Play Along at Home: Fake Target ‘Order Confirmation” Email

December 8, 2014

Here’s a picture of a fake “Order Confirmation” email I received recently. How many clues can you spot that indicate something is not quite right?

2014-12-08-spam-01

Here’s what comes up if you hover the mouse over the word “link”:

2014-12-08-spam-02

 

How many fraud indicators did you find?

Here are the ones I found:

  1. Very vague subject line: if this were an actual delivery confirmation, the subject line would usually refer to it in some way. It wouldn’t just say “Order Info.”
  2. The “From” information: support@yummy.cookiesmadeeasy.com is not a Target email address.
  3. The logo is wrong. No bullseye anywhere.
  4. “As Thanksgiving nears…” Thanksgiving was a couple weeks ago. Wrong holiday, dummies.
  5. The (attempted) conversational tone of the email: if you had an actual order to pick up, the email would begin with this information. Whichever holiday is approaching is absolutely irrelevant (for the store) to the fact that they’ve got merchandise they want you to pick up as soon as possible.
  6. The excruciatingly bad grammar. Go ahead, read it out loud. It’s beyond horrid.
  7. This isn’t even how in-store pickup orders work…the customer chooses which store to have their purchase shipped to, and that’s where it goes. That’s the only place it goes. You don’t just go to any random location because they don’t ship one to every single store when an order comes in.
  8. And what happens if I don’t “pick it” within four days? Again, not how online orders work.
  9. The stores aren’t called “Target.com.”
  10. When you get a real order confirmation email, the order information is almost always included in the message. You don’t have to click a link to get to it.
  11. Speaking of links: makingteamsrock.com? Not a Target website.
  12. “Always yours, Target.com.” Pretty sure they don’t refer to themselves as “Target.com.” Or use “Always yours” as a closing.
  13. Not one single item in the “privacy policy” line at the bottom is an actual link.

So, I found thirteen. Did you catch any that I didn’t?


Strong Passwords: They’re Not Just for Online Banking Anymore

November 18, 2014

I’ve talked about the importance of strong passwords many times before. You can find several articles with this site’s search feature, or you can just read this quick rundown:

  1. Short, single word or short-word-and-a-number passwords are bad
  2. Passwords like “123456” and “password” are very, very bad.
  3. Passwords that are over 16 characters and consist of garbled strings of letters, numbers and special characters are good (“*#&uE9efh09efIUN98E(Ubdf%%23r” for example)
  4. Never use the same password for more than one website, and use a password storage program like Lastpass to help you maintain your sanity

Whenever I bring up passwords, though, I’m almost always talking about things like online banking, social networks, email accounts, and other websites where your credentials need to be kept confidential. What I don’t often bring up are all the THINGS that are now Internet-enabled.

Things like thermostats, interior lights and security cameras. Hot tubs, televisions. Garage door openers.rosie

The idea, of course, is to bring the vision of The Jetsons into the real world. We want to walk into a room and have the thermostat know we like it to be 73 degrees during the afternoon but 76 at night. We want to be able to check our security cameras from our phones while we’re on vacation. I personally want a black ’82 Trans Am with a self-aware cybernetic logic module (and a snarky sense of humor) that can jump over walls from a dead standstill, so I can go around punching out bad guys in tan leather jackets who have been poisoning horses or whatever.

But when your THINGS are connected to the Internet, you might face some new security and privacy issues. Many of these devices are pre-set with a default password (or have a username and password as an OPTION, in the case of older products), and if you don’t change the default (or set a password in the first place), anyone who knows the default password could manipulate them remotely. They could run up your utility bills or open your garage door from the other side of the globe. If your security cameras are remotely accessible and you don’t set a password, or leave it set to the default, someone could spy on you in your home. Or set up a website collecting hacked cameras from around the world so anyone on the Internet can watch.

So what applies to websites applies to your Internet-enabled appliances and other devices: use a good password for everything, and never leave a new device’s password set to the factory default (or neglect to set one up, if it’s optional). There are too many people who know how to access them.


