Category Archives: identity theft

Hack-ception: Benign Hacker Rescues 26M Stolen Credit Card Records

There’s something ironic about cybercriminals getting “hacked back.” BriansClub, one of the largest underground stores for buying stolen credit card data, has itself been hacked. According to researcher Brian Krebs, the data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.

Most of the records offered up for sale on BriansClub are “dumps.” Dumps are strings of ones and zeros that can be used by cybercriminals to purchase valuables like electronics, gift cards, and more once the digits have been encoded onto anything with a magnetic stripe the size of a credit card. According to Krebs on Security, between 2015 and 2019, BriansClub sold approximately 9.1 million stolen credit cards, resulting in $126 million in sales.

Back in September, Krebs was contacted by a source who shared a plain text file with what they claimed to be the full database of cards for sale through BriansClub. The database was reviewed by multiple people who confirmed that the same credit card records could also be found in a simplified form by searching the BriansClub website with a valid account.

So, what happens when a cybercriminal, or a well-intentioned hacker in this case, wants control over these credit card records? When these online fraud marketplaces sell a stolen credit card record, that record is completely removed from the inventory of items for sale. So, when BriansClub lost its 26 million card records to a benign hacker, they also lost an opportunity to make $500 per card sold.

What good comes from “hacking back” instances like this? Besides the stolen records being taken off the internet for other cybercriminals to exploit, the data stolen from BriansClub was shared with multiple sources who work closely with financial institutions. These institutions help identify and monitor or reissue cards that show up for sale in the cybercrime underground. And while “hacking back” helps cut off potential credit card fraud, what are some steps users can take to protect their information from being stolen in the first place? Follow these security tips to help protect your financial and personal data:

  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook

The post Hack-ception: Benign Hacker Rescues 26M Stolen Credit Card Records appeared first on McAfee Blogs.

This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft

A routine data project revealed that the personally identifying information of the entire nation of Ecuador might be online for all to see–just like, potentially, your data.

The information included records belonging to deceased citizens and more than 7 million minors. It was discovered by researchers from the security firm vpnMentor while conducting “a wide-scale Web mapping project.”

According to vpnMentor’s report, the ongoing project made the discovery possible by scanning ports “to find known IP blocks.” It then searches for “vulnerabilities in the system that would indicate an open database.” When a compromise is discovered, the company then traces the data back to its source and delivers the bad news.

While the full extent of the damage done here is not clear, it’s sure sounds like a potentially Titanic-meets-iceberg level event.

What We (and the Bad Guys May) Know

The extremely granular personal information of more than 20 million people was exposed. Ecuador’s population is 16.5 million, which means nearly 4 million of the individuals affected may be deceased.

The data included personal and corporate tax ID numbers and bank account information–including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to each other.

All the essential information needed for account authentication and/or takeover were there, too. A short list of the available data included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cell phone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.

WikiLeaks founder Julian Assange was even in there, Ecuador’s most famous asylum seeker.

Describing itself as an organization of ethical hackers, vpnMentor said in its statement about the discovery that it never sells, stores, or exposes compromised information, but rather uses the existence of a compromise or leak as a teachable moment.

Teachable Moments Are Expensive

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 13th-annual Cost of Data Breach Study found that the average per-record cost of a breach was $148 last year. That would put the cost of this compromise at nearly $3 billion.

So, what can we learn from this data debacle? The compromise was caused by–wait for it–a third-party vendor. According to CNN, the breach was found on an unsecured server in Miami, which appeared to be owned by an Ecuadorian consulting and analytics company called Novaestrat. While it remains unclear as to how Novaestrat gained access to the government database, it is presumed that someone currently, or formerly, in the Ecuadorian government handed over the data–no matter the reason–and in the process potentially exposed it to criminals around the world.

The first takeaway should be that you are only as secure as your least secure vendor and/or collaborator. In the realm of cyber-liability, that and three bucks will get you a cup of coffee to sip while you wait for the submarine to the unemployment line at the bottom of Loon Lake.

This sort of mistake keeps happening because people continue to doubt the persistent and pervasive threats we face in the business community and beyond.

It matters because the information exposed in this incident was sufficient for a competent identity thief to commit every imaginable identity-related crime. There’s gold and endless liability in them thar hills of data.

What You Can Do

Practice the 3Ms.

Minimize your exposure: Vet your vendors! Foster a culture where everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and have an ongoing discussion about best security practices. Create a map of information access, and make sure your most sensitive data is only available to those who need to have access and practice proper cybersecurity protocols to keep the data safe. Have a sensible BYOD (Bring Your Own Device) policy, and remind employees about the importance of installing updates on connected devices. Hire a chief information security officer–never leave your security solely to the IT department.

Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets–and don’t wait for a call from a “white hat” hacker.

Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan, and consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers. Can your company really afford to roll the dice on cybersecurity?

The post This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft appeared first on Adam Levin.

Former American Express employee under investigation for customers’ data abuse

Authorities are investigating an American Express employee for unauthorized access to cardholder information and potentially abuse for fraud.

Authorities launched a criminal investigation on an American Express employee that is suspected to accessed to cardholder information and potentially abused for fraud.

Exposed information includes full name, physical and/or billing address, Social Security numbers, birth dates, and the credit card number.

The suspect is no longer working for the financial organization.

On September 30th, 2019, the financial institution began sending out data breach notifications to the impacted, the notice informed them that the former employee potentially used the data for fraudulent activities, including identity theft and financial frauds.

“It was brought to our attention that personal information, related to your American Express Card account listed above, may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions.” reads the data breach notification. “In response, we immediately launched an investigation and are fully cooperating with law enforcement agencies to further their investigation.

American Express is offering free credit monitoring services through Experian Identity Works to impacted customers.

The company is also recommending impacted cardholders to monitor their credit report and statements for any fraudulent activity and report any suspicious activity to their bank.

Pierluigi Paganini

(SecurityAffairs – American Express, cybercrime)

The post Former American Express employee under investigation for customers’ data abuse appeared first on Security Affairs.

Aussies Fear Snakes, Spiders and Getting Hacked

Fears and phobias. We all have them. But what are your biggest ones? I absolutely detest snakes but spiders don’t worry me at all. Well, new research by McAfee shows that cybercriminals and the fear of being hacked are now the 5th greatest fear among Aussies.

With news of data breaches and hacking crusades filling our news feed on a regular basis, many of us are becoming more aware and concerned about the threats we face in our increasingly digital world. And McAfee’s latest confirms this with hackers making their way into Australia’s Top 10 Fears.

According to research conducted by McAfee, snakes are the top phobia for Aussies followed by spiders, heights and sharks. Cybercriminals and the fear of being hacked come in in 5th place beating the dentist, bees, ghosts, aeroplane travel and clowns!

Aussie Top 10 Fears and Phobias

  1. Snakes
  2. Spiders
  3. Heights
  4. Sharks
  5. Hackers/Cybercriminals
  6. The dentist
  7. Bees or wasps
  8. Ghosts
  9. Aeroplane travel
  10. Clowns

Why Do We Have Phobias?

Fears and phobias develop when we perceive that we are at risk of pain, or worse, still, death. And while almost a third of respondents nominated snakes as their number one fear, there is less than one-in-fifty thousand chance of being bitten badly enough by a snake to warrant going to hospital in Australia, according to research from the Internal Medicine Journal.

In contrast, McAfee’s analysis of more than 108 billion potential online threats between October and December 2018, identified 202 million of these threats as genuine risks. With a global population of 7.5 billion, that means there is approximately a one in 37 chance of being targeted by cybercrime. Now while this is not a life-threatening situation, these statistics show that chance of us being affected by an online threat is very real.

What Are Our Biggest Cyber Fears?

