Financial Self Defense: Internet Hygiene

The Best Computer Time Investment You Can Make

Wash your hands after you use the bathroom. Cover your mouth when you sneeze. Brush your teeth daily. These are all basic elements of personal hygiene. We practice them, in part, to minimize the amount of gross stuff that our bodies do, but we also practice them to help protect us from disease.

You might think “Internet hygiene” means wiping down keyboards after you use them and not spilling things on your computer. While these are good habits, there’s another range of behaviors that security experts call “Internet hygiene,” and it can be the difference between a safe and effective Internet and a world of hackers, bots, and identity thieves.

For most people, the beginning and end of cyber-security is a piece of anti-virus software. Imagining that there is nothing on their computer worth stealing, most users don’t take their online security very seriously. Increasingly, that’s exactly the attitude hackers are counting on.

One such recent cyber attack, a malicious worm called Game Over Zeus, infected around 10,000 computers. The worm allowed hackers to remotely control infected computers, using them to launch attacks on major websites. In addition, users frequently found their personal files encrypted. A window created by the worm would inform them that, unless they paid a ransom that sometimes was as much as a few thousand dollars, they would lose access to the contents of their hard drive forever.

How did such a vicious worm spread so quickly? Hackers have gotten better about choosing their targets. It’s easy to find out-of-date software and exploit known structural weaknesses in it to gain control of a computer. From there, it’s a trivial task to create emails that look like they come from the owner of that computer, which makes it easier to infect the computers of that person’s friends and family members.

Security expert Tom Kellerman compares the state of a compromised computer to a neighbor who always leaves the front door to an apartment complex unlocked. Not only can thieves break into the neighbor’s apartment, but they can use their expanded building access to more easily break into other units. If you aren’t maintaining the security protocols on your computer and being vigilant about what links you click, you aren’t just putting your own security at risk. You’re creating a more dangerous Internet for your friends, co-workers, and family, too.

The lesson of Game Over Zeus is pretty simple. Computer viruses spread a lot like human viruses. They infect people who don’t practice good hygiene, then spread to their friends and family. If you wouldn’t sneeze on your hand before pushing buttons on an elevator, don’t practice unsafe Internet behaviors.

How can you practice good Internet hygiene? You don’t need to be a tech guru to keep your PC safe. Security experts consistently recommend you take at least these five steps.

1.) Download an anti-virus software program, like AVG or McAfee, and keep it up-to-date. Schedule updates for it to run when your computer is on, and don’t interrupt the process. Do the same thing with an anti-malware program, like MalwareBytes. Tens of thousands of new malicious programs are being created every day. If you’re not regularly updating your security software, you might as well not have it.

2.) Run scans with both your anti-virus and anti-malware software on a weekly basis. Just as people with strong immune systems can still get sick, even a Mac computer can be infected with malicious programs. If you’re on the Internet, you’re at risk.

3.) Do it right away. If your computer gives you a message that it needs to download or install critical updates, do it the first time you see the warning. It’s annoying to stop what you’re doing and restart your computer, but it’s better than having your computer compromised. When IT professionals call something a “critical update,” it usually means it fixes a known software exploit. Make sure the message that pops up is from a trusted source, however. There are malware programs around that use fake “critical update” popups to infiltrate your computer.

4.) Don’t click links that take you to sites you don’t recognize, even if they’re emailed to you by a friend or family member. These emails are frequently generated by bots to keep malicious software spreading. Clicking that link might make you yet another disease vector.

5.) Don’t download, install or run any software you don’t recognize. For these bots to keep spreading, at some point human beings have to authorize them. If you’re installing software you think might be dangerous, you’re putting your computer and the computers of everyone you know in jeopardy.

This might seem like a lot of work, but it’s the price of doing business and living in a digital age. With the convenience of a world of information at your fingertips comes the responsibility to maintain the health of that system. Do your part – install and update security software, and be constantly on guard for threats!

Important Information Regarding Home Depot Stores Data Compromise

NASA FCU member account security is our highest priority. We are monitoring account activity and will continue to do so for those who made credit or debit card transactions at a US or Canadian Home Depot store in 2014, from April on.

If you discover any suspicious or unusual activity on your accounts, or suspect fraud, be sure to report it immediately by contacting us at 1-888-NASA-FCU.

Here are some answers to frequently asked questions:

How do I know if the Home Depot data breach impacts me?
If you shopped at a United States or Canadian Home Depot store in 2014 from April on, you should check your account for any suspicious or unusual activity. If you see something that appears fraudulent on your NASA FCU credit or debit card then please contact NASA FCU immediately at 1-888-NASA-FCU (627-2328).

