Lyft will have to tell drivers how much they can truly earn, with evidence

Lyft has agreed to tell its drivers how much they can truly earn on the ride-hailing platform — and back it up with evidence — as part of its settlement for a lawsuit filed by the US Justice Department and the Federal Trade Commission. The lawsuit accused the company of making "numerous false and misleading claims" in the advertisements it released in 2021 and 2022, when the demand for rides recovered following COVID-19 lockdowns in the previous years. Lyft promised drivers up to $43 an hour in some locations, the FTC said, without revealing that those numbers were based on the earnings of its top drivers.

The rates it published allegedly didn't represent drivers' average earnings and inflated actual earnings by up to 30 percent. Further, the FTC said that Lyft "failed to disclose" that information, as well as the fact that the amounts it published included passengers' tips. The company also promised in its ads that drivers will get paid a set amount if they complete a certain number of rides within a specific timeframe. A driver is supposed to make $975, for instance, if they complete 45 rides over a weekend. 

Lyft allegedly didn't clarify that it will only pay the difference between what the drivers earn and its promised guaranteed earnings. Drivers thought they were getting those guaranteed payments on top of their ride payments as a bonus for completing a specific number of rides. The FTC also accused Lyft of continuing to make "deceptive earnings claims" even after it sent the company a notice of its concerns in October 2021.

Earlier this month, the company launched an earnings dashboard that showed the estimated hourly rate for each ride, along with the driver's daily, weekly and yearly earnings. But under the settlement, Lyft will have to base the potential take-home pay it tells drivers about on typical, rather than inflated, earnings, and say so explicitly. It has to take tips out of the equation, and it has to clarify that it will only pay the difference between what the drivers get from rides and its guaranteed earnings promise. Finally, it will have to pay a $2.1 million civil penalty.

This article originally appeared on Engadget at https://www.engadget.com/transportation/lyft-will-have-to-tell-drivers-how-much-they-can-truly-earn-with-evidence-120011572.html?src=rss

The FBI arrested an Alabama man for allegedly helping hack the SEC’s X account

A 25-year-old Alabama man has been arrested by the FBI for his alleged role in the takeover of the Securities and Exchange Commission's X account earlier this year. The hack resulted in a rogue tweet that falsely claimed bitcoin ETFs had been approved by the regulator, which temporarily juiced bitcoin prices.

Now, the FBI has identified Eric Council Jr. as one of the people allegedly behind the exploit. Council was charged with conspiracy to commit aggravated identity theft and access device fraud, according to the Justice Department. While the SEC had previously confirmed that its X account was compromised via a SIM swap attack, the indictment offers new details about how it was allegedly carried out.

According to the indictment, Council worked with co-conspirators whom he coordinated with over SMS and encrypted messaging apps. These unnamed individuals allegedly sent him the personal information of someone, identified only as "C.L.," who had access to the SEC X account. Council then printed a fake ID using the information and used it to buy a new SIM in their name, as well as a new iPhone, according to the DoJ. He then coordinated with the other individuals so they could access the SEC's X account, change its settings and send the rogue tweet, the indictment says.

The tweet from @SECGov, which came one day ahead of the SEC's actual approval of 11 spot bitcoin ETFs, caused bitcoin prices to temporarily spike by more than $1,000. It also raised questions about why the high-profile account wasn't secured with multi-factor authentication at the time of the attack. "Today's arrest demonstrates our commitment to holding bad actors accountable for undermining the integrity of the financial markets," SEC Inspector General Jeffrey said in a statement.

The indictment further notes that Council allegedly performed some seemingly incriminating searches on his personal computer. Among his searches were: "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account," the indictment says.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/the-fbi-arrested-an-alabama-man-for-allegedly-helping-hack-the-secs-x-account-193508179.html?src=rss

Data breach of Fidelity leaks 77,000 customers’ personal data

Another breach of a huge financial institution has leaked the personal information of thousands of customers to the public. TechCrunch reported that an unidentified hacker obtained 77,009 customers’ personal data from the asset management firm Fidelity Investments.

A filing by Maine's attorney general posted yesterday revealed that the unidentified third party obtained the information in mid-August using two phony customer accounts. It's not yet known how these accounts were used to access customer data. Fidelity said in a letter to its customers that it discovered the breach on August 19. The letter also said that the unidentified party did not access customers' Fidelity accounts, but after Fidelity completed its review, it confirmed that customers' personal data had been breached.

