Google Bug Exposes Data Of 52+ Million Users

You don’t hear Google Plus (Google+) in the news often and soon, you probably won’t hear it at all. That’s because it’s shutting down. Google announced in October that it was going to do this because of a bug in one of its developer tools. It has since found another one during routing testing. This one affects roughly 52.5 million Google+ users, both consumer and enterprise customers. So, sometime around April of 2019, as opposed to in August when it was previously scheduled, we can all say farewell to this particular social media platform.

This bug didn’t expose passwords or financial information, but it did show the developers that use the API in question the full names, email addresses, ages, occupations, skills, birth dates, genders, photos, and other information that was entered into Google+.

If you have a Google+ profile, it’s recommended you delete it completely. You can do this by going into your account and under “settings,” you can click to delete it under “Account.” Read all the fine print and terms though. Some of your Google Account details will be affected, but others won’t. For example, your photos are archived, unless you posted a photo in a comment. Those are deleted. Your comments are deleted, but your contacts are not.

As with any account online that you’re not using, delete it whenever possible. In this case, you won’t have the option to use it once Google puts the kibosh on it. So, just delete it now and get rid of what information you can so it’s not out there lingering. This may not really matter in the end, but it’s better to be safe than sorry.

Also, any account that you have online has some amount of information on you that will never go away. You lose control over your posts, photos, links, etc. when they are shared. Always keep that in mind when putting anything on the Internet, in social media, or even when filling in forms online.

In this case, Google does not believe that the developers that had access to the information exposed in this API even knew they had that access or that it was misused in any way. The developers that used that API also only had access for six days before the bug was discovered.

Stickley on Security
January 9, 2019

PayPal Phishing Scams Gaining Sophistication

PayPal phishing schemes are fairly common these days. Many, or even most of them are generic in nature. In other words, they don’t target a specific person or group. They are merely crafted in such a way that they can be sent to a large number of people at one time as spam. However, sometimes they arrive as if they could actually be from PayPal and are specific or somehow related to the recipient. This is called spear-phishing, because the attacker has some information which he can spear his target specifically. This tactic is more likely to result in success for the phisher.

Spear-phishing campaigns are on the increase and the use of PayPal as the bait is increasing in sophistication with each new campaign. Cisco researchers have found several versions of imposter PayPal web sites that are so well done, they can trick even the most phishing-savvy person into falling for the scams behind them.

What is making it even more problematic is that these phony websites are actually legitimately registered, sometimes even with actual security certificates attached. Many, such as one of the primary ones used –– are registered through a site called Wix. A list of many of the other fake ones is listed here:

– helpcenter-paypal-rosolution[.]pepitoheyashi[.]ga
– paiiypal[.]com
– paypal-secure-account-information[.]reikitrainingjourney[.]com
– paypal[.]com[.]user[.]accounts[.]lwproductions[.]net
– paypalcomcgibinwebscrcmdloginsubmitdispatch58z8duft875dl80al[.]planetevents[.]co[.]in
– paypalupdate[.]uploadppl[.]com
– paypaluserupdateinfoforupaypalnowclosedbypaypal[.]bodybuildingexercise[.]org
– update[.]paypal[.]com[.]kgreendesigns[.]co[.]za
– www[.]paypal[.]com-webapps-cgi-bin-webscr-login-access[.]com

Unfortunately, the fake sites use the color schemes, text styles, and images from the actual PayPal site, making them nearly impossible to detect. Some have also registered with very popular and legitimate hosts, such as CyrusOne LLC, which also hosts CarFax and Dell. However, there are some ways to tell if one is trying to trick you:

– Check the website name in the address bar. It should be “” and have the “https” in front, as well as the secured site text and lock icon. If you’re using the U.S. site, it may even display as “” and the “us” may be changed to the country for the site you’re using. For the German site, the “us” in that URL is replaced with “de,” for example.

– Check for the little country flag in the lower corner of the site. As of time of writing, it’s in the lower right corner as you scroll down the site. If the site is in the U.S., that flag will be the U.S. flag.

– If you see anything prior to the “.com” other than the word “paypal,” or anything prior to the word “paypal,” it is likely fake. In other words, the only thing that should be between the dots is the word “paypal,” followed immediately by the “.com.”

– The green text, the lock, and the “https” are all positive, though not always definitive indicators of the legitimate site.

Some of these phishing sites actually try to get users to enter credentials other than the ones for PayPal. A common one attempts to spoof an Apple credential verification page. However, Apple and PayPal are not related, so an Apple login page should not show up.

Another site uses Spanish language but targets English speakers. If the text is in another language, those behind it are most definitely up to no good.

It’s likely more of these sites and those using other well-known companies will be popping up in the future. If you need to verify credentials or check something in your account for any online account, go directly to a bookmarked link or type in the address manually, being careful not to make typos. Then login there to do your sanity checks or to make changes. Don’t click on links in email messages to do this, even if you think they may be real. It’s just safer not to.

