When it comes to financial matters, technology is a double-edged sword: Although it’s made it easier for us to purchase things and access our accounts, it’s extended those same benefits to scammers and thieves, giving them new ways to hijack people’s personal and financial information.
Asheville is no more immune from con artists and hackers than anywhere else, says cyber security expert Daniel McCauley, who co-founded the annual BSides Asheville information security conference.
“I don’t think we’re special, in the sense of not being a target for cybersecurity threats,” he says. “There’s a good startup scene, a lot of [software/IT] developers and graphic designers, but I’ve noticed — not by anyone’s fault — the lack of focus on the security side of things.”
As of last month, the Asheville Police Department had already received 145 reports of fraud this year, 38 of which involved credit cards. That’s more than half the total number of credit card fraud cases reported in 2015.
Today’s savvy scammers have a whole host of increasingly sophisticated techniques to quickly steal information and drain bank accounts. To combat these crimes, IT professionals, law enforcement personnel and government officials are encouraging consumers and businesses to remain vigilant at transaction points and take other steps to safeguard themselves from the threat of online hackers.
Realizing that someone has co-opted your financial or personal information can come as a nasty shock. Asheville resident Wes Cordell says he regularly checks his bank accounts each week to stay on budget. But a few months back, he noticed “a huge disparity” in his checking account.
“About $500 was missing,” he recalls. “Sometimes I get off budget, but I actually hadn’t had time to get out as much as I normally do [that week].” Luckily, Cordell contacted his bank, the Telco Community Credit Union, immediately and was able to clear up the issue.
“They had my money back in my account before I could even get back to my office,” he says. “I left work in a panic, and not 30 minutes later, I was completely at ease. [They were] really helpful.”
Others have experienced more difficulty in clearing fraudulent activity, however. Asheville entrepreneur Benji Boessel says he found out that his information had been harvested when he received a Citibank debit card in the mail that he’d never signed up for. Boessel says he contacted Citibank to find out details about who may have accessed his account, but the bank was reluctant to divulge information. Even worse, the thief had set up his own security measures.
“I needed to answer the personal questions to get into the account, such as ‘What is your mother’s maiden name?’” he recalls. “How on earth would I know the hacker’s mother’s maiden name?”
After six additional calls to various Citibank departments, Boessel finally got the bogus account shut down. But while running a credit history report, available to consumers for free three times a year, he discovered another startling fact: “Someone opened a $15,000 credit card with Capital One,” he reveals. “I called them — luckily there was no balance yet, so I shut down the account and reported it as fraud.”
After that, Boessel put a 90-day freeze on his credit file, to prevent outside access. But while the freeze is free, it’s temporary, and Boessel plans to reinstate it after the three months are up. “Why would I ever want my credit file open to creditors in the first place?” he asks. “It should always be frozen unless I unlock it to apply for credit myself.”
Shifting the risk
Browse online forums such as Reddit and you’ll probably find conversations alleging that a particular business was where someone had their financial information stolen. To a certain extent, says McCauley, they may be correct.
“I would not rule out particular locations in town that could have been compromised,” he says. “Without further forensic network investigations, you cannot really rule that possibility out.”
But the specific ways that thieves can evade a business’s security measures have evolved dramatically in recent years. And though there are still instances of an unscrupulous bartender or server stealing payment information, they’re not as common as one might think, according to Detective Kyle Thiel of the Hendersonville Police Department.
Often, the problem is with the actual credit card reader or the database where financial information is stored. The recent introduction of EMV technology, which embeds a chip in the credit card, has made transactions more secure, says McCauley, but many businesses have been slow to adopt the system. And this despite the fact that as of last October, most merchants who haven’t made the switch are now liable in cases of fraud, under the terms of a “payment network liability shift” mandated by credit card companies. (For businesses with gas pumps, the deadline is October 2017.)
“You still see businesses without chip and PIN, or they have it but it’s not set up,” he notes. “As a company, you’re taking on liability. You acknowledge the risk, yet you haven’t activated the ability to mitigate that.” Business owners, he continues, “need to be proactive, educate themselves and pass that along to employees.”
Trouble at the pump
More recently, scammers have turned their attention to gas pumps and other unmanned points of transaction, says Thiel. Colloquially known as “skimming,” the procedure involves physically installing a device on the face of an ATM or gas pump that then collects and saves each user’s credit card information.
Criminals, the detective explains, “look for vulnerabilities. … They figure out what kind of system it is, [put the skimmer] over the actual card reader, and it looks the same.”
After a day or two, the thieves remove the device, harvest the data and sell it to counterfeiters who produce fake credit cards. The complex network behind these operations often makes it difficult for local and even federal authorities to track down the culprits.
“These groups — a lot of them — seem to be from out of state,” Thiel reveals. Hendersonville police recently released a public warning regarding the use of First Citizens Bank ATMs, which Thiel says are the latest to be targeted. “A few years back it was SunTrust, and a few years before that it was Wells Fargo. They find these banks they can latch onto and really hammer down on it.”
