We care about your security.
Encryption
How Encryption Works
When you visit an online banking sign-on page, your browser establishes a secure session with our server using a protocol called Transport Layer Security (TLS). This protocol involves the exchange of public and private keys. These keys are random numbers chosen for each session and are only known to your browser and our server. Once the keys are exchanged, your browser uses them to encrypt the messages sent between your browser and our server. Both sides need these keys to decrypt the messages received, ensuring privacy and preventing any other website from impersonating your financial institution or altering the information sent.
You can verify that your browser is in secure mode by looking for the lock symbol in the address bar.
Encryption Level
The strength of encryption is similar to the complexity of a combination lock. The more possible combinations, the harder it is for someone to guess the key and decrypt the message. For your protection, our servers require browsers to connect at 256-bit encryption, which is significantly more secure than the older 128-bit or 40-bit encryption. Users with browsers that do not support this level of encryption will need to upgrade their browsers to access online banking functions.
All modern browsers support 256-bit encryption. To ensure that your connections are secure, please make sure you keep your computers browser up to date.
Authorization
To ensure that only authorized persons log into online banking, we verify your identity through your password and other factors. When you submit your password, it is securely compared with the one stored in our data center.
Account Lockout
You are allowed a limited number of attempts to enter your password correctly. Exceeding this limit will result in your account being locked. You will need to contact us to reinitialize your account. We monitor and record unsuccessful login attempts to detect any suspicious activity, such as someone trying to guess your password.
Multi-Factor Authentication
Our multi-factor authentication solution adheres to the latest FFIEC authentication guidelines. After successfully logging in with your username and password, a one-time password (OTP) is sent to your phone. You must enter this OTP into the banking application to complete the login process. The OTP can be received via a voice call or text message. Alternatively, you can setup an app on your mobile device to generate the OTP. MFA significantly reduces the risk of credential exposure from phishing, keystroke loggers, Man-in-the-Middle, and brute force attacks.
Your Role in Security
You play a crucial role in safeguarding your account. Follow these guidelines to enhance your security:
- Avoid Easy-to-Guess Passwords:
- Birth dates
- First names
- Pet names
- Addresses
- Phone numbers
- Social Security numbers
- Protect Your Password:
- Never reveal your password to anyone.
- Do not write your password down.
- Consider using a password manager to store and track your passwords to online accounts.
- Use a unique password for online banking that is different from those used for other applications.
- Session Security:
- Always log off your online banking session before leaving your computer.
We will NEVER email you to request personal information. Any email claiming to be from the bank that asks for personal information such as Social Security numbers, IDs, or passwords should not be trusted.
Electronic Funds Transfer Act. For more details, please refer to your Electronic Funds Transfer Act Disclosure.
Network Security
The network architecture supporting our online banking service is designed with state-of-the-art technology. While the details are complex, it is crucial to know that the computers storing your actual account information are not directly connected to the Internet.
- Internet Transactions: Transactions initiated through the Internet are received by our online banking web servers.
- Routing: These servers route your transaction through firewall servers.
- Firewall Servers: Acting as traffic controllers, firewall servers manage the flow of data between the segments of our network that store information and the public Internet.
- Isolation: This configuration isolates publicly accessible web servers from the data stored on our internal servers, ensuring only authorized requests are processed.
We employ various access control mechanisms, including intrusion detection and anti-virus software, to monitor and protect our systems from potential malicious activity. Additionally, our online banking servers are fault-tolerant, ensuring uninterrupted access even in the event of various types of failures.
Session Timeout For added security, your online banking session will automatically “timeout” after a specified period of inactivity. This prevents unauthorized access if you leave your computer unattended without logging out. You can set the timeout period in the User Options screen. However, we recommend always signing off (logging out) when you finish banking online.
Identity Theft Info
Understanding Different Types of Attacks
Phishing:
Phishing is a type of cyber attack where attackers deceive individuals into providing sensitive information such as usernames, passwords, credit card numbers, or other personal data. This is typically done by masquerading as a trustworthy entity in electronic communications. Phishing is one of the most common and dangerous forms of cybercrime due to its effectiveness in exploiting human vulnerabilities.
Key Characteristics of Phishing:
- Impersonation: Phishers often impersonate reputable entities such as banks, email providers, online retailers, or social media platforms. They create emails, messages, or websites that closely resemble those of the legitimate organization.
- Urgency and Fear: Phishing messages often create a sense of urgency or fear to prompt immediate action. Common tactics include warning about account suspensions, unauthorized transactions, or security breaches that require immediate attention.
- Deceptive Links: Phishing emails and messages frequently include links that appear legitimate but redirect to fraudulent websites designed to capture sensitive information. These links may be hidden behind text or buttons that seem trustworthy.
