Of data breaches and phishing

January 17, 2014

Pretty much everyone who pays attention to anything is aware that an awful lot* of credit and debit card information was stolen from Target stores by hackers. That card data almost immediately showed up for sale on Internet forums used by cybercriminals.

It is the biggest data breach story to date. A lot of people shop at Target, and even more people shop at Target between Thanksgiving and Christmas.

But, as with everything else, it can’t just stop there. Other scammers have to get their fingers in the pie, too; phishing attacks have begun to surface that mention the Target breach. These messages claim to offer protection from fraud, or ways to see if your card data was one of the compromised few.* And like every other phishing attack, they’re just trying to harvest your account information.

Even if you shopped at Target between November 27 and December 15, 2013; even if you’re really worried; even if you’ve already experienced fraudulent charges…a phishing attack is still a phishing attack. Never trust anyone who contacts you out of the blue and asks for personal or account information, whether by phone, email, text message, telegraph, smoke signal or semaphore.

As for what to do about the actual breach (now that you’re immune to the phishing attacks)? Keep tabs on your credit and debit cards. Get online access to your accounts if you don’t already have it (and use a good, strong password). If your card issuer offers email or text alerts for card activity, sign up for them. If you see something suspicious, report it to the card issuer immediately. Above all, don’t let your guard down when you get emails or text messages the refer to the data breach. Falling for a phishing attack can only make things worse.

*110 million or so.


Alert for businesses: beware of fake BBB complaint emails

January 18, 2013

I received an email recently that highlights the importance of business owners and employees being aware of various types of fraud activity:

From: Better Business Bureau <[redacted]@newyork.bbb.org>
Subject: Case #28475466
Owner/Manager

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by January 17, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada . This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,

BBB Serving Metropolitan New York, Long Island and the Mid-Hudson Region

There was a 102KB file attached to the message named “Complaint Case  #28475466.zip”. Except for the fact that it appeared to come from a Better Business Bureau office a thousand miles away, it looked pretty legitimate.

However, looks can be very deceiving.

According to a report from Cisco, the attachment is an executable file that contains malicious code. They don’t specify what that malware is, but given the nature of the message I would guess it’s designed to log keystrokes or use some other method to steal online banking credentials from businesses. Once they’ve got account numbers and passwords, they wire thousands of dollars out of payroll, expense and other accounts, then use their network of (unwitting and witting) money mules to launder the ill-gotten funds.

So here’s the lesson today: if you receive a message like the one above, do not under any circumstances open the attached file. If you think there might be a legitimate complaint from the Better Business Bureau, contact them directly. It’s a general rule, but in this case it applied more specifically to business owners and their employees.


IC3 annual report for 2011 released

May 11, 2012

The Internet Crime Complaint Center (IC3), a collaborative effort between the National White Collar Crime Center (NW3C) and the FBI, has released its 2011 Internet Crime Report. You can view or download the document here (this requires a PDF reader…if you don’t have one, I recommend Foxit).

It can be somewhat dry reading (fancy title page notwithstanding), but it includes some interesting data. The number of complaints received by the IC3 topped 300,000 for the third year running, a 3.4% increase over 2010 (but still down from the peak in 2009).

Work-at-home scams continue to be one of the top fraud types reported, though FBI impersonation scams brought in large numbers as well. I have some questions about this statistic, though: is the ratio of FBI impersonation fraud to other types reported to the IC3 genuinely reflective of their overall ratio “in the wild” (that is, including examples not reported), or is the incidence of this particular type of fraud being reported much higher than for other types because, if you get an FBI impersonation fraud email and you know it’s a scam, if you run a Google search on the scam, it’s going to direct you to the IC3 or FBI websites, where you’re asked to report it to the IC3?

I may be splitting statistical hairs here, but I’ve got an email address that gets just about every spam, scam and 419 email in the world (lucky me, eh?), and I’ve only seen one or two actual FBI impersonation messages over the past few years. Work-at-home schemes, on the other hand, simply run riot in my spam folder.

In any case, it’s a good overview of what schemes are currently most active, and at a mere 26 pages, it’s nowhere near as dull as most government documents.


So what’s the deal with RFID chips in plastic cards?

May 7, 2012

You may have seen news reports or read articles online about credit and debit cards that contain RFID (Radio Frequency Identification) chips. These devices are used to make it possible to use a card without swiping it through a reader (those Speedpass things at the gas station use this technology).

However, according to some sources, it’s possible for thieves to use electronic devices to steal the information on these chips without your consent, by simply passing close enough to your wallet to be within range. On one hand, retailers who sell aluminum wallets would have you believe that the only way to protect yourself is to purchase their wares. But they sort of have a vested interest in making you believe that, right?

On the other hand, an actual occurrence of thieves using this method to access credit or debit cards has never been reported. On the other other hand (we’re up to three hands, if you’re keeping track), if someone’s information was stolen through a handheld RFID reader, they wouldn’t really have a way to pinpoint it as the way their information was compromised. After all, tons of fraud and identity theft victims simply have no idea how the crime occurred.

Here’s something that might make you feel safer, though: one piece of information RFID chips don’t transmit is the verification code (the three digits on the back of the card). Without this, the rest of the information transmitted would be of very little use to a thief. Some businesses may allow a transaction without this information, but most do not. Also, newer RFID chips aren’t readable except from very close up, and many are encrypted as well.

But here’s a fairly foolproof way to be safe: carry more than one RFID chip-enabled card. Together they create a jumble of information that is utterly worthless to thieves. Alternatively, you could just carry no cards at all, but let’s face it: these days, that may not be the most convenient option.

Or I suppose you could buy one of those aluminum wallets. Some of them at least look sort of cool. If you’re on a budget, you could just wrap all your cards in aluminum foil, but you might get people asking you where your tinfoil hat is.


How to sell a car

August 10, 2011

Okay, misleading title; I’m not going to lay out a big pile of tips for putting a car up for sale or any of that jazz. There are a lot of different channels out there, from online auction sites, online classifieds, Auto Trader publications and newspaper classifieds to just parking the ol’ heap on the front lawn with a sign that says “$850 O.B.O.” Pick one or several and run with it.

I’m actually only going to offer one little tip for keeping yourself safe from fraud:

When you’re selling a car to someone else, do not sign over the title, hand over the keys or otherwise let the car out of your control until you have cash in your hand.

Cashier’s check? Counterfeits are everywhere, so wait until that check has been verified as legitimate.

Personal check? NO. Just…NO.

Cash? Great! You still should check for counterfeit bills, though.

The quickest way I can think of to do all of the above? Meet the buyer at your bank or credit union. Whatever s/he hands you, take it directly into the building and make a deposit.


Follow

Get every new post delivered to your Inbox.

Join 197 other followers