EU May Propose 24-Hour Breach Notification, Data Privacy Rules
Companies operating in the European Union may be required to disclose data breaches within 24 hours if proposed new rules are approved.
The European Commission will propose several changes to the data protection and privacy rules to protect individual rights and ensure a high level of data protection on Jan. 25. The proposed changes will simultaneously simplify and toughen the current mishmash of rules and policies currently used by the European Union's 27 member countries.
Along with the data breach notification rule, the commission's proposal includes stricter sanctions and would provide national data-protection officials with authority to levy administrative sanctions and fines, such as fining companies a percentage of their global revenue for violating the rules. The proposed changes would overhaul the EU's 17-year-old data protection policies addressing online advertising and social networking sites.
"Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay," EU Justice Commissioner Viviane Reding said at a conference in Munich on Jan. 22, according to Bloomberg.
Symantec Warns pcAnywhere Users Due to Source Code Theft
Symantec has confirmed that pcAnywhere users are at "increased risk" because attackers have stolen source code to the remote control tool.
The saga over Symantec's stolen code took another twist as the company acknowledged that pcAnywhere customers are at risk for man-in-the-middle attacks and new exploits.
The breach actually occurred on Symantec servers in 2006, and attackers stole source code to several Norton security products and the pcAnywhere remote access tool, Symantec confirmed last week. At the time, the company assured customers that there was no risk to the products because the source code was so old and the company had made security improvements over the past six years.
However, upon further investigation, it appears that pcAnywhere customers are at risk, especially if they are not following "general security best practices" to protect the endpoint, network and remote access, as well as properly configuring the remote access tool, Christine Ewing, director of product marketing in the endpoint management group, wrote on the Endpoint Management Community blog Jan. 24. Those customers are susceptible to man-in-the-middle attacks, which can reveal authentication and session information.
"Customers of Symantec's pcAnywhere have increased risk as a result of this incident," Ewing wrote.
The encoding and encryption elements within pcAnywhere are vulnerable to being intercepted in man-in-the-middle attacks, according to a whitepaper addressing the issues in the remote access tool released by Symantec Jan. 25. If attacker manage to obtain the cryptographic key, they would be able to launch unauthorized remote control sessions and access other systems and sensitive data. If the key is using Active Directory credentials, the attackers would be able to access other parts of the network.
The company released a patch fixing three vulnerabilities in the latest version of pcAnywhere, version 12.5, for Windows on Jan. 23. Symantec plans to release additional patches during the week for older versions of pcAnywhere, including versions 12.0 and 12.1. Symantec is also expected to patch more issues in version 12.5. Symantec will keep updating the software until "a new version of pcAnywhere that addresses all currently known vulnerabilities" is released, Ewing said.
Customers should disable pcAnywhere because malicious developers would be able to identify vulnerabilities within the source code and launch new exploits, Symantec said in the whitepaper. The remote access tool should be disabled unless it is vitally needed for business use, and in those situations customers should use the latest version of pcAnywhere with all the relevant patches and "follow the general security best practices," Symantec said.
"At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks," the company said.
Since pcAnywhere is available as a stand-alone product, bundled with other Symantec products and also as part of Altiris-based packages, customers should check to see if the tool is enabled. A remote access component called pcAnywhere Thin Host is also bundled with several backup and security products from Symantec.
The company again asserted that its antivirus and endpoint security products are not at risk. "Our analysis shows that due to the age of the exposed source Symantec antivirus or endpoint security customers, including those running Norton products, should not be in any increased danger of cyber-attacks resulting from this incident," Symantec said in a statement.
The theft was limited to the code for the 2006 versions of Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks, which includes Norton Utilities and Norton GoBack; and pcAnywhere, Symantec said. The Norton Antivirus Corporate Edition code "represents a small percentage" of the code that appeared in the prerelease source for Symantec Antivirus 10.2, which was discontinued in 2007. Symantec Endpoint Protection 11, which replaced Symantec Antivirus Corporate Edition, was based on a separate code branch "that we do not believe was exposed," Symantec said. Customers running Symantec Endpoint Protection 11.x are at "no increased security risk" due to the code theft.
