Loyalty Cards, Frequent Flyer Programs : Hacker’s Treasure

by

Recently the New York Times ran a story about the risks of loyalty programs. Loyalty programs include everything from the virtual punch card at the coffee shop to larger programs like those offered by hotels and airlines.  We tend to hear about the problems with travel-related loyalty programs like the Marriott/Starwood breach and Delta Airlines.

rebecca aldama 692345 unsplash

What’s the Risk?

Your first thought when you hear about these breaches is what about your credit card and personal information like phone number and address?  While that stuff is important, you can always change your credit card numbers.  Most of the time, you aren’t liable for unauthorized purchases from bank accounts or credit cards.

The risk of these loyalty program breaches isn’t just the points, after all, you worked hard to accumulate that free coffee or a free trip around the world.  It’s also about the details these programs can reveal to create more sophisticated hacks.

As an example right here in Lawrence, KS, when we sign up clients for internet service through AT&T, some of the security questions they get asked are:

  1. What is your favorite restaurant?
  2. Where is your favorite place to go on vacation?
  3. What is the name of your youngest sibling?

These are the same type of questions Apple and dozens of other companies ask.  I was asked the same time of questions when signing up for phone service with T-Mobile.  Even if these questions aren’t used directly by hackers, they can be used for targets attacks called spear phishing.  For example, if hackers see that I have a reservation at a hotel, they might call me and say there’s a problem with the card and I need to provide a different credit card.

I’ll admit until I read this article I had “soft” passwords for some of these programs.  I figure Starbucks doesn’t have my credit card, and who would steal a coffee from me?  Cybercrime is cybercrime so they might steal that.  Then I realized my credit card is on file with them and someone could order themselves a gift card.  Ouch.  I’m secure with my Apple iTunes account because it’s a big target for hackers and Apple protects it with things like two-factor authentication.  My Starbucks account is wide open!

What can you do to protect yourself?

First, create unique passwords for absolutely everything.  If it contains personal data, it needs to be protected.  Use a password manager or ask us about the password books we sell (or give away if you ask us nicely and mention this post!)

Second, consider enabling two-factor authentication everywhere you can.  That’s the system where they text you or call you to verify who you are.  If you aren’t sure how to do that, please ask us!

Finally, read your statements and emails.  Sure, you get tons of those, but the only way you can catch a breach is to be vigilant.  Take for example those Starbucks emails.  Those always go into my junk email because I don’t go there that often.  I always shop local for coffee, but sometimes Starbucks is all they have, especially at airports.  After reading this article, I’m now working to unsubscribe from promotional emails from loyalty programs, but make sure emails about account balance and activities don’t go into spam.  Again, if you need help setting this up for yourself, we do email management all the time for clients.

Although it doesn’t make the nightly news, your free pizza, coffee, and airline trips are the latest thing hackers are attacking.  They’re not just stealing your points, but stealing information they can use for more sophisticated attacks.

Ignore That Email: Nobody is Spying On You

by

We posted this on Facebook a few weeks ago, but it’s worth mentioning here again.  An email has been going around the past few months. It takes some different forms but generally follows the same pattern:

  1.  Someone “hacked” you and has your password
  2. They’ve been monitoring you
  3. They’ll send your information to all your contacts
  4. To prevent this send them bitcoin

I even got that email.  I gotta say when you see your password in an email right there it’s scary.

All Mailboxes Found 18 matches for search 2018 11 18 14 46 36

All Mailboxes Found 18 matches for search 2018 11 18 14 47 21

“Subject:  dave@calldrdave.com has password (my password). Password must be changed

Hello!

I’m a programmer who cracked your email account and device about half year ago.

You entered a password on one of the insecure site you visited, and I catched it.

Your password from dave@calldrdave.com on moment of crack: (my password)

Of course you can will change your password, or already made it.”

As well as

“Subject:  dave – (my password)

It seems that, (mypassword), is your password. You may not know me and you are probably wondering why you are getting this e-mail, right?

actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.

