The Target Corporation confirmed December 19, 2013, that its customers had been the victims of unauthorized access to their credit and debit card information during 19 days of the holiday-shopping season. The unauthorized access to payment card data occurred in the retailer’s physical stores in the United States, not online, November 27 through December 15, 2013. Federal authorities are investigating.

Target has determined that the information involved in the breach included customer names, payment card numbers, card expiration dates and three-digit security codes, and Personal Identification Numbers (PINs).  The data breach affects all major credit card brands and Target’s private label card.

Zero liability protection offered by card companies protects cardholders from fraudulent charges made with a stolen card or card information.

What American Federal Is Doing

American Federal re-issued, at no cost to the customer, the American Federal-issued VISA debit cards identified as being among the cards exposed to potential fraud in the breach of payment card data at Target.

Additionally, American Federal is urging debit cardholders to change their card PINs and to consider lower daily purchase and cash withdrawal limits on their cards to lessen loss should a card ever be compromised.

Protect Your Accounts From Potential Fraud

Take the following actions to protect against potential misuse of credit and debit card information:

• Remain vigilant for incidents of fraud and identity theft by regularly reviewing your retail, credit card and bank account statements. With American Federal Online Banking, you can monitor your bank transactions 24/7.
• Whether you are checking a paper or an online statement, look for large purchases in cities where you have never been and on websites you have never visited.  Look for tiny amounts, too, since thieves will sometimes “ping” an account for only a few cents to verify an open status and then progress to much larger fraud in the account.
• Periodically obtain free credit reports. You can request one free copy of your credit report every 12 months from each of the following three nationwide credit reporting agencies:
• Equifax: 800-525-6285 www.equifax.com
• Experian: 888-397-3742 www.experian.com
• TransUnion: 800-680-7289 www.transunion.com
• Obtain information from the credit reporting agencies and the Federal Trade Commission (FTC) about fraud alerts and security freezes. You can add a fraud alert on your credit report file to help protect your credit information.
• If you discover suspicious or unusual activity on your bank accounts or suspect fraud, contact your American Federal Banker immediately.
• Employ a healthy dose of skepticism when you use cards to make purchases or shop online. Contact your payment card company and retailer if you believe a transaction on your statement is not legitimate.
• You may also want to contact the FTC or local law enforcement to report incidents of identity theft and to learn about steps you can take to protect yourself from identify theft.
• FTC: 877-438-4338 www.consumer.gov/idtheft

There are several ways a scam artist will try to steal your identity or fraudulently obtain personal information such as your social security number, driver’s license, credit card information or bank account information.

Phishing

Phishing refers to emails sent to you by scammers, which are designed to trick you into providing your personal and banking information. Sometimes, a scammer will first send you a benign email (think of it as the bait) to lure you into conversation and then follow up with a phishing email. At other times, the scam artist will just send one phishing email.

Typically, the email appears to be from your bank, a government agency, or a company urging you to click on a link to update your personal profile or “validate” or “confirm” your personal details. By clicking on the link, you will be taken to a fake website designed to look like the real thing and prompted to enter your password, PIN or other personal information. Any details you enter are recorded by the scammer.

Some phishing emails contain odd-looking type fonts, spelling mistakes or other errors that may alert you to the scam; however, other messages look so genuine that you could be fooled, if you are not careful. Scammers are creative and manipulative. They can easily copy a financial institution’s logo and message format to make their email look genuine, and they often set up a fake website.

Vishing

“Vishing” is a combination of the words voice and phishing. Vishing is similar to phishing. The difference is the technology. While phishing involves the use of emails to trick you into providing your personal details, vishing involves voice or telephone services, including voice mail and phone recordings, to persuade you to respond to a phone call or to dial a phone number and provide personal and financial information. Vishing exploits the public’s trust in landline telephone services. If you use a Voice over Internet Protocol (VolP) phone service, you are particularly vulnerable to a vishing scam.