Your card information has been stolen

October 10, 2014

Okay, so I can’t say for certain that you specifically have had your debit or credit card information stolen in a retail data breach.

But let me ask two questions:

  • Do you have a debit/credit card?
  • Do you ever use it to buy things in a store or restaurant?

If you answered YES to those, most likely one or more of your cards has been accessed during a data breach at some point.

If it hasn’t happened yet, it will. This is the world we live in right now.

Perhaps raising the stakes for retailers would help—I was not aware until recently that, for the most part, merchants bear none of the financial burden when their security practices lead to a massive data breach that exposes ten of millions of consumers’ card data to bad people. So they continue to allow single-authentication access to their point-of-sale machines, continue to use “password1″ and “abc123″ as their access codes, continue to just leave things as they are, because there is no reason not to.

So who pays for your replacement card? Who reimburses you for those fraudulent charges? Your bank or credit union do.

And then you pay for them, because this is a hard-and-fast rule of financial institutions: when they lose money, they will try to recover it from another source. So maybe a loan rate creeps up by a twentieth of a point, or a fee that used to be $2 is now $2.50. These may be tiny changes, but they still represent money you could have kept in your pocket.

Of course, financial institutions can be hacked, too. It happens. And those institutions pay for card reissue and reimbursement when it does. But it’s so much easier to mount a point-of-sale hack. Data breaches wouldn’t be such a common problem if it was too difficult—despite the word “hacker,” these criminals are not geniuses. There are too many of them.

The Credit Union National Association (CUNA) has mounted a campaign called “Stop the Data Breaches.” It’s worth a look.

Shouldn’t retailers bear some responsibility for data security, with as much consumer data as they handle every second?

It seems fair.


The IRS doesn’t tell you to load up MoneyPak cards

September 26, 2014

Today’s post is real simple:

If you get a phone call from someone claiming to represent the IRS, informing you of all the trouble you’re in due to unpaid taxes, you are almost definitely dealing with a scammer.

If the next thing they tell you is “don’t tell anyone” and “go load up a bunch of MoneyPak cards and call me back and give me the card information,” you are DEFINITELY, without any shadow of a doubt, dealing with a scammer.

The correct response is to hang up the phone. This latest round of IRS telephone scams appears to involve particularly aggressive callers, but remember: it’s just a voice on a phone. They can’t freeze your assets or confiscate your property because they’re not the IRS.

You can report the fraud at http://www.treasury.gov/tigta/ if you feel like it, but the main thing is: hang up the phone.

Source:

http://www.ic3.gov/media/2014/140925.aspx


What can consumers do about data breaches?

September 5, 2014

Home Depot, come on down. You are the next contestant on The Security Is Not Right!

Okay, so maybe that’s not confirmed just yet, and Home Depot is staying sort of quiet because they don’t want everybody to stop buying things from them, but Krebs has a pretty good hunch, and his hunches usually turn out to be right. Like Dumbledore.

But even if it turns out the breach was from somewhere else, it still leaves a question hanging in the air: what do we, as consumers, do about point-of-sale data breaches?

The first step is to not freak out about identity theft. I’ve always maintained this distinction, and it’s very relevant here: the theft of debit or credit card information is NOT the same thing as identity theft.

With your card credentials, thieves can make fraudulent charges (at least until your card processor realizes what’s going on and blocks transactions). Without your Social Security number and date of birth, they’re not going to be able to open new accounts or any of the other actions associated with identity theft.

[Optional Cynical Rant: This also goes to show something about the corporations hit by these data breaches: when they so-magnanimously promise they’re going to give all their customers “twelve months of FREE identity theft protection” against any identity theft that results from the data breach, they already know they won’t have to deliver anything, because nobody is going to have their identity stolen with just a card number, expiration date, security code and their name. You can’t commit identity theft with only those details.]

Okay, so you’re not freaking out about identity theft, but you’re still freaking out about the possibility of fraudulent charges. You have my permission to do so. Fraudulent charges are, at best, still a major irritant that can cause you to be late paying bills and other hassles. You don’t want them to happen at all if you can help it.