How Did They Get Your Password?

It seems like every day I listen to the news, I hear about another hack. From Applebee’s to Yahoo, there’s a company for every letter of the alphabet that’s been breached. A hacker stole your password from one of these companies.  If you use your password more than one place, that’s how they got it.

Fortunately, I use a password manager called 1Password.  Although I avoid reusing passwords for important stuff, I’ll be lazy and do it for some websites.  In my case, I could trace it to Angie’s List.  I had to sign up for my business and I didn’t’ think I’d use it much.  That’s why I used a throw-away password.

What Can You Do to Prevent This?

You can’t prevent someone from hacking another system.  I mean when Equifax gets hacked, that just shows you how vulnerable we all are.  The best you can do is mitigate the damage.

Stop Reusing Passwords

I get it. Passwords are hard to keep track off.  As I said, I use 1Password.  We can help you set that up.  We also have a more manual option:  A password book.  We sell these for $7.50, although you can get one free by joining our Wellness Program.  That lets you use a unique password and keep track of them.

Get a Reliable Antivirus

If you’re on a Mac, you probably don’t have an antivirus.  If you’re on a PC you might be using the free one that comes with Windows.

We used to take the approach good enough is, well, good enough. If you haven’t had any problems with your computer, stick with what you got.  With so many threats out there, we’re finding basic protection isn’t enough.  A professional paid antivirus provides not just added security but peace of mind.  We recommend Malwarebytes.  Fortunately, we’re able to sell it at a discount.  Normally it’s $40, but we can sell it for $35 to existing clients.

When you get an email like this, just run a scan to get that peace of mind.

Don’t Pay Scammers/Let Them Keep the Money

We deal with tech support scams all the time.  Some clients are so embarrassed they decide to let the criminals keep the money. These criminals then use the money to attack other victims.  If we cut off the stream of money and don’t make this profitable, they’ll stop doing it.  Okay maybe not stop, but at least make them work harder!

As a reminder, clients who are part of our wellness program get unlimited phone and email support for questions like these.  When they get any suspicious emails, they just call us rather than give money to a scammer.

Full text of the emails:

“It seems that, (my password), is your password. You may not know me and you are probably wondering why you are getting this e-mail, right?

actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.

What did I do?

I backuped phone. All photo, video and contacts.

I created a double-screen video. 1st part shows the video you were watching (you’ve got a good taste haha . . .), and 2nd part shows the recording of your web cam.

Exactly what should you do?

Well, in my opinion, $500 is a fair price for our little secret. You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

BTC Address:

(It is cAsE sensitive, so  copy and paste it)

Important:

You have one day in order to make a payment. (I’ve a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment – I’ll destroy the video immediately. If you need evidence, reply with “Yes!” and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don’t waste my personal time and yours by responding to this message.”

And

“Hello!

I’m a programmer who cracked your email account and device about half year ago.

You entered a password on one of the insecure site you visited, and I catched it.

Your password from dave@calldrdave.com on moment of crack: (mypassword)

Of course you can will change your password, or already made it.

But it doesn’t matter, my rat software update it every time.

Please don’t try to contact me or find me, it is impossible, since I sent you an email from your email account.

Through your e-mail, I uploaded malicious code to your Operation System.

I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.

Also I installed a rat software on your device and long tome spying for you.

You are not my only victim, I usually lock devices and ask for a ransom.

But I was struck by the sites of intimate content that you very often visit.

I am in shock of your reach fantasies! Wow! I’ve never seen anything like this!

I did not even know that SUCH content could be so exciting!

So, when you had fun on intime sites (you know what I mean!)

I made screenshot with using my program from your camera of yours device.

After that, I jointed them to the content of the currently viewed site.

Will be funny when I send these photos to your contacts! And if your relatives see it?

BUT I’m sure you don’t want it. I definitely would not want to …

I will not do this if you pay me a little amount.

I think $855 is a nice price for it!

I accept only Bitcoins.

