eBay Asks 145 Million Users to Change Passwords After Data Breach

Online commerce giant eBay recently asked users to change their passwords after hackers stole encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth.

The data breach occurred between late February and early March 2014, according to a press statement posted on the company’s website.

The company stated that cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network. The company is currently working with law enforcement and security experts to investigate the breach and has not noticed any fraudulent activity related to the incident. eBay discovered the breach in early May, meaning it went unnoticed for about a month. The company spent a few weeks investigating the incident before disclosing it to the public.

Here’s what you need to know:

  • The company is asking all of its 145 million active users to change their passwords as a “precautionary measure,” but is not sure how many accounts were compromised in the breach.
  • No financial information, including credit card numbers, was stolen.
  • PayPal information was also safe because it was encrypted and stored on a different network.
  • Users who use their eBay password elsewhere should immediately change that password on other sites – especially their e-mail.

It is important that users heed eBay’s request to change their passwords because the hackers may eventually be able to break the encryption that secures them.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products – with our Fully Managed Identity Recovery services, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored and you can try it FREE for 90 days!*

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!**

*Available for new enrollments only. After the free trial of 90 days, the member must contact the Credit Union to opt-out of ID Theft Protection or the monthly fee of $4.95 will automatically be deducted out of the base savings account or $8.95 will be deducted out of the First Protection Checking account (depending upon the coverage option selected), on a monthly basis or until the member opts out of the program. **Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Article source courtesy of Andrea Peterson of the Washington Post.

Important Message to Online Banking Users – Microsoft Security Flaw

The following is an important message for Online Banking users about a recently discovered Microsoft security flaw, with recommendations for use.

Issue: Microsoft recently acknowledged a security flaw in its widely used Internet Explorer browser that could put Online Banking members at risk. This vulnerability is commonly known as a “use-after-free” flaw. It affects Internet Explorer versions 6 through 11.

Description: This vulnerability allows an attacker to host a specially crafted website that is designed to exploit the flaw through Internet Explorer. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. For the attack to succeed, however, users would have to be directed to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes them to the attacker’s website, or by opening an attachment sent through email.

Recommendation: Since the issue pertains to a flaw in the Internet Explorer browser that may be used to conduct Online Banking transactions on your personal computers, we are urging our members to use a different browser to mitigate the risk until Microsoft releases a fix to address this issue. Chrome, Firefox or Safari (for Apple users) can be used in the meantime.

If you have any further questions or concerns, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

References:

https://technet.microsoft.com/en-US/library/security/2963983

https://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being

 

 

Important Member Alert: Heartbleed Security Vulnerability Update

Yesterday, a serious vulnerability dubbed “Heartbleed” was uncovered and publicly disclosed by security researchers. This vulnerability exists in certain versions of OpenSSL, a widely used cryptographic library that enables SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption.

The vulnerability relies on a bug in the implementation of OpenSSL’s “heartbeat” feature, hence the “Heartbleed” name. When exploited, this vulnerability enables an attacker to trick a system into revealing chunks of data residing in its memory. This attack can lead to a server leaking private SSL keys, usernames/passwords, and other sensitive data. Many well-known sites have been reported as vulnerable to attack.
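The missing check behind this bug, as an added C example that is not OpenSSL's code or part of the original alert: a heartbeat request carries its own payload-length field, and a handler that trusts that field echoes back whatever sits next to the request in memory. The buffer, function names and sample "secret" are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16 /* minimum padding required by RFC 6520 */

/* Constructed sample: a 20-byte heartbeat request that claims a 40-byte
 * payload but carries only "A" plus padding, followed in the same buffer
 * by unrelated data standing in for neighbouring process memory. */
static const uint8_t memory[64] =
    "\x01\x00\x28" "A" "PPPPPPPPPPPPPPPP" "session-key=EXAMPLE-NOT-REAL";
static const size_t record_len = HB_HEADER + 1 + HB_PADDING;

/* Pre-fix pattern: trusts the length field inside the message. */
static int echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len; /* never consulted: this is the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

/* Fixed pattern: silently discard unless header, claimed payload and
 * padding all fit inside the record that was actually received. */
static int echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (int)claimed;
}

int main(void) {
    uint8_t out[sizeof memory];
    int n = echo_unchecked(memory, record_len, out);
    printf("unchecked: echoed %d bytes, %d beyond the real payload\n", n, n - 1);
    printf("checked:   %d (-1 means discarded)\n",
           echo_checked(memory, record_len, out));
    return 0;
}
```

The checked handler rejects the oversized claim outright, which is why patching the library closes the leak; keys and passwords that may already have been exposed still need to be replaced.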

First Financial’s website and systems utilize network load balancers, which manage SSL encryption and decryption for our member information and data. These load balancers operate on a different OpenSSL platform that is not vulnerable to this bug.

Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Important Alert: Card Cracking Scam Targets Students

Cash-strapped college students are being recruited to participate in a scam referred to as “card cracking.” Using ATM/debit cards and PINs willingly provided by the students, fraudsters deposit fraudulent checks to the students’ accounts. The funds are subsequently withdrawn by the fraudsters with the students receiving a portion of the funds for their participation.

Details
The “card cracking” scam was reported to originate in Chicago and generally targeted college students who were recruited through social media sites including Facebook, Instagram and YouTube. Participants were even recruited in person at college campuses. The sales pitch is to allow the fraudster to deposit a check to a student’s account and withdraw the funds, in return for which the student receives half of the proceeds. This scam is now being reported nationwide.

Willing participants provide the fraudsters with their ATM/debit cards and PINs. The fraudsters deposit fraudulent checks (stolen or counterfeit checks) to the student accounts via ATMs and subsequently withdraw the funds. Their proposition is simple: If you provide me with access to your account so I can deposit a check and withdraw the money, I will provide you with half of the proceeds.

After initial contact is made, the scammer arranges to meet up with the student to retrieve the debit card and corresponding PIN. The deposit is made, the money is withdrawn, and the fraudulent checks are subsequently returned unpaid and charged back to the students’ accounts. Following the fraudsters’ instructions, the participants report their ATM/debit card as lost or stolen and claim that the transactions were fraudulent.

The participants may not be entitled to protection under Regulation E (Reg E) for unauthorized use of their ATM/debit card since they willingly provided their card to the fraudsters. Reg E contains an exclusion to the definition of unauthorized electronic fund transfer:

Unauthorized electronic fund transfer means an electronic fund transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer, and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated by a person who was furnished access to the consumer’s account by the consumer, unless the consumer has notified their financial institution that transfers by that person are no longer authorized.

This is a huge risk – especially for students who may have large amounts going through their accounts from loans, scholarships and tuition reimbursements.

“Even though the students might be considered victims, authorities point out that providing their debit cards to someone else is a crime,” the Sun-Times of Chicago says.

There’s an easy solution: Never share your account information, debit card or PIN! 

Here are some other safety tips you should keep in mind:

  • Always verify the identity of the person trying to obtain personal information.
  • Never give personal information to someone over the phone or via email. Personal information includes: Birth dates, social security numbers, maiden names, addresses, bank account numbers, debit/credit card numbers, PIN numbers, etc.
  • Maintain a record of the phone call or solicitation. Write down the phone number that the person is calling from, the time and date they called, the caller’s name, and reported affiliation. If it was online, save a copy of the email conversation or advertisement.
  • If it sounds too good to be true, it probably is.
  • If you believe you may be a victim of fraud, call your local police department so authorities can be alerted to the activity. You can also report email or internet scams to the Internet Crime Complaint Center (IC3) by going online to http://www.ic3.gov.

Check out First Financial’s ID Theft Protection products – with our Fully Managed Identity Recovery services, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored. To learn more about our ID Theft Protection products, click here and enroll today!*

Click the links to view more information from the original article sources: Yahoo Finance, Explorer News and CUNA Mutual Group.

*Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Important Vishing Scam Alert – March 2014

Vishing calls originating from (410) 768-7599 are being made via automated dialer to random telephone numbers. Vishing, or voice phishing, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.

SCAM DETAILS

  • Calls are automated and a recorded message warns that there is a very important matter to discuss that involves a lower interest rate on a credit card. Victims are encouraged to press 1 to speak to a representative.
  • Callers who press 1 are directed to a call center operator/fraudster.
  • The operator who answers the call has a very heavy accent and at no time asks the victim what their name is or where they live. Operators focus on collecting payment card expiration dates and the last 12 digits of the victim’s payment card.
  • Card issuer brands are never mentioned.

BEST PRACTICES

  • Please do not call the potentially fraudulent number. Law enforcement and local communication companies may be in the middle of an investigation that will be compromised if the fraudsters become suspicious.

If you receive any suspicious calls from this phone number, do not call it back – please contact us immediately at 866.750.0100 so we can report the scam. Due to an increase in these vishing scams, it is important to be cautious if you receive any calls from unknown numbers or area codes. If you have any additional questions or concerns, please give us a call or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

*Article source courtesy of FICO Alert Bulletin 14.03.

Important Apple iOS Security Flaw Alert

Apple announced last week that there is a significant security flaw affecting literally hundreds of millions of iPhones, iPads and iPod Touches running iOS 7, the latest version of the company’s mobile operating system.

Baked into the system was a flaw that allowed an attacker, under certain circumstances, to intercept and read in plain sight traffic that users thought was encrypted via Secure Sockets Layer technologies. That would include email, tweets, Web browsing and, potentially, mobile banking sessions that occur within the Web browser.

Mark Bower, a vice president at Voltage Security, elaborated: “For quite some time, attackers with knowledge of this bug had the ability to mount man-in-the-middle attacks to users operating Apple devices. This could have allowed interception or modification of SSL communications which are supposed to be private and encrypted.”

Experts appear divided as to whether this flaw also impacted traffic via apps, such as mobile banking apps.

Last week Apple issued a patch that it said fixed the problem on iPad, iPhone and iPod Touch.

However, the company also indicated that a related flaw exists in its OS X operating system for desktop and laptop computers. No patch has been issued so far, although Apple has indicated that one is imminent.

Note, too, the SSL attack can occur only when the hacker has control over a WiFi network (typically a public network) or has erected a rogue cellular network (technically doable but sophisticated and rare). This requires significant skill on the part of the attacker, said experts.

Users who never access public WiFi probably have nothing to fear, said most experts.

Experts also, unanimously in this reporter’s poll, urged Apple mobile device owners to download the security patches as soon as possible.


Article Source (Written by Robert McGarvey in the Credit Union Times): http://www.cutimes.com/2014/02/24/apple-ios-security-flaw-prompts-patch-advice?eNL=51520a1b140ba0ed7800006c&utm_source=Daily&utm_medium=eNL&utm_campaign=CUT_eNLs&_LID=15773060