Do You Have to Pay Income Tax on Hacked Social Security Benefits?

A CPA who spent his career as a personal Financial Specialist is dealing with that question right now.

The CPA, who did not provide his name in the guest blog on the AICPA web site, said that he provided his clients with retirement, tax, estate and other financial advice for decades.

That, however, did not stop him from being the victim of an identity thief.

How he found out that he was a victim was when he received a letter from Social Security congratulating him on starting to take his benefits.  Only problem was, he hadn’t done that.  His plan was to wait until he was 70 to start taking them.

He says that people between the ages of 62 and 70 are at most risk because they are eligible to collect social security.   Those who do not apply until age 66.5 can get up to six months of back benefits, which is what this thief did.  To the tune of $19,236.

Even though he had frozen his credit file with the three credit bureaus, the thief was able to open an account with a major retailer who advertises that that you can open an account for a prepaid debit card with no credit check (based on their web site, that is likely Walmart) since there is no credit risk to Walmart because the card is prepaid.

The thief applied to Social Security, asking for those back benefits and had them sent to the account associated with that prepaid Visa card.  The rest is history.

The CPA thinks the attacker used the Social Security Retirement/Medicare benefit application web site to apply for the benefits.  That site, apparently, does not require you to securely identify yourself.

He says that the attacker applied using a different email address than the one on file, changed one digit on his phone number and applied for benefits paid to this prepaid card.

The one thing the thief could not do on this unsecure web site is change the CPA’s address, so, at least, he did get notified that he had been hacked.

Now the even worse part.

He received a 1099 from Social Security for the benefits that the thief stole.

So now he has to fight with Social Security to prove that it wasn’t him.

Fight with the IRS so that they don’t make him pay taxes on that $19,000 that he never got.

And fight with Medicare because that income put him in a category that would  make him pay more for his medicare insurance.

Isn’t that fun?  The benefit of the Internet.

Information for this post came from the AICPA web site.

Facebooktwitterredditlinkedinmailby feather

Jackpotting ATMs

The feds are beginning to see thieves jackpotting ATMs in the United States.  Until now, reports of ATM jackpotting were limited to other countries.

Jackpotting an ATM is exactly what it sounds like.  The hackers compromise an ATM so that it spits out large amounts of cash.  An ATM in Rhode Island, for example, was emptied of $50,000 this way.

Jackpotting has to be customized to a particular brand and models of ATM since it works by modifying the ATM’s software and needs to be able to figure out how to get the compromised software loaded into the ATM.  In at least one attack, the attackers figure out how to snake a cable into the ATM and change the firmware.  Sometimes the attackers are dressed as ATM technicians to reduce suspicion.  ATMs that are remote and not under video surveillance would be the smartest attack targets, but it seems like at least some thieves do not think that they will be caught.

In one case in Connecticut, two attackers approached an ATM and compromised its software.  Another team them caused the ATM to cough up thousands of dollars.  Unfortunately for the hackers and fortunately for the bank that owned the ATM, the ATM was under video surveillance and the bank called police who apprehended two men.  These guys don’t qualify as very bright as the used the same car, caught on video, that was used to pull the same attack on an ATM of the same bank in a nearby state.  Stupid crooks are always easier to catch.

This appears to be a widespread problem with multiple people executing multiple attacks in multiple countries.  These people, almost certainly, do not know about each other.  Now that this has become somewhat popular, other hackers will try to figure out how to pull off this attack on different models of ATMs.

If you consider that an ATM is basically a PC, usually running an old version of Windows (Windows XP), in a safe, that dispenses money, it is not that surprising that it can be compromised.  Part of the problem is that ATM software does need to be upgraded periodically and is almost always done remotely.  If the hackers are able to exploit whatever mechanism that upgrade capability uses, they can tell the ATM to do whatever they want it to do.

I am sure that every ATM manufacturer is looking at the security of their devices to see if a hacker could compromise it.  But ATMs are in service for years as they are very expensive – some high end devices cost more than a quarter million dollars.  The manufacturers are probably only worried about devices that they currently manufacture and not ones that they built a few years ago.  For those machines, it is up to the machine owner to deal with the risk.

ATMs owned by banks are covered by the bank’s insurance, but privately owned ATMs may not be owned by the owner’s policy.  ATMs located inside a store that is always staffed by clerks, such as a 7-11, are much less attractive for attackers.

It does appear that this attack is not interested in compromising YOUR ATM card;  it works at a much lower level by modifying the ATM’s software.  If the compromise works, the amount of the theft is only limited by the amount of money in the ATM and how much time the thief is will to spend at risk of being captured.  In some attacks, multiple teams visit the ATM over a relatively short period of time so that things look a lot less suspicious.  sometimes it is done over a weekend thinking that the theft is less likely to be noticed until Monday.