According to the research, 82% of Aussies believe that being hacked is a growing or high concern. And when you look at the sheer number of reported data breaches so far this year, these statistics make complete sense. Data breaches have affected Bunnings staff, Federal Parliament staff, Marriott guests, Victorian Government staff, QLD Fisheries members, Skoolbag app users and Big W customers plus many more.

Almost 1 in 5 (19%) of those interviewed said their top fear at work is doing something that will result in a data security breach, they will leak sensitive information or infect their corporate IT systems.

The fear that we are in the midst of a cyberwar is another big concern for many Aussies. Cyberwar can be explained as a computer or network-based conflict where parties try to disrupt or take ownership of the activities of other parties, often for strategic, military or cyberespionage purposes. 55% of Aussies believe that a cyberwar is happening right now but we just don’t know about it. And a fifth believe cyber warfare is the biggest threat to our nation.

What Can We Do to Address Our Fear of Being Hacked?

Being proactive about protecting your online life is the absolute best way of reducing the chances of being hacked or being affected by a data breach. Here are my top tips on what you can now to protect yourself:

  1. Be Savvy with Your Passwords

Using a password manager to create unique and complex passwords for each of your online accounts will definitely improve your online safety. If each on your online accounts has a unique password and you are involved in a breach, the hacker won’t be able to use the stolen password details to log into any of your other accounts.

  1. Stop AutoFill on Chrome

Storing your financial data within your browser and being able to populate online forms quickly within seconds makes the autofill function very attractive however it is risky. Autofill will automatically fill out all forms on a page regardless of whether you can see all the boxes. You may just think you are automatically entering your email address into an online form however a savvy hacker could easily design an online form with hidden boxes designed to capture your financial information. So remove all your financial information from Autofill. I know this means you will have to manually enter information each time you purchase but your personal data will be better protected.

  1. Think Before You Click

One of the easiest ways for a cybercriminal to compromise their victim is by using phishing emails to lure consumers into clicking links for products or services that could lead to malware, or a phoney website designed to steal personal information. If the deal seems too good to be true, or the email was not expected, always check directly with the source.

  1. Stay Protected While You Browse

It’s important to put the right security solutions in place in order to surf the web safely. Add an extra layer of security to your browser with McAfee WebAdvisor.

  1. Always Connect with Caution

I know public Wi-Fi might seem like a good idea, but if consumers are not careful, they could be unknowingly exposing personal information or credit card details to cybercriminals who are snooping on the network. If you are a regular Wi-Fi user, I recommend investing in a virtual private network or (VPN) such as McAfee’s Safe Connect which will ensure your connection is completely secure and that your data remains safe.

While it is tempting, putting our head in the sand and pretending hackers and cybercrime don’t exist puts ourselves and our families at even more risk! Facing our fears and making an action plan is the best way of reducing our worry and stress. So, please commit to being proactive about your family’s online security. Draw up a list of what you can do today to protect your tribe. And if you want to receive regular updates about additional ways you can keep your family safe online, check out my blog.

‘till next time.

Alex x

 

 

 

The post Aussies Fear Snakes, Spiders and Getting Hacked appeared first on McAfee Blogs.

5 Digitally-Rich Terms to Define and Discuss with Your Kids

online privacy

Over the years, I’ve been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise.

Like the time I reprimanded my son for not thanking his friend’s mother properly before we left a birthday party. He was seven when his etiquette deficit disorder surfaced. Or the time I had a meltdown because my daughter cut her hair off. She was five when she brazenly declared her scorn for the ponytail.

The problem: I assumed they knew.

Isn’t the same true when it comes to our children’s understanding of the online world? We can be quick to correct our kids when they fail to exercise the best judgment or handle a situation the way we think they should online.

But often what’s needed first is a parental pause to ask ourselves: Am I assuming they know? Have I taken the time to define and discuss the issue?

With that in mind, here are five digitally-rich terms dominating the online conversation. If possible, find a few pockets of time this week and start from the beginning — define the words, then discuss them with your kids. You may be surprised where the conversation goes.

5 digital terms that matter

Internet Privacy

Internet privacy is the personal privacy that every person is entitled to when they display, store, or provide information regarding themselves on the internet. 

Highlight: We see and use this word often but do our kids know what it means? Your personal information has value, like money. Guard it. Lock it down. Also, respect the privacy of others. Be mindful about accidentally giving away a friend’s information, sharing photos without permission, or sharing secrets. Remember: Nothing shared online (even in a direct message or private text) is private—nothing. Smart people get hacked every day.
Ask: Did you know that when you go online, websites and apps track your activity to glean personal information? What are some ways you can control that? Do you know why people want your data?
Act: Use privacy settings on all apps, turn off cookies in search engines, review privacy policies of apps, and create bullet-proof passwords.

Digital Wellbeing

Digital wellbeing (also called digital wellness) is an ongoing awareness of how social media and technology impacts our emotional and physical health.

Highlight: Every choice we make online can affect our wellbeing or alter our sense of security and peace. Focusing on wellbeing includes taking preventative measures, making choices, and choosing behaviors that build help us build a healthy relationship with technology. Improving one’s digital wellbeing is an on-going process.
Ask: What do you like to do online that makes you feel good about yourself? What kinds of interactions make you feel anxious, excluded, or sad? How much time online do you think is healthy?
Act:
Digital wellness begins at home. To help kids “curb the urge” to post so frequently, give them a “quality over quantity” challenge. Establish tech curfews and balance screen time to green time. Choose apps and products that include wellbeing features in their design. Consider security software that blocks inappropriate apps, filters disturbing content, and curbs screen time.

Media Literacy

Media literacy is the ability to access, analyze, evaluate, and create media in a variety of forms. It’s the ability to think critically about the messages you encounter.

Highlight: Technology has redefined media. Today, anyone can be a content creator and publisher online, which makes it difficult to discern the credibility of the information we encounter. The goal of media literacy curriculum in education is to equip kids to become critical thinkers, effective communicators, and responsible digital citizens.
Ask: Who created this content? Is it balanced or one-sided? What is the author’s motive behind it? Should I share this?  How might someone else see this differently?
Act: Use online resources such as Cyberwise to explore concepts such as clickbait, bias, psychographics, cyberethics, stereotypes, fake news, critical thinking/viewing, and digital citizenship. Also, download Google’s new Be Internet Awesome media literacy curriculum.

Empathy

Empathy is stepping into the shoes of another person to better understand and feel what they are going through.

Highlight: Empathy is a powerful skill in the online world. Empathy helps dissolve stereotypes, perceptions, and prejudices. According to Dr. Michelle Borba, empathetic children practice these nine habits that run contrary to today’s “selfie syndrome” culture. Empathy-building habits include moral courage, kindness, and emotional literacy. Without empathy, people can be “mean behind the screen” online. But remember: There is also a lot of people practicing empathy online who are genuine “helpers.” Be a helper.
Ask: How can you tell when someone “gets you” or understands what you are going through? How do they express that? Is it hard for you to stop and try to relate to what someone else is feeling or see a situation through their eyes? What thoughts or emotions get in your way?
Act:  Practice focusing outward when you are online. Is there anyone who seems lonely, excluded, or in distress? Offer a kind word, an encouragement, and ask questions to learn more about them. (Note: Empathy is an emotion/skill kids learn over time with practice and parental modeling).

Cyberbullying

Cyberbullying is the use of technology to harass, threaten, embarrass, shame, or target another person online.