The New Hampshire attorney general’s office filed a second data breach notice yesterday revealing another “data security incident” of Fidelity Investments’ customer data. The notice says the unauthorized third party obtained access to “an internal database that houses images of documents pertaining to Fidelity customers” by submitting fake requests for access also on August 19. The second data breach did not provide unwanted access to any customer accounts or funds and the leaked information only “related to a small subset of Fidelity’s customers.”

If you believe your data has been obtained by unwanted parties or is part of a data leak, the Federal Trade Commission recommends putting a freeze and fraud alerts on your credit reports and personal bank and credit card accounts. You can also report any identity theft incidents at IdentityTheft.gov or by calling 1-877-438-4338.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/data-breach-of-fidelity-leaks-77000-customers-personal-data-214248985.html?src=rss

Comcast says 230,000 customers affected by debt collection data breach

Comcast is warning that hackers stole the personal data of more than 230,000 customers during a ransomware attack on a third-party debt collector, according to a court filing. The bad actors targeted a Pennsylvania-based debt collection agency called Financial Business and Consumer Solutions (FBCS).

The attack occurred back in February, but Comcast claims that FBCS initially said that the incident didn’t involve any customer data. FBCS changed its tune by July, when it notified Comcast that customer information had been compromised, according to reporting by TechCrunch.

All told, 237,703 subscribers were impacted by the breach. The attackers were thorough, scooping up names, addresses, Social Security numbers, dates of birth, Comcast account numbers and ID numbers. Comcast says the stolen data belongs to customers who signed up with the company “around 2021.” It also says it has stopped using FBCS for the purposes of debt collection.

“From February 14 and February 26, 2024, an unauthorized party gained access to FBCS’s computer network and some of its computers,” the filing states. “During this time, the unauthorized party downloaded data from FBCS systems and encrypted some systems as part of a ransomware attack.”

No group has stepped forward to claim credit for the incident. FBCS has only referred to the attacker as an “unauthorized actor.” The debt collection agency was hit hard by this attack, with Comcast customers being just one group of victims. The company says more than four million people were impacted and that the cybercriminals accessed medical claims and health insurance information, in addition to standard identification data. 

To that end, medical debt-purchasing company CF Medical confirmed that 600,000 of its customers were involved in the breach. Truist Bank also confirmed it was affected by the attack.

It’s notable that this incident primarily impacts debtors, opening them up to potential scams. Chris Hauk, consumer privacy advocate at Pixel Privacy, told Engadget that “the bad actors that get their paws on this information may use it to pose as debt relief agencies, which many turn to as a way out of their situation, meaning many of the involved debtors may be defrauded out of large sums of money, something they can ill-afford.”

In other words, keep an eye out for suspicious phone calls, emails and texts. This is good advice for anyone, and not just debtors who had data stored with FBCS. After all, it was revealed that hackers stole more than 2.7 billion records from American consumers earlier this year, which likely includes data on everyone who lives in the country.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/comcast-says-230000-customers-affected-by-debt-collection-data-breach-184554728.html?src=rss

Bitcoin ATM scams have cost Americans over $10 million per month this year

The Federal Trade Commission has published a report that aims to warn people about Bitcoin ATM (or BTM) scams, which have apparently increased tenfold from 2020 to 2023. Americans lost $65 million to fraud involving BTMs within the first six months of this year alone, and the actual amount may be a lot more than that, since most scams go unreported. Further, losses due to BTM scams have been exceptionally high, with people reporting a median loss of $10,000 over the past six months.

In most of the BTM scams reported, the bad actors impersonated government and business entities, as well as tech support representatives. Almost half of the instances reported started with a phone call, though some victims were fooled by fake security warnings from online ads, pop-ups and emails from scammers pretending to be from Microsoft or Apple. 

Some scammers pretend to be government agents or employees from utility providers, for instance, and tell people that they have to settle their bills by paying through a nearby BTM. Others pretend to be feds or bank agents and scare would-be victims into believing that their accounts are being targeted by hackers, so they have to transfer their money to a "secure account." Those are just some examples of how the bad actors can fool their victims. 

According to the commission's warning, scammers tend to send their targets to specific BTM locations, showing that they prefer some operators over others. Those preferences have changed over time, though, likely due to the fraud prevention measures crypto companies introduce to their systems. Whatever operator the scammer chooses, they send QR codes to their victims, since BTMs typically require depositors to scan one linked to the recipient's account. Those QR codes, of course, send money straight to the scammers' wallets. 

As you can guess, most of the BTM scam victims are older people. The FTC says $46 million of the total losses involving BTMs in the first half of 2024 — that's 71 percent of the overall amount — came from people over 60. If you take BTMs out of the equation, most of the losses from cryptocurrency fraud were reported by people between 18 and 59 years old who fell victim to fake investment opportunities. 

