Checklist 132: Soup, Salad, and a Security Breach
Do you eat at restaurants? Do you use a phone? Do you even, dare we ask… go shopping? Then boy, do we have an episode for you this week! These might sound like mundane questions, but with this week’s stories, we’ll see that sometimes that’s all you need to do to end up exposed to threats against your security and privacy. That’s not to frighten you, though — after all, knowledge is the best defense against these threats. We’re not only telling you about what’s happened already but how you can protect yourself proactively into the future. We’re doing all that and more as we tick the following items off our list:
- Soup, Salad, and a Security Breach
- Eight of the Most Common Phone Scams Around
- A Smallish Price for a Gigantic Scam
We’re trying to help you safeguard your daily activities this week on The Checklist. Let’s not waste any more time, as we’ll dive right into our first story for this week. If you’re a fan out of eating out, beware — some establishments may have given you more than just your meal.
Soup, Salad, and a Security Breach
Have you eaten at any of the following restaurants in the past year?
- Buca di Beppo
- Earl of Sandwich
- Planet Hollywood
- Chicken Guy!
- Tequila Taqueria
Well, if you did, you might want to keep a close eye on your credit card statements and credit reports for a while. Earl Enterprises, the parent company which owns and operates those six restaurant chains, recently released a statement warning customers of a data breach. They had recently learned, the company said, of a “data security incident” which potentially involved the theft of customer payment data.
How did that go down? Based on the company’s investigation into the matter, it seems that some unsavory individuals managed to find a way to dump malware onto the POS (point of sale) computers at a range of different Earl Enterprises locations. The company says that the malware was in place and potentially harvesting credit card numbers from May 23 in 2018 all the way up to March 19 of this year, 2019.
The company’s response has proven most interesting. While Earl Enterprises said that it was engaging with security experts to learn how to stop the issue from recurring and to prevent future breaches, it also included a range of suggestions for what potentially affected consumers can do to protect themselves. In other words, it’s a bit like the company saying, “We’re fine now — but you’re on your own.” That being said, the suggestions they included for consumers, including immediately inspecting payment card statements for unusual charges, is all good advice. If you’ve eaten at one of these restaurants, or if you’re concerned about identity theft in general, here’s what you can do.
As stated, review your transaction data regularly — even daily can be a good idea. The sooner you notice potentially fraudulent charges, the sooner you can take corrective action. If you do notice a problem, contact your issuing bank immediately; the phone number is usually on the back of your card. If you catch these issues in time, you’ll practically never have to pay for the fraud.
Check your credit report regularly to watch for accounts or debts you don’t recognize. You can easily purchase a report from one of the big three credit agencies, but you are also legally entitled to one free report (from each agency) per year. AnnualCreditReport.com is the best legitimate way to request your free report. If you think your credit was compromised, you can file for a freeze with the credit agencies, which will prevent any ne’er-do-wells from taking out loans or opening new lines of credit in your name.
There are also fraud alerts, which are less severe than a freeze, and can be a better choice if you plan on buying a house or a car soon. Banks that see accounts flagged with this alert are legally required to take further steps to verify your identity. While this may result in a bit of extra hassle for you, it also means that any of the bad guys out there won’t be able to follow through on their schemes to defraud you.
You should always remain vigilant in checking your credit and transaction info, even when you don’t suspect that you’ve had a breach. While the data stolen in the attack on Earl Enterprises may not make its way into unscrupulous hands right away, many credit cards are valid for five or six years at a time — so it’s not unreasonable to think someone might sit on that treasure trove for a while. Stay alert!
Eight of the Most Common Phone Scams Around
Our phones are essential parts of our lives today — but they’re also a vector for security and privacy vulnerabilities that we carry around everywhere with us. That was part of the thrust of a recent piece run by Business Insider on eight of the “most sophisticated phone scams” currently making the rounds. While it’s easy to think that phone scams are something “other people” fall for, and more along the lines of the kind of thing we’d need to warn our parents or grandparents about, it’s a problem for everybody. In fact, the Federal Trade Commission studied the issue and announced their findings in 2017’s annual summary of consumer complaints.
In that report, the FTC said that 40% of people in their 20s reported losing money to a scam, compared to just 18% of people aged 70+. In nearly three-quarters of all the fraud cases brought to the FTC, the scam victims were initially contacted by phone. The FTC identified caller ID spoofing as one of the biggest reasons many people fall for these scams, as it is much easier to make it appear as though a call is coming from a number you can likely trust.
Let’s put the brakes on for a second. How does spoofing even work? Chances are good you’ve encountered one of these spoofed calls — the number often has your local area code and perhaps even the first three digits of your own phone number. There are many ways to do it; some require lots of money to get started, while other methods can give you access to spoofing for just 20 cents per call. VoIP — or Internet phone calling (Voice-over-IP) — is also one of the most common spoofing methods, and some VoIP providers even allow you to set your own phone number.
So, knowing that our phones are a vector for vulnerability and knowing that the bad guys have more opportunities than ever to try and trick us, it’s worth diving in to the different scams and methodologies identified in the Business Insider piece. What do we need to watch out for these days?
