Security

Posted September 9, 2014

Home Depot Breach

ATLANTA, September 8, 2014 -- The Home Depot®, the world's largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores. There is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.

While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised.

Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware and protect customer data. The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. Customers who wish to take advantage of these services can learn more at http://www.homedepot.com and https://homedepot.allclearid.com/ or by calling 1-800-HOMEDEPOT (800-466-3337). 

 
Posted June 16, 2014

Hackers Exploit CryptoLocker Fears

Cyber gangs have launched a massive phishing campaign to exploit the fear generated by the recent CryptoLocker news announcements. The scam offers "decryption keys for CryptoLocker". The utility can be downloaded, and claims it will unlock any files encrypted by CryptoLocker. However, as you might have guessed, it's a scam.

If an unsuspecting user downloads it, a fake registry cleaner is installed which falsely claims that there are lots of registry problems. And of course, it claims the only way these can be solved is by buying the product.

This is clearly an attempt to exploit the news coverage of both CryptoLocker and GameOver Zeus. This type of scam will escalate for sure, and more dangerous viruses will be marketed as CryptoLocker file decrypters. Don't fall for this scam! 

Posted April 18, 2014

Heartbleed Update

Do I need to change any passwords due to Heartbleed?

Here is a link to a list of popular websites and their Heartbleed status: Mashable's Heartbleed List. Use this link to check whether you need to change passwords on any vulnerable sites you may use. If the site is in the process of being patched, do not visit it until after it is patched, and then change your password. If you change your password for a vulnerable site now, it could still be compromised and you will have to change it again after the site has been patched.

Rest assured that First Federal’s online banking sites never used OpenSSL and are not vulnerable.

 

Posted April 15, 2014

Credit Card Text Message Alert

Some of our customers have reported receiving a text message stating that “Your Visa has been temporarily deactivated – Please call our Card Service 24 hr. line at 206-212-0255.”

This is a scam designed to get you to divulge account information. It is not a legitimate Visa notification, and was not sent by First Federal.  If you should receive such a text message, do not reply to the text or call the number in the message. Ignore the text message.

With the increase in fraud, it is always good practice to monitor your accounts regularly for any abnormal activity.

 

Posted April 11, 2014

Heartbleed Bug Update 

No doubt by now you have heard about the widespread web server vulnerability called “Heartbleed” that has been in the news. We have verification from our online banking providers that First Federal’s online banking websites for both consumer and business banking are not vulnerable to this bug.

 First Federal is continuing to research the possible impact of the Heartbleed bug and taking appropriate action to ensure that there is no impact to our customers.

 

What can you do? Because this vulnerability is so widespread, one or more of your passwords at various websites may have been compromised. Make sure you are not using the same password across multiple websites on the internet. Use strong passwords and always use a unique password for online banking and e-commerce sites.


Last Updated April 10, 2014
Scam Of The Week

Microsoft XP

I'm sure you know that next week, April 8th, Microsoft will stop supporting Windows XP, which means they will stop distributing security updates for XP for free. You can still get them but have to pay through the nose. For the vast majority of us, when another security bug is found in XP after April 8th (a certainty), that bug cannot be patched anymore, and the workstation that runs XP will be very easy for the bad guys to get into. Microsoft on their website states: "PCs running Windows XP after April 8, 2014, should not be considered to be protected."

What most of you may -not- know, is that the bad guys have been hoarding XP zero-day vulnerabilities, patiently waiting for next week, so that they can either use them or sell them. There are estimates that there are now hundreds of known holes that are waiting to be exploited. This IS something to be worried about. The least you can do is give end-users that still run XP some effective security awareness training, and I have 9 other things you can do to secure XP, see the link below.

Despite Microsoft's continuous warnings, Redmond does not see a stampede toward Win7 or 8. David Rodger, commercial lead for the Windows Business Group at Microsoft, said there was no sense of "panic" from firms about moving off XP. He stated: "We’re not seeing a stampede. Many organizations will have looked at this from a ‘T-minus’ perspective and are probably now seeing their plans come together."

So now, if you are stuck with XP, here are 10 things you should do to make sure it's not going to be a cakewalk for the bad guys to penetrate your network. It's already easy enough. My business partner Kevin Mitnick is always happy to hear that a penetration-test customer has XP running in their network, as that makes his job that much faster. Here is the link to the KnowBe4 blog:
http://blog.knowbe4.com/bid/377532/sticking-with-winxp-10-things-you-must-do

 

You Owe Taxes

This scam uses a combination of phishing emails and spoofed Caller ID scam calls. The scammers intimidate the victim, threatening arrest, deportation or loss of a business or driver's license.

The Treasury Inspector General for Tax Administration this week issued a warning about it. "This is the largest scam of its kind that we have ever seen," said J. Russell George, the Treasury Inspector General for Tax Administration. Over 20,000 victims have collectively paid more than $1 million as a result of the scam.

Scammers claiming to be from the IRS tell people they owe taxes and must pay using a pre-paid debit card or wire transfer. The truth is that the IRS usually first contacts people by mail - not by phone - about unpaid taxes. Here are some Red Flags you need to watch out for:

  • The callers use common names and fake IRS badge numbers.
  • The perpetrators know the last four digits of your Social Security Number.
  • Caller ID looks like it is the IRS calling.
  • The criminals send bogus IRS e-mails to support their scam.
  • Many fraudsters call a second time claiming to be the police or Department of Motor Vehicles, and the caller ID again supports their claim.

The IRS recently warned consumers of this and other ongoing scams that tend to peak during tax season when many taxpayers could be on edge. The scams come in many variations, including calls in which the victims are told they owe money or are entitled to a huge refund. More at Treasury.gov: http://www.treasury.gov/tigta/

 

"You may have cancer" phishing email

If you recently had a blood test (and many of us have)... beware!

"Cybercriminals have hit a new low. They’re telling users they might have cancer just to trick them into installing a piece of malware on their computers." The email is being sent as part of a phishing campaign that uses the excellent reputation of the United Kingdom’s National Institute for Health and Care Excellence (NICE). The malicious notifications carry the subject line "IMPORTANT: blood analysis results" and come from a spoofed email address.

Now, you might think the UK is far away so this does not concern you. Think again. The UK is often used as a test bed by the Russian cyber mafia, and you will see this in the U.S. in the near future, if it hasn't already arrived. The phishing emails over here will likely come from a spoofed email at Healthcare.gov, or providers like Blue Cross Blue Shield or Aetna and read something like this:

"We have been sent a sample of your blood analysis for further research. During the complete blood count (CBC) we have revealed that white blood cells is very low, and unfortunately we have a suspicion of a cancer. We suggest you to print out your CBC test results and interpretations in attachment below and visit your family doctor as soon as possible."

The PDF file that’s attached to the emails is not a CBC test result, but a double extension file (it ends with dot pdf dot exe) and will install malware on your workstation. At the time of writing, only 14 of the 50 antivirus products detect the file as being malicious. STOP LOOK and THINK before you click!
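A mail-filtering check for the double-extension attachment described above, as an added example that is not part of the original notice. The extension lists, addresses, file names and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs or hands to a script host when opened (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar", "lnk"}
# Extensions a recipient reads as "just a document": the decoy half of the name.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def double_extension(filename):
    """Return (decoy, real) if the name ends in <document>.<executable>, else None."""
    # Normalise case, surrounding whitespace and trailing dots before comparing.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:          # need at least base + decoy + real extension
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and report attachments with a deceptive name."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():     # walk() also reaches nested multipart containers
        fname = part.get_filename()
        if not fname:
            continue
        hit = double_extension(fname)
        if hit:
            findings.append({
                "filename": fname,
                "decoy": hit[0],
                "real": hit[1],
                # What the sender claims the part is; a mismatch with the
                # real extension is a second signal worth logging.
                "declared_type": part.get_content_type(),
            })
    return findings


def build_sample():
    """Constructed test message: one deceptive attachment, one benign one."""
    msg = EmailMessage()
    msg["From"] = "results@lab.example"
    msg["To"] = "user@example.org"
    msg["Subject"] = "IMPORTANT: blood analysis results"
    msg.set_content("Please see the attached results.")
    msg.add_attachment(b"placeholder bytes, not a real file",
                       maintype="application", subtype="pdf",
                       filename="CBC_results.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder",
                       maintype="application", subtype="pdf",
                       filename="statement.2014.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample()):
        print("QUARANTINE %(filename)s: looks like .%(decoy)s, runs as .%(real)s "
              "(declared %(declared_type)s)" % f)
```

A name such as `statement.2014.pdf` is not flagged because only the final extension decides how Windows opens the file.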

Posted March 5, 2014

National Consumer Protection Week 2014

Five Key Tips From the FDIC for National Consumer Protection Week

No matter your age or stage in life, it’s important to have as much information as possible to effectively manage your money and avoid financial frauds and scams. That’s why, in observance of National Consumer Protection Week 2014 (March 2-8), the FDIC will post information about a specific topic each day on the agency’s web site, along with links to helpful FDIC Consumer News articles, to encourage discussion and provide tips about what you need to know to save and protect your money.
 

Click here to view the 5 key tips posted daily.

The goal of FDIC Consumer News is to deliver timely, reliable and innovative tips and information about financial matters, free of charge. To find current and past issues of FDIC Consumer News, visit www.fdic.gov/consumernews.

 

Posted March 4, 2014

Hotmail Email Account Scam

Cybercriminals are trying to trick Hotmail users into handing over their credentials with fake emails that claim to come from "The Microsoft account team." The emails, analyzed by researchers from Malwarebytes, inform recipients that their Hotmail account is upgraded to Outlook.

The scam claims their Hotmail Account has expired and that due to a new system upgrade to Outlook they need to follow the link, sign in and re-activate their account.

The email address is spoofed and the link points to a website whose owners are probably not aware of the fact that they’ve been hacked.

 

Posted February 27, 2014

Important Security Announcement for Computers Running Windows XP

Microsoft will no longer provide support for computers running Windows XP after April 8, 2014.

Microsoft provides current operating systems with regular security updates. After April 8, 2014, they will stop providing these updates for computers running the Windows XP operating system. If your computer is running on Windows XP, and you use it to access the internet, it is highly recommended that you consider upgrading your computer before the April 8th deadline. Upgrading your computer will ensure that you are provided with access to the latest updates from Microsoft necessary to protect it from malware and other vulnerabilities that can potentially compromise the information stored or accessed on that computer.

You can click here to see what version of Windows you are using:

http://windows.microsoft.com/en-us/windows/which-operating-system

Using Windows XP after April 8, 2014 puts your computer and your personal information at risk. Your personal computer security is your responsibility. First Federal encourages all users of Windows XP to consult with a computer professional for upgrade options as soon as possible, or alternatively, replace the computer with a new one. 

 

Posted January 29, 2014

Credit Card Fraud Alert - $9.84

News agencies are issuing fraud alerts following consumer complaints of a $9.84 charge appearing on credit cards. We encourage you to closely monitor all your credit card activity and confirm the charges.

Credit card scam artists believe that many cardholders will ignore small dollar amounts listed on their credit cards. If you do see a charge for $9.84 that you cannot verify, please contact your credit card provider immediately: you can then request a new card and place a fraud alert on your credit file.

Please click on the links below to read more information. 

Finance Yahoo News
USA Today News

 

Posted January 24, 2014

Target Debit Card Fraud

In mid-December Target Stores announced that they experienced a data breach. It is believed that as many as 40 million debit and credit cards used at their stores and 70 million customer data records have been compromised.  Target has been active in reaching out to all their affected customers. Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. For additional information, please visit the link below to view their latest updates.
 
 
First Federal’s Commitment to You, Our Customer:
  • In late December, First Federal was notified of customers who shopped at Target during the data breach time period and those customers were issued new cards.
  • Please be assured that our Customers are protected from any loss related to debit card fraud by Regulation E.  This Regulation provides 100% protection and zero liability to customers for any unauthorized transactions in events such as these. 
  • We continue to monitor accounts for unusual activity and will alert you of any suspicious activity. 
  • There has been some discussion in the media regarding the safety of using your card as “credit” versus “debit”. However, when card data is breached, there is no difference.
  • We will periodically update this site as additional information becomes available. Your safety and peace of mind is important to us.
  • We encourage you to review the recommendations below. We have also provided a link to our security tips for good advice on how to keep your information safe and secure.
 
FIRST FEDERAL recommends the following to help keep your information safe:
 
1) Watch your account closely for any suspicious activity. If you see any transactions that are fraudulent, please call us at 360/417-3204. If you have online banking, you can check your account whenever and as often as you would like.
2) You can set up balance alerts to receive notification of any unexpected changes in your account.
3) If you are one of our customers affected by the Target breach, we encourage you to enroll in the free year of credit monitoring and identity theft protection that Target is offering.
4) We know that customer education is the first line of defense against these scams and have compiled the following tips and resources to help in this education process. Below are some of the valuable resources available to you via our First Federal website.
 
Important Tip – “Phishing” Education:
 
There has been a worldwide increase in phishing scams. Phishing refers to criminal activity that attempts to fraudulently obtain sensitive information, such as your social security number, driver’s license, credit card and/or bank account information. We know that customer education is the first line of defense against these scams and have compiled the following tips and resources to help in this education process. 
 
  • Please do NOT respond to any email that directs you to update your personal information by dialing a telephone number. Only use the customer service number that is listed on the back of your credit/debit card.
  • Phishing scam artists try to replicate the look and feel of the company they are scamming. Be sure to check the website address and the “look and feel” of the information being sent. Does the email ask you to do something that seems unusual or ask you to provide personal information? When in doubt, please contact the sender to confirm. Our Contact Center is available to take your phone call (360) 417-3204 Monday-Thursday 8:00 am to 5:30 pm, Friday 8:00 am to 6:00 pm, and Saturday 9:00 am to 1:00 pm.
  • Below are additional resources available to you via our First Federal website.
 
 

October - National Cyber Security Awareness Month

This year marks the tenth anniversary of National Cyber Security Awareness Month, sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.

5 Ways to Protect Your Small Business
7 Tips for Protecting Yourself Online
8 Tips to Protect Your Identity
10 Ways to Protect Your Mobile Device

  

Frequently Asked Security Questions about online banking.

Q I'm still hesitant about banking online. Can other people see my account information?

A Your account information is just as secure as it is at our physical brick and mortar bank. We've taken every step possible to be sure our system meets the latest security standards, including using the latest security encryption methods and software.

Q What about filling applications out online? How secure is that?

A Filling out applications online is as secure as the Online Banking System. Your entire session, from beginning to end, is encrypted. Our system supports 128-bit encryption, so you can also use the latest browser from Netscape or Microsoft that supports this security level. In fact, the highest encryption Netscape and Microsoft browsers support is 128-bit, so you will be using the highest bit encryption currently available if you use a 128-bit encryption capable browser.

Q I keep hearing a lot about encryption. What exactly is it, and why does it make everything more secure?

A Encryption is basically a way to rewrite something in a code which can then be decoded later with the right key. The encryption we use employs a mathematical process for the key which is made up of a certain number of bits (hence, 128-bit encryption). The higher the number of bits, the better the encryption. While using our Online Banking System, all communication from you to the system and from the system to you is encrypted using a maximum of 128 bits. In other words, when you send information to the system, your browser encrypts it using a 128-bit key, then sends it to the system. The system then decodes the information you sent it using the key (which is predetermined when your Online Banking session is started) and processes it.

Q What about information that is stored? Is it encrypted as well?

A Information stored on our system is also encrypted using at least 128 bits.

During the course of the day you may write a check, charge tickets to your favorite event, mail your bills, call home, or apply for a credit card. Normally you wouldn't give these transactions a second thought. But someone else may.

The age of information technology has created a new line of crooks called identity thieves. With each transaction, you may share personal information: your credit card number, account number, social security number, name, address, and phone numbers. An identity thief may capture this information without your knowledge and commit fraud or theft. And you may not even know it until months later.

How do thieves get your information?

They use a variety of methods such as:

  • Stealing wallets and purses containing identification and credit and bank cards.
  • Stealing mail, including bank and credit card statements, pre-approved credit offers, new checks, or tax information.
  • Rummaging through your trash, or the trash of businesses or dumps in a practice known as "dumpster diving."
  • Stealing credit and debit card numbers as your card is processed by using a special information storage device in a practice known as "skimming."
  • Completing a "change of address form" to divert your mail to another location.

Once they have your personal information they may:

  • Go on a spending spree using your credit and debit card numbers to buy "big-ticket" items like computers that can easily be resold.
  • Open a new credit card account, using your name, date of birth, and Social Security Number. When they don't pay the bills, the delinquent account is reported on your credit report.
  • Take out auto loans in your name.
  • Establish phone or wireless service in your name.
  • Create counterfeit checks or debit cards, and drain your bank account.
  • Give your name to the police during an arrest. If they are released and don't show up for their court date, an arrest warrant could be issued in your name.
     

How can you tell if you are a victim?

Monitor the balances of your financial accounts. Look for unexplained charges or withdrawals. Pay attention to your mail; if you fail to receive bills or other mail, your address may have been changed. You may be denied credit for no apparent reason, or you may receive calls from debt collectors or companies about merchandise or services you didn't buy.

The key to protecting your identity and minimizing your exposure to potential damage is to exercise caution!

  • Make sure all of your credit card, bank, and phone accounts have strong passwords. Do not use easily available information like your mother's maiden name, your birth date, the last four digits of your social security number or a series of consecutive numbers. When asked for your mother's maiden name, use a password instead.
  • Secure your personal information in your home, especially if you have roommates, employ outside help, or are having service work done in your home.
  • Don't give out personal information on the phone, through the mail, or over the Internet unless you've initiated the contact and you are sure you know who you are dealing with. Identity thieves can be skilled liars and may even pose as representatives of banks, service providers, or government agencies to get you to reveal identifying information. You may even receive an e-mail message that looks legitimate, but is really part of a "Phishing" scam.
  • Guard your mail from theft. Deposit outgoing mail in post office collection boxes or at your local post office and not unsecured mail boxes. If you are planning to be away from home, stop by your local post office and place a hold on your mail. Or call the US Postal Service at 1-800-275-8777 to ask for a vacation hold.
  • Don't leave your trash out in the open. To thwart a thief who may pick through your trash or recycling bins, tear or shred your charge receipts, copies of credit applications or offers, insurance forms, medical statements, checks and bank statements, and expired charge cards.
  • Limit the identification information and the number of credit and debit cards that you carry to what you will actually need. Keep your purse or wallet in a safe place!
  • Your computer may be a gold mine of personal information. Be sure to update your virus protection software regularly. Look for security repairs and patches you can download from your operating system's Web site. Don't download files from strangers or click on hyperlinks from people you don't know. Opening a file could expose your system to a virus or program that could hijack your modem. Use a firewall, especially if you have a high-speed or "always on" connection to the internet.
  • Be sure you are dealing with a legitimate Web site when providing credit card information online. Look for a logo of a padlock or other indication that card numbers are protected during Internet transmissions. In addition, only provide your credit card information when you originate a transaction, not in response to an unsolicited call or e-mail, which may be fraudulent.
     
  • Check your credit report at least annually. Under the Fair and Accurate Credit Transactions Act (FACT Act) consumers have access to one free credit report each year. You can request a copy through www.annualcreditreport.com, the only service authorized by Equifax, Experian, and TransUnion - the three major credit bureaus. Additionally, you may request a copy by phone or e-mail.
     

Contact Information

Internet: www.annualcreditreport.com
Toll Free: 1-877-322-8228
Mail: Annual Credit Report Request Service, PO Box 105281, Atlanta, GA 30348-5281

Web sites with more information:

Federal Trade Commission: www.ftc.gov/infosecurity
FDIC Consumer News: www.fdic.gov/consumers/consumer/alerts/index.html
Equifax: www.equifax.com
Experian: www.experian.com
TransUnion: www.transunion.com

What is Phishing?

Phishing is the practice of sending fraudulent e-mail messages requesting someone to supply confidential information. The e-mail is disguised to look like a request from a legitimate organization such as a bank, credit card company, or a retail merchant with which recipients may already have a business relationship. Often the message includes a warning regarding a problem related to the recipient's account and requests the recipient to respond by providing specific confidential information. The format of the e-mail typically includes proprietary logos and branding, a "From" line disguised to appear as if the message came from a legitimate sender, and a link to a web site or an e-mail address.

All of these features are designed to assure the recipient that the e-mail is from a legitimate business source. Victims may be directed to provide personal account information by responding to the e-mail, or they may be directed to click on a link that takes them to a legitimate looking web page containing a form on which they are instructed to provide information. Typically, the information requested includes account numbers, passwords, Personal Identification Numbers (PINs), Social Security numbers or other personal identifying information that will allow the perpetrator to gain access to the victim's accounts.

First Federal will never send an e-mail to a customer asking for any personally identifiable information. While you may occasionally receive an e-mail from First Federal, the e-mail will not contain personal information and will be informative in nature regarding products and services First Federal is offering, or information on transactions associated with your online banking service. You have the option of "Opting Out" of promotional e-mail by signing in to your Online Banking Service, and updating your user options.

Who do you call if you suspect you are a victim?

Call the fraud department at any one of the three major credit bureaus. Ask for a fraud alert to be placed in your file at all three companies. The alert tells lenders and other users of credit reports to be careful before opening or changing accounts in your name. The toll free numbers for the fraud departments are:

  • Equifax   800-525-6285
  • Experian   888-397-3742
  • TransUnion   800-680-7289

Call your bank, credit card company or any other financial institution that may need to know. Ask to speak with someone in the security or fraud department and follow up with a letter if necessary. Close old accounts and open new ones, and select new passwords and PINs.

Call your local police or the police where the identity theft occurred. Fill out a police report that will detail what happened and get a copy for future reference.

Call the Federal Trade Commission. Call toll-free 877-IDTHEFT (877-438-4338). Also, an "ID Theft Affidavit" available on the FTC Web site can be used to help you prove you are an innocent victim and help you keep debts you did not incur from appearing on your credit report.

 

  • PO Box 351
    Port Angeles WA 98362
    Routing #: 325170848
    Phone #: (360) 457-0461

  • FDIC
  • Equal Housing Lender