There’s a New Security Vulnerability Named POODLE and It’s Not Cute and Cuddly

A new security hole was recently discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers who published a paper about it.

POODLE affects SSLv3, version 3 of the Secure Socket Layer protocol, which is used to encrypt traffic between a browser and a web site, or between a user’s email client and mail server. SSL is a cryptographic protocol that provides encryption and authentication. SSLv3 is the most recent variant and has been widely used in browsers including Google Chrome, Mozilla Firefox, IE, Opera, and Safari. Practically all browsers on Windows PCs, Windows Servers, Macs, tablets and smart phones may be affected. SSLv3 is also used on Unix and Linux platforms.

This threat is not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

To exploit the vulnerability, you must be running JavaScript, and the attacker has to be on the same network as you — for example, on the same public Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet.

The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails. An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.

“This attack is really against clients — you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no need to panic.”

Heartbleed and Shellshock were vulnerabilities that allowed an attacker to hack a server. POODLE instead targets the clients.

“The fear of rushing to go fix this is very low because of that,” Graham says. “People with servers can’t get hacked, and people with vulnerable clients also can’t get hacked unless they’re on an open Wi-Fi.”

RECOMMENDATIONS

Because this information can be overwhelming, the guidance comes down to one best practice: upgrade older versions of browsers and disable SSLv3, as there is no other fix available at this time.

The following browsers support TLS 1.0 (and must be configured to disable SSLv3):

  • Google Chrome v1
  • Firefox v1
  • Internet Explorer v7
  • Safari v1

It is also recommended to upgrade to email client versions that use TLS 1.1:

  • Apple Mail (OS X Panther)
  • Outlook 2003 (SP2) or higher
  • Outlook Express 4.0 or higher
  • Thunderbird 2.0
  • Entourage 2008

First Financial updates our systems regularly and your data security is the highest priority.  Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Article Source: http://www.wired.com/2014/10/poodle-explained/

The Latest Data Breaches for November 2014: USPS and Grocery Stores Operated by AB Acquisition LLC & SUPERVALU

USPS Breach

The U.S. Postal Service said on 11/10/14 that employees’ personal data, including Social Security numbers, may have been compromised in a cyber attack.

The Postal Service said more than 800,000 people, all those who receive their pay from the Postal Service and some retirees, could potentially be affected.

In a statement, the USPS said the FBI was leading an investigation and that customer credit card data did not appear to be at risk.

“The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” the statement said. “Postal Service transactional revenue systems in post offices as well as on usps.com, where customers pay for services with credit and debit cards have not been affected by this incident.”

Over 2.9 million customers who contacted the postal service customer care center with an inquiry via telephone or email between January 1, 2014, and August 16, 2014 are also at risk.

The intrusion compromised names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information, according to the statement.

AB Acquisition LLC & SUPERVALU Breach


In addition, malware was discovered in fall 2014 on some point-of-sale systems within grocery stores operated by AB Acquisition LLC & SUPERVALU. SUPERVALU’s stores include: Cub Foods, Hornbacher’s, Farm Fresh, Shop ‘N Save, and Shoppers Food & Pharmacy. AB Acquisition’s stores include Albertson’s stores under Albertson’s LLC and ACME Markets, Jewel-Osco, and Shaw’s and Star Markets under New Albertson’s, Inc.

Click here to review a statement and press release from SUPERVALU with more details about the incident, should you suspect you may be affected by this malware incident. For more information on the AB Acquisition LLC incident, click here.

It is important to know the following in regard to both data breaches:

  • Free credit monitoring services are usually offered to compromised customers. Should you be affected by either of these latest data breaches, an announcement will be sent with information regarding how to activate these services. However, credit monitoring only alerts you to new credit or changes to your existing credit. The criminal activity that is taking place uses existing open accounts, so no credit monitoring alerts may be triggered. You need to watch your account statements carefully.  
  • First Financial accountholders will not be responsible for any fraudulent account charges. If you suspect any fraudulent transactions, please contact Member Services immediately at 866.750.0100.

Be wary of emails or telephone calls that request information. Neither USPS, AB Acquisition LLC, SUPERVALU, nor our financial institution will ask you to provide any information in relation to this possible data breach incident.

