Security

Dollar Bank is committed to protecting your account and customer information. We will make sure you have what you need to protect yourself. Sign up for our e-mail alerts and we will send you an alert when new information is posted.

Security Alerts

Last Updated on: 04/10/14 3:46 PM

'Heartbleed' bug causes big security headache on Internet

Date Updated: 04/10/14 3:48 PM

SAN FRANCISCO -- A confounding computer bug called "Heartbleed" is causing major security headaches across the Internet, as websites scramble to fix the problem and Web surfers wonder whether they should change their passwords to prevent theft of their email accounts, credit card numbers and other sensitive information.

The breakdown revealed this week affects a widely used encryption technology that is supposed to protect online accounts for a variety of online communications and electronic commerce.

Security researchers who uncovered the threat are particularly worried about the lapse because it went undetected for more than two years. They fear the possibility that computer hackers may have been secretly exploiting the problem before its discovery. It's also possible that no one took advantage of the flaw before its existence was announced late Monday.

Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat. "I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," Mr. Chartier said.

Canada's tax agency isn't taking any chances. Citing the security risks posed by Heartbleed, the Canada Revenue Agency shut off public access to its website "to safeguard the integrity of the information we hold," according to a notice posted on its website Wednesday. The agency said it hopes to re-open its website this weekend. The lockdown comes just three weeks from Canada's April 30 deadline for filing 2013 tax returns.

The U.S. Internal Revenue Service said in a statement Wednesday that it's not affected by the security hole. "The IRS advises taxpayers to continue filing their tax returns as they normally would in advance of the April 15 deadline," the agency said.

TurboTax, the most popular tax preparation software, also issued a statement Wednesday reassuring people that its website is now protected against Heartbleed.

Computer security experts are still advising people to consider changing all their online passwords.

"I would change every password everywhere, because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know, because an attack wouldn't have left a distinct footprint."

Google is so confident that it inoculated itself against the Heartbleed bug before any damage could be done that the Mountain View, Calif., company is telling its users they don't have to change the passwords they use to access Gmail, YouTube and other product accounts. More than 425 million Gmail accounts alone have been set up worldwide.

Facebook, which has more than 1.2 billion accountholders, also believes that its online social network has purged the Heartbleed threat. But the Menlo Park, Calif., company encouraged "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."

Online short messaging service Twitter Inc. and e-commerce giant Amazon.com Inc. say their websites weren't exposed to Heartbleed. Ebay Inc., which runs the PayPal payment service as well as online shopping bazaars, says most of its services avoided the bug.

Changing passwords on other online services potentially affected by Heartbleed won't do much good, security experts said, until the problem is patched. The troubleshooting software was released Monday.

So far, very few websites have acknowledged being afflicted by Heartbleed, although the bug is believed to be widespread.

Yahoo Inc. and Google are among the most prominent Internet services to say they have already insulated most of the most popular services from Heartbleed.

At Yahoo, the repairs have been made on a list of services that includes its home page, search engine, email, finance and sport sections, Flickr photo-sharing service and its Tumblr blogging service. In a blog post Wednesday, Google said it had applied the Heartbleed patch on its search engine, Gmail, YouTube, Wallet and Play store for mobile apps and other digital content.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

About two-thirds of Web servers rely on OpenSSL, Mr. Chartier said. That means the information passing through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryptions.


Information provided by: PostGazette.com and Michael Liedtke and Anick Jesdanun / Associated Press


New Apple Security Flaw

Date Updated: 02/26/14 4:16 PM

It is important for all Apple users to keep their operating system updated and to apply current security patches. Apple recently released iOS 7.0.6 to patch an SSL security flaw. The update is issued for iPhones (4 and later), iPod touch (5th generation) and iPad (2nd generation). You are strongly encouraged to update all of your devices with the latest software update.

Currently Apple has not released a patch for the Mac computer.

Please keep your computers and devices patched with the latest security patches to help ensure you are protected.

• For information on the security content of this update, please visit this website: Apple Support

• Please update through iTunes or on the device while connected to a secure wireless network.

Information provided by: Dollar Bank

Fraudulent Correspondence Regarding the Release of Funds

Date Posted: 01/22/14 5:14 PM

Fictitious correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding funds purportedly under the control of the OCC and possibly other government entities, is in circulation. Correspondence may be distributed via e-mail, fax, or postal mail.

Any document claiming that the OCC is involved in holding any funds for the benefit of any individual or entity is fraudulent. The OCC does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises, or governmental entities.

The correspondence may indicate that funds are being held by Bank of America and that the recipient will be required to pay a mandatory administrative charge for an issuance of a Capital Currency Control Certificate to release the funds to the beneficiary.

