Add Kmart and Dairy Queen to the Latest Data Breach List and Check Your Statements!

Recent data breach news reports have Dairy Queen admitting to a breach at as many as 395 stores between August and September 2014, and Sears Holding Co. disclosing that malware at Kmart point-of-sale registers stole customer debit and credit card data.

Kmart customers who shop in its Brick, Manahawkin, Toms River, or Wall, NJ stores may need to check their debit and credit card accounts, after the retailer discovered a data breach last week.

According to an article on APP.com, the company announced its payment system had been attacked by hackers who stole customers’ debit and credit card numbers. Kmart discovered the intrusion into its payment system on Thursday – but the investigation shows it goes back to early September 2014, Kmart said in a statement released Friday.

Kmart joins a list of other big companies, including retailers Target, Acme, and Home Depot, that have been attacked by hackers recently.

“According to the security experts we have been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” the company said in a statement. “We were able to quickly remove the malware. However, we believe certain debit and credit card numbers have been compromised.”

No personal information, debit card PIN numbers, email addresses, or Social Security numbers were obtained by the hackers, the company said. There also is no evidence that Kmart.com customers were affected.

In late August, Dairy Queen announced its data breach after it was reported by KrebsOnSecurity, which placed the attacks as early as June 2014.

Dairy Queen and Kmart have said there is no indication that Social Security numbers, personal identification numbers, or email addresses were taken in these incidents. Krebs also reported on the malware incident at Kmart, which posted a notice about it Friday.

In related news, federal investigators reportedly believe the hackers who breached JPMorgan Chase over the summer also stole information from Fidelity Investments, according to the Wall Street Journal. The paper’s sources do not believe the breach of Fidelity was on the same scale as the JPMorgan breach affecting contact information for as many as 76 million households.

First Financial would like to remind our members that your accounts with us are monitored 24/7 by an experienced team of security professionals for any suspicious or potentially fraudulent activity. First Financial employs the most advanced fraud detection and prevention technology to guard members’ credit and debit accounts against unauthorized access and use. Here’s a quick update for your peace of mind:

  • If our security team observes any unusual activity on member accounts, we will contact members immediately to determine whether the transaction activity is legitimate and authorized.
  • It is also a good practice for members to keep a watchful eye on their accounts and transactions and look for any unauthorized activity or purchases.

Don’t wait until it’s too late! Check out First Financial’s ID Theft Protection products – with our Fully Managed Identity Recovery services, you don’t need to worry. A professional Recovery Advocate will do the work on your behalf, based on a plan that you approve. Should you experience an Identity Theft incident, your Recovery Advocate will stick with you all along the way – and will be there for you until your good name is restored. And you can try it FREE for 90 days!*

Our ID Theft Protection options may include some of the following services, based on the package you choose to enroll in: Lost Document Replacement, Credit Bureau Monitoring, Score Tracker, and Three-Generation Family Benefit. To learn more about our ID Theft Protection products, click here and enroll today!**

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

*Available for new enrollments only. After the free trial of 90 days, the member must contact the Credit Union to opt-out of ID Theft Protection or the monthly fee of $4.95 will automatically be deducted out of the base savings account or $8.95 will be deducted out of the First Protection Checking account (depending upon the coverage option selected), on a monthly basis or until the member opts out of the program. **Identity Theft insurance underwritten by subsidiaries or affiliates of Chartis Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Article Sources:

http://www.app.com/story/money/business/consumer/2014/10/10/kmart-hacker-attack/17080339/

http://patch.com/new-jersey/wall/do-you-shop-wall-kmart-check-your-credit-and-debit-cards-0?utm_source=newsletter-daily&utm_medium=email&utm_term=business&utm_campaign=newsletter#.VD0z5WddUuc

http://www.nafcu.org/News/2014_News/October/Dairy_Queen__Kmart_in_latest_data_breach_stories/

 

Important Member Alert: Shellshock Cyber Security Threat Update

If you’re trying to navigate the news concerning Shellshock, you can be forgiven for thinking the coverage is written in another language. The official name for the exploit, CVE-2014-6271, sounds like it should come from a “Star Trek” character. It’s not easy to explain and it’s even harder to figure out what to do about it. Let’s first see what the exploit is and then see what you need to do to keep yourself safe.

Shellshock is an exploitable security gap in Bash, one of the most popular operating environments for Internet backbone computers. Bash support is rare for home computers and is disabled by default on OS X and Windows devices. It’s extremely common, though, on email and website hosting servers, which usually run Linux-based operating systems. Shellshock allows hackers to operate servers remotely, installing and operating software, accessing data and executing operations.