Customers should follow recommended best practices, such as making sure antivirus definitions are up to date and running the latest version of the software. If it makes sense for the organization, Symantec recommends upgrading to the latest version of Symantec Endpoint Protection, which is SEP 12.1 RU1, but there is no rush.
"The code that has been exposed is so old that current out-of-the-box security settings will suffice against any possible threats that might materialize as a result of this incident," Symantec said.
McAllen insurance agent indicted on charges of mail fraud and ID theft
From a Jan. 26 news release issued by the U.S. Attorney's Office for the Southern District of Texas:
McALLEN, Texas – A McAllen area insurance agent has been indicted on multiple counts of mail fraud and aggravated identity theft arising from a scheme to defraud several private insurance companies offering Medicare Advantage plans and other insurance products, United States Attorney Kenneth Magidson announced today.
San Juana Lopez, 59, of Edinburg, Texas, was charged with five counts of mail fraud and three counts of aggravated identity theft in a federal indictment, returned under seal Tuesday, Jan. 24, 2012. The indictment was unsealed this morning upon her arrest by federal agents at her residence and she is expected to make an initial appearance in federal court later this morning before U.S. Magistrate Judge Dorina Ramos.
According to the indictment, from 2007 through 2008, Lopez worked for a San Antonio, Texas, insurance agency, selling Medicare Advantage insurance plans. These plans provide Medicare beneficiaries with the option to receive their benefits through a wide variety of private managed care plans, rather than through the traditional Medicare program. The indictment alleges Lopez obtained identifiers of beneficiaries through a variety of illegal means and used the identifiers to enroll the beneficiaries in a Medicare Advantage plan offered by Care Improvement Plus - a Baltimore, Md., insurance company - without the authorization or knowledge of the beneficiaries. Lopez received thousands in commissions as a result of the false enrollments.
The indictment further alleges that only a few days after being suspended by Care Improvement Plus, Lopez entered into a sales agent agreement with United Funeral Directors Benefit Life Insurance Company (United), of Richardson, Texas, which offered pre-need funeral contracts allowing insured individuals to pre-plan and pre-fund funeral expenses. According to the indictment, soon after becoming an agent for United, Lopez began enrolling numerous individuals in United’s pre-need funeral insurance policy without their authorization or knowledge. The indictment alleges Lopez used bank account information belonging to unsuspecting United clients, whom she had previously enrolled, to make premium payments on the false policies. Lopez received thousands of dollars in commissions from United in connection with the alleged fraud.
Each count of mail fraud carries a sentence of up to 20 years in federal prison without parole and a $250,000 fine upon conviction. Lopez also faces a mandatory two-year prison term for each count of aggravated identity theft which must be served consecutive to any prison sentence imposed on the underlying charges.
The investigation leading to the charges was conducted by the U.S. Department of Health and Human Services–Office of Inspector General and the U.S. Secret Service. Assistant United States Attorney Greg Saikin is prosecuting the case.
An indictment is a formal accusation of criminal conduct, not evidence.
A defendant is presumed innocent unless convicted through due process of law.
Malware Poses as Google+ Plug-In
Spammers are cashing in on the popularity of Google+ by sending out fake emails inviting users to try out Google+ Hangouts by downloading a malicious file posing as a Google+ Hangout plug-in.
The fraudulent email advertises Google+ Hangouts as “the most popular online meeting service,” which is apparently true, according to a recent article from Lifehacker.
The fake Google+ plug-in promises to make you “look and sound your best with high quality audio and video,” apparently an effort to fool G+ users into believing that the free Web conferencing feature can be juiced. Malware City reports that clicking the link won’t install a Google+ plug-in but downloads an executable file instead.
Despite concerns about privacy, there have been few threats that specifically target the Google+ network since its launch. The company has promised to prevent brand squatting and other nuisance behaviors, but G+ specific malware and attacks have been far and few between. That may change, however, as the size of the nascent social network continues to grow.
ID theft scam in NY has victims in 30 states
Two New York women are accused of scamming $75,000 from victims in 30 states by posting phony Craigslist ads for nonexistent jobs and apartments.
A Long Island prosecutor has announced identity theft charges against the woman and her niece.
Nassau County District Attorney Kathleen Rice said Thursday a grand jury filed grand larceny and other charges against the pair earlier this week. Her spokesman said the women will be arraigned at a later date. Defense attorneys did not immediately respond to calls for comment.
