Posts Tagged ‘IT security tips’

Dude, You’re Getting … Hacked

Wednesday, January 20th, 2016

Could Your Computer Make You A Target For Fraudsters?

Dell Computer Hack | Rea & Associates | Ohio CPA Firm

Learn how to keep your computer safe from this new scam.

There is a new scam making the rounds and if you have a Dell computer you could be at risk.

KnowBe4 recently published a blog informing users of the newest security issue, which has apparently left owners of Dell computers vulnerable to scammers who have been able to capture their computer’s unique tag ID (the unique sticker on your desktop or laptop) from Dell’s database.

Read Also: WARNING: Tis The Season To Practice Safe Online Shopping Habits

Fraudsters proceed to call potential victims and attempt to gain access to their personal computer by claiming that there is a problem with their computer – the stolen information is then used to establish credibility. Once the fraudster convinces their victim to grant them remote access to their desktop or laptop to “fix” the problem, the scam is complete and the security of your personal information has been compromised. In other words, your personal information (such as credit card numbers, banking information, Social Security number, contact information, etc.) is no longer personal.

Dell has said that the company is investigating the issue but, at this time, offers little to no explanation for the alleged breach. Rather, the company is quick to point customers to this October 2, 2015 post advising of tech support phone scams.

According to the KnowBe4 blog post, this scam is similar to a Microsoft tech support scam where fraudsters call PC users with a similar request – to be allowed to gain remote access to a computer to fix an alleged problem.

“End-users gullible enough to give access to their workstations (usually via remote software), are billed hundreds of dollars on their credit card but the scammers, of course, don’t fix anything – in some cases their PC’s are infected with ransomware until they pay up.”

Protect Yourself

This is a great time to educate yourself and your employees about ways to keep your company’s data, computers and other devices safe. For example, if you do get a suspicious call, refrain from providing any information to the caller. Instead, insist that you will call them back. When you do return the call, use a phone number you know to be accurate or visit the company’s website for the phone number. Never call back the number that shows up on your caller ID. Another way to determine if the number is legit is to search the number in Google. This is a fairly accurate way to determine the validity of the call.

Have you been a victim of identity theft? Read on to start recovering today.

It seems that a new scam pops up every week. Fortunately, education and a little common sense is the key to your ensuring your safety.

Would you like help putting controls in place to protect your business from becoming victimized by a opportunistic hacker? Email Rea & Associates and request to speak with a member of our IT audit team. For more tips and insight, take a look at the related articles below,

By Steve Roth, IT Director (New Philadelphia office)

Want more security tips for your business, check out these posts:

Stop Criminals From Hijacking Your Identity With These Top 5 ID Theft Prevention Posts

Then And Now: Data Security In America Since The Target Breach

Who Is That Email Really From?

Share Button

Then And Now: Data Security In America Since The Target Breach

Wednesday, December 16th, 2015
Data Breach - Ohio CPA Firm

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen.

It’s hard to remember a time when reports of data breaches, ransomware attacks and business email compromises (BEC) weren’t part of our daily lives. In fact, not so long ago we were pretty content to believe that the controls companies had in place were enough to protect us from the invisible threat of hackers and cyber criminals. But that was just a dream – and it wasn’t long before that dream manifested into a nightmarish scenario for one of the nation’s largest retailers.

Read Also: Businesses Beware: Sloppy Data Security Could Cost You

Two years ago, cyber criminals gained access to the point-of-sale systems belonging to Target. Authorities later learned that the hacker(s) gained access to about 11 GB worth of data (including highly-sensitive personal and credit card information). When the dust settled, about 70 million consumers nationwide were left vulnerable to identity theft and credit card fraud. This magnitude of this breach was huge and, as a result, companies everywhere made an effort to buckle down and implement a slew of “best practices.” But what has really changed since December 2013?

What Have We Learned From Target?

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen. But instead of becoming more vigilant about data security practices, it appears as though consumers have chosen a more desensitized reaction. These days we are content with trusting the credit card companies to notify us of any suspicious activity occurring on our account rather than implementing safer payment practices in our daily lives.

