Here Come the Travel Scammers

By Robert McGarvey

As surely as we are now – in fits and starts – getting back on the road, scammers, flimflam artists, and thieves are right behind us. And now they have an edge: many of us have lost the instinct to be suspicious of what might be criminal activity.

Eighteen months ago most of us would have spotted a travel-related scam before it bit us, but now we are fresh innocents, and you can bet the hucksters are hungry for our dough.

Matters are so sinister that the Better Business Bureau has rushed out a warning headlined “BBB Scam Alert: Beware of hotel scams.”

Time for a refresher on road smarts.

Phishing.  Enormously popular with criminals today is telephone phishing (“vishing”) where, usually, the pitch is: “This is the front desk, there’s a problem with your credit card, could you give us the number again?”  Often the call comes in fairly late at night, so you may be drowsy and in PJs.  Hand over the number and expiration date and, oh, will you verify the spelling of your name?  That presents the criminal with a card that can be put to immediate use buying gift cards and other cash equivalents.  Note that a call ringing on your room phone proves nothing about who is calling: an outsider can simply phone the hotel and ask to be connected to your room.

The antidote: no matter how late at night it is, say you will be down to the front desk in a few minutes and hang up.  At this point you have three options: do nothing whatsoever and assume the call was a scam; actually go down to the desk, and don’t be surprised if the staff have no clue about any issue with your card; or call the front desk yourself, dialing the extension printed on the room phone rather than redialing the caller, and ask whether there is a question about your card.  What you never do is read a card number to someone who called you.

Food Scams.  This actually is a new one on me but it makes perfect sense.  The BBB explains how it works: “Make sure the menus left in the hotel room are authentic…. Scammers will distribute fake menus to rooms with phone numbers that connect the caller to them instead of the hotel or a real business. They will collect the caller’s credit card information over the phone, then never deliver food.”

I salute the cleverness of the criminals.  Make up a flyer, insert fake quotes (“the best pastrami in Phoenix,” Pete Wells NYTimes), and for sure calls will come in.

Word of caution: before ordering from a restaurant unknown to you, check Yelp to see whether it in fact exists, and while you are at it, skim the reviews and compare the phone number on the flyer with the one on the listing (a real restaurant’s menu with a swapped-in number is the whole trick).  I personally find Yelp of hit-or-miss utility, but it will definitely help you detect a restaurant that does not really exist, and you may even get some useful insight into the joint’s quality or lack thereof.  (Hint: there is no great pastrami in Phoenix. The nearest is Langer’s in LA.)

Fake WiFi.  Security people call them “rogue access points” or “evil twins”: WiFi networks with names like “Free + Fast WiFi” or “Your Hotel’s Best WiFi” that were set up by someone other than the venue.  A tech-savvy criminal can spend maybe $100 on a hotspot that exists mainly to watch the traffic of everyone who joins it, harvest whatever they type into a fake login page, and possibly push malware to their computers.

This is very bad and, as I said, it is also very cheap for the crook to perpetrate.  It surfaces at meetings, convention centers, airports and, definitely, hotels, especially in public areas.  How to detect it? Mostly you can’t by feel: a rogue hotspot performs like any other network, and a slow connection is no signal either way, since slow is the norm for hotel WiFi even when we pay for it.  What you can do is ask the front desk for the exact network name and whether it uses a password, then treat anything close-but-not-identical, or the same name showing up without the password, as hostile.  A rogue that copies the real name and security setting exactly is indistinguishable in a scan, which is the real argument for the advice that follows.

My advice is this: don’t use hotel WiFi or airport WiFi at all.  Ever.  I use a hotspot that I create with my phone.  (On Android, go to Settings > Network & internet > Hotspot & tethering.  iPhone has the same under Settings > Personal Hotspot.)  It takes literally seconds to create, in most cases its speed is comparable to that of a hotel network (sometimes faster), and, yeah, on many cell plans you will pay a few bucks for data in a two-hour session, but that is money well spent if it keeps you out of the clutches of these cyber criminals.  Give the hotspot a long password of its own, so it does not become someone else’s free WiFi, and if you are ever forced onto a venue network, at least run a VPN and stick to sites that load over HTTPS.
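A way to put the front-desk check into practice on a laptop, as an added example that is not from the article: the function below takes a WiFi scan (already dumped into a list of ssid/bssid/security records, the sort of thing `nmcli dev wifi list` or a phone WiFi-analyzer app shows) plus the network name and security type the front desk confirmed, and flags the three patterns an evil twin typically shows. The scan data and the network name “Grand Hotel Guest” are constructed for the example. It also shows the limit of the approach: a twin that copies the real name and security type exactly is not flagged, which is why the advice above is to bring your own hotspot.

```python
"""Heuristic rogue-access-point triage over a WiFi scan.

Added example, not the article's code.  It assumes a scan has already been
dumped into a list of dicts with ssid, bssid and security keys; the scan
below is constructed, and "Grand Hotel Guest" stands in for the network
name you would get from the front desk.
"""
import re
from typing import Dict, List

# Digits and symbols commonly swapped for letters in lookalike names.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
# Words that show up in bait SSIDs aimed at travellers.
BAIT_WORDS = ("free", "fast", "best", "hotel", "guest", "wifi")


def normalize_ssid(ssid: str) -> str:
    """Collapse case, leet digits and punctuation: "GRAND H0TEL GUEST " -> "grandhotelguest"."""
    return re.sub(r"[^a-z]", "", ssid.lower().translate(LEET_MAP))


def find_rogue_candidates(scan: List[Dict[str, str]], official_ssid: str,
                          official_security: str) -> List[Dict[str, str]]:
    """Flag access points worth refusing, given the name and security the venue confirmed.

    Three heuristics:
      * the exact official SSID advertised with a different security type
        (the classic evil twin that drops encryption so anyone can join);
      * a lookalike name differing only in case, punctuation or leet digits;
      * an open network with a bait name ("Free + Fast WiFi").
    A twin that copies the real name AND security type exactly is not caught:
    in a scan it differs only by BSSID, and a legitimate hotel network has many.
    """
    official_norm = normalize_ssid(official_ssid)
    findings = []
    for ap in scan:
        ssid, sec = ap["ssid"], ap["security"].lower()
        if ssid == official_ssid:
            if sec != official_security.lower():
                findings.append({**ap, "reason": f"official SSID advertised as {sec}, expected {official_security}"})
        elif normalize_ssid(ssid) == official_norm:
            findings.append({**ap, "reason": "lookalike of official SSID"})
        elif sec == "open" and any(w in ssid.lower() for w in BAIT_WORDS):
            findings.append({**ap, "reason": "open network with bait name"})
    return findings


# Constructed scan: two legitimate APs, four rogues, two unrelated networks.
SAMPLE_SCAN = [
    {"ssid": "Grand Hotel Guest", "bssid": "02:1a:7b:00:00:01", "security": "WPA2"},
    {"ssid": "Grand Hotel Guest", "bssid": "02:1a:7b:00:00:02", "security": "WPA2"},
    {"ssid": "Grand Hotel Guest", "bssid": "de:ad:be:ef:00:01", "security": "open"},
    {"ssid": "GRAND H0TEL GUEST", "bssid": "de:ad:be:ef:00:02", "security": "open"},
    {"ssid": "Grand Hotel Guest ", "bssid": "de:ad:be:ef:00:03", "security": "WPA2"},
    {"ssid": "Free + Fast WiFi", "bssid": "de:ad:be:ef:00:04", "security": "open"},
    {"ssid": "Grand Hotel Staff", "bssid": "02:1a:7b:00:00:03", "security": "WPA2"},
    {"ssid": "Nina's iPhone", "bssid": "8a:10:22:00:00:04", "security": "WPA2"},
]

if __name__ == "__main__":
    for f in find_rogue_candidates(SAMPLE_SCAN, "Grand Hotel Guest", "WPA2"):
        print(f"{f['bssid']}  {f['ssid']!r:22} {f['reason']}")
```

Run as a script it flags the four rogue entries and nothing else. In real use, feed it your own scan and the exact name and security type the front desk gave you, and refuse anything it flags, plus anything you cannot confirm.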

This all sounds simple? It is. But criminals also know we are out of training and no longer instantly see risks when before we would have.  

Just remember: they are out to grab your money, and if we have lost our caution we are easy prey.  Stay alert, stay safe, safe travels. 

Why Hotel Cybersecurity Is Still A Problem and It Is Getting Worse

By Robert McGarvey

For probably two decades I have covered hotel data breaches.  Everything from the Trump hotels to the Hard Rock has been breached and truth to tell I doubt that there is a single large hotel group that has never been breached.  If there is I don’t know it.

Bet on this: there will be more breaches in the hotel business and soon.  A perfect set of circumstances makes this a safe bet.  Hotel revenues were near zero for 18 months and that meant, for sure, cybersecurity spend was also near zero.  If money was getting spent it was on better ways to sanitize hotels in the pandemic in order to lure guests back.

Cyber criminals, like all predators, target the weak.

Besides, cyber insecurity is a perennial industry problem. Hoteliers resist expenditures that do not contribute to the bottom line, and the average hotelier sees cybersecurity as a cost, not as an investment that protects the bottom line.

This is why I strongly urge hotel guests never to use a debit card (legal protections against fraudulent use are weaker than with a credit card, and the money leaves your account immediately) and to use a credit card with a very low credit limit. If need be, ask a bank to issue a card with, say, a $2,000 limit, or $1,000 if you think you can navigate within that budget.  Many issuers now also offer virtual card numbers that can be locked to a single merchant; those are even better for a hotel booking.  Probably, if a credit card of yours is stolen in a hotel data breach and put to use by crooks, you will eventually be made whole.  But my advice is to minimize the damage up front by using a card with limited spending ability.

Note: you usually won’t know for many months that a credit card of yours has been scooped up in a hotel data breach.  These breaches often go undetected by the hotel for years and once discovered, hotels are reluctant to go broadly public with the info.  The massive Starwood breach – involving some 500 million consumers – was not disclosed until late 2018.

Assume any card you give a hotel is likely to be breached and behave accordingly.

By now you are probably looking for proof that in fact hotels are wretched at cybersecurity. NordPass, which makes password management software, recently looked into password sophistication across many industries and, no surprise, hospitality fared poorly.

NordPass collected its data by looking into known breaches and eyeballing the passwords that had surfaced. The researchers analyzed data from 15,603,438 breaches and broke the resulting data down into 17 industries.

Remember this: a company’s systems are only as secure as the credentials its employees use to log into them.  If employees use passwords that are easy for crooks to guess, and nothing else (a second login factor, a lockout after a handful of bad attempts) stands behind those passwords, the site’s security is nil.

Here are the top 10 most used passwords among hospitality employees, according to NordPass’s digging:

password
123456
Company name123 *
Company name*
Company name*
Hello123
Company name 1*
Company name*
company name*
company name1*

NordPass offered this explanatory gloss about the recurring company name password: “This password is a company name or a variation of it (e.g. Company name2002). We are not naming the exact company.”

Commented NordPass, “The hospitality industry had the most passwords that were the company’s name or its variation.”

That list of hospitality passwords is gravely disturbing.  Wrote TechRepublic: “Some of the weak passwords uncovered seem almost comical, but this trend has serious ramifications. Weak passwords are actually one of the leading vulnerabilities that lead to data breaches.”

Know how cybercriminals get into a company site: they point a bot at the login page, scripted to try the most common passwords against one account after another (password spraying) or to replay username and password pairs leaked in other breaches (credential stuffing).  Like what? Like, well, password, a perennial top-ten entry.  Hackers build their bots from the same public most-common-password lists, and in hospitality the employees obligingly seem to pick from those lists themselves and, astonishingly, the company systems are not programmed to reject them.
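What a login system that did reject those passwords would look like, as an added example that is not code from NordPass or any hotel group: a check that refuses the generic entries from the quoted top ten, the company name with the usual mangling (trailing digits, punctuation, leet substitutions), and common passwords with digits tacked on the end. “Grand Hotel” stands in for the unnamed company, the short blocklist is constructed for the example, and a real deployment would test candidates against a breached-password corpus such as the Have I Been Pwned range API rather than a hand-written set.

```python
"""Reject the passwords the NordPass hospitality list shows people actually use.

Added example, not NordPass code and not any hotel group's code.  The small
blocklist below is constructed from the generic entries in the article's list
plus a few well-known fillers; a production check would consult a breached-
password corpus (for example the Have I Been Pwned range API) instead.
"""
import re
import unicodedata
from typing import Dict, Iterable, Optional, Set

# Constructed blocklist: entries from the quoted top ten plus common fillers.
COMMON_PASSWORDS: Set[str] = {
    "password", "123456", "12345678", "hello123", "qwerty", "welcome1",
}

# Substitutions users make and cracking wordlists undo ("H0tel" -> "hotel").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lower-case, undo leet substitutions, keep letters only."""
    text = unicodedata.normalize("NFKD", text).lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", text)


def core_word(password: str) -> str:
    """Strip leading/trailing digit-or-symbol runs ("Hotel123!"), then normalize."""
    return normalize(re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password))


def company_name_variants(company: str) -> Set[str]:
    """Normalized company name plus its individual words, as a wordlist would hold them."""
    variants = {normalize(company)}
    variants.update(normalize(part) for part in company.split())
    return {v for v in variants if len(v) >= 4}  # drop very short words like "of", "the"


def password_rejection_reason(password: str, company: str,
                              min_length: int = 12) -> Optional[str]:
    """Return why the password must be rejected, or None if it may be used.

    1. exact match against the blocklist (case-insensitive);
    2. company name or a mangled variant: "Grand Hotel123", "H0tel-2002!"
       and "GRANDHOTEL" all reduce to the same core word;
    3. blocklist entry with digits/symbols tacked on the end ("Password2021!");
    4. minimum length, checked last so the reason stays informative.
    """
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "on common-password list"
    if core_word(password) in company_name_variants(company):
        return "company name or variant"
    if re.sub(r"[\d\W_]+$", "", lowered) in COMMON_PASSWORDS:
        return "common password with trailing digits/symbols"
    if len(password) < min_length:
        return "too short"
    return None


def audit(passwords: Iterable[str], company: str) -> Dict[str, Optional[str]]:
    """Map each candidate password to its rejection reason (None = accepted)."""
    return {pw: password_rejection_reason(pw, company) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample modelled on the article's list, with "Grand Hotel"
    # standing in for the company NordPass declined to name.
    sample = ["password", "123456", "Grand Hotel123", "H0tel-2002!",
              "Hello123", "Password2021!", "Sh0rt!", "Ma!yo#Cty908&"]
    for pw, reason in audit(sample, "Grand Hotel").items():
        print(f"{pw!r:20} -> {reason or 'accepted'}")
```

Of the eight sample passwords only the random, manager-generated one survives; every entry from the quoted top ten is refused, as are the mangled company-name forms that the plain list check would miss.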

According to NordPass, only 29% of hospitality industry employees use unique passwords (that is, a password used on no other account and found on no common-password list; in practice something like Ma!yo#Cty908&, the sort of string any decent password manager will generate and remember for you).

More than two thirds of hospitality industry employees reuse passwords across multiple accounts, which is another big no-no.  

Call this a huge fail on the part of hospitality.  

Just don’t say it is surprising, and don’t believe it will be fixed soon.

CU 2.0 Episode 158 Jack Henry Experts Talking Fraud Trends and Credit Union Vulnerabilities

by Robert McGarvey

Newsflash: ask the experts and they will tell credit union executives that a tidal wave of fraud very likely will crash into them, and soon.

Why? For the past year criminals have been kept busy attempting to cash in on the various federal and state government pandemic related relief programs such as PPP loans.  That money is drying up so they are casting their eyes in search of new targets and you just may have a bullseye on your back.

That’s why you need to hear this wide-ranging conversation with two Jack Henry fraud and financial crimes experts, Rene Perez and Nat Southern.

This is a conversation about crime trends and also about crime trends that remain largely ignored.

A big trend, for instance, is that as financial institutions, especially the big ones, have toughened their perimeter defenses, criminals have shifted focus and are eyeing credit union members for vulnerabilities – which they very often will find.

Perez says a trigger for this is that many financial institutions have simply gotten very sophisticated, often in response to prodding from regulators.

But he adds that he talks with maybe 10 small financial institutions a week that are still doing a lot of their fraud work on paper, with humans doing the reporting.

That increasingly is just not adequate, not when smart criminals enter the battle.

You will also hear a phrase – “willful blindness.” That’s a term regulators are using to describe an institution’s failure to detect fraud perpetrated by insiders or perhaps by friends or community leaders.  

This is not a technical conversation.  It is more in the nature of cops and robbers and what you need to know about the robbers who want to steal your credit union’s money.

Listen up.

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email rjmcgarvey@gmail.com

And like this podcast on whatever service you use to stream it. That matters.

CU 2.0 Podcast Episode 145 Robert Siciliano on Ransomware and Who Do You Trust?

PSCU called it a growing credit union threat.  CUNA Mutual called it one of the fastest growing malware threats. Security company Arctic Wolf has said there was a 520% increase in ransomware and phishing attacks in the banking sector between March and June 2020.  NCUA has even issued a punchlist of steps to take to protect against ransomware attacks.

Color me surprised.  I had thought ransomware – where hackers “lock” a site or a database and demand a ransom to unlock it – was a thing of the past.  Data redundancy in the cloud had eliminated the threat, I thought.

I was wrong.

Crooks are nimble and in today’s iteration of ransomware, yes, the systems still get locked – but before that happens the crook makes a point of copying key files out of the network (the trade calls it double extortion).  Backups will restore your systems; they do nothing about the copy the crooks now hold.  Tell them you won’t play ball, or simply ignore their demands, and they up the ante by posting a sample of the stolen data on publicly viewable leak sites.  Imagine if the Social Security numbers of 10,000 of your members suddenly sprout up online.  How ugly is that?

Would you pay to avoid that?

Crooks also know that increasing numbers of credit unions have what amounts to ransomware insurance coverage and they also know how much the insurers will pay.

Don’t underestimate them.  Brilliant hackers they are not necessarily – some in fact simply rent ransomware kits online (ransomware-as-a-service) – but here is what it takes to defeat them: recognizing that security is a 24/7, 365-days-a-year job, says Robert Siciliano, a longtime cybersecurity expert who works with many organizations to help them raise their defenses.

It is not paranoid to believe we are under continuing attack, insists Siciliano in this podcast.  It is just prudent.

This is not a podcast overloaded with technical jargon.  It is a podcast intended to light a fire under all of us, because we need that zeal if we intend to win, says Siciliano.

Listen up.


Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto.

The Fintech Super Highway to Startup Riches

by Robert McGarvey

Want to know the magic trick for wrapping your arms around startup wealth? One word is the superhighway to startup riches today: fintech.

What’s that? Companies that blend financial services with high tech, and this is the moment for that marriage. Banking has forever been a high-touch sector — lots of human-to-human interaction — but buckle up; the sector now is riding a tech rocket to provide better services, faster and typically at a lower cost. The pandemic is the fuel for this, as more people do much of their banking digitally. Yes, the pandemic will end, but most experts now believe the changes it has brought to financial services will persist because we have grown to plain prefer them. Why drive to an ATM to deposit a check when you can just take a photo with your phone?

Create a startup that makes our financial lives better, and it just might become a wealth machine.

Case in point: Stripe, a payments startup primarily focused on ecommerce. In mid-March, the company jumped to a $95 billion valuation and is now the “most valuable startup in the United States,” per The New York Times….

It’s worth noting that Stripe has been around since 2010, but only now has its valuation gone stratospheric. But those riches are why interest in fintechs has soared, and they come in a rainbow of shades nowadays.

Let’s take a capsule view of three different fintech startups: Nav.it, which focuses on financial health; DoubleCheck, a new toolset for lessening the damage done by an overdraft; and Breach Clarity, which scores data breaches by how truly severe they are and who is likely to be most impacted.

Continued at StartUp Savant

Do You Know Where Your Frequent Flier Miles Are? The Big, Bad SITA Breach

By Robert McGarvey

Word of warning: be sure to check and keep checking your many airline miles, at every carrier, because they just may be in the hands of cyber crooks.

Another big travel-related data breach is why.

The victim is a company called SITA and if you haven’t heard of it, join the club.  But SITA is a big data processor for many carriers and in a March 4th release it said: “SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (‘SITA PSS’) operates passenger processing systems for airlines.”

My favorite sentence in this otherwise uninformative statement is this: “This was a highly sophisticated attack.”

Trust me: you will never see a breach announcement that says, “The attack was the kind dreamed up by especially dumb 8th graders.”  Nope.  The attackers always are arch criminals and card carrying Mensa members.

Right.

But this SITA attack, the little we know about it even a month later, is ugly business especially for those of us who covet and collect airline miles.

On which carriers? Damn near all. Some 90% of the planet’s air carriers are said to use SITA.  The company handles many reservations and ticketing. 

Other than saying there was a serious “data security incident” on February 24, the company tells us bupkis. Company spokesperson Edna Ayme-Yahil told TechCrunch zip, for instance.

Travel Weekly got a little bit more info: “In a statement, SITA spokeswoman Edna Ayme-Yahil declined to say how many airlines have been impacted by the breach. The company also didn’t provide many details on the type of data compromised, but it did note that the data includes some personal data of airline customers, including frequent flyer account data.”

Ayme-Yahil also told Travel Weekly: “Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories.”

That mum’s-the-word posture is the norm in breaches, but it is maddeningly unhelpful to possible victims, who have no idea what was stolen, whether the theft in fact involves their data, and what, if anything, they should do about it.

But various SITA customers – among them: United and American airlines – have been sounding alarms with a particular focus on loyalty programs.

United specifically said some customer Star Alliance data was affected, but it stressed that MileagePlus data were not touched.

American said it did not use SITA, but some frequent flier data passed through the system so that loyalty points earned on other carriers could be credited.

Lufthansa, meantime, said 1.35 million Miles and More members were impacted.

Singapore Air has said the breach may have affected as many as 580,000 people in its loyalty programs.

Even FinnAir says 200,000 of its loyalty members were impacted.

Skift summed up the carnage: “More than two million travelers enrolled in the frequent flier programs of at least ten airlines had some of their data hacked, according to messages they received recently from the carriers.”

That’s a punch in the face.

Even worse is that we don’t really know what data was lifted.

The still worse news is that it is on you to protect yourself, and we simply must proceed as though the hackers got away with our account numbers and login info – precisely what they would need to steal the miles and sell them on the dark web or convert them into easily sold goods (iPhones are extraordinarily popular).  Practically, that means changing the password on every loyalty account, never sharing one password across programs, turning on whatever two-factor login the carrier offers, and checking each account’s activity history for redemptions you did not make.  

The worst news is that, sigh, there is nothing different now: our loyalty programs are and have been easy pickings for criminals.  I wrote about an American breach in 2015, ditto a United breach.  I could have written the same story many more times but why bother when there is nothing new to say?

I wrote about the SITA breach – after waiting almost a month in the vain hope for more info – simply because of its breadth (just about every carrier you and I use is involved), which is inversely proportional to how much we know about it, which is a teaspoonful of worrisome uncertainties.

Protect yourself; don’t trust the carriers.  That is the bottom line.

With Clarity Against ID Theft: New Assessment Tool Aims to Limit Post-Breach Damage

by Robert McGarvey

Breach Clarity, a startup headed up by onetime Javelin Strategy + Research co-founder Jim Van Dyke, could help cybersecurity journalists, bloggers, and PR professionals write more clearly about data breaches.

Breaches are commonplace. There are four significant ones per day, says Van Dyke.

They often affect financial information, such as bank account or credit card data, protected health records, personally identifiable information (PII), or intellectual property.

In 2020, the total number of records exposed in reported breaches exceeded 37 billion, a 141% increase over 2019. That number does not yet include 2020 breaches that were only reported in Q1 2021.

But what does that mean for individual consumers and their personal data in each case? “The biggest challenge breach victims face,” says Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center (ITRC), “is understanding the risks associated with a particular breach, and what steps they should take next.”

Data breach press releases from lawyers, for lawyers

Ask any cybersecurity journalist what they do not like about data breach press releases of, say, financial services firms or health care providers, and the answer is: everything.

Continued at Cybersecurity Writers blog

Stop Blaming the Victims of Identity Theft

by Robert McGarvey

The recent Harris Poll numbers are a splash of icy water on our faces: three in five Americans believe identity theft will likely cause them financial loss in the next year.

That is a finding of a poll done for the American Institute of CPAs.

That number is up from the 50% who in 2018 said they feared a likely loss due to identity theft.

Partly, the jump seems to be pandemic related—there just are a lot more online scams in the internet ether—and partly, too, it’s because all of us are shopping online much more than we had, also because of the pandemic.

Immediately, too, blaming fingers are pointed at consumers. How dumb are we? How do we let this happen?

Continued at CU2.0

Breach Clarity Wants to Rewrite How Organizations Talk about Their Breaches

By Robert McGarvey

Breach Clarity, a startup from onetime Javelin Strategy + Research co-founder Jim Van Dyke, is about to change how organizations talk about their data breaches – with a loud emphasis on increased transparency, reduced opacity.

Breaches are commonplace. There are four significant ones daily, says Van Dyke. But that does not mean the public knows much about them. Ask any cybersecurity journalist what they do not like about organizational breach press releases and the short answer is everything. That is because opacity – saying as little as possible and offering few details – is the operating philosophy. 

One fact: confused and frightened consumers want more facts about breaches and how they are impacted.

Scoring the Severity of a Breach

Enter Breach Clarity, which aims to do three things that are game changing: it scores a breach on its severity, from 1 to 10; it tells individuals what they need to do to protect themselves if caught up in a specific breach; and it will soon offer a score of an individual’s risk of being a fraud victim, ranging from 1 to 100.

As for the action items Breach Clarity suggests, they will be specific to a particular breach and to an individual. Some breaches set up some individuals for IRS fraud, for instance. Others set up some individuals for new account fraud. Still others often will lead to attempts at account takeovers.  There is no cookie cutter advice. Customization and personalization are what Breach Clarity aims to deliver.

A fourth thing may be even more game changing: Van Dyke, whose Javelin claimed many mega banks as clients, is marketing Breach Clarity as a value add for credit unions to offer to their members.  He already claims one customer – BCU (formerly Baxter Credit Union), the nation’s 56th largest with around $4 billion in assets.  

According to Van Dyke, although BCU is offering Breach Clarity as a free tool to members, it nonetheless forecasts a 5X ROI.  How? Reduced fraud losses – financial institutions, says Van Dyke, absorb the bulk of the losses due to data breaches and the hope is that an informed membership will be better able to take steps early to minimize fraud.  

Van Dyke also says there will be a reduction in member calls for help to call centers – and financial institutions relate that after heavily reported breaches they are swamped with SOS calls.  Fewer calls mean lower costs.

Phase 2 of Breach Clarity’s marketing plan is to expand the focus to national and large regional banks.

Consumers Want This Help

Van Dyke also says that consumer research done by Breach Clarity found a surprisingly robust appetite for such tools among Gen Z and Millennials.  Interest is also high – and expected – among Baby Boomers.

Where does Breach Clarity get its breach data? Via the non profit Identity Theft Resource Center, says Van Dyke, who sits on the ITRC board.

Eva Velasquez, CEO of ITRC, said: “The ITRC is honored to partner with Breach Clarity and provide more meaningful information to consumers and data breach victims.  The biggest challenge breach victims face is understanding the risks associated with a particular breach, and what steps they should take next.  Breach Clarity, powered by the ITRC’s data breach data, addresses this challenge by providing an intuitive risk score accompanied by essential action steps.  We are proud to be a part of a no-cost solution that brings much needed clarity to the victims of data breaches.”

The analytics that score breaches on severity and generate custom corrective steps are the product of Breach Clarity’s own algorithms.

Three Steps That Must Be Taken

Here are three steps every organization that suffers a breach needs to take to prepare for demands for more transparency and clarity about breaches:

*Ditch the opacity in breach related press releases.  Aim for more transparency, especially around what data was stolen, over what timeframe. 

*Breached organizations need to use cybersecurity writers to polish releases.  By all means, involve lawyers and cybersecurity technicians, but writers specialize in the communication skills that will add much-needed transparency.

*Be transparent about the cybersecurity steps that the organization has taken.  Don’t give cyber crooks a road map but do disclose to the public information that will help restore confidence.

###

Hear a half-hour podcast with Jim Van Dyke here.  

CU2.0 Podcast Episode 134 Jim Van Dyke Breach Clarity

by Robert McGarvey

Every day there are four data breaches. And every year literally billions of dollars are lost in various frauds fed by the data stolen in breaches.  Who pays the bulk of that loss? Financial institutions, says Jim Van Dyke, founder of Breach Clarity, an innovative company that wants to shed a bright light on the breaches themselves and on what any given breach means for a particular consumer.

Generally there’s enormous opacity around breaches. Most organizations are slow to divulge details – and that makes it difficult for a consumer to decide on an appropriate action plan.

Breach Clarity aims to shine a spotlight on the breaches but also to tell consumers what steps they need to take to protect themselves.

Note: this is not a LifeLock type company.  Breach Clarity is about research and personalized prescriptions that in many cases the consumer will take him- or herself, often in association with a participating financial institution.

Key to Breach Clarity is that its business plan involves signing up financial institutions, which in turn will offer the service to their customers and members.  It is not a direct-to-consumer play.

Another key: for now Breach Clarity’s focus is on signing up credit unions in particular.  The member focus, says Van Dyke, makes Breach Clarity a tool that credit unions will want to offer members.

And a benefit is that Breach Clarity may well reduce a credit union’s fraud losses and also call center costs associated with breached members.

The first Breach Clarity customer is BCU (nee Baxter Credit Union).   Check out a recent CUBroadcast show featuring Van Dyke and BCU’s Carey Price.  

BCU forecasts its ROI on Breach Clarity will be 5x.

By the way, if Van Dyke’s name seems familiar it is because it should be. He was a co-founder of Javelin, a strategy and research firm focused on financial services.  In a spot check, I found I cited Javelin research and opinions 61 times when I wrote for CUTimes.  That’s a lot.

Check the Breach Clarity database for credit unions and there are 39 breaches. Is your FI on the list?

Don’t be lulled by that small number, Van Dyke warns.  Few credit unions are breached – but they still are where much fraud shows up, using data stolen in other breaches.

Listen up.
