Broker Check
June Savvy Cybersecurity Notes

June Savvy Cybersecurity Notes

August 02, 2017

In this issue:

  • Three moves to hack-proof your finances
  • Emerging threat: Global ransomware attack, Fireball malware, and North Korean threat
  • Savvy Cybersecurity quick links
  • Cybersecurity shorts: Internet-of-things danger, Kmart breach, cybersecurity threats faced by HNW investors, and more
  • Software updates

If you have some extra time on your hands this summer, consider doing an audit of your cybersecurity practices. A good place to start is by taking our quiz online at

See where you score and then plan to take action to better your security. You can start by hack-proofing your finances with our tips below.

Read on to learn more about that and:

  • A data breach affecting 200 million Americans
  • The amount of time it takes for a company to discover a breach
  • And more

Three moves to hack-proof your finances

Back in 2013, 40 million Target shoppers were notified that their payment card information was stolen by hackers in one of the most infamous data breaches ever. The following year, 50 million Home Depot shoppers received the same alert. Last year, there were 980 reported data breaches exposing over 35 million personal records—many including payment card information and Social Security numbers.

It's likely that your information was exposed in one of these many breaches. But not all is lost. Adopt these three Hack-Proof resolutions to keep your money and credit safe.

  1. Create a Secret Email Address for Your Financial Accounts

Our personal email addresses have become a key to our lives on the Internet. We enter them into countless databases when we sign up for newsletters, create new accounts, and order items online. We don't think twice about it.

But if we use that same email address for our online banking and credit card accounts, we're putting our finances in danger. If one of those various databases is hacked we're essentially handing half of our financial account credentials over to the hackers.

Make the hackers' job harder by creating a "financial-only" email address that you use just for your online financial accounts. This secret email should not reveal anything about you. Make your username (the part before the @ sign) something generic that does not reference your name, initials, or other identifying information. Of course, create a strong password and use two-step verification on your account.

  1. Set Text or Email Alerts for Bank Accounts and Credit Cards

What if you could know exactly when money was leaving your accounts like the banks and credit card companies do?  You could catch fraud as it is happening and limit your losses.

You can do this, actually. The majority of major banks and credit cards allow you to sign up for text or email alerts that are sent to you anytime money leaves your account or a charge is pushed through. If you receive an alert for a purchase or withdrawal that you did not make, you know right away to contact your financial institution and alert them of the fraud.

To enable these instant alerts on your account, log in or create an online account at your bank and credit card companies. If you have trouble finding the alert settings on your account, contact your institution's customer service for assistance.

Often, you determine the dollar amount that triggers an alert. For example, you can choose to get notified only for charges that exceed $200. It's best, however, to set that dollar amount as low as possible. Thieves commonly test accounts with small purchases and the sooner you catch them, the less damage they can do.

  1. Put a Security Freeze on Your Credit Files

One of the best ways to protect your credit and finances is by freezing your credit file. By default, our credit files at the big three credit bureaus—Experian, Equifax, and TransUnion—are set to open. That makes it easier for you to obtain new credit, but it also leaves a dangerous hole in your security.

A credit freeze, also known as a security freeze, closes that hole by locking your credit file with a PIN that only you know. In order to apply for new credit or access your credit file, the freeze needs to be lifted with that PIN. This is more secure than the credit monitoring that most companies offer after a breach. Credit monitoring will simply alert you after credit has been opened in your name—you still have to clean up the mess. A credit freeze stops that from happening.

To freeze your credit, you need to contact all three of the credit bureaus—Experian, Equifax, and TransUnion. The price of a credit freeze varies per state but is usually around $10. Freezing your credit at all three bureaus will cost $30. This fee is waived for proven identity theft victims and more states are beginning to offer the service to everyone for free.

These three actions should take you less than an hour to complete and will significantly improve your financial defense against the scams, hacks, and frauds that plague us all. Even if your financial data is swept up in the next data breach, your accounts will be protected.

Emerging Threats

Second wave of WannaCry? Global cyberattack hits dozens of firms. Yesterday, reports of a ransomware attack similar to WannaCry made news. By early morning, Ukraine had been hit hard by the attack. The state power distributor, an airport, the central bank, two postal services, and the metro system were affected. In addition, Britain’s advertising agency WPP was hit as well as Russian oil producer Rosneft and Danish. The malware, Petya, infects computers through a Microsoft exploit. To protect your devices be sure your software is up-to-date and that you have installed the MS17-010 patch.

Fireball malware has infected millions of computers worldwide. Researchers at security firm CheckPoint say that one in five corporate networks are suffering from the malware—5.5 million devices in the United States. The malware originates from a digital marketing company in China called Rafotech. When a device is infected with the malware, the user’s browser and default search engine are switched to fake platforms. These platforms can track the user’s private information. The malicious code also gives Rafotech the ability to install further malware on the machines, although that has not happened yet. If you believe you are infected, restore your web browser to the default setting. 

