The Best RFID-Blocking Wallets For Men


By the end of the year, you’re going to be carrying some brand new tech in your wallet. That is, if you aren’t already doing so. The major credit card companies have all moved to chip-and-PIN cards, which use Radio Frequency Identification (RFID) to prevent fraudulent transactions and keep your data safe. Unfortunately, the cutting-edge technology that makes your transactions more secure at the register also decreases your security everywhere else. That’s because scammers can pick those radio signals out of the air, capture your credit card information, and go on a shopping spree before you know anything’s wrong.

  

When RFID passports were released in the UK, scammers had broken into them within 48 hours. That’s enough to scare even the most tech-ignorant among us.

  

To combat this vulnerability, you need a wallet that can protect your identity by blocking those radio signals, which many new wallets can do by simply adding a layer of metal that goes entirely around your wallet. So many new wallets can protect you from scammers that you might find the choices overwhelming, particularly if you’re the kind of guy who uses a velcro trifold style wallet. We’ll walk you through your choices and pick the best one for each category, based on style, security, and price, because there’s no point in buying a wallet so expensive you have nothing to put in it.

  

Here are our top choices for three very different kinds of wallets:

Front Pocket Wallet in Bison Leather

by Herrington ($49.95)

  

If you don’t carry much cash or the idea of sitting on metal plates bound in leather sounds uncomfortable, you might be in line for a front pocket wallet. Back pocket wallets have been linked to sciatica and other forms of chronic back pain, so carrying a few cards in your front pocket may be the best long-term choice you can make for both your financial and physical health.

Herrington’s front pocket wallet is curved to fit into the front pocket of your pants without bouncing around or disrupting the lines of your outfit. The handsome Bison leather is masculine and stylish, so you won’t be embarrassed to pull it out at a business lunch or on a date.

The wallet is manufactured in Maine out of multiple layers of material that create a Faraday cage, which prevents radio signals from escaping and so keeps skimmers from getting at your cards.

  

 

The Ridge Wallet ($45-$115)

   

If you want something even slimmer, you may be interested in one of the all-metal wallets that have taken over Kickstarter in the last few years. These wallets wrap your cards in layers of metal held together with a nylon band or screws and look like incredibly modern, wallet-sized Swiss Army knives. Some even have fold-out extensions to hold keys, USB drives or very small pens!

Our choice among the modern, minimalist, metal wallets opts for simplicity. The Ridge Wallet doesn’t have key rings or add-ons, just a simple wallet with a clean look. Ridge offers four different materials ranging from the youthful and inexpensive polycarbonate, which comes in a variety of bright hues, all the way to pricey and indestructible titanium in various shades ranging from gray to black. If you want a wallet sleek and cool enough for Batman, but you don’t want to carry an entire utility belt, you want a black titanium Ridge Wallet.
  

Derrick RFID-Blocking Flip ID Bifold

Manufacturer: Fossil

Price: $45

It’s tough to argue with the classic bifold. With ample room for cards and cash, a classic design certain to fit any outfit, and all the features you’ve always enjoyed, a leather bifold wallet is a traditional men’s accessory that never goes out of style.

Fossil offers a selection of RFID-blocking wallets that don’t look too technical or modern, with the Derrick bifold at the top of the list for its combination of looks, materials, and price. The RFID-blocking material is sewn into the lining, so you won’t feel like you’re sitting on a phone book, but you’ll still be protected. The Derrick bifold is the kind of wallet you can buy now and not think about for a few decades, which tends to be the way most men buy wallets.

  

 

Altoids tin

Manufacturer: Altoids

Price: $3

   

If you’re looking for a budget option, or a stopgap security solution while you shop, you can always keep your cards in an Altoids tin. The thick metal is an effective Faraday cage that offers top-flight security at a price that can’t be beat. Just don’t be surprised if people are quick to comment how fresh your cards smell!

In the end, you’re going to have to decide what matters to you. Unlike other fashion items, you’ll carry your wallet every day, and you probably don’t want to replace it very often. It’s up to you to weigh fashion, security and comfort and come to a decision for your own peace of mind. The only thing you need to make sure of is that you don’t leave your financial information available for motivated scammers to steal.

Please note: Destinations Credit Union is planning to convert to the “Chip” cards in early 2016.


Four Steps To Checking Your Credit Report

If there were a song about keeping yourself safe from financial scams, the refrain to that song would be “Check your credit report!” But practically speaking, what does that mean? How can that one piece of advice keep you safe from so much?

Though it sounds like an advanced financial maneuver, checking your credit report is easier than balancing your checkbook. All you have to do is get it, read it, report errors and stay on it. Let’s look at each step in detail:

1.) Get your credit report

There are three different credit reporting agencies: Equifax, TransUnion, and Experian. They share data, but each makes its own report. You’re entitled to one free report from each agency every year. If you know you’ve got a major purchase, like a car or house, coming up in the next year, you’ll want to check all three bureaus before you start shopping. This way, you can catch inaccuracies before lenders see your information and score. Otherwise, it makes sense to stagger them and view one report every four months. This puts the shortest amount of time between checks.

You can get your credit report for free at annualcreditreport.com. This is the only website approved by the Federal Trade Commission (FTC) for this purpose. Take care to avoid “imposter” websites operated by scammers. They may use similar-sounding website names or common misspellings in an attempt to trick you and get your personal information.

There are other situations under which you can get a free copy of your credit report. If you are denied credit, you can request a copy of the information that was used to make that determination provided you do so within 60 days. If you have been the victim of certain kinds of fraud, the service will also provide you with a free copy of your credit report in order to help you make it right. These checks will never hurt your credit score.

If you’ve requested your report online, it should be available immediately. You may need to answer a few questions to verify your identity. The service may ask if you shared an address with anyone else or about previous streets you’ve lived on. Once you answer these questions, you’ll get your credit report.

2.) Go over your report

With your credit report now in your hands, it’s time to look it over. There are three things you’ll want to look for. You want to find accounts that are open in your name and you want to see if there’s any collection activity. You’ll also want to take a look at the number and frequency of inquiries.

There are slight differences in the three reports, but each has a list of accounts. They may be broken down by type (mortgage, installment, revolving, and other) or listed by date. You’ll want to look through each one to make sure you recognize them. This can be a tricky task, as every store credit card you open and every installment loan you make is listed. If there are any accounts you don’t recognize, you’ll want to make a note of them and potentially contact the credit reporting agency. Look particularly for accounts going to PO Boxes or listed with addresses in other states.


“Negative items” include bankruptcies, accounts in collection or accounts reporting as past due. Such activity is another good place to check for fraud. If someone else opened an account in your name, they likely won’t be paying the bills. You’ll also want to look for inaccuracies that may be hurting your credit score. If there’s an account listed here that was discharged in bankruptcy, for example, you’ll want to make note of that, too.

The list of inquiries shows you the number of times someone has checked your credit. No one can do this without your permission, so if there are more inquiries than you remember, it could be a sign someone has stolen your identity. It might be worthwhile to put a freeze on the ability to open new accounts in your name until you’ve gotten everything resolved.

3.) Report inaccuracies

Each reporting agency maintains a separate error reporting process, so you’ll have to report each error to the agency that made it. For basic errors, like address, name, or personal information, the agency can make those corrections with minimal trouble. For more serious errors, you’ll need to send a dispute letter.

The FTC has a template for a dispute letter available on its website. You can use that or you can draft your own. Either way, you’ll need to clearly identify the accounts or items you’re disputing. Where possible, use partial account numbers or other numerical information. You’ll also need to explain why you consider the item an error. Attach copies, but not originals, of documents that support your claim. Examples include police reports for stolen or lost wallets, bankruptcy orders that discharged a debt or letters from a lender indicating that an account was opened fraudulently.

Send your letter via certified mail. This costs a little more than a stamp, but you’ll get proof of receipt. This is important because the agency has 30 days to make a determination about your dispute. They’ll send your dispute to the information provider (the company that told the agency about the account or negative item).

If the reporting agency finds your claim to be correct, you can request that they send copies of the updated report to anyone who received your credit report in the last six months, and to any employer who pulled your credit report over the last two years. They’re also required to send you an updated copy with any new information in it.

4.) Stay on it

Checking your credit report periodically is the only way to keep yourself safe from identity theft and other modern crimes. If you need assistance, Destinations Credit Union is here to help.  Call, click, or stop by today.


Is 2015 The Year Of The Health Care Hack?

Brought to you by Destinations Credit Union

If 2014 was the year of major retailers being involved in security breaches, 2015 has thus far been the year for insurance companies. Anthem led the way earlier this year with a hack that compromised the personal information of hundreds of thousands of victims. Now, Premera Blue Cross, one of the largest health insurance providers in the Pacific Northwest, has been the target of a security breach.

Security experts are still attempting to discover the full extent of the breach. Hackers evidently accessed housing data from as far back as 2002. It is believed that at least 11 million people were affected by the breach.

Premera also has dozens of subsidiary organizations, clients, and contractors, each with its own set of records. Technology experts from the health care provider are working tirelessly to determine the extent of their information that was compromised. Vivacity, a workplace wellness provider, and Connexion Insurance Solutions, which focuses on small- to medium-sized businesses, were both affected, too.

The vulnerability has been in use for some time. Company officials say the first breach occurred in May of 2014 and was only discovered in January of 2015. The FBI, in coordination with private cyber security firm Mandiant, is working to uncover the size and severity of this attack as well as to find the perpetrators.

Criminals have stolen a wide variety of personal information from the provider. Names, addresses, and Social Security numbers are the obvious targets, and these are frequently used to commit identity theft or cloning. A surprising amount of health information is also used to illegally obtain prescription medication or commit insurance fraud. This form of medical identity theft is growing as a black market solution to higher medical costs. In 2014, 2.3 million people were victims of this kind of fraud and each victim had to pay an average of $13,500 to resolve the problem.

There appears to be a strong connection between the attacks made on Premera and those made on Anthem. In both cases, hackers registered domains with common misspellings of the company’s name and used those sites to collect login information. These usernames and passwords were then used to breach the company at higher and higher levels. These tactics, and several others, point to Chinese hacking group Deep Panda.
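The look-alike domains described above, and the “imposter” sites mentioned earlier for annualcreditreport.com, can be checked for mechanically. This is an added example, not part of the original article: the observed domains are constructed and sit under the reserved `.example` TLD, and the confusable-character table and distance threshold are assumptions.

```python
"""Flag observed domains that resemble a protected domain name."""

# Assumption: a small table of visually confusable sequences; extend as needed.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(label):
    """Normalise a DNS label so visually confusable spellings compare equal."""
    label = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("report" -> "reprot") costs one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(observed, protected, max_distance=2):
    """Return 'exact', 'lookalike' or 'unrelated' for an observed domain.

    `protected` is the organisation's registrable domain, e.g. the
    annualcreditreport.com address given in the article.
    """
    observed = observed.lower().rstrip(".")
    protected = protected.lower().rstrip(".")
    if observed == protected or observed.endswith("." + protected):
        return "exact"
    target = skeleton(protected.split(".")[0])
    # Short names get a tighter budget so unrelated short labels are not flagged.
    budget = min(max_distance, len(target) // 4)
    # Check every label except the TLD, which also catches the real name
    # being used as a subdomain of an unrelated site.
    for label in observed.split(".")[:-1]:
        if osa_distance(skeleton(label), target) <= budget:
            return "lookalike"
    return "unrelated"


def scan(observed_domains, protected):
    """Classify each observed domain against the protected one."""
    return {d: classify(d, protected) for d in observed_domains}


# Constructed observations, e.g. from a proxy log or a new-registration feed.
OBSERVED = [
    "www.annualcreditreport.com",             # the genuine site
    "anualcreditreport.example",              # dropped letter
    "annualcreditreprot.example",             # swapped letters
    "annua1creditreport.example",             # digit 1 standing in for l
    "annualcreditreport.com.verify.example",  # real name as a subdomain
    "weatherforecast.example",                # unrelated
]

if __name__ == "__main__":
    for domain, verdict in scan(OBSERVED, "annualcreditreport.com").items():
        print(f"{verdict:10} {domain}")
```
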

As these groups grow bolder, it’s more important than ever to keep up with your own best practices in medical identity theft prevention. The FTC recommends following these three steps to keep yourself safe:

1.) Watch your medical records

Medical identity theft results in bills to you for procedures done to someone else. Unscrupulous doctors bill insurance companies for procedures they never did or for more costly versions of operations than what they performed. They count on instant reimbursement, knowing the insurance company will try to collect the fraudulent charge from the policyholder. Medical identity theft confounds this process. In other instances, criminals use your identity to get medical treatment and bill it to your insurance, leaving you on the hook for the charges.

These charges will show up in a few places. For instance, you may get a call from a collection agency over a medical bill. You may also have a medical bill arrive in the mail for a procedure you didn’t have. Your insurance company may also notify you of a change in your premium or coverage based on a new medical condition. Each of these is a red flag that you’ve been the victim of medical identity theft.

2.) Review your records

The Health Insurance Privacy Protection Act (HIPPA) requires that healthcare companies keep and maintain detailed records about patient services. You have the right to obtain a copy of those records. In most cases, your best bet will be to contact a major provider of medical services, like a national pharmacy.

You may also need to contact your insurance provider for copies of their records. They have the same record-keeping and disclosure requirements that providers do, but they may charge for the service of providing records. If you can narrow down a window of time during which you suspect your account was compromised, you can save yourself both time and money.

Providers may refuse to comply with your request for disclosure because they fear violating the privacy of the identity thief. Fortunately, an appeals process exists for this decision. You need to contact the person named in the privacy policy as the patient representative or ombudsman. If you are still unsuccessful, you can contact the US Department of Health and Human Services’ Office for Civil Rights.

3.) Get corrections to your records

You can submit requests for corrections to each provider that has charged you for services. Such a request should explain the reason for the error and include documentation that the charge is, in fact, an error. Examples would be proof that you were nowhere near the provider at the time of the charge or a letter from your doctor stating that you have never experienced the condition that was treated.

If your provider refuses to change or reverse the charge, ask them to place a notice of dispute on your account. This notice will show credit agencies that the charge may not reflect your borrowing habits and will help you mitigate the impact of a poor credit score. Such a notice should also stop the collection calls.

This pattern of security leaks means everyone is potentially at risk. You can’t avoid digitizing your health care information. But you can take steps to keep your identity safe. Credit monitoring services can provide you with peace of mind. Knowing you’ve got a team of dedicated professionals watching your back around the clock can help you sleep soundly at night.


New Discoveries In TurboTax Fraud: Keep Informed And Stay Safe!


With the April 15th deadline now visible on the calendar, many Americans are finally sitting down to do their taxes. The good news? A standard return isn’t that hard and there’s still plenty of time to get it done. The bad news? One of the most popular online tax filing services is still compromised.

New reports in the Washington Post describe a new breed of tax fraud using the online platform. Previous attacks would focus on filing fraudulent returns using stolen personal information. Such returns were usually riddled with errors designed to inflate the amount of a potential refund, which would be routed to an account far away.

New attacks seem to have taken a different direction. Criminals use stolen email and password information to amend recently filed returns. The only change they make is the account number into which any refund will be deposited.

While only a few people have been victims of this kind of fraud, investigators are still working with TurboTax to identify the source of the leak. In the meantime, additional security measures have been added to online accounts. New logins will be required to answer credit report style identity verification questions, like former addresses, roommates and employers. So-called “knowledge-based authentication” (KBA) procedures are of suspect value.

Fraudsters with access to personal information can find it remarkably easy to get more. Real estate transaction databases can quickly eliminate possible choices about former addresses. The multiple choice nature of the questions makes it possible to mechanically “crack” the authentication procedure in relatively short order.

To make matters worse, fraudsters are getting better at covering their tracks. According to security blog KrebsOnSecurity, more and more scammers are registering accounts using stolen identity information on IRS.gov. Because IRS.gov accounts aren’t necessary for e-filing, many people never have cause to create one. One thing they are useful for, though, is getting copies of past tax returns. This is a vital step in protesting a fraudulent return.

Scammers have identified this weak point in fraud prevention and begun registering accounts using stolen personal information. This presents one more hurdle in the face of fraud reporting. It also gives scammers more time to take the money and run. Without an IRS.gov account, the IRS is bound by policy not to disclose any information on a tax return to anyone not designated on the return as an approved party. This does mean they’re protecting the privacy of criminals, but there’s little they can do about the policy at this point.

The core of the problem, according to Krebs, is that the IRS uses those same KBA procedures. Sophisticated scammers are increasingly adept at bypassing these procedures. That means one less barrier between them and your money.

If you think you’ve been the victim of tax-related fraud, there are still steps you can take. Read on for three ways you can fight back against tax fraud and get your money back!

1.) Create an IRS.gov account and use a strong password

The current KBA authentication protocol can be broken into relatively easily. If you register your account now, you can create a much stronger password to protect yourself. At time of press, the IRS is not allowing new accounts to be created, but new procedures for account verification are forthcoming.

Once you’ve created your account, use a strong password that includes numbers, letters and symbols. Make it unique to your IRS account to reduce the possibility that your password will be compromised. Once you create your login information, write it down and put it with this year’s tax documents (preferably locked in a safe location). You’ll need it again next year!

2.) Request a copy of this year’s tax return

If you think your information has been used to file a fraudulent tax return, you’ll need a copy of the return to file a dispute. If you can’t get it with an IRS.gov account, you’ll need to get a hard copy. The IRS has a form for this and they’ll charge a small fee for processing.

The form you’re looking for is Form 4506. This will get you a printed photocopy of the return, including all information about refund destination. This may help you track down the stolen money, and it will definitely help you in proving to the IRS that this wasn’t your work.

3.) Beware of ‘Money Mule’ scams

Increasingly, international fraudsters are having difficulty getting the money out of the country. That’s why they turn to Americans who are desperate for a buck. They’ll advertise on sites like Craigslist for “financial processing assistants.” They use your checking account to receive the funds, then you’ll wire or send a portion of the proceeds to another bank. It’s one way of eliminating the paper trail of tax fraud. That’s been the laundering scheme of choice for many tax fraud perpetrators this season.

It’s clearly illegal and very dangerous, but it also makes it possible for scammers to steal money in the first place. Beware of any job solicitation that offers to pay you for your ability to have a checking account. If they were a legitimate business, they could get one all their own and wouldn’t have to pay you for the privilege!

SOURCES:

https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/

"ISIS" Hacks Credit Unions – What You Need To Know


ISIS is the new face of terrorism and the Internet is the next front. Terror organizations use social media to recruit members, spread their messages and plan attacks. That they would also use hacking to evoke fear should come as no surprise.

That appears to be what happened on March 9 this year when visitors to the websites of several credit unions did not see the front page they were expecting. Instead, they saw a black screen with the logo for the Islamic State. Under the image were the words “Hacked by Islamic State (ISIS) We Are Everywhere :)” along with a link to a now-defunct Facebook page.

A closer examination of the defacement suggested to the FBI that this was not the work of the international terrorist group. First, the smiley face at the end of the message does not fit the tone of other messages the group has sent. Second, the targets, which included several small businesses and credit unions, seem out of character for the group. Most of the group’s rage tends to focus on agents and governments it views as occupying territory in the Middle East. Third, the level of damage was relatively low. A sophisticated hacking operation would aim to debilitate or destroy economically or politically important assets. While taking down a credit union’s website for a few hours is certainly disconcerting, the dollar amount that can be applied to the damage is relatively low.

Rather, the FBI suspects this is the work of fairly unsophisticated domestic hackers. The target selection fits more with an attention-seeking group of malcontents. The strategy of website defacement is popular among amateur computer security students seeking to prove their skills or leave a “calling card.” No member data, accounts, or contact information was compromised in the hack and the defacement of the websites has already been reversed.

As with every other security compromise, the possibility that a more serious data breach occurred is not out of the question. In most cases, this breach would involve rigging the website to install malicious software on users’ computers. While it is unlikely, precautions are free and an ounce of prevention is worth a pound of cure when it comes to information security. If you’re concerned about your computer integrity, take the following four steps.

1.) Install, update, and run security software

Using the Internet without antivirus software is like reaching your hand into a medical sharps disposal bin. You’re going to get something and the results won’t be pretty. Several free antivirus programs exist. Popular choices include Panda Security, AVG and Avast.

If you already have antivirus software, you might think you’re covered. Yet, antivirus programs only protect against specific kinds of malicious programming. While they’re certainly the worst of the worst, viruses are only one kind of threat you face on the Internet. You also need an anti-malware program, like MalwareBytes or Spybot. These programs find and remove security threats that, while not quite to the level of viruses, can still compromise your computer.

These programs are still serious threats. Data breaches at Home Depot, Target and others were caused by malware on company computers. Even professional security experts occasionally forget about defending their systems this way.

Once you get the software installed, make sure to keep it updated and run it regularly. The scans usually take between 20 minutes and an hour. That’s all it takes to stay safe from the worst threats.

2.) Change your passwords

It appears unlikely that any user data was compromised in this most recent round of hacks. Still, there’s no reason not to be cautious. Change the passwords you use to log on to major financial websites and any website where you use those same passwords. If you use your Destinations Credit Union password to access your email, change your email password, too.

It’s a good idea to cycle passwords every six months or so anyway. Doing so helps to keep your accounts safe. If you have trouble remembering to do so, consider using a password management service to keep track of your security.

Always choose strong passwords. Four random words with a number on the end is a great way to randomize passwords but keep them somewhat memorable. Just look around your computer area and use the names of the first four objects you see, followed by your birth month. Doing so creates a password that humans can easily commit to memory, but the most powerful computers would take years to crack.

3.) Get a credit score report

You can get a free credit report every year, and it’s a good idea to do so. If you’re planning to buy a house or a car this year, you might want to hold off and use your free report closer to your purchase date. If you don’t have major purchases planned for this year, you can use your free credit score report to check if you’ve been hacked.

Look for accounts you don’t remember opening or large, sudden upswings in debt utilization. These could be signals that someone’s compromised your identity. Call the credit reporting bureau immediately to report suspicious activity.

This alleged ISIS hack is nothing to fear, but it’s worth being cautious all the same. It’s much easier to take preventative action than to regret not having done so. Taking these steps can help ensure you stay safe, no matter what happens.

SOURCES:

http://www.cutoday.info/Fresh-Today/Hackers-Claiming-To-Be-ISIS-Take-Down-CU-s-Site

You Don’t Have An ‘Email Quota’


Scammers will concoct any number of believable-looking lies in pursuit of your personally identifying information. They’ll pretend to be anyone and claim anything to get you scared, anxious and uncertain. They know that’s when you are most likely to make mistakes.

A new circulating scam is a remix of that old con. The Better Business Bureau reports this week on a new malware distribution scheme.

In this scheme, the scammers email you pretending to be from your email service provider (Google, Yahoo, etc.). They’ll tell you you’ve exceeded your email quota or that you have “deferred email.” The email will instruct you to follow a link to retrieve your un-checked email. Other variations of the scheme will tell you that you need to “update your personal information” to continue using your email service, which will require you to click a link to log in.

The link is to a malware download site, and once you click the link, you’ll be infected. The breed of malware will vary from attempt to attempt. Some may only bog down your computer with popup ads and other irritations. Others will root through your browsing history and personal files, looking for account numbers, personal information, and passwords. You may never know you’ve been infected until you get an unexpected credit card collection call.

Some scammers have gotten more sophisticated with the initial pitch, and will include “unsubscribe” or “change notification settings” in the footer of the e-mail. People looking to reduce the amount of unsolicited email they receive might click this link. They would be disappointed to learn that this link will also direct them to malware download sites.

If you’re looking to keep yourself safe from this new threat, here are three steps you can take.

1.) Know your Terms of Service

While there are upper limits on the amount of email your service provider will store for you, unless you’re sending DVDs worth of information regularly, you will never approach that limit. Gmail, for instance, will store around 65 gigabytes of email data for you. This is bigger than the biggest memory card available for your camera. If you received 23 professional-quality photos every day, it would take you a year to exceed your storage limit, assuming you never deleted any of them.

Email service providers also set some limits on the number of emails you can send, but if you’re clicking the send button each time, you’ll never exceed that frequency. These limits are designed to prevent malicious or fraudulent activities, which is why they target automatic message sending. If you’re running a business out of your home, you might worry about tripping this limit. For your personal email, though, this will never be a concern.

If you’re expecting an email regarding a job interview, family news, or other significant life event, be proactive. Contact the person you’re expecting to hear from and ask for an update. Sitting and waiting creates anxiety, which makes an environment ripe for scams.

2.) Don’t follow mystery links

If you receive an email from someone you don’t know, and it contains a hyperlink, don’t click it. Even visiting malicious websites can infect your computer, causing untold damage. Even if the message comes from someone you know, if there’s no context for the link, don’t click it.

You can take steps to figure out if the message you’ve received is legitimate. Look at the “from” line. The message may appear to be from “Google Admin,” but the email address might be googleadmin@freesites.ru (for example). If the second part of the email address (the domain) doesn’t match what you think it should be, it’s probably bogus. If there’s even a shred of doubt in your mind, don’t click.

Part of practicing good Internet hygiene is keeping your computer away from dangerous websites. Even if you think there’s nothing on your computer worth stealing, your computer could be used by scammers to cause serious damage to your friends and family. Stay safe, and keep your friends safe, too.
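The “from” line check described above can be automated by a mail filter. This is an added example, not part of the original article: the brand-to-domain map is an illustrative assumption, and the sample messages are constructed except for the address quoted in the article.

```python
"""Compare the provider a message claims in its From line with its domain."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative map of brand keywords to domains they send from.
# Maintain the real list from each provider's own documentation.
BRAND_DOMAINS = {
    "google": {"google.com", "gmail.com"},
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
    "hotmail": {"hotmail.com", "outlook.com", "microsoft.com"},
}


def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one.

    Matching on a dot boundary rejects 'yahoo.com.account-check.example',
    which merely starts with a trusted name.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from(raw_message):
    """Return (verdict, detail); verdict is one of
    'mismatch', 'consistent', 'no-claim' or 'unparsable'."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, at, domain = addr.rpartition("@")
    if not at or not domain:
        return "unparsable", "From header has no usable address"
    # A provider can be claimed in the display name or in the local part;
    # the article's example does both ("Google Admin", googleadmin@...).
    claimed_text = (display + " " + local).lower()
    claimed = sorted(b for b in BRAND_DOMAINS if b in claimed_text)
    if not claimed:
        return "no-claim", f"{domain} makes no provider claim"
    for brand in claimed:
        if not domain_matches(domain, BRAND_DOMAINS[brand]):
            return "mismatch", f"claims {brand} but was sent from {domain}"
    return "consistent", f"{domain} belongs to {', '.join(claimed)}"


# Constructed sample messages; "article" uses the address quoted in the text.
SAMPLES = {
    "article": (
        'From: "Google Admin" <googleadmin@freesites.ru>\n'
        "Subject: You have exceeded your email quota\n\n"
        "Follow the link to retrieve your deferred email.\n"
    ),
    "suffix_trick": (
        "From: Yahoo Mail <notice@yahoo.com.account-check.example>\n"
        "Subject: Update your personal information\n\nLog in to continue.\n"
    ),
    "genuine_looking": (
        'From: "Gmail Team" <no-reply@accounts.google.com>\n'
        "Subject: Security alert\n\nA new sign-in was detected.\n"
    ),
    "personal": (
        "From: Aunt Carol <carol@family.example>\n"
        "Subject: Photos\n\nSee you Sunday.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, detail = check_from(raw)
        print(f"{name:16} {verdict:11} {detail}")
```

A "consistent" verdict only means the From line does not contradict itself. The From header is set by the sender, so authentication still depends on the SPF, DKIM and DMARC results recorded by the receiving mail server.
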

3.) Report suspicious activity

Email service providers take these scams as seriously as you do. Someone is trafficking in their good name to exploit their customers. They are eager to put a stop to it to keep their brand image safe and their customers happy.

If you have any doubt about the legitimacy of a message, forward it to your provider’s abuse address. Gmail has an option to “Report phishing” in the drop-down menu next to the reply button. Yahoo and Hotmail offer similar functionality. For larger corporations, try forwarding the message to “abuse” or “admin” @ the company’s website – abuse@target.com, for example.

These companies would rather sort through a thousand false positives than let people continue to defraud their customers. They value you because they’re providing you a service. Don’t hesitate to let them know something’s amiss.

For more information about fraudulent practices, visit Destinations Credit Union’s website and take a look in the Fraud Prevention section.


Internet Hygiene – The Best Computer Time Investment You Can Make

Wash your hands after you use the bathroom. Cover your mouth when you sneeze. Brush your teeth daily. These are all basic elements of personal hygiene. We practice them, in part, to minimize the amount of gross stuff that our bodies do, but we also practice them to help protect us from disease.

You might think “Internet hygiene” means wiping down keyboards after you use them and not spilling things on your computer. While these are good habits, there’s another range of behaviors that security experts call “Internet hygiene,” and it can be the difference between a safe and effective Internet and a world of hackers, bots, and identity thieves.

For most people, the beginning and end of cyber-security is a piece of anti-virus software. Imagining that there is nothing on their computer worth stealing, most users don’t take their online security very seriously. Increasingly, that’s exactly the attitude hackers are counting on.

One such recent cyber attack, a malicious worm called Gameover Zeus, infected around 10,000 computers. The worm allowed hackers to remotely control infected computers, using them to launch attacks on major websites. In addition, users frequently found their personal files encrypted. A window created by the worm would inform them that, unless they paid a ransom that sometimes was as much as a few thousand dollars, they would lose access to the contents of their hard drive forever.

How did such a vicious worm spread so quickly? Hackers have gotten better about choosing their targets. It’s easy to find out-of-date software and exploit known structural weaknesses in it to gain control of a computer. From there, it’s a trivial task to create emails that look like they come from the owner of that computer, which makes it easier to infect that person’s friends and family members’ computers.

Security expert Tom Kellermann compares the state of a compromised computer to a neighbor who always leaves the front door to an apartment complex unlocked. Not only can thieves break into the neighbor’s apartment, but they can use their expanded building access to more easily break into other units. If you aren’t maintaining the security protocols on your computer and being vigilant about what links you click, you aren’t just putting your own security at risk. You’re creating a more dangerous Internet for your friends, co-workers, and family, too.

The lesson of Gameover Zeus is pretty simple. Computer viruses spread a lot like human viruses. They infect people who don’t practice good hygiene, then spread to their friends and family. If you wouldn’t sneeze on your hand before pushing buttons on an elevator, don’t practice unsafe internet behaviors.

How can you practice good Internet hygiene? You don’t need to be a tech guru to keep your PC safe. Security experts consistently recommend you take at least these five steps.

1.) Download an anti-virus software program, like AVG or McAfee, and keep it up-to-date. Schedule updates for it to run when your computer is on, and don’t interrupt the process. Do the same thing with an anti-malware program, like MalwareBytes. Tens of thousands of new malicious programs are being created every day. If you’re not regularly updating your security software, you might as well not have it.

2.) Run scans with both your anti-virus and anti-malware software on a weekly basis. Just as people with strong immune systems can still get sick, a Mac computer can still be infected with malicious programs. If you’re on the Internet, you’re at risk.

3.) Do it right away. If your computer gives you a message that it needs to download or install critical updates, do it the first time you see the warning. It’s annoying to stop what you’re doing and restart your computer, but it’s better than having your computer compromised. When IT professionals call something a “critical update,” it usually means it fixes a known software exploit. Make sure the message that pops up is from a trusted source, however. There are malware programs around that use fake “critical update” popups to infiltrate your computer.

4.) Don’t click links that take you to sites you don’t recognize, even if they’re emailed to you by a friend or family member. These emails are frequently generated by bots to keep malicious software spreading. Clicking that link might make you yet another disease vector.

5.) Don’t download, install or run any software you don’t recognize. For these bots to keep spreading, at some point human beings have to authorize them. If you’re installing software you think might be dangerous, you’re putting your computer and the computers of everyone you know in jeopardy.

This might seem like a lot of work, but it’s the price of doing business and living in a digital age. With the convenience of a world of information at your fingertips comes the responsibility to maintain the health of that system. Do your part – install and update security software, and be constantly on guard for threats!


Card Security Breaches: Why They Occur And Who’s To Blame

It seems like there’s another financial disaster at every turn lately. Target’s card databases get hacked. Heartbleed puts your passwords at risk. Home Depot’s credit card numbers are compromised. JP Morgan Chase’s credit information is breached. Shellshock threatens the integrity of the Internet. It’s enough to make you long for the days of the corner store keeping credit on a sheet of graph paper.


To better understand how these things happen, let’s first take a look at the steps involved in a financial transaction. Then, we’ll see where vulnerabilities exist. Finally, we’ll check out a few strategies you can use to keep yourself safe.

When you swipe your debit or credit card at a terminal, the only thing you see is an approval screen. Behind the scenes, the process from the moment you swipe a card to leaving the store with your purchases is complicated. And you want it to be that way. A less complicated process would remove many layers of security.

First, there’s an “authentication” process. The point-of-sale terminal in which you swipe your card reads the card’s information from the magnetic strip, encrypts it, and sends it to a payment processing center. This facility streamlines the data into a format your issuing company can understand and sends it along. Your card network company – Visa, Mastercard, Discover, etc. – validates the legitimacy of the information. You may be prompted for some information, most commonly your billing ZIP code. This is done to help authenticate the card.

Second, there’s the reconciliation process. This is usually done at the end of the day for most retailers. The retailer sends all the day’s receipts to a payment processor, which then sends them to the issuing institution – the credit union, bank, or credit card company. That institution debits its member or customer accounts for the amount of the transaction, then sends that money to the payment processor, which sends it to the retailer.

This is an explanation of how things work in a very simplified example, but it gives you an idea of the complexity that’s involved in the process of paying with a card. While it’s a lot of steps, it’s the best system that the brightest minds in the financial industry could develop. Unfortunately, each step also introduces a layer of vulnerability.

The encryption protocol for card authentication can be busted (that was, in part, what Heartbleed was about). The receipt records a retailer uses for reconciliation can be hacked (like what happened to Target and Home Depot). A bank’s register of accounts can be hacked (as JP Morgan’s was). So many layers of complexity create more possibilities for hackers to compromise sensitive information.

You might notice that there’s only one step in the process that involves Destinations Credit Union or its computer systems. That comes at the very end of the process, when customer records are debited for purchases. In the latter example, the only victim of that theft was a big Wall Street bank. In such cases, the kind of hacking hardware and know-how required to orchestrate such an attack is expensive. Because credit unions are smaller and less centralized, they’re much less likely to be targeted by this kind of attack.

That’s not to say Destinations Credit Union doesn’t take cybersecurity seriously. We keep up-to-date with the latest in computer hardware and software to make sure our members are secure against illegal access. We also have to adapt to a world where everyone else doesn’t follow those same values. That means we have to adjust our security protocols to cover for the failings of other parts of that big, messy system.

We’re all in this together. The convenience of the modern economy makes things better for everybody. If you go on vacation, you don’t have to fuss with traveler’s checks or currency exchange troubles. You can take your debit card or credit card and spend just the same. Electronic record keeping helps financial institutions keep costs down and we all benefit from a growing economy. If we want to keep getting these benefits, we all need to put the work in to make sure our networks are secure. Here are five small tips to make your little corner of the Internet more secure.

  1. Install updates for your computer, tablet, and mobile phone regularly.
  2. Don’t open suspicious e-mails or questionable links.
  3. Don’t install software you don’t recognize.
  4. Monitor your financial statements closely to check for unauthorized activities.
  5. Get an anti-virus program and run it regularly.

If you follow these five steps, you can help make the Internet a safer place for people to share things they love and buy things they need. You can help make sure the big system of merchants, processors, and institutions keeps chugging along while providing benefits to everyone.

How 10 Seconds Of Diligence Can Keep You Safe From Fraud


We’re all bombarded with information. Nowhere is this more true than in our mailboxes, both real and virtual. After all, everyone who wants to get in touch with us has a phone number, social media account and a million other low-cost ways to get in touch. It seems like the only people who send mail anymore are the folks who want to sell us something.

If you treat your mail like most people, you skim through it on your way from the mailbox to the door, stuff it in a mail sorter and promise to deal with it later. Your inbox gets treated the same way. If it’s something from someone you know, you read it, chuckle, and respond. If not, it’s probably safe to ignore.

This is the kind of behavior that identity thieves are counting on. Petr Murmylyuk, a Russian immigrant living in New York, was convicted earlier this year of breaking into a number of online brokerage accounts like Scottrade, E*Trade Financial, Fidelity, and Charles Schwab, among others. His purpose was to initiate trades that moved the price of assets in a complicated combination of identity theft and securities manipulation. He cost his victims more than a million dollars in losses, and he will likely only have to pay about $500,000 in restitution. He didn’t get away with his fraud, but his victims still lost a lot of money.

Imagine if this happens to you. You keep your retirement fund in an online brokerage account. You regularly deposit a few hundred dollars a month and you don’t want to withdraw the money any time soon. So you just log in every so often to make sure your auto payments are being made and check the balance. One day, you check the balance and discover tens of thousands of dollars are just gone.

If you’re counting on your brokerage to reimburse you, you might be waiting a while. Scottrade, for example, “does not cover situations in which … you failed to take reasonable precautions to protect your privacy.” Fidelity, too, specifies the need to ensure that transactions were not made by someone you “allowed” to access your account. Other online brokerage firms have similar policies to protect their own interests over yours.

What can you do to stop it? You already know how to maintain security on your online accounts. Choose strong, complex passwords. Don’t access sensitive websites from public computers. Don’t click links in emails that look suspicious. This is all the same financial personal hygiene you probably already practice.

However, when it comes to online financial accounts, like brokerages and draft accounts, there’s an extra step you need to take. You need to read your statements carefully. Here’s how the process works:

Pick a day each month. Making it the same time each month will help you remember as well as help you establish a reliable control. You don’t need much time, just 20 or 30 minutes. Take care of it while you’re drinking your coffee in the morning.

Go through monthly statements and confirmations for all your accounts. Make sure you or your spouse recognize every transaction that’s been made. Keep an eye out for the following kinds of transactions:

  • Transactions originating in foreign countries or other distant places. Identity thieves will often try to throw you off the trail and avoid prosecution by committing their crimes in distant places.
  • Small transactions. It’s tempting to write off a dollar here or there, but thieves are frequently counting on that tolerance. They’ll use a small transaction to test a stolen credit card or breached account. If they get away with that, they’ll try bigger amounts.
  • If you suspect something is wrong with your security, call the company and ask for a login history. This is a document that lists the dates, times, and locations of every access that’s been made to your account. This should let you know if someone else has gained access. Obviously, if that’s the case, you should change your passwords and let your financial institutions know immediately.

If you notice anything else that’s amiss, call the financial institution immediately. The longer you wait, the more likely it is they’ll conclude it was something you authorized. Even if it’s off business hours, call immediately and leave a message. Starting the process as soon as possible creates a trail that will be useful in the event of a dispute about responsibility. 
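The monthly review described above can also be run over an exported statement. The following is an added example, not part of the original article: it flags charges that originate outside your home country, small charges from merchants you don’t recognize, and a larger charge that follows such a small test charge from the same merchant. The merchant names, the threshold, and the sample statement are constructed for illustration.

```python
from datetime import date

HOME_COUNTRY = "US"   # assumption: where the account holder normally spends
SMALL_CHARGE = 5.00   # assumed cut-off for a "dollar here or there" charge
KNOWN_MERCHANTS = {"CITY UTILITIES", "GROCERY MART", "COFFEE CORNER"}

# Constructed sample statement: (date, merchant, amount, country of origin)
STATEMENT = [
    (date(2024, 3, 2), "GROCERY MART", 84.17, "US"),
    (date(2024, 3, 5), "COFFEE CORNER", 3.75, "US"),
    (date(2024, 3, 9), "QX-ONLINE SVC", 1.00, "US"),
    (date(2024, 3, 11), "QX-ONLINE SVC", 412.50, "US"),
    (date(2024, 3, 14), "HOTEL LUMIERE", 230.00, "FR"),
    (date(2024, 3, 20), "CITY UTILITIES", 61.02, "US"),
]


def review_statement(rows):
    """Return [(date, merchant, amount, [reasons])] for rows worth a call."""
    flagged = []
    tested = set()  # unrecognized merchants that already made a small charge
    for when, merchant, amount, country in sorted(rows):
        reasons = []
        if country != HOME_COUNTRY:
            reasons.append("foreign origin")
        if merchant not in KNOWN_MERCHANTS and amount <= SMALL_CHARGE:
            # A tiny charge is how a stolen card or account gets tested.
            reasons.append("small charge from unrecognized merchant")
            tested.add(merchant)
        elif merchant in tested:
            # The test went unnoticed, so a bigger amount followed.
            reasons.append("larger charge after small test charge")
        if reasons:
            flagged.append((when, merchant, amount, reasons))
    return flagged


if __name__ == "__main__":
    for when, merchant, amount, reasons in review_statement(STATEMENT):
        print(when.isoformat(), merchant, f"${amount:.2f}", "; ".join(reasons))
```

A small charge from a merchant you do recognize, such as the coffee purchase in the sample, is not flagged; the list of known merchants is what keeps the review short.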


Financial Self Defense: Ransomware and Mobile Devices


One moment, you’re surfing the Internet.  A minute later, a pop-up shows your files have been taken hostage and that you’re required to pay a $300 ransom to have them released back to you.  You stare at the screen in disbelief.  How is this possible, especially considering you are on your mobile device?

Ransomware is malware that gets onto your computer system and blocks access to your files until a ransom is paid, all while stealing your payment information. It has become more prevalent among PC users. While these attacks typically focused solely on PCs, they are now adapting to include mobile devices. That’s right, the very same mobile devices you use to access your credit union accounts to check balances, transfer funds and make payments.

One example of Russian-based mobile ransomware is called “Svpeng.” It focuses on tactics for infecting mobile phones and mobile banking applications. It infects the device with a phishing window when the application is opened. This overlay attack is used to steal online banking information as the malware pretends to be the application’s login screen. The user enters login and password information, which is then stolen by the hackers. Once they have access to the account, they can control the account. Svpeng also phishes through Google Play if that is on the mobile device.

This tactic also involves SMS messages being sent to two Russian banks to determine if the phone number of the device is connected to any payment cards.   If a card is indeed connected to a number, the hackers use commands through the device to transfer the victim’s money into their own accounts. While Svpeng has currently been seen only in Russia, it is expected to expand into other countries; one of the features of the ransomware checks the mobile device’s language settings to determine the appropriate language to use for the attack.

As time goes on, other PC-based ransomware programs may also be adapted for mobile devices or more ransomware programs that are specifically designed for mobile devices may be created. Hackers are always looking for ways to evolve their tactics in hopes of stealing more information and making immediate profits.  Svpeng, for example, had 50 modifications to its malware within a three-month period.   

How does this type of malware get onto a PC or a mobile device?  It could be through a “drive-by download” where malicious software is downloaded without the user even knowing about it. This happens as the user surfs the Internet without a care, yet comes across a compromised Web page or clicks to a website through an HTML-based email.   It could have been downloaded through a phishing email, which appears to be from a credit union, yet is a fake email linking to a compromised Web page.  The ransomware could also come through an email attachment that is malicious.

After the infection occurs on the mobile device or PC, the overlay or ransomware tactics are used as was described with Svpeng.   That way the hackers can either directly steal the login and password information when the credit union account is accessed, or the user is blackmailed by a direct ransomware attack to send money to unlock the mobile device.

Many of the ways to keep ransomware from infecting a PC also work on a mobile device. Make sure data on a mobile device is regularly backed up. This will help with recovering information if the device is hijacked. Make sure an antivirus program is running on the mobile device. Follow safe Web browsing habits. Block suspicious emails.

Don’t download data or apps from questionable sources. Don’t “jailbreak” a device where built-in controls and security features are overridden; this removes an additional layer of protection against ransomware attacks.

If you think your mobile device has become a victim of ransomware, you can try to remove it by running a virus scan through mobile antivirus software. Don’t pay any ransom because it won’t guarantee the release of your data and you are giving additional payment information to the hackers.  If none of these work, talk with your mobile device or cellular provider and/or their tech support. Of course, notify your credit union to monitor your accounts for any potentially fraudulent activity.