Wednesday, April 9, 2014

What is the Heartbleed Bug and Should I be Worried?

If you have been listening to or reading the new today you likely will have heard about the Heartbleed bug that could compromise encrypted communications across the Internet.  It is a vulnerability in some web servers that could allow a hacker to "listen in" on (be able to read) an encrypted internet session.  Many internet session are encrypted especially those that involve financial transactions.

What is most interesting about this bug is that it has been a bug since late 2011 but was only publicly announced today, along with the update that fixes it.

Now here is the good news about this bug........

Our Data Security experts at KFCU have been busy this morning researching our potential exposure to this bug and we are happy to report that none of our systems are affected by this bug.  

We take our member's internet security and safety very seriously and will continue to be diligent in researching and remediating any and all threats to our member's financial transactions and identity. 

Say Good bye to an Old Friend – Windows XP

Microsoft has ended support (including security patches) for Windows XP operating systems.  As I sit at my computer on the eve of the day that Microsoft will effectively put to rest the beloved system, I reminisce over fond memories of what was probably the most stable, easy-to-use Windows Operating System.  I'm sure you may have questions about what this really means as it relates to things like ATMs and online banking, but first let’s pay a little homage where due; Windows XP was built in late 1990 and released in 2001.  It far outlived most people's expectations and has now been faithfully serving us for 13 years.  Microsoft has been warning us since 2007 that the time would come to lay it to rest; we just didn't want to believe it.  Since technology ages in dog years, Windows XP is an old dog for sure.

Let me answer some predictable questions.  If you have more, please contact us at 505-254-4369.

“I have heard that most ATMs in the US are running Windows XP.  Should I be afraid to use an ATM starting tomorrow?”

ATMs will continue to be safe to use.  ATM networks have always had additional security software and measures in place to protect them.  ATM networks including CU Anytime have always been safe and secure.
Of course, it’s always a good idea to practice safe banking practices when using an ATM.  Be wary of your surrounding when using one and follow up online to check all your account balances and transactions every day.  Let us know immediately if you see something suspicious.

“My Windows XP PC still runs just fine - why can’t I just keep on using it until it stops working?”

Once Microsoft stops fixing security bugs, Windows XP will soon become an unsafe operating system.  Continuing to use it on your PC will put you at significant risk for account takeover fraud.  Hackers will have an increasingly easier time of compromising your PC--putting your finances and identity at risk.
Although it’s hard to say “good by” to an old friend, now is the time to invest in a new PC with a modern operating system.

There are several great options --Windows 7, Windows 8 and Mac, to name the most popular.  These all provide the level of security that is currently needed.  Just a word of advice from personal experience: if you really like the functionality of Windows XP, Windows 7 is the most similar to it and may make your transition relatively easily.  You can still find PCs that give you the option of Windows 7 over Windows 8.  Windows 8 is a very good operating system; it’s just very different than XP or Windows 7.  The Mac platform has been mostly unchanged for 15 years and is a great platform as well.  If you have a lot of Apple devices such as iPhones or iPads, the Mac might be a great option, although it’s a bit pricy.  Whatever operating system best fits your budget and personality, please make an investment in updated security now, before your aging Windows XP system fails to stop a criminal whose goal is to control your hard-earned money.

Wednesday, October 30, 2013

One Time PassCodes - Why They Are Important

As cyber criminals become more sophisticated, KFCU and our partners continue to seek out ways to protect our members.  Account takeover is on the rise.  The bad guys are gaining online banking credentials by capturing the keystrokes on your PC as you log in to online banking and then using them to log on as you, the member and commit fraud.  Typically this occurs when a piece of software, called a Trojan Horse, is unknowingly downloaded to an unsuspecting member's computer, capturing the member's keystrokes including the User ID and password to their online banking account.

Several years ago, the Federal Financial Institutions Examination Council, (FFIEC) published some best practices for financial institutions on how to protect members and customers against account takeover fraud through the online banking channel.  The biggest portion of the recommendation was the use of "out of band" authentication in the online banking sign on process.