If you have an older person in your life, it's best to warn them about potential BTM scams before they get targeted, because recovering the money they lose from these schemes would most likely be impossible. In addition, it may be time for all BTM operators, as well as the supermarkets, convenience stores and other locations where the machines are installed, to post warnings next to BTMs about these scams. 

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/bitcoin-atm-scams-have-cost-americans-over-10-million-per-month-this-year-140031675.html?src=rss

National Public Data confirms breach that exposed Americans’ social security numbers

A data dump that contains 2.7 billion records of personal information for people living in the US, including their Social Security Numbers, has recently been leaked online. The data dump's contents were linked to National Public Data, a company that scrapes information from non-public sources and sells it for background checks. Now, the company has confirmed that it did have "a data security incident" wherein people's names, emails, addresses, phone numbers, social security numbers and mailing addresses had been stolen.

National Public Data's wording in its Security Incident report is a bit vague and convoluted, but it did blame the security breach on a third-party bad actor. It said that the bad actor "was trying to hack into data in late December 2023" and that "potential leaks of certain data" took place in April 2024 and summer 2024, indicating that the hacker had successfully infiltrated its system. In April, a threat actor known as USDoD tried to sell 2.9 billion records of people living in the US, UK and Canada for $3.5 million. It claimed that it stole the information from National Public Data. Since then, the records have been leaked in chunks online, with the more recent one being more comprehensive and containing more sensitive information.

The company said it worked with law enforcement to review potentially affected records and will "try to notify" individuals "if there are further significant developments applicable" to them. It also said that it published the notice so that those who were potentially affected can take action. The company is advising people to monitor their financial accounts for fraudulent transactions, and it's also encouraging them to get free credit reports and to put a fraud alert on their file. 

National Public Data is already facing a proposed class action lawsuit that was filed in early August by a plaintiff who received a notification from their identity theft protection service that their personal information was posted on the dark web. They argued that the company failed "to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices."

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/national-public-data-confirms-breach-that-exposed-americans-social-security-numbers-100046695.html?src=rss

Hackers may have leaked the Social Security Numbers of every American

Several months after a hacking group claimed to be selling nearly 3 billion records stolen from a prominent data broker, much of the information appears to have been leaked on a forum. According to Bleeping Computer, the data dump includes 2.7 billion records of personal info for people in the US, such as names, Social Security Numbers, potential aliases and all physical addresses they are known to have lived at.

The data, which is unencrypted, is believed to have been obtained from a broker called National Public Data. It's said that the business assembles profiles for individuals by scraping information from public sources and then sells the data for the likes of background checks and looking up criminal records. (A proposed class-action suit was filed against National Public Data over the breach earlier this month.)

In April, hacking collective USDoD attempted to sell 2.9 billion records it claimed were stolen from the company and included personal data on everyone in the US, UK and Canada. The group was looking for $3.5 million for the whole 4TB database, but since then chunks of the data have been leaked by various entities.

Previous leaks included phone numbers and email addresses, but those reportedly weren't included in the latest and most comprehensive dump. As such, you won't be able to check whether your information has been included in this particular leak by punching your email address into Have I Been Pwned?

The data includes multiple records for many people, with one for each address they are known to have lived at. The dump comprises two text files that amount to a total of 277GB. It's not really possible for any independent body to confirm that the data includes records for every person in the US, but as Bleeping Computer points out, the breach is likely to include information on anyone who is living in the country.

The publication states that several people confirmed the information that the dump has on them and their family members (including some dead relatives) is accurate, but in other cases some SSNs were associated with the wrong individuals. Bleeping Computer posits that the information may have been stolen from an old backup as it doesn't include the current home address for the people whose details its reporters checked against the data.

In any case, it's worth taking some steps to protect yourself against any negative repercussions from the leak, such as fraud and identity theft. Be extra vigilant against scammers and phishing attacks that look to obtain access to your online accounts. 

Keep an eye on credit reports to see if there has been any fraudulent activity on your accounts and inform credit bureaus Experian, Equifax and TransUnion if so. You can ask the bureaus to put a freeze on your credit files to stop anyone else opening a bank account, taking out a loan or obtaining a credit card under your name.

You can sign up for services that offer identity fraud protection and remove your personal information from the public web to reduce the chances that you'll be negatively impacted. However, such services often charge a fee.

