Broker Check
February Savvy Cybersecurity Notes

February Savvy Cybersecurity Notes

February 22, 2017

In this issue:

  • “Cardless ATM” technology leads to major fraud
  • Emerging threats: Netflix and Gmail phishing attacks
  • Cybersecurity shorts: Tax refund delays, the danger of a peace-sign selfie, a WhatsApp scam, and much more  
  • Software updates

Read on to learn more about:

  • A dangerous Netflix phishing scheme
  • How your TV can get infected with ransomware
  • A flaw in medical devices
  • And much more

 “Cardless ATM” technology leads to major fraud

Kristina Markula’s Cancun vacation may have left her feeling refreshed—but a fraud left her bank account dry. Markula returned home to find nearly $3,000 missing.

According to her conversation with security expert Brian Krebs, Markula tried to log into her Chase banking app while on vacation via the hotel Wi-Fi but was denied access. Thinking it was because she was in a new location, she continued her vacation without worry.

However, when she returned home to San Francisco, Markula still could not access her account. She called Chase and was told to visit her nearest branch with two forms of ID. At the bank, the teller informed her that someone had added a new phone number to her account, changed the contact email address, and withdrew $2,900 using a new Chase ATM technology that does not require an ATM card.

These “cardless ATMs” work when customers approach a machine equipped with the technology. They open their banking app and choose the amount to withdraw. They are given a code to enter into the ATM instead of their PIN. If the code is entered correctly, money is dispensed. Customers never present an ATM card or enter a PIN.

Because the thief had added his phone number to Markula’s account, the app linked that number to her account, allowing him to take out thousands from the ATM.

Originally, she was denied reimbursement from Chase. However, after media publicity got involved, Chase acknowledged the fraud and corrected her account. Markula was just one victim of a group that took advantage of this technology. Six men from Miami, Florida were arrested for a “multi-state crime spree” that targeted these ATMs around the country.

According to Krebs, Chase is working on ways to make this technology more secure. In the meantime, make sure you have two-factor authentication set up on your online banking account. This protection will inhibit scammers from logging into your account and making changes such as adding a new mobile number. You should also sign up for text or email alerts with your bank. With this technology, you’ll be alerted anytime money leaves your account.

You can read more about this scam and Kristina Markula’s story here.

Emerging threats

Netflix users beware: New phishing scheme is after credit card information. Netflix subscribers have reported an uptick in email messages asking them to update their membership information through a fake Netflix login page. The page asks for personal information such as their name and address as well as their credit card information and Social Security number. After they enter the information, they are directed back to the real Netflix homepage. If you receive an email like this, do no click on any link but instead go to Netflix directly and check your account information.

Sophisticated Gmail phishing scam is making the rounds. The email contains what appears to be a PDF attachment that can be viewed via Google Drive. The attachment, however, is an image and when clicked leads users to a fake Google login page which asks for their username and password. After they enter that information, the hacker can log into their account and send emails to their contacts. The hackers also use similar subject lines and attachments that the "sender" has sent before so those receiving the email are not suspicious. Remember to think before you click and be sure to enable two-factor authentication on your Gmail account.


Cybersecurity shorts

Ransomware hits LG Smart TVs. Software engineer Darren Cauthon encountered this ransomware strain on Christmas Day after his wife downloaded an app to watch a movie. While watching, the movie froze, so they rebooted their TV. A ransomware notice appeared on the screen demanding $500. Cauthon contacted LG and was given the factory reset information to reset the TV without having to pay the ransom. You can learn more about the scam and directions for defeating the ransomware here.

Delays likely for 2016 tax returns, according to the IRS. A new law passed by Congress requires delays for refunds that claim earned-income tax credit or a child tax credit. This delay allows the IRS to match information on the filed tax return with employee W-2 data and was designed to decrease fraud. The first round of refunds is expected to go out on February 27.

Security flaw discovered in St. Jude Medical heart device.According to the Homeland Security Department, the implantable heart device could be controlled by a hacker. Security patches will be sent to devices with a transmitter at home over the next few months, however, researchers say the patch does not fix all of the issues. While no attack has been seen yet, users should research other options.

Hello Kitty database breach exposes over three million. Sanrio, Hello Kitty's parent company, was originally notified of the breach in December of 2015, but did not believe any data was stolen. This month, however, the database of 3.3 million users was posted online. Information includes names, birthdates, password hint questions and answers, and more.

Los Angeles Community College District (LACDD) pays $28,000 in ransomware attack. The school district was hit with a ransomware virus at the end of last month and agreed to pay the ransom after determining it would not be able to recover the data on its own. The attack shut down internet access, email, and voicemail systems until the ransom was paid.

WhatsApp scam promises free internet without Wi-Fi. Users have reported receiving messages promising free internet access if they forward the message to 13 friends. The link, however, leads to a site that offers subscriptions or third party apps. Purchasing these programs will give money to the hackers and will not get you free internet. If you receive one of these messages, delete it. 

Phishing links found on Amazon listings from merchant Sc-Elegance. These links offer deals on "used-like new" electronics. After adding the item to your cart, you will be told the item is no longer available and will be contacted by the seller directly. The link in the email will appear to lead to an Amazon payment page but is really a fake page used by the phisher to collect your information. Remember: Do not provide your information to Amazon merchants outside the website.

Autofill feature on browsers could lead to identity theft, security experts say. Hackers can take advantage of this feature by creating forms asking for information such as name and address. However, what the user doesn't know is that there are hidden fields asking for more information that the feature fills in automatically. You can learn how to turn that feature off here.

Can your peace sign selfie put your identity at risk? According to researchers, new smartphone camera technology is so good that it could potentially pick up your fingerprint in a photo taken within 3 meters. With the possible future of biometric technology—where our fingerprints are our passwords—those selfie peace signs could be dangerous.

Consider changing your Amazon Alexa's name for security reasons. Experts have voiced concern that unauthorized users in hearing distance of your Alexa could communicate with the device. As of now, Amazon only offers the "wake" words Alexa, Computer, Amazon, or Echo. You can learn how to change your device's name here.

Software updates

Adobe: Adobe released an emergency update this month fixing issues in Adobe Flash and Adobe Reader. Many of the updates are considered critical—some vulnerabilities allow hackers to install malware on a computer via drive-by download attacks. Flash users should update to version and make sure their browsers are updated as well. Adobe Reader DC users should be running 15.023.20053 or 15.006.30279. Acrobat XI and Reader X1 should be using version 11.0.19.

Apple: iPhone and iPad users must update to iOS version 10.2.1. This update closes over ten security issues—many of which are serious. The update affects iOS apps which currently allow hackers to take control of your device. Your iPhone or iPad should prompt you to update on your own but you can check for updates by going to Settings, General, Software Update or by connecting your device to your computer and updating through iTunes. Mac users should also update to the newest version of macOS Sierra, 10.12.13. Apple Watch users should be running watchOS 3.0.3 and Apple TV devices should be updated to 10.1.1.

Microsoft: Microsoft released updates closing around 15 security holes in Windows, Office, and Edge this month. As per Microsoft's new policy, all updates will need to be downloaded at once. Your device should prompt you to update and you can learn more here.