Customer Security Awareness
Internet security is not just about protecting your business, but also about sharing a commitment to using “best practices” with those you work with and your customers to help mitigate and eliminate the viral component of most online threats. Throughout this document you will read many tips and suggestions about security. While nothing can ever provide 100% elimination of risk, using them cohesively will ensure maximum protection.
The Internet & You
The Internet has altered America’s lifestyle by bringing a plethora of information to people’s fingertips. Here are some general tips to keep in mind while using the Internet:
Keep it private
Never give out personal information including User Names, Passwords, Social Security Number, or Date of Birth.
Variety for security. Use multiple usernames and passwords for all online activity and keep them separate.
Block cookies on your web browser. When you’re online, data are being collected by sites you visit. These data are combined to form your digital profile, which is often sold to companies around the world without your consent.
Do not click
Pop-ups often claim your computer is infected or offer discounts. Don’t click on them, as you may be installing malicious software (malware) on your computer.
Spyware is a program that can give criminals access to the information on your computer. Install and regularly update virus protection software that detects abnormal behavior.
Plug & scan
USB (Universal Serial Bus) and other storage devices can be infected by viruses or malware, too. Use your virus protection software to scan them.
A firewall is a network security system that monitors the incoming and outgoing network traffic based on predetermined security rules. A good firewall keeps criminals out and sensitive data in.
If you use a wireless network, it is suggested that you use password protection. Otherwise, wireless networks are discouraged.
Set up automatic Windows (or other operating system) updates.
Don’t download Facebook apps from outside the United States. Apps on social networks can access large amounts of personal information, which may not be kept securely.
Own your online presence
When available, set the privacy and security settings on websites. You should limit how and with whom you share information.
Duplicate important items
Protect your valuable work, music, photos, and other digital information by making extra copies and storing them safely.
The Internet has had a large impact on how we shop. It is the most convenient way to purchase everything from groceries to houses. You can buy almost anything without leaving your chair. In addition to the suggestions above, keep these tips in mind when shopping online:
- Learn as much as possible about the seller and the product.
- Understand their refund policies.
- Choose a secure password to protect account information.
- Ensure the website is secure by looking for a lock icon on the browser’s status bar or a website URL that begins “https:” (the “s” stands for “secure”).
- If an offer sounds too good to be true, it probably is.
Online Banking Security
While online banking is convenient, it can pose some risks. To help ensure user safety, we use superior technology and monitoring techniques, complex firewalls and other methods of securing customer data.
Customers, too, play an important role in protecting financial information. Here are some steps you can take to keep your online banking information secure:
Use a strong password
Experts advise using a combination of letters, numbers and symbols whenever possible, and caution you not to use easily guessed passwords, such as birthdays, names or home addresses. Change your password regularly and do not use the same password for multiple accounts.
Avoid fraudulent websites and public computers
To help ensure the website you have visited is secure, when conducting financial transactions online look for a lock icon on the browser’s status bar or a website URL that begins “https:” (the “s” stands for “secure”). Avoid using public computers to access your banking accounts.
Monitor your account
Check your online balances and paper statements frequently to spot any fraudulent activity and report it immediately.
Remember to sign off when you have finished online banking. Also log off of your computer to prevent unauthorized access to your information and files.
Identity theft involves the unlawful acquisition and use of someone’s information, such as Name, Address, Date of Birth, Social Security Number, Driver’s License, Bank or Credit Card Account Numbers. Thieves then use the information to commit fraud in an attempt to duplicate your identity, which may include opening new accounts, purchasing large items such as vehicles, applying for loans, credit cards, and social security benefits, renting apartments, and establishing services with utility and telephone companies. It can have a negative effect on your credit and create a serious financial disaster for you.
How to protect yourself from Identity Theft
- Report lost or stolen checks or credit cards immediately.
- Never give out any personal information to anyone you don’t know.
- Dispose of documents you don’t need any more that contain personal information, like bank statements, unused checks, deposit slips, credit card statements, pay stubs, medical billings, and invoices.
- Don’t give any of your personal information to websites that do not use encryption or other secure methods to protect it.
- Store personal information in a safe place.
- Pay attention to billing cycles and account statements and contact your bank if you don’t receive a monthly bill or statement.
- Review account statements thoroughly to ensure all transactions are authorized.
- Guard your mail from theft, promptly remove incoming mail, and do not leave bill payment envelopes in your mailbox with the flag up for pickup by the mail carrier.
If you suspect your identity is stolen, contact:
- Your local bank branch to cancel existing accounts held in your name and reopen new accounts
- The creditors of any accounts that have been misused
- The local police to file a report
- And check your credit report
Order a copy of your credit report from each of the three major credit-reporting agencies every year. Make sure it is accurate and includes only those activities you have authorized. By checking your report on a regular basis you can catch mistakes and fraud before they wreak havoc on your personal finances. Don’t underestimate the importance of this step. You can request a free credit report from each of the three major credit bureaus through www.annualcreditreport.com.
