Essential oils come from exotic plants all over the world, but do the companies selling these oils have the proper permits to import and sell the products made from them? The company Young Living has been sentenced for importing rosewood oil and spikenard oil without permission, and must pay $760,000 for importing the products without permits.
Why would someone need to dispose of a huge amount of cash — tens of thousands of euros — very quickly? That’s what authorities in Geneva, Switzerland, want to know, after finding wads of foreign cash clogging toilets at a bank and at restaurants around the city. The euro is a useful currency for stashing huge amounts of ill-gotten money, since its largest note is worth almost $600. The U.S. dollar now tops out at the $100 bill. Yet who flushed the cash, and why did they do it? The first notes were discovered in a toilet near the safety-deposit box department at a Geneva branch of UBS. It’s possible that someone may have kept a large amount of cash in one of the boxes and disposed of it after retrieving it. The mystery deepened a few days later, when restaurants in Geneva found that their toilets were clogged with cut-up cash as well. Police say that someone tried to cut the bills up before flushing them, but why were they destroying so much cash in the first place? We may never know. It’s worth noting that it’s not technically a crime to destroy banknotes in Switzerland. Still, the bill-flusher’s behavior indicates that he or she was trying to hide some other activity from authorities.
When you download an app meant to clean your computer, you assume that it’s supposed to remove junk from your machine, not add more. Yet for about a month, downloads of the popular program CCleaner came with a free bonus dose of malware, installed on millions of PCs around the world.
Clean up some crap, add some crap
CCleaner is a shortened and cleaned-up name; the program was once better known as “Crap Cleaner.” The security software company Avast recently acquired the company that created it, Piriform. It helps speed up systems, remove temporary files, and delete programs while actually fully removing them from one’s system. It’s a free app with paid upgrades that unlock more features, and has been downloaded billions of times. The compromised version of the program was distributed between Aug. 15, 2017 and Sept. 11, 2017. It was part of the Windows and cloud versions of CCleaner, distributed as version 5.33.6162. Yes, the malware installer piggybacked on the official versions of the app. Since the compromised program came with a genuine Norton signature and was on the company’s servers, the investigation shows that baddies probably gained access to the company’s systems either by posing as one of its developers or using a developer’s login to add the extra malware to the program.
So what should I do?
Piriform pushed a malware-free version of the program to users, and you should make sure that you’ve updated your copy to the latest version if you’re a CCleaner user. The good news is that the malware was two-stage, and the malicious program hadn’t been installed on target computers… yet. Piriform and other experts believe that the end game here was probably to stage a future botnet attack on an outside target, turning your PC into part of a zombie army attacking… someone. If you want the super-technical details of how the malware worked and how this happened, read up at Cisco Talos, the research group that discovered the mostly-hidden malware, and Piriform’s news site.
Is Payless ShoeSource trying to recover from bankruptcy by discouraging customers from ever redeeming their gift cards? A Consumerist reader bought a discounted gift card from a card exchange site, then was annoyed when his local Payless store wouldn’t accept it. The retailer says that it accepts virtual gift cards in its stores, but only from certain vendors, and only after taking very specific anti-fraud measures.
So, you want to buy and sell gift cards online
Reader Steve contacted Consumerist about his issue with a gift card for Payless ShoeSource that he bought from a marketplace. He believed that Payless was up to some trickery and refusing to accept gift cards that customers had bought in good faith. We found that wasn’t the case, but ruling that out means doing some research before you buy discounted gift cards online. Before we get into Steve’s story, it’s important to understand gift card exchange sites and how they work. Ostensibly, these sites exist so people with gift cards they don’t want can exchange them for either cash or a card that they do want. Would you rather have a $25 Outback Steakhouse card that you’ll never use because you’re a vegan, or twenty bucks in your PayPal account? However, they can also be used to sell gift cards that have either been stolen the old-fashioned way, or that scam victims have used as currency. There’s a reason why iTunes and Amazon gift cards are popular forms of currency for paying scammers: There’s always a market for them, and they can be resold quickly. Marketplaces can also be used to sell gift cards obtained from shoplifting. In this scam, people steal from brick-and-mortar retailers, then return the goods for gift cards and re-sell those gift cards for cash. They might sell those cards online, including in online marketplaces. From some sites, you can buy just a code instead of a physical card. That means the gift credit can change hands instantly, without having to wait for a card to be mailed. The buyer can turn around and spend this code on a retailer’s website, and some retailers accept them from some gift card marketplaces as payment in stores. It’s those limitations that are important for Steve’s story, since a gift card marketplace site sold him a gift card code that the retailer isn’t willing to accept.