Out of band authentication is simply the concept of providing another way to make sure that you are who you say you are when you sign on to online banking.  When a member uses their debit card to get cash from an ATM, we use a form of out of band authentication when we ask for a PIN number to be entered.  Even if someone had possession of your debit card they would need to know your PIN to use it.

The use of one time passcodes delivered to a cell phone or land line phone is the way that we ensure that you are who you say you are when you sign on to online banking.  If a criminal were to obtain your User Id and Password for your online banking account, they could not sign on without that one time passcode.  Receiving and inputting that one time passcode keeps online banking secure.

The safest, most secure way to bank online is to receive a one time passcode each time you sign on to online banking.  We realize that it can be a nuisance to receive that code each and every time and key it in, but it really does offer the highest degree of protection and security for banking online.

So the next time you are prompted for a one time passcode, remember KFCU is just trying to keep your online banking safe and secure!

Your Wingman GW

Thursday, September 26, 2013

Social Engineering – Don’t Be Fooled into Giving Away Your Identity!

One of the tricks that the bad guys use to gain personal information about us is called Social Engineering.  Wikipedia defines it as “psychological manipulation of people into performing actions or divulging information.”   There are several common social engineering techniques including:
Pretexting
Pretexting is the act of creating and using an invented scenario to engage a targeted victim to divulge information (like social security number, date of birth or account numbers) that they would not normally divulge.  Many times the pretext involves impersonating a person or business (your Credit Union for example) so that the person doesn’t think anything is wrong and will many times unknowingly give out personal identity information.
The opening scene of the 2012 movie Identity Thief is a prime example of a pretext.  In the scene, Jason Bateman is tricked into believing that the person on the other end (Melissa McCarthy) is really from his bank’s fraud division.  He is fooled into giving out his personal information and she steals his identity and makes his life pretty miserable.  Just like in real life, Melissa McCarthy relied on an elaborate lie over the phone that forced Jason Bateman to make a quick decision on whether to fall for the pretext.
Kirtland Federal Credit Union will NEVER call you and ask for any personal information.  Not ever!  If anyone calls saying they are from KFCU and are asking for personal information, don’t give it out!  When we call you it will be to give you information, not ask for it!
Phishing
Phishing is another way to fraudulently obtain personal information for the purpose of identity theft and fraud.  Most phishing attacks come in the form of emails.  Typically the email has a similar look and feel as the company that it is trying to mimic, many times including a logo from the company.  The emails usually ask for things like social security numbers, account numbers and many times ask for your security questions (like mother’s maiden name high school or other things only you should know).  The purpose of phishing is to get enough information to steal your identity and eventually commit fraud against you.  Sometimes the phishing email will have a link to a web page that looks similar to the real thing.
KFCU will NEVER send you an email asking you to supply any information.  We do from time to time send emails with great offers and information about upcoming events, but we will never ask for any of your personal or account information by email.
Quid Pro Quo
Lastly, another type of social engineering is called quid pro quo.  This involves a fraudster calling a lot of people posing as technical support.  When they call someone who is really having computer issues they offer to help and fix the problem, and in the process gets the unsuspecting user to type commands that load malware that will then allow the fraudster to access the computer to steal identity or account information.
The way to avoid this type of social engineering is simple.  Ask the caller what company they are calling from and who they are calling for.  If they don’t know who you are and you don’t recognize the company, hang up.
Social engineering relies on confusion and trickery.  Don’t be fooled into giving up your personal information.  KFCU will never call or email you asking for any personal information.  If in doubt,  hang up and call us!

Your Wingman  GW   

Tuesday, September 10, 2013

Online Banking Security Enhancements Part 2

Last time we talked about creating a User ID the first time we login to online banking on or after October 8th of this year.  Using a User ID that is not the member number adds a layer of security when using online banking should your member number inadvertently get in the wrong hands.  Our number one goal is to keep all our members’ personal and financial information safe and secure.
The second step in navigating our security upgrade on or after October 8, 2013, we will check your password to make sure it is “strong” enough.  (You will only be asked to create a new one if your current password doesn’t meet the requirements Ill outline in a  minute) When we talk about “strong” passwords we mean we want them to be hard to guess by someone else.   The challenge with passwords is we want them to be easy to remember for ourselves but hard to guess for anyone else.  The new password requirements are:
·         Minimum length is six characters and maximum is 32 characters
·         Must be composed of two out of these three: letters, numbers and symbols
·         Cannot contain part of username
·         Cannot contain any spaces
·         Is case sensitive  

