All posts by FPU

Don’t Compromise Your Security for the Sake of Nostalgia

Satirical image of old radio with "Do you remember your childhood Social Security Number?" superimposed.

Lately I’ve noticed a certain type of post circulating on social networks. I don’t know if they have a name, but they generally appeal to a sense of nostalgia. There will be an image of an old telephone with the question, “Do you remember your childhood telephone number?” Another one asks which movie you love that you’ve seen over and over. And people dutifully post their responses to these questions as comments on the post.

Now, here’s the issue: there is a thing called “Knowledge-Based Authentication” (KBA). It is a deeply flawed but still very common online security practice that asks the user to answer a series of multiple-choice questions that supposedly only he or she would know the answer to. Several of the major credit bureaus use it when you place a freeze on your credit through their websites. So you might get a question like:

Which of the following phone numbers have you been associated with?

a. 417-555-3456
b. 322-555-4632
c. 322-555-0989
d. 786-555-3674
e. None of the above

If you responded to a Facebook post about your phone number growing up, there is a small chance you have just put one of your KBA answers out on the public internet.

What about that “movie you’ve seen over and over” question? Have you ever logged into an online account and had to create answers to security questions? These are designed as a line of defense against unauthorized login attempts; if a login from a different computer or location is detected, it will trigger the security questions and prevent further access if they are answered incorrectly.

“What is your favorite movie?” is definitely the type of security question that could be used by a website, and if there’s a movie you’ve seen many times, chances are it’s your favorite. If you answered the post, you may have revealed the answer to one of your security questions to the world. Several celebrities have had their Twitter accounts hacked because they used real, easy-to-find-out answers for their security questions.

Of course, these tiny pieces of information are simply pieces, not the whole puzzle. But the more puzzle pieces are in place, the more you begin to see the whole picture. The less information you put out there, the better – you don’t owe the internet anything. Think before you post any personal information online, even if it seems innocuous or silly on the surface. Anything you reveal can be used against you.

Fraudulent Customer Service Phone Numbers

By now you’ve probably heard about Tech Support Scams, where someone calls you out of the blue and tries to convince you that your computer is infected with a virus, that they have somehow detected it remotely, and that the only way to fix the problem is to hand over money, control of your computer, or both.

It’s one of those scams that can easily be avoided with the question, “Who initiated contact?” If they called you, it’s fraudulent.

But what about when you’re the one initiating contact?

When you need customer service from a large company like Amazon, Facebook or Netflix, it’s important to make sure you’re getting their contact information from a trustworthy source. Internet searches might lead you to a correct number, but the internet is also brimming with hundreds of examples of fraudulent customer service numbers, posted by criminals in hopes that you will call them instead of the legitimate phone number.

What happens if you call a fraudulent number? They may try to get your password information to take over your account and lock you out, they may ask you to reveal credit card or other financial account information, or they may take over your computer (with your help) and install malicious software or commit other crimes.

If you need to contact customer service, make sure you’re getting your information from a reliable source. Don’t trust phone numbers that appear in online forums. If you notice zeros replaced with the letter “O” (1-8OO instead of 1-800, for example), that’s a sure sign of a fraudulent phone number.

With some companies, Facebook being the most prominent example, there simply is no phone number you can call. Any problems have to be resolved using online tools. Every single phone number you see listed on the internet as a Facebook customer service line is false information.

The best way to find customer service contact information is to go directly to the company’s website and look for links like “Help” or “Contact Us.” Sometimes there will be options for help via email or chat and no option for telephone contact; other times the phone number will be front and center. It depends on the company you’re dealing with. In any case, to avoid a massive headache and potential losses to fraud, always make sure you’re getting the number from the official source before you even pick up the phone.

Gas Pump Card Skimmers and How to Avoid Them

Technology is essentially a process of making tasks easier for ourselves. The electric refrigerator was a lot easier to deal with than the icebox, which was a lot simpler than having to can, cure or smoke nearly every single scrap of food you weren’t going to eat in the next day or two. As far as ease-of-use goes, the telephone beat the telegraph by a long shot, and transporting your music collection became a whole lot easier when the iPod took over the world in 2001.

The problem is that technology makes things easier for criminals, too.

There was a time when a thief who wanted to install a skimmer on a gas pump card reader had to place the device, which tended to look “wrong” in the first place, over the dispenser’s actual card reader, hide out and hope nobody noticed it, then return to the scene of the crime to retrieve the device and the data contained therein.

But now, if they’re high-tech, thieves can attach the skimmer (which is a lot smaller and easier to conceal) and then use Bluetooth to obtain the data in real time from a few hundred feet away, with no need to return to the pump. If they’re really high-tech, they can install a skimmer that uses SMS technology to send the data as a text message to anywhere in the world. The crook placing the device can just be a hired contractor.

At some point, it gets frustrating. What can I tell you to help you avoid getting your card data skimmed at a gas pump? The original deadline to equip dispensers with chip card readers was pushed back from 2017 to 2020, so we’ve got at least three more years of magnetic stripe readers being the norm, and that’s assuming they don’t find a way to push back the deadline yet again, which they almost certainly will.

I could tell you to inspect the pump for anything that seems out-of-place, or to use the pumps nearest the station, since the installer’s main goal is generally to not be seen. Never run your debit card as “debit” (i.e., never enter your PIN). Use only well-lit, well-maintained dispensers. Et cetera. But those are stopgap measures at best.

No, the only thing I can tell you is this: forget about pay-at-the-pump. Pretend it never existed. Go inside the station to pay for your gas. It involves more walking. It takes longer. It’s more of a pain, less convenient. They’ve got lots of tempting, terrible-for-you food in there. But the risks of having your card skimmed are much lower. Shop around to see which stations have a chip-enabled terminal inside, and only buy from those stations. It’s really the best option at this point.

How to Freeze Your Credit

The recent Equifax data breach exposed the personal identifying information of at least 143 million U.S. consumers, which has led to a wider interest in placing a “security freeze” on credit reports (a.k.a. “freezing your credit”).

A security freeze prevents new credit accounts from being opened using your personal information, unless you lift the freeze in advance of applying for credit. This is accomplished using a PIN that either you or the credit bureaus create when placing the original freeze. This means that a freeze can stop an identity thief from creating new lines of credit, even if they already have all of your information.

A credit freeze is an important tool in preventing one type of identity theft, but does not prevent existing accounts from being accessed with stolen credentials, fraudulent credit or debit card transactions, employment or medical identity theft, or the filing of fraudulent tax returns. In other words, even after you place a security freeze, you still have to remain aware of the risks of identity theft.

There are three major credit bureaus and one minor. Here is where to go for each one, as well as some notes (information is accurate as of 10/2/2017, but websites may be updated in the future):

TransUnion: https://www.transunion.com/credit-freeze/place-credit-freeze2

Notes: use the “Click to initiate freeze process” link (last item under the “How Do I Decide What to Do?” table). Note that a “lock” is different from a freeze; what you want is a freeze. TransUnion requires you to create an account with a password, then you can place the freeze and create your PIN. To temporarily lift the freeze, log in at https://freeze.transunion.com.

Experian: http://experian.com/freeze

Notes: Experian is probably the easiest of the four to use, with the “Add a security freeze” option prominently displayed. You can create your own PIN, or have the site generate one for you. You can also choose whether to print your receipt or have it emailed to you. Double-check that your email address is correct if you choose this option! Visit the same site to temporarily lift the freeze.

Equifax: https://www.freeze.equifax.com

Notes: Equifax creates a “one-time PDF” which contains your PIN (the site generates it for you). Make sure you’ve got a PDF reader installed beforehand so you can view the file (Adobe and Foxit are popular free choices). Visit the same site to lift a freeze.

Innovis: https://www.innovis.com/personal/securityFreeze

Notes: Innovis sends your PIN via postal mail around 10 business days after you place the freeze. To lift the freeze, visit the same website and follow the instructions.

One Easy Rule for Avoiding Investment Fraud

I read about a phony investment scam recently. This one didn’t even have the sophistication of a pyramid or Ponzi scheme. The pitch basically consisted of this: “Give us $800 now, and later you’ll get up to $3,000 for being an early investor.”

I’m not even sure how much detail it went into beyond that.

And sure, it’s easy to spot such an obvious scam…from the outside. But real people fell for it. There was something about the approach that sounded appealing and legitimate. I say it all the time: nobody is 100% immune to fraud.

Still, I wasn’t going to write a whole article about this particular scheme because there really wasn’t anything to write about, but it did make me think, “Is there some kind of basic rule that people can use to filter out schemes like this?” The victims were approached with an (alleged) investment opportunity that sounded good, sent their money, and never got a dime back.

And there it was: they were approached.

They weren’t looking for something to invest in. Somebody approached the victims, out of the blue, with the promise of large, guaranteed returns.

Large, guaranteed returns are suspicious enough, but think about how investing really works in the real world: unless you’re a venture capitalist, nobody is ever going to simply approach you out of nowhere with something to invest in. If you want to invest for profit, you’ve got to find your own opportunities. You can hire a firm to help, or strike out on your own, but there’s never really been a case where, “Hey stranger, give me money and I guarantee you’ll get all of it back, many times over, in return” has turned out to be a legitimate offer. People don’t just share money with strangers. They don’t even share it with friends most of the time.

So here’s your one easy rule:

Be very suspicious of any investment opportunity where you did not initiate contact.

This touches on affinity fraud, too, where someone will use shared membership in a group to build trust in order to sell fraudulent investments. This often happens in churches, where a member of a congregation will present materials relating to an investment that later turns out to be nothing more than a scam.

You can ask other questions, too. Is the person selling this investment licensed to do so? Does the offer make sense vis-à-vis how the world actually functions? Why are you, of all people, being given this opportunity? Are the promises being made just a little too amazing? Is the seller hitting the “I’m just like you” note a little too hard? Is there a shadowy, mysterious “they” that supposedly doesn’t want you to know about the investment? Are they talking about “guaranteed” returns?

All of these questions can help you filter out an investment scam, but if you stop at the point a stranger is making a too-good-to-be-true offer, you can avoid fraud from the outset. It doesn’t apply to every case (because nothing applies to every case), but it’s a pretty good start. If someone is presenting an out-of-the-blue investment opportunity, that’s your first red flag.

Things You Didn’t Win: the BMW Lottery

I found this gem in my junk folder the other day. Apparently they’re trying to come up with something other than the usual Microsoft Lottery business, but all this amounts to is a different paint job on an old scam. I guess we’re supposed to think, “Well, that thing about the Microsoft Lottery may have been a scam…but this is totally different! They’re giving me a car, too!”

From: Mr Brian Kelly <info@u.s.a.org>
Subject: BMW LOTTERY DEPARTMENT

BMW LOTTERY DEPARTMENT
5070 WILSHIRE BLVD
LOS ANGELES. CA 90036
UNITED STATES OF AMERICA.
EMAIL: Bell4glenn@usa.com
Help Line:+1-850-396-4184

NOTE: If you received this message in your SPAM/BULK folder, that is because of the restrictions implemented by your Internet Service Provider, we (BMW) urge you to treat it genuinely.

Dear Winner,

This is to inform you that you have been selected for a prize of a brand new 2016/2017 Model BMW X5 SUV and a Check of $3,500,000.00 USD from the international balloting programs held on the 2nd section in the UNITED STATE OF AMERICA.

Description of prize vehicle;
The X5 has enough luxurious space for everybody. Rear Comfort seats with enhanced foam padding offer 3” of forward/backward movement, putting passengers in the perfect position to utilize a DVD drive and two optional 10.2” LCD screens. An optional third row seat offers extended capacity, and includes its own climate control.

Options: With one of BMW’s largest cargo spaces, you’ll find it hard to run out of anything. The X5’s rear seats split 40/20/40, folding away to convert 35.8 cubic feet of trunk space in to a full 76.7 cubic feet. Details like two cargo rails, four fastening points, a tensioning strap, and a rear cargo net add enough function to store it all.

The optional Wi-Fi Hotspot keeps you connected to everything you love whether you’re on-the-go or far off the beaten path. Included with the Wi-Fi Hotspot, a Wireless Charging Pocket will keep you fully charged anywhere the road may lead.

The selection process was carried out through random selection in our computerized email selection system (ESS) from a database of over 250,000 email addresses drawn from all the continents of the world which you were selected.

The BMW Lottery is approved by the British Gaming Board and also Licensed by the International Association of Gaming Regulators (IAGR). To begin the processing of your prize you are to contact our fiduciary claims department for more information as regards procedures to the claim of your prize.

Name: Mr.Glenn Bell
Email: Bell4glenn@usa.com

Contact him by providing him with your secret pin code Number
BMW:255125HGDY03/23.

You are also advised to provide him with the under listed information as soon as possible:

1. Name In Full :
2. Residential Address :
3. Nationality :
4. Age :
5. Sex
6. Occupation :
7. Direct Phone :
8. Present Country :
9. Email address :
10. BMW Winning Code:BMWLOTTERY577648/001

Please you are to provide him with the above listed details as soon as possible so he can begin with the processing of your prize winnings.

Congratulations again from all our staff and thank you for being part of our promotional program.

Mrs. Rachael Adams.

THE DIRECTOR PROMOTIONS
BMW LOTTERY DEPARTMENT
UNITED STATES OF AMERICA

Interestingly, the physical address listed is for an actual BMW dealership in Beverly Hills. I wonder how many weird letters they’ve received from people who opted to print out the requested information and mail it, instead of using email as instructed.

I think my favorite detail is the “NOTE” right at the beginning; “If this was in your junk email folder, it’s YOUR fault. Not the fact that this is the very definition of junk.”

As always, there is only one correct response, which is to ignore and delete.

Nothing New Under the Sun: The Walmart Cashback Hoax Lives

There are some hoaxes that just keep. Coming. BACK.

They’re like slasher-movie villains. “Oh, so you strapped him to a small nuclear warhead, which you then detonated inside a warehouse full of knives and lava? Well, here he is again…bigger and stronger than ever! Sequel number six, comin’ atcha!”

The “Bill Gates is giving money away to strangers” hoax recently went full Jason Voorhees, and according to my site traffic another slice of antique Internet alarmist lore has begun to resurface: the idea that Walmart cashiers all over the country are requesting $20 or $40 cash back on card transactions without telling the customer, and pocketing the money.

This so-called “scam warning” dates back to 2004, and made resurgences in 2009 and 2013. A quick online search shows that it’s making the rounds again in 2017. If you think of them as sequels, it makes this year’s version Walmart Cashback Scam Hoax IV: The Final Chapter, I guess.

(Only it’s never really the final chapter, is it? Watch for Walmart Cashback Scam Hoax V: A New Beginning in 2021 or so. By 2030 we’ll be on Bill Gates’ Free Money Vs. Walmart Cashback Hoax. And then a reboot after that…)

Here’s the whole problem with the warning: there is only one person who can request cash back during a transaction at Walmart, and it’s the customer, by pressing the correct button on the card swipe terminal. There is no secret “cash back” button on the register itself.

From Snopes.com:

We investigated a number of different WalMart stores in different areas…[i]n not one single case did we find a store with a checkout system that allowed cashiers to initiate cash back transactions on customers’ cards on their own, without any involvement, knowledge, or approval on the customer’s part. There was simply no way for a cashier working at any of these businesses to surreptitiously place a cash back charge on a customer’s card and furtively pocket the money, all without the customer’s requesting or knowing about it.

So why are so many people convinced they’ve been defrauded by greasy cashiers? Snopes again:

In every case of customers’ complaining about getting cash back from credit/debit card purchases without having requested it that we were able to track down, the cause turned out to be that those customers didn’t pay close enough attention to the prompts on the card processing keypads or simply pressed the wrong keys by mistake.

Nobody likes to admit they made a mistake, do they? “There’s no way I pressed a button I didn’t intend to. I’m perfect. It was that mean ol’ cashier.”

Also, the typical Walmart cashier has more cameras pointed at them than a blackjack table at a casino. It would be an impressive feat of close-up magic indeed to be able to pull off this alleged scheme, even by reaching over and pressing the buttons on the swipe terminal for the customer. And if a cashier was doing that over and over, you can bet somebody would notice.

Furthermore, it fails the most basic test of all: the cashiers actually handed the correct cash back amount to the customer. From Snopes (last one, I promise):

[I]n nearly every one of those cases it was verifiable that the complaining customers had in fact been handed the appropriate amount of cash back by their cashiers (even though they insisted they hadn’t requested it).

Now, I’ll admit I haven’t seen everything this world has to offer, but I have yet to come across a scam where the basic mechanic is, “I’m going to let you keep the money that’s already yours, and then I get nothing.” Most real scams have a profit motive.

Further furthermore, many of the stories claim the customer was using a credit card. They specifically mention it because the overage would “count as a cash advance.” The problem is, as far as I know, you can only request cash back with a debit card during a retail purchase. Whatever those self-proclaimed victims thought was happening, it wasn’t that. Which may explain why this thing has gone (and continues to go) so viral: people see the warning, then something unusual happens during a purchase (an item rang up incorrectly, the cashier didn’t know the PLU for parsnips offhand, their debit card gets denied for insufficient funds) and they try to retro-fit their experience onto the thing they read earlier. “Yeah, that happened to me, too!”

Here’s one more clue that you’re looking at a hoax: the warning is often accompanied by the same image of a receipt from 2013, but it always happened “recently” to “someone I know.” All the receipt proves is that someone selected $40 as their cash back amount when prompted by the card terminal one day four years ago. There is nothing about it that proves a crime was committed.

Here’s the original article, whole chunks of which I have pasted into this one: http://www.snopes.com/fraud/atm/cashback.asp

Avoiding Fraudulent Debt Collectors

Debt collection generally works like this: a creditor who can’t devote the necessary time and resources needed to recover funds from old delinquent loans sells those debts to a collection agency, often for pennies on the dollar, to cut their losses a little. That agency, which now owns the debt, contacts consumers and tries to negotiate at least partial repayment.

Naturally, there are also con artists posing as debt collectors, attempting to obtain money, personal information, or both from victims. There are also collection agencies who stray from established, legal methods in order to collect legitimate debts. Here are six warning signs to watch for.

They’re trying to collect on a debt you don’t owe

Unscrupulous collectors will sometimes contact people with the same name as the actual debtor, or even settle for someone with a similar name. An outright scam artist might simply invent a debt out of thin air, or threaten random people in hopes that someone will pay out of sheer terror. In any case, never agree to pay a debt you don’t owe. Ask for a written validation notice. If they refuse, that’s a sign of trouble. Get as much information as you can about the agency, and report them to the FTC.

Important Note: collection calls for debts you didn’t incur can also be a signal that you have been a victim of identity theft. If you’ve received such a call, it may be time to check your credit report if you have not done so recently, to look for anything that shouldn’t be there.

They’re threatening you with arrest, lawsuits, or violence

For the most part, debt collectors are allowed to inform you that you owe a debt, provide proof that you owe it, state to whom the debt is owed, and present options for payment. They are not allowed to threaten you with arrest or legal action, and they’re especially not allowed to threaten physical harm to you or those around you.

They’re demanding personal information

Even if you actually owe money, there is no reason for them to ask for personal identifying information or account numbers over the phone. It’s one of the core rules of fraud and identity theft prevention: never reveal personal information to a stranger who contacted you out of the blue.

They won’t give you any information

If the caller won’t tell you the name of the agency, to whom the debt is owed, or anything else about whom he or she represents, be very suspicious. A legitimate collector will be transparent about these things, presumably because they want to actually collect on delinquent debts and stay in business, instead of being shut down by the FTC.

They’re calling in the middle of the night

This applies to a lot of other types of calls, but if they’re calling you before 8:00 a.m. or after 9:00 p.m., you have every reason to suspect either a scam or a rogue debt collector. There are rules about when they can contact you by phone. It’s kind of like putting yourself on the Do Not Call registry; if they’re already violating one rule, what else are they up to?

They keep calling after you’ve told them not to

Even if you’ve got a legitimate debt, you can still tell a collector to stop contacting you about it. Usually you will have to provide this request in writing, but once you do, they’re supposed to knock it off. Of course, if they won’t even provide an address to send said request to in the first place, you already know something is fishy.

Resources

Learn more about debt collection scams:

Report a debt collector to the FTC:

File a complaint with the Indiana Attorney General’s Office:

Hard Knocks: Student Loan Relief Scams

Congratulations, it’s time to pay off your student loans!

Most people in the U.S. exit postsecondary education with at least some student loan debt, and sometimes paying those loans off can present problems. While there are well-established paths to reducing the burden of a large student loan balance, there are also plenty of con artists waiting to take your money and make things even more difficult. Here are a few things to watch out for.

Upfront Fees

It is not illegal per se to charge a fee for services, such as consolidating your federal student loans, that you can do on your own for free, in much the same way that it’s not illegal to charge a fee for tax preparation.

However, any upfront fee for help with student loan repayment is a sure sign of a scam. Don’t pay for anything in advance, and even if they’re not charging an upfront fee, look at what they are charging compared to what you’re actually getting in return. Is it worth it? Do your research on every company you’re considering working with.

Debt Elimination

There are not many ways to have your student loan debt erased completely, and if you’re reading this you already don’t qualify for the primary one (death). Also, if you were taken in by a for-profit college that used falsified job placement numbers to lure students, there may be programs that might help. There are a few other options that apply to very specific cases. Other than those, with very few exceptions, once you have student loan debt, it’s yours until you pay it off. Bankruptcy won’t even touch it.

This means anyone advertising student loan elimination or forgiveness is trying to scam you. There is no way to pay a company a fee in exchange for your student loan debt disappearing. All you’ll end up doing is losing money and ruining your credit.

High Pressure Tactics

If you’re being told that an offer is only good for a certain amount of time, or being pressured in any other way by a salesperson, that’s a sign of a scam. There are no limited-time-only offers when it comes to student debt relief. They don’t hold blowout sales on this stuff.

What You Can Do

You can consolidate your federal student loans, adjust your repayment schedule, defer your repayment period and more yourself, for free, through the Federal Student Aid Office of the Department of Education. If you have private student loans, you can contact those lenders for options as well. There is no compelling need to pay anyone to do these things for you, unless you choose to do so and know what you’re getting into before agreeing to anything. Again, do your research.

One of the best resources for detailed information on student loan repayment is the Federal Student Aid Office website (https://studentaid.ed.gov). It also features specific information on avoiding scams (https://studentaid.ed.gov/sa/types/scams).

Strong Passwords and Where to Store Them

There was a time when you only really saw hackers in movies, and often they were the good guys. Sometimes you’d even get a montage of a hacker typing away while a driving, synth-heavy pop tune played. But today hackers are a major, persistent threat, and your passwords are your first line of defense against intrusions.

Make Your Passwords Complex

The days of using Fox Mulder’s X-Files password “trustno1” for everything are long gone. It’s still one of the most-used passwords, and even a novice hacker would be able to crack it with little trouble (possibly just by guessing it). Other extremely common passwords include “password,” “abc123,” “monkey” and “password1.”

The time has come for your passwords to be long, nonsensical strings of letters (upper and lowercase), digits, and special characters.

How Secure Is My Password? is an online tool you can use to compare different types of passwords (I’d still recommend against entering your actual passwords into the site, just because). Type a password into the box and the site will tell you how long it would take a computer script to hack it. Compare these screenshots from the site for these passwords:

trustno1:

$e4!gQ%pgeuXR3Fc:

Going longer than 16 characters can push that number of years into the octillions, nonillions and decillions, but one trillion years is probably plenty. Keep in mind that the website above is sponsored by Dashlane, a password manager program (I’ll get to those shortly).

Don’t Reuse Passwords

Don’t use the same password for multiple websites or apps. Hackers who gain access to one username and password combination will attempt to use that same combination on other sites, especially financial accounts and sites where additional personal information might be obtained. If your login information for some discussion board you haven’t used for months is compromised, and you’ve used that same username/password combination for all your online banking activities, the hackers probably aren’t as interested in posing as you on the message board as they are in trying your credentials out on a few of the larger bank or credit card websites.

Don’t Let Passwords Get Stale

You also need to change your passwords every so often – twice a year is a good start. Data breaches have happened recently (the Cloudflare bug earlier this year, for example) that exposed millions of users’ information. It’s a good practice to regularly create new passwords for all the sites you use (and even the ones you don’t use as often).

Use a Password Manager

Use long, complicated passwords, use a different one for every site, change them all the time – okay, but how are you supposed to remember them?

A password manager is a program (usually a browser plug-in for desktop and laptop computers, or an app for tablets and phones) that stores your passwords and can automatically fill in your login information on sites. Your passwords are kept safe with up-to-date encryption technology, and you only have to remember a single master password. These programs can also automatically generate strong passwords that will stump a brute-force attack.
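The sketch below is an added example, not code from this post, from the How Secure Is My Password? site, or from any password manager. It estimates exhaustive-search time for the two passwords compared above, shows why a listed common password gets no credit for its keyspace, and generates a random 16-character password. The guessing rate and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Common passwords named in the post. A real checker would load a far larger list.
COMMON_PASSWORDS = {"trustno1", "password", "abc123", "monkey", "password1"}

# Assumption (not from the post): an offline attacker testing 10 billion guesses/second.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def alphabet_size(password):
    """Size of the smallest alphabet covering every character class the password uses."""
    known = "".join(CHARACTER_CLASSES)
    size = sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (spaces, non-ASCII) count individually.
    size += len({c for c in password if c not in known})
    return size


def keyspace_bits(password):
    """Upper bound on strength in bits. Only meaningful for randomly chosen passwords."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def exhaustive_search_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Average time to find the password by trying every string of its length."""
    if not password:
        return 0.0
    return alphabet_size(password) ** len(password) / 2 / rate


def assess(password):
    """Combine the dictionary check with the keyspace estimate."""
    common = password.lower() in COMMON_PASSWORDS
    # A listed password is tried first, so its keyspace buys no time at all.
    seconds = 0.0 if common else exhaustive_search_seconds(password)
    return {
        "common": common,
        "bits": round(keyspace_bits(password), 1),
        "years": seconds / SECONDS_PER_YEAR,
    }


def generate_password(length=16):
    """Random password from a CSPRNG, containing all four character classes."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CHARACTER_CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ("trustno1", "$e4!gQ%pgeuXR3Fc"):
        print(pw, assess(pw))
    print("raw search time for trustno1 (s):", exhaustive_search_seconds("trustno1"))
    fresh = generate_password()
    print("generated:", assess(fresh)["bits"], "bits")
```

The keyspace figure assumes every character was chosen at random, which is why the dictionary check runs first.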

There are a lot of different password managers to choose from, and many have both free and paid versions. LastPass is one of the most popular, and the Premium version is only $12 per year. Dashlane is highly rated, but at $40 the price is a little steeper. PCMag has two articles that give a nice rundown of the best ones, both free and premium, and their features: