A warning message on Yahoo


Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That’s good advice, and below you’ll find better advice from security firm Sophos.

But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged “change your password” links that actually lead to hacker-controlled sites.

Now, onto the better advice:

  1. Change your Yahoo password immediately.
  2. Reset this password, if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  3. Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
  5. Don’t trust password strength meters – these are unreliable and inaccurate.
  6. In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.

I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic.  Instead, I’m an advocate of having password families.    One simple password for throwaway accounts you don’t care about, like newsletters;  one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.

For that tough password, use something clever, like the first letter of every word in a sentence.  Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way).  Change a number to a symbol and you are in good shape, like IWBoN!iND.

Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.

Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. 🙂 I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.

Mikko Hypponen – Chief Research Officer, F-Secure (more about him)


For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never.  As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.

James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporation passwords (More about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost, that said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly).  Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.
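
The trade-off Lyne describes, between how a provider stores passwords and how long the password is, can be put in rough numbers. The Python sketch below is an added example, not code from the original post or from Sophos; the guess rate, the PBKDF2 iteration count and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALPHABET = 94                         # printable ASCII characters, space excluded
ASSUMED_FAST_GUESSES_PER_SEC = 1e10   # assumption: attacker's rate against unsalted SHA1
PBKDF2_ITERATIONS = 600_000           # assumption: work factor chosen by the provider
SECONDS_PER_YEAR = 365.25 * 24 * 3600

Record = Tuple[bytes, int, bytes]     # (salt, iterations, derived key)


def sha1_record(password: str) -> str:
    """Weak storage: one fast, unsalted hash. Equal passwords give equal records."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Record:
    """Stronger storage: random per-user salt plus a deliberately slow derivation."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def pbkdf2_verify(password: str, record: Record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(key, expected)


def years_to_exhaust(length: int, guesses_per_sec: float) -> float:
    """Years needed to try every password of `length` characters at the given rate."""
    return (ALPHABET ** length) / guesses_per_sec / SECONDS_PER_YEAR


def compare(length: int) -> dict:
    """Exhaustive-search time for one password length under both storage schemes."""
    fast = years_to_exhaust(length, ASSUMED_FAST_GUESSES_PER_SEC)
    # Simplifying assumption: each PBKDF2 guess costs `iterations` fast hashes.
    slow = years_to_exhaust(length, ASSUMED_FAST_GUESSES_PER_SEC / PBKDF2_ITERATIONS)
    return {"sha1_years": fast, "pbkdf2_years": slow}


if __name__ == "__main__":
    sample = "IWBoN!iND"  # the 9-character example password from the article
    # Unsalted SHA1: two users with the same password share one record,
    # so cracking it once exposes both accounts.
    print("sha1 records equal:", sha1_record(sample) == sha1_record(sample))
    # Salted PBKDF2: the same password yields unrelated records per user.
    a, b = pbkdf2_record(sample), pbkdf2_record(sample)
    print("pbkdf2 records equal:", a[2] == b[2])
    for length in (9, 16, 128):
        result = compare(length)
        print(f"{length:>3} chars: SHA1 ~{result['sha1_years']:.3g} years, "
              f"PBKDF2 ~{result['pbkdf2_years']:.3g} years")
```
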

Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because also changing the password too often can become a security risk

It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.

Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

1. You suspect (or know) it has been compromised.
2. You feel like changing it.
3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.



Yahoo's message to users

It’s not the big one, but it’s close.

Yahoo confirmed on Wednesday long-suspected reports that a hacker had accessed millions of customer passwords. The number, however, is a bit shocking even to a reporter who’s been writing this same story for the past 10 years.

Five Hundred Million. For many years, I’ve prepared myself to report on a very, very large scale data compromise that would undercut the integrity of the Internet itself, and perhaps cause immediate harm to the economy. I won’t tell you what kind of event that would be, but you could probably guess.

This Yahoo news isn’t that. But it’s the closest thing to date.

Yahoo announced earlier today that 500 million user accounts had been compromised; the data stolen by a hacker believed to be working for a nation state, the firm said.

“Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the firm said. “Yahoo is working closely with law enforcement on this matter.”

The attack happened in 2014, which raises an obvious question: What took Yahoo so long to figure out the severity of the heist? Users are also entitled to know more about the state-sponsored attack, and any guesses at what its motivation might be.

Here’s what was taken:

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords …. and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”

Yahoo has set up an information page on the hack at https://yahoo.com/security-update. When I tried it at 4:30 ET, it was inaccessible, probably overwhelmed with traffic.

The news follows reports in early August that a massive dump of Yahoo data was being sold online by someone using the same handle as a hacker who sold similar data dumps from LinkedIn and MySpace.  In a sign perhaps that the data was old, and had been in the underground for some time, the hacker — using the name Peace — said he or she was selling data on 200 million users for a mere $1,400.  Yahoo did not confirm this announcement was related to that incident.  (And Andy Greenberg over at Wired seems to think this might be a *separate* attack,” which

Yahoo says users should change their passwords. And in fact, stories about the Peace data sale claim offered the same advice.  Yes, you should change your passwords, and passwords at any site where you may have used that Yahoo password.  It’s a little like closing the barn door after the hacker’s already been inside for a while, however.

Yahoo said it will notify impacted users and has “taken steps to secure their accounts.”

“These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords,” the firm said.

It then tried to ease the blow a bit by talking about the increased prevalence of hacker attacks plotted by foreign governments.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” it said. “Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.”

The dramatic bad news — its scale alone is stunning — creates another opportunity for consumers to think more carefully about how they protect themselves.

“Every day we receive hard data that demonstrates why we all must be on high alert when it comes to internet security,” said John Peterson, vice president & general manager, Comodo Enterprise, a security firm. “From the everyday consumer to the largest enterprise, we are constantly under attack from people and organizations that want to profit from stealing our personal information.  Only by changing the way we think about internet security and deploying technology that provides full end-to-end coverage, will we be able to stop cybercriminals from profiting.”

In the end, however, there is little consumers can do to protect themselves from such wide-scale attacks. It’s up to technology firms to build better security into their products in the first place.

“What happened to Yahoo and their customers is tragic, but what is more tragic will be the next several data breaches at this scale which, unfortunately we have every reason to expect,” said Brett McDowell, executive director of the FIDO Alliance, a consortium of tech firms like Microsoft and Google. “The frequency and severity of these data breaches is only getting worse year-over-year, and this trend will continue until our industry ends its dependency on password security and adopts un-phishable strong authentication. The old excuses about strong authentication being a bad user experience are going away.”

Yahoo’s Tumblr page recommends that users take these actions:

  • Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Sign up for my free email list, or click on an advertisement, or just share the story.


Click to watch Elizabeth Warren at the Wells Fargo hearing.

Elizabeth Warren rightly eviscerated Wells Fargo CEO  John Stumpf at today’s hearing on that bank’s wide-ranging scandal.  She connected the dots neatly, showing that Stumpf made perhaps hundreds of millions of dollars in salary and stock while presiding over a crime involving two million fake consumer accounts.  She then made the point that a $12-per-hour teller who stole a few $20 bills would be in jail; Stumpf gets to laugh all the way to the bank.

There are plenty more places to read about the outrage. Start with Helaine Olen at Slate. NPR’s coverage is good, too.

But I’d like to highlight a critical element of this story that’s easy to miss in the blind rage of it all.   Victims of this massive fraud tried to stop it by suing — both individually, and as a class. But they couldn’t.  Why?

Because in America, consumer contracts are now nearly all built with a get-out-of-jail free card known as binding mandatory arbitration. The cases were tossed by courts, which said the consumers had no right to sue.  Because of clauses in the Wells contract (and in most of your contracts, I assure you), consumers had no day in court. And the scam went on.

The Consumer Financial Protection Bureau is trying to ban such clauses, but for now (thanks to the Supreme Court) they are still the law of the land.

The Consumer Federation of America is trying to bang home this point, which shouldn’t be missed. So here is more detail from that organization.

The Consumer Federation of America applauds the Senate Banking Committee for holding the hearing and Senator Sherrod Brown of Ohio and Elizabeth Warren for noting the large role forced arbitration played in the Wells Fargo scandal.  In his opening remarks at a hearing on the recently uncovered fraud at Wells Fargo, Senator Brown noted that “rather than letting fraud victims have their day in court, Wells Fargo forced customers to abide by the mandatory arbitration clauses in their real accounts. You heard that right – the bank invoked the fine print on a real account to block redress on a fake one which it had created.”  In questions to the second panel, Senator Warren asked whether forced arbitration clauses make it easier for large banks to cover up wrong doing and Director (Richard) Cordray indicated that they do.

Consumers had previously tried to sue Wells Fargo both in a class action (Shariar Jabbari & Kaylee Heffelfinger et al. v. Wells Fargo (U.S. District Court, N.D. Cal.)) and individually (David Douglas v. Wells Fargo (Superior Ct of Los Angeles, CA)) but both were dismissed because of forced arbitration agreements.

The fact that even clear cases of fraud, ultimately resulting in serious enforcement actions, cannot be brought to court by consumers is why the CFPB’s proposed rule prohibiting class action waivers in forced arbitration clauses is so important, and why CFA supports the proposed rule so strongly.

The Consumer Financial Protection Bureau…has begun issuing new rules which would limit the use of forced arbitration clauses in financial contracts, such as the ones used in this case. While the harm to consumers is clear and an outright ban on forced arbitration enjoys broad public support, there have been numerous efforts in Congress to halt the progress of the CFPB rules and weaken the Bureau’s ability to protect consumers.

In the House, the CHOICE Act of 2016 passed out of committee last week and contained a host of deregulatory, anti-consumer provisions, including a provision that would thwart the implementation of the CFPB’s proposed rule against forced arbitration clauses.

“The practices at Wells Fargo brought to light by the CFPB demonstrate exactly why an independent watchdog is so critical to protecting consumers from abusive financial practices,” stated Rachel Weintraub, Legislative Director and General Counsel at Consumer Federation of America, “It is troubling that, in the wake of a case of such widespread fraud and consumer harm, we continue to see efforts to block consumer’s access to justice.”


Scroll down to watch video recorded as state troopers discuss how to manufacture charges against protester.

America is being ripped apart right now by one video after another showing unarmed African Americans killed by police.  The videos often turn into Rorschach Tests, with viewers seeing what they want to see; taken as a package, however, the depth of the problem is both obvious and undeniable.

Thank goodness we have the videos.  Don’t take that for granted, because in plenty of places in America, the legal right to film police in public spaces is still under attack. You probably missed this story in all the other news of the week (Angelina and Brad!), but Connecticut state troopers confiscated a camera recently and — not realizing it was still recording — chatted openly with each other about how to trump up a charge on the citizen filming them. (More in a moment).  Meanwhile, in some parts of America, local police are demanding DNA samples from citizens who aren’t even accused of crimes, and building gene databases of residents.   Towns hide tax increases by levying crazy fines for small offenses, and in some cases, are bringing back debtors prisons.

To twist a phrase, police departments can only enforce the law with the consent of the governed. If you think the “us vs. them” problem applies only to racial profiling, you aren’t paying attention.  Americans have let their law enforcement officials get away with far too much for far too long.  All these things are symptoms of the same problem. Law and order America is out of control. Fear is used to justify atrocities large and small.  If you don’t think there’s a problem with power-hungry cops, that just means it hasn’t been your turn yet.

But first, let me get this out of the way. In America today, it seems nearly impossible to hold two points of view at the same time. But that’s the only way to get to the truth. Cops are brave. Cops are abusive. Cops are life savers. Cops are power-hungry racists. All those things are, at times, true.

If you think all cops are bad, how do you deal with the cognitive dissonance stirred by video from this week showing first responders running to a bomb scene when everyone else is running away? Two officers were shot Monday when they encountered a man sleeping outside a bar in Linden, N.J. He could have been just another homeless man or a vagrant. Instead he was a man who had tried to commit mass murder several times.

Cops do this dozens of times a day. Basic training teaches them that any “routine traffic stop” can land them in a coffin. It’s a reality that anyone who hasn’t been in law enforcement can’t fully grasp. And cops save plenty of lives. A relative of mine dove at a would-be George Washington Bridge jumper this month, and prevented a suicide. All in a day’s work.

It’s a really, really hard job.

But that doesn’t mean cops should get any free passes to toy with the law.   Right now, they get plenty.

Here’s how (some) cops behave when they don’t realize they are being watched. Connecticut resident Michael Picard was filming cops legally at a DUI check last year when state troopers approached him, told him filming was illegal, and seized his camera. After a back and forth, they took the device back to their patrol car and discussed what to do next.  Unfortunately for the troopers, the camera was still rolling, and captured their conversation. One trooper said, “We gotta cover our ass.”  Here’s how the ACLU, in a lawsuit, describes what happened next:

(State troopers) discussed whether they could charge Mr. Picard with any crimes, and one of the two suggested that any charge would suffice, saying, “let’s give him something.”

(One trooper said to another) “we do simple trespass, we do reckless use of the highway, and creating a public disturbance.” (Another) agreed.

(A trooper) said that the defendants should issue Mr. Picard a public disturbance charge, “then we claim that in backup we had multiple [motorists] stopped to complain about” a man waving a gun, “but that no one wanted to stop and give a statement.”  (He) emphasized the words “then” and “multiple” when speaking, as if formulating the defendants’ cover story aloud.

Defendants … also discussed whether they should charge Mr. Picard with walking in the road for his presence (near the highway). The two agreed to do so.

When (a third trooper) returned to the discussion, the three discussed how many criminal infraction tickets Mr. Picard was going to receive, eventually settling on two.

If part of you is saying right now, “Of course cops invent trumped-up charges,” I want you to pause and think about that for a moment.

We’ve learned to put up with far too much, and accept far too little, from our sworn officers of the law.

The criminal complaints against the citizen have been dropped, and the ACLU is now suing the three state troopers.   But a cop who trumps up a charge against an innocent citizen and admits it on video should be charged with a crime.  Playing fast and loose with the law, as an officer of the court, is an abomination to our system of justice.  It ruins the credibility of all cops.

It shows where we are, and how far we have to go.

I asked Connecticut officials to comment on the lawsuit, but I have not yet received a response.  The Associated Press reported that Trooper Kelly Grant, a state police spokeswoman, “said an internal affairs investigation is active and referred other questions to the state attorney general’s office, which declined to comment.”

I’ve written before about the important role that cameras are playing in bringing bad cops to light. (Here’s a guide to both the law and the reality of filming law enforcement that I wrote for NBC. In short, it’s legal as long as you aren’t creating a disturbance, but legal and practical aren’t always the same thing).

As we move forward, cameras will continue to play perhaps the most important role in exposing abusive police behavior. Without the video of these cop killings, we almost certainly would never have heard about them.

Meanwhile, every informed American should read last week’s ProPublica story about cops in local police departments around America engaging in what’s being called “Stop and Spit.”  In some places, cops are asking as many citizens as they can to swab their cheeks and volunteer some DNA that can be used in perpetuity to find criminals.  Writer  Lauren Kirchner begins with the story of a 15-year-old kid who cops swabbed, and his physician father, who spent more than a year trying to get the DNA sample destroyed.  The FBI has been collecting DNA for a while from suspected criminals. But local police have begun grabbing genetic code from anywhere they can find it and logging it in databases owned by private corporations.  Citizens who haven’t been arrested, in most cases, can refuse to give the sample. But saying no to cops is hardly easy; especially if you are 15.

One can imagine a big national discussion about DNA collection and crime. It makes me queasy, but an intelligent person could argue that it would make communities safer.  We haven’t had that discussion, however.  Stop and Spit is just happening; like trumped-up charges are just happening.

And 1,000 or so people each year are shot and killed by cops. While people of all races suffer that fate, many because they posed a direct threat to society, this important Washington Post story right-sizes the issue with data: unarmed African Americans are five times as likely to be shot by cops as unarmed white men. Overall, African Americans are 2.5 times as likely as whites to be shot by cops.

If you can’t see the problem, you aren’t looking.  And if you don’t think it impacts you, just wait.


The federal lawsuit

The alleged NYC-area bomber and his family were engaged in a 7-year long court battle with city officials over late-night hours and accusations of ethnic prejudice at the restaurant they ran in Elizabeth N.J., and the father of the family declared bankruptcy in 2005, my review of  extensive federal court records has found.

The extensive legal history paints the picture of a family that was intimately familiar with the ways of the U.S. justice system, and had spent many years working within it, both to obtain financial relief, and to assert what it believed to be its civil rights.

In a 2005 bankruptcy filing, Mohammed Rahami described himself as a single father with 8 kids working as a cook at First American Chicken in Elizabeth.  At the time, he said he had take-home pay of $1,450 per month but $37,000 in unsecured debt — mostly credit card debt.   The filing does not say Rahami owned the business. It says he was paying rent of $700 for an apartment at the address listed for the restaurant. Other news reports indicate the family lived in an apartment above the eatery.

The family’s only real possession at the time, according to the filing, was a 1999 Chevy Suburban worth $7,000 – but the family owed more in a loan on the vehicle than it was worth. Listed under debtors, Rahami held a Bank One credit card with an outstanding balance of $8,300, a Capital One card at $6,133, a Chase card at $8,294, a Citibank card at $6,178, and a Direct Merchants Credit Card Bank debt of $4,760.

There are also unpaid doctor and lawyer bills. He also owed a high balance on a car loan held by Thrift Investment Corp, which specializes in loans to the “non standard credit market,” according to its website.

The debt was discharged in federal court in 2006. A call to Rahami’s bankruptcy attorney wasn’t immediately returned.

Soon after, the Rahami family began a protracted legal battle with the city of Elizabeth that ultimately led to a massive court docket with 71 filings.  The family sued the city and various law enforcement officials in federal court in 2011 for “singling plaintiffs out on the basis of race, religion, or national origin.” It accuses one police officer of repeatedly telling the family “Muslims make too much trouble in this country,” and “Muslims should not have businesses here.” It also claims the city selectively enforced laws to harm the family’s business.

A review of those files shows the Rahami family opened the restaurant in 2002. Soon after, the city of Elizabeth passed an ordinance forcing restaurants to close at 10 p.m., with some exceptions. In July 2008, the family received a summons for staying open past 10 p.m. The 2011 lawsuit claims that summons was dismissed after the city ruled First American Chicken qualified for an exemption. After that, the lawsuit says, law enforcement officials continued to threaten the family with legal action for staying open late despite the exemption ruling. At one point, a police officer who told the restaurant to close at 10 p.m. was shown the court order and responded, “I don’t believe it.” Instead, officers repeated that the restaurant was contributing to making the area ripe for criminal activity, the lawsuit says.

“Many other food-based establishments, including but not limited to Duncan donuts (sic), White Castle, Carvel and other restaurants in the immediate vicinity stayed open past 10 p.m. without incident,” the lawsuit says.

Five summons were issued from April to June 2009, the lawsuit says. Those summons were eventually dismissed, according to the lawsuit.

“On some occasions, police would advise that it was ‘ok’ to keep the restaurant open; on some occasions, the police…would tell them to shut it down,” the lawsuit claims.

At one point, two family members were detained  when trying to record an interaction with police. Mohammed K. Rahami – believed to be the bombing suspect — was charged with disorderly conduct; the other family member was released.

The restaurant continued its late-night hours “without incident” or further tickets after Feb. 15, 2010, the lawsuit says.

All parties agreed to a stay of the federal civil rights case in 2012. Meanwhile, Mohammed K. had pled guilty in municipal court to one of the late-night summons and a $233 fine, but in a 2014 court filing he claimed the guilty plea was coerced. His lawyer filed several motions in an attempt to withdraw that municipal court guilty plea. One of those motions cites a Superior Court of N.J. state appellate court decision on the summons, which indicates the family had conceded that more than 5 percent of its late-night business was take-out, disqualifying it for the late-night exemption. The court refused to overturn a lower court ruling against the family in part because the fine was small and no jail time had been assessed, but mainly because court filing deadlines had been missed.

In 2015, the Rahami family’s attorney filed a motion to withdraw as counsel. At the time, the court acknowledged the family was now operating pro se, meaning they were representing themselves.

The case file dies quietly soon after when a court notice about a conference sent to the Rahami family was returned as undeliverable. The notice was sent to the current address for First American Chicken, and it was not immediately clear why the notice was returned.




In another sign that the housing market is beginning to resemble its pre-recession heyday, house flipping is back in style.

ATTOM Data Solutions released a report Thursday showing that flipping activity — buying and selling the same home within 12 months — is at its highest level in six years. More investors completed at least one house flip sale than in any year since 2007. And per-sale profits enjoyed by flipping investors are the highest they’ve been since 2000.

A total of 51,434 U.S. single-family home and condo sales were completed flips in the second quarter of 2016, up 14% from the previous quarter, and up 3% from a year ago, ATTOM Data said.

(This story first appeared on Credit.com. Read it there.)

Daren Blomquist, senior vice president at ATTOM Data Solutions, called it a “flipping frenzy,” but he also said observers shouldn’t jump to conclusions that increased flipping activity suggests the bubble days have returned.

“We’re starting to see home flipping hit some milestones not seen since prior to the financial crisis, which is somewhat concerning, but there are a couple of important differences in the home flipping of 2016 compared to 2006, when home flipping peaked during the last housing boom,” Blomquist said.

“First, home flippers are realizing a much bigger gross ROI in 2016, averaging 49% in the first two quarters, compared to an average gross ROI of just 27% in 2006. Second, while an increasing number of flippers are financing their purchases, more than two-thirds are still using cash to purchase, compared to about one-third using cash to purchase back in 2006.”

In other words, flippers are using their own money — and making good money doing so — rather than borrowing to flip and eking out gains, a sign of risky speculation that marked the middle part of the last decade.

Logan Mohtashami, a California loan manager and housing economy expert, agreed that increased flipping activity isn’t necessarily a sign of an overheated market.

“Home sales itself are at a six-year high, so (there’s) nothing out of the norm on [this] trend,” he said. “This cycle is different than the last … Overheating to me is speculation.”

Instead, investors are responding rationally to a shift in the housing market, Mohtashami said. Since the recession, housing investors have soaked up distressed sales, such as foreclosures, to turn single-family homes into rentals. The trend has exhausted itself as the inventory of distressed homes has returned to normal, so those investors are returning to house flipping, Mohtashami said.

“The rental yield play was big early on, but the cash discount is all gone, so you don’t see growth there. Prices are rising,” he said. “Always (with) distressed homes you can flip in certain areas.”

The ATTOM Data Solutions report suggests it’s happening in plenty of areas around the country. Cities with the highest percentage of sales completed as flips last quarter were Memphis, Tennessee (11.1%); Visalia-Porterville, California (10.1%); Tampa, Florida (10.0%); York-Hanover, Pennsylvania (9.7%); and Mobile, Alabama (9.6%).

Other metro areas in the top 10 for the highest flipping rate included Fresno, California; Lakeland-Winter Haven, Florida; and Clarksville, Tennessee.

Other large markets with a population of at least 1 million and where the flipping rate was above 7% included Baltimore; New Orleans; Phoenix; Nashville, Tennessee; and Las Vegas.

Flippers made pretty good money on their sales. Homes flipped in Q2 2016 sold on average for $189,000, $62,000 more than the average purchase price of $127,000, according to ATTOM data.

“That $62,000 average gross profit was up from an average $57,250 gross flipping profit in the previous quarter,” the company said in a release, “and up from an average $57,900 gross flipping profit in Q2 2015 to the highest average gross flipping profit since Q1 2000, the earliest quarter tracked in the report.”

Cities where flippers enjoyed the highest ROI in the second quarter of 2016 were Pittsburgh (133.3%); Allentown, Pennsylvania (117.9%); New Orleans (111.5%); Cleveland (102.6%); and Philadelphia (98.9%).

(Here’s a story Credit.com wrote about a Pittsburgh flipper earlier this year.)

“Home flipping is becoming more accessible for smaller operators, thanks to an increasingly competitive lending environment with more loan options for real estate investors, who are also benefitting from the historically low mortgage interest rates,” said Blomquist. “That favorable lending environment for flippers has helped to fuel the recent flipping frenzy we’ve seen over the past five quarters.”



Alert: Resurgence of infected Zip files a new (old) menace to your email inbox

September 16, 2016 Cybercrime / Privacy

You’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there’s a lot of them around. That advice is nearly as old as email, but as they say, everything old is new again. And the Internet is newly awash in spam sending out booby-trapped zip […]


Some Verizon customers say their data use (and fees!) has mysteriously soared recently

September 15, 2016 Cybercrime / Privacy

Q: When is the only time in life that you can’t wait to get older? A: When you’ve used up all your cell phone data for the month and can’t wait for a new month to arrive. I exceeded my monthly cell phone data last month, I believe for the first time ever, and paid […]


My turn to deal with a bogus DirecTV early termination fee, and why we need a ‘Department of Leaving Scams’

September 12, 2016 Gotchas / Consumer

DirecTV has wasted a lot of my time this week, and it tried to take a lot of my money, too.  I’ll fill you in on the details below, but you already know the story.  I canceled service. I was told my bill was paid. Months later I was hit with a mysterious early termination […]


Can she spend only $10 a day? Facing student loan mountain, she started ‘Frugal Females Challenge’

September 12, 2016 Gotchas / Consumer

Heather Young was nearly 30 and staring down $75,000 in student loan debt when she made a choice. “I was paying almost $600 a month just in interest — $6,700 a year,” she said, and there wasn’t much she could do about that. “So I thought, ‘I can’t take control over XYZ, but what […]