Be sure to use two-factor authentication wherever possible (preferably with you obtaining codes from an authenticator app rather than SMS). And, as always, we highly recommend having a password manager, never reusing the same login credentials for different services and regularly changing the password on your most sensitive accounts.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/hackers-may-have-leaked-the-social-security-numbers-of-every-american-150834276.html?src=rss

Match Group, Meta, Coinbase and more form anti-scam coalition

Scams are all over the internet, and AI is making matters worse (no, Taylor Swift didn't give away Le Creuset pans, and Tom Hanks didn't promote a dental plan). Now, companies such as Match Group, Meta and Coinbase are launching Tech Against Scams, a new coalition focused on collaboration to prevent online fraud and financial schemes. They will "collaborate on ways to take action against the tools used by scammers, educate and protect consumers and disrupt rapidly evolving financial scams."

Meta, Coinbase and Match Group — which owns Hinge and Tinder — first joined forces on this issue last summer but are now teaming up with additional digital, social media and crypto companies, along with the Global Anti-Scam Organization. A major focus of this coalition is pig butchering scams, a type of fraud in which a scammer tricks someone into giving them more and more money through trusting digital relationships, both romantic and platonic in nature. 

Tech Against Scams will also rely on the different reaches of the internet each member inhabits to get a fuller picture of threats and best practices. "Tech companies across industries collaborating with each other is essential for preventing criminal activity, and ultimately helps online platforms stay ahead of, and develop effective solutions for, various types of financial crimes," Yoel Roth, Match Group's VP of Trust and Safety, said in a statement. "As we work to make it harder for scammers to defraud people, we will also continue investing in new technologies to help disrupt fraud and scams faster, and get people the support and resources they need."

This article originally appeared on Engadget at https://www.engadget.com/match-group-meta-coinbase-and-more-form-anti-scam-coalition-145346680.html?src=rss

DuckDuckGo unveils a $10 Privacy Pro plan with a no-log VPN

Many web browser companies offer VPNs these days, including Google, Mozilla and Opera. DuckDuckGo is the latest to join the fray, with a Privacy Pro plan that includes three services. Along with a VPN, you'll get personal information removal and identity theft restoration services for $10 per month or $100 per year. The subscription is only available in the US for now. The Privacy Pro features are built directly into the DuckDuckGo browser, so you won't need to install separate apps.

DuckDuckGo says it won't keep VPN logs in order to help maintain user privacy. As such, it says it has "no way to tie what you do while connected to the DuckDuckGo VPN to you as an individual — or to anything else you do on DuckDuckGo, like searching." DuckDuckGo is using the open-source WireGuard protocol to encrypt your traffic and route it through VPN servers. As it stands, the company has VPN servers across the US, Europe and Canada. It plans to add more over time.

[Image: Screenshot of DuckDuckGo's VPN feature. Credit: DuckDuckGo]

One subscription will cover up to five desktop and mobile devices. Rather than using an account, you'll have a random ID that you'll need to keep safe. If you wish, you can add an email address for easier authorization across devices. Still, you won't need to hand over any personally identifiable information to DuckDuckGo — the company is using Stripe, Google Play and the Apple App Store to handle payments.

DuckDuckGo's focus on protecting user privacy extends to the personal information removal tool, which removes details such as your full name, home address and birthday from people search sites and data broker services. The details you provide during the setup process stay on your device and requests to remove your personal information start directly from your desktop (for now, you need a Windows or Mac computer to set up and manage the personal information removal tool).

DuckDuckGo says this is a first for a service of its ilk, as your details aren't stored on remote servers. To help it build the tool, DuckDuckGo bought data removal service Removaly in 2022. The personal information removal service will regularly re-scan people search sites and data brokers to see if your info pops up again, and deal with it accordingly.

As for the identity theft restoration service, DuckDuckGo will connect you with an advisor from Iris, its partner, if your identity is stolen. The advisor will help with restoring any stolen accounts and financial losses, as well as fixing your credit report. Moreover, they can help you cancel and replace important documents such as your driver’s license, bank cards and passport. Iris can also provide you with a cash advance if you're far from home and stuck due to identity theft. 

Again, you won't have to provide any of your personal information up front. You'll only need to provide an advisor with those details if you need help after having your identity stolen.

Expanding privacy protections through these services is a logical way for DuckDuckGo to try and boost its bottom line. Privacy Pro seems reasonably priced compared to some of the alternatives too — Mozilla's personal information removal service alone costs $9 per month.

This article originally appeared on Engadget at https://www.engadget.com/duckduckgo-unveils-a-10-privacy-pro-plan-with-a-no-log-vpn-120007653.html?src=rss