Stickley on Security
January 11, 2019

How to Remove Credit Report Errors in Three Steps

What do you do when you spot an inaccuracy on your credit report? Take steps to dispute it. Because of the Fair Credit Reporting Act, cleaning up your own credit report is usually quick and easy. Credit reporting agencies (often called credit bureaus) should only report accurate and current information.

Step One – Obtain Your Credit Reports

To know exactly what is happening with your credit, check the reports from all the major credit bureaus – TransUnion, Equifax, and Experian. The information on each report may vary because not all creditors report to every bureau. You may receive a free report from each company once per year from Annual Credit Report Request Service, or you may obtain them from the bureaus directly for a fee:

Annual Credit Report Request Service

P.O. Box 2002
Allen, TX 75002

2 Baldwin Place, P.O. Box 1000
Chester, PA 19022

P.O. Box 740241
Atlanta, GA 30374

Step Two – Know What Can Be Removed

You can’t get rid every negative notation from your file – credit bureaus are obligated to report all credit and debt information as long as it is correct and timely. So what can be removed?

-Wrong information. If the report lists incorrect information, such as an account you never opened, someone else’s name, or a judgment for a lawsuit you were never a part of, you can have it permanently purged from your record.

-Duplicate information. While an account can sometimes show up multiple times, you may want to have your report list it just once. This can prevent lenders from believing you have more debt or credit problems than you actually do.

-Old, negative information. In most cases, negative information, even when accurate, won’t haunt you forever. Your credit report may reflect lawsuits, judgments, liens, foreclosures, a Chapter 13 bankruptcy (from the filing date), late payments, and charged-off accounts for seven years. Chapter 7 bankruptcy will be evident for ten years from the date of filing. Child support arrearage and default notations for student loans, though, can be reported until satisfied.

Step Three – Dispute Inaccuracies

If you do spot errors or items that should have aged off your report, it is time to take action:

-File the dispute with the bureau. You may make your dispute on the company’s website, over the phone, or by mail. In all cases you’ll have to provide your personal identification and a description of what is wrong, and what the correct information is. If you have any documents that support your case (such as copies of cashed checks that confirm you paid an account), include those as well.

-Wait 30 days. After you file your dispute, the bureau has 30 days to investigate the matter, and a dispute notation will show up on your report. The creditor will have this time to verify the information, and if they can’t prove it’s accurate, the bureau will stop reporting it. When the bureau completes the investigation they will send you a written report covering what they found, and an updated copy of your credit report if it resulted in any change.

In the majority of cases, removing inaccuracies is that simple. However, if the investigation results in no change, contact the creditor by phone and/or mail and explain why the information is incorrect and that you want them to report the accurate information. Include copies of supporting documents (a statement showing a zero balance, for example), if you have them. The creditor may not continue to report unproven information.

Finally, if the situation still doesn’t get resolved to your satisfaction (or if the negative information is correct but you have a good reason for why it happened), consider writing a letter of explanation to add to your report. In one hundred words or less, you can explain your side of a credit problem. Write the note clearly, include supportive facts, and send it to the bureaus to be attached to your report. This “100-word statement” could make a positive difference to whoever is reading the report.


To Consolidate or Not to Consolidate…What’s the Best Move for Your Student Loans?

For more and more people, student loans are a fact of life. While there’s no magic bullet to wiping them out, loan consolidation can give you access to different payment options.

When you consolidate your federal loans, the government pays off your balances and substitutes them with one consolidation loan.

Consolidation Versus Refinance

We should point out that consolidation only applies to federal loans. Refinancing, on the other hand, is a different process. It refers to private loans and occurs when you replace your student loans with a loan offered by a bank or credit union, for example.

Refinancing might be appealing if your new interest rate is lower than what you’re paying now. However, approval is more difficult, as you’ll need to have good credit.

For the purposes of this article, we’ll be discussing consolidation only.

Pros and Cons

If you’re thinking about consolidating, here are some important factors to keep in mind.

Reasons to Consolidate:

-You might be able to access special repayment plans

With certain types of loans, consolidation comes with benefits such as income-driven repayment. This tethers your loan payments to your income, and forgives your federal loan balances after 20 or 25 years.

You may also become eligible for Public Loan Forgiveness. Under this program, the government excuses your loan balance after 120 payments, as long as you work a public service job.


If you have multiple loans with different lenders, consolidating makes your life easier. Plus, keeping track of different lines of credit can be tricky, and increases your risk of missing a payment.

