The Story Behind the Sonic Breach

It’s been a rough go of things when it comes to the security of debit and credit cards as well as personal information. The massive Equifax breach has already left many Americans feeling unprotected and insecure while Yahoo experienced yet another breach soon afterward. To top it all off, the popular burger chain Sonic Drive-in announced in late September that its payment portals had been compromised.

Experts estimate that information for millions of cards was hacked from the nearly 3,600 Sonic locations across 45 states. The card numbers and details are now up for sale on the darknet.

Here’s what you need to know about the latest in a long line of nationwide security breaches:

What happened?

The breach became a reality when Sonic’s card processing company reported “unusual activity” on a large number of cards that had been recently used at Sonic. Further investigation uncovered a tremendous data breach with the potential to affect millions of consumers.

Sonic utilizes a single point-of-sale system that is deployed at the majority of its locations. Using sophisticated malware, hackers were able to access the system. The malware copied the information on every card that was swiped in the payment terminal, and then sent it back to the hackers.

The hackers then put this information up for sale online, where buyers can use the card details to rack up huge bills, empty accounts or even steal victims’ identities.

While Sonic was quick to share this basic information with the public, it can be months before more details are known and shared with concerned customers.

This breach is similar to the one that hit Wendy’s last year, lasting nine months and affecting 300 restaurants. It took that long to determine the issue and resolve it because many of Wendy’s locations are franchises. Approximately 90% of Sonic’s joints are franchises as well, thus adding to the delay.

Who was affected?

Anyone who’s used a debit or credit card at any of Sonic’s locations during the last year may have been a victim in the breach. It is still unclear exactly how many customers were affected by the breach, though it is estimated that there may be as many as five million victims in this malware attack.

While most cards with compromised info were linked to activity at one of Sonic’s locations, it is possible that other companies’ security systems were also breached.

How did Sonic react to the attack?

Sonic has announced that it will offer all customers 24 months of complimentary fraud protection through Experian’s IdentityWorks program.

Sonic was also quick to hire third-party forensic experts to help investigate the attack and identify the hackers. The company has also promised to research ways to improve its current system to better protect customers in the future.

How can you protect yourself from this and all future data breaches?

1.)   Find out if you were affected: If you’re a regular, or even an occasional, Sonic customer, find out if you were affected by the breach. Review your recent account information on all your cards. If you spot suspicious activity, alert your card issuer and place a freeze on your account. You can also place a fraud alert with the credit bureaus. This will warn creditors that you’ve recently been targeted in a hack, alerting them to verify that anyone seeking credit in your name is actually you. Lastly, accept Sonic’s offer of two years of free fraud protection.

2.)   Use fraud protection: Even if you haven’t been affected by this breach, it’s a good idea to sign up for fraud protection. These services don’t usually come free, although, in light of its recent data breach, Equifax is now offering a full year of protection with their TrustedID program, free of charge. Fraud protection services will ease the stress of monitoring your credit for fraudulent activity and unusual behavior.

3.)   Monitor your accounts: It’s always wise to keep a sharp eye on your money – and that means more than just checking that your wallet is safe. Review all checking account activity several times a week to determine whether your account information or debit card has been hacked or stolen. Also, never throw away a credit card statement without carefully reviewing it to be sure every transaction belongs to you. Additionally, it’s wise to shred such paperwork rather than throwing it in the trash. Finally, request a credit report from the three major credit reporting agencies once a year to see if anyone is using your name to rack up a huge bill or take out a generous loan.

4.)   Set up alerts: You can receive notice about suspicious activity almost as soon as it happens by signing up for alerts. Place a maximum transaction amount on your credit and debit card so a thief won’t get away with a huge purchase. You can also limit your transactions to a specific area or region of the country so long-distance hacking won’t work.

Your Turn: How do you protect yourself from data breaches? Share your best tips with us in the comments!


Equifax Breach: What Happened And How Can You Protect Yourself?

On September 8, 2017, Equifax, one of the major credit reporting agencies, announced a breach from mid-May through July 2017.  During this period, hackers accessed people’s names, Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers.

Equifax has set up a Web site — https://www.equifaxsecurity2017.com — that anyone concerned can visit to see if they may be impacted by the breach. The site also lets consumers enroll in TrustedID Premier, a 3-bureau credit monitoring service (Equifax, Experian and Trans Union) which also is operated by Equifax.

According to Equifax, when you begin, you will be asked to provide your last name and the last six digits of your Social Security number. Based on that information, you will receive a message indicating whether your personal information may have been impacted by this incident. Regardless of whether your information may have been impacted, the company says it will provide everyone the option to enroll in TrustedID Premier. The offer ends Nov. 21, 2017.

