Saturday, May 12, 2018

Pension Theft - Part 2

May 10, 2018

Re: UCRS Pension Payment Thefts - Preventing

Dear Colleagues:

After reading my May 2, 2018 report: “UCRS Pension Payment Thefts,”* many of you asked what you can do to protect your account at AYSO (AtYourServiceOnline). First, how was OM’s AYSO account accessed by the hacker? The Director of RASC wrote OM (our member): “In reviewing your account history, we confirmed that on [date] your AYSO account was accessed by someone possessing your personal information, including your social security number, birth date, name, and address. This individual requested a password reset and viewed your tax statements through the AYSO system. Using your personal information, that individual was able to use our authentication process and a temporary password was sent to your email account. Emails confirming these transactions were also sent to your email account on this date.”

The hacker did not know OM’s password, but did know OM’s SSN, birth date, name, and
address, obtained elsewhere. The hacker also apparently had gained access to OM’s email
account in order to 1) retrieve the temporary password, and 2) delete emails about changes
being made to OM’s AYSO account. Your email account must be secure to protect your AYSO

Today, theft of identities is very common: 50 million at Experian (2013), 3 billion at Yahoo in
2013 (disclosed in 2016, 40% of world’s population if unique accounts), 145 million at Equifax
(2017), 145 million at eBay (2014), 57 million at Uber (2016), 76 million households (half of all
US households) at JP Morgan Chase (2014), 79 million at Anthem (2015). There were 20 major
breaches in 2017 alone. UCLA’s 2006 breach, which affected OM, exposed name and SSN,
date of birth, home address and contact information.[1]

Your name, SSN, date of birth, and home address probably haven’t changed in many years!
Unchangeable personal data is always valid, independent of when the breach occurred. Yet
this fixed personal information that you cannot change is all that is required to log in to
AYSO today! You cannot move your pension to another institution. You are dependent on
AYSO to adopt 2-factor authentication with phone so a hacker with all your personal information
cannot access your account. This is now being promised for 2019.

But in the meantime you can eliminate the risks by having your AYSO account blocked:

1. Log in to AYSO and in the lower left corner of the main menu leave a comment for
Customer Care that you request two-factor authentication that requires them to call or
text your phone.
2. Change all document delivery from online to delivery by US Mail.
3. Check that your home address, telephone, email address, and security questions are
4. Check/change your security word. (You must remember this word.)
5. Log out.
6. Call RASC (800) 888-8267 and request that they “block” your account from all online
access by anyone, including you. Request they require that it may only be unblocked by
you, authenticated by a phone call from RASC to your phone on record.
7. Change your email password. Make sure that password is never used for any other
account anywhere and that it is a strong password that is unrelated to your other
passwords used elsewhere.
8. Adopt 2-factor authentication or “2-step authentication” if it is available for your email
account. Google offers it.
9. Each first of the month, verify that your monthly payment was deposited into your bank
and call RASC if it was not deposited.
10. To unblock, call RASC and request your account be unblocked.

Rest assured that our UCSC Emeriti Association, CUCEA (the Council of UC Emeriti
Associations), CUCRA (the Council of UC Retiree Associations), UCFW (system-wide Faculty
Welfare), and UCRS (UC Retirement System) Advisory Committee are all working to get AYSO
security improved and to get the pension payment theft victims reimbursed!

Best regards,
Todd Wipke
President, UCSC Emeriti Association
[1] On Dec 12, 2006 OM received a letter from Norman Abrams, Acting Chancellor of UCLA:

“UCLA computer administrators have discovered that a restricted campus database containing
certain personal information has been illegally accessed by a sophisticated computer hacker. ...I regret to inform you that your name is in the database. ...The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information.”

“This database contains personal information about UCLA’s current and some former students,
faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. This database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.”
