Thursday, September 26, 2013

Social Engineering – Don’t Be Fooled into Giving Away Your Identity!

One of the tricks that the bad guys use to gain personal information about us is called Social Engineering.  Wikipedia defines it as “psychological manipulation of people into performing actions or divulging information.”   There are several common social engineering techniques including:
Pretexting
Pretexting is the act of creating and using an invented scenario to get a targeted victim to divulge information (like social security number, date of birth or account numbers) that they would not normally divulge.  The pretext often involves impersonating a person or business (your Credit Union, for example) so that the victim doesn’t think anything is wrong and unknowingly gives out personal identity information.
The opening scene of the 2012 movie Identity Thief is a prime example of a pretext.  In the scene, Jason Bateman is tricked into believing that the person on the other end (Melissa McCarthy) is really from his bank’s fraud division.  He is fooled into giving out his personal information and she steals his identity and makes his life pretty miserable.  Just like in real life, Melissa McCarthy relied on an elaborate lie over the phone that forced Jason Bateman to make a quick decision on whether to fall for the pretext.
Kirtland Federal Credit Union will NEVER call you and ask for any personal information.  Not ever!  If anyone calls saying they are from KFCU and are asking for personal information, don’t give it out!  When we call you it will be to give you information, not ask for it!
Phishing
Phishing is another way to fraudulently obtain personal information for the purpose of identity theft and fraud.  Most phishing attacks come in the form of emails.  Typically the email has a look and feel similar to that of the company it is trying to mimic, often including the company’s logo.  The emails usually ask for things like social security numbers and account numbers, and many times ask for the answers to your security questions (like mother’s maiden name, high school or other things only you should know).  The purpose of phishing is to get enough information to steal your identity and eventually commit fraud against you.  Sometimes the phishing email will have a link to a web page that looks similar to the real thing.
KFCU will NEVER send you an email asking you to supply any information.  We do from time to time send emails with great offers and information about upcoming events, but we will never ask for any of your personal or account information by email.
Quid Pro Quo
Lastly, another type of social engineering is called quid pro quo.  This involves a fraudster calling a lot of people while posing as technical support.  When they reach someone who really is having computer issues, they offer to help fix the problem, and in the process get the unsuspecting user to type commands that load malware, which then allows the fraudster to access the computer and steal identity or account information.
The way to avoid this type of social engineering is simple.  Ask the caller what company they are calling from and who they are calling for.  If they don’t know who you are and you don’t recognize the company, hang up.
Social engineering relies on confusion and trickery.  Don’t be fooled into giving up your personal information.  KFCU will never call or email you asking for any personal information.  If in doubt, hang up and call us!

Your Wingman  GW   

Tuesday, September 10, 2013

Online Banking Security Enhancements Part 2

Last time we talked about creating a User ID the first time we log in to online banking on or after October 8th of this year.  Using a User ID that is not the member number adds a layer of security when using online banking should your member number inadvertently get into the wrong hands.  Our number one goal is to keep all our members’ personal and financial information safe and secure.
The second step in navigating our security upgrade is the password check: on or after October 8, 2013, we will check your password to make sure it is “strong” enough.  (You will only be asked to create a new one if your current password doesn’t meet the requirements I’ll outline in a minute.)  When we talk about “strong” passwords we mean we want them to be hard for someone else to guess.  The challenge with passwords is that we want them to be easy to remember for ourselves but hard to guess for anyone else.  The new password requirements are:
· Minimum length is six characters and maximum is 32 characters
· Must be composed of two out of these three: letters, numbers and symbols
· Cannot contain part of username
· Cannot contain any spaces
· Is case sensitive
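
The rules above, written as a checker and run against a few candidate passwords. This is an added example, not KFCU’s own code: the username `gwingman`, the function names, and the reading of “part of username” as any three-character run of it are assumptions.

```python
MIN_LEN, MAX_LEN = 6, 32
FRAGMENT_LEN = 3  # assumption: "part of username" means any 3-character run of it


def character_classes(password):
    """Return which of the three classes (letters, numbers, symbols) appear."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("letters")
        elif ch.isdigit():
            classes.add("numbers")
        elif not ch.isspace():
            classes.add("symbols")
    return classes


def contains_username_fragment(password, username, n=FRAGMENT_LEN):
    """True if any n-character run of the username occurs in the password.

    Compared without regard to case (an assumption, the stricter reading);
    the password itself is still matched case-sensitively at login.
    """
    p, u = password.lower(), username.lower()
    if len(u) <= n:
        return bool(u) and u in p
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))


def check_password(password, username):
    """Return the names of the rules the password breaks; [] means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if len(character_classes(password)) < 2:
        problems.append("classes")
    if contains_username_fragment(password, username):
        problems.append("username")
    if any(ch.isspace() for ch in password):
        problems.append("spaces")
    return problems


if __name__ == "__main__":
    # Constructed username; candidates include examples from this post.
    for candidate in ["Msbi12/Dec,4", "K!ngj@mes=06", "badminton",
                      "gwing2013!", "my pass 12", "Ab1"]:
        print(candidate, check_password(candidate, "gwingman") or "OK")
```

A password made only of letters, such as `badminton`, fails the two-out-of-three rule even though it is long enough.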

Creating a “strong” password that is easy to remember doesn’t have to be difficult.  Here are some recommendations from Microsoft:
· Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
· Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son's birthday is 12 December, 2004 could become Mi$un'sBrthd8iz12124.
· Relate your password to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.
OK, so Microsoft’s recommendations are a little bit complex, but they make some very good points.  I like to substitute symbols for letters and put words and numbers together.  For instance:
K!ngj@mes=06  or !sOtopes#rULe  or !lOve.Co@Ch
You could use passwords that relate to your favorite sports team or your favorite clothes designer.  One note of caution is to not make passwords too obvious – if everyone knows you are a hardcore Cowboys fan (or Broncos fan!) and you live and breathe football, the bad guys may also know that about you and have a head start on trying to guess your password.
One other tip: if you need to write down your password, make sure that you don’t label it as your password.
It’s best to resist using the same password for all your online accounts.  I realize that it’s hard to have a separate password for each online login.  If you feel like you must do this, make up several passwords and spread them around your different online logins.  The reason we recommend this is that if one of your online accounts gets compromised, you don’t want the bad guys to know your credentials to all the other online accounts you might have.
Hopefully we provided some tips on creating strong passwords that will help keep your online banking safe and secure.  In closing let me offer one last reminder –
Kirtland Federal Credit Union will NEVER ask you for your user ID or password.  If someone is asking for these don’t give them out!  If you have any doubts or concerns about any request you might get in email or over the phone, please come in or call us.
Next time we’ll talk about social engineering, which is one of the tools bad guys use to try to steal your identity.
Your Wingman.  GW