In this issue:
- 5 steps to hack-proofing your smartphone
- Emerging threats: Holiday shopping tips and Netflix scam
- Savvy Cybersecurity quick links
- Cybersecurity shorts: Dell customer service website hacked, the emotional impact of identity theft, a new Medicare scam, and much more
- Software updates
Dear Mastering Your Money Blog Reader,
Welcome to you November Savvy Cybersecurity newsletter. As we officially enter the holiday season, it's important to be on the lookout for scams, hacks, and frauds. Here are some typical holiday scams to be aware of:
1. Charity scams: 'Tis the season for giving—but be sure you know where you are contributing before donating any money. During this time of the year, many scammers will set up fake charities for a good cause but will use the donations fraudulently. Before donating, definitely research the charity to make sure it is legitimate.
2. Gift card scams: Fraudsters have a lot of success with this simple scam during the holiday season: They write down gift-card information from unsold cards on store racks. Then, once the gift cards are bought and activated—they use the information to shop with them online. This scam can be tricky to combat, but if possible only buy gift cards from official retailers in the store or online.
3. Holiday shopping phishing emails: Be on the lookout for emails advertising deals that seem too good to be true--or ask for your personal information. During the holiday shopping season, hackers will send phishing emails advertising sales that can download malware on your machine or steal private data. Remember the E.M.A.I.L. Rule (Examine message and inspect link) and delete any emails that seem at all questionable.
Read on to learn more about the cybersecurity happenings this month including:
- Uber's data breach and cover up
- A tip for protecting your bank account
- Medicare scams making the rounds
- And much more
5 steps to hack-proofing your smartphone
Imagine having trouble with your smartphone. You contact your carrier for help, but they say you’re no longer a customer, and that you recently transferred your phone account to another carrier!
Welcome to the central act in a growing cybersecurity threat—mobile account takeover.
Consider the story of Tiffany and Kevin Bennett, who suffered this new form of identity theft.
One day, Tiffany received an email from her mobile phone company saying the password on the mobile account had been changed. She shares the account with her husband, Kevin, and figured that he must have changed the password, so she ignored the email alert.
A few hours later, however, Tiffany could no longer send or receive any messages. When Kevin tried to call her phone number it rang—but not on Tiffany’s phone.
What happened? Someone hacked into the Bennett’s mobile phone account and forwarded Tiffany’s number to a new phone. All of her calls and texts were being forwarded to this number, too.
The hacker was then able to enroll one of the Bennett’s credit cards, bought on the black market, in Apple Pay. When the credit card company texted the verification code to Tiffany’s number, the hacker received it instead. With access to their credit card, the imposter was able to spend hundreds of the Bennett’s dollars.
Eventually, the Bennetts got back their money and control of Tiffany’s phone number, but the entire process was stressful and time-consuming.
How did this happen? The Bennetts were missing a crucial security feature on their mobile phone account—a PIN.
1. Set a PIN on your phone carrier mobile account
The most important thing you can do to stop mobile account takeover is to protect your account with a PIN. Here, we are not talking about setting a PIN or passcode on your physical device, but rather on your account with your mobile carrier.
When you add a PIN to your account, no changes can be made without that PIN. It’s essentially like freezing your credit—until the freeze is lifted, no changes or new devices can be added.
This blocks hackers from accessing information in your account, adding a new device to your plan, or forwarding your number to a new number (like what happened to the Bennetts)—all parts of complex, growing frauds.
Anytime you log into your account online, call your carrier, or visit a physical store, you will be prompted to enter your PIN. You can set this feature up online or over the phone. It only takes a few minutes, but adds strong security. Remember, don’t use a PIN that is easy to guess like your birth date or the last four digits of your phone number.
2. Protect your smartphone or tablet with a passcode
Recently, Symantec performed a study and dropped 50 unprotected smartphones in public spaces to see what would happen. The results were eye-opening.
They discovered that 89% of people who found one of these phones opened personal apps such as online banking. Sixty percent opened social media and email apps and 57% tried to open a passwords file. And while 50% of the finders tried to contact the owner of the phone, half of them also took a dive into the owner’s personal life.
Adding a passcode to your device may seem like a simple approach yet one-quarter of smartphone owners do not lock their device.
If you use an iPhone, you have a few passcode options: a four-digit code, a six-digit code, or a custom alphanumeric code. The six-digit or custom alphanumeric codes are the most secure choices. You can enable or change your passcode through Settings, where you select Touch ID & Passcode.