Creating a “strong” password that is easy to remember doesn’t have to be difficult.  Here are some recommendations from Microsoft:
·         Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
·         Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son's birthday is 12 December, 2004 could become Mi$un'sBrthd8iz12124.
·         Relate your password to a favorite hobby or sport. For example, I love to play badminton could become ILuv2PlayB@dm1nt()n.
 Ok so Microsoft’s recommendations are a little bit complex but they make some very good recommendations.  I like to substitute symbols for letters and put words and numbers together.  For instance:
K!ngj@mes=06  or !sOtopes#rULe  or !lOve.Co@Ch
You could use passwords that relate to you favorite sports team or your favorite clothes designer.  One note of caution is to not make passwords too obvious – if everyone knows you are a hardcore Cowboys fan (or Broncos fan!) and you live and breathe football the bad guys may also know that about you and have a head start on trying to guess your password.
One other tip- if you need to write down your password, make sure that you don’t label it as your password.
It’s best to resist using the same password for all your online accounts.  I realize that it’s hard to have a separate password for each online login.  If you feel like you must do this, make up several passwords and spread them around your different online logins.  The reason we recommend this is if one of your online accounts get compromised, you don’t want the bad guys to know your credentials to all your online accounts you might have.
Hopefully we provided some tips on creating strong password that will help keep your online banking safe and secure.  In closing let me offer one last reminder –
Kirtland Federal Credit Union will NEVER ask you for your user ID or password.  If someone is asking for these don’t give them out!  If you have any doubts or concerns about any request you might get in email or over the phone, please come in or call us.
Next time well talk about social engineering which is one of the tools bad guys use to try to steal your identity.
Your Wingman.  GW

Friday, August 16, 2013

Online Banking Security Enhancements Part 1

WELCOME!
My name is George Walker and I am the Chief Technology Officer at Kirtland Federal Credit Union.  Electronic banking has become an integral part of most of our lives and many of us transact more business electronically than we do in person at a branch.  While branch banking has pretty much remained the same in the last several years, one thing about electronic banking (and technology in general) is that it is ever changing.  While change is good in many ways (more features and functionality, better security for example) it does come with a learning curve.  Some of us are comfortable with technology changes but some of us need a little more help understanding and getting used to those changes.  This Blog is for our members looking for tips and pointers on KFCU electronic banking as well as members who would like some insight into the security we employ to keep our members’ electronic transactions safe and secure.  
So let’s get started…..
Online Banking Security Enhancements Part 1
By now (hopefully!) all our members are aware of the security related enhancements coming on October 8th.  Probably the most important one is the change from using the member number as the User ID.  Its long been the norm for credit union members to use their member number as the user ID to log into online banking.  We all know our member number by heart so it’s an easy thing to remember when signing on.  
The problem comes if someone (like a cyber- thief!) somehow gets your member number; now they have half of your login credentials to access your accounts and personal financial information.  Other financial institutions (like USAA) have switched from using a member number to log into online banking due to the increased risk that member information could be compromised.  
We want to be sure that our member’s online experience is as easy and secure as possible.   On October 8th when you sign on to online banking, you will be prompted to create a User ID.  This user ID has specific requirements that will need to be followed and cannot be all numbers.  It will replace your member number as your sign on going forward.
The good news is that most of us already have a User ID that we have created for other online sites (perhaps USAA?) so there is no reason that we can’t all use one that we already know and use for other sites.  In the end, although an inconvenience and a change in the routine, creating a user ID that is known only to you is really more secure than using your member number.  So think about a user ID that you already use for Amazon or Ebay or USAA and try it out.  After you log in a few times you will be just as comfortable using your new User ID as you did using your member number.
Next time I’ll talk about the passwords.
I look forward to your comments, concerns and questions
Your Wingman.  GW