Prosecutors say the pair posted online ads and then asked responders to provide personal information, including Social Security numbers.
The women then allegedly used the information to file more than 250 phony tax returns, obtain bank loans and credit cards in the victims’ names.
Timeshare Marketing Scams
Timeshare owners across the country are being scammed out of millions of dollars by unscrupulous companies that promise to sell or rent the unsuspecting victims’ timeshares. In the typical scam, timeshare owners receive unexpected or uninvited telephone calls or e-mails from criminals posing as sales representatives for a timeshare resale company. The representative promises a quick sale, often within 60-90 days. The sales representatives often use high-pressure sales tactics to add a sense of urgency to the deal. Some victims have reported that sales representatives pressured them by claiming there was a buyer waiting in the wings, either on the other line or even present in the office.
Timeshare owners who agree to sell are told that they must pay an upfront fee to cover anything from listing and advertising fees to closing costs. Many victims have provided credit cards to pay the fees ranging from a few hundred to a few thousand dollars. Once the fee is paid, timeshare owners report that the company becomes evasive—calls go unanswered, numbers are disconnected, and websites are inaccessible.
In some cases, timeshare owners who have been defrauded by a timeshare sales scheme have been subsequently contacted by an unscrupulous timeshare fraud recovery company as well. The representative from the recovery company promises assistance in recovering money lost in the sales scam. Some recovery companies require an up-front fee for services rendered, while others promise no fees will be paid unless a refund is obtained for the timeshare owner. The IC3 has identified some instances where people involved with the recovery company also have a connection to the resale company, raising the possibility that timeshare owners are being scammed twice by the same people.
If you are contacted by someone offering to sell or rent your timeshare, the IC3 recommends using caution. Listed below are tips you can use to avoid becoming a victim of a timeshare scheme:
- Be wary if a company asks you for up-front fees to sell or rent your timeshare.
- Read the fine print of any sales contract or rental agreement provided.
- Check with the Better Business Bureau to ensure the company is reputable.
To obtain more information on Internet schemes, visit www.LooksTooGoodToBeTrue.com.
Anyone who believes they have been a victim of this type of scam should promptly report it to the IC3’s website at www.IC3.gov. The IC3’s complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.
Six Charged in Scheme to Use Identities of Dead People to Get Tax Refunds
According to the indictment, between April 15, 2009, to at least August 2011, Muaad Salem, Fahim Sulieman, Hanan Widdi, Najeh Widdi, Hazem Woodi and Daxesj Patel and other unknown co-conspirators allegedly defrauded the United States by filing false and fraudulent tax returns, many in the names of recently deceased taxpayers, and directing refunds to controlled locations in the state of Florida.
The indictment further alleges that the U.S. Treasury checks generated by the false and fraudulent returns would then be sent by the U.S. mail to co-conspirators in Ohio who would sell and distribute the checks for negotiation at various businesses and banking institutions.
“The theft of anyone’s identity is a serious offense, but stealing the identities of the recently departed to defraud all the other taxpayers is particularly egregious,” said Steven M. Dettelbach, the U.S. Attorney for the Northern District of Ohio.
“Identity theft that leads to tax fraud threatens both individual U.S. citizens and the U.S. government,” said John A. DiCicco, Principal Deputy Assistant Attorney General of the Justice Department's Tax Division. “The Justice Department and the IRS will continue to cooperate in investigating and prosecuting these crimes to the fullest extent of the law. In our technology-driven society, this simply must be a top priority.”
The following individuals were charged with conspiracies to defraud the United States and to commit mail fraud:
Muaad Salem, age 33, of Akron, Ohio;
Hazem Woodi, age 31, of North Olmsted, Ohio;
Najeh Widdi, age 45, of Cleveland;
Fahim Suleiman, age 46, of Lutz, Fla.;
Daxesj Patel, age 35, of Canton, Ohio; and
Hanan Widdi, age 38, of Cleveland.
The six are also charged with three counts of mail fraud and two counts of aggravated identity theft. In addition to the other charges, Patel is separately charged with two counts of making a false claim against the United States and with making a false statement to law enforcement officials investigating the crimes.