It might seem like Shellshock is a problem for other people, but it’s a serious security concern for everyone. From hotels to credit card companies, Bash-operated computers are everywhere in e-commerce, and unless they’re using a patch that was released on 9/29/14, they’re vulnerable to remote manipulation. This could put sensitive data at risk. More seriously, hackers can use remote servers to distribute malware and engage in further acts of cyber crime.

How many computers were affected by the bug? It’s difficult to say. The flaw was discovered on 9/26/14 and exists on devices other than computers. Automated engineering equipment, database maintenance computers, and even facilities management machines run variants of Linux that rely on Bash. Many of these devices were set up with the expectation they would never need software maintenance, so getting an accurate count of devices is impossible. Early estimates by security experts at HP suggest that the loophole could affect a half-billion computers in America.

Worse yet, the exploit has been embedded in the system for as much as 22 years. Linux archivists charged with tracing the flaw claim that the bug may have been allowing limited access to online machines since 1992.

First Financial updates our systems regularly and your data security is the highest priority. Our systems were updated immediately upon announcement of the threat’s discovery and we will always keep our members informed of any threats to their privacy.

There are steps you can take to protect your privacy online, as well:

1. Do not install any software that claims to fix this bug unless it comes from the manufacturer of your operating system. There are two ways cybersecurity problems cause damage: first, the damage of the actual attack, and second, the collateral damage from the panic and insecurity in the wake of the crisis. Many opportunistic criminals will use the confusion surrounding the bug to distribute malware and other harmful programs. Unless you have specifically enabled Bash on your PC, Mac, or mobile device, you do not need to install any new programs to stop the bug.

2. Change your passwords. One of the common commands hackers run with Shellshock is to download a list of passwords and account names. If you’ve used a password somewhere, assume that password is no longer secure. Choose a new, strong password. If you’re struggling, try using the four random words strategy pioneered by cryptologist Randall Munroe. Put four random words together, capitalize the first letter of each word, and put a number and a piece of punctuation on the end – like FootballAnarchyMondayCamden4! – to create an easy-to-remember but hard-to-guess password.

3. Keep a careful eye on your account and card statements. Watch for small, recurring charges. For many hackers, the easiest way to make a living is to steal a dollar a month from a thousand people. The odds of getting caught are lower than trying to steal a thousand dollars from one person and the profits are the same. If you see suspicious activity, call your issuing financial institution immediately to put a hold order on the account.

4. Avoid storing your credit card information with online retailers. Not only can this expose you to identity theft, but it can also make it easier to impulse spend. Shellshock is not the last security bug we will see. It is smartest to begin expecting this level of insecurity and keeping your personal information in as few places online as possible.

Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Article Source: CUcontent.com

IRS Warning About Phone Scams

The Internal Revenue Service and the Treasury Inspector General for Tax Administration (TIGTA) continue to hear from taxpayers who have received unsolicited calls from individuals demanding payment while fraudulently claiming to be from the IRS.

Based on the 90,000 complaints that TIGTA has received through its telephone hotline, to date, TIGTA has identified approximately 1,100 victims who have lost an estimated $5 million from these scams.

“There are clear warning signs about these scams, which continue at high levels throughout the nation,” said IRS Commissioner John Koskinen. “Taxpayers should remember their first contact with the IRS will not be a call from out of the blue, but through official correspondence sent through the mail. A big red flag for these scams are angry, threatening calls from people who say they are from the IRS and urging immediate payment. This is not how we operate. People should hang up immediately and contact TIGTA or the IRS.”

Additionally, it is important for taxpayers to know that the IRS:

  • Never asks for credit card, debit card, or prepaid card information over the telephone.
  • Never insists that taxpayers use a specific payment method to pay tax obligations.
  • Never requests immediate payment over the telephone and will not take enforcement action immediately following a phone conversation. Taxpayers usually receive prior notification of IRS enforcement action involving IRS tax liens or levies.

Potential phone scam victims may be told that they owe money that must be paid immediately to the IRS or they are entitled to big refunds. When unsuccessful the first time, sometimes phone scammers call back trying a new strategy.

Other characteristics of these scams include:

  • Scammers use fake names and IRS badge numbers. They generally use common names and surnames to identify themselves.
  • Scammers may be able to recite the last four digits of a victim’s Social Security number.
  • Scammers spoof the IRS toll-free number on caller ID to make it appear that it’s the IRS calling.
  • Scammers sometimes send bogus IRS emails to some victims to support their bogus calls.
  • Victims hear background noise of other calls being conducted to mimic a call site.
  • After threatening victims with jail time or driver’s license revocation, scammers hang up and others soon call back pretending to be from the local police or DMV, and the caller ID supports their claim.