In addition, you should closely monitor your accounts with financial institutions.  At Destinations, you can set up a “code” word that you will be asked whenever you call in to perform a transaction.  To do that, log into your Online Banking and go to “Info Center” –> “Personal Information” and click the Edit button.  This will allow you to add a code word.  As an additional security measure, you will receive a message in the e-mail you have on record with Destinations to notify you that personal information has been changed.

As always, you should get your free credit reports from all three credit bureaus at least annually.  You can get them all at once or request each at different times of the year.  To get your free credit reports, go to annualcreditreport.com.

Beware Of WannaCry Ransomware

On Friday, May 12, an unprecedented Trojan virus spread like wildfire through the internet, creating enormous damage and loss.

The WannaCry ransomware attacked 57,000 computers in more than 150 countries in less than a day.

As its name implies, ransomware works by holding a victim’s data under “ransom.” The virus encrypts the files on an infected computer and holds those files hostage unless the victim pays a ransom, in which case the files are promised to be returned, unharmed.

The WannaCry virus demands a payment of $300 in exchange for decrypting infected files. If the victim doesn’t cough up the money within three days, though, the ransom doubles to $600. If a full week goes by without payment, WannaCry deletes all of the files and they are gone forever.

On Saturday, 22-year-old security researcher Marcus Hutchins became an instant hero when he registered a domain name within the virus’ code in an attempt to track its spread, unintentionally slowing its progress.

Unfortunately, though, Hutchins’s actions did not completely halt the virus. By Monday morning, more than 200,000 systems across the globe were reportedly infected. European countries were hit the hardest. Many large companies were forced to close their doors for several days, as were banks, hospitals and government agencies.

As of now, no one is sure who’s behind the virus. However, most experts believe a group known as “The Equation Group” is utilizing a code written by the National Security Agency to exploit flaws in Microsoft Windows and create the virus.

There is no fix for WannaCry, though cyber-security experts are hard at work trying to decrypt infected files. If your computer is infected, it’s best not to pay the ransom. Instead, restore backup files to your computer or seek help from a professional who specializes in restoring lost data. Paying the ransom doesn’t guarantee the return of your files, and it encourages attackers to infect your computer again.

As always, the best way to protect yourself is to be proactive. Here are 5 steps you can take to keep your computer safe from WannaCry and other ransomware:

1.) Create a backup of your files

If you haven’t already done so, invest in an external hard drive and get into the habit of making regular backups of your data. This will protect your files in case anything happens to your computer, saving you lots of time, money and stress.

You can also subscribe to a cloud backup service and regularly upload your most important data. There are multiple free cloud services you can use, such as Google Drive, Apple iCloud or Dropbox. All of them will store your valuable data (to a size limit) without charging you a penny.

2.) Patch your Windows with Microsoft’s fix

Upon discovering that WannaCry spread through a weakness in Microsoft Windows, the software giant released a fix for the vulnerability. Protect your computer from this virus and other ransomware by using the fix to strengthen your computer’s code.

3.) Update your operating system

While the discovered weakness in Windows now has an appropriate band-aid, no one knows if there are any other flaws that can be exploited for another virus. It’s important to update your OS to the most recent version, preferably to Windows 10, as soon as possible. The more updated your software, the less likely it is that it contains vulnerabilities that can be abused.

4.) Use a firewall

A strong firewall will prevent ransomware from accessing your computer and will guard your online activity. No program or malware will be able to enter your system without your full consent.

Since malware is always evolving, it’s important to update your firewall on a regular basis to ensure protection from the most recent viruses and malware. You can purchase your own firewall or utilize available security measures offered by Windows, being sure to check regularly for updated versions.

5.) Avoid suspicious websites and emails

It’s too easy for hackers to infect your computer. All they need is for you to click on a flashing banner ad on your favorite shopping site and – oops! Malware is installed and it now has access to your entire computer and all your files.

Alternatively, following a link on a random email can infect your computer and destroy all your data. When browsing and checking your emails, always be on guard. Never visit suspicious-looking sites or click on any ads that look shady. Don’t download anything you can’t explain, and never click on links found in emails from people or companies you’re not familiar with. A little bit of caution goes a long way toward protecting your computer.

No one knows when WannaCry will stop circulating the web, but it always pays to be careful. Once you’re infected, restoring your data can be stressful, time-consuming, and costly. Taking steps to protect yourself, though, is painless and simple. By implementing the ideas detailed above, you’ll help keep your computer safe from this and any other ransomware looking to make a buck off your carelessness. Better to be smart and safe than sloppy and sorry!

Your Turn: What security measures do you take to protect your computer from viruses? Share your best tips with us in the comments!


How To Keep Your Guard Up Against The Newest Scams

It seems like there’s a new data leak or identity theft trick to be worried about every week. If you’re not informed, you risk becoming a victim. Sitting back and waiting for news about scams to come to you may not be enough. In an ever-changing security climate, you need to stay on top of new threats in personal information security. 