“The IRS is aggressively pursuing those who steal others’ identities in order to file false returns,” said Steven Miller, IRS Deputy Commissioner for Services and Enforcement. “Our cooperative work with the U.S. Attorney’s Office will help protect taxpayers in Northern Ohio from being victimized by identity theft. The IRS is taking additional steps this tax season to further prevent, detect and resolve identity theft cases as soon as possible.”
“This case is an example of the FBI and IRS working together to aggressively pursue and investigate those organized criminal enterprises that commit identity theft and fraudulent activities in the United States costing the taxpayers of this country millions of dollars,” said Stephen D. Anthony, Special Agent in Charge of the FBI’s Cleveland office.
“IRS Criminal Investigation has made investigating refund fraud and identity theft a top priority,” stated Darryl Williams, Special Agent in Charge, IRS-Criminal Investigation, Cincinnati Field Office. “Filing fraudulent tax returns in the names of other individuals may result in significant harm to those individuals whose identities were stolen, as well as a monetary loss against the U.S. Treasury.”
Mail fraud is punishable by a maximum sentence of 20 years in prison; conspiracy to defraud the United States is punishable by a maximum sentence of 10 years; conspiracy to commit mail fraud, making a false claim against the United States and making a false statement are each punishable by a maximum sentence of five years in prison; aggravated identity theft is punishable by a mandatory sentence of two years incarceration to follow conviction on any other offense.
Defendants also face a fine of up to $250,000 for each count of conviction.
The case was presented to the grand jury by Assistant U.S. Attorney Gary D. Arbeznik following investigation by the Cleveland Division of the FBI, the IRS – Criminal Investigation, and the U.S. Postal Service.
An indictment is only a charge and is not evidence of guilt. The defendants are entitled to a fair trial in which it will be the government’s burden to prove guilt beyond a reasonable doubt
Filmlush.com appears to be a scam
Watch out for filmlush.com.
Many complaints online for this company. My credit card company told me they are located in Great Birtain, although they clearly operate in the United States.
I noticed that a lot of complaints online about filmlush are from people that enter in credit card information for a trial and then they cancel before the end of the trial, or never in click "submit" to finalize the offer but are still charged $39.95.
Top Data Breaches in 2011
2011 was a significant year for data security, with some of the biggest data breaches in our history reported. In 2011, 535 breaches involving 30.4 million sensitive records. This brings the total reported records breached in the U.S. since 2005 to the alarming number of 543 million.
Data breaches of sensitive information, especially Social Security and credit card numbers, make consumers vulnerable to identity theft. According to a 2009 report by Javelin Research & Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter. But even breaches that contain data as seemingly innocuous as names and email address can be used by fraudsters to trick consumers into revealing information that can lead to identity theft.
The following half dozen are the most significant data breaches in 2011:
- Sony PlayStation (April 27) – Sony discovered an external intrusion on PlayStation Network (PSN) and its Qriocity music service around April 19. Sony blocked users from playing online games or accessing services like Netflix and Hulu Plus on April 22. The blockage lasted for seven days. Sony believes criminal hacker(s) obtained names, addresses, email addresses, dates of birth, PSN/Qriocity password and login, and online IDs for multiple users. The attacker may have also stolen users' purchase history, billing address, and password security questions. Over the course of the next several months, Sony discovered that the hackers gained access to 101.6 million records, including 12 million unencrypted credit card numbers.
The Sony breach highlights the importance of password hygiene. Passwords are frequently the only thing protecting our private information from prying eyes. Many websites that store your personal information (for example web mail, photo or document storage sites, and money management sites) require just a user name and password for protection. Password-protected web sites are becoming more vulnerable because often people use the same passwords on numerous sites. One study by Sophos, a security firm, found that more than 30% of users recycle the same password for every site that they access. In this case, the stolen passwords were unencrypted, meaning the criminal could potentially "break in" to other sites if the victims used the same password more than once.
- Epsilon (April 2) – Epsilon, an email service provider for companies, reported a breach that affected approximately 75 client companies. Email addresses and customer names were affected. Epsilon has not disclosed the names of the companies affected or the total number of names stolen. However, millions of customers received notices from a growing list of companies, making this the largest security breach ever. Conservative estimates place the number of customer email addresses breached at 50 to 60 million. The number of customer emails exposed may have reached 250 million.
