Pump Skimmers With GPS”; May 4th).

Mr. Krebs advises that consumers don’t need to be as worried about the gas pump “skimmers” as they should be about those inserted into ATM machines.  However, he does say that consumers who use debit cards to pay for their gas could have their card information compromised; using a credit card is a better practice when paying for gas.

Also, he has an excellent resource for consumers who want to learn more about skimmers and protecting their personal financial information.  It’s titled “All About Skimmers” and can be found on his website.

The hacking at the U.S. Target stores is almost beyond comprehension in its magnitude and impact.  The “who” and “how” may never be known but what is known is that the millions of credit and debit cards used at Target have been stolen — and that the personal and financial information of those consumers is at risk.

Brian Krebs broke this story and has continued with his investigation.  He’s already found out that the financial information is being used on non-U.S. cards (www.krebsonsecurity.com; “Non-US Cards Used At Target Fetch Premium”).  Mr. Krebs often is the first to learn about these types of breaches and his blog is worth reading regularly.

Affected consumers can’t wait to hear from their credit card companies or financial institutions before taking pro-active steps to protect themselves. What should affected consumers do?  Tony Bradley outlines the steps concisely in a recent blog (blogs.cssonline.com; “5 things you should do to protect yourself from Target data breach”).

As Mr. Bradley outlines, consumers should:

  1. Monitor your credit and bank accounts: this is true for any breach but there are reports about victims already seeing unauthorized credit card charges or bank account withdrawals using the stolen debit card information;
  2. Contact your bank or card provider: don’t wait to see if you hear from them; let them know you used your card at Target and that your financial information has likely been stolen;
  3. Put a lock on your credit file: Mr. Bradley suggests contacting one of the credit agencies (e.g., Experian, Equifax) and asking for a security freeze; the freeze prevents the credit agency from releasing your credit report without your express consent;
  4. Cancel and replace your cards: this may not prevent some misuse of the stolen financial information but it can limit the impact of ongoing theft;
  5. Use lower-limit credit cards instead of a debit card: this is sound advice under any scenario; as Mr. Bradley notes, a lower credit amount puts less money at risk.  I’d add that credit cards have statutory protection (Reg E) so that consumers reporting the loss or theft of a credit card are only responsible for $50.00 of charges.  Debit cards do not have the same legal protection which could mean more of a financial loss to the consumer.

Consumers could not protect themselves against the Target hacking but they can try and protect themselves from its fallout by following the above advice.

Many people are enjoying using Skype as it makes communications more personal and immediate.  What Skype users might not know, and what I’ve just learned, is that Skype also makes users’ Internet addresses visible to the world.  I learned about this in Brian Krebs’ recent article (krebsonsecurity.com; “Privacy 101: Skype Leaks Your Location”).

In his article, Mr. Krebs includes a screen shot of one of these services. It’s called “Anonymous Resolver” and Mr. Krebs describes how someone using this service  (or similar services or tools) can find and display the Internet address most recently used by a particular Skype account.  He cautions that this type of service will “…work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.”   So what could happen? Mr. Krebs notes that someone’s Internet connection could be subject to attacks and that there could be even more serious consequences (e.g., being able to follow where someone is going).

I’m not suggesting people stop using Skype, but only that they should understand, as Mr. Krebs explains, the privacy implications when doing so.

During this holiday season, many of us want to be helpful to others.  But scammers and thieves only want to take advantage of this feeling of goodwill so we need to be even more diligent during the holidays.

The Philadelphia Federal Credit Union has started a public awareness campaign to remind people to be very wary of a number of fraudulent schemes.  And from the “a picture is worth a thousand words” approach, they’ve posted the alerts on posters in their branches.  Brian Krebs has the poster on his blog and I encourage you to go to his blog, read the poster and maybe even print it out to have as a handy, ready reminder (see, Krebsonsecurity.com; “All Banks Should Display A Warning Like This”, November 30).

What are some of the warnings?  Here are just a few and the rest can be found on Mr. Krebs’ blog:

  1. Be wary of cashing or depositing a check you received for a lottery you never entered; or for a work at home program; or for a commission for accepting funds through your bank or PayPal;
  2. Be wary if you’ve been asked to wire some of the funds to someone through Western Union or MoneyGram, or to send money overseas;
  3. Be wary if you’ve responded to an email asking that you confirm, update or provide your account information.

All of these excellent awareness tips apply equally to any of your accounts — whether at a bank, credit union or any others you might have.  You could be getting scammed out of money as well as your personal and financial information, which is even more lucrative for the scammers and thieves.

Being pro-active about protecting your private information will help make this an even happier, safer holiday season for you.

There have been several alerts over the last few days about the latest “zero-day exploit” that has, or could, hit users.  I say “has” because some of the articles indicate that the attacks by the scammers have already taken place.

Eric Romang is a security researcher who’s credited in numerous articles for having found the flaw.  He said the security hole allows scammers and attackers to use a Trojan back door to get onto the Internet Explorer browser on the soon-to-be victim’s computer.  This latest Trojan back door is known as “Poison Ivy,” and it’s versions 7, 8 and 9 of Internet Explorer used on Windows XP, Vista and Windows 7 that are vulnerable.

If the attacker’s successful, he can then run whatever code he wants on the captured computer; can add and/or delete files; and/or can change registry values. People are being advised to avoid using Internet Explorer and use other browsers (e.g., Chrome, Firefox, Safari, Opera) until Microsoft issues a patch to fix this vulnerability.  In fact, the German government advised users to stop using Internet Explorer because of this “zero-day” threat.