Why the landscape changes so fast 

The bad news is that humans have become the weak link in the information chain. Breaking modern encryption algorithms takes high-powered supercomputers months, if not years. The chance that information you send online or over the phone will be hijacked by nefarious people is slim. The biggest danger is sending information to people you don’t intend to be the recipients.
That’s why scams crop up so quickly. Humans can be tricked in any number of ways. Scammers can appeal to fear, greed or sentimentality in different forms to trick information out of you. They can also rely on inattention to detail or carelessness. This is because humans have a number of built-in vulnerabilities.
Unlike a computer, you can’t just download the latest anti-virus software to your brain. You can, however, do the next best thing: stay current on evolving cybercrime situations. 
Websites to visit regularly 
The FTC regularly updates its website with phone, email and web-based scams. Its website,  https://www.consumer.ftc.gov/scam-alerts, features several articles a week. As one of the strongest consumer watchdog agencies, it investigates illegal or fraudulent business communications with zeal.  It publishes the results of these investigations in hopes that fewer people will be victims in the future.

You can also pitch in and be a good cyber citizen by reporting scams you see to the FTC. You can report it online using the FTC’s form at this website: https://www.ftccomplaintassistant.gov or call their toll-free number at 1-877-FTC-HELP. It’s one way you can make sure scammers are stopped before they really get started.

The Better Business Bureau (BBB) also maintains a list of scams from criminals posing as businesses here: http://www.bbb.org/council/news-events/lists/bbb-scam-alerts/.  The BBB is a helpful place to look if you’ve received an offer that seems too good to be true. For identity-theft specific scams, the Identity Theft Resource Center maintains a list of schemes to steal personal information. Their website is located at http://www.idtheftcenter.org/ID-Theft-Blog/Scams-Alerts/. 

Games to play 
Keeping up with the latest threats isn’t all work. There are also fun, interactive games you can play! The FTC’s weight loss challenge game tests your knowledge of common weight loss scams. It can be a fun way to start talking with kids about the dangers of online ads. You’ll find it here: https://www.consumer.ftc.gov/media/game-0026-weight-loss-challenge.
If you’re feeling advanced, you can check out Admongo at www.admongo.gov. This creative, sci-fi themed platform introduces the hidden dangers of advertisements. It can also make a great stepping stone into a conversation with kids about caution around advertisements. 
News to follow 
You’re not alone in the effort to protect yourself against fraud. The National Consumer League is a not-for-profit organization with over 100 years of history helping to protect consumers from scammers. It maintains a list of scams and monitors old ones. It also interacts with law enforcement where possible to try to bring scamming groups down.
One of the services the National Consumer League provides is an email list. It sends out alerts whenever a new threat to consumer well-being emerges. In addition to covering scams, it also monitors product recalls, food safety conditions and truth in advertising concerns. It’s a great resource in helping you make smart consumer choices in a market crowded with information. To join the mailing list, just visit their website: www.nclnet.org 
Remember, the computer age brought us wonderful improvements in our quality of life. We can seek entertainment, educate ourselves, and stay in touch with friends and family using a device that fits in your hand. With that greater connectivity comes the need for constant and careful scrutiny of the information that comes across our screens. In this struggle, too, knowing is half the battle.

What Is The Cloud And Is It Safe?


Why do we use the cloud?