Pay even less
Steve bought a gift card code worth $31 from ABC Gift Cards, a site that he says that he normally trusts. He brought this code over to a physical Payless store, but they wouldn’t accept it, since the chain’s policy is that it only accepts virtual gift cards from the sites Raise and Gift Card Mall, and customers have to meet strict requirements. He was told that he would have to print out the virtual gift card and hand this copy over to the store, and the store would write down his driver’s license number and keep it with the printout. Steve thought that this sounded excessive, and speculated that Payless was trying to weasel out of accepting pre-bankruptcy gift cards. “This bulls–t policy makes a lot of sense since Payless is bankrupt and every gift card they refuse to honor is more money they get to keep,” he emailed to Consumerist. Unlike some retailers, Payless accepted gift cards all through its Chapter 11 bankruptcy, and at store liquidation sales. Now that it has emerged from bankruptcy, the company plans to accept its old gift cards indefinitely. Steve’s hypothesis would be true in some retail bankruptcies, but not this one. We checked with Payless about using gift card codes purchased from third-party sites. A company spokeswoman confirmed that yes, it only accepts cards from Raise and from Gift Card Mall, and yes, it requires a printout of the virtual gift card.
The code wasn’t useless after all
We learned that Steve could have used the code on the Payless website as long as the seller provided the PIN used for online purchases. However, that wouldn’t have been helpful if he needed the shoes right then and couldn’t wait for them to be shipped, or if he were shopping a liquidation sale at a local store. The transaction worked out okay for Steve. He received a refund from ABC Gift Cards when he reported that he had trouble spending the gift card. He most likely could have used the code online with no problems, but he didn’t know that at the time. Consumerist checked with ABC Gift Cards to ask about how it markets cards for retailers that don’t accept them, but hasn’t yet received a response. We will update this post if we do.
When you check into a hotel and provide a photo ID, your expectation is that the hotel will be holding this info for its records in case you mess up the room or try to skip out on your bill. What you don’t expect is that the hotel management is taking its daily guest logs and turning them over to federal immigration officials. Earlier this week, an article in the Phoenix New Times pointed to a recent pattern of frequent arrests by Immigration and Customs Enforcement (ICE) officers at two Motel 6 locations in the Phoenix area. Records showed that ICE was showing up at these two Motel 6 addresses at a rate of about once every two weeks, while New Times reporters couldn’t find any evidence of ICE making arrests at any other area hotels during the same time period. Warrants granted for these arrests only stated that the officers were “following a lead,” though these were leads with incredibly specific information about the allegedly illegal aliens staying at the hotel. It appeared to those concerned that someone at the hotels was the source of the information being provided to ICE. In fact, Motel 6 staff confirmed to the New Times that they weren’t just calling ICE when they suspected that a guest was in the country illegally. They were giving daily reports of all guests to the officers. “We send a report every morning to ICE — all the names of everybody that comes in,” a front-desk clerk admitted to the New Times. “Every morning at about 5 o’clock, we do the audit and we push a button and it sends it to ICE.” Unlike some Motel 6 locations that are owned by franchisees, the two Phoenix hotels involved in this story are corporate-owned, but in a statement released after the story broke, the company still contends that the decision to voluntarily turn over all guest records to ICE was made at the local level and without knowledge of Motel 6 HQ.
“When we became aware of it, it was discontinued,” says the hotel chain, which is promising to make sure that all 1,400 of its locations now understand that “they are prohibited from voluntarily providing daily guest lists to ICE.”
We’re constantly learning new things about the massive Equifax data breach, including its actual cause, that it affected people all over the world, and that the Federal Trade Commission is investigating. Let’s back up, though, and remember something important: Along with the millions of Social Security and driver’s license numbers, 200,000 customer credit card numbers were taken too. Krebs on Security obtained a confidential alert that Visa and MasterCard sent to financial institutions, and the alert is pretty specific. Fraud alerts that go out to banks and other financial institutions after a payment data breach usually have incomplete information and can’t name specific customers, but for cards that the Equifax hackers took, the networks had more detail than that. The credit card networks know which customers’ cards were breached and shared that information with banks. They also were able to confirm the source that the numbers were taken from, Equifax. It’s easy to skip over a mere 200,000 credit card numbers when the ingredients to commit identity theft on half of all American adults were also taken. However, the hackers were able to obtain card numbers and expiration dates as well as users’ names, which is enough information to create a magnetic stripe cloned card or place fraudulent orders from some websites. Equifax estimates that the hackers downloaded the credit card data sometime in mid-May of 2017, and the company didn’t discover the breach until the end of July 2017.