The articles also report that Rapid7, a security firm, is currently working on a module so users (commercial as well as consumers) can test to see if their computers are vulnerable.  It’s reported that Rapid7 is also working on a counter-measure but no details are yet available about that.

This is “poison ivy” you need to know about right now!  Use a different browser and do read all or any of these excellent articles for more details about the technical steps you can take: Brian Krebs (www.krebsonsecurity.com; “Internet Explorer Users: Please Read This”); Graham Cluley (nakedsecurity.sophos.com; “Threat level goes HIGH, as Microsoft readies fix for critical Internet Explorer security hole”); Nancy Owano (http://phys.org/news267161325.html; “Internet Explorer users are warned against Poison Ivy”).

I’m not a fan, at all, of the “misery loves company” school of thinking. So it’s no comfort to know that my LinkedIn password might be among the millions that were just hacked.

The news reports said that LinkedIn would be sending emails to affected account holders with the steps to take.  A key warning was not to follow a link in an email since that could be a scammer.

I didn’t want to wait for an email alert and you shouldn’t either.  I changed my password ASAP last night and want to share the top 5 tips for being able to do so quickly.

The first 2 tips come from my experience last night. The others come from Vicente Silveira’s June 6th blog.  I just picked 3 of his tips and the rest are included in his blog which can be found at Brian Krebs’ blog (www.krebsonsecurity.com).

So here are tips for changing your password asap:

1. I could access my LinkedIn account so didn’t have to log in with my password.  I went to the bottom of the home page, hit “Help” and found the FAQ about “Change Your Password.”

2. I hit that FAQ, was able to go to the “Settings” page and changed my password.  I did so by following Mr. Silveira’s tips.  You get to those tips by first accessing his June 6th blog and then going to the link included at the bottom of that first blog.

Here are 3 of Mr. Silveira’s tips for a stronger password:

3. Have a password of, at least, 10 characters. That might be obvious but many of us were schooled in the “8 character” password approach.

4. Randomly include cap letters, punctuation and symbols throughout the password.

5. Substitute numbers for letters that look similar (ex: 3 for the letter E).

Mr. Silveira’s tips might be obvious to many of you but I found all of them helpful reminders of how to craft stronger passwords.

The Wikimedia Foundation issued an important alert on May 14th on its blog (blog.wikimedia.org).  The scammers have figured out a way to worm their way — literally — onto our computers using fake ads on the Wikipedia website.  Philippe Beaudette, Director of Community Advocacy for the Wikimedia Foundation, wrote the blog to alert Wikipedia’s users.

I read Mr. Beaudette’s blog which is very helpful.  He wrote that Wikipedia only posts ads for non-profit fundraising efforts.  So if you’re using Wikipedia and see ads that seem to be from for-profit businesses, there’s a decent chance that your web browser’s been infected with malware or spyware.  How would this happen?  The malware and spyware’s being delivered through an unfortunately cleverly disguised browser extension that’s designed to run across multiple web browsers and operating systems.

The extension affecting Wikipedia is called “IWantThis!” and you don’t want it!  Brian Krebs (www.krebsonsecurity.com) has also written about “IWantThis!” and even went to its website.  He wrote that the website is deceptively well done as it makes it sound as if “IWantThis!” is just a harmless plugin that occasionally overlays ads on 3rd party websites and helps users share product information or online shipping wish lists with other readers.  What it really does is infect your computer and capture it.

Mr. Beaudette wrote that the “IWantThis!” extension is affecting Google Chrome users but that it’s capable of being installed across multiple web browsers including Mozilla Firefox and Internet Explorer.

What happens if you’ve installed it already?  Here are Mr. Beaudette’s helpful steps to remove it:

  1. Open the options menu via the “pipe-wrench” icon on the top right and choose “Settings”;
  2. Open the “Extensions” panel and there should be a list of the extensions that are installed on your computer; and
  3. Remove an “Extension” by clicking the “Remove” button next to an item.

Bottom line?  Don’t install anything unless you went and looked for it.

We’re not out of the woods on this one yet.  As I’ve previously written, the breach of credit and debit card accounts at Global Payments, Inc. was originally thought to have only gone back to June 2011.  That was bad news, especially given the uncertainty around the exact number of accounts that were breached.

In its April 1st announcement, Global Payments said only 1.5 million accounts were affected; advisories had gone out to Visa and MasterCard alerting them so they could, in turn, send advisories to their issuing banks.  Sometime in May, Global Payments sent an updated alert to Visa and MasterCard about potentially more accounts being affected since they said the breach could have been occurring since March 2011.

Now it looks as if the breach started back in January 2011 — and that nearly 7 million credit and debit card accounts could have been exposed.  That’s a magnitude so much greater than Global Payments is admitting.  In fact, on May 15th, Visa and MasterCard each sent another alert to their issuing banks to warn them to be on the lookout for fraud.  Those alerts were likely generated by Visa and MasterCard when Global Payments told them that the breach could go back to January 2011.  This disclosure was made by Tracy Kitten in a May 16th article for BankInfoSecurity.com (“Global Breach Date Now Jan. 2011”) and reported by Brian Krebs at his KrebsonSecurity.com.

We might have felt reassured that our card accounts weren’t affected since the breach was so old by now.  Not true as Avivah Litan, a fraud analyst at Gartner Research, has stated.  The potential fraud can still happen given this ever expanding time period.

What does this mean in practical terms?  It means that our private financial information could still be at risk.  We need to keep vigilant about reading our credit card and bank statements.  Immediately contact your card issuing bank if you see anything that looks suspicious.  And read anything that comes from your bank as it could be an updated alert about your credit and/or debit card accounts.