My BTC wallet:

If you have difficulty with this – Ask Google “how to make a payment on a bitcoin wallet”. It’s easy.

After receiving the above amount, all your data will be immediately removed automatically.

My virus will also will be destroy itself from your operating system.

My Trojan have auto alert, after this email is looked, I will be know it!

You have 2 days (48 hours) for make a payment.

If this does not happen – all your contacts will get crazy shots with your dirty life!

And so that you do not obstruct me, your device will be locked (also after 48 hours)

Do not take this frivolously! This is the last warning!

Various security services or antiviruses won’t help you for sure (I have already collected all your data).

Here are the recommendations of a professional:

Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!

I hope you will be prudent.

Bye.

Has Your Password Been Stolen?

by

Authenticity required passwordWith all the recent and continuing breaches, one thing we learned is you can’t rely on a company to tell you.  Breaches are reported months and sometimes years later.

If you’d like to check if yours was stolen, the website “Have I been pwned” helps.  All you do is put in your username or email address (no passwords!)  It then tells you what hacks you’ve been a victim of.  I was only the victim of seven on one email address.  I consider that lucky.

Fortunately, I use a password manager.  All those passwords on those sites were unique, so I was safe.  We help clients all the time setup password managers.  It’s easy and saves you time and hassle.  All you do is remember the password to your password manager and it takes care of everything else.

Photo by liako

Beware of Browsers That Fill Stuff In

by

A few years back, companies realized we often fill out the same things over again on webforms.  They thought “Hey, why don’t we keep track of that stuff for you?”  That idea was great, but hackers have exploited it.

Keys on Keyboard

As this article points out,  hackers have taken advantage of the idea.  They can trick Safari and Google Chrome into releasing confidential information.  Ouch.  We stopped recommending auto-fill years ago.

Instead, we recommend a password manager like LastPass or 1Password. These are less susceptible to hackers.  They’ll track your passwords for you, which is nice instead of using the same password on multiple websites. They’ll also create new passwords when needed, so no trying some variant of your old one.  Best of all, they’ll fill in your contact information on a website.  I love that feature.  You can even set up those fill-ins for multiple people.  One for you, and one for your significant other.

Here’s a little tip I use when filling out paper forms (like at the doctor’s office).  I keep a few pre-addressed mailing labels with me.  When filling out forms, I just put the sticker on the name/address field.  Saves me some time, especially since I have horrible handwriting.

Photo by IntelFreePress

FOLLOW US

Testimonials

  • Matt was on time, fixed the problem, explained what he had done, asked questions about my use of the computer, and treated me respectfully even though I know so little about computers. Read More
    Janet
    Via Get Five Stars
  • Perfect, could not have been better, will call again. Read More
    Dave Evans
    via Get Five Stars
  • Our computer was getting old and giving us a lot of trouble. Dr.Dave helped us purchase a new computer directly from Dell which saved us quite a bit of money. When the new computer arrived, he installed it and added the necessary security all at a very reasonable price Read More
    Geneva Tucker
    via Google Reviews
  • Dr. Dave is always prompt, knowledgeable, and very helpful. He knows his stuff, and is a very pleasant person to talk to about your computer needs. He's fantastic! I especially recommend him for Apple/Mac owners. Read More
    Karen Roberts
    via Google Reviews
  • Very smart guys; high level of quality; efficient service. Read More
    Ron Guerin
    via Google Reviews
  • Dave and Co. are great. They have rapidly solved every problem we've presented to them, show up right on time, and are pleasant and professional. I trust them completely Read More
    Charles Higginson
    via Google Reviews
  • very dedicated to help you with computer problems, questions, or personal challenges with technology. Efficient, effective, and experienced technician. Read More
    Mary
    Get Five Stars
  • Is always very helpful. Read More
    Dan
    Get Five Stars
  • Was prompt. Listened to my questions. Solved the problems. Thanks Read More
    Sue
    Get Five Stars
  • Absolutely Outstanding. Competent and Caring. Thanks a Million. Read More
    Bernie
    Get Five Stars