Now that Equifax is part of the mass public consciousness for failing to secure sensitive financial and personal information for about half of the adult U.S. population, soulless scammers are trying to prey on this heightened awareness by blasting out fake calls to people, asking them to verify their account information. This morning, the Federal Trade Commission — which is currently investigating the data breach — posted a consumer fraud alert, warning Americans that Equifax is not trying to call you, no matter what some jerk on the phone claims. The FTC says that if you receive a call from someone claiming to be from Equifax, just hang up. “Don’t tell them anything,” writes the FTC. “They’re not from Equifax. It’s a scam. Equifax will not call you out of the blue.” Don’t press any buttons or give them any info. Just hang up and get on with your day. To help the FTC catch these scammers, you should also report the bogus call via the FTC’s online complaint portal. Every little bit of information the FTC gets about these calls can aid in tracing them back to the amoral morons who think this is an acceptable way to make a buck. If you are worried that there is some extraordinary reason that Equifax would be calling you out of all the 143 million people affected by this breach, you can always call the company back at 866-447-7559.
It’s been a week since credit reporting agency Equifax admitted it had lost sensitive personal data for 143 million American consumers — one of the worst data breaches yet. Now, the company says it knows how the intruders got in… and it’s through a bug that was first identified six months ago.
The Problem
Equifax updated its breach information page this week to identify the vulnerability malicious actors were able to use to get access to all that juicy private data. The issue was in the Apache Struts framework, code used to develop and run Java-based apps for web servers. Loads of companies, including other banks and credit reporting agencies, rely on versions of Apache Struts to work. Ars Technica reported on the vulnerability in early March. Means of exploiting the vulnerability were “trivial, reliable, and publicly available,” Ars noted at the time, making the flaw high-impact, high-visibility, and leaving major sites vulnerable to an increasing wave of attacks. By the time Ars ran that story on March 9, Apache had already issued a patch. And yet by the time the big breach began two months later, in mid-May, Equifax had apparently still not updated, since its systems were vulnerable to that flaw. Ars notes that applying this particular patch is “labor intensive and difficult,” due to the way the software works. But clearly the worst-case outcome of not doing it has proven to have massive consequences for not only nearly half the entire U.S. population, but tens of millions of people around the world as well.
The Investigation
In an extremely unusual move, the Federal Trade Commission has confirmed that it has opened an investigation into the circumstances of the Equifax breach. “The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” an agency spokesman told media. The FTC is responsible for overseeing business compliance with laws that require credit reporting agencies to keep non-public personal information, well, non-public. So although it’s exceedingly rare for the Commission to confirm an investigation has been opened, it’s also unsurprising they would do so in this case. Virginia Senator Mark Warner on Wednesday sent a letter [PDF] to the FTC requesting it launch an investigation into the massive data breach. “Aspects of this breach raise questions about the data security practices of Equifax that implicate the FTC’s existing authority,” Warner wrote. The Senator also called out several of “Equifax’s post-breach actions,” including poor site management of the breach notification portal, weak user PINs for credit freezes, and confusing notification to consumers who just wanted to know if they were hit. “Taken as a whole, and given past breaches by other major credit bureaus, these lapses may potentially represent a systemic failure by firms currently incentivized to collect and store highly sensitive identification and financial data for Americans,” Warner said.
“I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.” In the wake of consumer complaints and media coverage, Equifax says this week it has updated call center support, added clarification about mandatory binding arbitration, and revamped the way it issues PIN codes to consumers placing freezes on their credit. We’ve asked Equifax for a comment and will update if we hear back.
With more than 143 million consumers’ personal information now circulating on the dark web thanks to the massive Equifax data breach, there’s no doubt many of these victims are turning to the other two major credit bureaus — TransUnion and Experian — for credit freezes and monitoring services. But is one of these agencies cashing in on the Equifax hack by raising the price for its services? That’s the accusation some long-time TransUnion customers are throwing out after finding their TrueCredit monitoring service bill increased by 50% this month — just days after Equifax’s breach came to light.