There was a time we used to buy furniture to hold our media.  CD racks, DVD racks, photo albums and filing cabinets filled our living rooms, guest room closets and wherever else we could pile them. Even in our cars, we would install massive CD changers to keep our music flowing or carry enormous books of CDs so we could have our tunes while on the open road.  If you try to explain this to young people today, they’ll look at you like you just described preparing your covered wagon rather than a mid-2000s Honda Civic.  If you try to explain audio cassettes, they might just suspect you have a loose screw or two.
Today’s media and data is so small, it might as well not even exist. Using the Apple Music and Spotify libraries as a guideline, every song that’s ever been recorded and released would fit into flash storage drives the size of a 12-ounce can of Crystal Pepsi. Even as our data gets smaller, we make so much more of it that it can get out of hand – much like processor speed, the amount of information the world produces doubles every two years. Some of that information is pictures of kittens and makeup tutorials, but we also produce a lot of data that isn’t nearly that important.
In such a data-driven world, we trust more and more of our lives to the cloud, and often it seems like blind faith.  After all, what is the cloud? How much do you know about it? Are there laws governing the way people use it? Most importantly, have you taken enough steps to protect yourself when all of your information exists on what is, if we’re really honest about it, not much more than a metaphor for the shared hallucination that is modern life?
Why should I start to care now? 
This week, iPhone users started noticing problems with Safari.  Initially attributed to an iOS update from earlier this month, it is now suspected to be a server-side problem stemming from Apple’s cloud-based syncing with its Safari web browser.  The issue doesn’t affect security, but it demonstrates a critical problem with cloud-based computing, something all of the major tech companies are pushing us toward. And it’s something where we have little control over our online security.
The cloud itself has insinuated itself in a variety of news stories in the last few years, from the theft of intimate photos belonging to Hollywood stars like Jennifer Lawrence to the operation for ending corruption in FIFA. Cloud storage is behind the surge in Amazon’s stock valuation, because they are the largest provider of cloud storage to businesses, including Netflix, the largest private user of bandwidth on the planet. The cloud is the basis for Google’s push into the laptop business via Chromebooks, and by extension, the efforts of a variety of organizations to get low-cost laptops in the hands of less-privileged kids.  It’s even changed Microsoft Office, probably the most ubiquitous piece of software in the world, by forcing Microsoft to create free versions of its Office suite and charge for excess storage of the files you create.
In other words, your investments, your data and the future of law enforcement may be intimately tied to cloud-based computing, and something as simple as a server-side bug can have an enormous ripple effect for millions of users. The issue won’t be going away any time soon, as more people use the web more often on mobile devices, which will eclipse 50% of personal Internet usage in the next few years. These devices rely on storage in the cloud to compensate for smaller on-device storage capabilities and a lack of long-term storage peripherals. 
What is the cloud? 
The cloud is a series of servers which store data that can be accessed by users whenever it’s needed.  This frees up hard drive space while protecting us from data loss due to hardware failure, including a stolen laptop or dropping your phone into the pasta you’re boiling on the stove. It’s not magical, and your information doesn’t live on the Internet in any particularly novel way. Instead of a home video being stored on your local storage, it is stored on someone else’s storage, far away. These server farms are enormous undertakings, and if you’re into mechanical processes and design, they’re also beautiful and fascinating. For example, check out these pictures of Google’s data centers: http://www.google.com/about/datacenters/
How much of my data is stored on the cloud? 
The amount of your information stored on the cloud varies from person-to-person, but if you’re reading this on a device that plugs into a wall at any point, you’ve got at least some data on the cloud.  If you own an iPhone, your device backs up your photos, videos and music to the cloud, in addition to storing periodic backups of your phone.  If you have a web-based email address, like one from Gmail, Yahoo! or AOL, your emails are backed up there as well.  Depending upon which apps you use, your health details, dating history or even your exact current location could be on the cloud as well, possibly being shared with third parties. 
Wait, who can see what? 
For the time being, the government can probably see more of your data than you think. Exact details are fuzzy, and you can make your own moral judgments on homeland security, domestic spying and Edward Snowden. However, if you think the government doesn’t want access, keep in mind that Apple is currently fighting both California and the United States federal government to keep a form of encryption on your data that it can’t break. Apple no longer wants to surrender data to the government, so it has blinded itself from seeing large swaths of your data. The government is less happy about this, because that data might point to potential threats to homeland security. Again, this article isn’t trying to make a moral or political claim. The point is that the government is a third party who wants the ability to look at your data, which represents another point of vulnerability to a malicious attack.
Outside of the government, a lot of the companies that maintain those expensive server farms pay for all of that technology by sharing some or all of your personal information with private businesses.  You should already know that, of course.  If a web service is free to you, then the company providing it makes its money some other way.  If they’re charging you, they still might make money by selling your data.
You’ll never know, because you accepted the terms without reading them. Don’t feel bad, though, we all do that. The iTunes end user license agreement (EULA) is over 20,000 words long, about four times as long as the Constitution of the United States. There are, however, some resources to help you.  For a shortened and simplified version of various EULAs, try tosdr.org, which is a donations-based organization that explains what you’re agreeing to and offers an add-on for your browser so it’s only a click away. 
Is my data safer when it’s in my control? 
That question is up for debate, but usually the answer is no. In most instances, end users are the most vulnerable point of attack for cyber scammers. However, when you have control of your data, you can work to make it safer. When you don’t, you’re trusting someone else with it. To put it another way, Apple Pay, Samsung Pay, and other tokenized payment plans are the safest way to make a purchase because they require your thumbprint, protect your data with single-use encryption that’s worthless to a third party, and don’t store your info in the cloud.  Doing your best to emulate those services is a good idea.
So, what do I do to protect myself from the cloud? 
The easiest solution is to spend some time and some money. Find a single site to store your files, whether it’s with Google, Microsoft, Apple, or Dropbox. Read each of their EULAs and decide for yourself. Then pay them to get as much storage as you need, rather than spreading your files among various services in order to stay under the amount for free storage.
Next, go through and make a list of which sites and services have what information of yours. Determine your level of comfort. Delete what you can live without, move the rest to somewhere you feel safe. Clear out your email inbox whenever you can. Don’t archive private data, like medical records or financial statements, with your email provider. Instead, save them locally on storage you have at home or work, which you can disconnect from the Internet. A 2-terabyte solid state removable storage drive is less than $100 and offers you great protection.  As an added measure, back up your drive in a second location once a month, in case something happens to your house.
Finally, as you move forward, try to think critically about what you’re telling people. If someone can make money off your information, they’ll find a way to do so. The only way to protect your information and that of your family is by being vigilant.

