Loyalty Cards, Frequent Flyer Programs : Hacker’s Treasure

by

Recently the New York Times ran a story about the risks of loyalty programs. Loyalty programs include everything from the virtual punch card at the coffee shop to larger programs like those offered by hotels and airlines.  We tend to hear about the problems with travel-related loyalty programs like the Marriott/Starwood breach and Delta Airlines.

rebecca aldama 692345 unsplash

What’s the Risk?

Your first thought when you hear about these breaches is what about your credit card and personal information like phone number and address?  While that stuff is important, you can always change your credit card numbers.  Most of the time, you aren’t liable for unauthorized purchases from bank accounts or credit cards.

The risk of these loyalty program breaches isn’t just the points, after all, you worked hard to accumulate that free coffee or a free trip around the world.  It’s also about the details these programs can reveal to create more sophisticated hacks.

As an example right here in Lawrence, KS, when we sign up clients for internet service through AT&T, some of the security questions they get asked are:

  1. What is your favorite restaurant?
  2. Where is your favorite place to go on vacation?
  3. What is the name of your youngest sibling?

These are the same type of questions Apple and dozens of other companies ask.  I was asked the same time of questions when signing up for phone service with T-Mobile.  Even if these questions aren’t used directly by hackers, they can be used for targets attacks called spear phishing.  For example, if hackers see that I have a reservation at a hotel, they might call me and say there’s a problem with the card and I need to provide a different credit card.

I’ll admit until I read this article I had “soft” passwords for some of these programs.  I figure Starbucks doesn’t have my credit card, and who would steal a coffee from me?  Cybercrime is cybercrime so they might steal that.  Then I realized my credit card is on file with them and someone could order themselves a gift card.  Ouch.  I’m secure with my Apple iTunes account because it’s a big target for hackers and Apple protects it with things like two-factor authentication.  My Starbucks account is wide open!

What can you do to protect yourself?

First, create unique passwords for absolutely everything.  If it contains personal data, it needs to be protected.  Use a password manager or ask us about the password books we sell (or give away if you ask us nicely and mention this post!)

Second, consider enabling two-factor authentication everywhere you can.  That’s the system where they text you or call you to verify who you are.  If you aren’t sure how to do that, please ask us!

Finally, read your statements and emails.  Sure, you get tons of those, but the only way you can catch a breach is to be vigilant.  Take for example those Starbucks emails.  Those always go into my junk email because I don’t go there that often.  I always shop local for coffee, but sometimes Starbucks is all they have, especially at airports.  After reading this article, I’m now working to unsubscribe from promotional emails from loyalty programs, but make sure emails about account balance and activities don’t go into spam.  Again, if you need help setting this up for yourself, we do email management all the time for clients.

Although it doesn’t make the nightly news, your free pizza, coffee, and airline trips are the latest thing hackers are attacking.  They’re not just stealing your points, but stealing information they can use for more sophisticated attacks.

Biggest Online Security Threat is You

by

Security Stock 11081We can put the best antivirus on your computer (Malwarebytes), but ultimately they’re ineffective you work around them. It’s not just phishing attempts. There’s a whole bunch of reasons humans mess everything up.

Phishing is Getting More Sophisticated

Most of us know not to click that link pretending to be from Amazon or our local bank.  Phishing emails used to have telltale signs like broken English and generic greetings like “Dear Customer.”  Scammers have upped their game.

Last summer a massive attack used Google’s document sharing system to trick users into clicking a link.  I consider myself pretty sophisticated but I fell for it on one of my accounts.  I do product reviews and just assumed it was a press release.  I often get those through Google Docs.

The Wall Street Journal (paid article) explains the seven deadly sins of why we click that link:

  • Confidence: ‘Trust us, this is normal.’
  • Greed: ‘Get your cheap pills here!’
  • Urgency: ‘The boss says hurry up and click.’
  • Fear: ‘Your PC is infected! Click to fix’.
  • Shame: ‘Click here to see what everybody is saying about you.’
  • Lust: ‘Psst! Check out these nude celebs.’
  • Sloth: ‘Didn’t update your OS? Thanks!’”

That article talks about how major companies and politicians got snared by one of these sins. All you need is one person to make a mistake to infect a whole company

Two-Factor Authentication (2FA) isn’t Enough

We love 2FA.  That’s the system that texts you when an unknown login attempt happens and let you approve it.  Hackers use the above sings to get you to disable it.

