Thankful for Hard-Working Information Security Professionals

 

Fraudsters, criminals and con artists are often ballyhooed for their ingenuity and cleverness. Less praise, however, is given to the good guys - the information security and privacy professionals down in the trenches working hard to protect the rest of us from those crafty criminals.
 

This month, I'd like to express my gratitude for each of these hard-working individuals who often sacrifice their own free time to patch up, reinforce and otherwise reconfigure our security measures to keep us and our data safe.

 

Thank you so very much for your tireless efforts!
  


 
In a battle older than the pilgrims, good and evil continue to butt heads. Read on for ways to avoid the latest scams, tricks and schemes.

Nobody Writes Anymore

 

If you're like me, you often long for a good "old fashioned" letter and are pleasantly surprised when one shows up in your mailbox! But keep your guard up, as phishing artists are counting on people like us to hungrily gobble up their hand-addressed correspondence.

 

One such scam arrives via postal mail with your address scrawled in pen by an actual human being, making it intriguing enough to open. (Tellingly, however, there is no return address.) Inside, you'll find what appears to be a recognizable corporate logo, such as "US Airlines," at the top of the letter in an effort to mimic the letterhead of a similarly-named legitimate company. The letter, which may be typed, will claim you have won two round-trip tickets and need to call the enclosed number to claim them.

 

If you are duped into calling, the person on the other end of the line will ask for information they should not need, such as your Social Security number or a credit card number. Do not give this information away!

 

What to do if you receive a scam letter

 

There are two things you can do to help catch the criminals behind these carefully crafted letters:

 

1) If the letter carries the logo of a legitimate company, forward it to that company. Many organizations list an email address on their website for reporting potential scams and other types of privacy problems; and

2) Submit your story to the FBI using this form, as well as to the FTC following these directions.

Never Too Young to be Scammed


Young children have become increasingly at risk for identity theft. In fact, ID theft among victims age five and younger has doubled just since 2011. According to the 2012 Child Identity Theft report from AllClear ID, children are 35 times more likely to be victims of identity theft than adults.
 
The impact of identity theft on a child's life can be devastating, affecting the ability to get a loan, scholarship, apartment, credit card or job. For specific ways to protect your child's identity, read the Federal Trade Commission (FTC) fact sheet, "Safeguard Your Child's Future." It contains instructions for checking your child's credit report, placing an initial fraud alert, requesting a credit freeze, and filing a report with the FTC.
 

Avoid Getting Ripped Off at the ATM

Thanks to my good friend and Tips reader Alec for pointing me to this great article! Crooks around the globe are using new (and improving) technology to steal your information right at the ATM - and right under your nose.

 
With a variety of devices - from tiny surveillance cameras to look-alike keypads to card readers - these criminals are able to get at your account number, your PIN and really any other kind of details they'd like (even what you look like or the kind of car you drive).

 
Because these criminals are no dummies, they often target ATMs off the beaten path, in places rarely checked by the network operator or without much traffic or people around. If you must use an ATM in a desolate location, be aware of anything that looks hinky. That scratched up card reader or loose keypad may just be evidence of a planted skimming device. Abandon the machine and try to find another. Quite a few financial institutions have built mobile apps designed to help you locate ATMs. Consider downloading one (from the financial institution itself!) if you need to find ATMs in out-of-the-way locations.

  

Bookstore Breach

 
The most recent skimming report is yet another example of how even widely recognized and reputable companies are vulnerable to attack. Just last month, Barnes & Noble customers may have had their credit or debit card information stolen, directly from Barnes & Noble's own point-of-sale (POS) terminals.

At 63 Barnes & Noble stores, criminals tampered with the PIN pads so that card numbers and PINs could be captured. It turns out the criminals apparently modified the PIN pads brazenly, on-site, right in the store!

The company is working with law enforcement and the media to get the word out so customers who shopped at these stores are aware of the danger. If you receive word that a store you shopped in has been the victim of a skimming attack, call your bank immediately. They may advise something as simple as changing your PIN. In other cases, they may cancel and reissue your card. Yes, it may be bothersome, but stopping the fraudsters before they do more damage will be worth the comparatively minimal inconvenience.

