A conman you should listen to

Passwords for more than 6 million LinkedIn accounts were leaked by hackers this past week, and just after that was announced, there was a leak of more than 1.5 million eHarmony user passwords. The strong advice from security experts: Change your passwords now.
Here’s the scoop: you should change your passwords for these accounts, and if those passwords were used on any other accounts, you need to change those, too. Run, don’t walk, to change passwords if any of those accounts are related to your financial data.
Creating and managing passwords is a nuisance for many, but it is one of your first defenses against identity theft and illegal access to your important accounts. It’s something you should take seriously.
Here are some security tips:

  • Ideally, you should use separate passwords for each account. At the very least, create and memorize unique, separate, and strong passwords for your banking and your email accounts, and any other accounts that have financially sensitive information. Do not re-use those passwords on other sites. That way, you would limit damage and exposure if one account is compromised.
  • Take the time to learn about and create strong passwords. Microsoft Security Center offers simple advice on creating strong passwords, as well as a secure password checker, a tool that you can use to test the strength of a password.
  • Make it a routine practice to change passwords regularly, particularly for key accounts. At a minimum, do it twice a year at daylight savings when you change your fire alarm batteries.
  • Avoid storing credit card information online. Enter it each time you make a purchase. Today’s convenience might be tomorrow’s headache.
  • Never enter a password into an email or into a site you reached by clicking a link in an email. Phishing can be very convincing. Instead, if you get a notice from a bank or some other account, go directly to the website from your browser and sign in there.
  • Consider a password managing service. While we can’t make a recommendation for a specific service, some popular ones frequently cited on tech forums include LastPass, KeePass, and 1Password. These have different features and benefits, and help solve the problem of remembering and storing passwords. While there are free versions of password management services, this seems important enough to consider paying an annual service fee for.

See our other posts on ID theft and scams.

Brace yourself: Here come the tax time phishing scams

It’s that time of year again … it’s so predictable you could almost set your watch by it: Tax season email scams. Thieves are pretty smart and can create a convincing-looking phony email – don’t fall for their traps. Clicking on a phony or “phish” mail could result in a computer virus, lost money, or a stolen identity. And guess what? It’s not just computer newbies who fall for these scams: smart, experienced people can be tricked too.
First rule of thumb, right from the IRS:

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

All unsolicited email claiming to be from either the IRS or any other IRS-related components such as the Office of Professional Responsibility or EFTPS, should be reported to phishing@irs.gov.

Here’s a guide from the IRS with more information about recognizing and reporting phishing and other fraudulent solicitations.
Second rule of thumb: Never send sensitive financial information via email – it is not secure. This includes social security numbers or PIN numbers, passwords and other access information for credit cards, banks or other financial accounts.
Third rule of thumb: If you get an email request to update your password or to enter an account number, password, or other identifiable information, DO NOT click on a link or reply. Instead, go directly to the site of the organization that is asking for the update and sign in to your account. If there is a request for updated information, you will find it there.
Fourth rule of thumb: Never enter any financial or account information on a site unless you are sure it is secure. How can you tell? Look for the “s” – most website addresses are preceded by http:// – secure websites use https:// – that one little letter makes all the difference. Most browsers will also show a little icon of a padlock right in the address bar beside the web address. You can’t always trust a web page graphic promising security since these can be faked – look for the website address and the padlock in the address bar.
For more, see our past posts:
How Can I Securely Send Sensitive Tax Docs to My Tax Preparer?
Don’t get hooked by tax-time phishing!