Mashable reports on an NSA analysis of how people get tricked into turning off their protection.  All you really need is to take the typical phishing a bit further.  I know every time my system does updates my bank thinks I’m on a new system because the browser is updated.  I go ahead and put in my special code to gain access.  I could easily be tricked into giving up my second factor.

We’re Not Dumb, But Scammers are Smart

Although I’ve come close, I’ve never gotten taken in by one of these scams.  I’d chalk that up to luck rather than skill.

A few stories I read made me feel slightly better that I’m not dumb.  One refers to a New York Supreme Court Judge taken for over one million dollars. Southern Oregon University was taken for $1.9 million.

You’d think Google and Facebook are smart enough to avoid getting taken.  Nope. Both were victims of a scam that raked in $100 million.  With the combined power of these two companies and their sophisticated systems, I feel kinda helpless against it.

Cisco, a computer networking company, tried to train employees not to click links in a unique way.  It sent them phishing emails to see who would click. Sneaky, but it worked

It Doesn’t Need to Be Email

We’re all protective of our emails, but sometimes the threats come in the old-fashioned way.  This link explains how someone from Starbucks was tricked into sending money.  Scams like this rely on the seven sins mentioned earlier.  Security has to be on everyone’s mind and not just focused on how the threats come in.

How to Prevent It

The obvious first line of defense is computer security.  We can help with that. Not just antivirus, but making sure you’ve got the latest security patches.  Beyond that, you have to be extremely skeptical.  This article sums it up best:

“There’s often a misconception that everyone needs to be a security expert — but that’s not the case. Security is not everyone’s day job, but ultimately, often all users need to have a mentality of caution — they have to be mindful of what they’re doing, and be aware that their actions on corporate equipment, and can be far-reaching.”

When in doubt, don’t click the link.  Pick up the phone and call someone directly!

Photo by Hivint

Keyloggers and What You Need to Know

by

keyloggers

Last year, Lawrence was hit with it’s first reported keylogger attack at KU.  It’s a problem sweeping the country.  The problem in Lawrence is mild compared to some schools.

For example, one student changes his grades 90 times in a 21-month period along with five of his friends.  That article explains why schools are a target.

“Keyloggers are cheap, they’re easy, and the targets – schools and universities – too often have paltry budgets for equipment, software and skilled administrators.”

While I’m sure KU has upped their security since then, it just takes one mistake for a hacker to install a keylogger.  Free State and Lawrence High School should be on alert as students applying to colleges might try to do this.

With all these attacks, the patterns are the same

  1.  Someone uses a public computer to enter in grades or
  2. They fail to notice something attached to their computer

If you’re responsible for entering in people’s grades, do it on your own private computer.  If you see something unusual connected to the computer, don’t put in your password.  Instead call your IT department.  If you can’t call them, call us!

Photo by Robbert van der Steeg

Security Thwarted Through Forgetfulness

by

USB Flash Drive in the Shape of a Card Catalog Drawer

I forget where my keys or wallet is all the time.  I’ve got Tile to help me with that.  I always know where my laptop is though.  Forgetful people can ruin the best security measures.

For example, a lost USB flash drive in London caused a massive panic and Heathrow Airport.  That drive had critical security information.  Of course, the drive wasn’t password protected and encrypted (like my laptop is!)

Lost hardware is more common than you think.  For example, Washington State University lost a hard drive and had to inform over 1 million people their identity was at risk.

It’s easy to set passwords on flash drives, hard drives, laptops and desktops.  Just give us a call —  we’ll show you how.  Unless, of course, you want to be in the headlines like these people!  I guess it’s fortunate they didn’t name the people who lost the drives.

Photo by slgckgc

Computer Security For Business Owners

by

Secure Data Cyber Security If you own your own business, you’re responsible for your company’s computer security.  When there’s a breach, it’s your name in the newspaper.  We can help protect you, but ultimately it comes down to the business owner.

This blog post does an excellent job of giving bite-sized (or tweetable) tips from a non-technical perspective.  That best tip is the last one:

“Keep asking ‘What Else Can We Do?’”

Just like everything in your business, protection is an ongoing struggle.  New threats and new technologies call for new methods of protection.  We’re here to help!