What Should I Look For In My Credit Report?


The beginning of the year is a time of resolutions and renewal.  Even if you’re not the kind of person who hits the gym with renewed vigor come January, getting those post-holiday credit card statements can get your heart racing. That’s why the beginning of the year is a great time to check in on your financial standing and make sure you weren’t the victim of holiday fraud and that your credit is in good shape.

Now is a great time to get a copy of your credit report and go over it with a fine-toothed comb.  It’ll help you keep on top of your finances, let you know if you should refinance your debt at a lower interest rate and give you an idea of how to use your upcoming tax refund (if you are getting one) this year. 

Question:  Why should I want to see my credit report?

Answer:  For a lot of our members, the idea of reading their own credit report seems daunting. There’s a lot of information, a lot of numbers, and it could be bad news. It can be a reminder of past embarrassments and, even at its best, it seems like homework. But, the value of going over your credit report is enormous. You can find errors and correct them, discover what you need to do to get your credit score as high as possible and understand what factors are affecting it, potentially saving thousands of dollars on any mortgage funding, auto loans or credit cards you get this year. 

Question:  Do I still need my credit report if I know my credit score?

Answer:  While it’s important to know your credit score, a single number doesn’t have as big an effect on your finances as some people think. Financial institutions want to see your whole financial picture before deciding on a loan. Your credit score can be a handy way to summarize your credit history, but it can also vary from agency to agency, often by significant margins. Also, if you want to improve your credit score, you’re going to need to see what’s actually on your report so you can take steps toward improving it. In other words, getting one of those free credit reports is not likely to be all you need to check up on your credit. 

Question:  How do I get my credit report?

Answer:  Visit AnnualCreditReport.com, because in a world of online scams, the best choice is the one recommended by the government’s Consumer Financial Protection Bureau (CFPB). You’re entitled to a free copy of your credit report every year, and AnnualCreditReport.com will give you a copy of your report from each of the three credit bureaus.

Question:  Now that I’ve got it, what should I look for?

Answer:  The first thing to do is make sure every account is familiar to you. Make sure there’s nothing outstanding on which you’re not currently making payments, and that there’s nothing in default. Remember to check balances as well. Just because the bureau is right that you have an account, it doesn’t mean they’re right in how much you owe or your account standing. 

Question:  Should I challenge everything?

Answer:  There are websites suggesting you challenge everything on your credit report, even if it’s a valid charge, in the hopes that you’ll get lucky and won’t have to pay someone. Those websites are not trustworthy. It is illegal to file a false complaint, and even if it weren’t, it’s incredibly immoral. Bottom line: It’s not worth committing fraud in the hopes that a credit agency or someone to whom you owe money drops the ball on paperwork.

Challenge every mistake, though. If you’re not sure what a charge is, call to find out. Make sure you follow up with every mistake you challenge, too. You shouldn’t be paying for or be penalized for charges you didn’t incur. 

Question:  How do I dispute an error on my credit report?

Answer:  Contact the credit reporting agency that reports the error and the company that claims you owe it money. Make sure to send copies of any supporting documents you have, but don’t send the originals, because you might need those later. While any company that corrects a mistake on your behalf is required to tell all of the reporting agencies, they may not follow through. After all, if they made a mistake when reporting the first time, they may make a mistake a second time. Be sure to follow up if necessary. 

If you need help in improving your credit, take that credit report and call Accel, our financial counseling partner.  It’s free, unlimited financial counseling for members of Destinations Credit Union.


Rogue Access Points


We’ve all been there.  It’s been a long day of shopping at the mall, or waiting in an airport, or driving across the country, and we finally get a chance to pull out our phones or laptops and look for WiFi. Good news: You’ve found one that doesn’t require a password!  Free WiFi saves the day. You click accept and head to your favorite place to watch videos of kittens, or whatever people normally do on the Internet … we mostly watch kittens.

There’s just one problem: what if that free WiFi was a trap?  One of the cleverest phishing scams out there right now is built on the lure of free WiFi using rogue access points, and it has enough variations to stay ahead of the security teams at Apple, Samsung, Microsoft and our own security for one simple reason: The soft spot in your security is you. 