Below are the recommended steps to remain vigilant against possible identity fraud:

  1. Check your bank statements. Review your statements carefully and repeatedly. Any purchases, large or small, should be verified as a purchase you made.
  2. Get Help. You are not responsible for fraudulent transactions on your account, but you need to notify us as soon as possible if you see any suspicious activity. Contact us with any questions.
  3. Take Action. If you suspect that your identity has been compromised, you can place a fraud alert on your credit file by calling any one of the three major credit reporting agencies shown below. A fraud alert is a notation on your credit file to warn credit issuers that there may be a problem. The credit issuer is asked to contact you at the telephone number that you supply to validate that you are the person applying for the credit. This is not the same as credit monitoring.

TransUnion: 1.800.916.8800, Experian: 1.888.397.3742, Equifax: 1.800.685.1111

In accordance with the Fair Credit Reporting Act, it is permissible for consumers to request a free copy of their credit report once every 12 months from each of the three major credit reporting agencies (TransUnion, Experian, and Equifax).

To order a free credit report: online at www.annualcreditreport.com or by telephone at 1.877.322.8228.

Individuals are encouraged to report any suspected instances of identity fraud to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products. With our Fully Managed Identity Recovery services, you don’t need to worry: a professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way and will be there for you until your good name is restored. You can try it FREE for 90 days!*

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!**

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

*Available for new enrollments only. After the free trial of 90 days, the member must contact the Credit Union to opt-out of ID Theft Protection or the monthly fee of $4.95 will automatically be deducted out of the base savings account or $8.95 will be deducted out of the First Protection Checking account (depending upon the coverage option selected), on a monthly basis or until the member opts out of the program. **Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Article Sources: http://www.nbcnews.com/tech/security/800-000-post-office-employees-data-could-be-compromised-n245121, http://www.supervalu.com/security.html, http://www.albertsons.com/2014/08/ab-acquisition-llc-confirms-incident-involving-payment-card-data-processing/.

Add Kmart and Dairy Queen to the Latest Data Breach List and Check Your Statements!

Recent data breach news reports have Dairy Queen admitting to a breach at as many as 395 stores between August and September 2014, and Sears Holding Co. disclosing that malware at Kmart point-of-sale registers stole customer debit and credit card data.

Kmart customers who shop in its Brick, Manahawkin, Toms River, or Wall, NJ stores may need to check their debit and credit card accounts, after the retailer discovered a data breach last week.

According to an article on APP.com, the company announced its payment system had been attacked by hackers who stole customers’ debit and credit card numbers. Kmart discovered the intrusion into its payment system on Thursday – but the investigation shows it goes back to early September 2014, Kmart said in a statement released Friday.

Kmart joins a list of other big companies, including retailers Target, Acme, and Home Depot, that have been attacked by hackers recently.

“According to the security experts we have been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” the company said in a statement. “We were able to quickly remove the malware. However, we believe certain debit and credit card numbers have been compromised.”

No personal information, debit card PIN numbers, email addresses, or Social Security numbers were obtained by the hackers, the company said. There also is no evidence that Kmart.com customers were affected.

In late August, Dairy Queen announced its data breach after it was reported by KrebsOnSecurity, which placed the attacks as early as June 2014.

Dairy Queen and Kmart have said there is no indication that Social Security numbers, personal identification numbers, or email addresses were taken in these incidents. Krebs also reported on the Kmart malware incident, about which Kmart posted a notice on Friday.

In related news, federal investigators reportedly believe the hackers who breached JPMorgan Chase over the summer also stole information from Fidelity Investments, according to the Wall Street Journal. The paper’s sources do not believe the breach of Fidelity was on the same scale as the JPMorgan breach affecting contact information for as many as 76 million households.

First Financial would like to remind our members that your accounts with us are monitored 24/7 by an experienced team of security professionals for any suspicious or potentially fraudulent activity. First Financial employs the most advanced fraud detection and prevention technology to guard members’ credit and debit accounts against unauthorized access and use. Here’s a quick update for your peace of mind:

  • If our security team observes any unusual activity on member accounts, we will contact members immediately to determine whether the transaction activity is legitimate and authorized.
  • It is also a good practice for members to keep a watchful eye on their accounts and transactions and look for any unauthorized activity or purchases.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products. With our Fully Managed Identity Recovery services, you don’t need to worry: a professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way and will be there for you until your good name is restored. You can try it FREE for 90 days!*

