April Savvy Cybersecurity Notes

May 05, 2017

In this issue:

  • Your Email Address: The Weak Link in Your Security
  • Savvy Cybersecurity Update: FAFSA tool
  • Emerging Threat: Health Savings Account Fraud
  • Cybersecurity shorts: LinkedIn phishing emails, InterContinental hotel breach grows, hackers rob a bank via the Internet, and more
  • Software updates

Your Email Address: The Weak Link in Your Security

Take a second and think about how many times per day you enter your email address to log into an account that is not your email. How many emails do you get from retailers alerting you to a big sale? A lot.

We're quick to give away our email address to get information or deals—but is it putting our security at risk?

Yes, because every time we enter our email address into a database, we are handing a crucial window into our lives over to companies that often have questionable security practices.

According to a study done by security firm BreachAlarm, 41% of people who check their email address against a database of known hacked email accounts discover that their account has been compromised in a data breach. Mobile identity company Telesign found that two in five people have had an account hacked and a password stolen.

Our commonly used email addresses and passwords are out there for sale on the black market. When companies get hacked, your email address is exposed. And often your password is stolen along with it. But even if it's not, there's another easy way for hackers to break into your email account.

They can use the password reset feature. In many cases, you can reset a password and access an email account by correctly answering security questions. More often than not, these questions can easily be answered by information found on the Internet. For example, "Where did you go to high school?" can be discovered by a quick visit to your Facebook page or a Google search.

Anatomy of an email hack

Once thieves are in your email account, they have the keys to your digital life.

A break-in of your primary email address exposes various aspects of your life. For one, your private life is unmasked: your correspondence, names, addresses, phone numbers, appointments, messages, passwords, photos, and more are in the hands of a hacker.

Social media activity is at risk—your Facebook, Instagram, Twitter, and Pinterest accounts can all be accessed via your email.

Your medical history also becomes public. Many insurance companies send notifications via email about new claims and payments. Clicking on a link in an email from your health insurance provider can give a hacker enough information to commit medical identity theft--a rising threat.

And we're not done yet. A hacked email account can also uncover sensitive business information such as internal documents, salary records, competitive intelligence, and client notes. Any work you've done with a non-profit or in your community can be found as well.

Most dangerous: If your online bank, brokerage, or other financial accounts are linked to your personal email address, hackers now have a path to your money. Once they control your email account, they can hijack your bank account by performing a password reset and then start transferring money.

As you can see, your email account is a digital version of you. Unauthorized access gives the thief enough information to impersonate you and commit frauds that affect all areas of your life.

Keeping hackers away from your money

In order to protect your most sensitive financial accounts, you need to reduce your digital footprint by creating a secret email address. This email will only be used for your financial accounts—credit cards, brokerages, banks—reducing the chance that it will get swept up in the next data breach.

Using a secret email address for your financial accounts is a key recommendation in the book Hack-Proof Your Life Now! The New Cybersecurity Rules: Protect your email, computers, and bank accounts from hacks, malware, and identity theft.

When you create your secret email address, you do not want it to include any revealing information such as your first name, last name, initials, or birth date in your username.

You also want to choose the stronger security features to protect this account. Many email providers have begun phasing out password recovery questions because the answers can often be found by searching on the Internet. If you can, choose a recovery phone number for password reset. With this option, a code will be sent to your mobile phone and you will need to provide that code in order to complete the password reset.

Be sure to keep this secret email separate from your primary email address. Doing so will help you maintain secrecy and reduce the chances that a hacker can gain access to your finances.

Savvy Cybersecurity Update

One hundred thousand people affected by hacked FAFSA/IRS tool. Last month, news broke that a popular IRS tool was taken offline due to security issues. The tool was used by students applying for financial aid via the Free Application for Federal Student Aid (FAFSA) to access their parents' tax return information when applying for aid. Now, the IRS has stated that hackers were able to access information on 10,000 taxpayers who used the tool before it was shut down. As a result, nearly 8,000 fraudulent tax returns were paid out and another 14,000 were blocked. The removal of the tool has had a detrimental effect on students applying for financial aid.

Emerging Threat: Health Savings Account Fraud

Do you protect your Health Savings Account (HSA) like your bank account? You should.

Fraudsters are targeting these accounts as more and more people become eligible for HSAs. At the end of 2016, Devenir Research found that there were over 20 million HSA accounts holding $37 billion in assets. Gaining access gives the hacker a lucrative reward.

So how can they get into your account? The crooks scrounge the black market for something called "fullz," which are full profiles of your personally identifiable information. Scammers put together these profiles by combining information stolen through various data breaches.

This information is either sold to someone else for $80 to $100 or the hacker uses it to break into your HSA account and transfer the money out. The fraud tends to go unnoticed as many people do not regularly check their HSA balance or transaction history.

