Warning for romantics, data breach at CafePress web site and a caution on banking apps
Welcome to Cyber Security Today. It’s Wednesday, August 7th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
You can search for almost anything on the Internet, so why not try to find your true love there? Some do. But the FBI this week warned the Internet is also being used for romance fraud. Scammers are tricking people into creating an online friendship and then a trusting relationship. Then come requests: I need some money to finish a project or launch a business. Darling, can you send me some cash? Can you buy me an airline ticket? Can you buy me this product or open a bank account for me? Last year more than 18,000 people told the FBI’s Internet Crime Complaint Center they were victims of confidence or romance fraud, with more than $362 million in losses. Be warned: Victims may not merely be sending money to a scoundrel. They may also be laundering money for criminals.
Don’t send money, credit card numbers, bank account information or social security numbers to anyone unless you verify their identity. Don’t rely on a photograph on an online site — it could be taken from anywhere. Beware of anyone online who says meeting you is “destiny” or “fate.” Beware of people who tell inconsistent or flamboyant stories. Beware of people who have a sudden crisis and pressure you for money.
Have you ever bought something from CafePress, a custom T-Shirt and merchandise site? Recently you may have been asked to reset your password. Sounds innocent, right? Nope. According to the news site Bleeping Computer, that reset is needed because earlier this year CafePress was hacked. Information like names and passwords on some 23 million purchasers was stolen. Those who logged into CafePress through sites like Amazon and Facebook — about half of the users — had their data protected. And while CafePress scrambled the passwords of the rest of its subscribers, security researchers say the way it was done could be broken. So, CafePress users, make sure you reset your passwords.
Here’s a deal: Pay someone to unlock your phone so you can use it on any network. Well, it may not be a deal. The U.S. has charged a man from Pakistan with being part of a conspiracy to bribe AT&T employees over five years to help secretly unlock cellphones. The gang allegedly paid bribes totaling roughly $1 million to have over 2 million devices fraudulently unlocked. When you buy a phone from a carrier, it’s usually locked to that carrier’s network until the end of the service contract. So an unlocked phone is valuable because it can be used on almost any network around the world. The goal of this con was to get AT&T customers to pay the criminals to have their phones unlocked so they could switch to another carrier.
According to a news report, the accused man was arrested in Hong Kong and extradited to the U.S. last week.
Finally, I’ve told you several times about the importance of using strong passwords, and not using the same password over and over. Well, a column this week by security writer Brian Krebs is a reminder of how important that is. This is particularly true if you bank online and use financial aggregation sites like Mint, Plaid, Yodlee and others. These third-party sites helpfully let you see your combined financial information from several sources, including your bank. But if they don’t have top-notch security, they may also increase the risk that criminals can see all that information as well. That’s because criminals are increasingly hacking banks and using the stolen username and password credentials to try to get into third-party financial sites. Then criminals see information like your balance and transactions so they can impersonate you.
Your first protection is never re-use passwords. Now, some banks do offer two-factor authentication service as extra login protection. Two-factor authentication means that when you log in you also get sent a four- or six-digit code, usually as a text or phone message, which you also have to enter. But the article points out some third-party financial services companies don’t offer two-factor authentication. Worse, some turn two-factor authentication off with the banks’ permission. That’s because the bank accepts the login from the financial service as a security feature. The lesson to consumers is be careful subscribing to third-party financial services that also link to your bank. Make sure neither the bank nor the aggregator takes any security shortcuts. The lesson to banks and financial aggregators is don’t use shortcuts.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.