
Business email compromise fraud
Read Time: 6 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Kelby Dominic worked hard all year, so she always looked forward to her vacation. Her excitement escalated the closer she was to departure. After checking in at the airport she noticed that her smartphone needed charging. She walked up to a “free” charging station that provided USB ports for charging personal devices and charged her phone before boarding the plane. When she arrived at her hotel she checked her bank account and saw that the balance was wiped out. She quickly notified her bank, which informed her that her account number and probably other personally identifiable information (PII) had been compromised. But how?
When Kelby got home, she reported it to the police. A police officer, who began retracing her activities before she arrived at the vacation hotel, asked her if she’d charged her smartphone at the airport. She said that she had. The officer told Kelby that she was probably a victim of “juice jacking.”
This is a fictitious case, but it’s a common example of a new scheme. Juice jacking is a form of cyberattack in which a malicious hacker can gain access to personal or sensitive corporate data stored on a personal or business-issued mobile device, or inject malicious code into it, when an unsuspecting victim uses a compromised public charging station at an airport, business center or hotel, at a conference, or in another public place. All travelers, especially frequent ones, are at a heightened risk of this type of data breach, which can lead to increased identity theft activity.
Hackers, like other predators, are opportunists and take advantage of any situation to exploit individuals and compromise their data. Significant improvements in functionality and data storage capacity for personal devices over the past few years have provided us the ability to use them to conduct business and personal transactions. So, a lot of sensitive information, such as bank account numbers, has been transferred from PCs and laptops to smartphones and notebooks, which increases the risk of hackers compromising data. These smaller devices lack the protections and privacy of PCs and laptops.
You’re in an airport waiting to board a plane and notice your iPhone is running low on juice. You whip out your USB charging cord, plug one end of it into your phone and the other end into the kiosk charging station. Half an hour later your phone is charged, and you’re set to travel. A happy ending? No, a double whammy has occurred, and the bad news is yet to come.
A hacker had installed a small computer into the charging station kiosk, which allowed malicious code or malware to silently install onto your iOS device at the other end of the USB charging cord. Standard USB cables with a mini-B connection and Apple’s proprietary cables are designed to do two things: provide a power source to charge your device and sync or transmit data to and from it. This vector allows a criminal hacker to establish a connection and gain permanent access via the wireless route to your PII on your iPhone or other personal device. Also, if your smartphone was ever linked or paired to your laptop or PC, then the hacker now has permanent wireless access to your files until you restore the hardware to its original factory state. This scenario can happen to any brand and type of smartphone — iPhone, Android device or Blackberry.
According to the Sept. 4, 2014, TechAdvisory.org article What’s Juice Jacking?, the following guidelines should be considered to avoid becoming a victim of “juice jacking” when traveling:
On August 1, the Internet Crime Complaint Center (IC3) posted an alert, Online Scammers Require Payment Via Music Application Gift Cards, announcing that online scammers have exploited hundreds of victims by requiring them to use music application gift cards to make payments associated with a variety of fraudulent schemes. Losses totaled more than $6 million just from January through June. The individual losses have ranged from the hundreds to thousands of dollars.
The IC3 said that this new scam is associated with a multitude of ongoing fraudulent schemes including “auction frauds, employment/opportunity scams, grandparent scams, loan frauds, romance scams, ransomware, tax frauds, and various other online schemes.”
Also, this scam has been linked to other fraud scams involving victims “having won a prize, needing to pay a tax debt, having qualified for a loan, or that a friend or relative is in trouble and needs a payment via music application or other prepaid gift card to assist.” When victims get scammed in a scheme, the fraudsters usually require payment with the use of a gift card because they’re easily transferred and converted. But this is the first time that music application gift cards have been used as a form of payment.
Once a fraudster has captured the attention of a victim in a scheme, he tells the victim to go to a known retailer to purchase music application gift cards in various amounts. Then the crook tells the victim to share the numbers on the back of the cards. The fraudster then cuts off communication with the victim or continues to ask for more gift cards.
The IC3 suggests the following tips to avoid this and other online scams:
Please share this information with your business associates, family, friends and clients and include it in your outreach programs. An important takeaway from this column is that new online scams continue to emerge, and older ones are still racking up victims. To prevent scams like this and others, organizations must set up an ongoing fraud awareness program for all their employees that educates them about emerging cyberschemes and teaches them how to avoid becoming a victim.
Please contact me if you have any identity theft or cyber-related issues you’d like me to research and possibly include in future columns or if you have any questions related to this column or any other cybersecurity/identity theft issue. I don’t have all the answers, but I’ll do my best to help. Stay tuned!
Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also a member on the ACFE’s Advisory Council and the Editorial Advisory Committee. His email address is: doctorh007@gmail.com.