Highlight: Not all kids understand the scope of cyberbullying, which can include spreading rumors, sending inappropriate photos, gossiping, subtweeting, and excessive messaging. Kids often mistake cyberbullying for digital drama and overlook abusive behavior. While kids are usually referenced in cyberbullying, the increase in adults involved in online shaming, unfortunately, is quickly changing that ratio.
Ask: Do you think words online can hurt someone in a way, more than words said face-to-face? Why? Have you ever experienced cyberbullying? Would you tell a parent or teacher about it? Why or why not?
Act: Be aware of changes in your child’s behavior and pay attention to his or her online communities. Encourage kids to report bullying (aimed at them or someone else). Talk about what it means to be an Upstander when bullied. If the situation is unresolvable and escalates to threats of violence, report it immediately to law enforcement.

We hope these five concepts spark some lively discussions around your dinner table this week. Depending on the age of your child, you can scale the conversation to fit. And don’t be scared off by eye rolls or sighs, parents. Press into the hard conversations and be consistent. Your voice matters in their noisy, digital world.

The post 5 Digitally-Rich Terms to Define and Discuss with Your Kids appeared first on McAfee Blogs.

5 Hidden Hashtag Risks Every Parent Needs Know

Adding hashtags to a social post has become second nature. In fact, it’s so common, few of us stop to consider that as fun and useful as hashtags can be, they can also have consequences if we misuse them.

But hashtags are more than add-ons to a post, they are power tools. In fact, when we put the pound (#) sign in front of a word, we turn that word into a piece of metadata that tags the word, which allows a search engine to index and categorize the attached content so anyone can search it. Looking for advice parenting an autistic child? Then hashtags like #autism #spectrum, or #autismspeaks will connect you with endless content tagged the same way.

Hashtags have become part of our lexicon and are used by individuals, businesses, and celebrities to extend digital influence. Social movements — such as #bekind and #icebucketchallenge — also use hashtags to educate and rally people around a cause. However, the power hashtags possess also means it’s critical to use them with care. Here are several ways people are using hashtags in harmful ways.

5 hidden hashtag risks

Hashtags can put children at risk. Unfortunately, innocent hashtags commonly used by proud parents such as #BackToSchool, #DaddysGirl, or #BabyGirl can be magnets for a pedophile. According to the Child Rescue Coalition, predators troll social media looking for hashtags like #bathtimefun, #cleanbaby, and #pottytrain, to collect images of children. CRC has compiled a list of hashtags parents should avoid using.

Hashtags can compromise privacy. Connecting a hashtag to personal information such as your hometown, your child’s name, or even #HappyBirthdayToMe can give away valuable pieces of your family’s info to a cybercriminal on the hunt to steal identities.

Hashtags can be used in scams. Scammers can use popular hashtags they know people will search to execute several scams. According to NBC News, one popular scam on Instagram is scammers who use luxury brand hashtags like #Gucci or #Dior or coded hashtags such as #mirrorquality #replica and #replicashoes to sell counterfeit goods. Cybercriminals will also search hashtags such as #WaitingToAdopt to target and run scams on hopeful parents.

Hashtags can have hidden meanings. Teens use code or abbreviation hashtags to reference drugs, suicide, mental health, and eating disorders. By searching the hashtag, teens band together with others on the same topic. Some coded hashtags include: #anas (anorexics) #mias (bulimics) #sue (suicide), #cuts (self-harm), #kush and #420 (marijuana).

Hashtags can be used to cyberbully. Posting a picture on a social network and adding mean hashtags is a common way for kids to bully one another. They use hashtags such as #whatnottowear, #losr, #yousuck, #extra, #getalife, #tbh (to be honest) and #peoplewhoshouldoffthemselves on photo captions bully or harass peers. Kids also cyberbully by making up hashtags like #jackieisacow and asking others to use it too. Another hashtag is #roastme in which kids post a photo of themselves and invite others to respond with funny comments only the humor can turn mean very quickly.

When it comes to understanding the online culture, taking the time to stay informed, pausing before you post, and trusting your instincts are critical. Also, being intentional to monitor your child’s social media (including reviewing hashtags) can help you spot potential issues such as bullying, mental health problems, or drug abuse.

The post 5 Hidden Hashtag Risks Every Parent Needs Know appeared first on McAfee Blogs.

Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It.

When Twitter CEO Jack Dorsey’s account was hacked for roughly 20 minutes, we all got a glimpse of corporate identity theft, and why it matters. While the takeover was by no means a major cyberevent (and the account was quickly recovered), the fact remained that the CEO of a major company lost control of his account on a service that he literally controls.

Around the same time, an Instagram phishing scheme was circulating where users were prompted via a spoofed Instagram email to enter their logins and passwords after they were sent a 2-Factor authentication code. Instead of logging into their actual Facebook-hosted accounts, they found themselves on a replica of a legit Instagram page hosted in the Central African Republic. It was exactly the kind of attack that makes hacks like the one perpetrated against Jack Dorsey possible, and, more to the point, it’s why they happen literally every day. 

Need more evidence? How about the unnamed CEO who was recently scammed to the tune of a couple hundred thousand dollars thanks to an audio deepfake that convincingly mimicked the voice of his boss–the CEO of a parent company–including the most subtle nuances of his German accent. The money was wired to Hungary, quickly transferred to Mexico and then dispersed amongst an untraceable number of other accounts. 

Getting hacked is a fact of life, right up there with death and taxes. If you think you’re somehow above this third certainty in life, you’re all the more imperilled.  

I could provide countless other examples, but they all boil down to a lesson that businesses are learning the hard way and what their customers already know: it’s easier to fall prey to identity theft than it is to prevent it. 

The Goals of Business Identity Theft

If stealing an individual’s identity is lucrative, stealing a company’s identity can be the motherlode. Even a midsized company often have in their possession the data of thousands of customers, contacts, and contractors; a single official-looking email can open the door to innumerable types of fraud, both internally and externally. 

The attack doesn’t need to focus directly on monetary prizes: the hijacking of Twitter’s CEO’s account garnered a lot of the wrong kind of publicity–and there is such a thing as bad publicity. In the hacking world, the prestige of making Jack Dorsey look foolish for twenty minutes most likely exceeds an anonymous hack of 100,000 accounts. Reputation is a powerful currency, and compromising the leadership of any company with an online presence represents a potent boost. 

Consider what would happen were someone to hire that hacker to compromise a more important account–for saying’s sake, President Trump’s account. That control could actually affect world markets. The same could be said for hacks of any major leader in the public or private sectors. There is a huge financial upside to such hacking. It is crucial to bear this in mind at every moment of the day, and behave accordingly. 

That said, data leaks, account takeovers and breaches start to look positively quaint in light of the potential sabotage represented by deepfakes. 

People wire money on the basis of a phone call all the time. The harm caused by a phony corporate communication to shareholders or the general public could represent a catastrophic loss of money and confidence. Erratic behavior in the C-Suite can tank stock prices (just ask Elon Musk), and even crudely faked videos have gone viral (just ask Nancy Pelosi or Mark Zuckerberg). 

We’ll be seeing deliberate attempts to damage the reputations of businesses and their leadership as deepfake technology becomes more ubiquitous, and with that in mind it’s time to level up. 

What Businesses Can Do:

My advice for businesses faced with having their identities hijacked is similar to my advice for individuals–practice The Three Ms.

Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they’re connecting to the company network remotely. It’s often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails. 

Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it’s important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. All systems can introduce vulnerabilities, especially the introduction of new technology. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport. 

Manage the Damage: When it comes to a compromise of your company’s identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR’s 72 hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey’s Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.

 

The post Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It. appeared first on Adam Levin.

Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open

Have you ever needed to get an X-ray or an MRI for an injury? It turns out that these images, as well as the health data of millions of Americans, have been sitting unprotected on the internet and available to anyone with basic computer expertise. According to ProPublica, these exposed records affect more than 5 million patients in the U.S. and millions more across the globe, equating to 16 million scans worldwide that are publicly available online.