Reasons to Keep Your Loans Separate:

-Consolidating won’t save you money

When you consolidate your federal loans, the government gives you a new interest rate based on the weighted average of all your loans’ interest rates. In other words, you won’t be paying less interest. In fact…

-You’ll probably pay more in interest

Consolidated loans are typically extended over a longer period than other kinds of loans. That means, unless you increase your payments, you’ll be spending more money over the life of the loan.


Three Smart Financial Moves for Furloughed Workers

Approximately 800,000 employees are living without a paycheck due to the government shutdown. That means scores of people may be struggling to pay mortgages, keep up with student loans, or even put food on the table for their families. Even if you are able to survive on savings, the fear of losing income with no end in sight can be overwhelming.

Fortunately, there are steps you can take to keep up with your financial obligations during this difficult time. Check out these three important tips:

1. Apply for Unemployment

Furloughed employees are eligible to receive financial assistance during the shutdown. If you haven’t done so already, apply for unemployment benefits. You won’t receive your normal compensation, but some additional cash can help you pay your bills.

To learn more about what you can expect from unemployment insurance as a furloughed worker, visit this government resource.

2. Review Your Budget

With money being tighter than usual, it’s a great time to re-examine how you spend your cash. Most importantly, review discretionary expenses. Do you eat out often? Go to the movies or shop frequently? These are areas where you should cut back in order to keep up with loan payments and any other obligations.

You also want to avoid dipping into your savings if possible. The shutdown might go on longer than expected, and you may eventually need to access your rainy day fund for necessary expenses.

3. Consider Temporary, Part-Time Work

Depending on your situation, you may need income sooner than later.

It might feel awkward to start a new job knowing that you’re going back to your full-time position eventually. However, these days many people participate in the so-called “gig economy.” This refers to part-time jobs that you’re able to control on your own terms, such as driving for a ride-share company. It could be the perfect solution while you wait to return to work.

Being furloughed isn’t easy, but if you take advantage of your unemployment options, re-prioritize your budget, and explore temporary work solutions, you increase your chances of staying financially secure until you receive your regular paycheck again.


Is Your Award Flight A Flight To Nowhere? Keeping Your Frequent Flyer Miles Safe

With all of the concerns about having your identity and financial data hacked, cyber criminals have been silently chipping away at something not on most people’s radar. Hackers are reportedly siphoning frequent flyer loyalty club miles from traveler accounts and then selling them to the highest bidder on the dark web. As we’re literally traveling for the holidays and down the information super highway, all the signs are pointing to the fact that if there’s a buck to be made with any type of cyber thievery, a hacker has already thought of it. Such is the case with airline travel and the perks that go with it, known as travel hacking.

A recent study by Comparitech takes a closer look at travel hacking and just how it’s done. Hackers transfer stolen airline miles into another commodity like gift cards for local merchants such as restaurants, rental cars, and hotel upgrades. Using airline miles for flights and hotels requires identification that hackers and those who purchase the points on the dark web can’t provide, so it’s much easier to make bank by turning those miles into something anyone can use. Although points can be resold for what they are on the black market, point values fluctuate depending on the airline, with the average price being one to two cents per mile. A purchase of 100,000 flyer miles retails on the dark web for about $1,500 in Bitcoin, with Delta SkyMiles and British Airways as the two most popular travel hacking resale points.

At the core of travel hacking is the lack of security inherent in the rewards systems. Whether it’s a data breach or an email phishing attack, login credentials are easily stolen–especially with accounts not using multi-step verification for identity purposes. Along with poor verification protocols, the fact is most travelers don’t keep a close eye on their travel points, especially if they travel infrequently. Most airlines have rules against selling miles, but not against giving them to friends or family members. Without strict enforcement of those rules, airlines often find the difference between selling and giving points is blurred and therefore much easier to overlook.

Keeping your travel miles as safe as can be requires regular monitoring of your account, much in the way we now know to regularly check our credit reports for suspicious activity. Vigilance may be the first step, but there are other ways to back that up that careful monitoring.

– Don’t take a pass on passwords. Keep those travel rewards where they belong by using unique, long passwords that change on a regular basis. There’s always the option to use a password manager for help. Just keep in mind that if your password manager account is breached, so are all of your passwords. That said, using one of those is better than using the same password for multiple accounts.

– Never use email to store or send account numbers or passwords to someone who legitimately needs access to them. Emails get hacked, so it’s always safer to pick up the phone and give the information directly to the intended recipient.

– Don’t toss your boarding pass. Shred it to bits after you’ve confirmed your loyalty points. The bar code on boarding passes contains a wealth of information, including your frequent flyer account number.

– Consider using apps that keep all your travel data handy and alert you to any changes in your account. Just do the research to find one that is legitimate before downloading and never sideload. Get those from the official app store.

– Don’t let your luggage tag give you away. Leave your frequent flyer account number off of the tag–the less your account number is put out in public viewing, the safer it will be.

Stickley on Security
Published December 29, 2018