You could stop paying with cards altogether, sure. Start carrying cash for every single transaction. Like grampaw done. But remember that cash has its own set of disadvantages. If you lose it, it’s gone. If someone steals it, it’s gone. You can’t buy anything online with it. You can’t buy anything on credit with it. Heck, it’s dirty.

So if that’s not your favorite option, what’s left?

Being vigilant.

(Like I’ve been saying for years.)

First, don’t give your information to someone just because they ask, whether in person, by telephone, email, text message, instant message, semaphore, telegraph or cave painting. That’s RULE ONE for the prevention of all forms of fraud.

Second, for every card you have, credit or debit, have online access and check it regularly. Your debit cards are issued by your credit union or bank—they will be happy to set you with online banking. Use a good password, follow RULE ONE, and check your accounts regularly. Sometimes they will catch fraud first, sometimes you will.

If you’ve shopped at a store that has its customers’ data compromised, look through your account history online and make note of when you used your card at that retailer, and be extra-watchful.

Third, be prepared if you’ve used a card at a retailer that was compromised. Have another form of payment handy, because if your card issuer detects possible fraud, they will probably deactivate the affected card immediately. If they don’t have a chance to notify you, and you’re already trying to make a purchase with that card, your transaction could be declined. And if you were trying to buy something important (like, I dunno….GAS) you could end up stranded (or at least white-knuckling it while you drive home on fumes…I’m not going to confirm whether I speak from harrowing personal experience or not).

Don’t freak out, follow RULE ONE, be vigilant and be prepared. That’s what you can do about data breaches as a consumer.

Further reading/sources:


Talking to children about fraud prevention

August 7, 2014

I’ve been doing fraud and identity theft presentations for adults and high school and middle school students for several years now, but recently I realized I’d never presented to elementary school-aged kids, and had nothing prepared if the opportunity would arise.

Kids need to know this stuff, too. Sure we can all say, “Well, the parents shouldn’t let them on a computer without constant supervision in the first place,” but that’s not how it generally works in reality. Kids end up downloading things and talking to strangers and everything in between, and they work fast. You look away for five minutes because staring at a kid playing Minecraft in the name of “constant supervision” is one of the most boring things human beings are capable of doing, and suddenly your browser’s homepage has been hijacked and some weirdo knows your phone number.

So they need to learn, but what to tell them, and how to present it in a way they’ll understand?

I’ve been working on those questions while trying to come up with a fraud prevention presentation for the elementary school crowd, or at least the 3rd through 5th grade set. I’ve narrowed down a few things that I think are important:

1. Everything you see online was put there by a person

Kids trust everything and everyone. When they go online, they assume everything exists by benevolent magic. Show them a “Click here for free _____!” popup with Mario on it and they’re going to install anything it asks them to. What they need to understand is that everything they see was made by a person they don’t know and can’t see, and that not every one of those people are good. People lie because they make money tricking children.

2. Popup windows are not to be trusted

A popup window is probably bad news, especially if it offers free games, powerups for games, or prizes. Kids will accept anything if you tell them it’s a prize. Ask the tiny blue plastic mug I won at the school carnival in 1984. I still had that thing five years later.

3. A “virus” is a type of program that hurts your computer, phone or tablet

I’m still working on how to explain this one, but the gist is that the people who make things for you to download sometimes hide other programs inside it, and these can hurt your computers and devices, or even steal money from you.

4. Keep your passwords secret!

Parents need to know their kids’ passwords, but the kids need to know NOT to let anyone else know them. Not even their best friend. Not someone who asks for it really nicely. Nobody.

So this is a work in progress right now, but those four points seem like something a kid would be able to understand if explained properly. I’m sure I’ll rework some of these and add to it, but it’s a starting point.

 


New phishing attack poses as PayPal email…

June 27, 2014

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.


Follow

Get every new post delivered to your Inbox.

Join 210 other followers