Here’s how phishing on rogue access points works:  The scammer will set up a wireless router offering free Internet, often marked “Free WiFi,” “ATT WiFi,” or “Starbucks.”  Would you be suspicious of those networks?  Many people just look for the strongest “free” network, while most of the rest of us look for a name we trust.  How paranoid do you have to be to not connect to Starbucks WiFi at the mall?  Once you connect, though, they have a variety of ways to get any information they want off your phone or laptop. 

Even scarier, some scammers are using programs that tell your phone that the name of the free wireless available from the scammer’s router is whatever name your phone is looking for, so it can even connect automatically while in your pocket.  You can get phished over your phone just by walking in the wrong area. 

Once you’re on their network, they have a variety of ways to steal your info, from just grabbing your session cookies to using keystroke monitors to get logins and passwords, to the traditional phishing technique of creating dummy sites that look like Facebook or major credit card websites to prompt you for your info. 

Here’s what you can do to stay safe: 

  1. Turn off your WiFi unless you’re at home or work.  I know, I know. The only thing worse than mobile network data speed is mobile data network pricing.  Well, maybe mobile network customer service. Unfortunately, all that WiFi you grab every day can be dangerous.  Even if you’re not running into rogue access points, you’ve still got to hope that the coffee shop or burger joint actually pays attention to the security of their wireless router, which few even think to do.  Even those businesses that do think about security rarely spend money on it – rarely are they bringing in a professional. No, they’re asking a minimum wage employee to “take care of it” because “you’re young and good at computers.”  On a related note, isn’t it odd that coffee shops don’t spend more time thinking about their WiFi?  Isn’t that a core business at this point? 
  2. Even then, make sure your home and work WiFi are safe. Endpoint security, like Norton antivirus, is not as effective as it once was, simply because there are so many more points of vulnerability than there were a few years back.  We’ll have an extended look at securing your WiFi network in a future installment, but for today, set up your password with WPA2 Enterprise encryption.  If your router does not support it, it’s time for a new router. 
  3. Rename your home network something like “This Public WiFi is UNSAFE.”  It might sound weird, but if a scammer tries to use software to tell your phone the name of his network is the same as your home network, your phone will tell you it’s connected to “This Public WiFi is UNSAFE” and you can get off of it. 
  4. Apps are your friend.  Most apps, including ours, use HTTPS security, rather than HTTP. This can actually stop some of the tactics many scammers use.  Remember, they don’t want to beat the best security; they want to do as little work as possible and beat those unwary souls who rely on the worst security.  A simple step up is enough to keep many scammers at bay. 
  5. Get an app that prevents rogue access.  Depending on your operating system (OS), you have different options, but search your app store.  It’s worth the trouble and $4.99. 

The Google Drive Scam Is Back. Why Do We Share Our Info With Strangers?

In July, a group of phishers used Google Drive to lure unsuspecting people into offering up their personal information. This month, a similar scam involving the online employment service, Monster.com, surfaced using Google Drive as its front.  It isn’t particularly fancy – if you’re a regular reader of this space you’ll know the most effective scams rarely look like the last half hour of “The Sting” or “Ocean’s 11” – but it has been effective.

The scam works by creating a false job offering for which applicants share their resume in the hopes of scoring an interview.  Unfortunately, there is no job. They’re just phishing for data.  The more recent version creates an application on Google Drive, which is shared with the victim, who enters their information manually and often gets malware or spyware in return.  The newer version still steals information in the most low-tech way possible: by getting the victim to fall for a lie. But it also includes the high-tech angle of the malware or other malicious scripts, which can scrape the victim’s computer for data in the future.

Google is working to improve its SSL security (a high-tech security protocol whose weakness is the source of this scam), and has been doing so for most of the year.  The ugly secret regarding the tech giant in 2015 is that, at the same time they’ve been setting records on Wall Street – including the largest single-day jump in a company’s value in the history of the universe – they’ve had real problems with their technology.  In addition to the weakness of their SSL protocol, they’ve sworn to fix the bugginess and slow speeds of their Chrome browser, which was once the definition of sleek speed. They also were publicly called out over the summer for the cataclysmic failure of Gmail’s spam filter, which was letting significantly more spam through while also marking legitimate messages for deletion.  Those failures, coupled with the unpopular new user interface on several of their iOS products and some bugginess complaints regarding Inbox, should leave most readers concerned.

If you can’t trust Google, who can you trust? 

More important than this specific scam or Google’s rough 2015 is the larger question the Google Drive scams have raised.  We regularly share more information online than would normally be prudent, and we often take for granted that a large company must have security that’s top-notch.  We might think back to a customer service issue and assume that a positive experience with one branch of the company reflects positively on the whole operation.  But what do we really know?  Here’s a quick rundown of things that might scare you:

Think about all of the information on your resume.  Does it have your contact info?  Your home address? How much information could be gleaned from it, particularly if a scammer were to place that information next to any other information you may not know they have?  How many times have you shared your resume online?  It may be time to make your resume more secure.

