Breached Security, Breached Trust: Yahoo’s Leak And What It Means For You


It seems like the bigger they are, the harder they fall. At least, that’s the lesson some security experts are taking away from the latest revelations about Yahoo’s serious security breach. More than 500 million Yahoo accounts have been compromised, according to the latest reports. As a result, the company is facing a civil suit for gross negligence in allowing an unknown group of assailants to steal login information from a large contingent of its users.
The security breach, which began in 2014, was limited to username and password information for Yahoo’s various sites, including webmail, news and fantasy sports services. Fortunately, no financial information is believed to be included in the stolen data. Still, there’s reason to be concerned if you’re a user of one of Yahoo’s sites.
The stolen data
This breach, thought to be the largest of its kind, was confined to usernames and passwords for Yahoo services. It was discovered after FBI officials detected hackers attempting to sell the personal information of Yahoo users. Would-be buyers find value in this information for several reasons.
First, stealing an email account can be a first step to identity theft. By taking command of an email address, a thief can access password retrieval services at websites linked to that email. For example, a hacker could gain access to a Yahoo account, then use password retrieval to gain access to online shopping, banking and even employment or government accounts.
Second, thieves can use what’s called “credential stuffing.” Many people recycle username and password combinations across several services. Thieves take advantage of this by trying stolen usernames and passwords at other common sites. Think of it like finding a locker combination on the ground and trying it on every locker in the hallway. This strategy works, on average, for about 0.5% of stolen information. With 500 million possible options, though, that still represents a lucrative payday for the thief.
While Yahoo has been attempting to get in contact with victims, sorting through a breach of this size takes a lot of time and energy. It’s safest to assume that all Yahoo login information was stolen. If you do use or have used a Yahoo site for any services, assume it’s compromised. Fortunately, two of Yahoo’s most popular platforms, Tumblr and Flickr, were unaffected by the breach.
Steps you should take
The first step after any breach like this one is to change passwords. Even if you don’t have a Yahoo account, it’s not a bad idea to use events like these as reminders. For high-security accounts, like your primary email address, credit cards, brokerages and online banking, change passwords every 6 months, regardless of their safety. If you have a Yahoo account, you’ll need to change that password right away. And of course, if you use your Yahoo password at other sites, you’ll want to change those as well.
If you use a Yahoo account to access your finances, consider changing the email address connected to those accounts, as well. The service provider may have been negligent in protecting information in this instance, and there is no telling what other security vulnerabilities still exist in their systems. While it may be a hassle to change accounts, it may be worth it for peace of mind.
Another less examined aspect of the data breach is security questions. Questions and answers used in the password reset process may have been compromised, too. If you use information like your favorite author, book or sports team to secure multiple accounts, that data could also be at risk. Worse yet, this data is frequently unencrypted, since it represents only one part of the password reset process. This means it may be widely available.
If you use the same personal information question(s) at multiple websites, now is a good time to review and change that information. Wherever possible, switch to a two-step authentication method. These processes use your cellphone number as a backup password option. If you try to reset your password, the service will call or text you with a code to use as a verification method. It puts another step between potential thieves and your information.
Finally, this is a good time to check your credit. This information has been leaking since 2014, so it’s possible you could already be a victim of identity theft. Getting a credit report will let you know if any new accounts have been opened using your personal information. Similarly, this might be a good time to consider a credit monitoring service. Such services keep an eye on your credit periodically, and can help protect against identity theft.
YOUR TURN: Have you been burned by Yahoo or in another security breach? What did you do to keep yourself safe? Let us know in the comments!


Q&A: Google and Cybersecurity

Google had a good day in mid-July. It’s safe to say it had a better day than you did, even if your day was fantastic. The company set a record for the largest single-day increase in value in the history of American investing at nearly $67 billion, breaking the previous record held by Apple.  Google did well enough that if it wanted to relax with a weekend of video games, movies, and pulp novels, it could simply buy Nintendo, Loews, and Barnes and Noble with the money it made just in that one day.
That day was less enjoyable for Google’s customers, though. As investors were thrilled by YouTube’s growth, Gmail users were beset by faulty spam filters which hid so many legitimate emails that Linux founder Linus Torvalds took to an online op-ed to call out the tech giant. The misstep was a rare occurrence from Google, but considering it followed a much-ballyhooed revision to its Gmail platform, it was worrisome for many. When considered in the context of major hacks of the U.S. government and infidelity website Ashley Madison this summer, the Gmail problems had people wondering what security Google has in place for the largest privately held collection of Americans’ data.
Don’t leave your cyber security in doubt. We’re here to answer your questions about your online safety. 
Question: Everyone is always going on and on about online security, but nothing has ever happened to me. Should I even care? What’s the worst that could happen? 
Answer: If you’ve never paid attention to your Internet security and never had a security problem, you’re probably fine. You clearly have a rabbit’s foot offering you magical protection from scammers, spammers, spoofers, and identity thieves. Or maybe you have been compromised and just don’t know it yet.
If black hats get their hands on your machine, there’s no telling what they could do. In some cases, you’re looking at spyware and malware that’s merely annoying. In others, your personal and financial information could be compromised. You might even have had your identity stolen. Online security is crucial, and you really can’t be too careful.
Question: I don’t have Gmail. I use Outlook. I don’t use Android. I have an iPhone. I’m good, right?
Answer: Internet security is like a 1980s slasher flick: The instant you let down your guard, something bad is going to happen. No, you’re not safe and Google isn’t bad at security. They’re actually pretty good at it.  Their cyber security task force is responding to the perception of a problem, not an actual problem.
Conversely, consider the products offered by Apple: Apple is slow to offer security updates for OS X and sometimes bizarrely laconic when it comes to iOS apps. While Google and Microsoft update their iOS apps every two weeks or so, Apple often waits months. Apple also doesn’t support security updates for older versions of OS X, so if you’re still running Snow Leopard or anything older, Apple stopped updating security on your machine last year, leaving about 1 in 5 users behind. When El Capitan comes out this fall, it will likely mean that security updates will end for machines still using Mountain Lion.
Question: How do I know if my security is up to date? 

Answer:  Every reputable piece of software you use, on your computer or on the Web, should allow you to view your security settings.  If you can’t find your security settings, Google it or look for help on the site.  If you still can’t find your security settings, consider using different software. 
Question: What do I do if I think something fishy is going on with my account information? 
Answer: For our members, let Destinations Credit Union know right away. The sooner we know, the sooner we can protect your important financial information. You may have your credit or debit card information stored at your favorite shops and you don’t want anyone to mess with your cards. After you’ve gotten in touch with us, get in contact with whoever is in charge of the site where you have suspicions. See what they recommend. It may be a good idea to notify the police. Anyone who has access to your online profile is likely to have your home address, too.
Now is a really good time to protect yourself.  Update your password for all of your main accounts and any others you can think of.  Don’t write your password down, try not to make it obvious, and try to keep your passwords separate.  It may be a lot of work, but it will pay off in peace of mind.


Mobile Banking – 4 Ways To Stay On Top Of Your Finances While On The Go

Most people have a checklist they go through before they leave the house. Is the stove turned off? Are the doors locked? Do I have my wallet, my keys and my cellphone? The only thing that has changed about that process in the last few years has been the addition of that last item on the list.

Today, 91% of Americans have cellphones and 61% of them have smartphones. This is a remarkable change from even two years ago. More than half of the people you see every day are carrying a computer that dwarfs the most powerful computing technology that was available a decade ago. It’s also connected to all of the world’s information, literally at our fingertips. What do we use it for? Drawing moustaches on our selfies and tossing wingless birds at shoddily made pig housing.

If you’d like to use your smartphone for more sophisticated purposes, plus add a ton of convenience and peace of mind to your life, consider mobile banking. With a couple of taps, you can access a whole suite of financial information. Let’s look at four scenarios where mobile banking can save you some time … and even some money. 

1.) Say goodbye to security woes 

Despite all of the data breaches that have been in the public eye over the past few years, no one has figured out how to compromise mobile devices as a platform. Security leaks have affected PCs, Macs and point of sale terminals, but no widespread security vulnerability has compromised mobile banking. Despite the fear, mobile banking is actually a fundamentally secure platform.

The first reason for this is the plurality of platforms. You and your neighbor may not be able to share cellphone chargers, much less apps or other experiences. This diversity makes it difficult for a single vulnerability to affect many users. Since there’s less possibility of large scale attacks, hackers have very little incentive to dedicate time toward trying to compromise mobile platforms.

The second reason for this is the tight control placed on mobile devices. Because these devices have to send regular usage information back to your mobile provider, they tend to be far less prone to modification. There’s just not as much you can do to an iPhone or an Android as you can to a PC. While some users might override those protections, such modifications are not widespread enough to justify attempted infiltration.

Mobile banking is secure and safe. Data transmitted from your cellphone to your provider is heavily encrypted. If you lose your phone, it can be remotely deactivated and passwords usually aren’t stored on the device. 

2.) You can check your balance any time 

Rather than waiting for your statement every month or booting up that slow PC for checking your account balances online, you can view transactions while waiting for a bus or in line at a restaurant. You can stay vigilant against illegal account access any time you’ve got your phone and a spare few seconds.

The convenience of mobile banking can also keep you from making costly mistakes. If you know funds may be running tight, check your account balance while in the checkout line to make sure you can cover the cost of your purchases. You can see if your monthly rent check has been withdrawn from your account to avoid the costly fees associated with overdrafting. It’s easier than ever to keep track of your finances.

You can also help to prevent errors with mobile banking. Accidental overpayment, duplicate payments and other errors are a regrettable reality of the modern high-speed economy. By regularly checking your account statement, you can catch these pesky problems before they turn into big issues. 

3.) It’s where you’ll find the next big thing 

Mobile payments and mobile check depositing are becoming more widely available and are already being used in many places. As technology gets better, these functions will become cheaper, faster and even more widespread. Getting involved in mobile banking on the ground floor will help you stay up to speed with this rapidly evolving world.

Imagine getting turn-by-turn walking directions to your nearest ATM. You could get alerts when new houses are listed for sale along your daily commute. You might pay for your breakfast by signing a receipt on your phone.  These and other changes are coming and they are only the beginning. If mobile banking doesn’t do something you need, wait six months. Someone will probably find an app for that. 

4.) 24-hour-a-day instant access 

Do you ever wake up in the middle of the night in a panic because you can’t remember if you paid your electric bill? Ever have a tiny freakout on the bus because you suspect someone may have accessed your account? Are money worries preventing you from enjoying your vacation? If you have these concerns and are nowhere near your computer, you could just suffer through them.

As an alternative, though, you could use a mobile app to check your balance and transaction history. See if your monthly bills have cleared. Make sure your balance is safe. You can do all of this any time you’ve got your phone, day or night.

Mobile banking won’t replace traditional, face-to-face interaction. There will always be a place in the credit union service standards for the human interaction. What mobile banking apps offer is a wonderful supplement to those high-quality services. Space-age convenience, top-level security, and blissful peace of mind are all available from your pocket, anywhere in the world. 


"ISIS" Hacks Credit Unions – What You Need To Know


ISIS is the new face of terrorism and the Internet is the next front. Terror organizations use social media to recruit members, spread their messages and plan attacks. That they would also use hacking to evoke fear should come as no surprise.

That appears to be what happened on March 9 this year when visitors to the websites of several credit unions did not see the front page they were expecting. Instead, they saw a black screen with the logo for the Islamic State. Under the image were the words “Hacked by Islamic State (ISIS) We Are Everywhere :)” along with a link to a now-defunct Facebook page.

A closer examination of the defacement suggested to the FBI that this was not the work of the international terrorist group. First, the smiley face at the end of the message does not fit the tone of other messages the group has sent. Second, the targets, which included several small businesses and credit unions, seem out of character for the group. Most of the group’s rage tends to focus on agents and governments it views as occupying territory in the Middle East. Third, the level of damage was relatively low. A sophisticated hacking operation would aim to debilitate or destroy economically or politically important assets. While taking down a credit union’s website for a few hours is certainly disconcerting, the dollar amount that can be applied to the damage is relatively low.

Rather, the FBI suspects this is the work of fairly unsophisticated domestic hackers. The target selection fits more with an attention-seeking group of malcontents. The strategy of website defacement is popular among amateur computer security students seeking to prove their skills or leave a “calling card.” No member data, accounts, or contact information was compromised in the hack and the defacement of the websites has already been reversed.

As with every other security compromise, the possibility that a more serious data breach occurred is not out of the question. In most cases, this breach would involve rigging the website to install malicious software on users’ computers. While it is unlikely, precautions are free and an ounce of prevention is worth a pound of cure when it comes to information security. If you’re concerned about your computer integrity, take the following four steps.

1.) Install, update, and run security software

Using the Internet without antivirus software is like reaching your hand into a medical sharps disposal bin. You’re going to get something and the results won’t be pretty. Several free antivirus programs exist. Popular choices include Panda Security, AVG and Avast.

If you already have antivirus software, you might think you’re covered. Yet, antivirus programs only protect against specific kinds of malicious programming. While they’re certainly the worst of the worst, viruses are only one kind of threat you face on the Internet. You also need an anti-malware program, like MalwareBytes or Spybot. These programs find and remove security threats that, while not quite to the level of viruses, can still compromise your computer.

These lesser threats are still serious. Data breaches at Home Depot, Target and others were caused by malware on company computers. Even professional security experts occasionally forget about defending their systems this way.

Once you get the software installed, make sure to keep it updated and run it regularly. The scans usually take between 20 minutes and an hour. That’s all it takes to stay safe from the worst threats.

2.) Change your passwords

It appears unlikely that any user data was compromised in this most recent round of hacks. Still, there’s no reason not to be cautious. Change the passwords you use to log on to major financial websites and any website where you use those same passwords. If you use your Destinations Credit Union password to access your email, change your email password, too.

It’s a good idea to cycle passwords every six months or so anyway. Doing so helps to keep your accounts safe. If you have trouble remembering to do so, consider using a password management service to keep track of your security.

Always choose strong passwords. Four random words with a number on the end is a great way to randomize passwords but keep them somewhat memorable. Just look around your computer area and use the names of the first four objects you see, followed by your birth month. Doing so creates a password that humans can easily commit to memory, but the most powerful computers would take years to crack.

3.) Get a credit score report

You can get a free credit report every year, and it’s a good idea to do so. If you’re planning to buy a house or a car this year, you might want to hold off and use your free report closer to your purchase date. If you don’t have major purchases planned for this year, you can use your free credit score report to check if you’ve been hacked.

Look for accounts you don’t remember opening or large, sudden upswings in debt utilization. These could be signals that someone’s compromised your identity. Call the credit reporting bureau immediately to report suspicious activity.

This alleged ISIS hack is nothing to fear, but it’s worth being cautious all the same. It’s much easier to take preventative action than to regret not having done so. Taking these steps can help ensure you stay safe, no matter what happens.


Q & A: Anthem’s Data Breach And What You Need To Know



Q: I keep hearing about Anthem being a hacking target. What happened and am I at risk?

A: Anthem Inc., the second-largest health insurer in America, was targeted in a major security breach over the last month. New reports suggest hackers have been trying to compromise the company’s systems for months and may have been inside their system since December. According to the company, 80 million Anthem customers may have had their names, Social Security numbers and addresses compromised.

This is a unique event in the recent history of cybersecurity. Previous hacks, like those affecting Home Depot or Target, were attacking hardware. Hackers were exploiting vulnerabilities in computer hardware and software to gain access to confidential data. Here, the company is reporting that hackers had a different target: company employees.

Anthem reports that, beginning in December, hackers acquired login credentials of five employees. The employees could have been victimized by malware or social engineering scams. The hackers trying to beat Anthem didn’t need to find a flaw in the computer infrastructure. Instead, they just had to find a weakness in the people operating those systems.

Once they had these credentials, hackers used their access to do two things. First, they breached the company databases. Once inside, they exposed addresses, dates of birth, employment history, employment information, income data, medical IDs, names and Social Security numbers. Particularly noteworthy is the fact that payment information was not compromised. That means there’s no need to cancel credit cards that were used to pay Anthem bills yet. Second, hackers created a number of phony email accounts with Anthem domains.

There are two ways victims might be affected by this scam. First, they might have their personal information stolen. This group exclusively consists of current and former Anthem customers. Given the timing of the hack, this will likely result in fraudulent tax returns and possibly other instances of identity theft.

The second wave of victims is only just now emerging. The fake email accounts have been used to send wave after wave of “phishing” attacks to Anthem customers. These attacks take the form of an email apology with an offer for a year of free credit monitoring. Recipients of the email are redirected to another website to enter their Social Security number and other personally identifying information. This information is then used to commit any of a smorgasbord of identity theft crimes.

Anthem is currently being sued in several states. One lawsuit alleges current and former Anthem subscribers were misled about the security of their personal information and is seeking unspecified damages from the provider in overpaid premiums. Another pending lawsuit is seeking damages resulting from the frauds themselves. Until these lawsuits are settled, Anthem will likely not make any public statement of responsibility or apology, as this could be viewed by the courts as an admission of guilt. At this time, Anthem is offering no free credit monitoring service nor has it made any statement to members outside the press.

If you’re an Anthem subscriber, there are a few steps you should take as soon as possible. To find out if you’re an Anthem subscriber, check your insurance card. If you’re part of a group plan at work, you may need to ask your HR representative if your plan is administered through Anthem. In the meantime, take these three steps.

1.) File your taxes.

This will be one way to check if your Social Security number has been compromised. The state of Connecticut is encouraging their citizens to file early if they’re Anthem customers so hackers using stolen Social Security numbers will be easier to detect.

2.) Put a fraud alert on your credit report.

Contact any one of the three major reporting bureaus (Experian, Equifax, or TransUnion) and explain your worries. A fraud report on one account will create a fraud report on all three, so there’s no need to duplicate your efforts. This report will notify you if anyone attempts to open an account in your name during the next 90 days. If you’re absolutely sure your number has been compromised, it might be worth putting a freeze on your credit history. This will prevent anyone from checking your credit or from opening up any account in your name, including you. While drastic, this measure is a sure-fire way to keep yourself safe.

3.) Get proactive with government services.

Notify the Social Security Administration and the Internal Revenue Service of the possible fraud to ensure that no one attempts to file a change of address form in your name. The US Postal Service also maintains a similar service. These steps will ensure that you’ll at least get a paper trail if someone makes an attempt to steal your identity.

Anthem is maintaining a toll-free question line. Customers with concerns or fears should call 877-263-7995. They have also created a website – www.AthemFacts.com – with up-to-date information about the scope and severity of the breach. They have made it clear that future contact with customers affected by the breach will be made by mail.
 

You Don’t Have An ‘Email Quota’


Scammers will concoct any number of believable-looking lies in pursuit of your personally identifying information. They’ll pretend to be anyone and claim anything to get you scared, anxious and uncertain. They know that’s when you are most likely to make mistakes.

A newly circulating scam is a remix of that old con. The Better Business Bureau reports this week on a new malware distribution scheme.

In this scheme, the scammers email you pretending to be from your email service provider (Google, Yahoo, etc.). They’ll tell you you’ve exceeded your email quota or that you have “deferred email.” The email will instruct you to follow a link to retrieve your un-checked email. Other variations of the scheme will tell you that you need to “update your personal information” to continue using your email service, which will require you to click a link to log in.

The link is to a malware download site, and once you click the link, you’ll be infected. The breed of malware will vary from attempt to attempt. Some may only bog down your computer with popup ads and other irritations. Others will root through your browsing history and personal files, looking for account numbers, personal information, and passwords. You may never know you’ve been infected until you get an unexpected credit card collection call.

Some scammers have gotten more sophisticated with the initial pitch, and will include “unsubscribe” or “change notification settings” in the footer of the e-mail. People looking to reduce the amount of unsolicited email they receive might click this link. They would be disappointed to learn that this link will also direct them to malware download sites.

If you’re looking to keep yourself safe from this new threat, here are three steps you can take.

1.) Know your Terms of Service

While there are upper limits on the amount of email your service provider will store for you, unless you’re sending DVDs worth of information regularly, you will never approach that limit. Gmail, for instance, will store around 65 gigabytes of email data for you. This is bigger than the biggest memory card available for your camera. If you received 23 professional-quality photos every day, it would take you a year to exceed your storage limit, assuming you never deleted any of them.

Email service providers also set some limits on the number of emails you can send, but if you’re clicking the send button each time, you’ll never exceed that frequency. These limits are designed to prevent malicious or fraudulent activities, which is why they target automatic message sending. If you’re running a business out of your home, you might worry about tripping this limit. For your personal email, though, this will never be a concern.

If you’re expecting an email regarding a job interview, family news, or other significant life event, be proactive. Contact the person you’re expecting to hear from and ask for an update. Sitting and waiting creates anxiety, which makes an environment ripe for scams.

2.) Don’t follow mystery links

If you receive an email from someone you don’t know, and it contains a hyperlink, don’t click it. Even visiting malicious websites can infect your computer, causing untold damage. Even if the message comes from someone you know, if there’s no context for the link, don’t click it.

You can take steps to figure out if the message you’ve received is legitimate. Look at the “from” line. The message may appear to be from “Google Admin,” but the email address might be googleadmin@freesites.ru (for example). If the second part of the email address (the domain) doesn’t match what you think it should be, it’s probably bogus. If there’s even a shred of doubt in your mind, don’t click.

Part of practicing good Internet hygiene is keeping your computer away from dangerous websites. Even if you think there’s nothing on your computer worth stealing, your computer could be used by scammers to cause serious damage to your friends and family. Stay safe, and keep your friends safe, too.

3.) Report suspicious activity

Email service providers take these scams as seriously as you do. Someone is trafficking in their good name to exploit their customers. They are eager to put a stop to it to keep their brand image safe and their customers happy.

If you have any doubt about the legitimacy of a message, forward it to your provider’s abuse address. Gmail has an option to “Report phishing” in the drop-down menu next to the reply button. Yahoo and Hotmail offer similar functionality. For larger corporations, try forwarding the message to “abuse” or “admin” @ the company’s website – abuse@target.com, for example.

These companies would rather sort through a thousand false positives than let people continue to defraud their customers. They value you because they’re providing you a service. Don’t hesitate to let them know something’s amiss.
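The “from” line check from step 2, as an added Python example (not part of the original article). The brand-to-domain table and the function names are assumptions for illustration; the first sample header is the article's own googleadmin@freesites.ru case and the rest are constructed.

```python
from email.utils import parseaddr

# Assumed table: brand keyword -> domains that brand legitimately sends from.
# Illustrative only; a real deployment maintains its own list.
BRAND_DOMAINS = {
    "google": {"google.com", "gmail.com"},
    "gmail": {"google.com", "gmail.com"},
    "yahoo": {"yahoo.com"},
}


def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a real subdomain of one.

    The match is anchored on a dot, so 'notgmail.com' and
    'yahoo.com.freesites.ru' do not pass as 'gmail.com' or 'yahoo.com'.
    """
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_sender(from_header):
    """Compare the brand a From header claims with the domain it came from.

    Returns (verdict, reason) where verdict is 'suspicious', 'consistent'
    or 'unknown' (no brand from the table is claimed).
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("suspicious", "no parseable sender address")
    local, _, domain = addr.rpartition("@")

    # A brand is "claimed" if it shows up in the display name or in the
    # part of the address before the @ (e.g. googleadmin@...).
    claimed = [b for b in BRAND_DOMAINS
               if b in display.lower() or b in local.lower()]
    if not claimed:
        return ("unknown", "no known brand claimed")

    for brand in claimed:
        if not domain_matches(domain, BRAND_DOMAINS[brand]):
            return ("suspicious", f"claims {brand} but sent from {domain}")
    return ("consistent", f"{domain} belongs to the claimed brand")


if __name__ == "__main__":
    samples = [
        '"Google Admin" <googleadmin@freesites.ru>',        # from the article
        "Google Accounts <no-reply@accounts.google.com>",   # constructed
        "Yahoo Mail <alerts@yahoo.com.freesites.ru>",       # constructed
        "Gmail Team <support@notgmail.com>",                # constructed
        "Aunt Carol <carol@example.org>",                   # constructed
    ]
    for header in samples:
        print(header, "->", check_sender(header))
```

A "consistent" verdict only means the header is not obviously bogus; the From line itself can be forged, so it is not proof that the message is genuine.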

For more information about fraudulent practices, visit Destinations Credit Union’s website and take a look in the Fraud Prevention section.



Hackers Develop New Attack Method: Charities


It’s around this time of year that most charitable organizations run their biggest fund-raising drives. In so doing, they’re getting millions of contributions from many new contributors. Yet while they must make it as easy as possible for folks to donate, their limited personnel are overworked, making it difficult to thoroughly review all credit card authentication data.

Meanwhile, another group is working some holiday overtime too: Internet scammers. Because many consumers are shopping for goods they don’t usually buy, fake websites pop up, taking advantage of this inexperience to harvest payment information. The biggest challenge is sorting out the real sites from the fake or canceled ones. These two problems may have more in common than you think.

A new report by security firm PhishLabs unveils a shocking new strategy for solving that hurdle. Hackers use a chat-based program to transmit credit card information to make a small donation. If the transaction is successful, the program confirms the data the hacker supplied is legitimate.

In essence, hackers are using charities as a trial run for stolen credit card numbers. To understand what this means for you, let’s look at how the authentication process works, why charities are ideal targets, and how to keep yourself safe.

Authentication explained

Before you make an online transaction, the retailer will take some steps to verify your identity. You provide a credit card number, a security code and some other information. The form might ask for your billing address or ZIP code, for example. The idea is to keep your account safe by requiring several authentication factors. It works fairly well at frustrating casual scammers.

That’s why this bot is so useful to cyber-criminals. It can check data in low-risk, easily concealable ways. The operators of these services charge would-be scammers a fee in “credits.” Scammers earn these credits by paying for them or by performing a variety of “services” for the operator’s criminal enterprise.

By making a small donation to a charity, the bot can check to see if the information a scammer stole works. These donations are usually between $1 and $5 to one of a selected range of charitable organizations. If the payment sends, the scammer is free to use the information to buy other, more expensive goods.

Why charities?

Charities are the perfect target for this kind of operation. They use the same authentication strategies as every other business, but they seldom have the resources to investigate fraud. They also want to make it as easy as possible for people to donate. This means they use static donation website names and don’t use anti-bot software like Captcha. This makes them easy for a program to target.

Charities are also good targets because they have little at stake in stopping fraud. Defrauding a retailer leaves the retailer out the goods it sells. A fraudulent credit card used to buy a TV leaves the seller of that TV responsible for replacing the TV. Nothing like that exists for a charity. The donation amounts are usually minuscule, so their loss won’t seriously affect budgets.

Finally, charities are good targets because they are innocuous. Average consumers are more likely to overlook small charges to charitable organizations. They might think of them as contributions they made without thinking about it.

Protecting yourself

If you take all the usual measures to keep your identity safe online, this shouldn’t be much of an issue for you. If you think your information might have been stolen, though, consider taking the following steps:

1.) Watch for oddly specific amounts that have been sent to charities in your statement. Neither you nor your partner would give $4.48 to a charitable organization.

2.) Be preemptive in your giving. Donate to charities where you’ve done your research and only give to those that align with your values. Keep a list of charities you support and check your statement for any organization not on that list.

3.) Report these charges immediately both to your card issuer and to the charity on your statement. They can use a variety of indicators to track other fraudulent charges and catch other scammers in the act.
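Steps 1 and 2 above can be run as a check over an exported card statement. The following is an added example, not part of the original article; the CSV column layout, the merchant names and the sample rows are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample statement (not real data): date, merchant, category, amount.
SAMPLE_STATEMENT = """date,merchant,category,amount
2016-12-01,Grocery Mart,groceries,84.17
2016-12-03,Hope Relief Fund,charity,4.48
2016-12-05,Local Food Bank,charity,50.00
2016-12-09,Global Aid Network,charity,1.00
2016-12-12,Hope Relief Fund,charity,250.00
2016-12-15,City Animal Shelter,charity,25.00
"""

# The list of charities you actually support (step 2); names are made up.
SUPPORTED_CHARITIES = frozenset({"local food bank", "city animal shelter"})

# The article reports test donations of between $1 and $5.
TEST_CHARGE_MAX = Decimal("5.00")


def flag_charity_charges(statement_csv, supported=SUPPORTED_CHARITIES):
    """Return (row, reasons) pairs for charity charges worth a second look."""
    flagged = []
    for row in csv.DictReader(io.StringIO(statement_csv)):
        if row["category"].strip().lower() != "charity":
            continue
        amount = Decimal(row["amount"])  # Decimal avoids float rounding on cents
        reasons = []
        if row["merchant"].strip().lower() not in supported:
            reasons.append("charity not on your list")
        if amount <= TEST_CHARGE_MAX:
            reasons.append("small amount typical of a card test")
        if amount % 1 != 0:
            reasons.append("oddly specific amount")
        if reasons:
            flagged.append((row, reasons))
    return flagged


if __name__ == "__main__":
    for row, reasons in flag_charity_charges(SAMPLE_STATEMENT):
        print(row["date"], row["merchant"], row["amount"], "->", "; ".join(reasons))
```

Anything this flags is a candidate for step 3: report it to the card issuer and to the charity named on the statement.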

Beating this scam requires care and vigilance, just like every other scam. You need to know where your money’s going and be careful with where you make your payments. Don’t shop at websites you don’t know and trust, and don’t give out credit card information to anyone you don’t know. Check your statements regularly and report any suspicious activity.

How 10 Seconds Of Diligence Can Keep You Safe From Fraud


We’re all bombarded with information. Nowhere is this more true than in our mailboxes, both real and virtual. After all, everyone who wants to get in touch with us has a phone number, social media account and a million other low-cost ways to get in touch. It seems like the only people who send mail anymore are the folks who want to sell us something.

If you treat your mail like most people, you skim through it on your way from the mailbox to the door, stuff it in a mail sorter and promise to deal with it later. Your inbox gets treated the same way. If it’s something from someone you know, you read it, chuckle, and respond. If not, it’s probably safe to ignore.

This is the kind of behavior that identity thieves are counting on. Petr Murmylyuk, a Russian immigrant living in New York, was convicted earlier this year of breaking into a number of online brokerage accounts like Scottrade, E*Trade Financial, Fidelity, and Charles Schwab, among others. His purpose was to initiate trades that moved the price of assets in a complicated combination of identity theft and security manipulation. He cost his victims more than a million dollars in losses, and he will likely only have to pay about $500,000 in restitution. He didn’t get away with his fraud, but his victims still lost a lot of money.

Imagine if this happens to you. You keep your retirement fund in an online brokerage account. You regularly deposit a few hundred dollars a month and you don’t want to withdraw the money any time soon. So you just log in every so often to make sure your auto payments are being made and check the balance. One day, you check the balance and discover tens of thousands of dollars are just gone.

If you’re counting on your brokerage to reimburse you, you might be waiting a while. Scottrade, for example, “does not cover situations in which … you failed to take reasonable precautions to protect your privacy.” Fidelity, too, specifies the need to ensure that transactions were not made by someone you “allowed” to access your account. Other online brokerage firms have similar policies to protect their own interests over yours.

What can you do to stop it? You already know how to maintain security on your online accounts. Choose strong, complex passwords. Don’t access sensitive websites from public computers. Don’t click links in emails that look suspicious. This is all the same financial personal hygiene you probably already practice.

However, when it comes to online financial accounts, like brokerages and draft accounts, there’s an extra step you need to take. You need to read your statements carefully. Here’s how the process works:

Pick a day each month. Making it the same time each month will help you remember as well as help you establish a reliable control. You don’t need much time, just 20 or 30 minutes. Take care of it while you’re drinking your coffee in the morning.

Go through monthly statements and confirmations for all your accounts. Make sure you or your spouse recognize every transaction that’s been made. Keep an eye out for the following kinds of transactions:

  • Transactions originating in foreign countries or other distant places. Identity thieves will often try to throw you off the trail and avoid prosecution by committing their crimes in distant places.
  • Small transactions. It’s tempting to write off a dollar here or there, but thieves are frequently counting on that tolerance. They’ll use a small transaction to test a stolen credit card or breached account. If they get away with that, they’ll try bigger amounts.
  • If you suspect something is wrong with your security, call the company and ask for a login history. This is a document that lists the dates, times, and locations of every access that’s been made to your account. This should let you know if someone else has gained access. Obviously, if that’s the case, you should change your passwords and let your financial institutions know immediately.

If you notice anything else that’s amiss, call the financial institution immediately. The longer you wait, the more likely it is they’ll conclude it was something you authorized. Even if it’s off business hours, call immediately and leave a message. Starting the process as soon as possible creates a trail that will be useful in the event of a dispute about responsibility. 


Financial Self Defense: Protect Yourself Against Pinterest Scams

Social media is an ideal place to relax and find people who share your interests. Sites like Pinterest are great for keeping your recipes and projects organized. They’re also a great way to keep up with the people in your life who you don’t see every day.

Scammers have recognized these sites as ideal places to strike. A Better Business Bureau report from March 27, 2014 reveals that scammers have found a way to use Pinterest. They sell counterfeit products, push dubious work-from-home schemes, and fish for your personal information.

 
The scam works like this: you receive an e-mail that a friend has shared a “pin,” which is what the site calls its scrapbook items. This link looks legitimate, complete with a headline and a realistic photo.

You open the e-mail and click the link, which directs you to a fake login site that looks like the Pinterest login page. You log in with your user name and password, which are then stored in the scammer’s database. They can use this information to commandeer your other social media accounts. Then, they can spread the scam to all your friends, providing the ideal environment for continued growth of the scam.

Worse yet, they can use the information you’ve stored on your social media profiles as part of a social engineering scheme. Efficient hackers can use the information in your profile to pretend to be you for financial transactions. Gaining control over your social media accounts is a first step toward identity theft.

It seems that the price of recreation is eternal vigilance. Even in the parts of the Internet that seem devoted to relaxing and unwinding, you must always be on your guard against identity theft. Here are some steps the Better Business Bureau recommends you take to avoid getting pinned in a social media scam.

Watch where you log in

Check the web address every time you log into social media sites. It should always be pinterest.com or twitter.com or the trusted web address of your intended social media destination. If there’s another word, or if there are a bunch of jumbled letters in there, it’s a sure sign that someone is fishing for your password. Close the link immediately.

Also, practice good net hygiene. Log out of your social media accounts when you’re not using them, and don’t share your password with anyone. Keep your social media accounts separate and use different passwords for each. This will prevent scammers from accessing several accounts if one of them gets hacked.
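The web-address check described above comes down to reading the host name of the link, not the text that merely appears somewhere in it. The following is an added example, not part of the original article; the sample links are constructed, use reserved example domains, and the check for internationalized look-alike hosts goes slightly beyond the cases the article lists.

```python
from urllib.parse import urlsplit

# Sites the user actually logs in to; taken from the article's own examples.
TRUSTED_LOGIN_DOMAINS = frozenset({"pinterest.com", "twitter.com"})


def login_host_verdict(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return ('trusted' | 'suspicious', reason) for a login link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ("suspicious", "link has no host name")
    if parts.username is not None:
        # Everything before '@' is ignored by the browser; the real site follows it.
        return ("suspicious", "text before '@' is a decoy; real host is " + host)
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "internationalized look-alike host")
    for domain in trusted:
        # Exact match or a true subdomain; 'pinterest.com.evil.tld' does not qualify.
        if host == domain or host.endswith("." + domain):
            return ("trusted", host)
    return ("suspicious", "host " + host + " is not a trusted domain")


# Constructed sample links; example.net is a reserved documentation domain.
SAMPLE_LINKS = [
    "https://www.pinterest.com/login/",
    "https://pinterest.com.login.example.net/",   # trusted name used as a prefix
    "https://pinterest.com@login.example.net/",   # trusted name before '@'
    "https://pinterrest.com/login/",              # extra letter
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", login_host_verdict(link))
```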

See something, say something

Legitimate social media platforms hate scammers just as much as you do. They know that you’ll only keep using their service if you trust it. You can use the “report this” link to let the administrators of the site know that something’s amiss with the pin or page. They can investigate and close it down before it spreads further.

If you see a friend sharing something that seems out of character or suspicious, let them know. They may have been hacked without knowing it. Be a good friend and let them know so they can take steps to protect themselves.

Be security conscious

Choose complex passwords that include numbers, letters, and punctuation. Try to avoid using dictionary words. You can use names of streets, companies, or celebrities to get a password that’s easier to remember but harder to crack.

You should change your password at least every six months. If you develop two or three strong passwords, you can rotate between them to make sure no one is sneaking into your account. If you suspect your account has been compromised, change your password immediately!

With a little bit of added security, you can continue to enjoy all the benefits of social media. So go ahead and share your wedding plans, your house remodel, or your arts and crafts. Just be careful what you share from others and pay attention to what you click on in your email inbox. You never know who might be on the other side.

Heartbleed: What It Is and How You Can Protect Yourself


If you’ve been keeping an eye on the news this week, you’ve no doubt heard about “Heartbleed,” a security vulnerability in one of the most popular pieces of encryption software on the web. Some security experts are describing this as the biggest security breach in Internet history. Before we start lining bunkers with concrete, let’s look at what Heartbleed is, who it affects, and what you need to do in response.

Heartbleed? What’s that?

Heartbleed is the nickname given to a security vulnerability in OpenSSL. OpenSSL is a popular online encryption library. The vulnerability allows hackers to find the secret codes that websites use to identify themselves. These codes allow hackers to translate information that a computer sends to a website. Without them, this information would appear as indecipherable gibberish.

The worst part about this vulnerability is the fact that it’s been around for two years and there’s no way to know whether it’s been used on a particular service. Security experts have only discovered and informed the public about the flaw over the past few days.

It’s unlikely that this exploit was common knowledge before. The brightest minds in online security work for large, multinational corporations, charged with keeping data safe. Still, hackers could have compromised passwords, e-mail accounts, user names, and other personally identifiable information. That’s a significant concern.

Who was affected by Heartbleed?

The biggest problem areas are Yahoo Internet services. If you use Yahoo e-mail, play Yahoo Fantasy Sports games, or use Tumblr, your password(s) may have been compromised. Some Google services, like Gmail and Google Drive, were also vulnerable. Social media sites like Twitter and Facebook may have been, too. If you filed your taxes through TurboTax or USAA, your data may have been vulnerable. The good news: Most online financial services use other modes of encryption and were not vulnerable.

The threat in this case isn’t just in the fact that someone could gain access to your e-mail. The real problem is that most people use a small collection of passwords for most services. Hackers know this and will therefore use those user names and passwords on other, more lucrative services.

What can you do about it?

Understand, first, that the odds of any one password being released through this leak are small. This is an exploit that only a small number of the brightest minds in computing could find. There is no cause for panic, and this bug does not mark the end of the Internet.

If you use one of these services, change your password, both on these services and other services where you’ve used the same password. Pick a new password that is easy to remember and strong. Follow the same good password rules you always have to keep your data safe. Whether the services you use are identified as part of this breach or not, it would be wise to go ahead and swap out the old passwords for new passwords that are, again, strong and considerably different from what you had previously used.

Developers have released a new version of OpenSSL without the vulnerability in it. There is no need to change your online behavior. The services named above have all patched their encryption software to avoid this problem. You should have no less confidence in online shopping and banking than you did last week.

In the future, it makes good security sense to use a unique password for each site or service you access. Part of the reason Heartbleed has become such a big deal is the fact that it exposed a weak link in the system. Your passwords are only as secure as the least secure means you use to store them. Using more passwords and multiple variations of them helps keep your personal information safe and secure. It avoids putting your finances in the same security system as your social media.