SECURITY BREACH AT MAJOR RETAILER

Updated January 23, 2007

A recent incident involved a data compromise at the card transaction processing center of a major nationwide retailer. Please read this to see if and how you may have been affected.

We have been notified by VISA International that the TJX Corporation data center has been breached by an intruder. TJX Corporation operates several stores, including T.J. Maxx, Marshalls and stores with other names. Certain data may have been exposed, though this does not necessarily mean that your specific card was affected. VISA is notifying the Credit Union at the University of Chicago and all the other financial institutions throughout the country whose cardholders were affected, so that we can alert you and monitor the situation. Please note that this MAY affect you if and only if you transacted business with one of the TJX stores; we have been notified by VISA so we can take steps to protect your account. If you did not complete such a transaction, then this breach does NOT affect your card. If your card was affected, we have contacted you or are in the process of contacting you, but once again, just because your card may have been in their database does not mean that any compromise of your particular card has occurred.

The proper authorities are investigating.  You may begin to hear information in the news media about this as it becomes newsworthy.

Further information is available directly from TJX Corporation at www.tjx.com. This Web site lists all of their stores, which operate under several different names, and provides helpful information to their customers.

As always, we ask that you carefully review the transactions on your account, and if you notice a suspicious transaction, please contact card services at 1-800-523-4175 (24/7) or, during the day on weekdays, call the Credit Union at 773-702-7179.

 

OASIS -- NEW SECURITY ENHANCEMENT

 

The Credit Union at the University of Chicago has made several changes to our internet (PC) banking, called OASIS On-Line. This enhancement makes it exceedingly difficult to be victimized by a phishing scam. When you use OASIS on or after December 21st for the first time, you will be asked a series of questions. These questions pertain to your personal preferences, such as "What is your favorite color?" When answering these questions for the first time, you are creating a database for yourself in which the questions and answers are stored. Later, each time you enter OASIS, you will be randomly asked to answer one of those questions. It will be important for you to remember your original answers and then to enter the response in exactly the same way. The responses are not case sensitive; however, spelling and punctuation (if any) must exactly match. This is an additional level of security entered after your user name and password. In order to proceed to your accounts in OASIS, you must enter the user name, password and the answer correctly.

Just like your passwords, the Credit Union will not have access to the responses to your questions. We cannot look them up for you, which of course protects the integrity of this whole process.

Why is this change being made now? The enhancement is being made for two reasons: (1) to comply with the new law and (2) to protect your account from illicit access. All other financial institutions will be adding additional security of one type or another.

 

SECURITY ALERT!

There are several phishing scams that are being perpetrated upon some members of the University of Chicago community.  They involve an email sent to you at your University of Chicago email address, asking you to supply information about your accounts or plastic card here at the Credit Union.  Please do not respond to these scams. DO NOT PROVIDE INFORMATION IN RESPONSE.

 

The latest scam (September 26, 2006) is in the form of an email that was sent to some University of Chicago employees and students, who may or may not even be members of the Credit Union. The perpetrators copied graphics from our web site to give it an aura of legitimacy and somehow gained a number of UC email addresses from another source (that is, not from the Credit Union; see the message marked "by the way" about the independence and integrity of our data). This scam message refers to last month's problems (there weren't any!) and asks you to update your records. It warns that if you do not respond, your account will be suspended. We have reported this to the University of Chicago Security Department and to the FBI. Of course, please do not respond to this or similar messages.

By the way....

Your accounts at the Credit Union at the University of Chicago are NOT maintained by the University of Chicago, and they do not reside on any UC operated server. The Credit Union's accounts are hosted by a processor that is totally separate and distinct and is located in another state. There is no connection between the University's computer systems and those of the Credit Union. Like all Credit Unions, we are required by the governmental regulators to have an outside company host our members' accounts, to make them totally separate from the company whose employees & students we serve (in this case the company being the University of Chicago and the University of Chicago Hospitals).

Information posted previous to September 26, 2006:

As we have mentioned before, we do not ask you for your PIN either over the phone or by email. We do not ask you to update your information in order to keep or protect your accounts. We do not contact you in this manner if we suspect a problem on your account.

Some of the emails appear to be from other legitimate companies, such as eBay, asking you to "update your records" with them and asking you to provide your Debit Card number and the security PIN on the back of the card, as well as other information. Do not respond to this scam!

Another scam appears to be an email from the Credit Union at the University of Chicago indicating that "we suspect an unauthorized ATM based transaction". It asks you to log in to what appears to be our PC Banking, OASIS On-Line, complete with all of our graphics. It then asks for sensitive information. Do not respond to this scam!

Another scam also appears to be an email from the Credit Union at the University of Chicago asking you to open a link to our Web site that appears to be our OASIS On-Line 24/7 banking and then asks for sensitive information to update your account. This is a serious scam to induce you to provide sensitive information that can be used to re-create an ATM card for the perpetrators to use to withdraw money.  Do not respond to this scam!

There may be variations on these scams, but in general:  Please never respond to emails from your credit union or others (including stores and legitimate internet vendors with which you have an ongoing relationship) that have a link from which you are asked to provide sensitive information.  This is NOT the way financial providers such as the Credit Union, banks and stores update their information!

We have contacted the Security Department at the University of Chicago's Networking Services and Information Technology (NSIT). We are also working with others who handle plastic card and internet security for us, including the Federal Bureau of Investigation (FBI).

If you receive one of these phishing emails, please contact us by telephone at 2-7179 (773-702-7179). You are urged to also forward such email (without opening it) to the Security Department at NSIT. Their address is security@uchicago.edu.