Scammers give those they call different reasons why they need personal information: for example, to verify an account or to authorize a purchase. Most often, the vishing call involves a scammer posing as an employee from a bank or another organization claiming to need your personal details. Many times, the call is positioned as an emergency and that your account may be cancelled or suspended unless you act. The scammer will be aiming to convince you to divulge confidential personal and banking information, such as your password, bank account and credit card numbers, and debit card and ATM PINs. Even if you use your telephone keypad to type in your information, if you are on the line to a scammer, the scammer can record your keystrokes.

A vishing telephone call can be automated. If a call is not answered, a message will be left on the phone asking you to call back and provide the information through an automated system. Entering a bank account or credit card number on your keypad when you return the call gives the scammer the information necessary to make fraudulent use of the card or to access your account. These calls are often used to harvest additional details such as a card’s expiration date and three-digit security code and your date of birth.

Smishing

Just like phishing, smishing uses cell phone text messages to lure consumers in. Often, the text will contain an URL or phone number. The phone number often has an automated voice response system. And, like phishing, the smishing message usually asks for your immediate attention.

In some cases, the smishing message can come from a “5000” number instead of displaying an actual phone number. This usually indicates the message was sent via email to the cell phone and not sent from another cell phone. Never respond to smishing messages.

How to Protect Against Phishing, Vishing, Smishing

• Know the sender or the caller.
• Do you know the sender of an email or the telephone caller? If no, do not click any links in the email and delete the email. If yes, still be cautious before clicking an email link.
• If an email is from a business you do not recognize or if you are suspicious, go directly to the website address of the business that you independently know or have used. Do not click links within the email.
• If you suspect a call might be a scammer or contain a fraudulent request, independently look up the organization’s customer service number and call that number rather than a number provided in a solicitation email or phone call. Forward the solicitation email to the customer service or security address of the organization, asking whether the email is legitimate. Don’t activate any links until the authenticity of the email is verified.
• Be careful with attachments. If an email has an attachment, is the attachment an executable (a file with the extension .exe, .bat, .com, .vbs, .reg, .msi, .pif, .pl, .php)? If yes, do not click the attachment. Even if the file does not contain one of these extensions, be cautious about opening the file. It is best to contact the sender first to verify the contents of the email. Your first contact to the sender should be by phone to a trusted or verified phone number.
• Never provide personal information or your password in response to an unsolicited request whether it is in an email, over the phone, in a text message or in response to an Internet request.
• Watch grammar and spelling. Grammar, context and spelling errors can be a clue to a malicious email. Be suspicious.
• Check for a relationship. Do you have a relationship with the company or the sender? Are you being addressed by name? What is the content of the sender’s email signature? If the relationship appears generic or you are suspicious, do not respond.
• Don’t click links from unverified senders. Hover over a link and check the URL. Does it look legitimate or does it look like it will take you to a different website? Shortened links on a mobile device can be hard to verify and may link to malicious content. Without seeing a full address, it is difficult to tell if the website or sender is legitimate. Often, you cannot hover over a mobile device link like you can from your computer to get a preview of a linked word or graphic.
• Be wary of incoming calls. If you receive an incoming call from a person you do not know or cannot identify or an automated system requests personal information, hang up. Caller ID creates a false sense of security, so do not trust it either. Before you give out any information to someone claiming to be from the bank or a company you trust, call the bank or company directly to verify there is a need for the information. Locate the phone number through the official bank or company website, on a business card or on your bank card, not by Googling.
• Verify a number left in a voice mail or text message. Before calling a number in a voice mail or text message, authenticate the number. Remember, American Federal will never ask for client information through an automated voice response system or text message.
• Report suspicious activity immediately. Document as much information as you can and then contact your American Federal Banker right away, if you question being contacted by an unsolicited request.

