Monday, November 23, 2015

Cunning payment card fraud, or just a random glitch?

I have a strange tale to tell. I am sharing it here because I honestly don't know if it represents a simple computer glitch on the part of a bank or payment processor, or it it represents a breakthrough in payment card fraud. I have intentionally kept the dates and amounts approximate rather than exact, and am not doxxing the other party in this event, but otherwise what follows is a reasonably detailed sequence of events.

In early September, a charge I did not recognize appeared on my Chase credit card. I figured my card number had been taken in the latest Point of Sale card breach, so called Chase to report the fraudulent use. I expected they would identify it as fraud, close my account, and issue me a new card, as has happened 3 or 4 times in the past few years.

As I have written before, this type of fraud doesn't really bother me much - it's a bit annoying, but I've taken a few steps to limit any real consequences to me. This guide to financial fraud prevention explains what I do, and what I recommend my readers do too. By purchasing with credit cards and never debit cards, setting up transaction alerts by email or text message, and keeping a fraud alert on my credit report, I ensure that any card fraud is the bank's problem and not my problem.

Today's tale begins with an aforementioned transaction alert.

Tuesday, November 17, 2015

Schlotzsky's: Funny name, serious sandwich, poor privacy

I had a hankering 4 @Schlotzskys. Then I remembered the loyalty app demands too many perms. Guess I'll have to settle 4 a lesser sandwich...

When I began writing this post, I did not know how it would end. My hope was it would become a story of a privacy issue acknowledged and a restaurant modifying its customer loyalty app to respect its customers' privacy. Thus far, 5 months after initially reporting this, the Schlotzsky's "Lotz4Me" mobile loyalty app remains an egregious invasion of privacy beyond any loyalty app I have seen in the past.

Those not from the Texas may not recognize the name Schlotzsky's. For that matter, you might not even know how to pronounce the name. That's OK. The chain that originated in downtown Austin makes a fantastic hot sandwich on fresh sourdough buns. Since the first restaurant opened in 1971, the chain has grown to some 350 locations - mostly in the southern and southwestern US (well over half are in Texas).

They are great at making food.

They are not so good at choosing digital products.

Wednesday, November 11, 2015

Free Disney World Tickets? Nah, it's another Facebook scam (Part 2)

Some of this article appeared on this blog a few weeks ago; it has been updated with more examples, as well as some investigation into the possible motivations for such scams.

Disney is giving away hundreds of tickets to Disneyland and Walt Disney World! All you have to do is like a page on Facebook and share it with your friends!

Or not.

My friends and family know I am in the cyber security field, so often ask me questions or send suspicious things my way for my opinion. And occasionally, they send things my way not realizing they've been hooked by a scam. The week before Halloween a friend shared what appeared to be a drawing for Disney theme park tickets. At the time I grabbed a few screen captures and pointed out a few things that led me to believe it was a scam, but left it at that.

In the time since then, I've seen about a half dozen similar scams and figured perhaps it's time for a more thorough discussion of what is going on, as well as possible motivations for the scammers.

Tuesday, October 27, 2015

Ten years after the accident

Ten years after the accident

There are points in time, where the rest of life can be defined as "before" and "after." October 27, 2005 was such a date in the life of my family. It is the date on which I was reminded we have no guarantee of tomorrow. I share this story each October to remind readers how precious each day is.

Saturday, October 24, 2015

Free Disney World Tickets? Nah, it's another Facebook scam

For more examples, as well as a walk-through of a particular scam, and some investigation into possible motivations for the scammers, see this follow-up story.

Yesterday, someone created a fake "Walt Disney World Epcot." Facebook community. Yes, complete with the period at the end of the name. In 24 hours, it has gained some 900 likes and innumerable shares. That might have something to do with a fraudulent offer and a deadline of tomorrow:

Sharing this post --won't-- win you tickets to Disney World.

Thursday, October 8, 2015

DNS: a simple way to stop malicious web traffic

DNS-based web filtering is an easy and highly-effective component of network security. Since most web browsing - including the malicious sort - relies on DNS to translate human-readable domain names into Internet addresses, DNS is a natural choke point.

This post was first published in September, 2014. It has been updated for October, 2015's Cyber Security Awareness Month. DNS-based web filtering is an easy and highly-effective component of network security. Since most web browsing - including the malicious sort - relies on DNS to translate human-readable domain names into Internet addresses, DNS is a natural choke point.

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic! 

Putting aside for a moment the possibility that you are reading a printout, you are more than likely reading this on a digital device. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. You might have clicked a post in Facebook, Twitter, Pinterest or Instagram (I'm not sure any of my pictures are worthy of the latter two, but I suppose it's possible). Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL into your web browser directly or used a bookmark. 

Regardless of the source, your browser did not just yell out on the Internet, "show me the Security for Real People blog." Instead, it referred to a DNS, a network phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.

Whois David?

My Photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.