Important Member Alert: Heartbleed Security Vulnerability Update

Yesterday, a serious vulnerability dubbed “Heartbleed” was uncovered and publicly disclosed by security researchers. This vulnerability exists in certain versions of OpenSSL, a widely used cryptographic library that enables SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption.

The vulnerability relies on a bug in the implementation of OpenSSL’s “heartbeat” feature, hence the “Heartbleed” name. When exploited, this vulnerability enables an attacker to trick a system into revealing chunks of data residing in its memory. This attack can lead to a server leaking private SSL keys, usernames/passwords, and other sensitive data. Many well-known sites have been reported as vulnerable to attack.

First Financial’s website and system utilize network load balancers, which manage SSL encryption and decryption for our member information and data. These load balancers operate on a different OpenSSL platform that is not vulnerable to this bug.

Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Important Alert: Card Cracking Scam Targets Students

Cash-strapped college students are being recruited to participate in a scam referred to as “card cracking.” Using ATM/debit cards and PINs willingly provided by the students, fraudsters deposit fraudulent checks to the students’ accounts. The funds are subsequently withdrawn by the fraudsters with the students receiving a portion of the funds for their participation.

Details
The “card cracking” scam was reported to originate in Chicago and generally targeted college students who were recruited through social media sites including Facebook, Instagram and YouTube. Participants were even recruited in-person at college campuses. The sales pitch is to allow the fraudster to deposit a check to a student’s account and withdraw the funds for which the student receives half of the proceeds for agreeing to participate. This scam is now being reported nationwide.

Willing participants provide the fraudsters with their ATM/debit cards and PINs. The fraudsters deposit fraudulent checks (stolen or counterfeit checks) to the student accounts via ATMs and subsequently withdraw the funds. Their proposition is simple: If you provide me with access to your account so I can deposit a check and withdraw the money, I will provide you with half of the proceeds.

After initial contact is made, the scammer arranges to meet up with the student to retrieve the debit card and corresponding PIN. The deposit is made, the money is withdrawn, and the fraudulent checks are subsequently returned unpaid and charged back to the students’ accounts. Following the fraudsters’ instructions, the participants report their ATM/debit card as lost or stolen and claim that the transactions were fraudulent.

The participants may not be entitled to protection under Regulation E (Reg E) for unauthorized use of their ATM/debit card since they willingly provided their card to the fraudsters. Reg E contains an exclusion to the definition of unauthorized electronic fund transfer:

Unauthorized electronic fund transfer means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer, and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated by a person who was furnished access to the consumer’s account by the consumer, unless the consumer has notified their financial institution that transfers by that person are no longer authorized.

This is a huge risk – especially for students who may have large amounts going through their accounts from loans, scholarships and tuition reimbursements.

“Even though the students might be considered victims, authorities point out that providing their debit cards to someone else is a crime,” the Sun-Times of Chicago says.

There’s an easy solution: Never share your account information, debit card or PIN! 

Here are some other safety tips you should keep in mind:

  • Always verify the identity of the person trying to obtain personal information.
  • Never give personal information to someone over the phone or via email. Personal information includes: Birth dates, social security numbers, maiden names, addresses, bank account numbers, debit/credit card numbers, PIN numbers, etc.
  • Maintain a record of the phone call or solicitation. Write down the phone number that the person is calling from, the time and date they called, the caller’s name, and reported affiliation. If it was online, save a copy of the email conversation or advertisement.
  • If it sounds too good to be true, it probably is.
  • If you believe you may be a victim of fraud, call your local police department so authorities can be alerted to the activity. You can also report email or internet scams to the Internet Crime Complaint Center (IC3) by going online to http://www.ic3.gov.

Check out First Financial’s ID Theft Protection products – with our Fully Managed Identity Recovery services, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored. To learn more about our ID Theft Protection products, click here and enroll today!*

Click the links to view more information from the original article sources: Yahoo Finance, Explorer News and CUNA Mutual Group.

*Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Important Vishing Scam Alert – March 2014

Vishing calls originating from (410) 768-7599 are being made via automated dialer to random telephone numbers. Vishing, or voice phishing, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

SCAM DETAILS

  • Calls are automated and a recorded message warns that there is a very important matter to discuss that involves a lower interest rate on a credit card. Victims are encouraged to press 1 to speak to a representative.
  • Callers who press 1 are directed to a call center operator/fraudster.
  • The operator who answers the call has a very heavy accent and at no time asks the victim what their name is or where they live. Operators focus on collecting payment card expiration dates and the last 12 digits of the victim’s payment card.
  • Card issuer brands are never mentioned.

BEST PRACTICES

  • Please do not call the potentially fraudulent number. Law enforcement and local communication companies may be in the middle of an investigation that will be compromised if the fraudsters become suspicious.

If you receive any suspicious calls from this phone number, do not call it back – please contact us immediately at 866.750.0100 so we can report the scam. Due to an increase in these vishing scams, it is important to be cautious if you receive any calls from unknown numbers or area codes. If you have any additional questions or concerns, please give us a call or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

*Article source courtesy of FICO Alert Bulletin 14.03.

Important Apple iOS Security Flaw Alert

Apple announced last week that there is a significant security flaw affecting literally hundreds of millions of iPhones, iPads and iPod Touches running iOS 7, the latest version of the company’s mobile operating system.

