This Is What A Social Security Scam Sounds Like


Earlier this month, the FTC warned about a growing scam: people pretend to be from the Social Security Administration (SSA) and try to get your Social Security number or your money. That scam is now growing exponentially. To compare: in 2017, we heard from 3,200 people about SSA imposter scams, and those people reported losing nearly $210,000. So far THIS year: more than 35,000 people have reported the scam, and they tell us they’ve lost $10 million.

Here’s what one of those scam calls sounds like:

Scammers are saying your Social Security number (SSN) has been suspended because of suspicious activity, or because it’s been involved in a crime. Sometimes, the scammer wants you to confirm your SSN to reactivate it. Sometimes, he’ll say your bank account is about to be seized – but he’ll tell you what to do to keep it safe. (Often, that involves putting your money on gift cards and giving him the codes – which, of course, means that your money is gone.)

Oh, and your caller ID often shows the real SSA phone number (1-800-772-1213) when these scammers call – but they’re faking that number. It’s not the real SSA calling.

Here's what to know:

  • Your Social Security number is not about to be suspended. You don’t have to verify your number to anyone who calls out of the blue. And your bank accounts are not about to be seized.

  • SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards. Anyone who tells you to do those things is a scammer. Every time.

  • The real SSA number is 1-800-772-1213, but scammers are putting that number in the caller ID. If you’re worried about what the caller says, hang up and call 1-800-772-1213 to speak to the real SSA. Even if the wait time is long, confirm with the real SSA before responding to one of these calls.

  • Never give any part of your Social Security number to anyone who contacts you. Or your bank account or credit card number.

If you get one of these calls, tell the FTC at

New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps


Facebook's latest mishap: a programming bug in the Facebook website accidentally gave 1,500 third-party apps access to the unposted Facebook photos of as many as 6.8 million users.

Facebook today quietly announced that it discovered a new API bug in its photo-sharing system that let 876 developers access users' private photos which they never shared on their timeline, including images uploaded to Marketplace or Facebook Stories.

"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories," Facebook said.

What's worse? The bug even exposed photos that people uploaded to Facebook but chose not to post, or didn't finish posting for some reason.

The flaw left users' private data exposed for 12 days, between September 13th and September 25th, when Facebook discovered and fixed the security blunder.

"Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos," Facebook said.


The social media giant has started notifying impacted users of the flaw through an alert on their Facebook timeline that their photos may have been exposed, which will direct them to its Help Center page with more information.

Facebook also says the social media network will soon be rolling out "tools for app developers that will allow them to determine which people using their app might be impacted by this bug."

Facebook also assures its users that the company will be working with app developers to delete copies of photos that they were not supposed to access.

Cyber Security Worst Practices – 8 Must-Break User Habits


People can be a business’s greatest asset, but they can also be its biggest cyber security liability. Cyber criminals are drawn to the path of least resistance and, when compared to today’s highly advanced security solutions, that’s often what users represent.

Using data collected in Dell Technologies’ End User Security Survey, our team has compiled a list of eight all too common cyber security worst practices.

Accessing confidential data over public Wi-Fi. The risks of connecting to unsecured public Wi-Fi are plentiful and yet the message hasn’t connected with users. Despite the ease with which attackers can use these services to execute man-in-the-middle attacks, users continue to lean on public Wi-Fi. In fact, in Dell’s survey, 46% of respondents admitted to not just using public Wi-Fi, but using it to access company data.

Conducting work via personal email. IT teams can restrict the flow of information into and out of their company over corporate email. Personal email, however, is a different story. Yet, very nearly half (49%) of those surveyed said they conduct business using their personal accounts. This effectively shuts out those in IT tasked with keeping users and company data secure.

Emailing confidential data to those outside the company. Employees’ bad email behavior goes beyond blurring the lines between personal accounts and business workloads. Just under half (45%) acknowledged emailing sensitive files outside the organization. Even though controls exist for managing how data is handled, the risk of misuse remains high.