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!**

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

*Available for new enrollments only. After the free trial of 90 days, the member must contact the Credit Union to opt-out of ID Theft Protection or the monthly fee of $4.95 will automatically be deducted out of the base savings account or $8.95 will be deducted out of the First Protection Checking account (depending upon the coverage option selected), on a monthly basis or until the member opts out of the program. **Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Article Sources:

http://www.app.com/story/money/business/consumer/2014/10/10/kmart-hacker-attack/17080339/

http://patch.com/new-jersey/wall/do-you-shop-wall-kmart-check-your-credit-and-debit-cards-0?utm_source=newsletter-daily&utm_medium=email&utm_term=business&utm_campaign=newsletter#.VD0z5WddUuc

http://www.nafcu.org/News/2014_News/October/Dairy_Queen__Kmart_in_latest_data_breach_stories/


Important Member Alert: Shellshock Cyber Security Threat Update

If you’re trying to navigate the news concerning Shellshock, you can be forgiven for thinking the coverage is written in another language. The official name for the exploit, CVE-2014-6271, sounds like it should come from a “Star Trek” character. It’s not easy to explain and it’s even harder to figure out what to do about it. Let’s first see what the exploit is and then see what you need to do to keep yourself safe.

Shellshock is an exploitable security gap in Bash, one of the most popular operating environments for Internet backbone computers. Bash support is rare for home computers and is disabled by default on OS X and Windows devices. It’s extremely common, though, on email and website hosting servers, which usually run Linux-based operating systems. Shellshock allows hackers to operate servers remotely, installing and operating software, accessing data and executing operations.

It might seem like Shellshock is a problem for other people, but it’s a serious security concern for everyone. From hotels to credit card companies, Bash-operated computers are everywhere in e-commerce, and unless they’re using a patch that was released on 9/29/14, they’re vulnerable to remote manipulation. This could put sensitive data at risk. More seriously, hackers can use remote servers to distribute malware and engage in further acts of cyber crime.

How many computers were affected by the bug? It’s difficult to say. The flaw was discovered on 9/26/14 and exists on devices other than computers. Automated engineering equipment, database maintenance computers, and even facilities management machines run variants of Linux that rely on Bash. Many of these devices were set up with the expectation they would never need software maintenance, so getting an accurate count of devices is impossible. Early estimates by security experts at HP suggest that the loophole could affect a half-billion computers in America.

Worse yet, the exploit has been embedded in the system for as much as 22 years. Linux archivists charged with tracing the flaw claim that the bug may have been allowing limited access to online machines since 1992.

First Financial updates our systems regularly and your data security is the highest priority. Our systems were updated immediately upon announcement of the threat’s discovery and we will always keep our members informed of any threats to their privacy.

There are steps you can take to protect your privacy online, as well:

1. Do not install any software that claims to patch this bug unless it comes from the manufacturer of your operating system. There are two ways cybersecurity problems cause damage: first, the damage of the actual attack, and second, the collateral damage from the panic and insecurity in the wake of the crisis. Many opportunistic criminals will use the confusion surrounding the bug to distribute malware and other harmful programs. Unless you have specifically enabled Bash on your PC, Mac, or mobile device, you do not need to install any new programs to stop the bug.

2. Change your passwords. One of the common commands hackers run with Shellshock is to download a list of passwords and account names. If you’ve used a password somewhere, assume that password is no longer secure. Choose a new, strong password. If you’re struggling, try using the four random words strategy pioneered by cryptologist Randall Munroe. Put four random words together, capitalize the first letter of each word, and put a number and a piece of punctuation on the end – like FootballAnarchyMondayCamden4! – to create an easy-to-remember but hard-to-guess password.

3. Keep a careful eye on your account and card statements. Watch for small, recurring charges. For many hackers, the easiest way to make a living is to steal a dollar a month from a thousand people. The odds of getting caught are lower than trying to steal a thousand dollars from one person and the profits are the same. If you see suspicious activity, call your issuing financial institution immediately to put a hold order on the account.

4. Avoid storing your credit card information with online retailers. Not only can this expose you to identity theft, but it can also make it easier to impulse spend. Shellshock is not the last security bug we will see. It is smartest to begin expecting this level of insecurity and keeping your personal information in as few places online as possible.

Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Article Source: CUcontent.com

IRS Warning About Phone Scams

The Internal Revenue Service and the Treasury Inspector General for Tax Administration (TIGTA) continue to hear from taxpayers who have received unsolicited calls from individuals demanding payment while fraudulently claiming to be from the IRS.

Based on the 90,000 complaints that TIGTA has received through its telephone hotline, to date, TIGTA has identified approximately 1,100 victims who have lost an estimated $5 million from these scams.