Security experts warn that this threat is on the rise. To protect yourself, treat your HSA as you do other important monetary accounts. Protect it with a strong password and check your account regularly for any suspicious activity.

Cybersecurity Shorts

Facebook introduces more secure password recovery method at F8 developer conference. The new system, called Delegated Account Recovery, gets rid of the unsafe security questions and password reset links. Instead, on apps associated with Facebook, you can prove your identity with a code sent to your phone or even by completing a Social CAPTCHA where you identify photos of your friends within a time period. GitHub has been using the technology through Facebook since January, and now Facebook has shared the code with the public.

Fake Apple support team looks to steal iCloud credentials. Apple customers have received calls from scammers asking for iCloud usernames and passwords and other personal information. The scammers are taking advantage of false claims that millions of iCloud accounts had been compromised. If you receive a call claiming to be from Apple that asks for personal information, hang up.

Hackers rob bank via the Internet. A group of cyber thieves targeted a Brazilian bank and discovered a way to get the online banking credentials of all its customers. All of the bank's online accounts were rerouted to fake web pages that appeared to be part of the bank's website. Customers were unaware of the hack and entered the username and password which the criminals then used to drain money out of their accounts.

LinkedIn phishing emails make the rounds targeting job seekers. The emails appear to come from LinkedIn and ask the recipient to upload a cover letter for a job opportunity. Clicking on the link brings them to a third-party site where they can upload the document. In reality, that information goes to a scammer.

InterContinental Hotel breach grows—affecting more than 1,000 properties. The breach, which was discovered in December 2016, was first thought to only affect 12 properties. Now the hotel chain believes that cash registers at over 1,000 locations were compromised with malware used to steal payment card data.

Dallas emergency system hacked, causing over 150 sirens to go off at midnight. Residents thought their city was under attack when all the emergency sirens went off simultaneously. In reality, hackers had gotten into the system and set the alarms off. The sirens rang for about an hour and a half before they could be shut down.

Thousands of popular Android apps discovered teaming up to gather personal data. According to experts, it is easy to detect when one app is leaking information, but it is very difficult to detect information loss when two apps are working together. Researchers at Virginia Tech found a way to uncover these apps and discovered more than 20,000 pairs that were working together to expose user information.

Tech-savvy? You're at greater risk of falling victim to identity theft. A study by IT training company CBT Nuggets found that those who are confident in their computer use are 18% more likely to become an identity theft victim. Only 3.7% of those surveyed followed all of the basic security requirements while 40% were "too lazy" or found it to be "too inconvenient." These basic security requirements include using a VPN and using unique passwords, among others.

Forty percent of U.S. adults report being more cautious with their personal email address in response to the Democratic National Committee hack that took place during the 2016 presidential election. Respondents say they think twice about the information that they share over email. However, the majority have not taken other cybersecurity steps such as using "private mode" on their browser.

Gamestop.com may be the latest data breach victim. The video game retailer is investigating a possible breach of its website that may have exposed customer payment card information along with other data. A third party notified Gamestop after discovering data being sold online. It is believed that payment card numbers, expiration dates, names, addresses, and security codes were exposed between September, 2016 and February, 2017.

The way you hold your phone may be a security hazard. Newcastle University researchers discovered that sensors on the devices can be accessed by some apps and websites. These malicious programs can download sensor data—which includes your passcode and anything typed on your device. Using this data, researchers were able to guess four-digit Android PINs correctly within five tries.

Shoney's restaurant chain suffers data breach. Over 30 locations had point-of-sale equipment infected with malware beginning in December of 2016. Payment card numbers, cardholder names, expiration date, and security codes were exposed in the breach. You can see a list of affected restaurants here.

Software Updates

Adobe: This month Adobe released an update for Adobe Flash closing seven security holes. If you use Flash, be sure to update to version 25.0.0.148 and update your browsers as well. If you do not use Flash on a regular basis, it may be worth uninstalling the program as it is notoriously buggy. You can learn more about the update here.

Adobe also issued updates for Photoshop, Adobe Reader, and Acrobat packages that close nearly 50 vulnerabilities. You can learn more and access the update here.

Apple: iPhone and iPad users should be running iOS 10.3.1, an update released just a few days after the release of 10.3. The newest update closes a vulnerability that would allow hackers to access your phone via Wi-Fi. You can learn more about the update here.

Microsoft: Microsoft released patches this month closing nearly 50 different security vulnerabilities. These updates affect Internet Explorer, Microsoft Edge, Windows Office, Visual Studio, and more. Some of the security issues, including holes in Microsoft Word, are already being exploited so you must update immediately. Microsoft should prompt you to update automatically but you can learn more here.

If you are still using Windows Vista, be sure to update to a new operating system before the end of April. This is the last month Microsoft will be supporting the now ten-year-old operating system.