Taking information with them when they go. Far too often, when an employee leaves a company, he or she doesn’t do so empty-handed. Instead, 35% say it is routine to take data with them when they leave. While the exact nature of the data departing employees are helping themselves to wasn’t specified, employers would likely prefer it to stay in-house.

Putting their faith (and company data) in over-the-counter cloud. For some users, Shadow IT has become a way of life. More than half (56%) said they use publicly available tools including Dropbox and Google Drive for storage and collaboration. It’s unknown whether or not they are aware of the dangers of this approach.

Seeing security as “somebody else’s problem.” First the good news: According to Dell’s research, 65% of employees see security as their duty. They believe it is up to them to educate themselves on threats and behave responsibly. What puts this in the domain of cyber security worst practices is the fact that 35% still see themselves as removed from their company’s security challenges.

Suffering from security overconfidence. Confidence is good, but too much can be hazardous. Dell’s study found just 22% of employees are worried that, someday, they might cause a cyber-attack or some other security disaster. In truth, any employee, regardless of position or age, could become a victim.

Failing to take training to heart. The majority of those Dell surveyed (63%) are required by their employers to attend cyber security readiness training. However, some are struggling to apply those lessons. Just under one-in-five (18%) engaged in unsafe behaviors post-training without realizing what they were doing was wrong. Furthermore, 24% knew their actions were unsafe, but carried on anyway.

500 Million Marriott Guest Records Stolen in Data Breach


The world's biggest hotel chain, Marriott International, disclosed that unknown hackers compromised the guest reservation database of its subsidiary Starwood Hotels and walked away with the personal details of about 500 million guests.

Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

The incident is believed to be one of the largest data breaches in history, behind the 2016 Yahoo hack in which nearly 3 billion user accounts were stolen.

The breach of Starwood properties had been going on since 2014, after an "unauthorized party" managed to gain unauthorized access to Starwood's guest reservation database and copied and encrypted the information.

Marriott discovered the breach on September 8 this year after it received an alert from an internal security tool "regarding an attempt to access the Starwood guest reservation database in the United States."

On November 19, the investigation into the incident revealed that there was unauthorized access to the database, containing "guest information relating to reservations at Starwood properties on or before September 10, 2018."

The stolen hotel database contains sensitive personal information of nearly 327 million guests, including their names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date, and communication preferences.

What's worrisome? For some users, stolen data also includes payment card numbers and payment card expiration dates.

But, according to Marriott, "the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)." Attackers need two components to decrypt the payment card numbers, and "at this point, Marriott has not been able to rule out the possibility that both were taken."

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," the company said in a statement.

Marriott confirmed that its investigation into the incident only identified unauthorized access to the separate Starwood network and not the Marriott network. It has also begun informing potentially impacted customers of the security incident.

The hotel company has begun notifying regulatory authorities and also informed law enforcement of the incident and continues to support their investigation.

Since the data breach falls under European Union's General Data Protection Regulation (GDPR) rules, Marriott could face a maximum fine of 17 million pounds or 4 percent of its annual global revenue, whichever is higher, if found breaking any of these rules.

US Postal Service Left 60 Million Users Data Exposed For Over a Year


The United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone who has an account on the website.

The U.S.P.S. is an independent agency of the American federal government responsible for providing postal service in the United States and is one of the few government agencies explicitly authorized by the United States Constitution.

The vulnerability is tied to an authentication weakness in an application programming interface (API) for the USPS "Informed Visibility" program designed to help business customers track mail in real-time.

An attacker could have pulled email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data from as many as 60 million USPS customer accounts.

USPS Ignored Responsible Disclosure For Over a Year

The unnamed researcher reportedly discovered and responsibly reported this vulnerability last year to the Postal Service, which ignored it and left its users’ data exposed until last week, when a journalist contacted USPS on behalf of the researcher. After that, the Postal Service addressed the issue within just 48 hours.

USPS Responds by Saying:

"We currently have no information that this vulnerability was leveraged to exploit customer records. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."