There’s a New Security Vulnerability Named POODLE and It’s Not Cute and Cuddly

A new security hole was recently discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers who published a paper about it.

POODLE affects SSLv3, or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site, or between a user’s email client and mail server. SSL is a cryptographic protocol used to provide encryption and authentication security. SSLv3 is the most recent variant of SSL and has been widely used in browsers including Google Chrome, Mozilla Firefox, IE, Opera, and Safari. Primarily, all browsers on Windows PCs, Windows Servers, Macs, tablets and smart phones may be affected. SSLv3 is also used on Unix and Linux platforms.

This threat is not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

For the vulnerability to be exploited, your browser must be running JavaScript, and the attacker has to be on the same network as you — for example, on the same public Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet.

The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails. An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.
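The fallback behavior described above can be shown with a small model. This is an added example written for this article, not code from the researchers' paper or from any browser. It assumes a simplified negotiation (the highest version both sides enable, capped by the client's offer), and the names `connect`, `handshake` and `failed_offers` are made up for the illustration.

```python
from enum import IntEnum


class Proto(IntEnum):
    """Protocol versions, using their on-the-wire version numbers."""
    SSLv3 = 0x0300
    TLSv1_0 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303


ALL = frozenset(Proto)            # SSLv3 still enabled
TLS_ONLY = ALL - {Proto.SSLv3}    # SSLv3 disabled


def handshake(offer, client_enabled, server_enabled):
    """One attempt: the highest version both sides enable that does not
    exceed the client's offer, or None if there is no such version."""
    common = [v for v in client_enabled & server_enabled if v <= offer]
    return max(common) if common else None


def connect(client_enabled, server_enabled, fallback, failed_offers=frozenset()):
    """Return (negotiated_version_or_None, offers_tried).

    fallback=True models the legacy client behavior: after a failed
    attempt, retry while offering the next lower enabled version.
    failed_offers (an assumption of this model) is the set of offers whose
    handshake never completes, whether from a flaky network or from
    someone on the same Wi-Fi interfering with the connection.
    """
    offers = sorted(client_enabled, reverse=True)
    if not fallback:
        offers = offers[:1]       # a single attempt, no retry at a lower version
    tried = []
    for offer in offers:
        tried.append(offer)
        if offer in failed_offers:
            continue              # attempt failed in transit
        result = handshake(offer, client_enabled, server_enabled)
        if result is not None:
            return result, tried
    return None, tried


def scenarios():
    """Constructed cases: what each configuration ends up negotiating."""
    tls_fails = frozenset(TLS_ONLY)   # every TLS offer fails in transit
    return {
        "legacy client, clean network": connect(ALL, ALL, True)[0],
        "legacy client, TLS offers fail": connect(ALL, ALL, True, tls_fails)[0],
        "client with SSLv3 disabled": connect(TLS_ONLY, ALL, True, tls_fails)[0],
        "server with SSLv3 disabled": connect(ALL, TLS_ONLY, True, tls_fails)[0],
    }


if __name__ == "__main__":
    for name, version in scenarios().items():
        outcome = version.name if version is not None else "no connection"
        print(f"{name}: {outcome}")
```

With SSLv3 disabled on either side, the connection fails instead of silently dropping to SSLv3, which is why disabling it is the recommended fix.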

“This attack is really against clients — you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no need to panic.”

Heartbleed and Shellshock were vulnerabilities that allowed an attacker to hack a server. POODLE instead targets the clients.

“The fear of rushing to go fix this is very low because of that,” Graham says. “People with servers can’t get hacked, and people with vulnerable clients also can’t get hacked unless they’re on an open Wi-Fi.”

RECOMMENDATIONS

Taking into consideration that this information could be overwhelming, the best practice is to upgrade older versions of browsers and disable SSLv3, as there is no other fix available at this time.

The following browsers support TLS 1.0 (and must be configured to disable SSLv3):

  • Google Chrome v1
  • Firefox v1
  • Internet Explorer v7
  • Safari v1

It is also recommended to upgrade email versions that use TLS 1.1:

  • Apple Mail (OS X Panther)
  • Outlook 2003 (SP2) or higher
  • Outlook Express 4.0 or higher
  • Thunderbird 2.0
  • Entourage 2008

First Financial updates our systems regularly and your data security is the highest priority.  Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Article Source: http://www.wired.com/2014/10/poodle-explained/

Help Local Families in Need this 2014 Holiday Season in any First Financial Branch!

Holiday Greetings to all of our First Scoop Readers!

As we approach the holiday season, First Financial will be partnering with local non-profit organizations to help families in need within Monmouth and Ocean Counties. Our First Financial branches will serve as collection sites for non-perishable food items that will then be donated to the following non-profit organizations:

Please note that the first branch food pick-up date will be on Friday, November 21, 2014. There will be other pick-up dates throughout the holiday season, so please feel free to donate your non-perishable food items after November 21st also.

We will also be partnering with the Salvation Army to offer Angel Tags: Gifts for Children. Each of our 4 branches will receive Angel Tags listing a child’s gender and age in the upcoming week. These tags will be available for you to bring home in order to purchase a gift for the child in need listed on the tag you select. These gifts will be picked up on Wednesday, December 10th at all First Financial locations – so please be sure to return your unwrapped gifts with the tag attached, by December 10th.

Help brighten someone’s holiday this season and thank you for your continued support!

The Latest Data Breaches for November 2014: USPS and Grocery Stores Operated by AB Acquisition LLC & SUPERVALU

USPS Breach

The U.S. Postal Service said on 11/10/14 that employees’ personal data, including Social Security numbers, may have been compromised in a cyber attack.

The Postal Service said more than 800,000 people (all those who receive their pay from the Postal Service, plus some retirees) could potentially be affected.

In a statement, the USPS said the FBI was leading an investigation and that customer credit card data did not appear to be at risk.

“The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” the statement said. “Postal Service transactional revenue systems in post offices as well as on usps.com, where customers pay for services with credit and debit cards have not been affected by this incident.”

Over 2.9 million customers who contacted the postal service customer care center with an inquiry via telephone or email between January 1, 2014, and August 16, 2014 are also at risk.

The intrusion compromised names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information, according to the statement.

AB Acquisition LLC & SUPERVALU Breach

In addition, malware was discovered in fall 2014 on some point of sale systems within grocery stores operated by AB Acquisition LLC & SUPERVALU. SUPERVALU’s stores include: Cub Foods, Hornbacher’s, Farm Fresh, Shop ‘N Save, and Shoppers Food & Pharmacy. AB Acquisition’s stores include Albertson’s stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc.

Click here to review a statement and press release from SUPERVALU with more details about the incident, should you suspect you may be affected by this malware incident. For more information on the AB Acquisition LLC incident, click here.

It is important to know the following in regard to both data breaches:

  • Free credit monitoring services are usually offered to compromised customers. Should you be affected by either of these latest data breaches, an announcement will be sent with information regarding how to activate these services. However, credit monitoring only alerts you to new credit or changes to your existing credit. The criminal activity that is taking place uses existing open accounts, so no credit monitoring alerts may be triggered. You need to watch your account statements carefully.  
  • First Financial accountholders will not be responsible for any fraudulent account charges. If you suspect any fraudulent transactions, please contact Member Services immediately at 866.750.0100.

Be wary of emails or telephone calls that request information. Neither USPS, AB Acquisition LLC, SUPERVALU, nor our financial institution will ask you to provide any information in relation to this possible data breach incident.

Below are the recommended steps to remain vigilant against possible identity fraud:

  1. Check your bank statements. Review your statements carefully and repeatedly. Any purchases, large or small, should be verified as a purchase you made.
  2. Get Help. You are not responsible for fraudulent transactions on your account, but you need to notify us as soon as possible if you see any suspicious activity. Contact us with any questions.
  3. Take Action. If you suspect that your identity has been compromised, you can place a fraud alert on your credit file by calling any one of the three major credit reporting agencies shown below. A fraud alert is a notation on your credit file to warn credit issuers that there may be a problem. The credit issuer is asked to contact you at the telephone number that you supply to validate that you are the person applying for the credit. This is not the same as credit monitoring.

TransUnion: 1.800.916.8800, Experian: 1.888.397.3742, Equifax: 1.800.685.1111

In accordance with the Fair Credit Reporting Act, it is permissible for consumers to request a free copy of their credit report once every 12 months from each of the three major credit reporting agencies (TransUnion, Experian, and Equifax).

To order a free credit report -
Online: www.annualcreditreport.com or by Telephone: 1.877.322.8228.

Individuals are encouraged to report any suspected instances of identity fraud to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products – with our Fully Managed Identity Recovery services, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored. You can try it FREE for 90 days!*

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!**

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

*Available for new enrollments only. After the free trial of 90 days, the member must contact the Credit Union to opt-out of ID Theft Protection or the monthly fee of $4.95 will automatically be deducted out of the base savings account or $8.95 will be deducted out of the First Protection Checking account (depending upon the coverage option selected), on a monthly basis or until the member opts out of the program. **Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Article Sources: http://www.nbcnews.com/tech/security/800-000-post-office-employees-data-could-be-compromised-n245121, http://www.supervalu.com/security.html, http://www.albertsons.com/2014/08/ab-acquisition-llc-confirms-incident-involving-payment-card-data-processing/.

8 Ways to Protect Your Identity While Shopping Online

As we move into the most frenzied shopping season of the year, scam artists will be on the prowl for vulnerable shoppers. To avoid becoming a victim, consider taking steps now to keep your financial accounts and personal information safe.

1. Skip attachments and hyperlinks. Even attachments from people you know can be nefarious, since those acquaintances could be infected with a computer virus. If the email contains unusual or scant wording, don’t open the attachment. The same logic applies to hyperlinks in emails (or requests for information received over text message). First hover over the link to make sure it’s going to direct you to a valid address.

2. Don’t make purchases over coffee shop lattes. Any public Wi-Fi connection, such as those offered at coffee shops or libraries, carries extra risks, since it isn’t private. Try to avoid shopping online or engaging in any financial transactions, like logging into your bank account, from such hot spots.

3. Protect your smartphone. Web browsers and retailer apps on mobile devices make it easy to shop on the go, but doing so can also expose shoppers to extra risks since many phones don’t have the same kind of data encryption that’s often installed on computers. Even taking a relatively simple step, like enabling the password lock feature on your phone, will make it harder for a thief to access private data stored on the phone in case it’s lost or stolen. The computer security company McAfee also warns against downloading apps that might steal personal information.

4. Don’t trust your “friends.” Hackers target social media, including Facebook and Twitter, because they know it’s easier to get people to click on a link that appears to be recommended from a friend. McAfee has identified dozens of examples, including free dinner offers at Cheesecake Factory and fake mystery shopper invitations. Offers that sound too good to be true, such as free iPads or free iPhones, are also a common lure. The company cautions against clicking on fake alerts from friends, who may have been hacked themselves, and recommends avoiding shortened links on Twitter that claim to offer deals.

5. Open e-cards with caution. They can be cute, but they can also be malicious. McAfee warns that some e-cards download viruses onto your computer when you download them. To avoid that outcome, the company suggests only opening e-cards from domain names that you recognize.

6. Upgrade your passwords. The holiday season can serve as a good reminder to give your passwords a makeover; security experts recommend changing them regularly as a precaution against hackers. Avoid common and simple words, use long combinations of words that also incorporate numbers or symbols, and never use duplicate passwords for multiple accounts. Sites that offer two-step authentication, such as Twitter and Gmail, can also add another layer of protection.

7. Check up on an e-retailer before making purchases. Some fly-by-night operations take advantage of the uptick in shopping around the holiday season to collect cash without ever mailing out the goods in return, warns the Better Business Bureau. The same applies to in-person exchanges on Craigslist or other online sites. To protect yourself, the bureau recommends never wiring money or paying in advance, and bringing a friend to any in-person exchanges.

8. Review your statements. The first sign of identity theft is often an unfamiliar charge on a credit card or bank statement; reviewing those statements carefully and contacting your financial institution or card provider with any concerns can prevent a theft from expanding. Credit cards usually come with some measure of automatic protection, as long as you report the scam relatively quickly.

Following these tips might leave you feeling overly cynical about the world, but the real downer would be dealing with a stolen identity just as the holiday season is heating up.

Article Source: Kimberly Palmer for US News – Money, http://money.usnews.com/money/personal-finance/articles/2014/09/16/8-ways-to-protect-your-identity-while-online-shopping

4 Personal Finance Myths: Busted!

Financial myths are a force behind one of the biggest threats to your financial future – yourself. Here are some personal finance myths that could be costing you money and endangering your future security.

Myth 1: Two incomes are better than one. Truth: Today’s families often have two incomes out of necessity. They make more money than a one-income family did a generation ago. But, by the time they pay for the basics – an average home, a second car to get the second spouse to work, child care, health insurance, taxes, and other essentials, that family actually has less money left over at the end of the month to show for it.

The assumption in the myth is that with two incomes you’re doubly secure. But if you’re counting on both of those incomes, then you’re in serious trouble if either income goes away. And, if you have two people in the workforce, you have double the chance that someone will get laid off, or that someone could get too sick to work.

Housing prices are rising twice as fast for families with kids, and a big reason is dwindling confidence in public schools. People are bidding up the prices on homes situated in school districts with good reputations. The only way for a typical family to afford one of those homes is for both spouses to work. Average mortgage expenses have risen 70 times faster than the average family’s primary income, so families are required to keep two incomes.

When two incomes are a necessity, the question of whether two may be better than one is moot. Busting this particular myth means understanding the true financial stakes involved in deciding to have children and raising a family, based on your personal situation.

Myth 2: Owning is always better than renting. Truth: The money you pay for rent is a necessity like your other living expenses. Do you consider the money you spend on food to be wasted? What about the money you spend on gas? Both of these expenses are for items you purchase regularly that get used up and appear to have no lasting value, but are necessary to carry out daily activities.

If you own a home, unless you paid cash for it, you pay a mortgage (and it’s likely as much as you’d be spending on rent), plus other expenses like property taxes, insurance, maintenance, etc.

The choice between owning and renting is often a financial toss up. Busting this myth means understanding the most important reason to buy a home. Decide how badly you want to settle down for the long-term and invest in a permanent residence.

First Financial offers a number of great mortgage options, including refinancing – click here to learn about our 10, 15, and 30 year mortgage features and see which is a good fit for your home!*

To receive updates on our low mortgage rates straight to your mobile phone, text FIRSTRATE to 69302 and each time our mortgage rates change, we’ll send you a text message with the new rates.**

Myth 3: A near-perfect credit score will get you the best loan rate. Truth: Every expert, credit bureau, and loan officer has a different opinion as to where the threshold for excellent credit lies. In addition, “near-perfect” can be a relative term. Do we mean “near-perfect” as in “excellent,” or as in “perfect,” which doesn’t exist? Different loans and lenders have different standards.

Generally, any credit score in the mid-700 range and up is considered excellent credit, and will get you credit approvals and the best interest rates. But at this high end of credit scoring, extra points don’t always improve your loan terms much. Sure, the higher your score, the better. But even an extra 50 points in this range doesn’t always help you get a better rate on your next loan.

Those extra points can serve as a buffer if a negative item shows up on your credit report, however. For example, if you max out a credit card, you can get dinged 30-50 points. An extra 50 points would absorb the hit and minimize the possible damage.

So, there really is no “magic number” when it comes to credit scores. Busting this myth means understanding that more than just your score is taken into consideration. To get the loan you want, you may need a high credit score, no negatives in your credit file, and adequate income to afford it.

Credit score not where you want it to be? Try First Financial’s First Score Credit Counseling program; a low cost, interactive session with a First Financial expert, which simulates your credit score with various “what if” scenarios. You can email us at firstscore@firstffcu.com or call 866.750.0100, Option 4 to get started.

Myth 4: You need to earn more to save more. Truth: Your ability to save is defined by your discipline to sacrifice and set aside a percentage of your spending. Your income level is not really a factor. And no matter the amount, the younger you start saving, the more years you’ll have for your money and any interest earned to work its magic. You may decide you want to invest some of your savings too – talk to a financial planner and decide if investing in stocks and mutual funds might be a good option for your savings goals.

So, savings is not some arbitrary amount – but a discipline. Busting this myth means understanding that you need to sacrifice some of your spending now for financial security later. You simply have to decide how important that security is to you.

Consider how these personal finance myths and others like them could be contributing to money problems you’re experiencing now, and pose more serious trouble for your future.

“Busting” these myths offers the answers you need to take action and change your behavior with money – and assure your financial security.

Article Source: http://www.nasdaq.com/article/why-these-4-personal-finance-myths-perpetuate-money-problems-cm396086

*A First Financial membership is required to obtain a mortgage and is open to anyone who lives, works, worships, volunteers, or attends school in Monmouth or Ocean Counties. Subject to credit approval. Credit worthiness determines your APR.

 **Standard text messaging and data rates may apply.

Add Kmart and Dairy Queen to the Latest Data Breach List and Check Your Statements!

Recent data breach news reports have Dairy Queen admitting to a breach at as many as 395 stores between August and September 2014, and Sears Holding Co. disclosing that malware at Kmart point-of-sale registers stole customer debit and credit card data.

Kmart customers who shop in its Brick, Manahawkin, Toms River, or Wall, NJ stores may need to check their debit and credit card accounts, after the retailer discovered a data breach last week.

According to an article on APP.com, the company announced its payment system had been attacked by hackers who stole customers’ debit and credit card numbers. Kmart discovered the intrusion into its payment system on Thursday – but the investigation shows it goes back to early September 2014, Kmart said in a statement released Friday.

Kmart joins a list of other big companies, including retailers Target, Acme, and Home Depot, that have been attacked by hackers recently.

“According to the security experts we have been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” the company said in a statement. “We were able to quickly remove the malware. However, we believe certain debit and credit card numbers have been compromised.”

No personal information, debit card PIN numbers, email addresses, or Social Security numbers were obtained by the hackers, the company said. There also is no evidence that Kmart.com customers were affected.

In late August, Dairy Queen announced its data breach after it was reported by KrebsonSecurity, which placed the attacks as early as June 2014.

Dairy Queen and Kmart have said there is no indication that Social Security numbers, personal identification numbers, or email addresses were taken in these incidents. Krebs also reported on the malware incident at Kmart, which posted a notice Friday about the malware incident.

In related news, federal investigators reportedly believe the hackers who breached JPMorgan Chase over the summer also stole information from Fidelity Investments, according to the Wall Street Journal. The paper’s sources do not believe the breach of Fidelity was on the same scale as the JPMorgan breach affecting contact information for as many as 76 million households.

First Financial would like to remind our members that your accounts with us are monitored 24/7 by an experienced team of security professionals for any suspicious or potentially fraudulent activity. First Financial employs the most advanced fraud detection and prevention technology to guard members’ credit and debit accounts against unauthorized access and use. Here’s a quick update for your peace of mind:

  • If our security team observes any unusual activity on member accounts, we will contact members immediately to determine whether the transaction activity is legitimate and authorized.
  • It is also a good practice for members to keep a watchful eye on their accounts and transactions and look for any unauthorized activity or purchases.

Article Sources:

http://www.app.com/story/money/business/consumer/2014/10/10/kmart-hacker-attack/17080339/

http://patch.com/new-jersey/wall/do-you-shop-wall-kmart-check-your-credit-and-debit-cards-0?utm_source=newsletter-daily&utm_medium=email&utm_term=business&utm_campaign=newsletter#.VD0z5WddUuc

http://www.nafcu.org/News/2014_News/October/Dairy_Queen__Kmart_in_latest_data_breach_stories/