An Inconvenient Increase
Reader Frank tells Consumerist that he was shocked to see his monthly TrueCredit monitoring service tab jump from $9.95 to $14.95. Of course it’s not uncommon for companies to increase the fees on their services over time or at the end of a promotional period. However, in Frank’s case, a promotional price wasn’t in play, as he’s had the service since 2003, and always paid $9.95/month. Additionally, he says he hadn’t received any kind of notice from TransUnion that the cost of the service would be increasing. The abrupt change and the timing of the increase were concerning to Frank. “I find it interesting that they decided to raise the cost by 50% on existing customers at precisely the time that Equifax disclosed their breach,” he tells Consumerist. “It seems like the moral equivalent of price-gouging for water during a hurricane.” When he reached out to TransUnion’s customer service about the issue, he received a less than helpful answer. He was told that the company had increased the service cost without notice. If he didn’t like it, he could cancel the service for a full refund of the month’s fees. Consumerist has reached out to TransUnion about the increase and the blunt response Frank received. We’ll update this post when we hear back.
Where’s The Freeze?
Frank isn’t the only TransUnion customer to run into issues with the company’s services following the Equifax breach. Several Reddit users shared their dissatisfaction with the credit reporting agency this week, claiming that TransUnion was pushing them into credit monitoring service rather than simply freezing their credit. A credit freeze — generally free for identity theft victims — prevents lenders and others from accessing a consumer’s credit report in response to a new credit application. With a freeze in place, even the bona fide account holders will need to take special steps if they want to apply for any type of credit or unfreeze the account. One user says he noticed a change on the TransUnion website Wednesday morning while providing links to family on how to freeze their credit in the wake of the Equifax breach. “I froze my credit the day after news about the Equifax breach broke, and it looks like TransUnion has since changed their site to push people away from freezing their credit in favor of their own product called TrueIdentity,” the user claims. The Redditor says the company’s website previously provided easy-to-follow instructions for placing a credit freeze and had no mention of TrueIdentity. Now, however, if someone wants to place a credit freeze they must traverse through a page of information about credit and fraud, then click on the “about credit freeze” button. The next page, once again, tries to convince customers to enroll in TrueIdentity.
The user says that the new language related to the credit freeze is passive and dissuasive, “A credit freeze may be available under your state law.” Conversely, the language related to the TrueIdentity service appears phrased for action, “Lock your credit information by enrolling in TrueIdentity.” While TrueIdentity is free of charge and allows customers to lock and unlock their credit, a premium version of the service is $10/month. “This is such a blatant attempt by TransUnion to take advantage of the Equifax breach for their own financial gain,” Reddit user Equisux wrote. “It’s a shitty thing for TransUnion to do, and people should be aware that they are being led away from putting an actual credit freeze on their account.”
No Freezes Here
Other consumers note on the thread that they have had a difficult time enrolling in credit freezes through the company. Redditor InformalProof reports that after going through the steps on the phone to obtain a credit freeze he was told that the credit card number “you entered is not a valid credit card number.” He was then put on hold and hung up on. “This happened to me yesterday, right after I entered my numeric address,” Redditor Dr_Iridium wrote. “They ‘could not verify’ and transferred me to an agent but I was hung up on in the process.” It is possible that TransUnion’s credit freeze phone system — which is automated — is overwhelmed given the extent of the Equifax breach. Consumerist has reached out to TransUnion for information on both the website changes and difficulties in enrolling in credit freezes. We’ll update this post when we hear back.
The cheating diesels that Volkswagen has bought back as part of its settlement with purchasers are sitting in vehicular purgatories across the country, waiting to be repaired so they can go to new homes. Only some of them were sprung early: 69 “Dieselgate” vehicles were stolen only to turn up with fake Michigan titles at an auto auction in Kentucky. Volkswagen needs a lot of space to store cars that have its TDI “clean diesel” engines that were cheating on their emissions tests, a global scandal that led to massive penalties, recalls, and even criminal charges against the company and against key executives involved in the scandal. While a fix has been approved for most of the recalled vehicles, they still remain in vehicular purgatory awaiting repairs. They’re being kept at sites including the port of Baltimore, an Air Force base in California, and the parking lot of the Pontiac Silverdome, former home of the Detroit Lions and Detroit Pistons.