Attached (links below) are copies of the fraudulent documents, which include a solicitation as well as an invoice. This material is being sent to consumers in an attempt to elicit funds from them and to gather personal information to be used in possible future identification theft.

Sample Telegram Sample Invoice

The correspondence in question contains the name of a fictitious OCC employee. In addition, the material contains telephone numbers, addresses, and e-mail addresses that are not associated with the OCC or Bank of America.

Before responding in any manner to any proposal supposedly issued by the OCC that requests personal information or personal account information or that requires the payment of any fee in connection with the proposal, recipients should take steps to verify that the proposal is legitimate. At a minimum, the OCC recommends that consumers:

A. Contact the OCC directly to verify the legitimacy of the proposal
(1) via e-mail at occalertresponses@occ.treas.gov;
(2) by mail to the OCC’s Special Supervision Division, 400 7th Street, SW, Suite 3E-218; MS 8E-12, Washington, D.C. 20219;
(3) via fax to (571) 293-4925; or
(4) by calling the Special Supervision Division at (202) 649-6450.

B. Contact state or local law enforcement.

C. File a complaint with the Internet Crime Complaint Center if the proposal appears to be fraudulent and was received via e-mail or the Internet.

D. File a complaint with the U.S. Postal Inspection Service by telephone at (888) 877-7644; by mail at U.S. Postal Inspection Service, Office of Inspector General, Operations Support Group, 222 S. Riverside Plaza, Suite 1250, Chicago, IL 60606-6100; or via the Online Complaint Form if the proposal appears to be fraudulent and was delivered through the U.S. Postal Service.

Information provided by: OCC
Office of the Comptroller of the Currency - Alert 2014-4 Issued Jan 16 2014

Neverquest Virus

Date Updated: 12/11/13 9:04 AM

Neverquest is a virus (trojan) to be aware of. It is a new version of an old trojan, but this version steals your account login information and attempts to access your online accounts from your computer. It might also use your computer and email address to send out spam.

How to protect yourself:

Dollar Bank offers free anti-malware software called Trusteer. Download Trusteer
Customers are strongly encouraged to take advantage of this.

Do not follow unsolicited web links in email messages or submit any information to webpages in links.

Use caution when opening email attachments. Don’t open attachments from senders you don’t know. If you were not expecting an attachment from a sender you do know, verify with them first that they did send you the attachment.

Maintain up-to-date anti-virus software.

Keep your operating system and software up-to-date with the latest patches.

For more details about Neverquest, see Network World

Information provided by: Dollar Bank

Holiday Shopping Tips prepared by the Internet Crime Complaint Center

Date Updated: 12/03/13 3:57 PM

The FBI reminds holiday shoppers to beware of cyber criminals who are out to steal money and personal information. Scammers use many techniques to defraud consumers, from phishing e-mails offering too good to be true deals on brand-name merchandise to offering quick cash to victims who will re-ship packages to additional destinations. Previously reported scams are still being executed today.

While monitoring credit reports on an annual basis and reviewing account statements each month is always a good idea, consumers should keep a particularly watchful eye on their personal credit information at this time of year. Scrutinizing credit card bills for any fraudulent activity can help to minimize victims’ losses. Unrecognizable charges listed on a credit card statement are often the first time consumers realize their personally identifiable information has been stolen.

Bank transactions and correspondence from financial institutions should also be closely reviewed. Bank accounts can often serve as a target for criminals to initiate account takeovers or commit identity theft by creating new accounts in the victims’ name. Consumers should never click on a link embedded in an e-mail from their bank, but rather open a new webpage and manually enter the URL (web address), because phishing scams often start with phony e-mails that feature the bank’s name and logo.

When shopping online, make sure to use reputable sites. Often consumers are shown specials on the web, or even in e-mail offers, that look too good to be true. These sites are used to capture personally identifiable information, including credit card numbers, addresses and phone numbers to make fraudulent transactions. It’s best to shop on sites with which you are familiar and that have an established reputation as trusted online retailers, according to the MRC, a nonprofit that supports and promotes operational excellence for fraud, payments and risk professionals within eCommerce.

If you look for an item or company name through a search engine site, scrutinize the results listed before going to a website. Do not automatically click on the first result, even if it looks identical or similar to the desired result. Many fraudsters go to extreme lengths to have their own website appear ahead of a legitimate company on popular search engines. Their website may be a mirrored version of a popular website, but with a slightly different URL.