Do you sell on eBay?  Buyers can request the listed email and delivery address for sellers once they make a bid.  If you list a high-value item and your home address is listed, what’s to stop someone from breaking into your home and stealing it? You’re not using your work email, are you?  What’s to stop a buyer from using that address to tell your boss about what you’re selling or raise a complaint about how you handled a transaction?

Are you on a dating website?  Hopefully, the Ashley Madison hack was enough to convince you to protect your data and be careful what you share with strangers.  Unfortunately, most of the conversation around the hack focused on the tawdry details about the site, suggesting a more traditionally moral site could never be hacked.

Remember, Christian Rudder, the founder of OKCupid, wrote an entire book about how valuable the data you provide them is.  His thesis was that he had better data about your behavior than all of the scholars writing about human relationships, because you were honest.  In interviews, the founder of Ashley Madison said the same thing:  No one will be honest about sex or infidelity, so only they understood us with our guards down.  How much is our romantic data worth to scammers?

It’s important to think about what you put online and how you can reveal less of yourself.  It’s also important to make sure you protect yourself if your identity or data gets breached.  If you think you might have been the victim of a scam or online data theft, let us know immediately so we can help you get things back to normal.  The sooner we know, the sooner we can protect you.  You can call us at 410-663-2500.

Check Fraud & Swiss Cheese


Just about every article you read about fraud, security and identity theft is based on the idea that with increased technology comes increased security.  In fact, we do everything we can to bring as much cutting edge technology to your defense as possible. Unfortunately, some of the greatest vulnerabilities in your security come from low-tech attacks.

Think about it this way: A dedicated criminal wanting to get into your checking account has to spend thousands of dollars on an RFID skimmer, a device to crack your PIN, and other technological marvels out of a “Mission: Impossible” movie, but when they get access, our fraud protection kicks in after only a very small expenditure.  So, why would a criminal spend thousands of dollars when they could get the same benefits from spending $5 on a blunt object with which to threaten you physically? Why steal RFID signals out of the air when you can pick pockets and shop online?  Why go high-tech and hassle with all our security experts when a criminal can go low-tech and wait for you to slip up?

It helps to think of your financial security as a metaphorical block of Swiss cheese.  Every layer of security may have a few holes, just like every step you take to protect yourself has holes.  The idea is that, if we put enough layers of cheese on top of each other, we can make sure that none of the holes go all the way through the cheese, leaving you vulnerable.  In that spirit, we’ve identified a low-tech hole in the cheese, and we’re putting down another layer.  We’d like to make sure you put down some cheese, too.

Check fraud is still a major problem, and it could get worse as EMV chips and software security make ATM and point of sale transactions more secure.  Check fraud is an umbrella term for a variety of strategies scammers use, ranging from creating blank checks on computer software to stealing and using old checkbooks.  Your checkbook is a source of fraud vulnerability for many of these strategies, but the ways to protect yourself are fairly simple. 

1.) Treat your checkbook like cash.  The easiest thing to do is to just not give thieves access to your checks.  You wouldn’t put an envelope of cash in your mailbox with the flag up, would you?  Then don’t do it with a utility check.  If you’re going to mail a check, drop it into a blue USPS box on your way to work.  You can also see what’s available to pay online.  Our online services are really impressive, and if you set up an automatic payment through us or use our online banking, you never have to mail a check again.

2.) Balance your checkbook every month.  It may seem like a chore, but balancing your checkbook is the easiest way to make sure you’re the only one spending your money.  We have special buttons built into our online account view to make this as easy as possible. If you want a little personal guidance, come talk to us and we’ll walk you through the process.  It’s easier than it looks. If it takes you forever every month, you might not be using all of our features! Call Destinations Credit Union at 410-663-2500 and we’ll help you make the process much easier. 

3.)  Destroy your old checkbooks and order new ones regularly.  For whatever reason, you might have found yourself with old checks lying around.  Maybe you were running low on checks and ordered a new checkbook but decided not to finish the old one  because they came so quickly. Maybe you’ve moved and didn’t bother to finish the set with your old address. If that’s the case, destroy them.  It’s worth the cost of a checkbook or the effort of a few minutes at the office shredder to keep from leaving yourself vulnerable. Also, don’t put your driver’s license number on the checks when you order them.  It might take a few extra minutes at the register, but that inconvenience is a lot worse for a scammer holding your checkbook than it is for you.  If you need to order a new checkbook, you can do it here:  https://orderpoint.deluxe.com/personal-checks/home.htm. 