Compromised email addresses and names may seem innocuous to some, but victims may fall prey to spear phishing. Spear phishing occurs when a criminal sends an email that sounds and looks like it’s from a company the recipient has an account with because it addresses him or her by name. A spear-phishing message might say, "Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email tries to convince trusting readers to “bite” on the bait and go to that website, and then divulge other information like Social Security numbers and credit card numbers. The result could be as serious as identity theft.
The Epsilon breach is also significant because it highlights the risk of cloud-based computing systems and the need for greater cloud security measures.
- Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) - A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of October 15th. Although the data was password protected, it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan name exposed. An additional 934,000 SMF patients had dates of services and description of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then did not notify the millions of patients whose data went missing within the time required by state law.
The security lapse occurred on two levels: both the data itself (being unencrypted) and the physical location (stored in an unsecure location). Although no Social Security numbers or financial information were apparently exposed, all the data elements needed for medical identity theft were included in the stolen records.
- Texas Comptroller's Office (April 11) – Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May of 2010, unencrypted data was transferred from the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.
A spokesperson from the Texas Comptroller's Office claims that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident. Approximately two million of the 3.5 million individuals possibly affected were unemployed insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed. The birth dates and driver's license numbers of some of these people were also exposed. Two class action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One such lawsuit seeks a $1,000 statutory penalty for each individual.
Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally do not have a choice when providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.
- Health Net (March 15) - Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.
Not only was Health Net the first massive medical breach of the year, but the company waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification.
- Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) - The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics. Uniformed Service members, retirees and their families were affected. Patient data from the military health system dating from 1992 to September 2011 could have been compromised. It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information. Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data. The lawsuit would give $1000 to each of the affected individuals. SAIC reported that 5,117,799 people were affected by the breach.
The Tricare/SAIC breach is significant because not only are the victims at risk of medical identity theft, but financial identity theft as well. The breach begs several questions: Why were the backup tapes being transported in an employee’s personal vehicle? And why were those records not encrypted? This breach also illustrates the triple impact of medical breaches. Victims not only suffer the exposure of their sensitive health information; they also are vulnerable to financial identity theft as well as medical identity theft.
It is also significant that two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report. Medical breaches are particularly significant and harmful because of the sensitivity of personal information exposed, in addition to, often, Social Security numbers and dates of birth.
Hackers steal $6.7 million from South African bank
A perfectly planned and coordinated bank robbery was executed during the first three days of the new year in Johannesburg, and left the targeted South African Postbank - part of the nation's Post Office service - with a loss of some $6.7 million.
Unfortunately, the Postbank's fraud detection system hasn't performed as it should, and the crime was discovered only after everyone returned to work after the holiday break. Apparently, it should not come as a surprise - according to a banking security expert, "the Postbank network and security systems are shocking and in desperate need of an overhaul."
The post office and the police have confirmed that the breach happened and that the National Intelligence Agency (NIA) is involved in the investigation. The bank has issued a statement saying that none of its customers' bank accounts were affected by the heist.
Posted on January 17, 2012 at 07:24 PM | Permalink
Opt-Out of online behavioral advertising
The Network Advertising Initiative Opt-Out Tool was developed for the express purpose of allowing consumers to "opt out" of the behavioral advertising delivered by NAI member companies.
The companies that provide advertising for Websites typically gather data about consumers who view their ads. Often, that data is anonymous - linked only to a numbered "cookie" on a user's computer (a cookie is a small file of data that is stored by websites on your computer through your web browser). Advertising networks collect and analyze this data to make a variety of inferences about each consumer's interests and preferences. The result is a profile that attempts to predict the individual consumer's tastes, needs, and purchasing habits. That profile enables the advertising companies' computers to make split-second decisions about how to deliver ads directly targeted to the consumer's specific interests. The Network Advertising Initiative (NAI) refers to this practice as "Online Behavioral Advertising" or "OBA."
These third-party advertising companies employ cookie and 1x1 pixel.gif (web beacon) technology to measure and improve the effectiveness of ads for their clients. To do so, these companies may use anonymous information about your visits to many websites. This information can include: date/time of banner ad shown, their cookie, and IP address among the data that is collected. This information can also be used for online preference marketing purposes. Information about your visits to such Web sites may be used to provide ads about goods and services of interest to you (or that they think are of interest to you based on your past web browsing).
