Reducing Your Risk of Credit Card Fraud

One category of credit fraud is when a hacker opens new credit accounts in your name, runs up the bill and leaves you to deal with the mess.

While in the long run, if you are persistent, the law favors the consumer, it can be a long slog to get it taken care of.  That assumes that you have the time and energy to deal with it.

In the meantime you have to deal with bill collectors and a ding on your credit report (reporting the fraud to the credit bureaus generally helps with the credit report problem).

OK, so what is a person to do?

The problem is that there are so many ways to open new credit accounts – banks, retail stores, online stores, cell phone companies and even utilities like water and electric.

One way to help the problem is to establish a credit freeze.  A credit freeze applies to your credit report, not an individual credit card or account.  What is supposed to happen is that after you establish a credit freeze, no one is supposed to be able to get your credit information.  Without that information, responsible creditors will not grant credit.

Since the credit bureaus’ revenue comes from the businesses that ask for your credit information (after all, YOU don’t pay the credit bureau for the privilege of handing out information that leads banks to refuse you a loan, do you?), the bureaus don’t want you to freeze your credit.  As a result, they charge you a fee when you put a freeze on your file and another fee when you take it off.  That is, except in a few states where laws say they have to do it for free.  And you have to do that for each bureau – Experian, TransUnion and Equifax, and even the smaller Innovis.

But wait, as Ron Popeil (if you are too young to know who he is, Google him) used to say, there is more.

For whatever reason, the mobile phone companies are not asking the big 4 bureaus for your credit, they have created their own exchange, the National Consumer Telecommunications and Utilities Exchange.  This is the organization that some phone carriers and some utilities use instead.  Likely it is cheaper or easier.  This exchange only has payment information for phones and utilities, unlike the bigger bureaus, but their customers must think that is sufficient.

And guess who runs NCTUE for the carriers and the utilities?

(drum roll please!)

None other than Equifax, the same Equifax that leaked information on most adults in the United States a few months ago.  Their contract expires in 2020.

You can get a copy of your credit report and “risk score” by calling NCTUE at 866-349-5185 and giving them your social and house number.  If the data verifies, they will mail you a report.

They also offer a separate credit freeze capability on their web site, but, according to Brian Krebs, it is not working right now.  Accident or purposeful?  No one but them knows, but since they only make money if they can sell your info – well you decide.

Sorry, more to deal with!

Information for this post came from Brian Krebs.

Hackers Figure Out How to Evade Microsoft’s Advanced Threat Protection

Hackers are always in a cat-and-mouse game with the good guys (and gals) as the hackers try to do us in and the good guys try to swat them away.

Microsoft has an add-on to Office 365 called Advanced Threat Protection, or ATP.  One of the things that ATP does is make links inside emails safer by replacing all of the links with a link to a Microsoft filtering service that reviews each link to make sure it is not malicious.

There is a bit of a flaw in their process.  In HTML you can split up the URL into a BASE and a RELATIVE link.  When the link is clicked on the two pieces are glued together to make the full web address.

Apparently ATP does not understand that and, at least for now, the bad guys can get through.
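As an added illustration (not code from the post, from Microsoft or from the researchers), the resolver below contrasts the links an attribute-only scanner sees with the URLs a browser actually resolves once a `<base href>` is applied; the sample message and its hostnames are constructed, and a filter that only looks at `href` values never sees the host in `hidden_hosts`.

```python
# Added example: why inspecting href attributes alone misses the effective
# target when HTML splits a URL into a <base href> and a relative link.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample e-mail body, not a real message.
SAMPLE_HTML = """<html><head>
<base href="https://example-landing.test/">
</head><body>
<a href="account/verify.html">Confirm your account</a>
<a href="https://docs.example.com/help">Help</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> as written in the markup."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            # Browsers honour only the first <base href> in a document.
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def naive_links(html):
    """What a filter sees if it rewrites href attributes exactly as written."""
    p = LinkCollector()
    p.feed(html)
    return p.hrefs


def effective_links(html):
    """What the browser navigates to: each href joined against the base URL."""
    p = LinkCollector()
    p.feed(html)
    return [urljoin(p.base or "", h) for h in p.hrefs]


def hidden_hosts(html):
    """Hosts reached via the effective links that the naive view never shows."""
    seen = {urlsplit(h).hostname for h in naive_links(html)}
    actual = {urlsplit(h).hostname for h in effective_links(html)}
    return sorted(actual - seen - {None})


if __name__ == "__main__":
    print("naive:    ", naive_links(SAMPLE_HTML))
    print("effective:", effective_links(SAMPLE_HTML))
    print("hidden:   ", hidden_hosts(SAMPLE_HTML))
```

A rewriting filter that joins every href against the document base before deciding what to inspect sees the same URL the user's browser will open.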

Interestingly, Proofpoint also falls for this attack, but Mimecast does not.  GMail does not seem to fall for this attack either.

So what should you do?

First, don’t let users let their guard down just because you have some software in place.  Keep training and keep phishing.

Second, it is probably worthwhile to let your users know that this attack is in the wild and they should be extra careful.

Finally, whine at Microsoft and ask them when they are going to fix the BASESTRIKER vulnerability.  The more people who complain, the faster it will get fixed.

This is one of the good things about the web.  Since this is a service hosted at Microsoft, all they have to do is fix the service in one place and THE ENTIRE POPULATION OF OFFICE 365 USERS ARE PROTECTED.  That’s pretty neat.

And, I bet, that there are some folks in Redmond or Dublin or some place like that working on the problem right now.  It doesn’t seem like it will be hard to fix.  It will likely be fixed soon.

Information for this post came from The Hacker News.

The Challenge of Keeping Users Safe Online

We have trained users to look for a padlock next to a website’s address like it means that you are safe.

Unfortunately, as we all know, it hasn’t quite worked out very well. At least not for us.

Expecting the average user to understand what the padlock means – and doesn’t mean – is unreasonable.  In fact, it is doomed to fail.

For example, if a user is presented with a login screen, complete with a Netflix logo and a green padlock, are they likely to realize that netfILx is not netfLIx?  Not likely.

What the padlock actually represents is the fact that the conversation is private, not that it is secure.  When SSL (what is behind HTTPS) was invented, the object was to convince a skeptical public that providing their credit card to buy something online was safe.  The people who created it did not have a crystal ball to help them see what scam artists would do in the future.

While that HTTPS conversation may be private, you may be talking to Satan.

Are we all doomed?

Actually not, but we are dependent on our technology providers to do more than they have done.

As Google’s Emily Schechter says in the article quoted above, Google has already started to do more and they plan to continue doing more.

Rather than, for example, putting a padlock next to a website name saying it is secure when it is not, how about putting the message NOT SECURE next to its name.  After all, no one is going to try and con you into falsely thinking their website is not secure, hence you are playing the hacker’s game against them.  Google has already started doing this and as long as you and I understand what all that means, it will likely work better.

Another example of giving users a negative indicator of trust is when you go to a website and get a message that says YOUR CONNECTION IS NOT PRIVATE.  No one would lie and say that.

How about if you try to visit a website and instead you got a bright red screen with a message that says DECEPTIVE SITE AHEAD?  You are probably going to think more carefully about visiting that site than if you don’t see a little green padlock.

Even the Extended Validation, or EV, HTTPS certificate is far from perfect.  We saw this recently with Stripe.  As a test, a researcher got an EV certificate for a fake Stripe website because, while the real Stripe was incorporated in Delaware, the fake Stripe did exist, but was incorporated in a different state.  Would a hacker have to spend more money, take more time and be more committed to pull this off than for some other attacks?  Yes.  But it is far from impossible.

On the other hand, a bright red screen with squawking ducks telling you to, err, DUCK!, is much more likely to get your attention, unlikely to be faked and much less likely for the average user to get fatigued about.  Or fall for the bad guy.

Google Chrome, the majority browser, is already working on these things.  They don’t think this is simple, but they have admitted what we all know  – that what we are doing now is not working.  The bad guys are winning.

So look for more negative indicators of trust and heed their warning.

Information for this post came from Troy Hunt.

Friday News for May 4, 2018

U.K.’s High Court Gives the U.K. Gov 6 Months to Fix Law

Privacy in the U.K. is a bit of wishful thinking.  Besides having the most public surveillance cameras in the world (Wikipedia says there is one camera for every 14 people in the country), the government has attempted to kill privacy in other ways.  The courts have struck down the now expired Data Retention and Investigatory Powers Act (DRIPA), but, until now, has not ruled on the replacement law for it affectionately known as the Snooper’s Charter.  Now the U.K. High Court has said that law is incompatible with the EU Charter of Fundamental Rights.  The government asked for a year to come up with a way around this ruling, possibly by creating a new law, but possibly not.  The government is suggesting that they are only keeping data for serious crimes by redefining a serious crime as any crime where it is POSSIBLE that the person, if convicted, COULD be sentenced to 6 months in jail.  That might include repeated jay-walking.    The court said you have 6 months to fix the law or the court will consider your inaction a serious crime.  Meanwhile, more challenges to the Snooper’s Charter are being filed (Source: The Register).

Why Did Atlanta Spend $5M Instead of Paying $50k in Ransom?

Atlanta was hit by a ransomware attack last month that knocked the city pretty much into the 1940s, technology wise.  The attacker asked for $50,000 in ransom to unlock the files, but the city chose not to pay and has reportedly spent $5M recovering from the attack – so far.  In fairness, the city likely did things after the attack that they should have done 5 years ago, but it is money they would not have spent if it were not for the attack.

Fast forward to last week.  The school district of Leominster, MA, northwest of Boston, was hit by a ransomware attack.  While the details are sketchy, the district says they had no choice other than to pay the ransom.  I guess this means that they didn’t have backups of systems, didn’t have a disaster recovery plan, didn’t have an incident response plan and didn’t have a business continuity plan.  I wish this was unusual, but it is not.  The population of Leominster is 41,000.  Attackers are targeting municipalities and even states (the Colorado Department of Transportation was down for the count for at least a week or two after an attack) because they know that, compared to private industry, the public sector’s cyber security posture is even worse.  Paula Deacon, the Leominster Schools Superintendent, said “we paid the ransom through a bitcoin system and are now awaiting to be fully restored”.  They, apparently, paid the ransom last week and are still waiting.  I have a bad feeling about this.  Usually, if the files are going to be unlocked, it happens right away (Source: CBS Boston).

Google to Shut Down Google Link Shortener Goo.Gl

Unlike some of the Google services that they have abandoned in the past, this one is going to be gracefully shut down, but as of this month the wind down is starting.  Google says that it is used too much by scammers trying to hide malicious links using their shortener.  They also say that you can use their competitor if you still need a link shortener.  But for users, this is just a reminder that clicking on any shortened link is a bit like playing Russian Roulette – you have no idea whether the link you are clicking on is malicious or not (Source: Google Blog).

“Massive” Flaw in Schneider Electric SCADA Control Software Gives Hackers Full Control Over Critical Infrastructure

“Full control” is the hacker’s nirvana and the IT team’s worst nightmare.  In this case, the software controls oil and gas production, water plants, manufacturing and similar facilities and, with full control, the hackers could do anything from shutting it down to, possibly, with enough motivation, blowing it up.  There are caveats, but still, it is scary.  Given the FBI warning last month about state sponsored hacking of critical infrastructure, this is concerning.  And, I bet, there are hundreds or thousands of Schneider installations that have not been and will not be patched (Source: Tech Republic).

Maybe Waiting to Deploy Patches Isn’t a Good Idea

Companies often wait a couple of weeks up to a month before deploying new patches, since patches sometimes break things and waiting is a good way to make sure that they break someone else’s system first, but that strategy does have some flaws.

According to the SANS Institute, their honeypot server was hacked within hours of being made live.  They say that hackers started going after the Oracle WebLogic bugs immediately after they were announced on April 18th.

SANS says patch fast or plan to recover.

You wait at your own peril (Source: The Register).

EU’s GDPR May Cause Challenges For Businesses

According to a survey conducted by storage software vendor Veritas, 2 in 5 or 40% of what the EU calls “data subjects” (and what the rest of us call people) plan to ask businesses to tell them what data they hold within the first six months after the GDPR goes into effect later this month.

Even if the 40% turns out to be 10%, that is going to be an amazing hardship for businesses.

Under GDPR, businesses have about 30 days to provide that information.  They need to figure out which John Smith is requesting the data, on what systems (local, in the cloud and with vendors) they have that person’s data, collect and format that data in a manner that is consistent with the GDPR requirements and deliver it.  All within less than 30 days.

Which companies have to deal with GDPR?

In general, companies that collect data on EU people – customers or just people who visit their website.

Different companies face different risks.  The companies at the highest risk are those located in Europe.  Those are followed by ones that have operations (business units) in Europe.  At the lowest risk are companies based in the U.S. who may interact with a few EU data subjects.

Other responses from the survey include:

  • 56% plan to approach financial firms with data privacy requests
  • 48% plan to approach social media firms
  • 46% plan to approach retailers
  • 24% plan to approach employers and
  • 21% plan to approach healthcare providers
  • 65% of those who plan to contact these businesses will ask for access to the data those companies have
  • 71% of those who contact businesses will ask them to delete the data

Information for this post came from .

Based on that, what should you do?

First, if you live in the US, this doesn’t apply to you unless a company chooses to voluntarily do that.

BUT, if you are a business and you have customers in the EU or have a division in the EU and you have not already started working on complying with the rules, you likely will not be able to comply by the May 25th deadline.

What we don’t know is what the EU regulators plan to do.

Given there are tens of millions (or more) of businesses, the odds of any one business getting zapped are low.

UNLESS one or more people complain about you to the regulator.

And we don’t know how many resources each regulator plans to allocate to this process.

It will certainly be interesting to watch.  Unless you are the one that the regulator picks on.

Small Business Needs to be Concerned About Cyber Security

In the wake of all of the breaches that we read about on an almost daily basis, large companies have begun to take the cybersecurity threat seriously.  While they are far from perfect, far from secure, they are way more secure than they were even 5 years ago.

What that means is that big businesses are harder to attack.  The hackers understand this so they are moving on to the small and medium size businesses.  While these businesses don’t have as many records to steal, they do have some things that make them attractive to crooks.   While this list is a generalization, it applies in most cases:

  • They typically do not have an in house cyber security staff
  • They often don’t even have in house IT
  • They do not have sophisticated security logging solutions
  • They almost never have a security alerting system
  • And, many times, they are vendors to bigger companies – an easy way in to those larger companies.

The Target breach started with a small HVAC (refrigeration) repair vendor outside of Pittsburgh.  The Home Depot breach started with a small vendor that provides credit card machines at self checkout lanes in some Home Depot stores.  Those businesses had been compromised for months while the hackers waited for the right moment.

Given that, what can or should small businesses do?

The first thing is to understand that they are not immune from attack.  While we don’t have good statistics, numbers seem to indicate that more than a third of attacks hit small businesses.

While Target can afford to spend $200 million and 3 years to recover, small businesses are in trouble if they have to spend even one million dollars.

Some of the measures that you can take to reduce your risk include:

Train your employees

People are a major cause of breaches.  Clicking on a malicious link, opening an infected email, connecting to malicious WiFi can all be the start of a breach.  If employees use their personal phone or computer to access company resources then training needs to include that as well.

Pick good/strong passwords

The two most common passwords in many breaches are password and 123456.  Needless to say, those are not good choices.

Use Two Factor Authentication

Using two factor authentication like a one time text message code, makes stealing passwords almost useless.  It may take 10 seconds longer to log in, but it also may keep the bad guys out.

Don’t Forget About Paper – Shred it

There is still lots of paper and paper with sensitive info.  Shred it before disposing of it.

Buy Data Breach Insurance

Even today, data breach insurance is relatively affordable.  It is way more affordable than writing a check for even $50,000, never mind writing a check for a million.  Since data breach insurance varies from policy to policy, it is important to make sure that you get the right coverage, too.

These are just some suggestions.  Most of them don’t cost very much.  Make it harder for the bad guys.

Contact us for more recommendations.

Information for this post came from Newsblaze.