Android users also have multiple options. You can choose from a lock pattern, a four to seventeen digit code, or a password. And while some people like the lock screen option, many security experts warn that it is not the most secure option—someone could guess the pattern by the fingerprints on your screen. Instead, choose the password or a long code. Again, this can be done through the Settings feature.
3. Activate ‘find my phone’ feature
If your phone is lost or stolen, you’ll be glad you put a passcode on it. But you’ll also want a way to try to get your phone back.
Both Apple and Android phones have built-in features that allow you to track your phone, remotely turn off and lock your device, and even delete the data stored on your device.
For Apple users, this is called Find my iPhone and it is pre-installed on any iPhone running iOS 7 or higher. You can enable it by going to Settings, iCloud, and enable Find my iPhone.
Android users can activate Find My Device on their phone or tablet. To turn this feature on, go to Settings, Google Settings, and then Security.
Note that for both types of devices, you’ll need to activate location services for the feature to work.
4. Update software and apps
Often, people are reluctant to update their phone software because they don’t want a new operating system that changes the phone’s interface. But these updates usually are not cosmetic—more often they close known security vulnerabilities. Putting off the update because you don’t want your messages app to change is putting your security at risk.
And the operating system is not the only program that you need to keep updated. All of your apps need to be updated as well. Hackers can find their way into your phone through security holes in outdated apps, so be sure you are updating all of your apps regularly.
And also take note that you should only download apps from the official App stores for your device. Apps outside of these stores are not checked for malware or privacy settings and may compromise your privacy and security.
5. Back up your phone regularly
Another important action you need to do regularly is to back your phone up to two places—the Cloud and your computer.
The reason you want to regularly back up your phone is so that if something does happen—you download malware or your phone is hacked—you can do a factory reset and essentially erase your phone while knowing your data is safe in two other places. Once you clear your phone, you can download your data from a backup.
To back up your phone to your computer, connect your phone via USB and follow the instructions on your screen.
iPhone users that have enabled iCloud can back up to the Cloud automatically every time the phone is plugged in and connected to Wi-Fi. iPhone users should back up to their computer every so often as well. To do so, physically plug your phone into your computer using the USB charging cord and open iTunes. You will be guided through the process.
Android users can link their phone to their Google account for automatic backups through the Settings folder. To create a backup on your computer, connect your phone using a USB cable and copy your phone’s SD card into a folder on your desktop.
Take action now
Take these key actions now to protect your smartphone from the hackers. As with all cybersecurity choices, you need to decide the level of security you want for your device. Implementing all of these options will give you the best protection, but even choosing just a few will significantly boost your security.
Netflix scam making the rounds fools savvy computer users too. Be on the lookout for emails appearing to be from Netflix which say that your account has been suspended due to credit card validation issues. According to experts, the email looks very official and directs recipients to a fake Netflix page that asks for login credentials and other personal information such as payment card data. Netflix reminds users that they will never ask for personal information via email.
Be aware of scams and frauds while holiday shopping this season. As always, scammers will be busy this season trying to trick consumers into divulging personal information or falling for frauds. But there are some actions you can take to help prevent a cybersecurity incident. For example, shopping with a credit card can provide you with more protection. If a deal seems too good to be true, do some research to confirm it is legitimate. And as always, don't enter your credit card information over free public Wi-Fi when shopping online.
Uber covers up breach impacting 57 million customers and drivers. Hackers gained access to Uber data in October of 2016—including email addresses and phone numbers of 50 million passengers and personal data of seven million drivers. Uber paid the hackers $100,000 to keep the breach secret and delete the stolen data. Uber also found the hackers and asked them to sign nondisclosure agreements. In doing so, the company may have violated a Federal Trade Commission rule that stops companies from destroying hack information and data that could be useful in investigations.
Nearly one-third of U.S. consumers worry about falling victim to identity theft in the next five years according to a new study by Generali Global Assistance. The study also found that ninety percent believe that falling victim to identity theft would have a significant impact on their lives. You can read more about the study here.
Dell customer support website hacked for a month this summer. The site, DellBackupandRecoveryCloudStorage.com links to a program installed on nearly all Dell computers called "Dell Backup and Recovery Application." This website and software help Dell users restore their computers to the factory default if there is a problem with the device. The website, however, was accessed by hackers who pushed malware onto machines. It is unclear whether any Dell customers were harmed by this hack.