Equifax – www.equifax.com
Report Fraud: 888.766.0008
Order Report: 800.685.1111
Experian – www.experian.com
Report Fraud: 888.397.3742
Order Report: 877 FACTACT
TransUnion – www.transunion.com
Report Fraud: 800.680.7289
Order Report: 877.322.8228
Debit & Credit Card Protection
Debit and credit cards have become the most convenient form for purchasing our everyday needs. They have replaced the actual need to carry cash and should be treated like cash. Fraud has also increased as a result of the volume of debit and credit card use. Follow these steps to protect your cards:
- Never leave your account information out in the open.
- Periodically check your account activity, especially if you bank online. Compare the current balance and transactions on your statement to those you’ve recorded. Report any discrepancies immediately.
- Draw a line through blank spaces on charge or debit slips above the total so the amount can’t be changed.
- Commit your PIN to memory. Don’t carry it with you or write it on your card, deposit slip, envelope or anything that could be lost or looked at.
- Don’t sign a blank charge or debit slip.
- Tear up copies and save your receipts to check against your monthly statements.
- Keep a record of your account numbers, expiration dates, and the telephone numbers of each card issuer so you can report a loss quickly.
- Before throwing old cards away, cut them in half through the account number.
- Open your monthly statements promptly and compare them to your receipts. Report mistakes or discrepancies as soon as possible.
- Only carry the cards you’ll need.
- Carefully check your ATM or debit card transactions; the funds for this item will be quickly transferred out of your account(s).
- Don’t share your account number over the phone unless you initiate contact.
Non-Electronic Security Tips
Use the following list of tips for general security measures.
- Tear up receipts, bank statements, and unused credit card offers before throwing them away.
- Keep an eye out for any missing mail.
- Use a U.S. Postal Service drop box rather than your mailbox to mail bill payments. Use automatic bill pay whenever possible.
- Review your accounts regularly for any unauthorized charges.
- Before sharing personal identifying information (for example, on an application), find out how it will be used and secured, and whether it will be seen by others. Ask if you have a choice about the use of your information, for instance, can you choose to have it kept confidential?
- When doing business, only use companies that you know and trust, especially online.
- Don’t open e-mails from unknown sources.
- To verify whether a call is safe, call our bank or visit the website, using phone numbers or internet addresses from your bank statement or account documentation. Do not call back a number provided over the phone or click on a link in an email.
- Carry with you only the identification and credit and debit cards that you need.
- Don’t put your address, phone number, or driver’s license number on credit card sales receipts.
- Social Security numbers should not be written anywhere that is not secure.
- Promptly remove mail from your mailbox. If you’re planning to be away from home and can’t pick up your mail, contact the U.S. Postal Service to request a vacation hold.
- Ask about information security procedures in your workplace. Find out who has access to your personal information and verify that records are kept in a secure location. Ask about the disposal procedures for those records as well.
Regulation E is a law that protects customers making electronic fund transfers (EFT). An EFT is the electronic exchange or transfer of money from one account to another, either within a single financial institution or across multiple institutions, through computer-based systems. The term includes, but is not limited to, transfers initiated by telephone and transfers initiated through Internet banking and electronic bill pay. Non-consumer account owners, such as Corporations, Trusts, Partnerships, or LLCs (among others), are not protected by Regulation E. To maximize your protection under Regulation E, you should notify your financial institution as soon as possible when you discover that an unauthorized or suspicious EFT is on your account or if you do not have possession of your ATM/Debit card. For more information, please contact us.
Corporate Account Takeover
Business/Commercial clients are not protected by Regulation E. As a result, it is critical that business/commercial clients implement thorough security practices within their places of business as outlined in this program to reduce the risk of fraud.
Corporate Account Takeover is a type of identity theft in which criminals steal your online banking credentials. Malware introduced onto your systems could go undetected for weeks or months. Depending on your account monitoring efforts, account draining transfers using stolen credentials may happen at any time and go unnoticed.
Follow these tips to protect your company:
- Use layered system security measures: Create layers of firewalls, anti-malware software and encryption. One layer of security might not be enough. Install robust anti-malware programs on every workstation and laptop. Keep the programs updated.
- Manage the security of online banking with a single, dedicated computer used exclusively for online banking and cash management. This computer should not be connected to your business network, should not retrieve any e-mail messages, and should not be used for any online purpose except banking.
- Educate your employees about this type of fraud. Make sure your employees understand that just one infected computer can lead to an account takeover. Make them very conscious of the risk, and teach them to ask the question: “Does this e-mail or phone call make sense?” before they open attachments or provide information.
- Block access to unnecessary or high-risk websites. Prevent access to any website that features adult entertainment, online gaming, social networking and personal e-mail.
- Establish separate user accounts for every employee accessing financial information and limit administrative rights. Many malware programs require administrative rights to the workstation and network in order to steal credentials. If your user permissions for online banking include administrative rights, don’t use those credentials for day-to-day processing.
- Use approval tools in cash management to create dual control on payments. Requiring two people to issue a payment – one to set up the transaction and a second to approve the transaction – doubles the chances of stopping a criminal from draining your account.
- Review online accounts daily. The sooner you find suspicious transactions, the sooner the theft can be investigated.
Securing Your Business
The following information is provided by the Federal Trade Commission (FTC).
Most companies keep sensitive personal information in their files – names, Social Security numbers, credit card, or other account data – that identifies customers or employees. This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach – losing your customers’ trust and perhaps even defending yourself against a lawsuit – safeguarding personal information is just plain good business. Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size – or nature – of your business, the principles in this brochure will go a long way toward helping you keep data secure.
A sound data security plan is built on 5 key principles:
- Take stock – Know what personal information you have in your files and on your computers.
- Scale down – Keep only what you need for your business.
- Lock it – Protect the information that you keep.
- Pitch it – Properly dispose of what you no longer need.
- Plan ahead – Create a plan to respond to security incidents.
Use the checklists on the following pages to see how your company’s practices measure up – and where changes are necessary. You also can take an interactive tutorial at business.ftc.gov/privacy-and-security.
Take Stock – Know the nature and scope of the sensitive information contained in your files and on your computers.
- Take inventory of all file storage and electronic equipment. Where does your company store sensitive data?
- Talk with your employees and outside service providers to determine who sends sensitive information to your business, and how it is sent.
- Consider all of the methods with which you collect sensitive information from customers, and what kind of information you collect.
- Review where you keep the information you collect, and who has access to it.
Scale Down – Keep only what you need for your business.
- Use Social Security numbers only for required and lawful purposes. Don’t use SSNs as employee identifiers or customer locators.
- Keep customer credit card information only if you have a business need for it.
- Review the forms you use to gather data like credit applications and fill-in-the-blank web screens for potential customers and revise them to eliminate requests for information you don’t need.
- Change the default settings on your software that reads customers’ credit cards. Don’t keep information you don’t need.
- Truncate the account information on any electronically printed credit and debit card receipts that you give your customers. You may include no more than the last five digits of the card number, and you must delete the card’s expiration date.
- Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.
Lock It – Protect the information that you keep.
- Put documents and other materials containing sensitive information in a locked room or file cabinet.
- Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
- Implement appropriate access controls for your building.
- Encrypt sensitive information if you must send it over public networks.
- Regularly run up-to-date anti-virus and anti-spyware programs on individual computers.
- Require employees to use strong passwords.
- Caution employees against transmitting personal information via e-mail.
- Create security policies for laptops used both within your office, and while traveling.
- Use a firewall to protect your computers and your network.
- Set “access controls” to allow only trusted employees with a legitimate business need to access the network.
- Monitor incoming Internet traffic for signs of security breaches.
- Check references and do background checks before hiring employees who will have access to sensitive data.
- Create procedures to ensure workers who leave your organization no longer have access to sensitive information.
- Educate employees about how to avoid Phishing and phone pretexting scams.
Pitch It – Properly dispose of what you no longer need.
- Create and implement information disposal practices.
- Dispose of paper records by shredding, burning, or pulverizing them.
- Defeat “dumpster divers” by encouraging your staff to separate the information that is safe to trash from sensitive data that needs to be discarded with care.
- Make shredders available throughout the workplace, including next to the photocopier.
- Use “wipe” utility programs when disposing of old computers and portable storage devices.
- Give business travelers and employees who work from home a list of procedures for disposing of sensitive documents, old computers, and portable devices.
Plan Ahead – Create a plan for responding to security incidents.
- Create a plan to respond to security incidents, and designate a response team led by a senior staff person(s).
- Draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others – a lost laptop or a hack attack, to name just two – are unfortunate, but foreseeable.
- Investigate security incidents immediately.
- Create a list of who to notify – inside or outside your organization – in the event of a security breach.
- Immediately disconnect a compromised computer from the Internet.
If you are a Business/Commercial client, we strongly encourage you to perform an annual Self-Assessment focusing on your online banking practices and network security. A Self-Assessment will evaluate whether you have implemented sound business practices to address the five key principles outlined in the “Securing Your Business” section within this document.
Unsolicited Client Contact
We will never contact you on an unsolicited basis to request any security login credentials such as your username and password. Do not respond if you receive a request of this type. Please contact us immediately to report any activity of this nature. We will only contact you regarding online banking activity on an unsolicited basis for the following reasons:
- Inactive/dormant account
- To confirm changes submitted to your online banking profile
- Suspected fraudulent activity on your account
- To notify you of a change or disruption in service
If you receive an unsolicited contact from us for any reason not listed above, your identity will be confirmed through a series of security questions and you will always have the option of hanging up and calling us to confirm the validity of our request. Remember, we will never ask for your login security credentials.
We neither endorse nor guarantee in any way the organizations, services, or advice associated with these links. We are not responsible for the accuracy of the content found on these sites.
National Institute of Standards and Technology (NIST)
Computer Security Resource Center
SANS (SysAdmin, Audit, Network, Security) Institute
The Top Cyber Security Risks
United States Computer Emergency Readiness Team (US-CERT)
About Insite Data Services
IDS data application hosting services combines secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state of the art security systems including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.