Retailers and credit card companies, on the other hand, have worked hard to make it more difficult for hackers to access their customer data. Since the breach, Target has:

  • Installed EMV compliant point-of-sale (POS) terminals in all stores to allow for transactions to be processed using a token instead of actual credit card numbers.
  • Joined two cybersecurity threat-sharing organizations in order to share and retrieve valuable information concerning data breaches and the source of those breaches.
  • Implemented more stringent firewall rules and governance procedures.
  • Constantly monitors and logs system activity.
  • Applied whitelisting technology, an administrative process that allows only preapproved applications to execute in a system, on the store’s POS systems.
  • Disabled or placed limited access on vendor accounts.
  • Deployed 2-factor authentication.
  • Established password vaults and required the use of more complex passwords.
  • Thoroughly reviewed and revised its process on how to determine which employees and contractors would have access to consumer data.

With the exception of the first two points, the measures Target has taken since its 2013 data breach are considered best practices, which means that if your business doesn’t have these security measures in place, you shouldn’t wait any longer. And, with regard to EMV technology, most businesses were expected to install and activate the new technology before Oct. 1, 2015 to avoid liability for losses resulting from fraudulent transactions.

A Moving Target

As long as there are fraudsters willing to pay for stolen names, addresses, credit card numbers and expiration dates, phone numbers, email addresses, dates of birth, Social Security numbers, etc., there will be cyber criminals looking for a way to hack into your company’s system to gain access to your consumer data or intellectual property. But if you are really serious about keeping your data safe, there are additional measures you can take.

1. Reinforce Your Firewall

Firewalls should be securely configured and continuously monitored. There are many providers that perform 24-7 firewall monitoring services to protect your company from attacks and or to alert you to signs of a possible breach. Moreover, providers are also coupling these services with the use of whitelists or blacklists, which triggers an immediate response if a potential threat is identified. Another great reinforcement for companies with experienced IT staff, would be the implementation of SIEM (Security Information and Event Management) or IDS (Intrusion Detection System) software.

2. Take Your VIP List Seriously

Not everybody should have access to your company’s domain – especially outside groups, and you should take care to review your employee and vendor access accounts routinely. The 2013 Target breach was a result of a breach that was intended for one of Target’s vendors. But, once in, the hacker was able to work his way into the Target Vendor Portal and infiltrate the Target POS systems.

3. Don’t Take Your Passwords For Granted

While doing so, be sure to verify that these credentials, in particular, require complex passwords, a limit on the number of attempts allowed before automatically disabling the account, and that they are required to be changed regularly. (Believe it or not, the most common password continues to be “123456” – proving that we are still not learning from past mistakes.)

By: Joe Welker, CISA (New Philadelphia office)

Check out these articles for more data security best practices

Malware Threat Spreads To Smart Phones

Who Is That Email Really From?

Could Your Company Be Ransomware’s Next Victim?

Share Button

Beware Of Small Business Wire Transfer Scam

Thursday, January 29th, 2015

Late last week, the Federal Bureau of Investigation (FBI) issued a wire transfer scam alert for all small businesses in the United States. According to the FBI alert, between October 2013 and December 2014 a total of 1,198 complaints from U.S.- based companies were received dealing with wire transfer scams. Losses from these incidents totaled more than $179 million. The FBI also reports that the scams can follow a Ransomware incident, and may involve a fraudster contacting a vendor and requesting a change of payment to an alternate fraudster-controlled bank account.

How To Mitigate This Type of Scam

If you’re a small business owner, you may be at risk for this kind of scam. The FBI recommends the following mitigation steps for these types of scams:

  • Keep all of your anti-virus software up-to-date.
  • Educate your workforce about security best practices.
    • Be sure that any changes to payments via electronic transfer are verified with an employee of the bank and at a phone number that you utilize for assistance.
    • Don’t use alternate phone numbers provided via email or by a bank representative contacting you.
    • Always call the institution back and verify that you are communicating with your bank.
  • Monitor all of your business’s financial transactions on a daily basis. Suspected electronic fraud must be reported in a single business work day.
  • Use two-party authorization access to complete all wire transfer transactions.
  • Utilize biometric authentication to verify the identity of authorized users.
  • Use online bank portals that require strong fraud controls to complete all wire transfer transactions.

You can find more information about the FBI’s scam alert here. This site also provides detailed samples of how the scams will be run against unsuspecting businesses.

If you have any specific questions about how this scam might impact you or if would like more information on IT security best practices, email Rea & Associates.

By Joe Welker, CISA (New Philadelphia office)

Related Articles

Could A Cyber-Attack Cripple Your Business In 2015? 

How Prepared Is Your Business For A Potential IT Disaster? 

New Form of Malware Catching Retailers Off Guard

 

Share Button