What is Home Depot doing about this?
Since Home Depot first became aware of a potential breach, their forensics and security teams have been working around the clock with leading IT security firms, banking partners, and the Secret Service. They felt it was important to let everyone know that they’re confident there has been a breach. They acknowledge that it’s frustrating not to have all the details, and assert that customers won’t be responsible for any fraudulent charges. Home Depot is also offering free identity protection services, including credit monitoring to any customer who used a payment card at a Home Depot store in 2014, from April on.

Tell me more about the identity protection services Home Depot is offering.
Home Depot is taking steps to protect customers’ payment card information. If you need identity repair assistance during the next 12 months, starting on September 8, 2014, Home Depot has a team of dedicated fraud resolution investigators available to assist you. They will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition. For additional protection, Home Depot is also making available, at no cost to customers, a service that includes credit monitoring, identity monitoring, and an identity theft insurance policy. Customers who used a payment card at a Home Depot store in 2014, from April on, are eligible to receive these services. For more information about these services and to enroll, please visit https://homedepot.allclearid.com/

What information was compromised/stolen?
Home Depot has confirmed that their payment data systems have been breached. Their investigation of the details of the breach is likely to take some time. At this time, there is no reason to believe debit card PINs were impacted; however, it is always a good idea to review your bank statements carefully and call your financial institution if you see any suspicious transactions.

Should I block my card at this time and get a new one?
If you want to leave the card open and continue to monitor your statements, you may do so. If you wish to block your credit or debit card and have a new card reissued, we can help you do that as well. Debit cards can be reissued instantly at one of the following branch locations: Annapolis, Bowie, Collington, Columbia, Falls Church, Greenbelt, Headquarters, Oak Hall and Rockville.

Were social security numbers included in the breach?
Your Social Security number is in no way related to your debit/credit card; therefore, it was not included in the breached data.

Ransomware and Mobile Devices

One moment, you’re surfing the Internet. A minute later, a pop-up shows your files have been taken hostage and that you’re required to pay a $300 ransom to have them released back to you. You stare at the screen in disbelief. How is this possible, especially considering you are on your mobile device?

Ransomware – malware that accesses your computer system and blocks access to your files until a ransom is paid to restore access, all while stealing your payment information – has become more prevalent among PC users. While these attacks typically focused solely on PCs, they are now adapting to include mobile devices. That’s right, the very same mobile devices you use to access your credit union accounts to check balances, transfer funds and make payments.

One example of Russian-based mobile device ransomware is called “Svpeng.” It focuses on tactics for infecting mobile phones and mobile banking applications. It infects the device with a phishing window when the application is opened. This overlay attack is used to steal online banking information as the malware pretends to be the application’s login screen. The user enters login and password information, which is then stolen by the hackers. Once they have access to the account, they can control it. Svpeng also phishes through Google Play if that is on the mobile device.

This tactic also involves SMS messages being sent to two Russian banks to determine if the phone number of the device is connected to any payment cards. If a card is indeed connected to a number, the hackers use commands through the device to transfer the victim’s money into their own accounts. While Svpeng has currently been seen only in Russia, it is expected to expand into other countries; one of the features of the ransomware checks the mobile device’s language settings to determine the appropriate language to use for the attack.

As time goes on, other PC-based ransomware programs may also be adapted for mobile devices, or more ransomware programs designed specifically for mobile devices may be created. Hackers are always looking for ways to evolve their tactics in hopes of stealing more information and making immediate profits. Svpeng, for example, had 50 modifications to its malware within a three-month period.

How does this type of malware get onto a PC or a mobile device? It could be through a “drive-by download” where malicious software is downloaded without the user even knowing about it. This happens as the user surfs the Internet without a care, yet comes across a compromised Web page or clicks to a website through an HTML-based email. It could have been downloaded through a phishing email, which appears to be from a credit union, yet is a fake email linking to a compromised Web page. The ransomware could also come through an email attachment that is malicious.

After the infection occurs on the mobile device or PC, the overlay or ransomware tactics are used as was described with Svpeng. That way the hackers can either directly steal the login and password information when the credit union account is accessed, or the user is blackmailed by a direct ransomware attack to send money to unlock the mobile device.

Many of the ways to prevent ransomware from infecting a PC also apply to a mobile device. Make sure data on a mobile device is regularly backed up. This will help with recovering information if the device is hijacked. Make sure an antivirus program is running on the mobile device. Follow safe Web browsing habits. Block suspicious emails.

Don’t download data or apps from questionable sources. Don’t “jailbreak” a device, which overrides its built-in controls and security features; this removes an additional layer of protection against ransomware attacks.