Using the Opt-Out Tool, you can examine your computer to identify those member companies that have placed an advertising cookie file on your computer. To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. Alternatively, you can check the box labeled "Select All" and each member's opt-out box will be checked for you. Next click the "Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify your opt-out status.
Opting out of a network does not mean you will no longer receive online advertising. It does mean that the network from which you opted out will no longer deliver ads tailored to your Web preferences and usage patterns.
The opt-outs are specific to every browser so you must run the tool for every browser you use. The opt-outs will only remain in effect as long as the opt-out cookies it places into your browser's storage still exist. So if you get a new computer, uninstall your browser or delete all the browser cookies, you will have to run the Opt-Out Tool again.
EFF Raises Privacy Concerns About AOL Instant Messenger
The new preview version of AOL Instant Messenger raised privacy concerns for us when it was first introduced, first because it started storing more logs of communications and second, because it apparently scanned all private IMs for URLs and pre-fetched any URLs found in them. We met with AOL to discuss how these features work and why the company should take greater care with your data, and we’re happy to say that AOL is promising to make some important changes as a result, especially in response to our second concern.
However, we still recommend that AIM users do not switch to the new version, as it introduces important privacy-unfriendly features. Unfortunately, AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat.
We appreciate AOL's willingness to discuss these changes with us and we're extremely pleased to see AOL taking some steps to safeguard their users' privacy and give better notice, which only becomes more important as the company moves toward providing more cloud-based services. Nevertheless, we think there’s more AOL should do to respect its customers' privacy and to fully inform them about, and get opt-in agreement to, these significant changes.
Bottom line: Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade. As always, we recommend users stay safer online by using chat clients that are compatible with OTR.
More at eff.org
BBB Top Ten Scams of 2011
Better Business Bureau investigates thousands of scams every year, from the latest gimmicks to schemes as old as the hills. Our new Scam Source (www.bbb.org/scam) is a comprehensive resource on scam investigations from BBBs around the country, with tips from BBB, law enforcement and others. You can sign up to receive our Scam Alerts by email, and you can also be a scam detective yourself by reporting scams you’ve discovered. We’ve divided scams up into nine major categories and picked the top scam in each, plus our Scam of the Year.
Top Job Scam
BBB sees lots of secret shopper schemes, work-from-home scams, and other phony job offers, but the worst job-related scam can dash your hopes and steal your identity. Emails, websites and online applications all look very professional, and the candidate is even interviewed for the job (usually over the phone) and then receives an offer. In order to start the job, however, the candidate has to fill out a “credit report” or provide bank information for direct deposit of their “paychecks.” The online forms are nothing more than a way to capture sensitive personal data – Social Security number, bank accounts, etc. – that can easily be used for identity theft. And, of course, there is no job, either.
Top Sweepstakes and Lottery Scam
Sweepstakes and lottery scams come in all shapes and sizes, but the bottom line is almost always this: You’ve won a whole lot of money, and in order to claim it you have to send us a smaller amount of money. Oh, and keep this confidential until we’re ready to announce your big winnings. This year’s top sweepstakes scam was undoubtedly the email claiming to be from Facebook founder Mark Zuckerberg announcing that the recipient was the winner of $1 million from the popular social networking site. These kinds of scams often use celebrities or other famous names to make their offer seem more genuine. If you aren’t sure, don’t click on the link but instead go directly to the homepage of the company mentioned. If they are really giving away $1 million, there will be some kind of announcement on their website. But don’t waste too much time looking.
Top Social Media/Online Dating Scam
On the Internet, it’s easy to pretend to be someone you are not. Are you really friends with all of your “Friends” on Facebook? Do you have a lot of personal information on a dating site? With so much information about us online, a scammer can sound like they know you. There are tons of ways to use social media for scams, but one this year really stands out because it appeals to our natural curiosity…and it sounds like it’s coming from a friend. Viral videos claiming to show everything from grisly footage of Osama bin Laden’s death to the latest celebrity hijinks have shown up on social media sites, often looking as if they have been shared by a friend. When you click on the link, you are prompted to “upgrade your Flash player,” but the file you end up downloading contains a worm that logs into your social media account, sends similar messages to your friends, and searches for your personal data. The next time you see a sensational headline for the latest viral video, resist the urge to peek.