- Malicious Attachments: Some phishing emails contain attachments that, when opened, install malware or spyware on the victim’s device. This can lead to further exploitation of the victim’s data and system.
Spear-Phishing:
Spear-phishing is a targeted form of phishing attack where cybercriminals aim to steal sensitive information from a specific individual or organization. Unlike generic phishing attacks that are sent to many people, spear-phishing attacks are customized and tailored to the intended victim, making them more convincing and harder to detect.
Key characteristics of spear-phishing include:
- Personalization: The attacker gathers information about the target from various sources such as social media, company websites, or public records. This information is used to craft a personalized message that appears to come from a trusted source.
- Deceptive Content: The email or message often appears to come from a known and trusted sender, such as a colleague, supervisor, or business partner. The message may reference specific details relevant to the target, making it seem legitimate.
- Malicious Intent: The goal is typically to obtain sensitive information, such as login credentials, financial information, or other confidential data. This can be achieved through malicious links, attachments, or by convincing the target to disclose information directly.
- High Stakes: Spear-phishing attacks often target high-value individuals, such as executives, finance officers, or IT personnel, to gain access to valuable information or systems.
Examples of spear-phishing tactics:
- Impersonation: The attacker impersonates a trusted person or entity, such as a CEO or a bank, requesting sensitive information or urgent action.
- Malicious Attachments: The email contains attachments that, when opened, install malware or spyware on the victim’s device.
- Fraudulent Links: The email includes links to fake websites designed to capture login credentials or other personal information.
Protection against spear-phishing and phishing:
- Education and Awareness: Understand and look for red flags to identify phishing emails.
- Verification: Always verify the authenticity of unexpected or unusual requests for sensitive information by contacting the purported sender through a separate, known communication channel.
- Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security, making it harder for attackers to gain access even if they obtain login credentials.
Vishing:
Vishing, short for “voice phishing,” is a type of social engineering attack where scammers use phone calls to deceive individuals into revealing sensitive personal information, such as credit card numbers, Social Security numbers, or login credentials. The term combines “voice” and “phishing,” reflecting the method of attack and its fraudulent nature.
Key characteristics of vishing:
- Impersonation: Attackers often impersonate legitimate entities, such as banks, government agencies, tech support, or well-known companies. They use this guise to build trust and make their requests seem credible.
- Urgency: Scammers create a sense of urgency or fear to prompt immediate action from the victim. They might claim that there is a problem with the victim’s bank account, that they owe money to the IRS, or that their computer is infected with a virus.
- Manipulation: Vishing relies on psychological manipulation. Attackers may use authoritative language, threats, or emotional appeals to convince the victim to comply with their requests.
- Spoofing: Attackers may use caller ID spoofing to make it appear as though the call is coming from a legitimate source. This increases the likelihood that the victim will answer the call and trust the caller.
Common vishing tactics:
- Bank fraud: A caller claims to be from the victim’s bank, warning of suspicious activity and requesting verification of account details to “secure” the account.
- Tech support scams: A caller pretends to be from a tech support team, claiming that the victim’s computer is compromised and offering to fix it if the victim provides remote access or payment information.
- Government impostors: A caller poses as an IRS or Social Security Administration representative, threatening legal action or fines unless the victim provides personal information or makes a payment.
- Medical scams: A caller impersonates a health insurance provider or medical facility, seeking personal and financial information under the pretense of verifying or updating records.
Protection against vishing:
- Be cautious: Always be skeptical of unsolicited phone calls requesting personal or financial information. Verify the caller’s identity through independent means, such as calling the official phone number of the organization they claim to represent.
- Do not disclose personal information: Never provide sensitive information over the phone unless you are certain of the caller’s legitimacy.
- Use call-blocking technology: Employ call-blocking tools and services to filter out potential scam calls.
- Educate yourself and others: Stay informed about common vishing tactics and share this knowledge with friends and family to help protect them from falling victim to such scams.
SIM Swapping or SIM Hijacking:
SIM swapping, also known as SIM hijacking or SIM swapping fraud, is a type of cybercrime where an attacker tricks a mobile carrier into transferring a victim’s phone number to a SIM card controlled by the attacker. This allows the attacker to gain control over the victim’s phone number and use it to intercept calls and text messages, including two-factor authentication (2FA) codes sent to the victim’s phone. With this access, the attacker can potentially gain control of the victim’s online accounts, such as email, banking, and social media.
How SIM swapping works:
- Gathering Information: The attacker collects personal information about the victim, often through phishing, social engineering, data breaches, or publicly available information. This information can include the victim’s name, phone number, address, and possibly answers to security questions.
- Contacting the Mobile Carrier: The attacker contacts the victim’s mobile carrier, posing as the victim. They use the gathered information to convince the carrier’s customer service representative to transfer the victim’s phone number to a new SIM card controlled by the attacker.