Baked into the system was a flaw that allowed an attacker, under certain circumstances, to intercept and read, in plain sight, traffic that users thought was encrypted via Secure Socket Layer technologies. That would include email, tweets, Web browsing and, potentially, mobile banking sessions that occur within the Web browser.

Mark Bower, a vice president at Voltage Security, elaborated: “For quite some time, attackers with knowledge of this bug had the ability to mount man-in-the-middle attacks to users operating Apple devices. This could have allowed interception or modification of SSL communications which are supposed to be private and encrypted.”

Experts appear divided as to whether this flaw also impacted traffic via apps, such as mobile banking apps.

Last week Apple issued a patch that it said fixed the problem on iPad, iPhone and iPod Touch.

However, the company also indicated that a related flaw exists in its OS X operating system for desktop and laptop computers. No patch has been issued so far, although Apple has indicated that one is imminent.

Note, too, the SSL attack can occur only when the hacker has control over a WiFi network (typically a public network) or has erected a rogue cellular network (technically doable but sophisticated and rare). This requires significant skill on the part of the attacker, said experts.

Users who never access public WiFi probably have nothing to fear, said most experts.

Experts also, unanimously in this reporter’s poll, urged Apple mobile device owners to download the security patches as soon as possible.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products – with our Fully Managed Identity Recovery services, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored.

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!*


Article Source (Written by Robert McGarvey in the Credit Union Times): http://www.cutimes.com/2014/02/24/apple-ios-security-flaw-prompts-patch-advice?eNL=51520a1b140ba0ed7800006c&utm_source=Daily&utm_medium=eNL&utm_campaign=CUT_eNLs&_LID=15773060 

A Message for Members Regarding Account Security Following the Target Data Breach

The recent data breach announced by Target at its stores in the U.S. between November 27 and December 15 has created a high number of inquiries from First Financial members regarding the security of their credit and debit card accounts.

We want to assure members that your accounts with us are monitored 24/7 by an experienced team of security professionals for any suspicious or potentially fraudulent activity. First Financial employs the most advanced fraud detection and prevention technology to guard members’ credit and debit accounts against unauthorized access and use. Here’s a quick update for your peace of mind:

  • We are aware of the accounts that are known to have been used at Target stores on the dates noted above and we are watching the activity on these accounts closely.
  • Our member service contact centers are experiencing unusually high call volume as a result of this breach and the coverage it has received in the media. Unless you see any suspect transactions on your First Financial credit or debit accounts, there is no need to call.
  • If our security team observes any unusual activity on member accounts, we will contact members immediately to determine whether the transaction activity is legitimate and authorized.
  • It is also a good practice for members to keep a watchful eye on their accounts and transactions and look for any unauthorized activity or purchases.

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

Credit Card Data Breached? Enroll in ID Theft Protection Today!

By now we’re sure you’ve heard about the credit and debit card data breach which affected those who used their cards at most Target stores nationwide, from November 27th through December 15th.

Target said the credit and debit card information of as many as 40 million customers was compromised over three weeks of the holiday shopping season — one of the largest breaches ever of American consumer data.

The breach, which extended to almost all Target stores in the United States, captured data stored on the magnetic stripes of the cards that customers swipe at the cash register, according to Krebs on Security, a respected data security blog.

Krebs cited sources from two top card companies. Target said that the information compromised included customer names, card numbers, expiration dates and the short verification codes known as CVVs — everything an attacker would need to create a counterfeit card.

Target said that it had alerted authorities and banks, and that the issue was “identified and resolved.” Still, it encouraged customers to look over their account statements and obtain credit reports. Target did not say how it might have happened. “It is very clear it is a sophisticated crime,” Molly Snyder, a spokeswoman for the company, told Reuters.

At up to 40 million customers, the breach ranks among the biggest in U.S. corporate history. In 2007, the data of more than 45 million customers was stolen from stores including T.J. Maxx and Marshalls.

Last year, the Barnes & Noble bookstore chain said that someone had planted software in PIN pad devices at 63 of its stores in nine states to steal the data from magnetic card stripes. The company responded by taking PIN pad devices out of all its stores. And in 2011, a hack exposed the credit card information of 100 million user accounts on the Sony PlayStation video game network.

Target, with almost $72 billion in U.S. sales last year, is the third-largest store in America, trailing only Walmart and the Kroger grocery store chain. Target has about 1,800 stores in the United States.

Krebs on Security reported that the breach hit only customers who shopped at physical Target stores, not online. The blog cited reliable sources familiar with the matter. The data would allow criminals to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If PIN codes were also intercepted, that would allow criminals to withdraw the cash of unsuspecting customers from ATMs.

Krebs quoted an anti-fraud analyst at one of the 10 biggest bank-card issuers as saying that “we do see customers all over the U.S. that were victimized.” Target said that its investigation includes working with a third-party forensics firm. The company said that customers who made purchases at its U.S. stores during the three weeks in question should call them at 866-852-8680, or seek copies of their credit reports from the agencies Equifax, Experian and TransUnion.

“Target’s first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence,” said Gregg Steinhafel, Target’s president and CEO. “We regret any inconvenience this may cause,” he said. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”

Don’t wait until you become a victim! Think you don’t need ID Theft Protection? Think again! With Fully Managed Identity Recovery services from First Financial, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored. Give us a call at 866.750.0100 to learn more. Get started today!*

Article Source: Alastair Jamieson and Erin McClam, NBC News. Reuters contributed to this report.