Protect your Identity

The following websites offer information and guidance on protecting against identity theft:

• Bankrate.com – http://www.bankrate.com/brm/news/cc/20020612a.asp
• Federal Trade Commission – http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure
• Social Security Administration – http://www.ssa.gov/pubs/EN-05-10064.pdf
• IRS – http://www.irs.gov/uac/Identity-Protection-Tips
• Department of Homeland Security’s United States Computer Emergency Readiness Team – http://www.us-cert.gov/ncas/tips/ST05-019
• United States Department of Justice – http://www.justice.gov/criminal/fraud/websites/idtheft.html
• United States Chamber of Commerce – https://www.uschambersmallbusinessnation.com/toolkits/guide/P14_2260

Media news coverage this week report hackers, apparently beginning about the third week in October, have stolen usernames and passwords for approximately two million accounts at some of the Internet’s most popular websites, social media and email accounts, including Facebook, Twitter, Google, Yahoo and LinkedIn.

The global electronic data breach was uncovered while cyber security researchers were investigating a server in the Netherlands. Victims include users in the United States.

An analysis posted by researchers at the security firm, Trustware, showed the most common password among the stolen log-in credentials was “123456.” Other commonly used credentials included “123456789,” “1234,” “password,” “admin,” “123” and “1.”

Researches also noted the overall password “strength” of the compromised log-ins. Since both the length and type of characters (uppercase letters, lowercase letters, numbers and special characters) in a password make up its ultimate complexity, passwords that use all four character types and are at least eight characters are considered the strongest. Researchers found there were more terrible passwords (four or less characters of only one type) than excellent ones in the attack.

Action You Can Take

If you use one of these sites and use the same username and / or password on your bank or other secure websites, change your log-in credentials immediately and follow these cyber security best practices:

• Create a strong password
• Create a password that is different from your previous five passwords
• Don’t use simple or obvious passwords, including personal information like a social security number, date of birth, address or account number
• Consider a longer password (called a passphrase often 16 characters or more in length) vs. a shorter convoluted one
• Don’t use the same passwords on multiple accounts
• Change your passwords regularly, every 60 to 90 days
• Use a site’s multi-factor authentication when it is available
• Update your system’s anti-virus software and download the latest patches for Internet browsers

Once you have ensured you have a strong password, review your bank account transactions for any suspicious activity. An easy way to do this is with Online Banking. Develop a habit of reviewing your bank account activity often. Report anything unusual to your American Federal Banker immediately.

If you’re a business, develop a maximum complexity password policy and enforce it. The U.S. Chamber of Commerce and several agencies of the federal government provide online resources for cyber security for small businesses. You can find information at the Small Business Administration, the Federal Communications Commission and the United States Computer Emergency Readiness Team (US-Cert).

Complex Password Requirements

Make your passwords meet the following minimum security requirements:

• Not contain all or part of the user’s account name or number
• Be at least eight characters in length
• Contain characters from the following four categories:
• Uppercase letters (A through Z)
• Lowercase letters (a through z)
• Base 10 digits (0 through 9)
• Non-alphabetic characters (for example !, #, %, $)

Brian J. Olson has been named Ag and Business Banker at American Federal Bank in the Fargo-Moorhead Market. His office is located at the bank’s Moorhead location.

Olson has nine years of banking and ag lending experience in the Red River Valley. He began his banking career as a Teller in Fargo. He has held the banking positions of Personal Banker, Assistant Store Manager and Ag Industry Specialist. Most recently, Olson was the Ag Relationship Manager at the Hillsboro, North Dakota location of Wells Fargo.

Olson is from Ada, Minnesota. He graduated from Ada-Borup High School in Ada, Minnesota. He holds an Associate of Arts Degree in Financial and Credit Services Administration from Minnesota State Community and Technical College (MState) in Moorhead and a Bachelor’s of Science Degree in Business Management from the University of Mary’s Fargo campus. In March, Olson will complete a Master’s of Business Administration at the University of Mary’s Fargo campus.

Olson is a member of the Advisory Committee for the Financial Services Program at MState and serves on the Board of the Hillsboro Medical Center Foundation.