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

T-Mobile Sued For Lack of Security

I am always skeptical about these lawsuits.  One issue is usually “standing”, but in this case, I don’t think this will be an issue.  Often, if the party being sued thinks they are going to lose, they tend to settle, quietly, with no precedent from a court decision.  In this case, I predict this one may be settled quietly by T-Mobile.  UNLESS, the person filing the lawsuit is more interested in creating a precedent.  We shall see.

OK, here is the story.

Carlos Tapang is suing T-Mobile because someone was able to take over his phone account, transfer it to another carrier and use that new account to compromise his cryptocurrency account to the tune of $20,000 plus.  The good news (not really) is that this occurred when Bitcoin was selling for about $7,000, not the high price of $20,000.

The reason T-Mobile will likely lose if this goes to trial is that T-Mobile said that they would put a PIN on his account, BUT DID NOT.  Ooops.

Also, the hacker socially engineered T-Mobile customer service until one customer service person believed the hacker’s story and allowed him into the account without knowing the proper information.


If this goes to trial and T-Mobile loses – big if – then it could cause the carrier to improve security.  That is part of what they say they want T-Mobile to do.

Tapang was able to recover his phone number – actually, he is lucky.  Many people lose their number permanently.  But it was too late.

While the article doesn’t say, what probably happened is this.

The attacker somehow figured out that he had a cyptocurrency account.  He either knew or guessed that it was tied to his phone number.  This is the typical “two factor” authentication which uses your phone number and a text message .

Using a text message as the second factor is relatively unsecure because if someone is able to get control of your phone number, they can receive the necessary information for a PASSWORD RESET and the TWO FACTOR text message code.  That is probably exactly what the hacker did.  Then  he emptied Tapang’s cryptocurrency wallet.

And, as we see all the time. the cell phone carriers are horrible when it comes to security.  It is hard to train call center employees, especially with the high employee turnover (for some call centers it is more than 100% turnover per year).  And, if security is good and they won’t hand over information, they wind up with upset customers.  On the other hand, if you do turn over the information without proper authentication, you wind up getting sued.  It is a challenge for the carriers because people want convenience over security.  Until is costs them $20,000.

Well, what can you do?

Number one – do set up a PIN on your cellular account and be a pain in the rear until they actually do it. TEST IT!  With Sprint they seem to be very good about the PIN, but if you don’t know it, they will sometimes let you answer other questions – which is bad security.  More than once I had to go into a Sprint retail store and show them my government issued photo ID to get a PIN reset.  THAT will deter most hackers.  Not all, but most.

Second, DO turn on two factor authentication for any account that that you would be upset about if you lost control of and hackers were able to “empty it out” – such as a bank account, brokerage account or cryptocurrency account.


Second, if at all possible, do not use a text message as the second factor.  Use an app on your phone such as Microsoft authenticator, Google authenticator or Authy.  These apps are tied to your device once they are set up and NOT tied to your phone number.  If you phone number is stolen it will not help a hacker steal your money.

But this is up to you.  If you figure that it won’t happen to you, choose convenience.  If you think that it might happen to you and you would be upset if your account was emptied out, then use two factor.  Even though it is less convenient.  Google says that less than 10% of GMail users use two factor.

Information for this post came from The Verge.

Facebooktwitterredditlinkedinmailby feather

Reuters Reports CFPB Will Not Investigate Equifax Breach

As the leadership at the Consumer Finance Protection Bureau  has changed to a more business friendly leader, the new head of the CFPB, Mick Mulvaney is not going to move forward with a full scale probe of how Equifax failed to protect the information of over a hundred million consumers.

The former director, Richard Cordray, ordered an investigation right after the breach.  Since then, the CFPB has not done much to investigate Equifax.

In particular, Mulvaney has not issued any subpoenas and has not gotten any sworn testimony from Equifax executives.

The CFPB also, reportedly, rebuffed offers of help from the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency.

While the President can, likely, tell Mulvaney to back off on Equifax,  every state Attorney General is investigating Equifax.  Those AGs, some Democrats and some Republicans, are beyond the reach of the feds ability to control since they will be looking at whether Equifax broke state and not federal laws.

The FTC is investigating Equifax.  The last time they fined a credit bureau, the amount of the fine was $393,000 – pocket change for a multi billion dollar company.

The CFPB fined credit bureaus over $25 million last year alone, which one would assume, was well known by whoever told the CFPB to not investigate things too hard.

Cordray asked bank regulators to do new exams of all of the credit bureaus.  Last month Mulvaney told the regulators that there would be no new exams.