Top Home Improvement Scam
Always near the top of BBB complaint data are home improvement contractors who often leave your home worse than they found it. They usually knock on your door with a story or a deal – the roofer who can spot some missing shingles on your roof, the paver with some leftover asphalt who can give you a great deal on driveway resealing. Itinerant contractors move around, keeping a step ahead of the law…and angry consumers. The worst are those who move in after a natural disaster, taking advantage of desperate homeowners who need immediate help and may not be as suspicious as they would be under normal circumstances. A large percentage of BBB’s Accredited Businesses are home contractors who want to make sure you know they are legitimate, trustworthy and dependable. Find one at www.bbb.org/search.
Top Check Cashing Scam
Two legitimate companies – Craig’s List and Western Union – are used for an inordinate amount of scamming these days, and especially check cashing scams. Here’s how it works: Someone contacts you via a Craig’s List posting, maybe for a legitimate reason like buying your old couch or perhaps through a scam like hiring you as a secret shopper. Either way, they send you a check for more than the amount they owe you, and they ask you to deposit it into your bank account and then send them the difference via Western Union. A deposited check takes a couple of days to clear, whereas wired money is gone instantly. When the original check bounces, you are out whatever money you wired…and you’re still stuck with the old couch.
Top Phishing Scam
“Phishing” is when you receive a suspicious phone call asking for personal information or an email that puts a virus on your computer to hunt for your data. It’s almost impossible to avoid them if you have a telephone or an email account. But the most pernicious phishing scam this year disguised itself as official communication from NACHA – the National Automated Clearing House Association – which facilitates the secure transfer of billions of electronic transactions every year. The email claims one of your transactions did not go through, and it hopes you react quickly and click on the link before thinking it through. It may take you to a fake banking site “verify” you account information, or it may download malware to infiltrate your computer.
Top Identity Theft Scam
There are a million ways to steal someone’s identity. This one has gotten so prevalent that many hotels are posting warnings in their lobby. Here’s how it works: You get a call in your hotel room in the middle of the night. It’s the front desk clerk, very apologetic, saying their computer has crashed and they need to get your credit card number again, or they must have gotten the number wrong because the transaction won’t go through, and could you please read the number back so they can fix the problem? Scammers are counting on you being too sleepy to catch on that the call isn’t from the hotel at all, but from someone outside who knows the direct-dial numbers for the guest rooms. By the time morning rolls around and you are clear-headed, your credit card has been on a major shopping spree.
Top Financial Scam
In challenging economic times, many people are looking for help getting out of debt or hanging on to their home, and almost as many scammers appear to take advantage of desperate situations. Because the federal government announced or expanded several mortgage relief programs this year, all kinds of sound-alike websites have popped up to try to fool consumers into parting with their money. Some sound like a government agency, or even part of BBB or other nonprofit consumer organization. Most ask for an upfront fee to help you deal with your mortgage company or the government (services you could easily do yourself for free), and almost all leave you in more debt than when you started.
Top Sales Scam
Sales scams are as old as humanity, but the Internet has introduced a whole new way to rip people off. Penny auctions are very popular because it seems like you can get something useful - cameras, computers, etc. – for way below retail. But you pay a small fee for each bid (usually 50₵ to $1.00) and if you aren’t the winner, you lose that bid money. Winners often are not even the top bidder, just the last bidder when time runs out. Although not all penny auction sites are scams, some are being investigated as online gambling. BBB recommends you treat them the same way you would legal gambling in a casino – know exactly how the bidding works, set a limit for yourself, and be prepared to walk away before you go over that limit.
