Online Banking Security Threats
A scam, called "phishing" or "carding," uses spam (unsolicited email) to trick recipients into revealing their credit card numbers, bank account information, social security numbers, passwords and other sensitive information. Home Bank will never request you to send any of your personal information by email.
To avoid getting hooked by a phishing scam, the Federal Trade Commission says:
- If you get an email (with little or no notice) that one of your accounts will be closed unless you reconfirm billing information, do not reply or click on the link in the email. Instead contact the company cited using a telephone number or website address you *know* is genuine.
- Avoid emailing personal and financial information in all cases.
- Review credit card and bank account statements as soon as you receive them for any unauthorized charges.
For more information, visit the Federal Trade Commission's phishing website.
Once a user is logged in to online banking, the open session may be vulnerable to access by an unauthorized user either by physical presence at the logged-in computer, or by electronic take-over of the session by remote control of the browser used by the authorized user. This can be done without the knowledge of the person who initially logged in to the online banking site.
Skilled identity thieves use a variety of methods to gain access to your personal information. For example:
They get information from businesses or other institutions by:
- Stealing records from their employer,
- Bribing an employee who has access to these records, or
- Hacking into the organization's computers.
- They rummage through your trash, or the trash of businesses, or dumps, in a practice known as dumpster diving.
- They obtain credit reports by abusing their employer's authorized access to credit reports or by posing as a landlord, employer, or someone else who may have a legal right to the information.
- They steal credit and debit card numbers as your card is processed by using a special information storage device in a practice known as skimming.
- They steal wallets and purses containing identification and credit and bank cards.
- They steal mail, including bank and credit card statements, pre-approved credit offers, new checks, or tax information.
- They complete a change of address form to divert your mail to another location.
- They steal personal information from your home.
- They scam information from you by posing as a legitimate businessperson or government official.
Once identity thieves have your personal information, they may:
- Go on spending sprees using your credit and debit card account numbers to buy big-ticket items like computers that they can easily sell.
- Open a new credit card account, using your name, date of birth, and SSN. When they don't pay the bills, the delinquent account is reported on your credit report.
- Change the mailing address on your credit card account. The imposter then runs up charges on the account. Because the bills are being sent to the new address, it may take some time before you realize there's a problem.
- Take out auto loans in your name.
- Establish phone or wireless service in your name.
- Counterfeit checks or debit cards, and drain your bank account.
- Open a bank account in your name and write bad checks on that account.
- File for bankruptcy under your name to avoid paying debts they've incurred, or to avoid eviction.
- Give your name to the police during an arrest. If they are released and don't show up for their court date, an arrest warrant could be issued in your name.
Password and Device Security
Passwords serve as the primary protection for online banking accounts; they are the key that allows access to banking information and transactions. An inadequate or simple password may result in the unauthorized access to bank accounts, but also could result in the victim being held responsible for actions taken using his or her password. Each online banking user should have a unique Access ID (user name) and a secret password. This password should not be shared with anyone, including family, friends, supervisors or employees. Anyone needing access to an account should apply for a personal Access ID.
Weak, inadequate passwords often have one or more of the following characteristics:
- The password contains less than eight characters
- The password is a word easily found in a dictionary (English or foreign)
- The password is a common usage word such as:
- Names of family, pets, friends, co-workers, fantasy characters, etc.
- Computer terms and names, commands, sites, companies, hardware, software.
- The words "Company Name", "company initials", "company address" or any derivation.
- Birthdays and other personal information such as addresses and phone numbers.
- Letter or number patterns like aaabbbccc, qwertyu, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., word1, 1 word)
Strong, secure, adequate passwords have the following characteristics:
- Contain both upper and lower case characters
- Have digits and punctuation characters as well as letters (e.g., 0-9, @$%&*()_+|~-=\`}[";'<?,./)
- Are at least eight alphanumeric characters long
- Are not words in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Are never written down or stored online; rather they are passwords that can be easily remembered.
- One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Note: Do not use either of these examples as passwords!
Avoid using the same password for various access needs (e.g., social networking site, email account, online shopping site, etc. All passwords are to be treated as sensitive, confidential information. As a reminder, the following are a list of things to avoid:
- Don't reveal a password over the phone to anyone
- Don't reveal a password to the boss, unless the boss accepts future responsibility
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers while on vacation
- Do not use the "Remember Password" feature of computer applications (e.g., Outlook, Netscape Messenger, Internet Explorer).
- Do not write passwords down and store them anywhere near your computer or in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption/password protection of the file.
Even if you keep your password secret, if the computer or mobile device that you use to access online banking is not secure, then your password can be captured by malware present on the device.
Software often has security gaps that hackers discover and use to gain access to victim's computers. Updating software with repairs to these gaps is a very important part of online security. Microsoft updates, as well as updates for Adobe and Java should be applied as soon as they are offered on personal computers and mobile devices. Corporate machines on a network are likely being "patched" by the network administrator.
Along with desktop applications, security software such as anti-virus and anti-malware programs need to be kept up to date. Any computer on the internet without up-to-date protection will likely be infected within minutes.
When accessing online banking, do it from a clean browser, meaning that online banking should be the only tab open on the browser. The reason for this is an attack called cross-site scripting where malicious code embedded in a website, or in advertising on a website, can reach across to other tabs to collect information.
Public Computers or Networks
When you use a public computer, such as in a library or a hotel, you cannot be assured of the security status of the machine. It is recommended that you do not access online banking on such a machine, nor over a public Wi-Fi connection. If you own a personal Wi-Fi connection, but do not use available security features such as password protection and data encryption, it is as insecure as a public connection.
Internet Banking Security Checklist
Internet banking is a powerful tool for increasing the accessibility of your Home Bank accounts for you, but it also provides potential openings for fraudulent activity committed against your accounts. Online thieves are continuously developing new means of gaining access to your accounts through Internet Banking.
While Home Bank is working diligently to stay ahead of these thieves, we cannot completely prevent attacks occurring through your computer. It is very important that security measures be maintained by you in your home, office, or anywhere you access your bank accounts online.
To ensure protection of your Home Bank accounts when using Internet Banking, please following this security checklist.
- Change your access password at least every four months. Do not allow your internet browser or Windows to remember your internet banking password.
- Set your authentication image and authentication pass phrase, and be mindful of it when you log in to online banking. (Does not apply if tokens are used.)
- Maintain up-to-date antivirus, antispam, and antispyware programs on all computers and devices used to access your bank accounts.
- Never access your bank accounts using a public or un-secured private wi-fi connection.
- Never share your password or enter it in any website that is not the Home Bank Internet Banking login page. Home Bank will never ask you to enter your password on a form or send it by email.
- Do not send confidential information by email. Contact Home Bank for instructions for secure message delivery.
- Do not leave your computer or mobile device unattended while logged on to online banking. Click "Log Off" when you leave the online banking site to close the session.
- Notify Home Bank immediately if you discover unauthorized use of your security codes or if you believe that someone transferred money without authorization.