Internet Safety Tips
Tips to avoid Identity Theft!
April 8, 2014
Risk Alert - Major new security vulnerability dubbed Heartbleed
Gerber FCU has been tested and IS NOT vulnerable.
How to protect yourself from the 'Heartbleed' bug
A major new security vulnerability dubbed Heartbleed was disclosed Monday night with severe implications for the entire Web. The bug can scrape a server's memory, where sensitive user data is stored, including private data such as usernames, passwords, and credit card numbers.
It's an extremely serious issue, affecting some 500,000 servers, according to Netcraft, an Internet research firm. Here's what you can do to make sure your information is protected, according to security experts contacted by CNET:
Do not log into accounts from afflicted sites until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
Some Web sites that appeared to have been affected included Yahoo and OKCupid, though the companies have said their sites are all or partly fixed (see below for details). You can check sites on an individual basis here, though caution is still advised even if the site gives you an "all clear" indication. If you're given a red flag, avoid the site for now.
The natural response might be to want to change passwords immediately, but security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem.
Once you've got confirmation of a security patch, change passwords of sensitive accounts like banks and email first. Even if you've implemented two-factor authentication -- which, in addition to a password asks for another piece of identifying information, like a code that's been texted to you -- changing that password is recommended.
Don't be shy about reaching out to small businesses that have your data to make sure they are secure. While the high-profile companies like Yahoo and Imgur certainly know about the problem, small businesses might not even be aware of it, said TrustWave's Miller. Be proactive about making sure your information is safe.
Keep a close eye on financial statements for the next few days. Because attackers can access a server's memory for credit card information, it wouldn't hurt to be on the lookout for unfamiliar charges on your bank statements.
Even after following these guidelines, there is still some riskiness in surfing the Web in the aftermath of the bug. Heartbleed is even said to affect browser cookies, which track users' activity on a site, so even visiting a vulnerable site without logging in could be risky. The Tor Project, which stresses anonymity and privacy, wrote in a blog post that users with those needs "might want to stay away from the Internet entirely for the next few days while things settle."
Yahoo seems to be the most major Web site to have been vulnerable to the bug (preliminary tests for Facebook, Google, and Twitter's Web sites said they appear to be safe). The company said that it has "successfully made appropriate corrections" to the main Yahoo properties: Yahoo Homepage, Search, Mail, Finance, Sports, Food, Tech, Flickr and Tumblr. Still, a Yahoo spokesperson said the company is still working to make the fix across the rest of the Yahoo sites.
"I encourage users to not log in into [Yahoo] and other services that are affected since the credentials could have been leaked if they used the service," said Jaime Blasco, director of AlienVault Labs, a security research firm. "As soon as Yahoo solves the issue, it will be helpful if users change their password just in case."
Yahoo has been stressing authentication of late, so that the company would be able to provide a more personalized experience to users, a drum CEO Marissa Mayer has been beating almost since she took over the company. Yahoo provides services like email and fantasy sports, requiring passwords to get access to the applications.
The company has already had some trouble in the security arena. In January, the company had to reset the passwords of some email users after an attempted attack on a third-party's database. In response to the Heartbleed bug, some users have already expressed their outrage on Twitter. Brandon Oxford, from Royal, Ark., wrote: "After this I'm officially done with Yahoo email. I've now set up a Gmail. They seem to be more on top of stuff than Yahoo."
Other companies that were said to be affected chimed in as well. Imgur, the photo-sharing site popular with Reddit users, said: "[We] invalidated sensitive data such as cookies and session IDs, just to be on the safe side. We're proceeding with caution, since the nature of the attack makes it hard to detect, but we have no reason to believe it has been used against Imgur." OKCupid said, "The fix is now fully live on OKCupid."
The question in the aftermath of something like this is whether Web companies will reform their security practices. There has been a move toward Perfect Forward Secrecy (PFS) by many of the major Web companies, but not all of them have implemented the practice. PFS means essentially that encryption keys get a very short shelf life, and are not used forever. "People should want their communications to be secure as possible. PFS is one thing they can push for in the future," said Miller.
Source: cnet.com, by Richard Nieva
CNET's Seth Rosenblatt contributed to this report.
Update at 12:00 p.m. on Wednesday, April 9, to change Heartbleed site verification to https://lastpass.com/heartbleed/.
March 31, 2014
Risk Alert - TIGTA Warns of "Largest Ever" Phone Fraud Scam Targeting Taxpayers
The Treasury Inspector General for Tax Administration (TIGTA) has issued a warning to taxpayers to beware of phone calls from individuals claiming to represent the Internal Revenue Service (IRS) in an effort to defraud them.
“This is the largest scam of its kind that we have ever seen,” said J. Russell George, the Treasury Inspector General for Tax Administration. George noted that TIGTA has received reports of over 20,000 contacts and has become aware of thousands of victims who have collectively paid over $1 million as a result of the scam, in which individuals make unsolicited calls to taxpayers fraudulently claiming to be IRS officials.
“The increasing number of people receiving these unsolicited calls from individuals who fraudulently claim to represent the IRS is alarming,” he said. “At all times, and particularly during the tax filing season, we want to make sure that innocent taxpayers are alert to this scam so they are not harmed by these criminals,” George said, adding, “Do not become a victim.”
Inspector General George urged taxpayers to heed warnings about the sophisticated phone scam targeting taxpayers, noting that the scam has hit taxpayers in nearly every State in the country. Callers claiming to be from the IRS tell intended victims they owe taxes and must pay using a pre-paid debit card or wire transfer. The scammers threaten those who refuse to pay with arrest, deportation or loss of a business or driver’s license.
The truth is the IRS usually first contacts people by mail – not by phone – about unpaid taxes. And the IRS won’t ask for payment using a pre-paid debit card or wire transfer. The IRS also won’t ask for a credit card number over the phone.
“If someone unexpectedly calls claiming to be from the IRS and uses threatening language if you don’t pay immediately, that is a sign that it really isn’t the IRS calling,” he said.
The callers who commit this fraud often:
- Use common names and fake IRS badge numbers.
- Know the last four digits of the victim’s Social Security Number.
- Make caller ID information appear as if the IRS is calling.
- Send bogus IRS e-mails to support their scam.
- Call a second time claiming to be the police or department of motor vehicles, and the caller ID again supports their claim.
If you get a call from someone claiming to be with the IRS asking for a payment, here’s what to do:
- If you owe Federal taxes, or think you might owe taxes, hang up and call the IRS at 800-829-1040. IRS workers can help you with your payment questions.
- If you don’t owe taxes, call and report the incident to TIGTA at 800-366-4484.
- You can also file a complaint with the Federal Trade Commission at www.FTC.gov. Add “IRS Telephone Scam” to the comments in your complaint.
TIGTA and the IRS encourage taxpayers to be alert for phone and e-mail scams that use the IRS name. The IRS will never request personal or financial information by e-mail, texting or any social media. You should forward scam e-mails to firstname.lastname@example.org. Don’t open any attachments or click on any links in those e-mails.
Taxpayers should be aware that there are other unrelated scams (such as a lottery sweepstakes winner) and solicitations (such as debt relief) that fraudulently claim to be from the IRS.
Read more about tax scams on the genuine IRS website at www.irs.gov.
Contact: David Barnes (202) 622-3062
Source: Department of the Treasury
February 21, 2014
Risk Alert - You are the First Line of Defense in Reducing Fraud
Be cautious of any company you select to engage in business
When you are contacted by a company or private party through the internet or telephone wanting to do business or sell something, conduct your own independent research. Verify the identity of that company and read over reviews or other information you can find. Make a sound decision on any purchases or dealings with a company that has received negative reviews.
Be cautious when asked to wire money
Be extremely cautious if you are asked to wire money to any person or entity you do not know because it’s nearly impossible to reverse the transaction or trace the money. Again, do research and make sure of the identity of the person or company you are doing business with.
Review your account statements frequently
Fraudsters may have stolen your identity without your knowledge so check your accounts frequently. Dishonest merchants may also take advantage by billing you for “membership fees” each month or other goods or services without your authorization. Contact your credit union or card processor immediately if you see charges you don’t recognize or didn’t authorize.
Consider giving only to established charities in the event of a disaster
Don’t give to an unrecognized charity following a disaster as they could be collecting money for their own purpose or to finance illegal activity. For additional donating tips, check out ftc.gov/charityfraud.
Investments are never a sure thing
Always conduct your own research if someone contacts you with low-risk, high-return investment opportunities. When you are requested to “act now” to reap the benefits from “these guaranteed big profits,” be extremely cautious and report them at https://www.ftccomplaintassistant.gov/#&panel1-1.
Be cautious when buying products online
It’s best to do business with online sites you know and trust. If you buy items through an online auction, consider using a payment option that provides protection, such as a credit card. Do not send money or wire funds to someone you don’t know.
Don’t agree to deposit a check and wire money back.
Members are responsible for checks deposited into their account and if a check turns out to be bogus, the Member is responsible for paying it back. Anyone who overpays with a check and requests that a portion of the funds be returned is almost certainly engaging in fraud.
Don’t respond to emails or messages to provide personal or financial information.
Be extremely cautious when opening a link in an email or responding to any question from a telephone call where personal information is requested. Fraudsters are attempting to trick you into revealing sensitive information. If you received such a message and you are concerned about your account status, call your credit union or the number on the reverse side of your credit or debit card.
If you think you may have been scammed:
- Notify your credit union to report the incident.
- File a complaint with the Federal Trade Commission at http://www.econsumer.gov/
- Visit FTC’s site on identity theft - http://www.consumer.ftc.gov/features/feature-0014-identity-theft
- File a complaint with the FBI at the Internet Crime Complaint Center at http://www.ic3.gov/default.aspx to report the incident.
- If you get what looks like lottery material from a foreign country through the postal mail, notify your local postmaster.
January 3, 2014
Risk Alert - Tips to Members for Stronger Password Security
Here are some tips for making passwords more secure:
- Do not use the same password for multiple accounts.
- Use unique passwords. Do not use passwords on any common password lists, such as SplashData’s annual list of worst Internet passwords.
- Use passwords with a variety of character types (i.e., use passwords that contain upper and lower case letters, numbers and special, non-alphanumeric characters). The more uncommon the combination of letters, numbers and symbols used in a password, the safer it will be.
- Use passwords that are at least eight characters long. The longer the password, the stronger it will be.
- Use password generators to create random passwords.
- Do not use passwords that are based on personal information (e.g., birthday, Social Security number, nicknames, names of family members, etc.).
- Do not use single dictionary words for passwords. Such passwords are susceptible to dictionary attacks.
- Use pass phrases instead of passwords.
- Do not use passwords derived from strings of sequential numbers or letters (e.g., 123456 and qwerty).
- Do not use standard number substitutions (e.g., p455word instead of password).
- Use multifactor authentication when available. Facebook, Google, Microsoft and Twitter all offer multiple layers of authentication.
- Change passwords periodically, especially for major accounts such as those for banking and shopping sites.
- Keep computers and browsers patched, updated and malware free.
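Several of the tips above can be checked mechanically. The following is an added example, not part of the original alert: the short `COMMON` list, the substitution table and the function names are constructed for illustration, and a real check would load a full common-password list.

```python
import string

# Constructed sample list; a real check would load a full common-password list.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}

# Standard substitutions the tips warn about (e.g. p455word -> password).
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s",
                      "0": "o", "1": "l", "3": "e", "7": "t"})

# Sequences scanned for runs: digits, the alphabet, and keyboard rows.
SEQUENCES = ["0123456789", string.ascii_lowercase,
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of a known
    sequence, read forwards or backwards."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def check_password(pw, common=COMMON):
    """Return the list of tips the password violates (empty if none)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    # Upper case, lower case, digits and special characters must all appear.
    classes = [any(c.islower() for c in pw),
               any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < 4:
        problems.append("missing a character type")
    low = pw.lower()
    if low in common:
        problems.append("on a common password list")
    elif low.translate(LEET) in common:
        # Undo the usual digit-for-letter swaps before the list lookup.
        problems.append("standard number substitution of a common password")
    if has_sequence(pw):
        problems.append("contains a sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "p455word", "Tr!ckle-Vase92;moth"):
        print(candidate, "->", check_password(candidate) or "no problems found")
```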
December 13, 2013
Risk Alert - Avoiding Common Scams this Christmas Season
The Better Business Bureau (BBB) serving Chicago and Northern Illinois has compiled a list of common scams to be aware of this year. “Vigilance is the word” this shopping season, whether you are shopping online or in stores, according to Steve J. Bernas, President and CEO of this BBB.
Keeping your eyes and ears open will help identify potential scams that are taking place and you may be able to avert a personal loss.
According to the BBB, consumers / members should be wary of the following potential holiday-oriented scams:
- Dear Santa Websites – Parents should pay close attention to websites their children visit to avoid those that lure children into divulging too much personal information.
- Recalled toys – Shoppers should make themselves aware of what toys have been recalled. While they may have been removed from store shelves, that may not be the case for online sites.
- Hot Holiday Gifts – There are thousands of new items introduced at Christmas, especially electronics. Consumers should be suspicious of any deal that offers merchandise at extremely low prices and should verify the offer with the retailer involved.
- Fake FedEx/UPS emails – Be wary of unexpected urgent emails from a shipper that request money or personal and/or financial information for the delivery of a package.
- Phony E-Tailers – Finding those treasures online is easy but you must be careful in selecting which site to shop. Fake e-commerce sites lure buyers with great deals, collect credit/debit card and other personal information and no products are ever delivered. If you are shopping a site for the first time check other users’ reviews and verify that the phone number and other information provided on the site is legitimate.
- Fake Charities – Don’t ever give money to any charity without first verifying their validity. If the organization needs the money today, they will need it tomorrow – legitimate charities have no problem answering your questions and waiting for your donation.
- Bogus Gift Cards – Gift cards are easy and, for many people, the perfect gift. Be careful buying gift cards online or from third parties. It is best to make your purchase from the official retailer.
- Layaway plans – To avoid feeling scammed by a layaway plan, be sure to closely examine all terms and conditions. In some cases retailers charge up-front fees, and if you fail to make a payment you may lose the fee you paid and be charged a “restocking” fee.
- Dangerous e-cards – E-cards are a quick and easy way to say thank you or send a holiday greeting but you need to use caution because some may be malicious and contain spyware or viruses.
- Identity Theft – Use caution while shopping online. Look for third party “trust seals” such as the BBB. And make sure you know with whom you are doing business.
The Better Business Bureau urges consumers to follow these rules to help avert losses:
1. Stay suspicious
2. Practice safe surfing
3. Practice safe shopping
4. Use strong passwords
5. Be careful when clicking
6. Educate yourself
7. Update your computer’s virus protection program
April 30, 2013
Risk Alert - "Wire transfer canceled"? Watch out for spammed-out malware attack
On April 30, 2012, Graham Cluley, a computer security industry veteran who writes for Sophos’s award-winning Naked Security site, warned of a new malware attack in the report reprinted below:
“If you've received an email in your inbox telling you that your wire transfer has been cancelled, take care - as it's the latest attempt by online criminals to infect the general public's Windows computers.
Brits (as opposed to Americans) probably won't be as likely to be duped by the spammed-out messages which use the US spelling of "canceled" in the subject line, and claim to come from the Federal Reserve.
The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error,
please send e-mail to email address including the entire contents and subject of the message.
It will be reviewed by staff and acted upon appropriately
Attached to the emails is a file called PAYMENT RECEIPT 30-04-2013-GBK-75.zip which Sophos products detect as containing the Troj/Zbot-EVX Trojan horse, designed to hijack your computer and - potentially - plunder your finances and steal private information.
Of course, the danger is that unsuspecting computer users will open the malicious email attachment even if they haven't recently tried to wire some cash.
The social engineering trap used in this attack takes advantage of people's natural curiosity, which - in many cases - will drive them to investigate the file even if alarm bells should be ringing.
Up-to-date anti-virus software and software patches can help protect your computer, but the real lesson that internet users need to learn is to not be so trusting of unsolicited emails that arrive out of the blue in their inbox.”
May 5, 2011
Malicious Software Features Osama Bin Laden Links to Ensnare Unsuspecting Computer Users
According to consumer protection officials, that email you receive purporting to have photos and videos showing Osama Bin Laden’s death could cost you dearly. This email could contain a virus that targets personal information and addresses stored on your computer and opening that information could set in motion malicious software that will attack your computer.
The FBI’s Internet Crime Complaint Center (IC3) urges computer users to not open unsolicited (spam) e-mails, including clicking links contained within those messages. Even if the sender is familiar, the public should exercise due diligence. Computer owners must ensure they have up-to-date firewall and anti-virus software running on their machines to detect and deflect malicious software.
The IC3 recommends the public do the following:
- Adjust the privacy settings on social networking sites you frequent to make it more difficult for people you know and do not know to post content to your page. Even a “friend” can unknowingly pass on multimedia that’s actually malicious software.
- Do not agree to download software to view videos. These applications can infect your computer.
- Read e-mails you receive carefully. Fraudulent messages often feature misspellings, poor grammar, and nonstandard English.
- Report e-mails you receive that purport to be from the FBI. Criminals often use the FBI’s name and seal to add legitimacy to their fraudulent schemes. In fact, the FBI does not send unsolicited e-mails to the public. Should you receive unsolicited messages that feature the FBI’s name, seal, or that reference a division or unit within the FBI or an individual employee, report it to the Internet Crime Complaint Center at www.ic3.gov.
By: Jay A. Slagel, Vice President - Risk Management / Claims Cell Phone: 608-213-2816 email@example.com
March 11, 2011
Tips On Avoiding Fraudulent Charitable Contribution Schemes
Recently several natural disasters, including tornadoes, floods, and earthquakes, have devastated lives and property. In the wake of these events that have caused emotional distress and great monetary loss to numerous victims, individuals across the nation often feel a desire to help these victims, frequently through monetary donations.
These disasters prompt individuals with criminal intent to solicit contributions purportedly for a charitable organization or a good cause. Therefore, before making a donation of any kind, consumers should adhere to certain guidelines, to include the following:
- Do not respond to unsolicited (SPAM) e-mail.
- Be skeptical of individuals representing themselves as officials soliciting via e-mail for donations.
- Do not click on links contained within an unsolicited e-mail.
- Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
- To ensure contributions are received and used for intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.
- Validate the legitimacy of the organization by directly accessing the recognized charity or aid organization's website rather than following an alleged link to the site.
- Attempt to verify the legitimacy of the non-profit status of the organization by using various Internet-based resources, which also may assist in confirming the actual existence of the organization.
- Do not provide personal or financial information to anyone who solicits contributions: providing such information may compromise your identity and make you vulnerable to identity theft.
If you believe you have been a victim of a charity-related scheme, contact the National Center for Disaster Fraud by telephone at (866) 720-5721, or by fax at (225) 334-4707, or by e-mail at firstname.lastname@example.org. You can also report suspicious e-mail solicitations or fraudulent websites to the Internet Crime Complaint Center at www.IC3.gov.
The National Center for Disaster Fraud (NCDF) was originally established by the Department of Justice to investigate, prosecute, and deter fraud in the wake of Hurricane Katrina. Its mission has expanded to include suspected fraud from any natural or man-made disaster. More than 20 federal agencies, including the FBI, participate in the NCDF, allowing it to act as a centralized clearinghouse of information related to relief fraud.