“There are clear warning signs about these scams, which continue at high levels throughout the nation,” said IRS Commissioner John Koskinen. “Taxpayers should remember their first contact with the IRS will not be a call from out of the blue, but through official correspondence sent through the mail. A big red flag for these scams are angry, threatening calls from people who say they are from the IRS and urging immediate payment. This is not how we operate. People should hang up immediately and contact TIGTA or the IRS.”

Additionally, it is important for taxpayers to know that the IRS:

  • Never asks for credit card, debit card, or prepaid card information over the telephone.
  • Never insists that taxpayers use a specific payment method to pay tax obligations.
  • Never requests immediate payment over the telephone and will not take enforcement action immediately following a phone conversation. Taxpayers usually receive prior notification of IRS enforcement action involving IRS tax liens or levies.

Potential phone scam victims may be told that they owe money that must be paid immediately to the IRS or they are entitled to big refunds. When unsuccessful the first time, sometimes phone scammers call back trying a new strategy.

Other characteristics of these scams include:

  • Scammers use fake names and IRS badge numbers. They generally use common names and surnames to identify themselves.
  • Scammers may be able to recite the last four digits of a victim’s Social Security number.
  • Scammers spoof the IRS toll-free number on caller ID to make it appear that it’s the IRS calling.
  • Scammers sometimes send bogus IRS emails to some victims to support their bogus calls.
  • Victims hear background noise of other calls being conducted to mimic a call site.
  • After threatening victims with jail time or driver’s license revocation, scammers hang up and others soon call back pretending to be from the local police or DMV, and the caller ID supports their claim.

If you get a phone call from someone claiming to be from the IRS, here’s what you should do:

  • If you know you owe taxes or you think you might owe taxes, call the IRS at 1.800.829.1040. The IRS employees at that line can help you with a payment issue, if there really is such an issue.
  • If you know you don’t owe taxes or have no reason to think that you owe any taxes (for example, you’ve never received a bill or the caller made some bogus threats as described above), then call and report the incident to TIGTA at 1.800.366.4484.
  • You can file a complaint using the FTC Complaint Assistant; choose “Other” and then “Imposter Scams.” If the complaint involves someone impersonating the IRS, include the words “IRS Telephone Scam” in the notes.

Taxpayers should be aware that there are other unrelated scams (such as a lottery sweepstakes) and solicitations (such as debt relief), that also fraudulently claim to be from the IRS.

The IRS encourages taxpayers to be vigilant against phone and email scams that use the IRS as a lure. The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. The IRS also does not ask for PINs, passwords or similar confidential access information for credit card, bank or other financial accounts. Recipients should not open any attachments or click on any links contained in the message. Instead, forward the email to phishing@irs.gov.

For more information or to report a scam, go to www.irs.gov and type “scam” in the search box. More information on how to report phishing scams involving the IRS is available on the genuine IRS website, IRS.gov.

A Message for Members Regarding Account Security Following Home Depot Data Breach

Home Depot is officially the latest big retailer to suffer a payment data breach, the company confirmed on 9/8/14. It’s unclear how many customers were affected, but Home Depot said the breach could have hit customers who used debit or credit cards at its U.S. and Canadian stores from April 2014 forward.

The company released few other details in its statement as it continues to determine the full scope, scale and impact of the breach. At this point there is no evidence that debit PIN numbers were compromised, and the breach doesn’t appear to have affected physical stores in Mexico or HomeDepot.com.

Naturally, this latest data breach has created inquiry from First Financial members regarding the security of their credit and debit card accounts.

We want to assure members that your accounts with us are monitored 24/7 by an experienced team of security professionals for any suspicious or potentially fraudulent activity. First Financial employs the most advanced fraud detection and prevention technology to guard members’ credit and debit accounts against unauthorized access and use. Here’s a quick update for your peace of mind:

  • If our security team observes any unusual activity on member accounts, we will contact members immediately to determine whether the transaction activity is legitimate and authorized.
  • It is also a good practice for members to keep a watchful eye on their accounts and transactions and look for any unauthorized activity or purchases.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products. With our Fully Managed Identity Recovery services, you don’t need to worry: a professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way and will be there for you until your good name is restored. You can try it FREE for 90 days!*

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!**

*Available for new enrollments only. After the free trial of 90 days, the member must contact the Credit Union to opt-out of ID Theft Protection or the monthly fee of $4.95 will automatically be deducted out of the base savings account or $8.95 will be deducted out of the First Protection Checking account (depending upon the coverage option selected), on a monthly basis or until the member opts out of the program. **Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

Article Source: http://www.nbcnews.com/tech/security/home-depot-confirms-credit-card-data-breach-n198621