- Executing the Swap: Once the mobile carrier approves the request, the victim’s phone number is transferred to the attacker’s SIM card. The victim’s phone loses service, while the attacker gains control of the victim’s phone number.
- Gaining Access to Accounts: With control over the victim’s phone number, the attacker can receive SMS-based 2FA codes sent to the victim’s phone. They can use these codes to reset passwords and gain access to the victim’s online accounts, potentially stealing personal information, money, or engaging in further fraudulent activities.
Impact of SIM swapping:
- Financial Loss: Attackers can drain bank accounts, make unauthorized purchases, and commit other types of financial fraud.
- Identity Theft: Attackers can access sensitive personal information, which can be used for identity theft and further fraudulent activities.
- Reputation Damage: Gaining control of social media accounts can lead to reputational damage if the attacker posts inappropriate content or messages.
- Loss of Control: Victims can temporarily lose control of their phone number and associated accounts, causing significant inconvenience and distress.
Preventing SIM swapping:
- Use Strong Authentication Methods: Whenever possible, use app-based or hardware-based authentication methods instead of SMS-based 2FA. Authenticator apps, such as Google Authenticator or Authy, are more secure.
- Add Extra Security to Your Mobile Account: Contact your mobile carrier and ask to add additional security measures, such as a PIN or password, to your account. Some carriers offer extra protection against SIM swaps.
- Be Cautious with Personal Information: Avoid sharing personal information publicly and be wary of phishing attempts. Protect your personal data to reduce the risk of attackers gathering information about you.
- Monitor Your Accounts: Regularly check your accounts for suspicious activity and set up alerts for any unauthorized changes or transactions.
- Act Quickly: If you lose service unexpectedly, contact your mobile carrier immediately to check if a SIM swap has occurred and take steps to secure your accounts.
Skimming:
Skimming is a type of financial fraud where criminals use devices to capture and steal credit card or debit card information from unsuspecting users. The stolen data can then be used to create counterfeit cards or make unauthorized purchases. Skimming typically occurs at points of sale where card transactions are made, such as ATMs, gas station pumps, or retail checkout counters.
How skimming works:
- Skimmer Installation: Criminals attach a small, often inconspicuous, skimming device to a legitimate card reader. These devices are designed to capture the magnetic stripe data from cards when they are swiped or inserted.
- PIN Capturing: In addition to the skimming device, criminals may install a hidden camera or a fake keypad to capture the cardholder’s PIN as they enter it. Some skimming devices also have built-in PIN capturing capabilities.
- Data Collection: The skimming device collects and stores the card information, while the camera or fake keypad captures the PIN. This data is either stored locally on the device or transmitted wirelessly to the criminals.
- Data Exploitation: Once the criminals have collected enough card information, they retrieve the skimming device and use the stolen data to create counterfeit cards or make online purchases. They may also sell the stolen data on the dark web.
Common skimming scenarios:
- ATMs: Skimmers are often placed over or inside the card slot, and hidden cameras are positioned to capture PIN entries. Some skimmers are sophisticated enough to be installed inside the machine, making them harder to detect.
- Gas Station Pumps: Skimmers can be installed inside the pump card readers, often requiring the criminals to access the machine’s interior. They may also use external skimming devices that fit over the card slot.
- Point-of-Sale Terminals: Skimmers can be attached to payment terminals in retail stores, restaurants, or other locations where card transactions are common.
Preventing skimming:
- Inspect Card Readers: Before using an ATM, gas pump, or point-of-sale terminal, inspect the card reader for any signs of tampering or unusual attachments. Wiggle the card reader to see if it moves or appears loose.
- Cover Your PIN: When entering your PIN, use your hand to cover the keypad to block the view of any hidden cameras.
- Use Secure ATMs: Prefer ATMs located inside banks or well-lit, monitored locations, as they are less likely to be tampered with compared to those in isolated or less secure areas.
- Enable Alerts: Set up alerts with your bank or card issuer to receive notifications of any suspicious or unauthorized transactions.
- Use Contactless Payments: When possible, use contactless payment methods such as NFC (Near Field Communication) cards or mobile payment apps, as they are less susceptible to skimming.
- Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions and report any suspicious activity immediately.
Ransomware:
Ransomware is a type of malicious software (malware) that encrypts a victim’s data or locks them out of their system, demanding a ransom payment to restore access. This form of cyber attack has become increasingly common and sophisticated, targeting individuals, businesses, and even critical infrastructure. Here are some key points about ransomware:
How Ransomware Works:
- Infection Vector: Ransomware often spreads through phishing emails, malicious attachments, infected websites, or exploit kits that take advantage of software vulnerabilities. Once the victim interacts with the malicious content, the ransomware is downloaded and executed on their system.
- Encryption: Once activated, the ransomware scans the victim’s system for files and encrypts them using strong encryption algorithms. The files become inaccessible without the decryption key, which is held by the attacker.
- Ransom Demand: After encryption, the ransomware displays a ransom note on the victim’s screen, demanding payment in exchange for the decryption key. The note typically provides instructions on how to make the payment, often in cryptocurrency like Bitcoin, to ensure anonymity.
- Payment and Decryption: If the victim pays the ransom, the attacker may provide the decryption key to unlock the files. However, there is no guarantee that the attacker will honor this agreement, and paying the ransom is generally discouraged by law enforcement and cybersecurity experts.
Types of Ransomware:
- Crypto Ransomware: This type encrypts the victim’s files and demands a ransom for the decryption key.
- Locker Ransomware: This type locks the victim out of their system, preventing access to the entire device or system. It usually demands a ransom to unlock the system.
- Scareware: This type displays fake warnings or alerts, often claiming that the victim’s system is infected with malware and demanding payment for fake antivirus software.
Prevention and Protection:
- Regular Backups: Regularly back up important data to an external drive or cloud storage. Ensure backups are not continuously connected to the system to avoid them being encrypted by ransomware.
- Software Updates: Keep your operating system and software up to date with the latest security patches to protect against vulnerabilities.
- Email Security: Be cautious with email attachments and links, especially from unknown senders. Use email filtering and anti-phishing tools to reduce the risk of phishing attacks.
- Anti-Malware Software: Use reputable anti-malware software to detect and prevent ransomware infections.
- Network Security: Implement strong network security measures, such as firewalls, intrusion detection systems, and network segmentation, to limit the spread of ransomware within a network.
- Employee Training: Educate employees about the risks of ransomware and how to recognize phishing emails and other common attack vectors.
Keylogger:
A Keylogger is a software program that records the keystrokes entered on the PC on which it is installed and transmits a record of those keystrokes to the person controlling the malware over the internet. Keyloggers can be surreptitiously installed on a PC by visiting an infected website, clicking on an infected website banner advertisement, or opening an infected email attachment.
Man-in-the-Middle (MIM):
Man-in-the-Middle (MIM) or Man-in-the-Browser (MIB) attacks occur when a fraudster inserts themselves between the customer and the bank, hijacking the online session. The fraudsters conceal their actions by directing the customer to a fraudulent website that mirrors the bank’s legitimate website.
Catfishing:
Catfishing is the act of creating a fake identity on a social networking service, typically to deceive others. The catfishers often use fake photos and biographical information to create a persona that is not real. This deceptive practice can be used for various purposes, including financial gain, emotional manipulation, or simply for the catfishers amusement.
In many cases, catfishing involves forming romantic relationships online under false pretenses. The person being deceived may develop strong feelings for the fictitious persona, only to eventually discover that the person they were communicating with does not actually exist or is someone entirely different.
Summary of Protection and Prevention Measures:
Education and Awareness:
- Understand and recognize phishing and other cyber attack techniques.
- Stay informed about common cyber attack tactics.
Verification:
- Verify unexpected or unusual requests for sensitive information through separate, known communication channels.
- Independently verify the identity of phone callers and online contacts.
Authentication:
- Implement multi-factor authentication (MFA) for all accounts.
- Use strong, unique passwords for different accounts.
Secure Browsing:
- Use secure, encrypted connections (HTTPS) and avoid suspicious websites.
- Be cautious with email attachments and links.
Account Security:
- Add extra security measures, such as PINs or passwords, to mobile and online accounts.
- Regularly monitor accounts for suspicious activity.
Call Security:
- Use call-blocking tools to filter potential scam calls.
- Avoid sharing sensitive information over the phone unless certain of the caller’s legitimacy.
Device and Software Security:
- Keep operating systems and software up to date with the latest security patches.
- Use reputable anti-malware and anti-virus software.
- Regularly scan your system for malware.
Data Backup:
- Regularly back up important data to external drives or cloud storage.
- Ensure backups are not continuously connected to the system to avoid ransomware encryption.
Transaction Security:
- Inspect card readers for signs of tampering before use.
- Use secure ATMs located in well-lit, monitored areas.
- Enable transaction alerts with your bank or card issuer.
- Prefer contactless payment methods when possible.
PIN Protection:
- Shield the keypad when entering your PIN at ATMs and point-of-sale terminals.
Immediate Action:
- Act quickly if you lose service unexpectedly; contact your mobile carrier immediately.
- Report suspicious activity to relevant authorities promptly.
For more information visit:
Federal Trade Commission (FTC)
Federal Deposit Insurance Corporation (FDIC)