Woman claims her identity has been stolen over ten times since the Equifax breach. Katie Van Fleet of Seattle says that in the months following the Equifax hack she has received letters from multiple retailers thanking her for an application for credit. However, she has not applied for a credit card at any of them. Van Fleet has now filed a class-action lawsuit against Equifax blaming its breach for the identity theft.
Adding a verbal passcode to your online bank account provides extra security—but only if the bank follows the rules. A verbal passcode is something you can set up with your bank and it requires that the customer service representative ask you for that passcode before divulging any account information. Security writer Brian Krebs has discovered, however, that many banks do not follow protocol. He called his financial institution and told the representative that he had forgotten his PIN—and he was still given his account information. Eventually, Krebs moved his accounts to an institution that better protects his identity and recommends that you do the same.
Identity theft causes more than drained bank accounts, according to research from the Identity Theft Resource Center. The group surveyed nearly 200 identity theft victims on the aftermath of fraud and discovered that 75% of respondents were severely distressed over having their identity stolen. Eighty percent felt frustrated and 56% were angry. Over half of respondents were afraid for their financial future and many described having problems getting credit cards and loans since the theft.
Canadian company Verticalscope.com suffers data breach affecting 2.7 million user accounts. This is the second time in two years that the web discussion forum company has been breached—the first exposing 45 million user accounts. The hack was discovered by Alex Holden of Hold Security when he saw hackers selling access to Verticalscope.com online. Verticalscope.com users should change their passwords for the site and any other site that shared the same password.
Forrester Research predicts more ransomware and IoT attacks in 2018. The firm believes that we will specifically see more IoT (Internet of Things) attacks next year that are led by financial motivation. They also see cybersecurity issues hitting the U.S. 2018 midterm elections due to insecure voting machines and hacks at Equifax and the Republican National Committee that leaked important personal information. You can see all of Forrester Research's predictions here.
Want to improve employee cybersecurity? Make it simpler. Studies show making cybersecurity policies that are easier to understand and implement can increase overall cybersecurity. For example, many companies require that employees create complex passwords and change them regularly. However, changing your password does not offer greater security and causes people to create weaker passwords.
Account takeover fraud continues to rise according to the Global Fraud Index released by PYMNTS and Signifyd. The data showed that account takeover fraud grew 45% in the second quarter of 2017 and cost merchants $3.3 billion. This type of fraud occurs when hackers gain access to your existing bank or credit card account and make fraudulent purchases. One cause of this spike may be the increase in data breaches over the past year.
Medicare scam targets seniors during the open enrollment period. The Federal Trade Commission warns of scams that trick seniors into paying for a replacement Medicare card; they also try to obtain personal information like Social Security numbers. The Centers for Medicare and Medicaid services remind consumers that there is no cost for the new cards being provided by the agency and that you will never be asked for personal information to get your new card.
Retailer Forever 21 investigates data breach at certain stores. The company says that credit card information may have been stolen at specific store locations between March and October 2017 due to malfunctioning encryption.
Fallen for a Western Union scam? Relief may be available. The Federal Trade Commission has set up a special fund for those who lost money in scams involving Western Union between January 1, 2004 and January 19, 2017. Those affected can file a claim here before February 12, 2018.
Adobe: This month Adobe released patches for over 60 security vulnerabilities in products including Flash Player, Photoshop, Adobe Reader, and Shockwave. You can read more about the update and download updates here.
Microsoft: Nearly 50 security holes were patched in this month's Microsoft patch bundle affecting Windows and Office products. Four of the flaws were previously disclosed and are considered serious. You can read more about the updates here. Your devices should prompt you to update automatically.
WordPress: WordPress users should update their websites immediately to WordPress version 4.8.3. This new version closes a serious security vulnerability that was discovered last month. The update released in WordPress version 4.8.2. however, did not fully fix the vulnerability. You can download the update here.
Apple: Mac users running High Sierra must update their devices immediately to patch a flaw that allows anyone root access to your machine without a password. Check your device for the update. Apple will automatically update machines running the latest version of High Sierra beginning this afternoon.
If you've enjoyed this blog Join Our Weekly Newsletter, or want more information. Please email us at firstname.lastname@example.org or http://masteringyourmoney.com/