Scam of the Year
Yep, it’s us – the BBB phishing scam. Hundreds of thousands, perhaps millions, of people have gotten emails that very much look like an official notice from BBB. The subject line says something like “Complaint Against Your Business,” and the instructions tell the recipient to either click on a link or open an attachment to get the details. If the recipient does either, a malicious virus is launched on their computer…a virus that can steal banking information, passwords and other critical pieces of information needed for cyber-theft. BBB is working with security consultants and federal law enforcement to track down the source of these emails, and has already shut down dozens of hijacked websites. Anyone who has opened an attachment or clicked on a link should run a complete system scan using reputable anti-virus software. If your computer is networked with others, all machines on the network should be scanned, as well
Hacking group releases 75,000 names of Stratfor subscribers
Hackers released another batch of data on Thursday pilfered from Stratfor Global Intelligence, a widely used research and analysis company whose website was attacked last weekend. The data purports to be the names and credit-card numbers of people who have purchased research from Stratfor plus hundreds of thousands of user names and e-mail addresses used to register with the website.
The hackers, believed to be part of the Anonymous movement, described the data on Pastebin, then provided several links to websites hosting the information. They noted that some 50,000 of the e-mail addresses released end in ".mil" or ".gov." The data comprises 75,000 names, credit card numbers and MD5 hashes, or cryptographic representations, of passwords for people who have paid Stratfor for research.
The group also said the data contains 860,000 user names, e-mail addresses and MD5 hashes for passwords for anyone who has registered on Stratfor's website.
From IDG News Service
Privacy Rights Clearinghouse Launches Online Complaint Center
The Privacy Rights Clearinghouse (PRC) is proud to announce the launch of an interactive online complaint center designed to serve as a clearinghouse for consumer privacy complaints. This builds upon our 19-year history of troubleshooting consumers’ complaints and questions regarding a wide variety of information privacy issues, including background checks, debt collection, data breaches, financial information, and online data brokers. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem.
The impetus for the development of the online complaint center was the 2009 KnowPrivacy study, conducted by graduate students in the Masters program at the UC-Berkeley School of Information as well as the Law School at UC-Berkeley. The study found that consumers are concerned about data collection and want greater control over their personal information, but don't know whom to complain to. This presents a significant challenge given the important role that consumer complaints can play regarding the shaping of public policy.
The new online complaint center acts as a clearinghouse for privacy-related complaints by offering consumers a central point of contact. Complaints submitted to the PRC will be forwarded upon the consumer’s request to the appropriate governing body. Further, by acting as a magnet for privacy complaints, our goals are to:
- Empower Consumers. There are many avenues for consumers to voice complaints, but few that actually respond with personalized information. The PRC's staff will review and respond to every complaint, providing individuals with information and strategies to address their problem. We also offer individuals the opportunity to escalate the complaint to the media, public authorities, and, if appropriate, attorneys.
- Educate the Public Policy Process. As an education and advocacy organization, the PRC understands the important role consumer complaints play in fostering regulatory and legislative change. The online complaint center will enable us to identify trends and publish reports on key privacy-related issues that are of concern to individuals. By sharing this information with the Federal Trade Commission and other regulators at the state and federal level, public authorities can gain a richer understanding of the consumer privacy landscape.
The online complaint center, available at www.privacyrights.org/complaint, simplifies the complaint process into four main sections:
- Who are you? Consumers can choose to remain anonymous or provide their name and contact information. The only information we require is the consumer's email address and state so that we can properly respond to the complaint. Contact information will not be shared unless the individual chooses to share the complaint with government agencies, lawyers or the media.
- Whom/what are you complaining about? We ask the consumer to identify whom/what the complaint is about: a company or organization, a government agency or a person. If the complaint is about a company or organization, the site has an interactive “smart” feature that can auto-fill company information.
- What is your complaint? Consumers have the ability to describe their complaint in detail, attach supporting documents and add "tags" to categorize the complaint.
- Review and submit your complaint. Before submitting the complaint, consumers have an opportunity to review the entire complaint and make any necessary changes. There is also an option to print or email a copy of the complaint.
The PRC staff review all complaints and email a personalized response to the consumer within one to two business days. If the individual chooses to share the complaint with government agencies, we forward the complaint to the appropriate governing body.
The online complaint center also offers a registration feature. Those users who wish to register can login at anytime to update contact information, access previously submitted complaints, see staff responses to each complaint, and add new information to a complaint. Registration is completely optional and can be pseudonymous.
We invite you to celebrate a new year for privacy by exploring the online complaint center and sharing the site with your friends and family. Any feedback can be emailed to email@example.com.