This exposure affects data used in doctor’s offices, medical imaging centers, and mobile X-ray services. What’s more, the exposed data also contained other personal information such as dates of birth, details on personal physicians, and procedures received by patients, bringing the potential threat of identity theft closer to reality. And while researchers found no evidence of patient data being copied from these systems and published elsewhere, the implications of this much personal data exposed to the masses could be substantial.

To help users lock down their data and protect themselves from fraud and other cyberattacks, we’ve provided the following security tips:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Your Medical Data Safe? 16 Million Medical Scans Left Out in the Open appeared first on McAfee Blogs.

New Breach Exposes an Entire Nation: Living and the Dead

A misconfigured database has exposed the personal data of nearly every Ecuadorian citizen, including 6.7 million children.

The database was discovered by vpnMentor and was traced back to Ecuadorean company Novaestra. It contained 20.8 million records, well over the country’s current population of 16 million. The data included official government ID numbers, phone numbers, family records, birthdates, death dates (where applicable), marriage dates, education histories, and work records.

“One of the most concerning parts about this data breach is that it includes detailed information about people’s family members,” stated a blog from vpnMentor announcing the discovery of the leak. “Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud.”

The leaked data also included financial information for individuals and businesses including bank account status, account balance, credit type, job details, car models, and car license plates.

“The information in both indexes would be as valuable as gold in the hands of criminal gangs,” wrote ZDNet reporter Catalin Cimpanu. “Crooks would be able to target the country’s most wealthy citizens (based on their financial records) and steal expensive cars (having access to car owners’ home addresses and license plate numbers).” 

The exposed database was on a server running Elasticsearch, a software program that enables users to query large amounts of data. Elasticsearch has been involved in several high profile data leaks, mostly due to configuration mistakes. Other recent Elasticsearch leaks included a Canadian data mining firm’s records for 57 million US citizens, a medical database storing the data on 85 percent of Panamanian citizens, and a provincial Chinese government database that contained 90 million personal and business records. 

The post New Breach Exposes an Entire Nation: Living and the Dead appeared first on Adam Levin.

Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know

cash appsI can’t recall the last time I gave my teenage daughter cash for anything. If she needs money for gas, I Venmo it. A Taco Bell study break with the roommates? No problem. With one click, I transfer money from my Venmo account to hers. She uses a Venmo credit card to make her purchase. To this mom, cash apps may be the best thing to happen to parenting since location tracking became possible. But as convenient as these apps may be, are they safe for your family to use?

How do they work?

The research company, eMarketer, estimates that 96.0 million people used Peer-to-Peer (P2P) payment services this year (that’s 40.4% of all mobile phone users), up from an estimated 82.5 million last year.

P2P technology allows you to create a profile on a transfer app and link your bank account or credit card to it. Once your banking information is set up, you can locate another person’s account on the app (or invite someone to the app) and transfer funds instantly into their P2P account (without the hassle of getting a bank account number, email, or phone number). That person can leave the money in their app account, move it into his or her bank account, or use a debit card issued by the P2P app to use the funds immediately. If the app offers a credit card (like Venmo does), the recipient can use the Venmo card like a credit card at retailers most anywhere. 

Some of the more popular P2P apps include Venmo, Cash App, Zelle, Apple Pay, Google Wallet, PayPal.me, Facebook Messenger, and Snapcash, among others. Because of the P2P platform’s rapid growth, more and more investors are entering the market each day to introduce new cash apps, which is causing many analysts to speculate on need for paper check transactions in the future.

Are they safe?

While sending your hard-earned money back and forth through cyberspace on an app doesn’t sound safe, in general, it is. Are there some exceptions? Always. 

Online scam trends often follow consumer purchasing trends and, right now, the hot transaction spot is P2P platforms. Because P2P money is transferred instantly (and irreversibly), scammers exploit this and are figuring out how to take people’s money. After getting a P2P payment, scammers then delete their accounts and disappear — instantly

In 2018 Consumer Reports (CR) compared the potential financial and privacy risks of five mobile P2P services with a focus on payment authentication and data privacy. CR found all the apps had acceptable encryption but some were dinged for not clearly explaining how they protected user data. The consumer advocacy group ranked app safety strength in this order: Apple Pay, Venmo, Cash App, Facebook Messenger, and Zelle. CR also noted they “found nothing to suggest that using these products would threaten the security of your financial and personal data.”

While any app’s architecture may be deemed safe, no app user is immune from scams, which is where app safety can make every difference. If your family uses P2P apps regularly, confirm each user understands the potential risks. Here are just a few of the schemes that have been connected to P2P apps.

cash apps

Potential scams

Fraudulent sellers. This scam targets an unassuming buyer who sends money through a P2P app to purchase an item from someone they met online. The friendly seller casually suggests the buyer “just Venmo or Cash App me.” The buyer sends the money, but the item is never received, and the seller vanishes. This scam has been known to happen in online marketplaces and other trading sites and apps.

Malicious emails. Another scam is sending people an email telling them that someone has deposited money in their P2P account. They are prompted to click a link to go directly to the app, but instead, the malicious link downloads malware onto the person’s phone or computer. The scammer can then glean personal information from the person’s devices. To avoid a malware attack, consider installing comprehensive security software on your family’s computers and devices.

Ticket scams. Beware of anyone selling concert or sporting event tickets online. Buyers can get caught up in the excitement of scoring tickets for their favorite events, send the money via a P2P app, but the seller leaves them empty-handed.

Puppy and romance scams. In this cruel scam, a pet lover falls in love with a photo of a puppy online, uses a P2P app to pay for it, and the seller deletes his or her account and disappears. Likewise, catfish scammers gain someone’s trust. As the romantic relationship grows, the fraudulent person eventually asks to borrow money. The victim sends money using a P2P app only to have their love interest end all communication and vanish.  

P2P safety: Talking points for families

Only connect with family and friends. When using cash apps, only exchange money with people you know. Unlike an insured bank, P2P apps do not refund the money you’ve paid out accidentally or in a scam scenario. P2P apps hold users 100% responsible for transfers. 

Verify details of each transfer. The sender is responsible for funds, even in the case of an accidental transfer. So, if you are paying Joe Smith your half of the rent, be sure you select the correct Joe Smith, (not Joe Smith_1, or Joe Smithe) before you hit send. There could be dozens of name variations to choose from in an app’s directory. Also, verify with your bank that each P2P transaction registers.

Avoid public Wi-Fi transfers. Public Wi-Fi is susceptible to hackers trying to access valuable financial and personal information. For this reason, only use a secure, private Wi-Fi network when using a P2P payment app. If you must use public Wi-Fi, consider using a Virtual Private Network (VPN).

cash apps

Don’t use P2P apps for business. P2P apps are designed to be used between friends and include no-commercial-use clauses in their policies. For larger business transactions such as buying and selling goods or services use apps like PayPal. 

Lock your app. When you have a P2P app on your phone, it’s like carrying cash. If someone steals your phone, they can go into an unlocked P2P app and send themselves money from your bank account. Set up extra security on your app. Most apps offer PINs, fingerprint IDs, and two-factor authentication. Also, always lock your device home screen.

Adjust privacy settings. Venmo includes a feed that auto shares when users exchange funds, much like a social media feed. To avoid a stranger seeing that you paid a friend for Ed Sheeran tickets (and won’t be home that night), be sure to adjust your privacy settings. 

Read disclosures. One way to assess an app’s safety is to read its disclosures. How does the app protect your privacy and security? How does the app use your data? What is the app’s error-resolution policy? Feel secure with the app you choose.

We’ve learned that the most significant factor in determining an app’s safety comes back to the person using it. If your family loves using P2P apps, be sure to take the time to discuss the responsibility that comes with exchanging cash through apps. 

The post Are Cash Transfer Apps Safe to Use? Here’s What Your Family Needs to Know appeared first on McAfee Blogs.

