ATLANTA, September 8, 2014 -- The Home Depot®, the world's largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores. There is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.
While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised.
Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware and protect customer data. The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. Customers who wish to take advantage of these services can learn more at http://www.homedepot.com and https://homedepot.allclearid.com/ or by calling 1-800-HOMEDEPOT (800-466-3337).
Hackers Exploit CryptoLocker Fears
Cyber gangs have launched a massive phishing campaign to exploit the fear generated by the recent CryptoLocker news announcements. The scam offers "decryption keys for CryptoLocker". The utility can be downloaded, and claims it will unlock any files encrypted by CryptoLocker. However, as you might have guessed, it's a scam.
If an unsuspecting user downloads it, a fake registry cleaner is installed which falsely claims that there are lots of registry problems. And of course, it claims the only way these can be solved is by buying the product.
This is clearly an attempt to exploit the news coverage of both CryptoLocker and GameOver Zeus. This type of scam will escalate for sure, and more dangerous viruses will be marketed as CryptoLocker file decrypters. Don't fall for this scam!
Do I need to change any passwords due to Heartbleed?
Here is a link to a list of popular websites and their Heartbleed status: Mashable's Heartbleed List. Use this link to check whether you need to change passwords on any vulnerable sites you may use. If the site is in the process of being patched, do not visit it until after it is patched, and then change your password. If you change your password for a vulnerable site now, it could still be compromised and you will have to change it again after the site has been patched.
Rest assured that First Federal’s online banking sites never used OpenSSL and are not vulnerable.
Some of our customers have reported receiving a text message stating that “Your Visa has been temporarily deactivated – Please call our Card Service 24 hr. line at 206-212-0255”.
This is a scam designed to get you to divulge account information. It is not a legitimate Visa notification, and was not sent by First Federal. If you should receive such a text message, do not reply to the text or call the number in the message. Ignore the text message.
With the increase in fraud, it is always good practice to monitor your accounts regularly for any abnormal activity.
Posted April 11, 2014
Heartbleed Bug Update
No doubt by now you have heard about the widespread web server vulnerability called “Heartbleed” that has been in the news. We have verification from our online banking providers that First Federal’s online banking websites for both consumer and business banking are not vulnerable to this bug.
First Federal is continuing to research the possible impact of the Heartbleed bug and taking appropriate action to ensure that there is no impact to our customers.
What can you do? Because this vulnerability is so widespread, one or more of your passwords at various websites may have been compromised. Make sure you are not using the same password across multiple websites on the internet. Use strong passwords and always use a unique password for online banking and e-commerce sites.
I'm sure you know that next week, April 8th, Microsoft will stop supporting Windows XP, which means they will stop distributing security updates for XP for free. You can still get them but have to pay through the nose. For the vast majority of us, when another security bug is found in XP after April 8th (a certainty), that bug cannot be patched anymore, and the workstation that runs XP will be very easy for the bad guys to get into. Microsoft on their website states: "PCs running Windows XP after April 8, 2014, should not be considered to be protected."
What most of you may -not- know, is that the bad guys have been hoarding XP zero-day vulnerabilities, patiently waiting for next week, so that they can either use them or sell them. There are estimates that there are now hundreds of known holes that are waiting to be exploited. This IS something to be worried about. The least you can do is give end-users that still run XP some effective security awareness training, and I have 9 other things you can do to secure XP, see the link below.
Despite Microsoft's continuous warnings, Redmond does not see a stampede toward Win7 or 8. David Rodger, commercial lead for the Windows Business Group at Microsoft, said there was no sense of "panic" from firms about moving off XP. He stated: "We’re not seeing a stampede. Many organizations will have looked at this from a ‘T-minus’ perspective and are probably now seeing their plans come together."
So now, if you are stuck with XP, here are 10 things you should do to make sure it's not going to be a cakewalk for the bad guys to penetrate your network. It's already easy enough. My business partner Kevin Mitnick is always happy to hear that a penetration-test customer has XP running in their network, as that makes his job that much faster. Here is the link to the KnowBe4 blog:
This scam uses a combination of phishing emails and scam calls with spoofed Caller ID. The scammers intimidate the victim, threatening arrest, deportation or loss of a business or driver's license.
The Treasury Inspector General for Tax Administration this week issued a warning about it. "This is the largest scam of its kind that we have ever seen," said J. Russell George, the Treasury Inspector General for Tax Administration. Over 20,000 victims have collectively paid more than $1 million as a result of the scam.
Scammers claiming to be from the IRS tell people they owe taxes and must pay using a pre-paid debit card or wire transfer. The truth is that the IRS usually first contacts people by mail - not by phone - about unpaid taxes. Here are some Red Flags you need to watch out for:
> The callers use common names and fake IRS badge numbers.
> The perpetrators know the last four digits of your Social Security Number.
> Caller ID looks like it is the IRS calling.
> The criminals send bogus IRS e-mails to support their scam.
> Many fraudsters call a second time claiming to be the police or Department of Motor Vehicles, and the caller ID again supports their claim.
The IRS recently warned consumers of this and other ongoing scams that tend to peak during tax season, when many taxpayers could be on edge. The scams come in many variations, including calls where the victims are told they owe money or are entitled to a huge refund. More at Treasury.gov: http://www.treasury.gov/tigta/
Posted March 5, 2014
No matter your age or stage in life, it’s important to have as much information as possible to effectively manage your money and avoid financial frauds and scams. That’s why, in observance of National Consumer Protection Week 2014 (March 2-8), the FDIC will post information about a specific topic each day on the agency’s web site, along with links to helpful FDIC Consumer News articles, to encourage discussion and provide tips about what you need to know to save and protect your money.