The many faces of fraud
Skimming may be an easy and popular way to steal information, but it’s only one of many methods criminals are using these days to hack databases or persuade you to give them sensitive personal information.
On July 1, the Asheville Citizen-Times reported on fraudsters posing as Duke Energy employees who tricked several local business owners into giving them financial information by threatening to cut off power to their businesses if they didn’t comply.
And that’s only the tip of the iceberg, says Celeste Collins, executive director of OnTrack WNC. Her organization recently hosted North Carolina Secretary of State Elaine Marshall and several other speakers at a regional summit on elder fraud.
If scammers “would just take this great creative energy and use it for good,” Collins points out, “what kind of world would we live in?”
A pamphlet released by the office of North Carolina Attorney General Roy Cooper, titled Scams & Fraud: Protect Yourself — Don’t Be A Target, outlines a dizzying variety of tricks employed by swindlers, ranging from phony emails offering great prizes to crooked contractors and even scammers pretending to be someone’s grandchild in distress.
With comparatively fewer debts and larger savings accounts, the elderly are an inviting target, notes Collins, particularly because they may be less familiar with newer technology and are sometimes vulnerable due to cognitive decline associated with old age.
“One out of every four people who turn 78 will have early-onset dementia,” she notes, citing statistics from the National Consumer Law Center. Scammers, says Collins, “can obtain lists of people who’ve recently turned 78.”
In such cases, she maintains, it’s up to younger relatives and friends to make older folks aware of potential scams. “Older adults can get defensive if they’ve done something that’s not very wise,” adds Collins. Learning about the latest swindles and sharing that information with loved ones before a hustler strikes “helps them not feel singled out.”
The sheer number and diversity of scams can make protecting yourself seem like an impossible task. But staying vigilant about how and where you access your financial information can help protect consumers and businesses alike, says Collins.
“Passwords on devices are huge,” she says. “Put a password on your device, and make sure it’s strong: ‘12345’ or, my favorite one, ‘letmein,’ don’t cut it.”
Don’t access your sensitive information on public networks like Starbucks, advises McCauley, who also stresses the value of keeping operating systems patched and up to date.
“That’s a very effective way to essentially reduce your attack surface,” he says. “Operating system updates and application updates are generally accessible via a web browser; it’s very rare that you need proprietary applications for web services anymore.”
And if a chip card reader isn’t available, Thiel advises residents to physically inspect the equipment first. If the card reader looks newer than the rest of the machine, is slightly off kilter or comes off when you pull on it, it’s probably a skimmer.
“We’ve encouraged the public to start tugging on the card readers a little bit before using them,” he explains. “I know a lot of us are in a hurry, but when you walk up to it, just take a look. Once you put [your card] in there and start entering your information, they’ve got it.”
Reclaiming your identity
For those who believe they’ve been the victim of credit card fraud or identity theft, the APD’s website (http://goo.gl/9E1QAq) offers step-by-step instructions and a variety of resources. Contacting your financial institution immediately freezes your account, protecting it from further fraudulent charges and beginning the process of reversing any purchases that have already occurred.
Some folks stop there, but Thiel says it’s also important to contact law enforcement. “It needs to be investigated. Once you get done talking to the bank, you should report it to the law enforcement agency in whatever jurisdiction you’re in.”
Still, the best way to prevent fraud in all its forms, most experts and law enforcement personnel agree, is simply to rely on common sense. “Some of us use our electronics so robotically,” notes Collins. “You have to do something to interrupt that pattern. If it sounds too good to be true, it probably is.”
For businesses, taking the time to modify the default settings on transaction programs and keeping technology up to date with the current patches is often enough to discourage most attacks, says McCauley. “An attacker’s going to take the path of least resistance for most non-targeted attacks. If you make it time-consuming enough, that alone will most likely dissuade them. They may have limited resources as well.”
Old habits die hard
In the wake of high-profile hacking activity, large corporations and online companies have beefed up digital security. But despite all the current risks, most consumers probably won’t drastically change their habits anytime soon, says McCauley. And while no one wants to be a target of identity theft, he continues, in most cases, it’s not devastating.
“It’s an inconvenience, but it’s very rare that their whole financial situation is wiped out because of this,” he reports. “They’re going to get a card reissued; they’re going to get those transactions reversed. It’s just time-consuming.”
Neither Cordell nor Boessel says he’s significantly changed his spending habits since being targeted by scammers. “You can’t walk around to every business that accepts cards wondering if your identity is going to be stolen,” Cordell maintains. “Just be smart about the way you spend, and make sure that card readers and ATMs aren’t compromised by inspecting them both visually and physically.”
McCauley, meanwhile, strongly encourages business owners and entrepreneurs who can’t afford to hire a full-time IT team to take advantage of such cyber security resources as the local conference he organizes each year. The next BSides Asheville event takes place Friday, July 22 until Saturday, July 23 at Mojo Coworking in downtown Asheville. More information is available at bsidesasheville.com.
“It’s gut-wrenchingly hard to stay secure using your own personal computer, let alone securing a business network,” McCauley maintains. “That’s what we’re trying to do with the BSides conferences: bring current and relevant security discussion to Asheville.”