Millions of Car Buyer Records Exposed: How to Bring This Breach to a Halt

Buying a car can be quite a process and requires a lot of time, energy, and research. What most potential car buyers don’t expect is to have their data exposed for all to see. But according to Threatpost, this story rings true for many prospective buyers. Over 198 million records containing personal, loan, and financial information on prospective car buyers were recently leaked due to a database that was left without password protection.

The database belonged to Dealer Leads, a company that gathers information on prospective buyers through a network of targeted websites. These targeted websites provide car-buying research information and classified ads for visitors, allowing Dealer Leads to collect this information and send it to franchise and independent car dealerships to be used as sales leads. The information collected included records with names, email addresses, phone numbers, physical addresses, IP addresses, and other sensitive or personally identifiable information – 413GB worth of this data, to be exact. What’s more, the exposed database contained ports, pathways, and storage info that cybercriminals could exploit to access Dealer Lead’s deeper digital network.

Although the database has been closed off to the public, it is unclear how long it was left exposed. And while it’s crucial for organizations to hold data privacy to the utmost importance, there are plenty of things users can do to help safeguard their data. Check out the following tips to help you stay secure:

  • Be vigilant about checking your accounts. If you suspect that your data has been compromised, frequently check your accounts for unusual activity. This will help you stop fraudulent activity in its tracks.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of Car Buyer Records Exposed: How to Bring This Breach to a Halt appeared first on McAfee Blogs.

How To Practise Good Social Media Hygiene

Fact – your social media posts may affect your career, or worse case, your identity!

New research from the world’s largest dedicated cybersecurity firm, McAfee, has revealed that two thirds (67%) of Aussies are embarrassed by the content that appears on their social media profiles. Yikes! And just to make the picture even more complicated, 34% of Aussies admit to never increasing the privacy on their accounts from the default privacy settings despite knowing how to.

So, next time these Aussies apply for a job and the Human Resources Manager decides to ‘check them out online’, you can guess what the likely outcome will be…

Proactively Managing Social Media Accounts Is Critical For Professional Reputation

For many Aussies, social media accounts operate as a memory timeline of their social lives. Whether they are celebrating a birthday, attending a party or just ‘letting their hair down’ – many people will document their activities for all to see through a collection of sometimes ‘colourful’ photos and videos. But sharing ‘good times’ can become a very big problem when social media accounts are not proactively managed. Ensuring your accounts are set to the tightest privacy settings possible and curating them regularly for relevance and suitability is essential if you want to keep your digital reputation in-tact. However, it appears that a large proportion of Aussies are not taking these simple steps.

McAfee’s research shows that 28% of Aussies admit to either never or not being able to recall the last time they checked their social media timeline. 66% acknowledge that they have at least one inactive social media account. 40% admit that they’ve not even thought about deleting inactive accounts or giving them a clear-out and concerningly, 11% don’t know how to adjust their privacy settings! So, I have no doubt that some of the Aussies that fall into these groups would have NOT come up trumps when they were ‘checked out online’ by either their current or future Human Resources Managers!!

What Social Media Posts Are Aussies Most Embarrassed By?

As part of the research study, Aussies were asked to nominate the social media posts that they have been most embarrassed by. Here are the top 10:

  1. Drunken behaviour
  2. Comment that can be perceived as offensive
  3. Wearing an embarrassing outfit
  4. Wardrobe malfunction
  5. In their underwear
  6. Throwing up
  7. Swearing
  8. Kissing someone they shouldn’t have been
  9. Sleeping somewhere they shouldn’t
  10. Exposing themselves on purpose

Cybercriminals Love Online Sharers

As well as the potential to hurt career prospects, relaxed attitudes to social media could be leaving the door open for cybercriminals. If you are posting about recent purchases, your upcoming holidays and ‘checking-in’ at your current location then you are making it very easy for cybercriminals to put together a picture of you and possibly steal your identity. And having none or even default privacy settings in place effectively means you are handing this information to cybercriminals on a platter!!

Considering how much personal information and images most social media accounts hold, it’s concerning that 16 per cent of Aussies interviewed admitted that they don’t know how to close down their inactive social media accounts and a third (34%) don’t know the passwords or no longer have access to the email addresses they used to set them up – effectively locking them out!

What Can We Do To Protect Ourselves?

The good news is that there are things we can do TODAY to improve our social media hygiene and reduce the risk of our online information getting into the wrong hands. Here are my top tips:

  1. Clean-up your digital past. Sift through your old and neglected social media accounts. If you are not using them – delete the account. Then take some time to audit your active accounts. Delete any unwanted tags, photos, comments and posts so they don’t come back to haunt your personal or professional life.

  1. Lockdown privacy and security settings. Leaving your social media profiles on the ‘public’ setting means anyone who has access to the internet can view your posts and photos whether you want them to or not. While you should treat anything you post online as public, turning your profiles to private will give you more control over who can see your content and what people can tag you in.

 

  1. Never reuse passwords. Use unique passwords with a combination of lower and upper case letters, numbers and symbols for each one of your accounts, even if you don’t think the account holds a lot of personal information. If managing all your passwords seems like a daunting task, look for security software that includes a password manager.

 

  1. Avoid Sharing VERY Personal Information Online. The ever-growing body of information you share online could possibly be used by cybercriminals to steal your identity. The more you share, the greater the risk. Avoid using your full name, date of birth, current employer, names of your family members, your home address even the names of your pets online – as you could be playing straight into the hands of identity thieves and hackers.
  1. Think before you post. Think twice about each post you make. Will it have a negative impact on you or someone you know now or possibly in the future? Does it give away personal information that someone could use against you? Taking a moment to think through the potential consequences BEFORE you post is the best way to avoid serious regrets in the future.

 

  1. Employ extra protection across all your devices. Threats such as viruses, identity theft, privacy breaches, and malware can all reach you through your social media. Install comprehensive security software to protect you from these nasties.

 

If you think you (or one of your kids) might just identify with the above ‘relaxed yet risky’ approach to managing your social media, then it’s time to act. Finding a job is hard enough in our crowded job market without being limited by photos of your latest social gathering! And no-one wants to be the victim of identity theft which could possibly affect your financial reputation for the rest of your life! So, make yourself a cuppa and get to work cleaning up your digital life! It’s so worth it!!

Alex xx

 

 

The post How To Practise Good Social Media Hygiene appeared first on McAfee Blogs.

3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy

Even though most of us are aware of the potential risks, we continue to journal and archive our daily lives online publically. It’s as if we just can’t help it. Our kids are just so darn cute, right? And, everyone else is doing it, so why not join the fun?

One example of this has become the digital tradition of parents sharing first-day back-to-school photos. The photos feature fresh-faced, excited kids holding signs to commemorate the big day. The signs often include the child’s name, age, grade, and school. Some back-to-school photos go as far as to include the child’s best friend’s name, favorite TV show, favorite food, their height, weight, and what they want to be when they grow up.

Are these kinds of photos adorable and share-worthy? Absolutely. Could they also be putting your child’s safety and your family’s privacy at risk? Absolutely.

1. Posting identifying family photos

Think about it. If you are a hacker combing social profiles to steal personal information, all those extra details hidden in photos can be quite helpful. For instance, a seemingly harmless back-to-school photo can expose a home address or a street sign in the background. Cyber thieves can zoom in on a photo to see the name on a pet collar, which could be a password clue, or grab details from a piece of mail or a post-it on the refrigerator to add to your identity theft file. On the safety side, a school uniform, team jersey, or backpack emblem could give away a child’s daily location to a predator.

