23andme…and you….and some relatives….

All that makes sense.
I wonder if approaching all three credit reporting agencies and posting (with them) all your important information is a good thing?
Seems like the credit reporting agencies, knowing that they have ALL the important information, would be a prime, consistent target for hackers?

OM

It's happened in the past, I believe to Equifax. One of the best things you can do is put a lock on your credit so that nobody can use your identity to apply for loans in your name, a common vector for theft.

You can reach out to Equifax, etc. and request they lock you down. You can call or you can usually do it from their website or if you use something like LifeLock or other identity protection tools.

Mine is always locked in all three reporting agencies. That's a good first step against unauthorized use of your credit profile.

FWIW, tools like LifeLock monitor the dark web and will alert you if your information shows up there. That's a good thing to know, IMHO and can provide you with accounts or the like that need hardening. If my email pw was up there, I'd be swapping that now and ensuring that 2FA was in place so that they couldn't gain access.
 
More good information. :thumb

BCBS (Blue Cross Blue Shield) here in Mass just had a breach. Seems that their (owned) subsidiary had :fart on their FTP (file transfer protocol) server.
A little search found some distressing numbers-

How many healthcare data breaches in 2023?
In total, the health care sector reported 480 data breaches during the first three quarters of 2023, according to the report. This represents a stark contrast to the 373 breaches recorded for the entire year of 2022, emphasizing the escalating frequency and scale of these cyberattacks.


Ugly statistics.

OM
 
Unsecured FTP servers? WTF? I work with the documents that are the most secret and important documents companies may own and we require two factor authentication on our FTP, including special SFTP accounts we set up for specific projects.

FTPs tend to live in the space called the DMZ, where there is public exposure, but usually no way to get through that and into the internal data structures. Picture it like the border with N. Korea. I see your barracks over there, but I can't get past that and it's the same on your end. You can see it, but probably can't get to it and definitely shouldn't be able to get past it if you do get to it. I'd suspect that the breach was focused on harvesting documents that were being shared with an external party and that the folks that built the FTP didn't do much to secure that specific FTP site or folder.

Leaving an FTP up after it's fulfilled its need is another vector to allow unwanted access, in my opinion, especially one of those "Here, I'll throw one up for you. Ready for the user and pw?" and they just create it on the fly, no security and then completely forget about it after the need is over.

Note that the breaches may vary considerably in terms of what has happened. It could be that someone had free range of all data structures or it could be that someone broke into an FTP and got 6 docs that were someone's lab results or something. All breaches are not equivalent in terms of damage and what needs remediation, but they are all reported. I'd probably want to see some nuance about what was revealed in the breach, the extent of the breach and what might be accomplished with the compromised records, but that's just my personal opinion.

In my experience, and I'm certainly not a data security professional, the biggest threat isn't the random break in of our data, but succumbing to a phishing attempt. It could be a spear phish, in which case they've specifically identified you and are trying to get YOUR information. Or it could be something like those "we've just charged your account for $400 for Geek Squad" or "your amazon account is on hold, please log in to settle your account and reinstate it." People fall for those ALL THE TIME. Best example: What happened in Vegas last month when the Aria and a couple other hotels got ransomware. It started with a phone call and the caller was able to get the person on the other end to let them into the environment.

So, beware of phishing spam. Beware of a "social hack" where someone calls and represents themselves as someone they aren't to get your information. Get called by your bank? Ask for employee numbers, a case number and call them back on a known good support line. If you're at the grocery store or convenience store, try to use secure pay systems like ApplePay that won't expose your credit card information like swiping will.

It's not all that hard to stay safe, but it's very easy to get taken advantage of if one isn't vigilant. Ask yourself: "Who is this asking?", "Why are they talking to me?", "How can I validate their identity?"

  • The simplest answer is to never use an email provided log in link.
  • If someone calls you "from your bank", collect a case or ref. number from the caller and call your bank directly. If they just hang up, you know you've been targeted and should be careful.
  • Don't open attachments you didn't expect and even with that, Word, PDF, Excel and other file types can have one extension on the file, but actually contain embedded macros or scripts that can plant data on your devices.
  • Do not respond to spam texts, especially unexpected requests from payment apps like Cash. Block the requestor and report them as spam immediately.

It doesn't take a lot to stay safe, but if you don't do anything, you will have a far higher risk of getting your identity swiped, while your information and data get stolen too. It will be painful and expensive to recover so it's important to evaluate any email as a potential threat if it asks you to log in, references an invoice for a charge you never incurred, as well as attachments to email or texts you didn't expect.

If you're called on the phone, from say Microsoft, know that entities like the IRS, Microsoft and Google just aren't ever going to call you and you're being actively phished. And if you ever get a call from "support" and they want to install TeamViewer or other screen sharing tools, they are trying to take control of your computer and all your data.

Usual red flags about "we need gift cards" and other weirdness ought to be inferred in my comments, as well.
 
Seems like one of the latest “hack diversions” is popping up with those QR codes. Seems like restaurants and room service menus and related are using QR codes and skipping a “printed” menu.
I know that ads on TV are asking to scan the code off the TV screen. :eek

OM
 
I agree that putting a lock on your credit is the way to go nowadays. Seems there’s too many breaches too often.

A few years ago my wife’s identity was stolen when someone lifted her driver's license out of her purse. Either happened at a morning stop at a 7-11 or they got into her office at the hospital. (She’s in the building but out of the office in patient rooms or meeting with patient families about half the day.)
My wife is a short, blonde Caucasian, and a large, African American woman used her PHOTO driver's license to get a temporary Home Depot credit card. (You think the HD cashiers were stupid or in on it? I say in on it). That person then went to three different Home Depots and at each store bought everything needed to remodel a bathroom. Tile, fixtures, etc. We only discovered this when Target called us at home that evening and asked if we were in their store opening a credit account there. We weren’t. That set off alarms. We already have a HD credit account and asked HD why they’d let someone who already had an account open another one? HD told us one person can have up to four of their credit accounts!

Well, we weren’t liable for the charges, but it took over a year to straighten everything out, and we have two copy paper boxes filled with all the correspondence she had to do to clear it up. Saying it was a nightmare would be an understatement.

This is also the season for scammers. Just the other day my wife received a text message saying they were TD bank’s fraud department asking if we were buying $275 of merchandise at a WalMart in another state. She only replied “No”, wasn’t asked for any other info, but was told she’d be contacted later by a fraud investigator. Nothing further was heard from them.
 
Seems like one of the latest “hack diversions” is popping up with those QR codes. Seems like restaurants and room service menus and related are using QR codes and skipping a “printed” menu.
I know that ads on TV are asking to scan the code off the TV screen. :eek

OM

Yeah. I think it's a case of "know your source" for that stuff. If you point it at a link that should be Macy's and it says something else in the caption under the QR code, you know what not to do. Not sure how Android devices work, but in an iOS device, it'll frame the QR code, then give you the URL. If you configure your browser to not allow you into sites without a certificate, that's also helpful.

In restaurants, you may see something like Square or Toast or something as the URL as those entities will sell a POS and e-commerce/banking package that the restaurant can set up easily. So don't be too surprised there, tons of small businesses and restaurants will use Square to set up a web presence since they're already using them for credit card billing.

But consider how these kind of hacks could occur. Someone prints some codes on Avery label stock and sticks them on the exterior of a window display with "Want to Know More?" They put up a sign at a public event that promises an agenda or site map. So you want to be careful. If I was at the county fair and the URL in my camera while scanning the QR said www.sonomacounty.gov/countfair, then I'd feel confident. If it came back with www.main.daveshackersite.com, well, that's probably a site I ought to skip and, if I want to be a good citizen, go back with a Sharpie and draw a scribble on that QR.
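The host check described in the post above, written out as an added example (not part of the original thread): it tests a URL decoded from a QR code against the domain the sign claims to belong to, including lookalike cases where the trusted name appears somewhere other than the end of the host. The `EXPECTED_DOMAINS` set and the function name are assumptions; the two sample hosts are the ones used in the post.

```python
from urllib.parse import urlsplit

# Assumption: the domain the poster or menu claims to belong to
# (sonomacounty.gov is the example host from the post above).
EXPECTED_DOMAINS = {"sonomacounty.gov"}


def check_qr_url(decoded, expected_domains=EXPECTED_DOMAINS):
    """Return (ok, reason) for a URL string decoded from a QR code."""
    text = decoded.strip()
    # QR payloads often omit the scheme ("www.example.com/path").
    if "://" not in text:
        text = "https://" + text
    try:
        parts = urlsplit(text)
    except ValueError:
        return False, "URL does not parse"
    if parts.scheme != "https":
        return False, "scheme is %r, not https" % parts.scheme
    # "https://trusted.example@other.example/" really goes to other.example.
    if parts.username or parts.password:
        return False, "text before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host in URL"
    # Non-ASCII or punycode labels can imitate a trusted name letter for letter.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "host uses non-ASCII or punycode labels"
    # The trusted domain must be the END of the host, on a label boundary.
    for domain in expected_domains:
        if host == domain or host.endswith("." + domain):
            return True, "host %s belongs to %s" % (host, domain)
    return False, "host %s is not an expected domain" % host


if __name__ == "__main__":
    # Constructed sample payloads, built from the two hosts named in the post.
    samples = [
        "www.sonomacounty.gov/countfair",
        "www.main.daveshackersite.com",
        "https://sonomacounty.gov.daveshackersite.com/fair",
        "https://www.sonomacounty.gov@daveshackersite.com/",
        "http://www.sonomacounty.gov/countfair",
    ]
    for s in samples:
        ok, reason = check_qr_url(s)
        print("%-5s %s  (%s)" % ("OK" if ok else "SKIP", s, reason))
```
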
 
It's happened in the past, I believe to Equifax. One of the best things you can do is put a lock on your credit so that nobody can use your identity to apply for loans in your name, a common vector for theft.

You can reach out to Equifax, etc. and request they lock you down. You can call or you can usually do it from their website or if you use something like LifeLock or other identity protection tools.

Mine is always locked in all three reporting agencies. That's a good first step against unauthorized use of your credit profile.

FWIW, tools like LifeLock monitor the dark web and will alert you if your information shows up there. That's a good thing to know, IMHO and can provide you with accounts or the like that need hardening. If my email pw was up there, I'd be swapping that now and ensuring that 2FA was in place so that they couldn't gain access.

Mine as well. I've had both mine and my wife's locked down for years. It's an easy process and if you need to open them, you have the option of just doing it for a specific period of time (i.e., just for a day). It's probably one of the best and simplest things you can do to protect yourself.
 