Topic: Scammers
Percy Member Posts: 23342 From: New Hampshire Joined: Member Rating: 6.1
Michelle Singletary, a personal finance journalist at the Washington Post, has recently run a series of articles about people who've been scammed out of their retirement savings. These links are no doubt behind a paywall, but here they are anyway:
Almost all Washington Post articles conclude with a comments section, but not these except for the last. I suspect that the reason might be that when the Post ran a column by a woman (ironically a financial adviser) who had been scammed in a very similar way, more than half of the comments (mine was one of them) excoriated her for being such an idiot.

The scammers these articles are about are very clever and their schemes are very elaborate. They pretend to be real people whose identity can be verified online, in this case beginning with an FBI agent. The FBI agent gains their trust, convinces them their retirement savings are in danger, and that they must place their savings in government protection.

I know I would never fall for something like this. Earlier this year a nurse from my doctor's office called needing information (I no longer recall the details), and I said I couldn't provide that information because she called me and not the other way around. I said I could call her back so that I knew she was from the doctor's office, and she provided a number. I checked the number against the numbers for my doctor's office and there was no match. I said I couldn't trust that number, that I would only talk with her if I knew it was a number I could trust, which were the numbers I had in my contacts list for my doctor's office. She told me I could call the main number but that it might take a while before they could switch me to her given that she moved around quite a bit in the building. But I wasn't going to take any chances, so I called the number for my doctor's office, and it did take a while to finally get switched to her. The call was genuine. I added the number she used to the list of numbers for my doctor's office.

If someone claiming to be an FBI agent called me I would respond in the same way. I don't have any numbers for the FBI, but I would ask them to provide me a public central number for the FBI that I could verify online.

In my experience it's very hard to convince scammers that you're a likely victim. I've recently become a target for Medicare scammers. I get several calls a day. If I'm in need of a break then I entertain myself by seeing how long I can keep them on the line. I've learned many things I shouldn't say else they will immediately hang up. Most are innocent things such as, "Who did you say you were with again?" <click> or "What did you say your name was again?" <click> When they ask, "Do you have Medicare Part A and Part B?" definitely do not answer, "Do you?" <click>

As you're riding them along there are certain answers you shouldn't give. When they ask your age, do not say "84." I have no idea why, but that's outside their target demographic. Do not say you're not interested in Medicare Advantage plans. When they ask for your Social Security number do not say that you don't give out personal information over the phone. Make up a fake one, else they'll hang up on you.

Returning to the Post articles, I'm amazed at the ignorance and naïveté. Once the scam victims are convinced that their retirement savings are in danger, they are then enlisted in an effort to catch the thieves. They are told everything must be kept very much on the hush-hush, else the thieves will become aware that the FBI is closing in. They can't trust anyone, not their friends, not their closest relatives, not their spouses, and especially not the people at their bank because they are in on the scheme to steal their money.

To keep their retirement money safe they're told to withdraw large sums of cash from their banks, or to purchase gold and take delivery, or to purchase bitcoin. The banks usually try to protect their customers, often warning them that they're concerned they may be the victim of a scam, but they don't listen. They wait on a street corner and when a certain car pulls up they put the cash or gold in the back seat and the car drives off. Or they transfer their money to a bitcoin account. They never see their money again.

I wish these articles had comments sections so I could excoriate these people again. How do you get to be 65 or 70 years of age and actually believe that you're a key part of a sting operation orchestrated by the FBI?

--Percy
Percy Member Posts: 23342 From: New Hampshire Joined: Member Rating: 6.1 |
Now that's a bold one. Are they dressed as police, or are they in plain clothes? If they're in plain clothes then that would definitely set off alarm bells for me. If they're in uniform then that's very bold.
--Percy
Percy Member Posts: 23342 From: New Hampshire Joined: Member Rating: 6.1 |
The latest installment in the series of scammer columns by Michelle Singletary of the Washington Post has just dropped:
--Percy
Percy Member Posts: 23342 From: New Hampshire Joined: Member Rating: 6.1
The easier it is for scammers to find your private information the easier it is for them to scam you or convince someone else they're you. I just discovered a password security hole I've never heard about before.
When you create an account at a secure website, it saves away an encrypted copy of the password you provide using a one-way encryption method, meaning that it cannot be decrypted. When you log in it encrypts the password you enter and compares it to the encrypted copy it has saved away. If they match then it logs you in.

There's an additional detail that makes this even more secure. The first time that it encrypts your password and saves it away, the encrypted password might look like this:

$2y$10$z8Wd/0..dqQ8eaiBYfQ6begJY30usdEXa4ojOEXv7rSCZiemyXWeq

But the next time you log in it will encrypt it again and it will result in a different string. It has to call another function to compare the two strings to see if they're both valid encryptions of your password. If a hacker manages to steal your encrypted password he won't be able to use it, because even if he manages to submit it to a website (say by overwriting a password cookie), the comparison fails because the encrypted strings are identical, an obvious sign of hacking.

But password managers, which are very popular, cannot use one-way encryption, whether they generate the password for you or you provide one yourself. The reason is that when they generate a password for you for, say, Wikipedia they save it away in encrypted form because they have to decrypt it in order to provide a valid password to Wikipedia the next time you log in. Passwords stored away via a decryptable method are very insecure.

Let me describe this way I just discovered by which password managers can place your passwords at risk. Say you have an account at Wikipedia with a password that you selected yourself. Your spouse would like to use your Wikipedia account, but you don't want them to know your password, so you take their laptop, phone or tablet aside, enter your password, and now they're logged into your account but don't know your password.

But if your spouse uses a password manager and clicks "yes" when asked whether to save that password away then the next time they log in the password manager provides the password to the password field, and if the password field has a show/hide button then they can see the password. They now know your password. Their device also knows your password and if it falls into the wrong hands can be used to discover your password.

A compromised Wikipedia account isn't too much to worry about, but what if you use the same password at your bank? What if the password manager uses the cloud and is hacked?

I love my wife, but she doesn't share my paranoia about security. I don't use password managers, and I have never in my life shared a password with anyone, but by logging my wife into one of my online accounts she was able to discover one of my passwords using her password manager and a helpful show/hide button.

The lesson? Never share passwords, not even by logging someone else's device into one of your accounts. It will make it harder for scammers to uncover any personal information that they can use to convince you they're really legitimate, or to convince someone else that they're you.

--Percy
Percy Member Posts: 23342 From: New Hampshire Joined: Member Rating: 6.1 |
PaulK writes:
quote: I’ve not heard of that one, and I don’t see how it can work as described.

This site, using PHP, works that way, though I could have explained it better. password_hash() is called using PASSWORD_BCRYPT as the algorithm. When a user logs in password_verify() checks the user-entered password against the saved hash to see if the saved hash is a valid hash of that password. The old approach of comparing the hashed password against the saved hash no longer works because password_hash() generates a different hash each time it is called with the same password.

quote: Generally you should be submitting passwords over a secure connection which will be encrypted, but the encrypted password will be decrypted before it is sent (with the salt) to the hash function.

Yes, you're right. Two-way encryption for secure communication, one-way hash for secure validation.

Your password advice is right on, but I don't think your average person is ever going to comprehend the critical importance of personal cyber security. Say your average person has accounts at 20 websites. If they use the same password everywhere, with maybe a few minor variations, then that's very insecure, for the reasons you gave. But if they've gotten the message about cyber security and are determined to use a different password at each website then they'll need to write them down, keep them in a file, have a mental system, or use a password manager.

I use two-factor authentication for some sites, and it feels like that should produce a sizeable security improvement, but I haven't investigated its security aspects.

--Percy
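
The password_hash() / password_verify() behaviour described in the post above, as an added example that is not part of the original post and is not the forum's own code. The sample password and the helper names naive_login() and login() are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample password; not taken from the forum or any real account.
$password = 'correct horse battery staple';

// Account creation: bcrypt draws a fresh random salt on every call, so hashing
// the same password twice gives two different 60-character strings.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$again  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// The salt and cost are carried inside the hash string itself:
// "$2y$" + two-digit cost + "$" + 22 salt characters + 31 digest characters.
$info = password_get_info($stored);

// Old approach (hypothetical helper): re-hash the attempt and compare strings.
// The re-hash gets a new salt, so this rejects even the correct password.
function naive_login(string $attempt, string $storedHash): bool
{
    return hash_equals($storedHash, password_hash($attempt, PASSWORD_BCRYPT));
}

// Current approach (hypothetical helper): password_verify() reads the salt and
// cost out of the stored hash, recomputes the digest, and compares the result.
function login(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

$checks = [
    'two hashes of one password are equal' => $stored === $again,
    'naive re-hash-and-compare login'      => naive_login($password, $stored),
    'password_verify, correct password'    => login($password, $stored),
    'password_verify, wrong password'      => login('Correct horse battery staple', $stored),
    // A stolen hash submitted in place of the password is just another wrong guess.
    'password_verify, hash as password'    => login($stored, $stored),
    // True once the site raises its cost; re-hash at the next successful login.
    'needs rehash at cost 12'              => password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]),
];

printf("%s cost=%d salt=%s\n", $info['algoName'], $info['options']['cost'], substr($stored, 7, 22));
foreach ($checks as $label => $result) {
    printf("%-38s %s\n", $label, $result ? 'yes' : 'no');
}
```

Run it with the PHP command-line interpreter; the salt printed on the first line changes on every run, which is why only password_verify() can match a login attempt against the stored hash.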
Percy Member Posts: 23342 From: New Hampshire Joined: Member Rating: 6.1
The scammers struck close to home this time. My sister, less than a year after losing her husband, has fallen for a scam website that is pushing "investing" in cryptocurrency. I put investing in quotes because it isn't really investing.
The way their website works is that you first provide them money through their platform. This is stage 1.

Once they have your money you place bets on whether cryptocurrency will go up or down over the next 30 or 60 seconds. The 30-second bet pays 15% if you're right, and the 60-second bet pays 30% if you're right. If you're wrong you lose your bet. For example, if you bet $1000 that cryptocurrency will go up over the next 30 seconds and you're right, you've gained $150. If you're wrong you lose the $1000. The scamming software that runs the website almost always reports that you're right. This is stage 2.

In a relatively short time the amount you've provided them grows into a substantial sum, and at that point they inform you that you owe them capital gains taxes on the amount you've won. They lock your funds until you pay the taxes. This is stage 3.

Of course, your funds are always, in effect, locked. Once you send them money they never send money back.

My sister has fallen for this scam and is currently seeking a loan to pay the taxes so she can free up all the money she has won. When she came to me for a loan I explained to her that she was the victim of a scam, that all the money she had given them was gone, and that they were lying to her about taxes in order to get her to turn over even more money to them. She doesn't believe me and is still looking for a loan.

--Percy
Copyright 2001-2023 by EvC Forum, All Rights Reserved