Photo by perspec_photo88

Should You Get Rid of Old Accounts?

by

Old OneOnline accounts seem to pile up like mismatched socks in a drawer.  Should you delete those extra accounts?

If you’re concerned about security, I say yes.  Even if you use unique passwords everywhere as we recommend, you’re still at risk.  Hackers can use, let’s say, an old Yahoo email address to reset a password on another online account, which is then used for an account you care about.  The less information that’s out there about you, the better.

Some experts though suggest closing an account is a risk.  For example, ghacks reminds us that some providers like Microsoft and Twitter reuse old accounts.  I think those are isolated situations. The risks of hackers getting into old accounts is greater than any danger of reuse.

Photo by 2bmolar

Just Say No to KRACK

by

You’ve probably heard about this new wireless hack called KRACK.  Just what we need after all the frustrations with Equifax! Don’t panic, just be on alert.

Security Stock 11359

Our trusted friends at Malwarebytes did an excellent overview of the likely risks to the average users.  In a nutshell, when a wireless network asks for a password to connect, you assume it’s secure.  And when I mean secure, I mean virtually impenetrable.  Think deadlock along with a chain for good measure.  There’s no way someone’s going to get into your network without lots of work.

With KRACK, your wireless password is more like your standard door lock. Someone with a little skill and the right tools can open the door.

For a home user that means you need to be a little more on alert.  For someone to KRACK your wireless network, they’ll need to be within range.  The odds are you’d see someone in your driveway hacking into your network.  If you live in an apartment or otherwise close to others, they could try to hack in without your knowledge.  The odds of that happening are pretty darn low.  Brute force attacks have always been there.  Just like a door, given enough time, you’ll eventually get in.

Even if they get into your network, they’ll need to keep connected to see anything “juicy.”  Most stuff these days is encrypted along with having a password.  That’s like the safe in your house. The burglar can break into your home but then they need to break into the safe.  So much work!

Here’s what you need to do, which we suggest regardless of KRACK:

  • Keep your computer up to date with security patches.
  • Make sure your anti-virus is up to date and working.  We recommend Malwarebytes.
  • Use unique passwords everywhere.  Don’t reuse the same password on multiple sites.
  • Update your router with security updates and replace it when you can’t get updates.

The tricky part is when you’re in public. Even before KRACK, you needed to be careful.  Even if the password on the network is secure, you never know who is looking over your shoulder or recording you with their mobile phone.  When I’m at a coffee shop, I pretend that anything on my computer or mobile device is showing on every TV in the world.

These tips are what we advise all clients.  Call/Text/Email us or send us a message from the DoctorDave app if you have any questions or need help to protect your stuff.

Photo by Hivint

FOLLOW US

Testimonials

  • Matt was on time, fixed the problem, explained what he had done, asked questions about my use of the computer, and treated me respectfully even though I know so little about computers. Read More
    Janet
    Via Get Five Stars
  • Perfect, could not have been better, will call again. Read More
    Dave Evans
    via Get Five Stars
  • Our computer was getting old and giving us a lot of trouble. Dr.Dave helped us purchase a new computer directly from Dell which saved us quite a bit of money. When the new computer arrived, he installed it and added the necessary security all at a very reasonable price Read More
    Geneva Tucker
    via Google Reviews
  • Dr. Dave is always prompt, knowledgeable, and very helpful. He knows his stuff, and is a very pleasant person to talk to about your computer needs. He's fantastic! I especially recommend him for Apple/Mac owners. Read More
    Karen Roberts
    via Google Reviews
  • Very smart guys; high level of quality; efficient service. Read More
    Ron Guerin
    via Google Reviews
  • Dave and Co. are great. They have rapidly solved every problem we've presented to them, show up right on time, and are pleasant and professional. I trust them completely Read More
    Charles Higginson
    via Google Reviews
  • very dedicated to help you with computer problems, questions, or personal challenges with technology. Efficient, effective, and experienced technician. Read More
    Mary
    Get Five Stars
  • Is always very helpful. Read More
    Dan
    Get Five Stars
  • Was prompt. Listened to my questions. Solved the problems. Thanks Read More
    Sue
    Get Five Stars
  • Absolutely Outstanding. Competent and Caring. Thanks a Million. Read More
    Bernie
    Get Five Stars