Tuesday, June 14, 2011
Your security is important to us. We created our online Security Center to provide you with the latest threat information, scam alerts, prevention tools, victim resources and articles for your online safety. Visit us often.
Can't Prevent It
GCFlash readers may have figured out by now that I take online security pretty seriously. I have to restrain myself from covering the topic too often in this newsletter. I'm afraid of the overkill factor where a subject is so over-saturated that people will overlook it. Ho-hum... another day, another data breach.
Life's day-to-day functions hold constant demand. So what do we do with information we're already familiar with? We turn a deaf ear. There are too many other issues clamoring for our attention.
But this time we're not talking about a new attack. We're talking about a massive tidal wave of attacks targeting some pretty large victims. And eventually, every single one of us.
It's called spear phishing. Unlike traditional phishing where mass e-mailings try to hook a few uneducated victims, spear phishing targets specific entities holding whatever valuable information they seek.
Malicious emails are sent to employees in the target organization, knowing at least one of them will open an attachment that promises inside market tips, a preview of new management structure or great deals on products your company buys.
Once the attachment is opened, malware downloads to infiltrate the organization's internal network where the cyber crook can view any confidential information stored within. Without having to penetrate a firewall.
Security vendor RSA was one of the first reported to fall victim. RSA produces security tokens used by government agencies, healthcare providers, credit card issuers and others to authenticate identity when logging in to a secure system. We first reported this in the April 5, 2011 edition of GCFlash.
There are different types of tokens. The most common type works by displaying a random number to a user via an external device. The user must then input it along with user name and password to gain access to the computer system. The number is generated using a complex algorithm living on the security vendor's network.
The cyber crook that infiltrated RSA's network was after the algorithm. And they've already used it to break into the systems of government contractors Lockheed Martin and L-3 Communications Holdings, Inc.
RSA has already issued replacement tokens to its customers. They learned of the breach before it penetrated deep into their system. Yet, if the company that set the industry standard for security procedures can be compromised, none of us are safe.
Spear phishing has caught high-level government employees through their Gmail accounts. No doubt the perpetrators were phishing for confidential data on the inner workings of the U.S. government.
Gmail does not stand alone in falling victim. Yahoo! mail and Hotmail account holders have also been targeted. The provider is merely the tool here, not the entity being compromised.
But it is important to note that Gmail users carry a greater risk than others. Often they use the calendar feature which would allow the thieves to know their whereabouts at any given time. Or they use Google Docs to store data in the cloud. Learning a Gmail user's password provides access to all features they've subscribed to.
The IMF (International Monetary Fund) is in the news again. This time, there were no sexual misconduct charges filed. This time they were the victim. Of spear phishing.
The agency maintains confidential information on countries that are in financial trouble. It's speculated that the thieves were after market moving inside information.
The IMF breach was announced just days after Citi reported that personal information was compromised for 200,000 of its credit card customers. The crooks got away with names, addresses and account numbers, but failed to gain Social Security numbers, expiration dates or CVV codes.
This was the largest breach of a financial institution to date. Citi has issued replacement cards to those affected.
Crimes of this type aren't carried out by your neighborhood small-time crook. The targets and volume represent the work of organized crime rings. Once they've sifted out the prime bounty - inside information on world governments and global economics - it's possible they'll scatter the remnants down to lower rungs on the criminal ladder.
Little stuff... like your name, Social Security number or account numbers.
So how do you avoid becoming a victim? You can't. In today's realm of criminal activity, it's no longer a matter of whether or not you'll become a victim. The question is exactly when it will happen to you.
You cannot afford to get complacent, regardless of how often you hear security warnings. You can't let your guard down. You cannot prevent cybercrime.
Rather, the issue has become how you can best protect yourself when it occurs. And to learn about that, you have to read the next article.
So Learn to Protect
Consumers have caught on to scams. Most people recognize the Nigerian email scam. They've learned to avoid doing business with buyers who want to send you more than the asking price, wanting you to refund the difference. They realize they never won a lottery they didn't enter.
Education is working.
Yet threats still become increasingly more sophisticated. Virtually everyone is under attack. So how do you learn to protect your identity when fraud is nearly inevitable?
To merely avoid conducting business online won't help. In fact, electronic transactions can be safer than those made face to face.
As long as you practice safe surfing, you're more likely to have your credit card number stolen by a server at a restaurant than you are over the Internet. Those intending to commit fraud do not care how they get your personal information. They're going to get it one way or another.
Paying all your bills by check carries risk as well. We know a contractor who didn't trust electronic banking so paid all of his bills manually. When one of his suppliers was robbed, the contractor's check was among the items stolen. The crook now had his routing and account number along with the proper account title.
And since the contractor didn't monitor his accounts online, he didn't know the account was being siphoned until his paper statement arrived the following month.
The irony lies in that the Internet, considered by many to be the villain in security matters, is actually your best tool for prevention and early detection.
Not only is it the best method to relay news, trends and cures, but it also provides a means to watch your accounts on a daily basis. The damage level is greatly decreased when you catch an unauthorized entry before your next paper statement cycle.
Check your credit report at annualcreditreport.com. It's the only one offering the free annual report required by the Fair Credit Act, despite all the catchy commercials claiming otherwise.
You are entitled to one free report annually from each of the three major credit reporting bureaus. So get one at a time over the course of the year to make sure nobody is applying for credit in your name. If you're married, your spouse is entitled to the same. That's six free credit reports. Download one every two months to catch fraud or any errors promptly.
Use a strong password. A strong password contains a minimum of 10 characters using a combination of upper and lower case letters with at least one numeric or special character where allowed.
If a hacker were determined to guess your password, inexpensive hardware could test every possible character combination at a rate of a hundred billion guesses a second. It would take 19.24 years to cover all possible combinations with a 10 character password.
Drop just one character and those nine characters could be covered in only 2.43 months.
Don't use words found in a dictionary. Or your child's name, pet's name or telephone number. Anything known or easy to guess should be avoided.
Come up with a mnemonic phrase that you can't forget, and use the first letter of each word. Insert numbers where relevant. For example, if you're a diehard Phillies fan you might consider:
"Chase Utley is the best player in baseball."
In this case, you might insert the player's number into the sentence to make your password CU2itbpiB6.
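The arithmetic behind the 19.24-year and 2.43-month figures, as an added example that is not part of the original newsletter. It assumes the 95 printable ASCII characters, a search that tries every length up to the target, and a 52-week year; these conventions are assumptions, chosen because they reproduce the article's numbers.

```python
import string

GUESSES_PER_SECOND = 100_000_000_000  # the article's "hundred billion guesses a second"
# Assumption: a 52-week (364-day) year and a month of 1/12 of it. This
# convention reproduces the article's 19.24 years and 2.43 months.
SECONDS_PER_YEAR = 52 * 7 * 24 * 3600
SECONDS_PER_MONTH = SECONDS_PER_YEAR / 12

# The 95 printable ASCII characters, split into four classes (26+26+10+33).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def alphabet_size(password):
    """Size of the alphabet formed by the character classes the password uses.
    Characters outside printable ASCII are not counted."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def search_space(alphabet, length):
    """Candidates an exhaustive search covers: every length from 1 to `length`."""
    return sum(alphabet ** k for k in range(1, length + 1))

def years_to_exhaust(alphabet, length, rate=GUESSES_PER_SECOND):
    return search_space(alphabet, length) / rate / SECONDS_PER_YEAR

def months_to_exhaust(alphabet, length, rate=GUESSES_PER_SECOND):
    return search_space(alphabet, length) / rate / SECONDS_PER_MONTH

if __name__ == "__main__":
    print(f"10 chars, all 95 symbols: {years_to_exhaust(95, 10):.2f} years")
    print(f" 9 chars, all 95 symbols: {months_to_exhaust(95, 9):.2f} months")
    # The article's mnemonic password uses letters and digits only.
    example = "CU2itbpiB6"
    size = alphabet_size(example)
    print(f"{example}: alphabet of {size}, "
          f"{months_to_exhaust(size, len(example)):.2f} months")
```

Each extra character multiplies the work by the alphabet size, which is the 95-fold gap between the two figures. A search limited to the letters and digits that CU2itbpiB6 actually uses finishes in about three months at the same guess rate, so the special character in the advice above carries real weight.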
Diligent security habits are all the more important when you're at work. Particularly with the new wave of spear phishing (see 1st Flash).
Set a password requirement if your system is idle for even a short period of time. You may only be going to grab a cup of coffee, but someone walking by could access any information you have stored.
You could likely recite any other tips I could offer here by heart. They've been covered often in this newsletter, as well as by your other creditors, financial institutions and security vendors. But they serve no purpose unless you implement them. Be wise. Be safe.
The big financial news of the day is the increase in the stock market. The Dow was up over 130 points at one point today. The cause? The market is all about expectations. Retail sales and the producer price index reported today were better than predicted.
Retail sales dropped 0.2 percent in May, besting the predicted fall of 0.3 percent. The big drop was in auto sales, down 2.9 percent following a decline of 0.7 percent in April.
The producer price index increased by 0.2 percent in May following a 0.8 percent bump in April. This was good news to the market that had expected an increase of 0.1 percent. The big performer was energy, which rose by 1.5 percent following a 2.5 percent increase the month before. This was offset by a 1.4 percent drop in food.
GCFlash is a weekly e-mail sent only to its listed customers and associates free of charge. GCFlash informs customers of special product offerings which may be of interest, current interest rates on both deposit and loan products, selected financial news and other financial tidbits. GCFlash is intended to supplement the more comprehensive information listed on the GCF Web site at http://www.gcfbank.com.
For more comprehensive information, visit our Web site at http://www.gcfbank.com or call (856) 589-6600 Ext: 337 (Timothy P. Hand)
GCFLASH PRIVACY STATEMENT
GCF maintains your e-mail address in a confidential and secure database along with much of your other account information, such as mailing address and telephone number, etc. Before aggregating our e-mailing list each week, we filter out any duplicates. In most cases, this inhibits the unintended e-mailing of multiple copies of GCFlash to a single e-mail address. However, because these account records are kept by both individual and account, there is a chance members of the same household could each receive a copy of GCFlash or any other transmission at the same e-mail address - resulting in multiple copies. For example, a husband and wife that both have accounts with GCF may both receive a copy because the names are different but listed at the same e-mail address. This is similar to the manner in which each individual may share a common telephone number. To handle this situation, GCF recommends you simply delete any extra copies of GCFlash as this will ensure that ALL individuals receive any future promotional mailings, which might only be targeted or offered to specific accountholders meeting certain criteria. GCF has the capability to suppress customer e-mail addresses so they are omitted from our transmission list. If you would rather have a specific household member's e-mail address suppressed in our electronic database, simply send us a reply, as stated below, and indicate the accountholder for which you would like to have e-mail suppressed. Please keep in mind that this suppression will mean that NO future e-mails are sent, including special promotional offers. If you have any questions about this process or need additional information, please contact us at email@example.com.
If you would like to be removed from this electronic mailing list, please hit reply and place the word REMOVE in the subject line. Please note, removing your name from our electronic mailing list means GCF will send NO FUTURE NEWS or SPECIAL OFFERS.