Robocalls: Otherwise known as automated phone calls, they’re cheap to place in large numbers, and they’re easy to make; according to the New York Times, robocallers reach millions of people every day, and most telecom providers say there’s little they can do to stop them. Computer programs dial through large volumes of numbers, peddling various scams and hoping to get a few bites. Some of the most common scams include callers claiming there’s been a problem with your credit card, an offer of a loan at 0% interest, or discussions of student loan forgiveness. The good news: there’s an easy antidote to this problem. It’s the old maxim, “if it sounds too good to be true, it probably is.” Always be very suspicious of calls that come out of the blue and claim to offer a pie in the sky.
IRS Scams: These are a problem year-round, but now through the summer is the time to watch out for these in particular as Tax Day comes and goes. You’ll receive a call from a person who claims to be an agent for the IRS, saying that you have problems with your taxes and demanding that you pay immediately or face arrest (or even deportation). The IRS has issued numerous warnings about these scams — this is not the way that taxes work! Never do anything with a person over the phone and verify with the IRS directly by contacting them through IRS.gov if you suspect a call may have been legitimate.
Grandparent Scams: Used for targeting older victims, the person on the phone will call an older individual and pretend to be their grandchild; sometimes, people impersonate friends as well. They share an elaborate story about how they’re in trouble and need money fast to get out of the situation, such as being stranded in a foreign country. The goal is to bamboozle victims into wiring sums of money to the scammers. It’s an increasingly common type of scam, especially when the scammers can equip themselves with stolen personal information to make every call sound more legitimate. Stay in touch with your family and warn them of scams such as this one.
Free Cruise Scams: Formerly a primarily spam-based scam, phone scammers still call people claiming they’ve won a free cruise. All you need to do to access your prize, of course, is to punch in your credit card number. Didn’t enter a contest? It’s probably fake. Most prize notifications aren’t going to take place this way; just don’t give out credit card info to random callers on the phone.
Disaster Exploitation Scams: In the wake of natural disasters, it’s not uncommon for big charities to solicit donations publicly to help those affected. Scammers seize upon this opportunity, calling random numbers to ask for a donation. Again, they try to get you to give up your credit card info on the line; don’t do it. If you want to donate, go directly to your preferred charity’s website and give to them that way.
Unsolicited Tech Support: You get a phone call, and the voice on the other end of the line says you have a virus on your computer — would you like help to remove it? The scammers then talk the user into giving them remote access to the machine, at which point they may install malware or simply bilk the recipient out of funds necessary for “fixing” an imaginary problem. Remember, no one is going to call you about malware on your computer — that’s your responsibility. Don’t listen to these tech support calls, simply hang up!
The final two scams are similar in nature to the IRS scam, but instead of claiming you owe taxes, they’ll demand you pay up on a delinquent utility bill, or to pay a fine for missing jury duty. Again, just hang up; this isn’t how the system works. Watch out for texting scams, too, which will arrive as an SMS message saying your bank has put out a fraud alert on your account. They usually ask you to reply with your card number and PIN — don’t!
Bottom line: be reasonably skeptical, and when you’re not sure, confirm with the real organization that they called you.
A Smallish Price for a Gigantic Scam
We’ll wrap up today with an annoying story from Bleeping Computer: Office Depot and affiliate Support.com have received a hefty fine from the state of California for fraudulent business practices. Fines of $25 million and $10 million were levied against the companies for apparently lying to consumers about whether their computers had malware infections before tricking them into paying for unnecessary remediation services. The FTC will take the money and use it to provide refunds to those affected by the fake process.
Here’s what went down: a user would bring their computer in for a diagnostic to determine issues. Workers would then ask the owner some standard questions, such as whether the user was experiencing pop-up ads, frequent crashes, or slow operation. Answering “yes” to any of these questions led the worker to tell the visiting user that they had malware and required a fix, even if there was no infection whatsoever. According to the FTC, these repair services cost hundreds of dollars.
Those are all actual, real issues, of course, which makes this ploy even more devious. What if you are experiencing those problems, though? Visit an authorized repairer, not a big box store such as Office Depot or Best Buy — you’ll be better off with a business trusted by the manufacturer.
One final word for today. Most of our listeners are probably savvy enough to know that when you have trouble with your Mac, you should go to an Apple Store or an Authorized Service Provider for a professional assessment of your machine. What about your mom or dad, or your aunts, uncles, and even cousins? They may not know to take the same steps that you do, so listen out and help them out if any trouble arises. While you may not want to be “the tech support guy” (or gal), you can at least point them in the right direction.
Whether you’re running a Mac or a PC, do be sure that you run antivirus software. MacScan 3 by SecureMac is just one option you might choose. Whatever choice you do make, running a well-reviewed and reputable antivirus program is a must-do in today’s digital world. While it may seem obvious enough, we believe it bears repeating.
With that, we’ll wrap up our discussion for this week and bring this episode to a close. Remember, you can always head into The Checklist Archives to find complete show notes and audio recordings for this episode, last week’s episode, and every other edition of the show going all the way back to the very first episode. It’s a fast and easy way to catch up on everything you need to know about the latest in security news.