Learning from the Experts: Car Thieves and Their Tricks

The Wall Street Journal features a fascinating article on Unlocking the Secrets of a Car Thief (may require site registration). It reminded us of a similar article on Edmunds.com: Confessions of a Car Thief, which interviewed a reformed professional thief.
According to the WSJ article, here’s the good news: The FBI reports that car theft has been declining for the last seven years. In 2010, the last full year of data, auto theft declined by 7.4%. But that still represents nearly three-quarters of a million cars stolen in 2010. Experts think that new technology has made it harder to steal cars than it was in the old “screwdriver theft days” of yore.
But here’s the bad news: Professionals can almost always find a way. The article notes that “It can take less than 19 seconds for a reasonably strong, savvy car thief to break through the security systems that are supposed to stop someone from shifting or steering a luxury SUV.” And Robert Hartwig of the Insurance Information Institute points out that recovery rates are dropping. Theft rings use flatbed trucks and high-tech tools to swiftly seize cars and move them for resale or to chop shops for parts.
The best thing you can do to prevent theft is to make things less appealing by providing obstacles. There are a variety of anti-theft devices and technologies ranging from inexpensive steering wheel locks to alarms to subscription-based vehicle tracking systems.
Here’s another relatively inexpensive way to protect your car that is touted by law enforcement professionals: VIN etching, or permanently etching your Vehicle Identification Number (VIN) into the windows of your automobile. Many states offer free programs or you can order a variety of inexpensive kits online that you can find with a simple search for “VIN etching.” Many insurers offer discounts on auto insurance for cars that have VIN etching — check with your local insurance agent to find out about this and other available discounts for auto theft prevention devices and measures.
We looked at the VIN etching program available through the Massachusetts Governor’s Auto Theft Strike Force, which offers the service for $10 – you can learn more at 781-393-1201. And another anti-theft measure we noted in Massachusetts: If you give information that leads to the arrest of a car thief, or the location of a chop shop, you could receive a confidential cash reward of up to ten thousand dollars ($10,000.00). All you need to do is call 1-800-HOT-AUTO.
For more tips and ideas, see the Insurance Information Institute’s article on Preventing Carjacking / Theft

FBI fraud alert: warnings about new scams via phones and social networks

Whether it’s via new media like social networks or “old school” technology like your home phone, don’t let your guard down. The FBI recently issued warnings about two scams that are surfacing.
Denial of service phone attacks
The FBI has issued a warning about a new phone scam which uses telephone denial-of-service (TDoS) attacks to overwhelm victims’ cell phones and land lines with thousands of calls. This diversionary tactic ties up service to give criminals time to empty out the victim’s bank or brokerage accounts. Prior to the phone attack, the criminal would have obtained the victim’s bank account numbers and password, either via malware that the victim has inadvertently downloaded or via information the victim gave out on the phone or in response to e-mail phishing. The subsequent TDoS attack serves as a distraction and also prevents the victim from calling to make account changes to protect their accounts.
Social networking scam: your friend is stranded
Scammers send notices to your Facebook or Twitter contact list posing as you and telling your contacts that you are stranded after a robbery (or some similar calamity) and that you need help quickly. Of course, the requested help is urgent and would be in the form of cash. To avoid being taken in by such a scam, be alert and aware and simply verify any pleas for help before acting on them. And if you think your account has been hacked and that false messages are being sent to your contacts, post a note on your page alerting your friends and family that your account may be compromised and to ignore any such messages.
To protect yourself from these and other scams, the FBI suggests:

  • Implement security measures for all financial accounts by placing fraud alerts with the major credit bureaus if you believe they were targeted by a TDoS attack or other forms of fraud
  • Use strong passwords for all financial accounts and change them regularly
  • Obtain and review your annual credit report for fraudulent activity
  • If you are a target of a TDoS attack, immediately contact your financial institutions, notify your telephone provider, and promptly report it to the IC3 website at: www.IC3.gov

Careful what you Tweet – crooks could be using social networks, too

Millions of people are sharing real time activities with friends, family and colleagues through online social networks like Twitter and Facebook. If you are one among those millions, be aware that there may be some other parties that find your tweets fascinating, too … such as your local burglar. Recently, an active social networker Twittered about his trip only to find his home had been burglarized while he was away. While this could be coincidence, the victim thinks that it might be related to his public postings – and the news media seems to think so too – see a newsclip about the robbery.
There are likely to be many more reports of this incident since it is being heavily tweeted and it seems to have piqued the “mainstream” media’s interest, too. Although the media likes to hype stories about crimes related to online activity, these types of opportunistic crimes were going on long before social networks existed. Wily burglars are often known to target funeral goers based on obituaries printed in newspapers or after seeing families pack the car for a trip. With basic precautions, social networking may be no more unsafe than other “real world” activities. In fact, increasingly, social networks are being harnessed by citizens and police departments to help solve crimes.
So while this incident shouldn’t be blown out of proportion, it should serve as a cautionary tale of the potential downside of real-time transparency in social networks – particularly if you’ve attracted a following of people that you don’t know very well – or at all. Take sensible precautions and think twice about what and when you share – and with whom.
It’s also wise to take home security precautions when you plan to be away on vacation – there are definite steps you can take to reduce the likelihood of your being victimized. And while nothing can take away the feeling of violation that happens after a burglary, being insured properly can help you to financially recover from a loss. If you have work equipment, antiques, or valuable collections, talk to your insurance agent about whether you need an endorsement or a rider to expand the coverage limits of your existing policy.