If you get a phone call from someone claiming to be from the IRS, here’s what you should do:

  • If you know you owe taxes or you think you might owe taxes, call the IRS at 1.800.829.1040. The IRS employees at that line can help you with a payment issue, if there really is such an issue.
  • If you know you don’t owe taxes or have no reason to think that you owe any taxes (for example, you’ve never received a bill or the caller made some bogus threats as described above), then call and report the incident to TIGTA at 1.800.366.4484.
  • You can file a complaint using the FTC Complaint Assistant; choose “Other” and then “Imposter Scams.” If the complaint involves someone impersonating the IRS, include the words “IRS Telephone Scam” in the notes.

Taxpayers should be aware that there are other unrelated scams (such as a lottery sweepstakes) and solicitations (such as debt relief), that also fraudulently claim to be from the IRS.

The IRS encourages taxpayers to be vigilant against phone and email scams that use the IRS as a lure. The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. The IRS also does not ask for PINs, passwords or similar confidential access information for credit card, bank or other financial accounts. Recipients should not open any attachments or click on any links contained in the message. Instead, forward the email to phishing@irs.gov.

For more information or to report a scam, go to www.irs.gov and type “scam” in the search box. More information on how to report phishing scams involving the IRS is available on the genuine IRS website, IRS.gov.

A Message for Members Regarding Account Security Following Home Depot Data Breach

Home Depot is officially the latest big retailer to suffer a payment data breach, the company confirmed on 9/8/14. It’s unclear how many customers were affected, but Home Depot said the breach could have hit customers who used debit or credit cards at its U.S. and Canadian stores from April 2014 forward.

The company released few other details in its statement as it continues to determine the full scope, scale and impact of the breach. At this point there is no evidence that debit PIN numbers were compromised, and the breach doesn’t appear to have affected physical stores in Mexico or HomeDepot.com.

Naturally, this latest data breach has prompted inquiries from First Financial members regarding the security of their credit and debit card accounts.

We want to assure members that your accounts with us are monitored 24/7 by an experienced team of security professionals for any suspicious or potentially fraudulent activity. First Financial employs the most advanced fraud detection and prevention technology to guard members’ credit and debit accounts against unauthorized access and use. Here’s a quick update for your peace of mind:

  • If our security team observes any unusual activity on member accounts, we will contact members immediately to determine whether the transaction activity is legitimate and authorized.
  • It is also a good practice for members to keep a watchful eye on their accounts and transactions and look for any unauthorized activity or purchases.

We will continue to monitor all members’ accounts for suspicious activity. If you have any additional questions or concerns, please give us a call at 866.750.0100 or email us at info@firstffcu.com. Thank you for being a valued member of First Financial.

Article Source: http://www.nbcnews.com/tech/security/home-depot-confirms-credit-card-data-breach-n198621

 

eBay Asks 145 Million Users to Change Passwords After Data Breach

Online commerce giant eBay recently asked users to change their passwords after hackers stole encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth.

The data breach occurred between late February and early March 2014, according to a press statement posted on the company’s website.

The company stated that cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network. The company is currently working with law enforcement and security experts to investigate the breach and has not noticed any fraudulent activity related to the incident. eBay discovered the breach in early May, meaning it went unnoticed for about a month. The company spent a few weeks investigating the incident before disclosing it to the public.

Here’s what you need to know:

  • The company is asking all of its 145 million active users to change their passwords as a “precautionary measure,” but is not sure how many accounts were compromised in the breach.
  • No financial information, including credit card numbers, was stolen.
  • PayPal information was also safe because it was encrypted and stored on a different network.
  • Users who use their eBay password elsewhere should immediately change that password on other sites – especially their e-mail.

It is important that users heed eBay’s request to change their passwords because the hackers may eventually be able to break the encryption that secures them.

Article source courtesy of Andrea Peterson of the Washington Post.

Important Message to Online Banking Users – Microsoft Security Flaw

The following is an important message for Online Banking users which discusses a recently discovered Microsoft security flaw, and recommendations for use.

Issue: Microsoft recently acknowledged a security flaw in its widely used Internet Explorer browser that could put Online Banking members at risk. This vulnerability is commonly known as a “use-after-free” flaw. It affects Internet Explorer versions 6 through 11.

Description: This vulnerability allows an attacker to host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. For the attack to succeed, however, users would have to be directed to take action, typically by getting users to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

Recommendation: Since the issue pertains to a flaw in the Internet Explorer browser that may be used to conduct Online Banking transactions on your personal computers, we are urging our members to use a different browser to mitigate the risk until Microsoft releases a fix to address this issue. Chrome, Firefox or Safari (for Apple users) can be used in the meantime.

If you have any further questions or concerns, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

References:

https://technet.microsoft.com/en-US/library/security/2963983

https://www.us-cert.gov/ncas/current-activity/2014/04/28/Microsoft-Internet-Explorer-Use-After-Free-Vulnerability-Being