Scam Tries to Ruin Your Night Out



If you have ever tried to buy concert tickets, you know it can sometimes be very difficult. They sell out quickly. But there is always a way to get there, if you really want to go. Concertgoers and fans of other live entertainment will turn to resellers for those tickets if necessary, and scammers know it. Recently, one unlucky theater fan found out that Craigslist might not be the best place to buy tickets to a popular sold-out Broadway show. She paid $350 for tickets to see the show, but when she arrived at the door months later, she found out her tickets were counterfeit.

The best way to avoid being scammed in this way is to always buy tickets from a reputable and well-known service that specializes in selling entertainment tickets. Sites like this have better fraud prevention measures and most of them do allow transfer of tickets. If possible, skip the online purchase and go to the venue directly and get your tickets at the box office.

If the online seller asks you to do a wire transfer or pay with gift cards, move to the next one. That’s a red flag that it may be a scam.

Scammers are getting better and better at making fake tickets look authentic, and sometimes it is impossible to tell until you get to the venue and they turn you away. In some cases, instead of selling tickets at what may feel like highway-robbery prices, the scammers take a different approach: they buy a bunch of real tickets, post them for sale at bargain prices, then cancel the transaction or re-transfer the tickets after they receive the money. This allows them to either get their tickets paid for or rip off multiple people using the same tickets.

Now, go put on that favorite concert t-shirt, grab those legitimate tickets, and head out the door. When you get to the venue, you will be able to scream for your favorite act rather than run to the hills back home.

© Copyright 2016 Stickley on Security

Flaws in Samsung Smart Home Let Criminals Walk Right Through Your Front Door


Samsung is in the news again, but this time it isn’t with their smart TVs. Security researchers at the University of Michigan found several issues with the Samsung Smart Home automation system. One of them includes allowing a hacker to essentially make keys and walk right in through the front door of your home.

Specifically, the vulnerabilities are in the SmartApps that are used to control the automation system. Two intrinsic design flaws are at issue: apps can end up with extended privileges, and the SmartThings event subsystem doesn’t protect sensitive information that passes through it, such as lock codes. Several proof-of-concept attacks were performed, and the most dangerous one, called the “backdoor pin code injection attack,” is essentially remote lock picking. It captured the unlock PIN and sent it to the attackers via text.

The attack started with a link sent to a user that brought them to the actual SmartThings login page. After the user entered the user name and password, the flaw in the app allowed the link to redirect the actual credentials to an attacker-controlled address. That gave the attackers the same access as the homeowner.

As so often happens, phishing is how the attack began. So always avoid clicking on links and attachments in email messages, regardless of who appears to have sent them. Instead, use a previously bookmarked link or type in the web address manually. It is very easy for a hacker to make an email look like it came from a legitimate source, so always be 100% certain it is safe before clicking. It really is better to get into the habit of typing addresses in separately or using bookmarks.

Samsung has not indicated any timeframe for fixing the issues found by the researchers or if they will be providing a patch at all. Therefore, if you already have this system installed, consider disconnecting critical components such as the door locking capabilities or putting the system into vacation mode. One of the attacks resulted in the researchers disabling that mode.

Although Samsung has put the blame on third-party developers and those clicking the malicious links, at some point it may indeed issue a patch for this. If and when it does, make sure you apply it right away. The same goes for any security or critical updates or patches issued for products that have control capabilities via the Internet. Other examples are comfort control systems, smart TVs and digital recording systems such as TiVo, solar system monitoring apps, and a whole host of others that are on your home network. All of these are entry points into your home and should be kept updated at all times.

Other results of the proof-of-concept attacks included the ability to secretly plant door lock codes and trigger fake fire alarms. The exploits are not limited to any particular model. In the report, the authors noted that “55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device.” Forty-two percent of the 499 apps tested granted access that was not requested.

Samsung has stated that the issues “would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication.” However, it also has put in place additional security review requirements for any SmartApps.
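An added illustration, not code from the report or from SmartThings: a small model of the two kinds of overprivilege the report quote describes, coarse-grained capabilities and whole-device access. The capability names, commands and the two sample apps are constructed for the example.

```python
# Added example. Constructed capability model (illustrative names, not the
# platform's real definitions): each capability bundles several commands.
CAPABILITY_COMMANDS = {
    "lock": {"lock", "unlock"},
    "lock_codes": {"set_code", "delete_code"},
    "battery": set(),  # read-only status, grants no commands
}

# Constructed device: a door lock exposing three capabilities.
DOOR_LOCK = ["lock", "lock_codes", "battery"]

# Constructed apps: what each one asks for and what its code really calls.
AUTO_LOCK_APP = {"requests": ["lock"], "uses_commands": ["lock"]}
BATTERY_APP = {"requests": ["battery"], "uses_commands": []}


def granted_commands(capabilities):
    """All commands unlocked by a set of capabilities."""
    commands = set()
    for cap in capabilities:
        commands |= CAPABILITY_COMMANDS[cap]
    return commands


def audit(app, device_capabilities):
    """Compare what an app needs with what it ends up able to do."""
    requested = set(app["requests"])
    used = set(app["uses_commands"])

    # 1. Coarse-grained capability: asking for "lock" to call lock()
    #    also hands over unlock(), because they ship as one bundle.
    by_request = granted_commands(requested)
    coarse_excess = by_request - used

    # 2. Whole-device access: once bound to the device, the app can reach
    #    commands from capabilities it never requested.
    unrequested = set(device_capabilities) - requested
    device_excess = granted_commands(unrequested) - by_request

    return {
        "coarse_grained_excess": sorted(coarse_excess),
        "device_level_excess": sorted(device_excess),
        "overprivileged": bool(coarse_excess or device_excess),
        "least_privilege_grant": sorted(used),
    }


if __name__ == "__main__":
    for name, app in [("auto-lock", AUTO_LOCK_APP), ("battery", BATTERY_APP)]:
        print(name, audit(app, DOOR_LOCK))
```

The `least_privilege_grant` field is what a finer-grained permission model would hand the app instead: only the commands its code actually calls.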

© Copyright 2016 Stickley on Security

127 Embarrassing Characters Coming to Your Twitter Feed Soon


It’s happened again. Another social media site is in the news being accused of a network breach. The user names and passwords of well over 32 million Twitter users have been found for sale on the dark web, as happened to LinkedIn and MySpace users recently. Some analysts confirmed they were Twitter account credentials. It is uncertain how the information was obtained, but both malware and password reuse are being blamed. Twitter is confident that there has not been a breach of its network.

Be sure to never use the same login credentials for multiple sites. It’s just a bad idea all around. The reason the credentials get sold is not necessarily that someone wants to mess with your Twitter account; it is that so many people use the same password for multiple sites that hackers are very often successful at getting into financial accounts with them.

Remembering so many passwords can be complicated, but it is really to your benefit to do it.

Jim Stickley of Stickley on Security recommends creating a single “default” password and adding to it for each site, using the name of the site. For example, if your base password is “PASSWORD” and you are going to Yahoo!, your password for that site could become “PASYSWORD” by inserting the first letter of the site into the same spot in your default password. In this case, it’s in the fourth position. However, you could use two of the letters to bookend it as well, such as “YPASSWORDO.”

Stickley is sure to emphasize that “PASSWORD” would be a terrible default password, but it’s merely an example.

If you have to write your passwords down, make sure to keep that list in a separate location from your computer. Either put a paper list in a secured cabinet or drawer or a digital list on a removable drive of some type. If someone does manage to get access to your computer, they could find that file and have access to all of your online accounts as well.

Since Twitter says it has not had a breach, the malware theory is that the passwords were taken from users’ browsers. Browsers offer an option to remember passwords when you type them in. It is suspected that malware somehow made it onto the users’ systems and found those passwords in the browsers. However, this has not been determined to be the culprit either.

In any case, Stickley believes saving passwords in the browser is a bad idea and he does not recommend it. Instead, just take the few extra seconds to retype the password into the site each time. It could save you a big headache later and it certainly lowers your risk of becoming a victim and having something embarrassing tweeted to all your followers.

© Copyright 2016 Stickley on Security

Typosquatters Take Advantage of Simple Mistakes to Download Malware


Simple mistakes really can harm you and typosquatting is one way hackers take advantage of people’s typographical mistakes. Also referred to as domain jacking (or do-jacking), this type of hack is when the cyber criminals intentionally register web domains that are slightly different from something that is well-known and likely to be mistyped at some point. For example, instead of “bank,” the registered site might be bnak in hopes that someone will be in a hurry and mistype the domain when going to their bank’s online site.

These are not the only typosquatting methods used. The site can also be .cm or .om instead of .com. Other prominent examples are twtter or appl and often this trick is employed when phishing email messages are sent out.
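An added example, not part of the original article: one way a mail or web filter could flag the look-alike domains described above (swapped or dropped letters, .cm or .om in place of .com) by comparing each name against a list of trusted domains. The trusted list, the function names and the one-edit threshold are assumptions chosen for illustration.

```python
# Added example: flag domains that are one typo away from a trusted domain.
# TRUSTED is a constructed list; a real deployment would supply its own.
TRUSTED = ["bank.com", "twitter.com", "apple.com", "netflix.com", "citibank.com"]

# TLDs the article names as stand-ins for a mistyped ".com".
LOOKALIKE_TLDS = {"cm": "com", "om": "com"}


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]


def registrable(domain):
    """Return (name, tld) taken from the last two labels of a host name.

    Assumption: single-label TLDs only; suffixes such as co.uk are not handled.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(domain, trusted=TRUSTED, max_distance=1):
    """Return (verdict, nearest_trusted_domain, reason)."""
    name, tld = registrable(domain)
    if f"{name}.{tld}" in trusted:
        return ("trusted", f"{name}.{tld}", "matches a trusted domain")
    for good in trusted:
        good_name, good_tld = registrable(good)
        dist = osa_distance(name, good_name)
        tld_swapped = LOOKALIKE_TLDS.get(tld) == good_tld
        if dist > max_distance or not (tld == good_tld or tld_swapped):
            continue
        reasons = []
        if dist:
            reasons.append(f"name is {dist} edit from '{good_name}'")
        if tld_swapped:
            reasons.append(f".{tld} in place of .{good_tld}")
        return ("suspicious", good, "; ".join(reasons))
    return ("unknown", None, "not close to any trusted domain")


if __name__ == "__main__":
    # Constructed inputs based on the article's examples.
    for d in ["bnak.com", "twtter.com", "appl.com", "netflix.om",
              "www.citibank.com", "example.org"]:
        print(d, classify(d))
```

A one-edit threshold will also flag some legitimate names that sit close to a short trusted name, so a "suspicious" verdict is a prompt to check the address, not proof of fraud.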

Education is critical to avoiding this. Jim Stickley of Stickley on Security says that if your customers are not educated on security, you may be accepting additional and unnecessary risk. The more they are educated, the less likely they will fall victim and that helps everyone.

Recently, it was found that the .om versions of several popular websites, such as Netflix and Citibank, were registered in Oman. While sometimes these may be legitimate sites for those companies, they were not in this case. These were intended specifically to install adware malware onto users’ computers. These do-jacked websites would redirect multiple times before displaying an Adobe Flash update dialogue. If the announcement was accepted, malware was installed that advertised software that generated revenue for its author.

If you see a dialogue pop up on your computer, don’t simply click something to get the message to go away. Make sure to read it and choose the desired answer. Don’t fall victim to popup or warning notice fatigue. Hackers are counting on this and will take advantage at every opportunity.

While you’re at it, if you need to update software on your system, use the update feature of the software or go to the developer’s website directly. Dialogue boxes are often used to download malware.

© Copyright 2016 Stickley on Security

10 Years and Counting: Points to Consider as You Approach Retirement


If you’re a decade or so away from retirement, you’ve probably spent at least some time thinking about this major life change. How will you manage the transition? Will you travel, take up a new sport or hobby, or spend more time with friends and family? Should you consider relocating? Will you continue to work in some capacity? Will changes in your income sources affect your standard of living?

When you begin to ponder all the issues surrounding the transition, the process can seem downright daunting. However, thinking about a few key points now, while you still have years ahead, can help you focus your efforts and minimize the anxiety that often accompanies the shift.

Reassess your living expenses

A step you will probably take several times between now and retirement–and maybe several more times thereafter–is thinking about how your living expenses could or should change. For example, while commuting and other work-related costs may decrease, other budget items may rise. Healthcare costs, in particular, may increase as you progress through retirement.

Try to estimate what your monthly expense budget will look like in the first few years after you stop working. And then continue to reassess this budget as your vision of retirement becomes reality. According to a recent survey, 38% of retirees said their expenses were higher than they expected.¹ Keeping a close eye on your spending in the years leading up to retirement can help you more accurately anticipate your budget during retirement.

Consider all your income sources

First, figure out how much you stand to receive from Social Security. In early 2016, the average monthly retirement benefit was about $1,300.² The amount you receive will depend on your earnings history and other unique factors. You can elect to receive retirement benefits as early as age 62; however, doing so will result in a reduced benefit for life. If you wait until your full retirement age (66 or 67, depending on your birth date) or later (up to age 70), your benefit will be higher. The longer you wait, the larger it will be.³

You can get an estimate of your retirement benefit at the Social Security Administration website. You can also sign up for a my Social Security account to view your online Social Security statement, which contains a detailed record of your earnings and estimates for retirement, survivor, and disability benefits. Your retirement benefit estimates include amounts at age 62, full retirement age, and age 70. Check your statement carefully and address any errors as soon as possible.

Next, review the accounts you’ve earmarked for retirement income, including any employer benefits. Start with your employer-sponsored plan, and then consider any IRAs and traditional investment accounts you may own. Try to estimate how much they could provide on a monthly basis. If you are married, be sure to include your spouse’s retirement accounts as well. If your employer provides a traditional pension plan, contact the plan administrator for an estimate of that monthly benefit amount as well.

Do you have rental income? Be sure to include that in your calculations. Might you continue to work? Some retirees find that they are able to consult, turn a hobby into an income source, or work part-time. Such income can provide a valuable cushion that helps retirees postpone tapping their investment accounts, giving the assets more time to potentially grow. Some other ways to generate extra cash during retirement include selling gently used goods (such as furniture or designer accessories), pet sitting, and participating in the sharing economy–e.g., using your car as a taxi service.

Pay off debt, power up your savings

Once you have an idea of what your possible expenses and income look like, it’s time to bring your attention back to the here and now. Draw up a plan to pay off debt and power up your retirement savings before you retire.

Why pay off debt? Entering retirement debt-free–including paying off your mortgage–will put you in a position to modify your monthly expenses in retirement if the need arises. On the other hand, entering retirement with a mortgage, loan, and credit-card balances will put you at the mercy of those monthly payments. You’ll have less of an opportunity to scale back your spending if necessary.

Why power up your savings? In these final few years before retirement, you’re likely to be earning the highest salary of your career. Why not save and invest as much as you can in your employer-sponsored retirement savings plan and/or IRAs? Aim for maximum allowable contributions. And remember, if you’re 50 or older, you can take advantage of catch-up contributions, which enable you to contribute an additional $6,000 to your 401(k) plan and an extra $1,000 to your IRA in 2016.

Manage taxes

As you think about when to tap your various resources for retirement income, remember to consider the tax impact of your strategy. For example, you may want to withdraw money from your taxable accounts first to allow your employer-sponsored plans and IRAs more time to potentially benefit from tax-deferred growth. Keep in mind, however, that generally you are required to begin taking minimum distributions from tax-deferred accounts in the year you turn age 70½, whether or not you actually need the money. (Roth IRAs are an exception to this rule.)

If you decide to work in retirement while receiving Social Security, understand that income you earn may result in taxable benefits. IRS Publication 915 offers a worksheet to help you determine whether any portion of your Social Security benefit is taxable. If leaving a financial legacy is a goal, you’ll also want to consider how estate taxes and income taxes for your heirs figure into your overall decisions.

Managing retirement income to result in the best possible tax scenario can be extremely complicated. Qualified tax and financial professionals can provide valuable insight and guidance.⁴

Account for health care

In 2015, the Employee Benefit Research Institute reported that the average 65-year-old married couple would need $213,000 in savings to have at least a 75% chance of meeting their insurance premiums and out-of-pocket health-care costs in retirement. This figure illustrates why health care should get special attention as you plan the transition to retirement.

As you age, the portion of your budget consumed by health-related costs (including both medical and dental) will likely increase. Although original Medicare will cover a portion of your costs, you’ll still have deductibles, copayments, and coinsurance. Unless you’re prepared to pay for these costs out of pocket, you may want to purchase a supplemental Medigap insurance policy. Medigap policies are sold by private health insurers and are standardized and regulated by both state and federal law. These plans cover certain specified services, but offer different combinations of coverage. Some cover all or part of your Medicare deductibles, copayments, or coinsurance costs.

Another option is Medicare Advantage (also known as Medicare Part C), which allows Medicare beneficiaries to receive health care through managed care plans and private fee-for-service plans. To enroll in Medicare Advantage, you must be covered under both Medicare Part A and Medicare Part B. For more information, visit

Also think about what would happen if you or your spouse needed home care, nursing home care, or other forms of long-term assistance, which Medicare and Medigap will not cover. Long-term care costs vary substantially depending on where you live and can be extremely expensive. For this reason, people often consider buying long-term care insurance. Policy premiums may be tax deductible, based on a number of different factors. If you have a family history of debilitating illness such as Alzheimer’s, have substantial assets you’d like to protect, or want to leave assets to heirs, a long-term care policy may be worth considering.⁵

Ease the transition

These are just some of the factors to consider as you prepare to transition into retirement. Breaking the bigger picture into smaller categories and using the years ahead to plan accordingly may help make the process a little easier.



Broadridge Investor Communication Solutions, Inc. does not provide investment, tax, or legal advice. The information presented here is not specific to any individual’s personal circumstances.

To the extent that this material concerns tax matters, it is not intended or written to be used, and cannot be used, by a taxpayer for the purpose of avoiding penalties that may be imposed by law. Each taxpayer should seek independent advice from a tax professional based on his or her individual circumstances.

These materials are provided for general information and educational purposes based upon publicly available information from sources believed to be reliable—we cannot assure the accuracy or completeness of these materials. The information in these materials may change at any time and without notice.

Non-deposit investment products and services are offered through CUSO Financial Services, L.P. (“CFS”), a registered broker-dealer (Member FINRA/SIPC) and SEC Registered Investment Advisor. Products offered through CFS: are not NCUA/NCUSIF or otherwise federally insured, are not guarantees or obligations of the credit union, and may involve investment risk including possible loss of principal. Investment Representatives are registered through CFS. NASA Federal Credit Union has contracted with CFS to make non-deposit investment products and services available to credit union members.


¹ 2016 Retirement Confidence Survey, Employee Benefit Research Institute.

² Social Security, Monthly Statistical Snapshot, February 2016.

³ Note that if you work while receiving Social Security benefits and are under full retirement age, your benefits may be reduced until you reach full retirement age.

⁴ Working with a tax or financial professional cannot guarantee financial success.

⁵ A complete statement of coverage, including exclusions, exceptions, and limitations, is found only in the LTC policy. It should be noted that carriers have the discretion to raise their rates and remove their products from the marketplace.


Is Social Media Scamming You? Five Popular Scams and How to Avoid Them


Cyber criminals will use whatever they can think of to try to get your online banking credentials or other information they can sell on the dark web. Here are five ways they use social media to do it and how you can avoid giving up your information, in no particular order.

  1. They use the comments on news articles and popular posts on Facebook by adding their own posts with a conveniently clickable link included. Those who click the link may be taken to fake websites or presented with a form in which the user is supposed to enter information. Often the links are accompanied by catchy headlines (click bait) themselves.
  2. They create fake customer service accounts on Twitter, Facebook, LinkedIn, or other social media that pretend to help customers. For example, they may see a Twitter user complaining about not being able to reach a representative. They reply to that user with a post that includes a link to another site where the user is led to believe he or she will get assistance. Unfortunately, the link really is phony and asks for login credentials and/or other sensitive information.
  3. They create social media accounts using names that sound like legitimate companies, such as Netflix, and offer discounts. When users click links included in these, they are asked for account information or other details that can be sold.
  4. They use fake online surveys and polls to trick users into inputting information that can be later sold or used for fraud. An example is setting up a realistic news story and asking what users think. A link is included, naturally, but it goes to a fake site where personal information is requested. Often the “surveys” promise a chance to win a fabulous prize.
  5. They pretend to offer live streaming of big events, such as the Olympics or other popular sporting events. Often they attach a link to a posted story about the event that is on Facebook. However, when the included links are clicked, a request for personal information appears, claiming the video cannot play until it is entered.

Avoid these scams by not clicking links or putting information into any form that appears as a result of clicking links. If you need to reach your financial institution or other organization for any kind of support, contact them directly using information from their website that you have previously bookmarked. Alternately, type the name of the site into the browser manually.

View any comment posted in social media that claims to help you or offer you something sensational with suspicion. If you want to stream an event, go to the website of a well-known and trusted source to get there, such as the major sports broadcasting companies, media outlets, or television networks.

Use apps that are downloaded from the official app stores for your devices. These are typically put under additional scrutiny for security before being allowed into the app stores. Sideloading (downloading apps from places other than the app stores) is not recommended because it introduces additional risk of executing malware on your devices.

As always, make sure all internet-connected devices have anti-malware installed and that it is kept updated. Also, keep all your software and operating systems updated with the latest critical and security patches. While these actions don’t guarantee malware won’t be installed or a vulnerability won’t be exploited, they reduce your risk significantly, and the relatively small effort is worth it compared with dealing with malware.

© Copyright 2016 Stickley on Security