What can consumers do about data breaches?

Home Depot, come on down. You are the next contestant on The Security Is Not Right!

Okay, so maybe that’s not confirmed just yet, and Home Depot is staying sort of quiet because they don’t want everybody to stop buying things from them, but Krebs has a pretty good hunch, and his hunches usually turn out to be right. Like Dumbledore.

But even if it turns out the breach was from somewhere else, it still leaves a question hanging in the air: what do we, as consumers, do about point-of-sale data breaches?

The first step is to not freak out about identity theft. I’ve always maintained this distinction, and it’s very relevant here: the theft of debit or credit card information is NOT the same thing as identity theft.

With your card credentials, thieves can make fraudulent charges (at least until your card processor realizes what’s going on and blocks transactions). Without your Social Security number and date of birth, they’re not going to be able to open new accounts or any of the other actions associated with identity theft.

[Optional Cynical Rant: This also goes to show something about the corporations hit by these data breaches: when they so-magnanimously promise they’re going to give all their customers “twelve months of FREE identity theft protection” against any identity theft that results from the data breach, they already know they won’t have to deliver anything, because nobody is going to have their identity stolen with just a card number, expiration date, security code and their name. You can’t commit identity theft with only those details.]

Okay, so you’re not freaking out about identity theft, but you’re still freaking out about the possibility of fraudulent charges. You have my permission to do so. Fraudulent charges are, at best, still a major irritant that can cause you to be late paying bills and other hassles. You don’t want them to happen at all if you can help it.

You could stop paying with cards altogether, sure. Start carrying cash for every single transaction. Like grampaw done. But remember that cash has its own set of disadvantages. If you lose it, it’s gone. If someone steals it, it’s gone. You can’t buy anything online with it. You can’t buy anything on credit with it. Heck, it’s dirty.

So if that’s not your favorite option, what’s left?

Being vigilant.

(Like I’ve been saying for years.)

First, don’t give your information to someone just because they ask, whether in person, by telephone, email, text message, instant message, semaphore, telegraph or cave painting. That’s RULE ONE for the prevention of all forms of fraud.

Second, for every card you have, credit or debit, have online access and check it regularly. Your debit cards are issued by your credit union or bank—they will be happy to set you up with online banking. Use a good password, follow RULE ONE, and check your accounts regularly. Sometimes they will catch fraud first, sometimes you will.

If you’ve shopped at a store that has had its customers’ data compromised, look through your account history online and make note of when you used your card at that retailer, and be extra-watchful.

Third, be prepared if you’ve used a card at a retailer that was compromised. Have another form of payment handy, because if your card issuer detects possible fraud, they will probably deactivate the affected card immediately. If they don’t have a chance to notify you, and you’re already trying to make a purchase with that card, your transaction could be declined. And if you were trying to buy something important (like, I dunno….GAS) you could end up stranded (or at least white-knuckling it while you drive home on fumes…I’m not going to confirm whether I speak from harrowing personal experience or not).

Don’t freak out, follow RULE ONE, be vigilant and be prepared. That’s what you can do about data breaches as a consumer.


Talking to children about fraud prevention

I’ve been doing fraud and identity theft presentations for adults and high school and middle school students for several years now, but recently I realized I’d never presented to elementary school-aged kids, and had nothing prepared if the opportunity would arise.

Kids need to know this stuff, too. Sure we can all say, “Well, the parents shouldn’t let them on a computer without constant supervision in the first place,” but that’s not how it generally works in reality. Kids end up downloading things and talking to strangers and everything in between, and they work fast. You look away for five minutes because staring at a kid playing Minecraft in the name of “constant supervision” is one of the most boring things human beings are capable of doing, and suddenly your browser’s homepage has been hijacked and some weirdo knows your phone number.

So they need to learn, but what to tell them, and how to present it in a way they’ll understand?

I’ve been working on those questions while trying to come up with a fraud prevention presentation for the elementary school crowd, or at least the 3rd through 5th grade set. I’ve narrowed down a few things that I think are important:

1. Everything you see online was put there by a person

Kids trust everything and everyone. When they go online, they assume everything exists by benevolent magic. Show them a “Click here for free _____!” popup with Mario on it and they’re going to install anything it asks them to. What they need to understand is that everything they see was made by a person they don’t know and can’t see, and that not every one of those people is good. People lie because they make money tricking children.

2. Popup windows are not to be trusted

A popup window is probably bad news, especially if it offers free games, powerups for games, or prizes. Kids will accept anything if you tell them it’s a prize. Ask the tiny blue plastic mug I won at the school carnival in 1984. I still had that thing five years later.

3. A “virus” is a type of program that hurts your computer, phone or tablet

I’m still working on how to explain this one, but the gist is that the people who make things for you to download sometimes hide other programs inside them, and these can hurt your computers and devices, or even steal money from you.

4. Keep your passwords secret!

Parents need to know their kids’ passwords, but the kids need to know NOT to let anyone else know them. Not even their best friend. Not someone who asks for it really nicely. Nobody.

So this is a work in progress right now, but those four points seem like something a kid would be able to understand if explained properly. I’m sure I’ll rework some of these and add to it, but it’s a starting point.

 

New phishing attack poses as PayPal email…

…and it’s convincing.

I mean, I hate to sound almost impressed by some cruddy email scammer, but as far as “click here to log in and verify your account” phishing attempts go, this one is devoid of broken English, and uses information taken from a recent data breach at eBay to ratchet up the realism by using the target’s actual name. If there is a spectrum of phishing attacks that ranges from “laughable” to “frighteningly realistic,” this one falls much closer to the latter than the former.

The Consumerist blog has a full article that discusses it in greater detail. I strongly suggest you read it. In the example they use, the recipient only used that email address for eBay and PayPal, which added to the realism. It’s a good idea to have separate email addresses used only for online transactions because it helps weed out phishing (if you get a message on your OTHER account that supposedly comes from PayPal, you know it’s fake right away). However, as soon as there is a data breach, your specific-purpose email address can be targeted as well. My guess is that this guy is going to start seeing a ton of spam hitting his eBay/PayPal-only email, and he’ll have to abandon it for a new one.

At its core, this phishing attack was just another “click here to verify” attempt, but by using data from a breach, its success rate is bound to be higher than usual. It’s why you can never stop paying close attention to everything you click on.
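The dedicated-address check described above can be written down as a small mail triage rule. This is an added example, not part of the original post; the `REGISTERED` mapping, the addresses and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical mapping: the one address each service was ever given.
REGISTERED = {
    "paypal": "shop-only@example.org",
    "ebay": "shop-only@example.org",
}


def claimed_services(msg):
    """Services the message claims to come from (display name, address, subject)."""
    name, addr = parseaddr(msg.get("From", ""))
    haystack = f"{name} {addr} {msg.get('Subject', '')}".lower()
    return sorted(s for s in REGISTERED if s in haystack)


def recipients(msg):
    """Every address the message was addressed or delivered to, lowercased."""
    fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
              + msg.get_all("Delivered-To", []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def triage(raw):
    """Return 'fake', 'unverified' or 'no-claim' for one raw message."""
    msg = message_from_string(raw)
    services = claimed_services(msg)
    if not services:
        return "no-claim"
    rcpts = recipients(msg)
    if any(REGISTERED[s] not in rcpts for s in services):
        # The service never had this address, so it cannot have sent this.
        return "fake"
    # Right address is NOT proof: after a breach the dedicated address and
    # the real name are in the attacker's hands too. Do not click; log in
    # by typing the site's address yourself.
    return "unverified"


# Constructed sample messages.
FAKE_TO_PERSONAL = (
    'From: "PayPal" <service@paypal.example>\n'
    "To: personal@example.org\n"
    "Subject: Verify your account\n\n"
    "Click here to log in and verify your account.\n"
)
BREACH_TARGETED = (
    'From: "PayPal" <service@paypal.example>\n'
    'To: "Pat Example" <shop-only@example.org>\n'
    "Subject: Pat Example, please verify your account\n\n"
    "Click here to log in and verify your account.\n"
)
NEWSLETTER = (
    'From: "Weather Digest" <news@weather.example>\n'
    "To: personal@example.org\n"
    "Subject: Weekend forecast\n\n"
    "Snow.\n"
)

if __name__ == "__main__":
    for label, raw in [("personal inbox", FAKE_TO_PERSONAL),
                       ("dedicated inbox", BREACH_TARGETED),
                       ("newsletter", NEWSLETTER)]:
        print(f"{label}: {triage(raw)}")
```

The second message is the case from the Consumerist example: it reaches the right inbox with the right name, so the rule can only mark it unverified, never safe.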

Heartbleed is the name of a bug, not a virus

The Heartbleed Bug was a major story not that long ago. Lists of affected websites circulated with instructions to change your passwords if you had accounts at those websites.

In the whirlwind of online news articles, a lot of jargon got tossed around that the average computer user may not be familiar with, and any time there is a knowledge gap, scammers can and do take advantage of it. Spam emails began to circulate claiming to include a Heartbleed removal tool that was, naturally, a malicious program itself. The attachment, if opened, installed a keylogger on victims’ computers, which could transmit sensitive information to criminals. Symantec has a fine article about this particular attack.

Of course, if you’re an old hack hand at Computer Stuff like myself, you already knew that Heartbleed was a bug affecting servers, not a virus. But not everybody is familiar with all these terms, so I decided it would be useful to explain some of these concepts in layman’s terms.

DATA is digital information. If you’re looking at a website, your computer is taking data and presenting it in a readable, watchable, or listenable way. You’re looking at data, which happens to be mostly in text form, right now. When you have an account at Amazon or Facebook (for example), your username and password are part of your personal data, which is the stuff you don’t want being accessed by anyone but yourself. Websites keep this kind of data on servers that use various software to make it (hopefully) impossible to access by unauthorized people.

SERVER is a big computer where data is stored. When you watch a video on YouTube, the digital information that makes up that video is stored on an incredibly large computer, which transmits that data to your computer, which turns it into a video you can watch. Companies such as Facebook and Google have multiple servers that fill entire buildings. Your employer may have a smaller server that looks like a regular desktop computer, which holds all the business’s customer data, and only employees have access to it. Same concept, different scale.

OpenSSL is a particular type of server software that was affected by the Heartbleed bug. You know how your desktop computer runs Windows or MacOS, and your phone runs Android or iOS? OpenSSL is pretty much the same type of thing for servers. Your home computer uses Windows or MacOS to do home computer things, some (but not all) servers use OpenSSL to do server things, like store huge customer databases.

BUG is a flaw in a piece of software. You know how sometimes you download some goofy free app on your phone, and it works for a few seconds then crashes? That app has a bug that makes it function improperly. In the case of Heartbleed, the bug was a security flaw that potentially opened up account information (such as encrypted passwords) to hackers.

ENCRYPTED data has been scrambled in a way that unauthorized persons cannot access it. Servers don’t just store your username and password in text form because it would be too easy for someone to just steal the file and open it. They use complicated methods to make sure that, even if someone got the file, they wouldn’t be able to read it. (At least, this is how it would always work in a world without security bugs like Heartbleed; this is why you had to change your passwords at affected sites after the bug was fixed.)

HACKER: a person who breaks into computer networks. This in and of itself does not make them bad…many are actually hired to break in, in order to highlight security flaws so they can be fixed. Some use their skill for criminal purposes.

These are pretty simplistic explanations, but I think it’s important to at least have a concept of what these terms mean, so that when you read an article that says “security bug affecting servers running OpenSSL versions etc…” you can at least understand that they’re talking about software you’re NOT running on your home computer, and to ignore any emails offering a fix because Heartbleed wasn’t a virus in the first place.

But you’re not going to open attachments in any unsolicited emails, anyway, are you? If nothing else, remember this First Principle: “If you didn’t ask for it, don’t click on it.”

Don’t use your debit card for online transactions

Even if you’re the type that eschews credit cards on philosophical or financial grounds, if you do any online shopping at all, a credit card is still safer than using a debit card.

Think about this: fraud exists; more than ever lately, we’ve seen how bad people can break into networks and steal card credentials. If you use a debit card on a website that gets hacked, the thieves now have a direct link to your bank account.

And while most financial institutions offer debit cards with zero liability for fraud, what do you do for cash while you wait for the dispute to be resolved? Your whole account could be tied up for weeks (and you won’t have a debit card for everyday, non-online purchases).

Credit cards eliminate that, and their fraud resolution procedures are usually faster.

Of course, some people don’t like credit cards because of the revolving debt trap, but it just takes self-discipline: make your purchase online with a credit card, then pay it off as soon as the charges show up. You just can’t spend more than you can afford to pay in cash, which is how your debit card would have worked anyway, right?

Aaaaaand it’s time to change every password in the universe again…

Have you ever experienced déjà vu?

Have you ever experienced déjà vu?

Sorry. Couldn’t resist.

ANYWAY, doesn’t it seem like not too long ago that I told you to go ahead and change all your passwords, because data breaches (like the ones that hit Target, Sally Beauty, Experian) will be a common thing for quite some time?

Oh yeah. It was.

So now we have the Heartbleed bug, which affects websites running certain versions of OpenSSL on their servers. I won’t get into the technical details, mostly because I don’t know one thing about OpenSSL, but the effect for you, the Internet user and person-who-logs-into-websites, is this: about two-thirds of the entire Internet is/was affected by this vulnerability, and your login/password information could have been stolen over the past couple years or so.

Yes, this is very, very big.

So whattaya do about it? You change passwords after a site patches its OpenSSL software. Most sites are moving pretty quickly to install the patch, but some haven’t been as forthcoming when it comes to telling their users to change their passwords. Right now, this moment, go change the following passwords, if you have accounts there:

  • Facebook
  • Google/Gmail/YouTube
  • Yahoo!
  • OKCupid

Those are the big ones that were definitely using the vulnerable version of OpenSSL, and have now been patched. Change ’em now!

Amazon, Twitter, and some other big sites, however, are safe. They were never running the vulnerable software.

Of course, there are also countless other websites that were, so you need to check those out as well. You can enter a web address at https://lastpass.com/heartbleed and find out if a site is affected. If you get anything but a “No” on the result page, you need to change your password, but try to find out if the site has been patched first. If you change it before they patch it, your account could still be vulnerable (and, if the site forces a password change later, you’ll just have to do it all over again).

And use strong passwords, too. I don’t have to tell you that, though, do I?

Overpayment scams affect businesses, too

I thought I was onto some clever application of the “duck test” for the title of this post, about how “if it looks like a scam and quacks like a scam,” but I really couldn’t make it sound anything other than monstrously insane, so I dropped it and went with the title you see above.

Anyway, the old overpayment scam has been explained a thousand times here, there and everywhere. You’re selling something on Craigslist (for example), and a buyer contacts you, usually from out of state. They send their payment, but instead of $200, it’s a cashier’s check for $3,200. “Cash it and use the extra for shipping, then wire the rest back to me,” they say when you contact them.

What happens next is fairly predictable: you cash the check, send the item, wire the excess money (thousands of dollars) to someone, then find out a week later that it was a counterfeit check and that you’re on the hook for the loss caused to your financial institution.

But did you know that scammers also target businesses with the same tactic?

And if you’re a business owner, you might fall for it because what might strike you as suspicious during a private sale might seem less so in a business context. I’ve heard of several cases where retail businesses, attorneys and rental property owners have been victimized by this scam.

However, the principle applies in every context, whether in a person-to-person or a business transaction: if someone sends you a cashier’s check and tells you to cash it and wire money back to them, you’re almost always dealing with a con artist.

This is why I don’t use ad-blocking plugins: so I can point out stuff like this

Today I checked out the weather forecast at Weather.com, mostly to confirm my suspicions that yes, this winter is going to be eternal and that it’s never going to rise above four degrees for the rest of my life.

(Okay, the actual forecast wasn’t that bad, and it’s actually going to get a little warmer very soon, but still.)

I noticed this banner ad in the right-side column where Weather.com usually puts them (among other locations):

[Image: screenshot of the banner ad (2014-02-12-junkware)]

Looks important, don’t it? Like your security software is telling you something is wrong, right?

Yeah, well, it’s not. It’s an advertisement. Good thing the ONLY indication is the little Google AdWords logo in the upper right corner, eh?

Now, I don’t know exactly what this advertisement leads to, but as far as I’m concerned, they’re using deception to trick people into clicking on it. That makes me think of ransomware, because it’s almost the exact technique used by makers of that type of malicious software. Click on it and you may find your computer locked down until you pay $80 or more to some crook.

I wish I could issue “just never click on anything” as a general rule, but it’s sort of hard to use the Internet without clicking on something now and then. I would suggest this, though: if you see an ad like this on a major website, click on that little triangle AdWords logo (click carefully…you don’t want to click on the ad itself!) and use the submission form to tell Google about it. Google’s AdWords system is great because it allows access to online advertising for businesses of all sizes, but that wide-openness also means a lot of scammers get their greasy little banner ads through. It’s like those “work at home” scams in the old print newspapers, only a couple hundred million times larger in scope.

Just change all your passwords this weekend, okay?

The place I am typing this from is predicted to get yet another pile of snow and ice dumped on it this weekend, and I’m guessing most of the people who read this site are in the same situation.

There are some things to do right now to prepare for the impending Snow Event: make sure you’ve got some salt for the driveway, buy seven dozen eggs and a 55-gallon drum of milk (because, you know, you might not be able to leave the house for a whole 30 hours), and get your snowbound entertainments all lined up (The Shining is fun if you’re brave, or you could splurge on kind-of-expensive board games—Settlers of Catan is awesome if you’ve got three or four players available; I’ve heard there’s a football game on Sunday that a few people are interested in, too).

There are some things you can do while you’re stuck indoors, too, and this weekend, make changing every password you’ve got one of them.

See, there’s been another data breach, from Yahoo! this time. They say an “unspecified” number of accounts have been compromised, which probably will end up meaning all of them. Remember how the Target thing went from 40 million to 110 million? So you need to change your Yahoo! passwords, but there will be more major security breakdowns in the near future. There always are. So even if you’re not going to be stuck inside due to inclement weather this weekend, even if you don’t have a single Yahoo! account, it’s time to just change all your passwords.

Make all your passwords long, very random, don’t use real words, use numbers, upper- and lowercase letters, special characters, and do not use the same password for more than one account. Here’s a quick primer that should teach you everything you need to know about choosing a good password:

Bad Password: 123456
Bad Password: password
Bad Password: trustno1
Good Password: 6ZUNFPtjaWZPk$eAafBt8YhP
Good Password: KjV7$y!92#MqKS&YYSaW3MjtRmSPxR

Now, it’s going to be impossible to remember twenty different passwords (or even one) that look like those last two, so you’re going to have to find a way to record them, whether by carefully writing them in a notebook (that you keep in a different room than your computer), or by using a password manager like LastPass or Keeper (both of which will generate those stupid-long passwords for you). It doesn’t matter what method you use, just do it.
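The rules above can be turned into a check you run over your own list of accounts, plus a generator for replacements. This is an added example, not code from the original post; the 16-character minimum and the short `COMMON` list are assumptions, since the post only says “long” and “don’t use real words.”

```python
import secrets
import string

# The character classes the post asks for.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
MIN_LENGTH = 16  # assumption: the post only says "long"
# Constructed sample list; a real audit would load a large wordlist.
COMMON = {"password", "123456", "trustno1", "qwerty", "letmein"}


def generate_password(length=24):
    """Random password from the OS CSPRNG containing every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def audit(accounts):
    """accounts maps account name -> password; returns name -> list of problems."""
    findings = {name: [] for name in accounts}
    seen = {}
    for name, pw in accounts.items():
        if len(pw) < MIN_LENGTH:
            findings[name].append("too short")
        missing = [label for label, chars in CLASSES.items()
                   if not any(c in chars for c in pw)]
        if missing:
            findings[name].append("missing: " + ", ".join(missing))
        if any(word in pw.lower() for word in COMMON):
            findings[name].append("contains a common word or password")
        seen.setdefault(pw, []).append(name)
    # One password per account: flag every account sharing a password.
    for names in seen.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings[name].append("reused on: " + others)
    return findings


if __name__ == "__main__":
    # The post's five sample passwords; account names are constructed.
    # Anything printed in public, these included, must never be used for real.
    sample = {
        "forum": "123456",
        "mail": "password",
        "shop": "trustno1",
        "bank": "6ZUNFPtjaWZPk$eAafBt8YhP",
        "work": "KjV7$y!92#MqKS&YYSaW3MjtRmSPxR",
    }
    for account, problems in audit(sample).items():
        print(account, "->", problems or "ok")
    print("replacement:", generate_password())
```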

It’s a good idea to change passwords regularly, too. I’m even pretty bad about remembering to do it, but it’s a good idea to at least do it a few times a year. Even a super-strong password that would take a brute-force password guessing script a quadrillion years to guess might as well be “123456” as soon as some goofy company decides to keep its entire database of usernames and passwords in plain-text, unencrypted form, and somebody breaks in and gains access to it. This has happened in the past.

Stay vigilant. And warm.

Of data breaches and phishing

Pretty much everyone who pays attention to anything is aware that an awful lot* of credit and debit card information was stolen from Target stores by hackers. That card data almost immediately showed up for sale on Internet forums used by cybercriminals.

It is the biggest data breach story to date. A lot of people shop at Target, and even more people shop at Target between Thanksgiving and Christmas.

But, as with everything else, it can’t just stop there. Other scammers have to get their fingers in the pie, too; phishing attacks have begun to surface that mention the Target breach. These messages claim to offer protection from fraud, or ways to see if your card data was one of the compromised few.* And like every other phishing attack, they’re just trying to harvest your account information.

Even if you shopped at Target between November 27 and December 15, 2013; even if you’re really worried; even if you’ve already experienced fraudulent charges…a phishing attack is still a phishing attack. Never trust anyone who contacts you out of the blue and asks for personal or account information, whether by phone, email, text message, telegraph, smoke signal or semaphore.

As for what to do about the actual breach (now that you’re immune to the phishing attacks)? Keep tabs on your credit and debit cards. Get online access to your accounts if you don’t already have it (and use a good, strong password). If your card issuer offers email or text alerts for card activity, sign up for them. If you see something suspicious, report it to the card issuer immediately. Above all, don’t let your guard down when you get emails or text messages that refer to the data breach. Falling for a phishing attack can only make things worse.

*110 million or so.

Stay vigilant.