Friday, June 24, 2016

If Comcast calls, hang up!

Typically, Comcast doesn't call you unless they are trying to sell you something. Or maybe to survey you following a recent customer service experience. Today's story describes one situation where you definitely do not want to engage a purported Comcast rep who initiates a call with you.

My sister texted me this afternoon to say that someone claiming to be from Comcast called her and told her that her email has been reported as sending spam and pornography from Nigeria, Mexico and New Jersey. The caller had her run a command prompt (as Administrator, no less) and run the netstat command. Here is some sample output from that command:


Anyone who has used netstat knows that the output has a column heading called "Foreign Address." Based on my sister's story, it is clear that scammers are using that information to mislead unsuspecting computer users into thinking their computer is communicating with "foreign" computers. Hogwash.
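To make the point concrete, here is an added example (not from the original post) that reads `netstat -an` style output and states in plain words what each "Foreign Address" entry refers to. The sample output, addresses and function names are constructed for illustration, and the script assumes numeric output as produced by the `-n` switch.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         127.0.0.1:49157        ESTABLISHED
  TCP    192.168.1.20:49712     192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.20:49733     203.0.113.10:443       ESTABLISHED
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# Private IPv4 ranges (RFC 1918) used on home and office networks.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(foreign):
    """Say in plain words what a 'Foreign Address' value refers to."""
    # Drop the port, IPv6 brackets and any IPv6 zone id.
    host = foreign.rpartition(":")[0].strip("[]").split("%")[0]
    if host in ("*", "0.0.0.0", "::"):
        return "no remote peer (listening socket)"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "named host (use netstat -n for numbers)"
    if ip.is_loopback:
        return "this same computer"
    if ip.is_link_local or any(ip.version == 4 and ip in n for n in HOME_NETS):
        return "device on the local network"
    return "host on the internet"

def summarize(text):
    """Return (foreign address, meaning) for every TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            rows.append((parts[2], classify(parts[2])))
    return rows

if __name__ == "__main__":
    for addr, meaning in summarize(SAMPLE):
        print(f"{addr:<22} {meaning}")
```

In this sample, five of the six "foreign" addresses are the computer itself, the home router, or nothing at all. "Foreign" only means "the other end of the connection," and the column says nothing about countries.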

My sister, who is not a "tekkie," was alert enough to put a halt to things right there, asking the guy to provide proof he is a Comcast employee. Wisely, she asked him to tell her what her account number is. He could not do that and hung up.

This is a very common "setup" that is staged to convince you something is wrong with your computer that you need to fix right away. From here, the hacker normally talks you into remotely accessing your computer, whereby he plants malware, such as a remote access Trojan, a keystroke logger, or ransomware on your computer. Or he gets a credit card number from you to charge you for fixing your problem.

I told my sister she did the right thing but that she needs to stay on her toes going forward because these guys will try again. She said she plans on changing all her passwords immediately, just to be safe. It's a good idea to change your passwords occasionally, so I couldn't agree with her more.

Remember, anyone who phones you to say your computer is infected with a virus or is showing up on their monitors as routing data to foreign countries, or anything similar to that, is a scammer. Hang up!

User: 1 - Hacker: 0.

I love a happy ending.

Wednesday, June 15, 2016

Beware fake charitable organizations asking for your money to help victims

It saddens us all greatly to witness the tragedies that unfolded in the Orlando area this week. As humans, we all want to do what we can to help. Being a good distance away from the scene, often our assistance is provided through funding various support and recovery efforts.
However, be aware that after any large-scale event like this one, often the con artists are the first to set up shop. Don’t give money to just anyone. Instead: 
  • Stay on the alert and be safe online.
  • Be wary of crowd-funding web sites.
  • Be on the lookout for fraudulent charitable organization web pages (check URLs carefully).
  • Validate the organization that you donate to—do your research first; ask how they intend to spend the money.
  • Don’t click links in emails or text messages you receive asking you to give; instead, you navigate to the charity of your choice.
  • Always: check URLs, verify message senders, and think before you click.
For more information and how to avoid being conned, see:

Saturday, June 11, 2016

What to do if your identity is stolen

Yesterday a co-worker discovered that he'd been the victim of identity theft when he determined that an American Express card had been opened in his name and charges were run up to $20,000. He came to me for help.

It is a harrowing place to find yourself. The only way a credit account can be opened in your name is if someone has your name, Social Security Number (SSN) and date of birth. If that's the case, then you have to be on your toes for the rest of your life. With your SSN, taxes can be filed in your name, credit can be opened in your name, insurance and medical benefits can be purchased in your name, etc.

In this case, my friend's data had been disclosed through the Premera Blue Cross breach of January 2015. It was not his fault.

What do you do if this happens to you?

Your first four tasks:

  • Contact all three credit bureaus to put fraud alerts on your credit and freeze your credit with all three bureaus. It is a good idea to freeze the credit of your spouse and children, as well.
  • Call your local police and make a report. Obtain a copy of the report.
  • Call the bank where the scammer opened an account in your name and report it to the fraud department. 

As for calling the bank involved, know that you may not get very far with it because the perpetrator opened the account with your name and SSN but with different contact information (address, phone, email, etc.). The bank cannot discuss the account with you if they can't validate you as the account holder. Be prepared for this and don't let it frustrate you.

More tips:

Afterward, as an extra precaution, change your user names and passwords on all your sensitive accounts everywhere (banking, insurance, retirement, brokerage, credit bureaus, IRS.gov, TurboTax/Intuit, benefits, payroll, personal email, etc.). It is imperative that you employ unique, strong, long passwords. If two-factor authentication is available, use it.

Remember this forever: The fraudster has your SSN and may sit on that information for years before using it. This is why, in an earlier blog posting, I recommend that you freeze your credit, regardless of whether or not you think your SSN is in someone else's hands. For most of us, I suspect it's only a matter of time before we become victims too. 

In addition to freezing your credit, file your taxes early every year and, I repeat: do not use weak passwords on any online accounts. Make sure your passwords are unique, and don't share them with anyone. 

Tuesday, June 7, 2016

Why you never use the same password on more than one web site

It is a fundamental tenet of user security in 2016 that you do not re-use the same password simultaneously across different web sites and software programs. All the hacker has to do is crack your *one* password to hack all of your accounts. Oh, and he (or she) will.

Here is the latest reported breach caused by password re-use, a mistake made by none other than Mark Zuckerberg, founder of Facebook: Zuckerberg hacking adds to cloud of internet insecurity. Please read it.

The Zuckerberg error is just one example of many prominent people getting hacked because they use a weak password—and, worse, use it across multiple accounts. Use a long, complex password (the longer the better), and guard it like you would all of your liquid assets.

Here is another tip: For accessing your most sensitive data (online banking, insurance, brokerage accounts, medical records, etc.) use a different user name as well. Don't use the same login name that you use for your Gmail, eBay, Blogger, Twitter, Intuit, Facebook and other accounts.

It is never a good idea to use your email name as your banking login name. For example, if your email name is JohnDoe@myemail.com, make your banking login name JohnDoughBoy (or something else easy to remember, hard for others to guess). For extra security, throw in a special character (if allowed).

Another solution is discussed here: First Click: An easy way to quit reusing passwords.

Even Krebs discusses this week how some online organizations are forcing password resets if they think you are re-using yours elsewhere: Password Re-user? Get Ready to Get Busy