Purchases made on these sites could result in one or more of the following consequences: never receiving the item, having your credit card details stolen, or downloading malware/computer virus to your computer. Before clicking on a result in a search engine, inspect the URL of the destination website. Look for any misspellings or extra characters such as a period or comma as these are indicative of fraud. When taken to the payment page of a website, again verify the URL and ensure it is secure by starting with “HTTPS,” not just “HTTP.”

Here are some additional tips you can use to avoid becoming a victim of cyber fraud:

• Do not respond to unsolicited (spam) e-mail.
• Do not click on links contained within an unsolicited e-mail.
• Be cautious of e-mail claiming to contain pictures in attached files; the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible.
• Avoid filling out forms contained in e-mail messages that ask for personal information.
• Always compare the link in the e-mail to the link you are actually directed to and determine if they match and will lead you to a legitimate site.
• Log on directly to the official website for the business identified in the e-mail instead of “linking” to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
• Contact the actual business that supposedly sent the e-mail to verify that the e-mail is genuine.
• If you are requested to act quickly or there is an emergency that requires your attention, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
• Remember if it looks too good to be true, it probably is.
Finally, check these additional sources to become even more informed on safe online shopping.
Previous Holiday Shopping Tips public service announcements can be viewed on IC3.gov at the following links:
http://www.ic3.gov/media/2012/121120.aspx
http://www.ic3.gov/media/2011/111121.aspx and
http://www.ic3.gov/media/2010/101118.aspx

US-CERT posted a Holiday Season Phishing Scams and Malware Campaigns release on Nov. 19, 2013, reminding consumers to stay aware of seasonal scams. The entire alert can be viewed at Holiday Season Phishing Scams and Malware Campaigns.

To receive the latest information about cyber scams, go to FBI.gov and sign up for e-mail alerts by clicking on the red envelope labeled “get FBI updates.” If you have received a scam e-mail, notify the IC3 by filing a complaint at www.ic3.gov. For more information on e-scams, please visit the FBI's “New E-Scams” and Warnings webpage at http://www.fbi.gov/scams-safety/e-scams

Information provided by:
Public Service Announcement
Prepared by the Internet Crime Complaint Center (IC3)
November 19, 2013

What is a Watering Hole Attack?

Date Updated: 12/05/13 12:38 PM

An attacker profiles a victim (normally using phishing and spear phishing techniques), gathering data about you from Facebook, LinkedIn, or other social networking sites and tracking the sites you frequent or your tendency to shop online. Once the attacker has built a profile of your web presence, they test those targeted sites for vulnerabilities. When the attacker finds a website (or two) that (s)he can compromise, (s)he injects JavaScript or HTML that redirects you to a separate site hosting exploit code chosen for the specific vulnerability. The compromised website is now waiting for you to “check back” for updates or more shopping so that it can infect you with a zero-day exploit, “just like a lion waiting at a watering hole.”

Attackers continue to use social engineering techniques to target their victims. According to Symantec, the rate of attacks from compromised websites has increased by 30 percent, while the rate of discovery of vulnerabilities has increased only by 6 percent. Web-based attacks are on the rise: a hidden piece of JavaScript or a few lines of malicious code is all it takes for the attacker to cause havoc on a visitor to any infected website.

How do you protect yourself? Patch your browser. Patch your operating system. Run anti-virus. Update your plug-ins. Keep your system up-to-date on all patches, and patch in a timely fashion.

Information provided by: Dollar Bank

Spam E-mails Use FBI Officials' Names

Date Updated: 11/06/13 2:18 PM

The FBI continues to receive reports of spam e-mails that use FBI officials’ names and titles in online fraud schemes. Although there are different variations of these schemes, recipients are typically notified they have received a large sum of money. The latest round of e-mails uses the name of new FBI Director James B. Comey.

Some of the e-mails reported to the Internet Crime Complaint Center continue to use the alleged “Anti Terrorist & Monetary Crimes Division” of the FBI. All e-mails encourage the recipient to send money for various reasons.

Do not respond. These e-mails are a hoax.

Neither government agencies nor government officials send unsolicited e-mail to members of the public. United States government agencies use the legal process to contact individuals.

The public should not respond to any unsolicited e-mails or click on embedded links in these messages because they may contain viruses or malicious software. If you have received a message that purports to be from the FBI, disregard its instructions and file a complaint at www.IC3.gov.

Information provided by:
Public Service Announcement
Prepared by the Internet Crime Complaint Center (IC3)
September 25, 2013

Contact Us Today:
1-800-828-5527

Dollar Bank representatives are available Monday through Friday from 8:00 AM to 8:00 PM and Saturday from 9:00 AM to 3:00 PM
