Online
Security

Business Best Practices for Online Banking

• Recommend reconciliation of all banking transactions on a daily basis.
• Recommend customers initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
• If possible, and in particular for customers that originate ACH or wires or large numbers of online transactions, recommend commercial banking customers carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which email, web browsing and access to your company network are not possible.
• Be suspicious of emails purporting to be from a financial institution, government departments or other agencies requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes, answers to challenge questions and similar information. Opening file attachments or clicking on web links in suspicious emails could expose your computer network to malicious code that could hijack your private information, online banking credentials, and more.
• Never process payment instruction changes from clients, vendors or employees that have not been directly verified.
• Install a dedicated, actively managed firewall, if using a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
• Create strong passwords that include a combination of characters. The latest guidance suggests using a passphrase such as a favorite line from a movie or a series of associated words rather than a traditional password. The idea is to create a passphrase that can be remembered easily and protect the account — for example, $unWalkRainDriv3.
• Prohibit the use of “shared” usernames and passwords for online banking systems.
• Use a different password for each website that is accessed and change your passwords several times each year.
• Never share username and password information for online services with third-party providers.
• Limit administrative rights on users’ workstations to help prevent the inadvertent downloading of malware or other viruses.
• Install commercial anti-virus, spyware detection and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
• Ensure security suite software pages and computer programs are patched regularly, particularly operating systems and key applications, such as Adobe products. It is recommended that you utilize the built in automatic software updates available for most operating systems and software programs.
• Recommend clearing the browser cache before starting an online banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's options or settings menu.
• Recommend customers verify use of a secure session (https not http) in the browser for all online banking and financial services and the site has a valid digital security certificate.
• Avoid using automatic login features that save usernames and passwords for online banking. This includes using Internet browsers to store password information.
• Never leave a computer unattended, especially when logged into online banking or financial service sites.
• Never access bank, brokerage or other financial services information sites using public Wi-Fi, such as at Internet cafes, public libraries, airports, etc. Using public Wi-Fi increases the potential for unauthorized software to be installed to trap account and sign on information.
• Recommend customers familiarize themselves with the institution’s account agreement and with the customer’s liability for fraud under the agreement pursuant to the Uniform Commercial Code Article 4A as adopted in the state of Nebraska.
• Recommend developing written security procedures designed to protect your company’s network from infection or breach and it is also recommended that you include regular security training for all employees. This is required for ACH origination clients.
• Stay in touch with other businesses to share information regarding suspected fraud activity. It is recommended that you subscribe to fraud alerts available from sources such as antivirus software companies, credit card processors, government agencies, etc. Also, become familiar with the services your financial institution provides regarding the latest fraud threats and fraud mitigation tips.
• Immediately escalate any suspicious transactions to the financial institution, particularly ACH or wire transfers. There is a limited recovery window for business transactions and immediate escalation may prevent further loss.

Some recommendations listed above may be required specific to services provided in accordance to your product agreement. Information provided by NACHA, EPCOR and FS-ISAC (Financial Services Information Sharing and Analysis Center).

Recommendations for Online Fraud Victims

In the event the customer is a victim of fraud, there are a number of immediate recommendations they should take to help protect their financial interests. A few general suggestions include:

• Immediately cease all activity from computer systems that may be compromised. Unplug the Ethernet or cable modem connections to isolate the system from remote access.
• Immediately contact their financial institution so that the following actions may be taken as a priority to contain the incident:
  • Online access to the accounts be disabled.
  • Online Banking passwords changed.
  • New account(s) opened as appropriate.
  • Request the financial institution’s agent review all recent transactions and electronic authorizations on the account.
  • Additionally, ensure that no one has requested an address change, title change, PIN change or ordered new cards, checks or other account documents be sent to another address.
• Customers can generally find customer service or fraud prevention contact telephone numbers on monthly statements. Recommending they have this information readily available will often facilitate a call.A customer suffering from fraud should file a police report with the local police department and provide the facts and circumstances surrounding the loss. Obtain a police report number with the date, time, department, location and officer’s name taking the report or involved in the subsequent investigation. Having a police report on file will often facilitate dealing with insurance companies, banks, and other establishments that may be the recipient of fraudulent activity. The police report may initiate a law enforcement investigation into the loss with the goal of identifying, arresting and prosecuting the offender and possibly recovering losses.
• The customer should maintain a written chronology of what happened, what was lost and the steps the customer took to report the incident to the various agencies, banks and firms impacted. Be sure to record the date, time, contact telephone number, person spoken to, and any relevant report or reference number and instructions.
• Realize that if the customer carries out personal online banking from the business computer system, there are also potential identify theft aspects to the compromise. Recommend the customer review the recommendation at the Federal Trade Commission’s Identity Theft website.
• Dependent on law enforcement investigative and forensic considerations, recommend the customer have their network and systems reviewed by a qualified computer forensic/information security professional.

Information provided by NACHA and FS-ISAC (Financial Services Information Sharing and Analysis Center)

Have you been affected by the recent Equifax Data Breach? Check out the Federal Trade Commission’s recommendations on what to do: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do

Mobile Phone Security

To ensure the safety and privacy of your account information, we provide some key security features in Mobile Banking:

• Unique Activation Code for the WAP and SMS versions - We send you a unique activation code to verify your phone number. This code associates your mobile phone with your account. This verification also lets you know your mobile phone number has been successfully registered in our system.
• Authentication—You are authenticated for every interaction with Mobile Banking.
• Encryption—We use 128-bit encryption for all transactions.
• Fraud Detection—We incorporate mechanisms such as transaction validation and transaction reconciliation processes to detect fraud.
• Audit-ability—We provide full audit capabilities through event logs and event-based reporting.
• No Identifiable Information—We don't return any personally identifiable information in a text message, such as your full account number, e-mail address, or personal address. We never ask for or include your user ID or password in any message we send.

Here are some recommended tips to help you secure your mobile device.

• Treat your Smartphone with the same care regarding passwords and security as your PC.
• Install an antivirus app approved by your phone carrier.
• Keep smartphones within your sight at all times.
• Activate phone locking after a period of inactivity and use strong passwords or PINs for reactivation.
• Utilize your phone's auto wipe feature if someone repeatedly enters incorrect passwords.
• Back up Smartphone applications and content regularly.
• Report Smartphone theft immediately so remote locking or remote wiping can be activated.
• Avoid using smartphones over unsecure Wi-Fi networks.
• Keep Bluetooth out of discovery mode when not in use.
• Avoid clicking on links in SMS and Email messages unless you have verified the sender.
• Do not use a jail-broken phone or attempt to jailbreak your phone.
• Only download approved apps for your device.
• Only download apps you will use and research the credibility of any App you are not familiar with - look out for applications that seek access to things like contacts or location unnecessarily and to carefully read user application ratings before downloading.
• Keep your phone's operating system and installed apps up to date.