Family Safety Tips
  • Share selectively. Facebook has a private sharing option that allows you to share a photo with specific friends. Instagram has a similar feature.
  • Private groups. Start a private Family & Friends Facebook group, phone text, or start a family chat on an app like GroupMe. This way, grandma and Aunt June feel included in important events, and your family’s personal life remains intact.
  • Photo albums. Go old school. Print and store photos in a family photo album at home away from the public spotlight.
  • Scrutinize your content. Think before you post. Ask yourself if the likes and comments are worth the privacy risk. Pay attention to what’s in the foreground or background of a photo.
  • Use children’s initials. Instead of using your child’s name online, use his or her initials or even a digital nickname when posting. Ask family members to do the same.

2. Using trendy apps, quizzes & challengesfamily privacy

It doesn’t take much to grab our attention or our data these days. A survey recently conducted by the Center for Data Innovation found that 58 percent of Americans are “willing to share their most sensitive personal data” (including medical and location data) in return for using apps and services.

If you love those trendy face-morphing apps, quizzes that reveal what celebrity you look like, and taking part in online challenges, you are likely part of the above statistic. As we learned just recently, people who downloaded the popular FaceApp to age their faces didn’t realize the privacy implications. Online quizzes and challenges (often circulated on Facebook) can open you up to similar risk.

Family Safety Tips

  • Slow down. Read an app’s privacy policy and terms. How will your content or data be used? Is this momentary fun worth exchanging my data?
  • Max privacy settings. If you download an app, adjust your device settings to control app permissions immediately.
  • Delete unused apps. An app you downloaded five years ago and forgot about can still be collecting data from your phone. Clean up and delete apps routinely.
  • Protect your devices. Apps, quizzes, and challenges online can be channels for malicious malware. Take the extra step to ensure your devices are protected.

3. Unintentionally posting personal details

Is it wrong to want an interesting Facebook or Instagram profile? Not at all. But be mindful you are painting a picture with each detail you share. For instance: It’s easy to show off your new dog Fergie and add your email address and phone number to your social profile so friends can easily stay in touch. It’s natural to feel pride in your hometown of Muskogee, to celebrate Katie Beth‘s scholarship and Justin‘s home run. It’s natural to want to post your 23rd anniversary to your beloved Michael (who everyone calls Mickey Dee) on December 15. It’s also common to post about a family reunion with the maternal side of your family, the VanDerhoots.

family privacyWhile it may be common to share this kind of information, it’s still unwise since this one paragraph just gave a hacker 10+ personal details to use in figuring out your passwords.

Family Safety Tips

  • Use, refresh strong passwords. Change your passwords often and be sure to use a robust and unique password or passphrase (i.e., grannymakesmoonshine or glutenfreeformeplease) and make sure you vary passwords between different logins. Use two-factor authentication whenever possible.
  • Become more mysterious. Make your social accounts private, use selective sharing options, and keep your profile information as minimal as possible.
  • Reduce your friend lists. Do you know the people who can daily view your information? To boost your security, consider curating your friend lists every few months.
  • Fib on security questions. Ethical hacker Stephanie Carruthers advises people who want extra protection online to lie on security questions. So, when asked for your mother’s maiden name, your birthplace, or your childhood friend, answer with Nutella, Disneyland, or Dora the Explorer.

We’ve all unwittingly uploaded content, used apps, or clicked buttons that may have compromised our privacy. That’s okay, don’t beat yourself up. Just take a few hours and clean up, lockdown, and streamline your social content. With new knowledge comes new power to close the security gaps and create new digital habits.

The post 3 Things You [Probably] Do Online Every Day that Jeopardize Your Family’s Privacy appeared first on McAfee Blogs.

Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed

As much as I love this one friend of mine, nothing is private when we’re together. You probably have a friend like this. The relationship is really great so you stay friends despite all, but this particular friend simply cannot know something about you without sharing it with others no matter how hard you try to get them to understand it’s totally uncool. 

Facebook Is an Open Book

They did it again this week with news that 419 million records, including phone numbers and user IDs, were scraped from Facebook and stored in a database that was just sitting online accessible to anyone who might like to peruse it. More than 130 million of those compromised by the discovery were American users. Another 18 million were UK users. A whopping 50 million hailed from Vietnam. 

Facebook later claimed about half that number were affected, or 220 million records. 

The information is at least a year old, which was when Facebook stopped allowing developers to have user phone numbers. So, we can call this a Facebook privacy facepalm legacy attack. It’s a sad state of Facebook privacy news fatigue that the urge is so strong to create privacy fail sub-categories—but there you have it. Introducing the legacy fail. 

Why It Matters

Some of the information out there was granular enough to allow a variety of scams, but the most serious is SIM-card swapping scams, where a criminal, armed with enough information about you, and most crucially your phone number, arranges to have your number moved to a phone in the criminal’s possession. 

Once the number has been transferred, the criminal has control of any accounts that are identified by caller ID (including many financial institutions) as well as any accounts protected by two-factor authentication. It is believed this was the method used to recently hack Jack Dempsey’s Twitter account. 

What You Can Do

Assume that you are a target, and tighten your protections. Your phone provider will have tips on the best practices to avoid SIM-card attacks, and common sense can be your guide regarding any unexpected phone calls, and practice the Three Ms:

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.

Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) If you prefer a more laid back approach, see No. 5 above.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

The post Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed appeared first on Adam Levin.

7 Questions to Ask Your Child’s School About Cybersecurity Protocols

Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.


Prime Targets

According to one report, a U.S. school district becomes the victim of cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft. 

Top three cyberthreats

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place as well as cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols? 
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 

 

The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.

How to Spring Clean Your Digital Life

With winter almost gone, now is the perfect time to start planning your annual spring clean. When we think about our yearly sort out, most of us think about decluttering our chaotic linen cupboards or the wardrobes that we can’t close. But if you want to minimise the opportunities for a hacker to get their hands on your private online information then a clean-up of your digital house (aka your online life) is absolutely essential.

Not Glamourous but Necessary

I totally accept that cleaning up your online life isn’t exciting but let me assure you it is a must if you want to avoid becoming a victim of identity theft.

Think about how much digital clutter we have accumulated over the years? Many of us have multiple social media, messaging and email accounts. And don’t forget about all the online newsletters and ‘accounts’ we have signed up for with stores and online sites? Then there are the apps and programs we no longer use.

Well, all of this can be a liability. Holding onto accounts and files you don’t need exposes you to all sorts of risks. Your devices could be stolen or hacked or, a data breach could mean that your private details are exposed quite possibly on the Dark Web. In short, the less information that there is about you online, the better off you are.

Digital clutter can be distracting, exhausting to manage and most importantly, detrimental to your online safety. A thorough digital spring clean will help to protect your important, online personal information from cybercriminals.

What is Identity Theft?

Identity theft is a serious crime that can have devastating consequences for its victims. It occurs when a person’s personal information is stolen to be used primarily for financial gain. A detailed set of personal details is often all a hacker needs to access bank accounts, apply for loans or credit cards and basically destroy your credit rating and reputation.

How To Do a Digital Spring Clean

The good news is that digital spring cleaning doesn’t require nearly as much elbow grease as scrubbing down the microwave! Here are my top tips to add to your spring-cleaning list this year:

  1. Weed Out Your Old Devices

Gather together every laptop, desktop computer, tablet and smartphone that lives in your house. Now, you need to be strong – work out which devices are past their use-by date and which need to be spring cleaned.

If it is finally time to part ways with your first iPad or the old family desktop, make sure any important documents or holiday photos are backed up in a few places (on another computer, an external hard drive AND in cloud storage program such as Dropbox and or iCloud) so you can erase all remaining data and recycle the device with peace of mind. Careful not to get ‘deleting’ confused with ‘erasing,’ which means permanently clearing data from a device. Deleted files can often linger in a device’s recycling folder.