Control Your Facebook Feed

In the U.S., we are about to elect a president. It's an extremely exciting time, and one that makes us all grateful to have the freedom to vote for our leaders. At the same time, spirits and passions are running high, causing many of our "friends" to air their opinions (and sometimes their political outbursts) on Facebook.
If you're tired of seeing your overzealous friends continuously posting hateful blurbs or perpetuating silly untruths, outrageous claims and other baloney about the candidates, here's how you can block specific types of posts from appearing in your feed.

1. Navigate to your friend's Facebook profile.
2. Hover over the "Friends" button.
3. Click "Settings."
4. Uncheck any post types driving you crazy (e.g. Life Events, Status Updates, Photos, Games, Comments & Likes, Music & Videos and Other Activity)
5. You can also uncheck "Show in News Feed" if you don't want to see any of that particular friend's posts, yet you don't want to "unfriend" him or her.
 
After the election, you can easily reverse the changes, putting things back to normal. It's a win-win: You get to keep your friend (they won't know you've filtered them), and they get to exercise their right to free speech.

And Speaking of Facebook...

 

There is a new phishing scheme targeting Facebook users. The scam emails falsely notify the user that their account has been blocked and try to get victims clicking, leading them straight to a malicious website that will steal their information.
 

Below is an example of this current social engineering attempt.

If you get an email like this, simply delete it and never click anything! Optionally, before deleting it, you can forward the email to the Facebook security team so they can fight such scams.

Cybercriminals Come A Callin'

One afternoon, a stranger called my home and said there had been complaints in my area about malicious code damaging operating system software (very high tech stuff!). He wanted my permission to remotely check my operating system for impact.
 
How ironic that I would get a call from a cybercriminal during Cyber Security Awareness Month (October)! 

Clearly this man had no idea who he had phoned. At one point he asked me: "See that little blinking thing? That is where your letters show up when you type. Look at that please, ma'am."
 
Curious as to where this was going, I decided to play dumb, gathering as much information about him and his organization as possible along the way. At one point I even got him to give up his phone number by telling him I had to call him back from a different phone nearer the computer. (I have to admit, it was fun to play super sleuth.) 

He went on to walk me through a series of steps where the eventuality was to enter "eventvwr" in the command line. Then, in what I can only guess was an attempt to inspire my confidence in him, the caller read me my computer's CLSID number (which, as I understand, is the same on all late-model Microsoft operating systems... but that's not something the average Joanne is likely to know).
 
After that, we were off to the races, and he asked me to enter a URL, visiting what I can only assume was a site intended to load up my computer with hacker software, designed to grab all my sensitive information, perhaps even download software capable of detecting my keystrokes. 
 
Needless to say, I did not visit the site. But I did record it... and it's all posted on my blog if you'd like to read more. You'll also find information there from commenters who've also received similar calls, some just recently. 
 
Please be on the lookout for this scam! It seems they are increasing their calls and refining their scam lines. Falling for what is a pretty convincing reason from these crooks could be easy to do.
 

Hurricane Sandy Scams Already Appearing
 

My thoughts and prayers go out to all those impacted by Hurricane Sandy. It is sad to see criminals already compounding the pain with scams. Please beware of the following:

Scammed in Sandy's Aftermath
10 Tips For Donating Smart
Warning about Post-Sandy Scams

Term of the month

 

"ATM Skimmer"

 

An ATM skimmer is a device crooks attach to an ATM to collect data from credit, debit or ATM cards. The crooks then use the information to commit various types of identity fraud, such as making purchases or withdrawing cash from your bank account. Some even use the stolen information to produce counterfeit cards.

ATM skimmers are increasingly being found on bank ATMs, gas station payment terminals and other types of public cash withdrawal machines. There are also handheld skimmers that crooks in restaurants and other businesses use when taking cards for payment.

 

 

Of the many things for which I am grateful, my community of colleagues and the readers of this Tips message are definitely included.

 

I wish you a blessed Thanksgiving and a very safe and happy fall season!

 

Rebecca
Rebecca Herold, CISSP, CIPP/US/IT, CISM, CISA, FLMI
The Privacy Professor®
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564, Business: 515.996.2199