1/27/09

How not to lose your shirt on craigslist (Unless you're selling it)

With these hard economic times it makes sense that more people are looking to sell items on Craigslist or other online yard-sale or auction sites. For the most part you are safe so long as you observe the following safety tips.

A person may try to contact you with the following scam: "Hey I noticed you are selling yyyy item, the crazy thing is that I have a cashier's check but it's $100 more than what you're asking for. If you're willing to cash the check, and give me the remaining amount I would be glad to buy your item."

The cashier's check is counterfeit, and by the time the bank figures this out, you are out the $100 deposit, the item you were selling, and the amount that you paid to the scammer.

Tip: When selling from Craigslist or another classified advertisement, deal in cash only unless it is someone you absolutely trust. Cashier's checks cost about $2 - $5; there's no reason why a person could not cut a check for the exact amount. Even then, you should arrange for the check to clear (up to three weeks) before handing your item over to the buyer. Cash is always better.

eBay: a few days before your auction ends you receive an email: "I will be willing to pay you double what you are asking if you close the auction and use a different pay site to purchase your auction." This can also work in reverse, where you bid on an item and the seller offers to end the auction early if you use a different pay site. PayPal insures your purchases against fraud; if you use a different payment site you could very well be out of both your item and your money.

Tip: Always pay or collect payment via trusted and guaranteed methods. Check your credit card terms to see how much they restore if you are the target of fraud. The major credit card companies give 100% back with a few conditions. If you pay with a regular debit card, you may lose out. If you fear you are the target of a fraudulent purchase, don't hesitate to contact your credit card company. The sooner you catch it, the faster the process goes. I've personally been through the process three times.

Yet another Phishing alert

NCUA brings us news (PDF) that there are scammers out there trying to take advantage of concerns about the stability of the Federal Reserve. Ignore any official-looking NCUA / Fed letters; they apparently contain links that will attempt to install malware on your system. Remember to share this information with your friends.

1/26/09

Social engineering attacks in full-force 2009

2009 may very well become known as the year of fraud. Within only the last month we've watched big-name Twitter accounts get compromised, a worm attack, and any number of phishing attempts.

I say this not to scare you, just to recommend that everyone keep their SINRR tuned up and ready.

How do you prevent these recent attacks?

Knowledge is power. Make sure that your systems have the latest updates to protect from worm vulnerabilities. I know this isn't a catch-all, but you'd be surprised at how much damage control this helps with when a new worm springs up.

Keep an ear to various news sites. I personally go to about three or four consumer related security sites on a weekly basis. I was alerted to the NCUA scam by a co-worker, and from time to time I pass important information to colleagues just to keep them in the know.

If you click a link and it asks you to log in, double-check the address at the top of your browser. Phishing starts with the redirection of your personal information to a place you don't want it to go. Always double-check your URLs to make sure you aren't somewhere other than where you expect to be, especially if you've already logged in and are once again being asked for a password.

When in doubt, don't give your information out. Ask yourself whether or not convenience is worth the time and expense it takes to recover your identity.

1/21/09

Large scale credit card attack exposed

As many of you may have heard by now, Heartland Payment Systems has released news that it has been the target of an attack in 2008. What does this really mean to a regular person? A payment processor is a company that works as a middle-man between credit card transactions and financial institutions. When you swipe your card at a restaurant it likely goes through a third-party validation process before Visa or the debit card companies collect the money from your account for the transaction. It is basically the person who says "Hi there, this person wants to give money for this item/service, let's make a deal!" What that also means is that a large volume of credit card information gets sent to Heartland's servers for processing.

Software targeted specifically to lift magnetic stripe data made its way into their transaction servers and began to send this data to a third party. Because proper reporting mechanisms weren't in place, the company had no idea this information was being beamed to another location. As such, it is estimated that 100 million transactions have been lifted. This is quite a bit more than the estimated 94 million accounts compromised by TJX.

Should you be worried? Luckily, track data on credit cards doesn't give out much information. Really the only thing on your magnetic stripe is the account number and some other bits of information processors need to create a transaction. Essentially they can duplicate your credit card. What they don't have is your PIN, the verification code on the back of the card, or any personal information beyond your name and possibly address.
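To make the previous paragraph concrete, here is an added example (not code from the original post or from Heartland) that parses a constructed Track 2 string in the ISO 7813 layout, validates the account number's Luhn check digit, and shows how a processor should render the record in its own logs: first six and last four digits only, which is the PCI DSS display rule. The account number used is the well-known Visa test number, not a real card, and the discretionary-data digits are made up.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO 7813): ;PAN=YYMM SSS discretionary?  where SSS is the
# three-digit service code. Note what is NOT here: no PIN, no CVV2 from the
# back of the card, no cardholder name (that lives on Track 1).
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed sample record: Visa test PAN, expiry 2025-12, service code 101.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN's final digit is a correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; reject malformed or bad-Luhn data."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 record")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: keep at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_log_line(raw: str) -> str:
    """What a processor may write to a log: masked PAN and expiry only.
    Never the raw track string, which is exactly what the Heartland malware lifted."""
    t = parse_track2(raw)
    return f"pan={mask_pan(t.pan)} exp={t.expiry} svc={t.service_code}"


if __name__ == "__main__":
    print(parse_track2(SAMPLE_TRACK2))
    print(safe_log_line(SAMPLE_TRACK2))
```

The point of `safe_log_line` is the one the post makes: the stripe carries enough to clone a card, so the raw record should never be written anywhere it can sit and be copied; the masked form is all a support or audit log needs.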

Your course of action? Watch your purchase statements closely on any of your credit/debit cards. If you see transactions you didn't authorize call your bank/credit card company and have them freeze your account immediately. If a transaction from your card number was logged, Heartland is likely notifying your issuer and you may see a new card created in the near future.

Oftentimes these card numbers are sold, and it could be months before someone even attempts to pull money from the account. A new card issued to you will remedy the situation.

1/6/09

30 Minute Security -- Phishing

Phishing has been around for quite some time now. I don't have a lead on the early history of phishing, but academically I'm sure I'll learn where it originated just to have an anecdote to talk about in class. In its simplest form, phishing is the use of social engineering paired with technology.

The Con:

It's 7:30am and you log on to your email for the first time in the morning. Your head is fuzzy from all the partying you did the night before and the screen comes to you in a blur. You see a new e-mail from your bank marked urgent and in all caps: IMPORTANT NOTICE ABOUT YOUR ACCOUNT! This very authentic-looking email notifies you that your bank has closed your account due to a security incident. You are shocked and immediately click the link or call the number. You are so distraught about your account (I have to go grocery shopping, I need the co-pay for my medical today, I have bills to pay!) that you don't notice that the redirected web page takes you to an unrelated site, or the shady foreign accent you hear over the phone (most call centers are outsourced anyway, right?). In order to "authenticate" you, they ask for your SSN, address, mother's maiden name, credit card number, PIN, and the ID number from the back of your card.

"Thank you sir, your account has been reactivated." is all you hear, or when you click submit to the page, perhaps you get a 404 not found error. You've just had your identity stolen.

How it works:

This type of social engineering attempt plays on your fears of change and hectic lifestyle. There is nothing more inconvenient than all your finances screeching to a halt, and not having access to your money. This is exactly the atmosphere the fraudster wants to create. You bypass some level of logic when you are in panic mode, and don't stop to verify the telephone number or web site address before entering your information in order to get your money back.

How to fight this con:

When you see an E-mail message that disturbs you to this extent, sit back from your computer and first take a deep breath. The important part of determining if an email is legitimate is taking a few steps before acting on instinct.

Step 1: Is it even a bank account you have? Phishers send out a massive email to a list of people that they've culled online. Many of these e-mails tend to target public entities because email addresses are posted on the public web site. If your address exists somewhere on the WWW, it's safe to say it will be farmed and you will be targeted by emails like these until the end of time. If it's not even a bank you have an account under, that's the first clue that the email is a scam.

Step 2: If it is your bank, ask yourself why an e-mail was their first communication to you. Something as serious as an account closure will usually warrant a phone call, a letter via postal service, and possibly not even a notification until you use your card, find it expired, and you are forced to contact the bank on your own. You should never call or click links provided in emails that ask for personal information. Instead use the 1-800 number on the back of the card, or use the contact information provided by the bank when you open your account.

Step 3: Don't give out all your information unless you are positive you are talking to the correct people. All companies will have to verify that you are who you say you are, but usually they won't ask you for super-sensitive information. Perhaps the last four digits of your Social Security number, or the secret questions you set up when you created your account. One good verification question is how much you paid on your last monthly statement. A legitimate place should never ask you for your full information.
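The "double-check the link" advice earlier on this page and Step 2 above both come down to one test: does the host the link actually goes to belong to the bank's domain? The following is an added example, not code from the original post, that runs that test over a constructed phishing-style e-mail body. The bank domain `mybank.example` and the `.example` hosts are placeholders; the only real rule applied is that the link's host must equal the bank's domain or end in `.` plus that domain, which is what defeats the common `mybank.example.something-else` and `other-site/mybank.example` tricks.

```python
import re
from urllib.parse import urlparse

# Constructed sample message body (hypothetical hosts, nothing real).
# The first link's visible text says the bank, but its href goes elsewhere;
# the second link genuinely points at the bank.
SAMPLE_EMAIL_HTML = """
<p>IMPORTANT NOTICE ABOUT YOUR ACCOUNT! Please verify at
<a href="https://mybank.example.account-verify.example/login">https://www.mybank.example/login</a>
or <a href="https://www.mybank.example/contact">contact us</a>.</p>
"""

# Minimal anchor-tag matcher for the constructed sample (not a general HTML parser).
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    """Hostname of a URL, lowercased, with any trailing dot removed.
    urlparse takes the text after the LAST '@', so user@bank.example@evil.example
    correctly yields evil.example."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host IS the domain or is a subdomain of it.
    'mybank.example.evil.example' does not end in '.mybank.example', so it fails."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def audit_links(html: str, expected_domain: str) -> list:
    """For each link: where it really goes, whether that host belongs to the bank
    (over HTTPS), and whether the visible text shows a different host than the href."""
    findings = []
    for href, text in LINK_RE.findall(html):
        target = host_of(href)
        trusted = belongs_to(target, expected_domain) and urlparse(href).scheme == "https"
        shown = host_of(text.strip()) if "://" in text else ""
        findings.append({
            "href": href,
            "target_host": target,
            "trusted": trusted,
            "text_host_mismatch": bool(shown) and shown != target,
        })
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, "mybank.example"):
        print(f)
```

Running it reports the first link as untrusted with a text/host mismatch and the second as trusted. The post's human version of the same check still applies: even a link that passes should be ignored in favour of the number on the back of your card or a bookmark you typed yourself.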

The big thing in this situation is not to act on impulse. Step back from the situation and ask yourself how you can shape it to what feels comfortable to you.

1/1/09

Good guys vs. Bad guys

I came across a really good read this morning as I browsed through my Wired magazine. The article itself is pretty long, and filled with the kind of stuff that keeps a security guy awake at night. I read the article and proceeded to take my first "strive to lose some weight for New Year's" walk with the story fresh in my mind, and I began to mix pieces of the article around to determine what was eating at me and what I wanted to get out of reading the story. Ultimately I thought about how the guy in the article, Max Butler, started out making $100/hr helping companies secure their networks.

I've always viewed computer security along the same lines as a serial killer profiler. In order to be a hacker, you ultimately have to think like a hacker. This includes using the same tools and methodologies of hacking. Now I'm not saying that FBI profilers go around killing people, but you really have to climb into the mind of a criminal to understand how and why they do what they do.

Ever since I stumbled on fraud prevention I knew that helping protect people is what I wanted to do. So I am drawn to these articles that make you toss and turn at night wondering if your finances are safe. Here we have an example of a person who found computer security interesting, but moved over to the dark side. The article dives a bit into the psychology of the guy, so maybe something about the environment that he was raised in caused him to bridge the gap between security and felony.

While walking I visualized my path alongside Max Butler's path. I could see two parallel roads that we both walk, making sure things are safe and secure. As I approach the white picket fence of completion, there's no urge to jump over the roadblock and break into the house at the end of the road. The good guys and bad guys follow the same path, but the major difference is that the good guys are content with the destination and results, whereas with the bad guys there's always more to push, further to go.

Does jail time really work as a deterrent from fraud? It's hard to say. I've had many bad days at work where I've thought that the total lack of responsibilities in jail would seem like a vacation. Granted, it's not the best environment, I'd stick out like a sore thumb, and I'm sure the food is terrible. But for us people who are constantly on alert and questioning other people's motives and actions, breaking away for a chunk of years would feel like a vacation. To use the serial killer metaphor once again, deep down inside there's a need to be caught and punished for their actions.

I enjoyed the article and it was fun to work it around in my mind a bit to help me understand the bad guy vs. good guy scene. Interestingly enough, the more I learn the better I can help others protect themselves. It's a crazy world we live in.

Have a happy and fraud-free New Year. With the economy the way it is, cyber crime is going to reach record highs. It's all about making sure you aren't the low-hanging fruit.