The crux of this may be the dispute between the Democrats and Republicans on what authority the CFPB actually has.  That has been the subject of a seven year long court battle.  TransUnion said that the CFPB has no authority to examine the credit bureaus over cyber security issues and that certainly is possible.

That being said, 50 Attorneys General, all of whom have political aspirations, should be able to effectively get Equifax’s attention.

Congress, for its part, has done nothing to increase the oversight of the credit bureaus since the breach, even though months have passed.  That should not seem like much of a surprise for a Congress that can’t even fund the government for more than a couple of weeks at a time.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

Friday Quick Notes

Breaking from my usual theme of one day, one story, here are a few quick notes for you to ponder over the weekend.

In a story that no one saw coming, Adobe is going to patch a critical zero day flaw, being exploited in the wild.  Next Week.  In fairness to Adobe, they do have to develop, package and test the fixes, so it does take some time, but it doesn’t take the hackers as long to exploit the problem.

I thought I had uninstalled Flash on my machines but after the announcement today I looked and it was back again.  I don’t remember reinstalling it, so maybe some Microsoft update installed them.  Find details on the zero day here.  As of yesterday, this was being exploited in Korea, but likely, as of tomorrow, it will be worldwide.

People like to beat up Google and Android as not being as safe as iPhones and in fairness, beating them up is fun and often accurate.  Still Google is sensitive to being criticized.  They just announced that they removed 700,000 apps from the Google store in 2017.  That’s a lot.  In fact it is up 70% from the year before.  While nothing is perfect, pulling 700,000 apps is a lot of work.  Read the details here.  In an even more encouraging statistic, 99% of the apps were removed before anyone could download and install them.  They also identified 100,000 malicious developers and blocked them from the Google store. Go Google!

Researchers have found a new flaw in Oracle’s Micros point of sale or POS system that is used by 200,000 restaurants and 30,000 hotels in 180 countries.  There is a patch for it, but as we discovered with the Equifax breach, people don’t always install patches.  In the case of restaurants and hotels, when, exactly, do you want to take down your point of sale system to patch it?  The result is that many of these systems will never be patched.  Read the details here.  Note that this site may require you to create a free account.

In a move that I would label “Its about time”, starting March 1, 2018, Microsoft’s anti malware tool will bully the bullies.  Those software tools that claim to have detected a virus and for only $99 or whatever they will remove it for you – Microsoft will label them malware and fix the problem for – by deleting those apps.  Yeah, Microsoft.  Read the details here.

Cybersecurity researchers at Ben Gurion University of the Negev say that medical imaging devices like CT scanners are at risk.  Risk of killing patients if a hacker wanted to, by hacking the PC that controls it and changing the radiation level. Hackers could also hold the imaging devices ransom  – taking them out of service until the ransom is paid or the hospital figures out some other solution.  Apparently, the ransom thing has already happened;  the killing part has only happened to a mannequin.  At least that people are willing to fess up to.  Read the story here.


Facebooktwitterredditlinkedinmailby feather

The Challenge of Meltdown and Spectre

The twins bugs of Meltdown and Spectre are a once in a career event for security pros.

Most bugs are found quickly – these have been around for 20+ years.

Most bugs affect one hardware platform like Intel or AMD or are not related to any specific hardware device.  Spectre affects every modern computing processor from the highest end Intel chip to the ARM chips powering all phones.

Most bugs affect one operating system such as Windows or iOS.  These bugs affect Windows, MacOS, Linux and other operating systems.

Finally, most bugs are relatively easily fixed once they are found.  Spectre requires, basically, new chip designs to truly fix them.

Worse yet, researchers wrote about these problems in 1992.  At the time people figured this was too  hard to exploit so no one would try.  We have already seen proof of concept exploits on the web.

In general, the Meltdown bug is fixable in software;  to completely fix Spectre requires changes to the hardware, but software changes will make exploiting Spectre more difficult.

I am pretty diligent about applying patches, so I figured I was protected at least against Meltdown and possibly against Spectre.

Today I installed InSpectre (available at ) .  After running it, I received this message (note there is a lot of explanatory commentary when you scroll down):

I was pretty surprised.

I checked to see if I had any pending updates and I did not.  I looked at the updates that had been installed and the January cumulative update had not been installed, but I could not see any reason why.

I eventually did find a link to download it manually and was able to install it.  The install went perfectly and did not exhibit any of the negative symptoms (like a blue screen of death) that some users had experienced early on.

After installing the patch, I ran InSpectre again and got this message:

So I guess I am making progress, but it is not complete.

This free utility written by long time security industry expert Steve Gibson is free on his web site; you might want to see if you are really protected.  Or not.


Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed