DOD looking into reports that some myPay personal accounts were compromised
ARLINGTON, Va. — Investigators are looking into how some myPay users had their accounts hacked, said Defense Department spokesman Lt. Col. Brian Maka.
Operated by the Defense Finance and Accounting Service, or DFAS, myPay allows all servicemembers and Defense Department civilians to check their finances online.
About two dozen myPay users have had their accounts hacked over the past eight months, probably after their personal information was stolen from their home computers using spyware, a DFAS official said in a Wednesday e-mail to Stars and Stripes. There are about 3.7 million myPay users.
“DFAS was notified that a small number of myPay participants may have had their accounts accessed by unauthorized personnel most likely using personal information stolen from home computers via spyware,” Maka wrote in a Wednesday e-mail to Stars and Stripes.
The matter has been referred to the Defense Criminal Investigative Service and is under investigation, Maka said.
“DFAS has instituted a heightened monitoring process of myPay transactions to detect suspicious activity in accounts,” Maka said. “When we detect what we believe is suspicious activity we are immediately notifying the receiving financial institutions to reverse the payment.”
Last week, the Navy Reserve sent out a mass e-mail warning that a sailor had discovered his myPay account had been hacked and his personal identification number had been stolen.
“The hacker redirected his direct deposit institution to a credit card vendor called Wired Plastic — a pre-pay credit card,” according to the e-mail, obtained by Stars and Stripes. “At this point, it appears as though he might not receive a paycheck on payday. Apparently the hacker changed the account one day prior to the pay information upload from DFAS — indicating that the hacker is well-versed in military pay accounts.”
Preliminary findings indicate that the neither the myPay system itself nor its database on personal information have been hacked, Maka said.
“The problems discovered so far are due either to the user failing to protect their account number and PIN or via key logging,” he said.
Recently, DFAS said tips to avoid having your personal information stolen include:
Do not store User IDs and passwords on your computer.Close all of your browser windows after viewing sensitive information online, such as your bank account.Be careful when installing software that gives others access to your computer.Do not send personal or financial information via e-mail.Understand that DFAS will never send you an e-mail asking you to update or verify information.Account users also are urged to buy software to protect their computers from hackers, Maka said.
“In addition, DOD servicemembers and civilians can download and install anti-virus and firewall software free under terms of the DOD enterprise anti-virus license with the supporting companies,” Maka said.