United States Computer Emergency Readiness Team issues alert to businesses regarding North Korean cyber threats. US-CERT, along with DHS and the FBI, are urging all businesses to keep software up to date to defend against these threats, specifically Adobe Flash and Microsoft Silverlight.

Cybersecurity Shorts

Ninety-four percent of security professionals are concerned that unsecured Internet-of-things devices could lead to a catastrophic event, according to a report from the Ponemon Institute and the Shared Assessments Program.  Over three-quarters of respondents believe this attack could happen in the next two years. Even with these concerns, almost half say that their organization is not prepared to defend against such an attack and two-thirds don’t evaluate the security practices of third parties they work with.

Attention Kmart shoppers: You may be the victim of a data breach. Kmart stores are currently investigating payment systems that may have been infected with malicious software. At this time, Kmart does not believe that any information besides credit card numbers was compromised.

OneLogin password manager suffers serious data breach. The service, which allows users to store their password information in the cloud, reported that data was accessed by an unauthorized user. Among the data stolen was the decryption key that would give hackers access to users’ passwords. OneLogin has contacted those impacted by the breach, but insiders say they left out information about the stolen decryption process. At a minimum, affected users should change their master password and all other passwords stored in the system.

GOP contractor leaks data on 200 million voters.Deep Root Analytics had stored 25 terabytes of data in a password-free Amazon cloud account. The files included information such as names, addresses, RNC ID, and positions on nearly 50 different issues such as how likely they were to vote for Obama in 2012. The files were exposed between June 1 and June 14.

Thirty-eight days: The median amount of time it takes for a business to discover a security breach. A study done by Aberdeen Group and McAfee found that in half of successful data breaches, the malicious activity went on for six weeks without notice. Even more shocking, detection took up to four years for the other half of breaches. However, experts say that businesses can reduce the impact of breaches by 70% if they discover the hack early on.

High-net-worth clients face unique cybersecurity threats. For example, many HNW individuals own the latest technology, including smart home devices like security systems, smart lighting, smart heating, and more. While these devices make life more convenient, they bring security risks, as they can be hacked. Be sure your HNW clients understand that in terms of security, they need to treat these devices as they would a computer and keep the software updated always. In fact, many experts recommend cybersecurity insurance for HNW clients.

NSA document reveals details of Russia’s cyberattack in days leading up to 2016 election. News organization, The Intercept, received the documents from an NSA employee that detailed the months-long effort Russian intelligence took to compromise U.S. voting infrastructure. The document shows that over 100 election officials and a voting software supplier were hit with a spear-phishing attack which, when fully executed, could give hackers control of the system. At this point, the NSA stresses that they do not know the results of the attack, although it is clear that the attack went further than originally thought.

Nine out of ten financial and payment professionals believe that payment fraud will become an even bigger threat in the next three yearsaccording to a survey by TD Bank. Currently, more than half of respondents say that either their organization or one of their clients suffered a cybersecurity incident in the last 12 months. The most prevalent attack was business email compromise or CEO fraud. But it’s not all negative—these professionals believe that automating payments processing could offer a greater defense.

Malware used to cause power outage discovered. Two separate cybersecurity firms believe they have found the malware that was responsible for the December 2016 Ukraine power outage. They warn that this malware could possibly be used to attack other infrastructure. The firms have alerted governments and infrastructure companies of the malware, with tips on how to protect networks.

Southern Oregon University transfers $1.9 million to hackers in a business email compromise attack. A university employee received a phishing email that appeared to be from a construction company  the university had hired to build  a student recreation center and pavilion. The university wired the money, believing it was paying the company for the job--but instead the money was sent to hackers.

Girl Scouts introduce new cybersecurity badge. The organization has partnered with Palo Alto Networks to create programs for the Scouts. Younger members will learn about privacy and protecting their information online, while older members will focus on coding and becoming ethical hackers. The badges are a result of Girl Scout members asking for more computer science education.

Software Updates

Adobe: Critical patches for Adobe Flash Player and Shockwave Player were released this month. Both of these programs are notoriously buggy and are not used on many sites anymore. If you do not need these programs, we recommend removing them from your devices. If you do, be sure to keep them updated. Flash users should be running version Shockwave should be updated to

Microsoft: Microsoft released an update this month closing nearly 100 security issues. More than a quarter of the flaws are serious and would allow a hacker to control an infected device. In fact, one issue is so critical that Microsoft released a patch for Windows XP—even though they no longer support the operating system. Microsoft should alert you to update automatically but you can learn more here.