Take care while traversing information superhighway

Published Feb. 14, 2007

PETERSON AFB, Colo. -- While officials continue to protect information and data on the Defense Finance and Accounting Service and myPay, they remind customers that they too have a responsibility to protect personal information from scams and identity theft.

"We proactively implement new security features on a routine basis to protect our customers against identity theft and scams," said Pat Shine, a myPay official.

"The secure technology provided to myPay customers meets or exceeds security requirements in private industry worldwide," he said, adding that maintaining the safety and security of myPay is a top priority.

Failing to safeguard important financial information can prove costly. Although Department of Defense computers are protected against viruses and other malicious software, care must be taken when accessing financial information from home.

In December 2006, the personal computers of several Thrift Savings Plan participants were infected with keylogging software, allowing criminals to record all keystrokes made by the participant without the participant's knowledge.

Keystroke logging (often called keylogging) is a diagnostic tool used in software development that captures the user's keystrokes. It can be useful to determine sources of errors in computer systems; however, such systems are also used by computer hackers, providing a means to obtain passwords or encryption keys - bypassing other security measures including the participant's PIN and other account information.

It was keylogging that caused approximately 25 participants to have relatively small amounts withdrawn from their TSP accounts and electronically forwarded to fraudulent accounts. The total amount of loss involved was approximately $35,000, and all affected participants have been notified; but it's a good reminder to be cautious about information sent on the Internet.
Neither the TSP system nor the myPay system has been breached. The TSP compromises took place when keyloggers monitored the keystrokes of TSP participants as they entered their information into their personal computers. The affected individuals' computers were not protected with updated security software (i.e. firewalls, anti-virus, and spyware detection), making them vulnerable to keylogging software.

If you are in doubt about the current state of your security software, the Joint Task Force for Global Network Operations offers free protection software for Department of Defense personnel to use on home computers. To get this free software, click here from a .mil computer. Users can also request a copy of home antivirus and firewall software from their client support administrator.

Participants using the TSP web site, myPay or any web site involving personally identifiable information should be vigilant and protect their computers. Users are encouraged to use only their private computers for personal financial use. Public-use computers, such as those found in Internet cafes, are not a secure means of conducting personal business, since there is no way for the user to determine that the machine is secure and free of malicious logic (spyware, keyloggers, etc.).

All participants are urged to ensure the adequacy of security on their computers by installing keylogger protection and promptly closing their browser after each visit to their TSP account on the web site. These steps will reduce exposure, and these practices should be followed for all on-line access to any financial account.

Finally, users are cautioned to securely close Internet sites they have logged into: first log off the site (usually a button on the page will allow this), then close the browser by clicking the X at the top of the browser window.
Closing a browser (or hitting the 'back' button/arrow) does not guarantee that your secure session has been terminated, and logging off a web site alone does not clear your browser's memory.

What you can do to improve security:

1. Install operating system and application software (e.g. Internet Explorer) updates regularly. Many of these updates are issued to fix security problems which have been identified.

2. Install and use anti-virus software and personal firewalls. Keep this software updated. The correct use of these programs can help protect your system from being compromised by malicious software.

3. Do not store your various User-IDs and passwords in files on your computer. If someone gains access to your computer, this is the type of information they look for, and it would aid them in accessing your account.

4. After using your browser to access a site where you process sensitive information (e.g. myPay, your bank account, etc.), close all of your browser windows and restart a new browser session. Sometimes the browser can hold that information in memory (e.g. cache, etc.) and some web sites know where to look to find it.

5. Be very careful when installing software that gives others access to your computer. Remote service software or peer-to-peer software used for file sharing can create unintended openings into your computer that outsiders can use if the software is not configured correctly.