Card Skimming

Card skimming is one of the fastest growing fraud schemes. Thieves attach skimmers to ATMs, gas pumps, point-of-sale (POS) systems and other places people swipe their credit and debit cards. Once in place, this sneaky bit of electronics steals the magnetic stripe information from your card. The thieves use this information to clone your card, and once they have a clone, they can drain your bank account, or run up huge bills and trash your credit before you even know it. That’s one reason credit card companies and stores are switching to EMV cards.

Here is a good article about different types of skimmers.

https://www.komando.com/tips/278304/how-to-spot-and-avoid-credit-card-skimmers/all

Skimmers have been found all around Indiana. Below are links to some news articles where they have been found recently.

http://fox59.com/2017/06/21/credit-card-skimmers-found-at-teachers-credit-union-locations/

http://wishtv.com/2016/04/22/card-skimmer-found-in-atm-machine-in-broad-ripple/

Just recently, a skimming scheme was busted in Hancock County.

http://fox59.com/2017/06/28/credit-card-skimming-group-with-ties-to-multiple-states-arrested-in-hancock-county/

How can you detect and avoid having your credit card skimmed at the ATM or gas pump?

1. Inspect The Card Reader And The Area Near The PIN Pad

Many banks and merchants realize that skimming is on the rise and will often post a picture of what the real device is supposed to look like, so that if a skimmer is present you can see that something is attached that is not supposed to be there.

Of course, a card skimmer could put a fake picture over the real picture so this isn’t a fail-safe way to spot a skimmer.

To see what some skimmers look like, check out these examples of card skimmers so you’ll have an idea of what to look for.

Most skimming devices are designed to be temporarily affixed to the ATM or gas pump so they can be easily retrieved by the bad guys once they’ve collected a batch of cardholder data.

If you think the scanning device doesn’t look like it matches the machine’s color and style, it might be a skimmer.

2. Look At Other Nearby Gas Pumps or ATM Card Readers to See if They Match The One You Are Using.

Unless skimmers are running a large operation, they probably are only skimming at one gas pump at a time at the station you are using. Look at the pump next to yours to see if the card reader and setup look different. If they do then you might have just spotted a skimmer.

3. Trust Your Instincts. If in Doubt, Use Another Pump or ATM Somewhere Else.

Our brains are excellent at recognizing things that seem out of place. If you get a sense that something looks off about the ATM you are about to use, you might be better off using one that you feel more comfortable with.

4. Avoid Using Your PIN Number at the Gas Pump.

When you pay at the pump with your debit/credit card, you usually have the option to use it as a credit or a debit card. It’s best to choose the credit option, which allows you to avoid entering your PIN in sight of a card skimmer camera. Even if there is no card skimmer camera in sight, someone could be watching you enter your PIN and could subsequently mug you and take your card to the nearest ATM to withdraw some cash.

When you use it as a credit card, you usually only have to enter your billing ZIP code as verification, which is much safer than putting in your PIN.

5. Keep an Eye on Your Accounts

If you suspect that you might have had your card skimmed, keep an eye on your account balance and report any suspicious activity immediately.

(https://www.lifewire.com/how-to-avoid-credit-card-skimmers-2487770)

 

EMV

Everyone by now has seen or has a debit/credit card with a chip on it. These are called EMV cards; EMV stands for Europay, MasterCard and Visa. EMV is a global standard for credit cards that uses computer chips to authenticate (and secure) chip-card transactions.

Here are 2 great videos that explain what EMV is and why we have it.

How does EMV address payments fraud?
First, the EMV chip card includes a secure microprocessor chip that can store information securely and perform cryptographic processing during a payment transaction. Chip cards carry security credentials that are encoded by the card issuer at personalization. These credentials, or keys, are stored securely in the EMV card’s chip and are impervious to access by unauthorized parties. These credentials therefore help to prevent card skimming and card cloning, one of the common ways magnetic stripe cards are compromised and used for fraudulent activity.

Second, in an EMV chip transaction, the card is authenticated as being genuine, the cardholder is verified, and the transaction includes dynamic data and is authorized online or offline, according to issuer-determined risk parameters. As described above, each of these transaction security features helps to prevent fraudulent transactions.

Third, even if fraudsters are able to steal account data from chip transactions, this data cannot be used to create a fraudulent transaction in an EMV chip or magnetic stripe environment, since every EMV transaction carries dynamic data.
(https://www.securetechalliance.org/publications-emv-faq/)
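
The third point above, as an added example (not from the original page or the cited FAQ): a simplified Python model of why data copied from a chip transaction cannot be reused, while copied magnetic-stripe data can. HMAC-SHA256 and a per-card counter stand in for the real EMV cryptogram; the class names, message layout, nonces and card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _message(pan, amount_cents, nonce, atc):
    # Everything the cryptogram covers, in one fixed layout.
    return f"{pan}|{amount_cents}|{nonce}|{atc}".encode()


class ChipCard:
    """Toy chip card: the key stays inside the object, the counter only goes up."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key   # never included in any transaction message
        self._atc = 0     # transaction counter (the "dynamic data")

    def pay(self, amount_cents, nonce):
        self._atc += 1
        msg = _message(self.pan, amount_cents, nonce, self._atc)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount_cents": amount_cents,
                "nonce": nonce, "atc": self._atc, "cryptogram": tag}


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        # Personalization: the issuer loads a per-card secret into the chip.
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, tx, terminal_nonce):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        if tx["nonce"] != terminal_nonce:
            return "declined: stale terminal nonce"
        msg = _message(tx["pan"], tx["amount_cents"], tx["nonce"], tx["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "declined: counter already used"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"

    def authorize_magstripe(self, track):
        # Static data only: a byte-for-byte copy looks the same as the original.
        return "approved" if track["pan"] in self._keys else "declined: unknown card"


def demo():
    issuer = Issuer()
    card = issuer.issue_card("0000111122223333")  # constructed card number
    tx = card.pay(2500, "nonce-A")                # constructed terminal nonce
    return [
        issuer.authorize_chip(tx, "nonce-A"),                         # genuine
        issuer.authorize_chip(tx, "nonce-A"),                         # copied and replayed
        issuer.authorize_chip(dict(tx, nonce="nonce-B"), "nonce-B"),  # copy relabelled for a new purchase
        issuer.authorize_magstripe({"pan": card.pan}),                # genuine swipe
        issuer.authorize_magstripe({"pan": card.pan}),                # cloned stripe
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```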

Social Media

There are 7.34 billion people in the world and 2.3 billion of them are on social media. It is estimated that social media by 2018 will have 2.5 billion users.

So when you share items on social media, you are sharing with a lot of people. Things we share on social media are out there for everyone to see, and they are out there forever. Here is a list of things you should consider when posting to social media.

1. Why this?

Ask yourself why you’re choosing to share before posting. What is the intention behind the post? It might be to share an important idea, or it could be to make an old boyfriend jealous. Taking a brief pause and really doing some self-inquiry before posting will slow down your process, which is a great practice for being more mindful and less impulsive.

2. Who will see this?

Taking a moment to reflect on who will see your post will help you to discern whether the post is appropriate or beneficial to your social standing. You may have to consider whether your accounts are private or public, or whether it’s a business or personal profile. A post that’s intended for family will also be seen by all of your other followers, so you’ll want to be aware of this before sharing.

3. Would I want this on the front page of the New York Times?

As much as we trust the internet and social media, when you post something it’s out there. If you make the presumption that everything you post could potentially be front-page news, you can really get a sense of what you’re willing to expose. We are a sensationalized culture, and anything shared online is considered fair game. Don’t live in denial that a private account is truly private.

4. How will others feel when they see this? 

This is a great question for tapping into a moment of empathy or for being more sensitive. We often post without realizing that there are many people seeing what we’re sharing beyond the people we are holding in mind. Becoming aware of how your post will affect the broader culture may shift what you share.

5. What do I expect?

One of the most depressing moments for many social media posters is not getting a “like.” If you’re expecting people to approve or value your post, then be prepared for disappointment. Getting clear about your expectations before posting is another great way to discern between valuable posts and posts intended for improving your own self-worth.

(http://www.healthyway.com/content/5-questions-to-ask-yourself-before-posting-to-social-media)

Before you post anything online, think to yourself, would I want my boss or family to see this? If not, don’t post it. Even if you post something and delete it, that doesn’t mean that someone didn’t take a screenshot of it before you had the chance to remove it.

Below are some recommended ways to protect your password security and privacy on social media.

  • Change your password every few months.
  • Don’t use the same password on all the sites you visit.
  • Don’t use a word from the dictionary.
  • Select strong passwords, with 10 or more characters, that can’t easily be guessed.
  • Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
  • Randomly add capital letters, punctuation or symbols.
  • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
  • Never give your password to others or write it down.

  1. Sign out of your account after you use a publicly shared computer.
  2. Manage your account information and privacy settings from your Settings & Privacy
  3. Keep your antivirus software up to date.
  4. Don’t put your email address, home address, or phone number in your profile’s Summary.
  5. Only connect to people you know and trust, or those you have trustworthy common connections with.
  6. Consider turning two-step verification on for your account if available.

Wi-Fi Hotspot Tips

Do you feel as though your favorite mobile device has become an appendage of your body, leaving you uncomfortable without it? Are you constantly checking in with your online social network for the latest updates? If so, then you have undoubtedly gone to the corner coffee shop and used their free Internet. You probably went about your business, as usual, checking your emails and maybe even indulging in some online shopping.

After taking into account the average consumer’s constant Internet usage as well as the fact that people are persistently on-the-go, it is not surprising that Wi-Fi has gone from a luxury to a necessity. Whether you’re at the local coffee shop, a hotel or the airport, you expect to be able to stay connected. However, connecting on-the-go may come at a price.

A common type of attack involving public Wi-Fi is the “man-in-the-middle” attack. Here attackers create their own networks and pose as public Wi-Fi networks, intercepting all of the data flowing between unsuspecting users and the public network. Since all traffic is going through the fraudulent network device, it’s incredibly easy for the hackers to see everything, including data transmitted over encrypted HTTPS connections.

To stay safe when traveling or just down at the local coffee shop, follow these tips.

1. Verify Your Access Point: Check with personnel at the hotel, airport or other current hot spot before you log into their network; have them confirm that you are actually connecting to their access point. Hackers can set up fake Wi-Fi hotspots in public places to access your information, e-mails and passwords without your knowledge. When you’re in a public place that offers Wi-Fi you may notice multiple networks available to join. Let’s say that you’re at Panera and see “Panera” and “Free_Panera” networks and automatically think, ‘I want the free Wi-Fi’. This network may be an ad hoc spot, a Wi-Fi hotspot set up in a public place used to steal transmitted data. If you are banking online or sending work e-mails from this fake hotspot, a hacker can see and steal your information.

2. Use Up-to-Date Security Software: Security software can detect malicious code, like a virus or a worm, and prevent it from harming your computer. Make sure you have the latest version of this software protecting your private information.

3. Keep Your Firewall Turned On: A firewall helps to protect your computer from hackers. While firewall software is prepackaged on some operating systems, it may need to be purchased separately for your computer.

4. Disable Automatic Connections: Before you leave your home or office, make sure your computer is not set to automatically connect to unknown networks. Otherwise, you could be connecting to a hacker’s network and not even know it!

5. Disable File Sharing: When you are not using a trusted network, make sure your computer’s file sharing function is not turned on. Better yet, turn your computer off when you are not using it. When your computer is off, hackers cannot connect to your computer.

6. Download With Caution: Even your up-to-date anti-virus software may not protect you from some of the things you may download from the Internet. So, never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments, even from people you do know.

7. Be Aware of People Around You: When you’re using Wi-Fi in a high-traffic environment, make sure to keep an eye open for any suspicious characters in the area. If something doesn’t feel right, it’s probably not.

8. Avoid software updates while you’re traveling: If you absolutely must perform a software update, verify the update is legitimate by visiting the vendor’s website and social media platform.

9. Utilize two-factor authentication on services that support it: Two-factor authentication (2FA) requires you to log in with a username and password, as usual, but also requires that you enter a code sent to your mobile device. Two-factor authentication greatly reduces the likelihood of someone being able to impersonate you just by using your username and password. Many popular social media sites, such as Facebook, LinkedIn, and Twitter, have enabled 2FA for users. Banking institutions have also established 2FA on their sites.

10. Use Mobile Hotspot Instead: Instead of public Wi-Fi networks, you can use your mobile device as a mobile Internet hotspot. Most iPhone and Android devices have this feature built-in. Connecting your laptop to Wi-Fi through your phone or mobile device means you avoid the risks associated with public Wi-Fi. Using a mobile hotspot requires a password, so it’s impossible for anyone else to eavesdrop on your connection unless they have physical access to your phone or the password.

https://techyuga.com/beware-of-free-wifi-hackers/

https://koolspan.com/beware-of-fake-wifi-hotspots/

Mobile Security Tips

Mobile devices are a part of our life. Just imagine your day without a mobile phone. Consider that there are more than 5 billion mobile devices in use in the world among 7 billion people. People use their devices to stay in touch, take pictures, shop, bank, listen to music, and socialize. In addition, they store personal and business information on them. As the number of phones grows, security risks will increase too. Mobile security can be compromised due to design flaws, vulnerabilities, failures in any mobile applications, viruses, spyware, malware and other threats.

Here is a list of some tips on keeping your mobile devices safe. (http://www.webopedia.com/TERM/M/mobile_security_best_practices.html)

1. User Authentication
Restricting access to the device by requiring user authentication. Most mobile devices can be locked with a screen lock, password or personal identification number (PIN), but these measures are typically turned off by default. By requiring authentication before a mobile device can be accessed, the data on the device is protected in case of accidental loss or theft of the mobile device. Ensure the use of a powerful password in order to make it more difficult for a potential thief to access the device.

2. Update Your Mobile OS with Security Patches
Keep the mobile operating system and its apps up to date. Mobile operating systems like Apple’s iOS, Google’s Android platform and Microsoft’s Windows Phone provide regular updates to users that resolve security vulnerabilities and other mobile security threats, as well as provide additional security and performance options and features to users. These upgrades aren’t always updated automatically, so mobile devices users may need to turn on automatic updates or update their phones and apps manually on a regular basis.

3. Regularly Back Up Your Mobile Device
Ensure the mobile device’s data is regularly backed up. By backing up a device to another hard drive or to the cloud, the data can be restored in the event the device gets damaged or is lost or stolen. A backup utility or app that runs automatically on a specified schedule is recommended for keeping the backed-up data as current as possible.

If you have an iPhone, enable iCloud backups. https://support.apple.com/en-us/HT203977

If you have an Android phone, use the Android backup service. https://www.howtogeek.com/140376/htg-explains-what-android-data-is-backed-up-automatically/

If you have a Windows phone, here is a link on how to set up its tracking feature. https://support.microsoft.com/en-in/help/11585/windows-phone-find-a-lost-phone

5. Enable Remote Data Wipe as an Option
Ensure a remote data wipe option is available on the device in case the device is stolen or lost. Apple’s Find My iPhone app, for example, offers a remote data wiping option in addition to the ability to find the iPhone if it’s lost.

Here is a link for Apple users on how to enable it on all Apple devices. https://support.apple.com/en-us/HT205362

For Android users, here is a link to learn how to use the Google services or a third-party app. https://www.androidcentral.com/how-track-android-phone

For Windows phone users, here is the link. https://support.microsoft.com/en-US/help/11579/microsoft-account-find-lost-phone-device

6. Disable Wi-Fi and Bluetooth When Not Needed
Limit the potential for access by hackers through Wi-Fi or Bluetooth by disabling these connectivity options when not needed.

7. Don’t Fall for Phishing Schemes
Avoid potential phishing schemes and malware threats by avoiding clicking on links or opening e-mail attachments from untrusted sources, as they may be from a fraudulent source masquerading as a friend or legitimate company.

8. Avoid All Jailbreaks
Jailbreaking is the process of removing software restrictions put into place on devices that run the operating system. To remain secure, ensure that the phone remains locked down. While jailbreaking a smartphone can enable the user to run unverified or unsupported apps, many of these apps carry security vulnerabilities. In fact, many security exploits only affect jailbroken phones.

9. Add a Mobile Security App
Research and select a reputable mobile security app that extends the built-in security features of the device’s mobile operating system. Well-known third-party security vendors such as Lookout, Avast, Kaspersky, and Symantec offer mobile security apps for iOS, Android and Windows Phone.

HIPAA

HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA was legislation that was enacted in 1996. It is a set of regulations issued by the US Department of Health and Human Services to help ensure the privacy and security of individually identifiable health information.

PII is information which can be used to distinguish or trace an individual’s identity, such as their name, social security number (SSN), biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

PHI is defined as any individually identifiable health information that is explicitly linked to a particular individual and health information which can allow individual identification. PHI also includes many common identifiers such as name, address, birth date, and social security number.

HIPAA includes privacy, security and breach notification rules that protect the privacy and security of health information and provide individuals with certain rights to their health information.

The Privacy Rule, which sets national standards for when protected health information (PHI) may be used and disclosed.

The Security Rule, which specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Confidentiality (only the right people see it)
Integrity (the information is what it is supposed to be; there have been no unauthorized alterations)
Availability (the right people see it when it’s needed)

The Breach Notification Rule, which requires Urology of Indiana to notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI.

Hackers and adversaries are constantly seeking PII and PHI for the purpose of committing health insurance fraud, identity theft, and other financial crimes. As an employee, you are a target because you have access to what the cybercriminals are looking for: PII, PHI, financial, personnel, and patient medical information.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is an exploit in which the attacker spoofs the owner’s identity to defraud the company or its employees, customers or partners of money. This year there were 3 well-known businesses in Indianapolis that fell victim to this type of attack.

http://fox59.com/2017/01/31/every-scottys-brewhouse-employee-affected-by-data-breach-scammer-gets-copy-of-all-w-2-forms/
http://wishtv.com/2017/02/09/monarch-beverage-falls-victim-to-phishing-scam-employees-w-2-forms-compromised/
http://fox59.com/2017/02/20/scammers-get-w-2-forms-of-american-senior-communities-employees-in-latest-phishing-incident/

The video link below discusses BEC further. Click cancel on the error message that pops up after clicking the link.

CyberSecurity video produced by Phishme

Ransomware

Ransomware is a type of malicious software that blocks access to the victim’s data and threatens to publish or delete it until a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented extortion attack, recovering the files without the decryption key is an intractable problem. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the “WannaCry worm”, traveled automatically between computers without user interaction.

Starting from around 2012 the use of ransomware scams has grown internationally. In June 2013, security software vendor McAfee released data showing that it had collected more than double the number of samples of ransomware that quarter than it had in the same quarter of the previous year.[8] CryptoLocker was particularly successful, procuring an estimated US $3 million before it was taken down by authorities, and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.

(https://en.wikipedia.org/wiki/Ransomware)

The video link below will discuss ransomware further. Click cancel on the error message that pops up after clicking the link.

CyberSecurity video produced by Phishme

Phishing

Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

The video link below will discuss what phishing is and how to protect yourself from being a victim. Click cancel on the error message that pops up after clicking the link.

CyberSecurity video produced by Phishme

Malware

Malware is short for “malicious software.” It includes viruses and spyware that get installed on your computer or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control your online activity. Here is a video from Dell that explains what malware is.

CyberSecurity Awareness

Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Security awareness is knowledge combined with attitudes and behaviors that serve to protect our information assets. Being cybersecurity aware means you understand what the threats are and you take the right steps to prevent them.

The video link below discusses general cybersecurity awareness. Click cancel on the error message that pops up after clicking the link.

CyberSecurity video produced by Phishme