Click here to view the 5 key tips posted daily.
The goal of FDIC Consumer News is to deliver timely, reliable and innovative tips and information about financial matters, free of charge. To find current and past issues of FDIC Consumer News, visit www.fdic.gov/consumernews.
Posted March 4, 2014
Cybercriminals are trying to trick Hotmail users into handing over their credentials with fake emails that claim to come from "The Microsoft account team." The emails, analyzed by researchers from Malwarebytes, inform recipients that their Hotmail account is upgraded to Outlook.
The scam claims their Hotmail Account has expired and that due to a new system upgrade to Outlook they need to follow the link, sign in and re-activate their account.
The email address is spoofed and the link points to a website whose owners are probably not aware of the fact that they’ve been hacked.
Posted February 27, 2014
Microsoft will no longer provide support for computers running Windows XP after April 8, 2014.
Microsoft provides current operating systems with regular security updates. After April 8, 2014, they will stop providing these updates for computers running the Windows XP operating system. If your computer is running on Windows XP, and you use it to access the internet, it is highly recommended that you consider upgrading your computer before the April 8th deadline. Upgrading your computer will ensure that you are provided with access to the latest updates from Microsoft necessary to protect it from malware and other vulnerabilities that can potentially compromise the information stored or accessed on that computer.
You can click here to see what version of Windows you are using:
Using Windows XP after April 8, 2014 puts your computer and your personal information at risk. Your personal computer security is your responsibility. First Federal encourages all users of Windows XP to consult with a computer professional for upgrade options as soon as possible, or alternatively, replace the computer with a new one.
Posted January 29, 2014
News agencies are issuing fraud alerts related to consumer complaints about a charge of $9.84 appearing on credit cards. We encourage you to closely monitor all your credit card activity and confirm the charges.
Credit card scam artists believe that many cardholders will ignore small dollar amounts listed on their credit cards. If you do see a charge for $9.84 that you cannot verify, please contact your credit card provider immediately: you can then request a new card and place a fraud alert on your credit file.
Please click on the links below to read more information.
Posted January 24, 2014
This year marks the tenth anniversary of National Cyber Security Awareness Month sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.
During the course of the day you may write a check, charge tickets to your favorite event, mail your bills, call home, or apply for a credit card. Normally you wouldn't give these transactions a second thought. But someone else may.
The age of information technology has created a new line of crooks called identity thieves. With each transaction, you may share personal information: your credit card number, account number, Social Security number, name, address, and phone numbers. An identity thief may capture this information without your knowledge and commit fraud or theft. And you may not even know it until months later.
Monitor the balances of your financial accounts. Look for unexplained charges or withdrawals. Pay attention to your mail; if you fail to receive bills or other mail, your address may have been changed. You may be denied credit for no apparent reason, or you may receive calls from debt collectors or companies about merchandise or services you didn't buy.
Annual Credit Report Request Service, PO Box 105281, Atlanta, GA 30348-5281
Federal Trade Commission: www.ftc.gov/infosecurity
FDIC Consumer News: www.fdic.gov/consumers/consumer/alerts/index.html
Phishing is the practice of sending fraudulent e-mail messages requesting someone to supply confidential information. The e-mail is disguised to look like a request from a legitimate organization such as a bank, credit card company, or a retail merchant with which recipients may already have a business relationship. Often the message includes a warning regarding a problem related to the recipient's account and requests the recipient to respond by providing specific confidential information. The format of the e-mail typically includes proprietary logos and branding, a "From" line disguised to appear as if the message came from a legitimate sender, and a link to a web site or an e-mail address.
All of these features are designed to assure the recipient that the e-mail is from a legitimate business source. Victims may be directed to provide personal account information by responding to the e-mail, or they may be directed to click on a link that takes them to a legitimate looking web page containing a form on which they are instructed to provide information. Typically, the information requested includes account numbers, passwords, Personal Identification Numbers (PINs), Social Security numbers or other personal identifying information that will allow the perpetrator to gain access to the victim's accounts.
First Federal will never send an e-mail to a customer asking for any personally identifiable information. While you may occasionally receive an e-mail from First Federal, the e-mail will not contain personal information and will be informative in nature regarding products and services First Federal is offering, or information on transactions associated with your online banking service. You have the option of "Opting Out" of promotional e-mail by signing in to your Online Banking Service, and updating your user options.
Call the fraud department at any one of the three major credit bureaus. Ask for a fraud alert to be placed in your file at all three companies. The alert tells lenders and other users of credit reports to be careful before opening or changing accounts in your name. The toll-free numbers for the fraud departments are:
Call your bank, credit card company or any other financial institution that may need to know. Ask to speak with someone in the security or fraud department, and follow up with a letter if necessary. Close old accounts and open new ones, and select new passwords and PINs.
Call your local police or the police where the identity theft occurred. Fill out a police report that will detail what happened and get a copy for future reference.
Call the Federal Trade Commission. Call toll-free 877-IDTHEFT (877-438-4338). Also, an "ID Theft Affidavit" available on the FTC Web site can be used to help you prove you are an innocent victim and help you keep debts you did not incur from appearing on your credit report.