It’s a different world for your checkbook than it was even a few years ago. Nationally, we’re writing fewer checks in fewer places and many of us don’t carry a checkbook at all.  Across the country, speech teachers are showing “I Have a Dream” to their students and they have to pause the video to explain what a promissory note is and why Dr. King is talking about writing a check for freedom. They may seem old-fashioned, but that’s exactly why they represent such an important vulnerability in your financial security:  They’re just paper and ink.  No chips to crack, no PIN, no online security protocols.  Don’t let your Swiss cheese have holes that go all the way through. Protect yourself from check fraud.
Sources:

http://money.usnews.com/money/personal-finance/articles/2008/05/19/frank-abagnales-tips-on-avoiding-check-fraud
http://www.consumer.ftc.gov/articles/0159-fake-checks#Youandyourbank
http://www.ckfraud.org/ckfraud.html

Your Greatest Strength Might Be Your Greatest Weakness

We’ve all had that moment when we were shopping on eBay at 3 a.m. and spotted the deal of the century: an Omega Speedmaster Moonwatch for just $100? That’s the watch that’s been on the moon! Then we realize the price is too good to be true when we see that our newest find will ship from the other side of the planet and the listing features mysteriously blurry photos that obscure key details. Maybe that Moonwatch spelled Saturday with a “B,” because some scams are really easy to spot.  We’ve all seen the scam and after catching ourselves, we’ve all asked ourselves the same question:  Who falls for this garbage?

From behind a computer screen, spotting a scam is as easy as a stroll in the park on a beautiful Saturbay afternoon.  What investigators have realized is that it gets much tougher when fraud happens in person.  In person, all of those skills we’ve developed online go away and we become easy marks.  

The IRL problem

It’s easy to act differently online.  No one knows us there, so we can make up the life we want to live or act without repercussions. Otherwise calm and decent people can become maniacs online if certain topics come up – from vaccinations to the recent play of the local professional quarterback.  For others, the digital world is a place of exploration and indulgence in hobbies that are unavailable offline, as players of World of Warcraft or the thousands of people who left reviews on Food.com’s recipe for ice cubes can attest.  However we change behind the computer, it’s easy to see that we think of ourselves and others differently while online.  Offline, you wouldn’t constantly harass your friends about a farming game, would you?

The same is true when it comes to scams.  When we sympathize with people, we lose the critical distance we need to spot scammers.  If we can connect with a person, we are far more likely to fall for a scam, and talking to them away from the computer increases that personal connection.  

Think about it this way:  The FTC says the most common forms of scams all involve human interaction, not computers.  The most common form of online identity theft isn’t breaking into your credit union — we’re really good at security — it’s phishing, where scammers convince victims to willingly give up their credit card information.  The most common phone scam is the grandparent scam, in which the bad guys use our natural concern for our family to get money out of us. The most common scam ever might be the basis for the modern home improvement scam: using a hard-luck story or the victim’s greed to convince them to pay up front, then never actually do the work.

How to avoid in-person scams

1.) Be wary of surprises and secrets.  Two things that should tip you off right away are really big surprises and really private secrets.  If you won money in a contest you don’t remember entering, you probably didn’t enter it.  If you’re getting a big payday, but you can’t tell anyone about it, you’re probably not getting a big payday at all.  If a company runs a contest, they want to get publicity. If you’ve got contest winnings coming, that company probably made you put down your email address and a bunch more info.  It probably took a while for them to get all of your data.  You’d remember.  Even in old TV shows they understood that surprises and secrets were a bad sign – if a 1960s sitcom hero inherits a mansion from an uncle they’ve never met, you better believe it’s going to be haunted.

2.) Take your time.  If someone needs you to act quickly, that’s often a clear sign of a scam, particularly if the sudden rush is coupled with a surprise as described above.  Scammers understand that the power of groupthink – which is what psychologists call that trend among humans to make worse decisions in groups than by themselves – largely stems from an impending time deadline. By denying you time to catch your breath, scammers are trying to rush you into a bad decision and keep you from getting advice from someone with distance and perspective.

3.)  Try to be a robot.  NPR’s “Planet Money” podcast aired an episode covering the danger of our humanity very well.  In it, a banker named Toby convinced dozens of people to help him perpetrate a large-scale fraud simply by telling them his hard-luck story.  He claims that not one of them turned him down.  The case made in the episode is that for each person who heard the story, the ethical decision to commit a fraud and the rational decision to trust a scammer was completely overwhelmed by our sense of sympathy and injustice. Don’t let that be you.  

Hopefully, you’re not going to have to deal with in-person scammers very often. If you do, be sure to contact the FTC here: https://www.ftccomplaintassistant.gov/#crnt&panel1-1 and the FBI here: http://www.ic3.gov/default.aspx 

If you think you may have been the victim of a scam, identity theft, phishing, or any other security threat, let us know immediately.  The sooner we know, the safer your accounts at the credit union.  You can email us at info@destinationscu.org or call us at 410-663-0859.

Sources:

http://www.npr.org/sections/money/2012/04/17/150815268/why-people-do-bad-things