If you think your mobile device has become a victim of ransomware, you can try to remove it by running a virus scan through mobile antivirus software. Don’t pay any ransom, because it won’t guarantee the release of your data and you would be giving additional payment information to the hackers. If that doesn’t work, talk with your mobile device or cellular provider and/or their tech support. Of course, notify your credit union to monitor your accounts for any potentially fraudulent activity.

Emails and Phone Calls from Utility Providers

Usually, you get your electric bill in the mail. This month, however, it appears in your email account. You don’t remember signing up for the electronic version of the bill. You aren’t even sure they have that available. You stare at the email. Wait. How did a bill that is normally $150 a month suddenly jump to $550? You stare at the email in a panic.

In another scenario, you receive a phone call from someone claiming to be from your water company. They tell you that you owe on your account or your water will be immediately shut off. You are pretty sure you paid that bill last week. If only you could find the most recent bill while also trying to find a debit card to pay the bill.

If anything like this happens to you, it should trigger alarm bells. What you’re encountering may be fraud. It may come in the form of emails or phone calls, but the goal of the fraudster is the same: to steal your information.

This is happening to customers in Pennsylvania, Texas, Oregon, Florida, and Oklahoma. It has happened under the guise of reputable companies such as UGI Utilities, PG&E Energy, Atmos Energy Corporation, Portland General Electric, NW Natural Gas Company, Pacific Power, and Duke Energy.

If you get an email from a utility company, pay attention to the account number, the logo and the return email address. Even links within the email can actually send you to a fraudulent website that looks just like the website you would expect to see. Pay attention to the amount. Is it close to what you typically pay? Of course, consider whether you even signed up for electronic bills from the utility company. If things don’t look right or you just aren’t sure, don’t click on any links and contact your utility company immediately. It should go without saying: look up the phone number in the phone book or online – don’t rely on any phone number that is printed within the suspicious email.

If a phone call comes from someone claiming to be from your utility company, consider that your service won’t be turned off that instant. In other words, don’t reach for that prepaid debit card. And remember, if indeed your bill is past due, you will be mailed other reminder notices. The phone call won’t be the only indicator that your bill is past due (if it really is).

If you get an email or phone call, gather as much information as you can from the caller. Refuse to pay any money or provide personal information like account numbers, tax identification, etc. Call your utility provider and share the information. If it is a fraudulent email or phone call, you likely aren’t the only potential victim. Any information you share with your real utility provider will help them inform their customers and protect their financial identity.

Heartbleed Bug: Your NASA FCU Accounts are Not Affected

You may have heard the news reports regarding a security vulnerability called Heartbleed. The Heartbleed Bug affects OpenSSL, open source software widely used to encrypt Web communication.

First, we want to assure you that your NASA Federal Credit Union accounts are not affected by the Heartbleed Bug.

Do Our Members Need to Take Action?

NASA FCU Member Accounts have not been affected; however, we always encourage members to routinely change their passwords and to continue to take proactive steps towards protecting their personal information from fraud. We also encourage members to be cautious about which sites they visit and sign on to, and which links they click, since these may be unsecure.

Members can visit the NASA FCU Security Center for more information on protecting themselves from fraud, as well as the steps NASA FCU takes to keep their information secure.

More information on the Heartbleed Bug can be found at www.heartbleed.com.

How to Protect Yourself from Identity Theft

Identity Theft

Data breaches at retail establishments and universities seem to be abundant these days. And if you’re like most of us, you may be wondering if there’s anything you can do to help protect yourself—and your credit—from prying eyes.

According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, there is an important tool you may consider: a credit freeze—or security freeze—on your credit report. By employing a credit freeze, you essentially restrict access to your credit report.

The reason this tool is so effective is that creditors must review your credit report before approving new accounts. If they are unable to access your credit file, they are unlikely to extend credit. As a result, restricting access to your credit report puts the brakes on identity thieves who would open new accounts in your name.

To place a freeze on your credit reports, you’ll need to contact each of the nationwide credit reporting companies: Equifax, Experian, and TransUnion. Be prepared to share with them your name, address, date of birth, Social Security number and other personal information. There are also fees for this service. They are based on your address, but they typically are only between $5 and $10.

A credit freeze does not affect your credit score or prevent you from getting your free annual credit report. You can still open new accounts, apply for jobs, rent an apartment, and buy insurance, but you’ll need to lift the freeze temporarily, either for a specific time, or for a specific party, say, a potential landlord or employer. The cost and lead times to lift a freeze vary, so it’s best to check with the credit reporting company in advance.

Although a credit freeze is an effective tool, it won’t prevent a thief from making charges to your existing accounts. You still need to monitor all bank, credit card and insurance statements for fraudulent transactions.