***************** SECURITY NEWS *******************
Many participants have seen recent press reports regarding proper protection of personal information while transacting business on-line. These reports often note the constantly evolving nature of the threat. Participants using the TSP Web site (or any Web site) must be vigilant and protect their computers; the TSP cannot be responsible for their negligence. The TSP will ensure that its security is current and that the risk of fraudulent activity is reduced to the greatest extent possible.
To illustrate the importance of participant vigilance, in late December the computers of several TSP participants were infected with keylogging software. This software allowed criminals to record all keystrokes made by the participant without the participant’s knowledge and to learn the participant’s TSP PIN and other account information.
We were able to identify approximately two dozen participants who had relatively small amounts withdrawn from their accounts and electronically forwarded to fraudulent accounts. Although we are working with the financial companies involved for the return of the funds, the total amount of loss involved is approximately $35,000. All affected participants have been notified.
We emphasize that the account information for these participants was not improperly obtained from the TSP record keeping system. External penetration testing has demonstrated that our system has not been breached. There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access.
We have concluded that the personal information was compromised when keyloggers monitored each keystroke made by these participants while they entered their TSP information into their own computer. We are working with the U.S. Secret Service, which has found that such personal information is increasingly available on keylogger lists that are for sale through criminal networks.
The cases identified all involve electronic funds transfers. Criminals prefer this “paperless” way to steal money. As an added security measure, we have discontinued making these electronic payments for on-line transactions.
While anyone can be a victim of keylogging, individuals whose computers are not protected with updated security software (that includes firewalls, anti-virus and spyware detection) are most vulnerable. We strongly urge all participants to ensure the adequacy of security on their computers by installing keylogger protection and promptly closing their browser after each visit to their TSP account information on the Web site. These steps will reduce your exposure. This practice should be followed for all on-line access to any financial account. (To close your browser, click the X at the top of your internet screen – logging off a Web site does not clear your browser’s memory.)
If you are uncertain about your computer’s safeguards, please do not expose yourself to risk. Get assistance to protect your computer – see our FAQs and the tips available on many government and financial institutions’ Web sites. You may also use the TSP Thriftline or paper forms to conduct your business with the TSP.
The TSP takes the protection of your account very seriously. Over the coming months, the TSP will be introducing a number of enhancements to the Web site, including a new alert message, more robust Web passwords, and TSP account numbers which will replace the use of the Social Security numbers for most TSP purposes. We will announce these upcoming changes as we implement them. Please be assured that we will make every effort to strike the right balance between ease of use and ensuring the safety and security of your retirement savings.