Just change all your passwords this weekend, okay?

January 31, 2014

The place I am typing this from is predicted to get yet another pile of snow and ice dumped on it this weekend, and I’m guessing most of the people who read this site are in the same situation.

There are some things to do right now to prepare for the impending Snow Event: make sure you’ve got some salt for the driveway, buy seven dozen eggs and a 55-gallon drum of milk (because, you know, you might not be able to leave the house for a whole 30 hours), and get your snowbound entertainments all lined up (The Shining is fun if you’re brave, or you could splurge on kind-of-expensive board games—Settlers of Catan is awesome if you’ve got three or four players available; I’ve heard there’s a football game on Sunday that a few people are interested in, too).

There are some things you can do while you’re stuck indoors, too, and this weekend, make changing every password you’ve got one of them.

See, there’s been another data breach, from Yahoo! this time. They say an “unspecified” number of accounts have been compromised, which probably will end up meaning all of them. Remember how the Target thing went from 40 million to 110 million? So you need to change your Yahoo! passwords, but there will be more major security breakdowns in the near future. There always are. So even if you’re not going to be stuck inside due to inclement weather this weekend, even if you don’t have a single Yahoo! account, it’s time to just change all your passwords.

Make all your passwords long and very random: don’t use real words; do use numbers, upper- and lowercase letters, and special characters; and never use the same password for more than one account. Here’s a quick primer that should teach you everything you need to know about choosing a good password:

Bad Password: 123456
Bad Password: password
Bad Password: trustno1
Good Password: 6ZUNFPtjaWZPk$eAafBt8YhP
Good Password: KjV7$y!92#MqKS&YYSaW3MjtRmSPxR

Now, it’s going to be impossible to remember twenty different passwords (or even one) that look like those last two, so you’re going to have to find a way to record them, whether by carefully writing them in a notebook (that you keep in a different room than your computer), or by using a password manager like LastPass or Keeper (both of which will generate those stupid-long passwords for you). It doesn’t matter what method you use, just do it.

It’s a good idea to change passwords regularly, too. I’m even pretty bad about remembering to do it, but it’s a good idea to at least do it a few times a year. Even a super-strong password that would take a brute-force password guessing script a quadrillion years to guess might as well be “123456” as soon as some goofy company decides to keep its entire database of usernames and passwords in plain-text, unencrypted form, and somebody breaks in and gains access to it. This has happened in the past.

Stay vigilant. And warm.


Of data breaches and phishing

January 17, 2014

Pretty much everyone who pays attention to anything is aware that an awful lot* of credit and debit card information was stolen from Target stores by hackers. That card data almost immediately showed up for sale on Internet forums used by cybercriminals.

It is the biggest data breach story to date. A lot of people shop at Target, and even more people shop at Target between Thanksgiving and Christmas.

But, as with everything else, it can’t just stop there. Other scammers have to get their fingers in the pie, too; phishing attacks have begun to surface that mention the Target breach. These messages claim to offer protection from fraud, or ways to see if your card data was one of the compromised few.* And like every other phishing attack, they’re just trying to harvest your account information.

Even if you shopped at Target between November 27 and December 15, 2013; even if you’re really worried; even if you’ve already experienced fraudulent charges…a phishing attack is still a phishing attack. Never trust anyone who contacts you out of the blue and asks for personal or account information, whether by phone, email, text message, telegraph, smoke signal or semaphore.

As for what to do about the actual breach (now that you’re immune to the phishing attacks)? Keep tabs on your credit and debit cards. Get online access to your accounts if you don’t already have it (and use a good, strong password). If your card issuer offers email or text alerts for card activity, sign up for them. If you see something suspicious, report it to the card issuer immediately. Above all, don’t let your guard down when you get emails or text messages that refer to the data breach. Falling for a phishing attack can only make things worse.

*110 million or so.


How law enforcement doesn’t operate: scam alert from the BBB

October 18, 2013

If you live in the United States (I can’t vouch for other countries), there are certain ways in which law enforcement is carried out, and ways in which it generally is not.

Here’s one way law enforcement doesn’t work: if there’s a warrant out for your arrest, they usually don’t call you first and tell you.

Here’s another: if you’re accused of a crime, you can’t pay a fine to avoid charges (if you can, it probably means you’re bribing someone, and they’re accepting the bribe, and you’re both in a lot of trouble, mister. Bribing the police. That’s not right!). The fines (and other consequences) generally happen after you’ve been convicted, which is supposed to occur via due process.

The Better Business Bureau is warning of an active scam that has already claimed several victims. The fraudulent phone calls use spoofed caller ID to extort “fines” from victims, by money orders and prepaid debit cards. They’ve got the full lowdown here, but the proper response is one you’ve seen before: don’t give any money or personal information (even if they have some already—victims have reported the callers having information about loans), hang up, call the real police (because others are likely getting the same calls).

The problem is that such phone calls can incite a moment of panic, and panic makes it hard to think rationally. But if you’re aware that such scams exist, you’ll be able to stop, take a breath, calm down and remember how reality works before you become a victim.


How to spot a disguised link in an email message

October 1, 2013

I’ve written quite a few posts about phishing over the last few years, and I’ve probably been guilty at times of assuming everyone knows what is meant by “mouseover,” or that everyone knows offhand how to spot a disguised link in an email message.

I made this graphic to clarify. The email example here was a run-of-the-mill “Your debit card has been deactivated, click here to verify” phishing attack (extremely easy to see through if you happen to NOT have an American Express debit card, which I don’t). Some phishing attacks aren’t as obvious, but the method to spot a disguised link (one that says “americanexpress.com” but actually leads to a look-alike website designed to harvest account numbers, passwords and other personal information) is the same:

2013-10-01-mouseover

Not every email program will have this exact same layout, but for the most part the actual link will be seen somewhere near the bottom of the page, on the left.
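The same mouseover check can be done programmatically. The following is an added example, not code from the original post: it collects every link in a constructed phishing-style HTML message and flags any whose visible text names a domain different from the host the href actually points to. The sample message and the `verify-card.example` host are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message in the spirit of the one in the post.
SAMPLE_EMAIL = """<p>Your debit card has been deactivated.</p>
<p>Click <a href="http://americanexpress.com.verify-card.example/login">
https://www.americanexpress.com/</a> to verify your card.</p>
<p>Questions? Visit <a href="https://www.americanexpress.com/help">americanexpress.com</a>.</p>"""

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")  # what a bare domain looks like

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>...</a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive: keep the last two labels ("www.example.com" -> "example.com").
    return ".".join(host.lower().strip(".").split(".")[-2:])

def host_from_text(text):
    """Host named by the link's visible text, or None if the text is not a URL/domain."""
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname
    except ValueError:
        return None
    return host if host and DOMAIN_RE.fullmatch(host) else None

def find_disguised_links(html):
    """Return (visible text, real host) where the shown domain differs from the href's."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = host_from_text(text)  # None for "Click here"-style text
        real = urlparse(href).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(real):
            flagged.append((text, real))
    return flagged
```

Running `find_disguised_links(SAMPLE_EMAIL)` flags only the first link, whose text shows americanexpress.com while the href leads to the look-alike host; the second link is left alone because its text and href agree.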


Credit Card Scam Alert: Ignore that offer from AmTrade International Bank

September 27, 2013

There is a new scam showing up in mailboxes.

It takes the form of an offer for a “secure” credit card, and it targets people with low credit scores or other financial issues.

A “secure” credit card is a credit card where the cardholder puts up some of their own money as collateral against the credit line. It allows lenders to extend credit to higher-risk consumers at a lower annual percentage rate, and can actually be a good tool for rebuilding credit (timely payment of debts makes up a large portion of your credit score). We actually offer a secured credit card here at REGIONAL. They’re a legitimate financial tool.

Except for when they’re used as the basis for a scam.

This one comes from AmTrade International Bank, with an implied connection to Credit One Bank, N.A. (there is none). Victims select a card with either a $1,500 or $3,600 credit limit, and then send in $500 or $900 (respectively) as “collateral” for the credit lines.

And the credit cards never arrive. At its core, this is the simplest form of scam: take money, disappear.

This exact same scam showed up earlier in the year, from Freedom 1st National Bank, which also implied a link to Credit One. In both cases, victims instantly found themselves robbed of either $500 or $900.

If you get offers for pre-approved credit cards in the mail, it is vital to verify all claims before making a purchase decision and sending personal information and money.

In fact, I’ll just put it out there now: don’t respond to unsolicited pre-approved offers for “secure” credit cards, at all.

Also, never just send money to an unknown entity, for any reason.

This scam is going to keep popping up, with different fake banks running it each time, and law enforcement is going to be playing whack-a-mole for quite some time. In the meantime, it’s on each of us to look out for ourselves.



File Under “Things That Were Just a Matter of Time.” New scams using Affordable Care Act to harvest personal information.

August 23, 2013

Okay, so if you live in these United States, you may have heard of a controversial little thing called the Affordable Care Act.

Yeah, okay, before you head to the bottom of the page to sound off, I’ve already turned comments off for this post. I’m not here to express my opinion of the legislation, and I’m not fielding others’, either. Our opinions are irrelevant for the moment. Besides, certain post topics generate TONS of bot-generated spam comments, and I have a hunch this might be one of them (you should’ve seen how many came in when I wrote about Açaí berry scams a few years ago…it was seriously ridiculous).

Here’s all we need to know, and it’s pretty easy to agree upon: The Affordable Care Act is a Thing That Exists. (That’s only a matter of opinion if you’re into really fabric-of-universe-level philosophical discussions.)

And, as a Thing That Exists, it was only a matter of time before someone started up a scam based upon it.

Lo and behold, the FTC is reporting exactly that. Scammers are calling potential victims to “verify” information. For example, “So I see here that your routing number is __________, is that correct? Okay, good, so now we just need your account number…”

Here’s the deal with the Affordable Care Act: if you’re one of the people who is going to need to use the exchanges to obtain insurance, you’re going to be the one contacting them. According to the FTC report, “If someone who claims to be from the government calls and asks for your personal information, hang up. It’s a scam. The government and legitimate organizations you do business with already have the information they need and will not ask you for it.”

That sums it up pretty nicely, both in this specific instance and as a general rule.


2 people are not spying on you

August 13, 2013

Have you seen this (or something similar) show up on a website lately?

I said DON'T click on it!

If you use MyFitnessPal, WeightWatchers Online, YouTube, or any of about a million other sites, chances are that you have.

Here are some things about which you can rest assured:

  • It’s just a stupid banner advertisement
  • It seems to be showing up a lot more often since this whole mess with the NSA started and got everyone paranoid about their online privacy
  • Nobody is spying on you*
  • It probably leads to a website that will infect your computer with spyware, at which point someone will be spying on you
  • Even if it doesn’t, you don’t want what they’re selling
  • It tells EVERYONE they have “2 people” spying on them
  • YouTube, MyFitnessPal, WeightWatchers, etc., have no way of knowing whether anyone is spying on you or not
  • Do not click on it, whatever you do

*Actually, there might be people spying on you. I mean, I have no idea who’s reading this. Spies do exist, right? You might be involved in all kinds of international espionage, sabotage, subterfuge, the works. You might be tuning in to those weird “numbers stations” every night and actually have the key to decode them for all I know. But in that case, you’d probably say, “Two? Ha! More like two hundred!” if you saw this particular ad.