  1. Ensure Your Machines Are Clean!

It is not uncommon for viruses or malware to find their way onto your devices through outdated software so ensure all your internet-connected devices have the latest software updates including operating systems and browsers. Ideally, you should ensure that you are running the latest version of apps too. Most software packages do auto-update but please take the time to ensure this is happening on all your devices.

  1. Review and Consolidate Files, Applications and Services

Our devices play such a huge part in our day to day lives so it is inevitable that they become very cluttered. Your kids’ old school assignments, outdated apps and programs, online subscriptions and unused accounts are likely lingering on your devices.

The big problem with old accounts is that they get hacked! And they can often lead hackers to your current accounts so it’s a no-brainer to ensure the number of accounts you are using is kept to a minimum.

Once you have decided which apps and accounts you are keeping, take some time to review the latest privacy agreements and settings so you understand what data they are collecting and when they are collecting it. You might also discover that some of your apps are using far more of your data than you realised! Might be time to opt-out!

  1. Update Passwords and Enable Two-Factor Authentication

As the average consumer manages a whopping 11 online accounts – social media, shopping, banking, entertainment, the list goes on – updating our passwords is an important ‘cyber hygiene’ practice that is often neglected. Why not use your digital spring cleaning as an excuse to update and strengthen your credentials?

Creating long and unique passwords using a variety of upper and lowercase numbers, letters and symbols is an essential way of protecting yourself and your digital assets online. And if that all feels too complicated, why not consider a password management solution? Password managers help you create, manage and organise your passwords. Some security software solutions include a password manager such as McAfee Total Protection.

Finally, wherever possible, you should enable two-factor authentication for your accounts to add an extra layer of defense against cyber criminals. Two-factor authentication is where a user is verified by opt-out password or one-off code through a separate personal device like a smart phone.

Still not convinced? If you use social media, shop online, subscribe to specialist newsletters then your existence is scattered across the internet. By failing to clean up your ‘digital junk’ you are effectively giving a set of front door keys to hackers and risking having your identity stolen. Not a great scenario at all. So, make yourself a cuppa and get to work!

Til Next Time

Alex xx

 

 

 

 

The post How to Spring Clean Your Digital Life appeared first on McAfee Blogs.

Lights, Camera, Cybersecurity: What You Need to Know About the MoviePass Breach

If you’re a frequent moviegoer, there’s a chance you may have used or are still using movie ticket subscription service and mobile app MoviePass. The service is designed to let film fanatics attend a variety of movies for a convenient price, however, it has now made data convenient for cybercriminals to potentially get ahold of. According to TechCrunch, the exposed database contained 161 million records, with many of those records including sensitive user information.

So, what exactly do these records include? The exposed user data includes 58,000 personal credit cards and customer card numbers, which are similar to normal debit cards. They are issued by Mastercard and store a cash balance that users can use to pay so they can watch a catalog of movies. In addition to the MoviePass customer cards and financial information numbers, other exposed data includes billing addresses, names, and email addresses. TechCrunch reported that a combination of this data could very well be enough information to make fraudulent purchases.

The database also contained what researchers presumed to be hundreds of incorrectly typed passwords with user email addresses. With this data, TechCrunch attempted to log into the database using a fake email and password combination. Not only did they immediately gain access to the MoviePass account, but they found that the fake login credentials were then added to the database.

Since then, TechCrunch reached out to MoviePass and the company has since taken the database offline. However, with this personal and financial information publicly accessible for quite some time, users must do everything in their power to safeguard their data. Here are some tips to help keep your sensitive information secure:

  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, as always, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Lights, Camera, Cybersecurity: What You Need to Know About the MoviePass Breach appeared first on McAfee Blogs.

Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season

With summer coming to a close, it’s almost time for back to school! Back to school season is an exciting time for students, especially college students, as they take their first steps towards independence and embark on journeys that will shape the rest of their lives. As students across the country prepare to start or return to college, we here at McAfee have revealed new findings indicating that many are not proactively protecting their academic data. Here are the key takeaways from our survey of 1,000 Americans, ages 18-25, who attend or have attended college:

Education Needs to Go Beyond the Normal Curriculum

While many students are focused on classes like biology and business management, very few get the proper exposure to cybersecurity knowledge. 80% of students have been affected by a cyberattack or know a friend or family member who has been affected. However, 43% claim that they don’t think they will ever be a victim of a cybercrime in the future.

Educational institutions are very careful to promote physical safety, but what about cyber safety? It turns out only 36% of American students claim that they have learned how to keep personal information safe through school resources. According to 42% of our respondents, they learn the most about cybersecurity from the news. To help improve cybersecurity education in colleges and universities, these institutions should take a certain level of responsibility when it comes to training students on how they can help keep their precious academic data safe from cybercriminals.

Take Notes on Device Security

Believe it or not, many students fail to secure all of their devices, opening them up to even more vulnerabilities. While half of students have security software installed on their personal computers, this isn’t the case for their tablets or smartphones. Only 37% of students surveyed have smartphone protection, and only 13% have tablet protection. What’s more, about one in five (21%) students don’t use any cybersecurity products at all.

Class Dismissed: Cyberattacks Targeting Education Are on the Rise

According to data from McAfee Labs, cyberattacks targeting education in Q1 2019 have increased by 50% from Q4 2018. The combination of many students being uneducated in proper cybersecurity hygiene and the vast array of shared networks that these students are simultaneously logged onto gives cybercriminals plenty of opportunities to exploit when it comes to targeting universities. Some of the attacks utilized include account hijacking and malware, which made up more than 70% of attacks on these institutions from January to May of 2019. And even though these attacks are on the rise, 90% of American students still use public Wi-Fi and only 18% use a VPN to protect their devices.

Become a Cybersecurity Scholar

In order to go into this school year with confidence, students should remember these security tips:

  • Never reuse passwords. Use a unique password for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. You can also use a password manager so you don’t have to worry about remembering various logins.
  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public. Protect your identity by turning your profiles to private so you can control who can follow you. You should also take the time to understand the various security and privacy settings to see which work best for your lifestyle.
  • Use the cloud with caution. If you plan on storing your documents in the cloud, be sure to set up an additional layer of access security. One way of doing this is through two-factor authentication.
  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to keep your connection secure.
  • Discuss cyber safety often. It’s just as important for families to discuss cyber safety as it is for them to discuss privacy on social media. Talk to your family about ways to identify phishing scams, what to do if you may have been involved in a data breach, and invest in security software that scans for malware and untrusted sites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Dorms, Degrees, and Data Security: Prepare Your Devices for Back to School Season appeared first on McAfee Blogs.

Capital One Data Breach: How Impacted Users Can Stay More Secure

Capital One is one of the 10 largest banks based on U.S. deposits. As with many big-name brands, cybercriminals see these companies as an ideal target to carry out large-scale attacks, which has now become a reality for the financial organization. According to CNN, approximately 100 million Capital One users in the U.S. and 6 million in Canada have been affected by a data breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers, and more.

According to the New York Post, the alleged hacker claimed the data was obtained through a firewall misconfiguration. This misconfiguration allowed command execution with a server that granted access to data in Capital One’s storage space at Amazon. Luckily, Capital One stated that it “immediately fixed the configuration vulnerability.”

This breach serves as a reminder that users and companies alike should do everything in their power to keep personal information protected. If you think you might have been affected by this breach, follow these tips to help you stay secure:

  • Check to see if you’ve been notified by Capital One. The bank will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services. Be sure to take advantage of the services and check out the website Capital One set up for information on this breach.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible. Capital One will allow you to freeze your card so purchases can no longer be made.
  • Change your credentials. Err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identify Theft Protection will help you to monitor your accounts and alert you of any suspicious activity.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Capital One Data Breach: How Impacted Users Can Stay More Secure appeared first on McAfee Blogs.

Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel

With summertime just around the corner, families are eagerly looking to book their next getaway. Since vacation is so top-of-mind during the summer months, users are bound to come across websites offering cheap deals on flights, accommodations, and other experiences and activities. With so many websites claiming to offer these “can’t-miss deals,” how do you know who to trust?

It turns out that this is a common concern among folks looking for a little summer getaway. According to our recent survey of 8,000 people across the UK, US, Canada, Australia, France, Germany, Spain, and Singapore, 54% of respondents worry about their identity being stolen while booking and purchasing travel and accommodation online. However, 27% don’t check the authenticity of a website before booking their vacation online. Over half of these respondents say that it doesn’t cross their minds to do so.

These so-called “great deals” can be difficult to pass up. Unfortunately, 30% of respondents have been defrauded thanks to holiday travel deals that were just too good to be true. What’s more, 46.3% of these victims didn’t realize they had been ripped off until they arrived at their holiday rental to find that the booking wasn’t actually valid.

In addition to avoiding bogus bookings, users should also refrain from risky online behavior while enjoying their summer holidays. According to our survey, 44.5% of respondents are putting themselves at risk while traveling by not checking the security of their internet connection or willingly connecting to an unsecured network. 61% also stated that they never use a VPN, while 22% don’t know what a VPN is.

Unfortunately, travel-related attacks aren’t limited to just travelers either; hotels are popular targets for cybercriminals. According to analysis conducted by the McAfee Advanced Threat Research team, the most popular attack vectors are POS malware and account hijacking. Due to these attacks, eager vacationers have had their customer payment, credit card data, and personally identifiable information stolen. In order for users to enjoy a worry-free vacation this summer, it’s important that they are aware of the potential cyberthreats involved when booking their trips online and what they can do to prevent them.

We here at McAfee are working to help inform users of the risks they face when booking through unsecured or unreliable websites as well as when they’re enjoying some summertime R&R. Check out the following tips so you can enjoy your vacation without questioning the status of your cybersecurity:

  • Always connect with caution. If you need to conduct transactions on a public Wi-Fi connection, use a virtual private network (VPN) to help keep your connection secure.
  • Think before you click. Often times, cybercriminals use phishing emails or fake sites to lure consumers into clicking links for products or services that could lead to malware. If you receive an email asking you to click on a link with a suspicious URL, it’s best to avoid interacting with the message altogether.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which includes McAfee WebAdvisor that can help identify malicious websites.
  • Utilize an identity theft solution. With all this personal data floating around online, it’s important to stay aware of any attempts to steal your identity. Use an identity theft solution, such as McAfee Identity Theft Protection, that can help protect personally identifiable information from identity theft and fraud.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Bargain or Bogus Booking? Learn How to Securely Plan Summer Travel appeared first on McAfee Blogs.

4 Tips to Protect Your Information During Medical Data Breaches

As the companies we trust with our data become more digital, it’s important for users to realize how this affects their own cybersecurity. Take your medical care provider, for instance. You walk into a doctor’s office and fill out a form on a clipboard. This information is then transferred to a computer where a patient Electronic Health Record is created or added to. We trust that our healthcare provider has taken the proper precautions to safely store this data. Unfortunately, medical data breaches are on the rise with a 70% increase over the past seven years. In fact, medical testing company LabCorp just announced that it experienced a breach affecting approximately 7.7 million customers.

How exactly did this breach occur? The information was exposed as a result of an issue with a third-party billing collections vendor, American Medical Collection Agency (AMCA). The information exposed includes names, addresses, birth dates, balance information, and credit card or bank account information provided by customers to AMCA. This breach comes just a few days after Quest Diagnostics, another company who worked with AMCA, announced that they too experienced a breach affecting 11.9 million users.

Luckily, LabCorp stated that they do not store or maintain Social Security numbers and insurance information for their customers. Additionally, the company provided no ordered test, lab results, or diagnostic information to AMCA. LabCorp stated that they intend to provide 200,000 affected users with more specific information regarding the breach and offer them with identity protection and credit monitoring services for two years. And after receiving information on the possible security compromise, AMCA took down its web payments page and hired an external forensics firm to investigate the situation.

Medical data is essentially nonperishable in nature, making it extremely valuable to cybercrooks. It turns out that quite a few security vulnerabilities exist in the healthcare industry, such as unencrypted traffic between servers, the ability to create admin accounts remotely, and disclosure of private information. These types of vulnerabilities could allow cybercriminals to access healthcare systems, as our McAfee Labs researchers discovered. If someone with malicious intent did access the system, they would have the ability to permanently alter medical images, use medical research data for extortion, and more.

Cybercriminals are constantly pivoting their tactics and changing their targets in order to best complete their schemes. As it turns out, medical data has become a hot commodity for cybercrooks. According to the McAfee Labs Threats Report from March 2018, the healthcare sector has experienced a 210% increase in publicly disclosed security incidents from 2016 to 2017. The McAfee Advanced Threat Research Team concluded that many of the incidents were caused by failures to comply with security best practices or to address vulnerabilities in medical software.

While medical care providers should do all that they can to ensure the security of their patients, there are steps users can take to help maintain their privacy. If you think your personal or financial information might be affected by the recent breaches, check out the following tips to help keep your personal data secure:

  • Place a fraud alert.If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit.Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection.A solution like McAfee Identify Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.
  • Be vigilant about checking your accounts.If you suspect that your personal data has been compromised, frequently check your bank account and credit activity. Many banks and credit card companies offer free alerts that notify you via email or text messages when new purchases are made, if there’s an unusual charge, or when your account balance drops to a certain level. This will help you stop fraudulent activity in its tracks.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 4 Tips to Protect Your Information During Medical Data Breaches appeared first on McAfee Blogs.

Attention Graphic Designers: It’s Time to Secure Your Canva Credentials

Online graphic design tools are extremely useful when it comes to creating resumes, social media graphics, invitations, and other designs and documents. Unfortunately, these platforms aren’t immune to malicious online activity. Canva, a popular Australian web design service, was recently breached by a malicious hacker, resulting in 139 million user records compromised.

So, how was this breach discovered? The hacker, who goes by the name GnosticPlayers, contacted a security reporter from ZDNet on May 24th and made him aware of the situation. The hacker claims to have stolen data pertaining to 1 billion users from multiple websites. The compromised data from Canva includes names, usernames, email addresses, city, and country information.

Canva claims to securely store all user passwords using the highest standards via a Bcrypt algorithm. Bcrypt is a strong, slow password-hashing algorithm designed to be difficult and time-consuming for hackers to crack since hashing causes one-way encryption. Additionally, each Canva password was salted, meaning that random data was added to passwords to prevent revealing identical passwords used across the platform. According to ZDNet, 61 million users had their passwords encrypted with the Bcrypt algorithm, resulting in 78 million users having their Gmail addresses exposed in the breach.

Canva has notified users of the breach through email and ensured that their payment card and other financial data is safe. However, even if you aren’t a Canva user, it’s important to be aware of what cybersecurity precautions you should take in the event of a data breach. Check out the following tips:

  • Change your passwords. As an added precaution, Canva is encouraging their community of users to change their email and Canva account passwords. If a cybercriminal got a hold of the exposed data, they could gain access to your other accounts if your login credentials were the same across different platforms.
  • Check to see if you’ve been affected. If you’ve used Canva and believe your data might have been exposed, use this tool to check or set an alert to be notified of other potential data breaches.
  • Secure your personal data. Use a security solution like McAfee Identity Theft Protection. If your information is compromised during a breach, Identity Theft Protection helps monitor and keep tabs on your data in case a cybercriminal attempts to use it.

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Attention Graphic Designers: It’s Time to Secure Your Canva Credentials appeared first on McAfee Blogs.