Information & Account Security

Security of Your Personal Information

The popularity and rapid growth of the Internet has certainly provided consumers with an unprecedented amount of information and services. Access to information from financial institutions is no exception. Banking customers in the U.S. alone perform millions of account transactions each day. Online banking certainly has benefits for Internet-savvy customers.

Unfortunately, online banking also has benefits for Internet-savvy criminals. According to the SANS Institute, a cooperative research and education organization that monitors Internet security, the vast majority of organized attacks on Internet-connected computers are orchestrated by criminals. These attackers are usually interested in two things; finding a way to 'hijack' and take control of your computer so they can use it for their own purposes, or gaining access to your computer to scan for personal information that can be used to their advantage. The information they look for is usually credit card numbers, bank account numbers, account passwords and PIN's - basically any personal information that can be used to gain access to your financial accounts.

Any computer that is connected to the Internet, whether by telephone dial-up service, wireless service or broadband service, is vulnerable to such attacks. The following information is provided to educate our customers on the many ways criminals try to gain access to your personal information.

Identity Fraud

Identity fraud is the fastest-growing crime in the United States, costing its victims over $475 million per year, according to the Federal Trade Commission. Yet, it happens so quietly, most people don't realize they've been victimized until months later. Identity theft -- or fraud -- occurs when someone uses your personal information without your permission to make illegal purchases, withdrawals, or to open financial accounts. This can damage your credit rating and your reputation.

What is The Bank of LaFayette Doing to Prevent Fraud?

After the events of September 11, 2001, legislation was passed to help prevent fraud. Evidence shows that credit card, debit card, and similar fraud is a major source of funding for terrorists. To safeguard our nation against terrorists, and to help prevent you from becoming a victim of fraud, all financial institutions are required to more carefully verify the identity of our account owners, loan applicants, parties to trusts, and individuals who purchase investment products.

This means we may ask you additional questions at the time of your transaction. We may also ask you to provide one or more types of identification (ID), such as a driver's license, U.S. taxpayer ID number, or other government-issued document that verifies your nationality or residence. By answering these questions and providing the required forms of identification, you can help us to meet the requirements and better protect you against identity theft.

What Happens to the Information You Provide Us?

The new regulations require us to verify all of the information you provide us using one or more methods. For instance, we may compare your information against public databases of information to verify that is is current, accurate, an valid. Any information we obtain is safeguarded according to our Privacy Policy and information-sharing practices. That way, you can be confident that your personal information remains secure as we work toward preventing all forms of fraud.

What Else Can You Do to Prevent Fraud?

Keep your credit cards, debit cards, personal identification numbers (PIN's), checks, social security number, driver's license number, and other personal information in a safe place.

Keep deposit and withdrawal slips and credit and debit card receipts where they will be safe, and always shred them first before they are disposed.

Before disposing of credit card solicitations, credit card statements, financial institution statements, utility bills, insurance information, medical bills, and investment updates, shred them first.

Do not put your trash out until shortly before it will be picked up.

Do not put mail in your curbside mailbox until shortly before it will be picked up.

Take your mail out of your curbside mailbox as soon as possible after it is delivered. And, if you are traveling, have the U.S. Postal Service hold your mail or have someone you trust pick it up daily.

Limit the information on your checks, and don't carry around more credit or debit cards than necessary.

Do not give any of your personal information to anyone in person, over the telephone, or over the Internet, unless you have a very good reason to trust them.

Do not give any of your personal information to any web sites that don't use encryption or other secure methods to protect it.

Always use a firewall when connecting to the Internet, even for dial-up accounts.

Always use a good, up-to-date anti-virus program to help keep your computer free from viruses and worms. Also highly recommended is software which will scan your computer for so-called 'spyware' and 'adware' programs that may have been maliciously installed on your computer. Some types of these programs can silently collect personal information from your computer, perhaps including account numbers and PIN's or passwords. This software can be purchased online or from most software retailers.

Do not use PIN's or other passwords that are easy to guess (such as family birth dates or your pet's name).

Examine your credit card, debit card, and bank statements immediately when you receive them to determine whether there are any unauthorized transactions. Report any that you find immediately to the financial institution.

Make a prompt inquiry if bills or statements are not received in a timely manner -- this could mean they are being diverted by an identity thief.

Obtain copies of your credit report annually from each of the three major credit reporting agencies (see below) to make sure they are accurate.

You may also wish to do the following:

Request to not receive any further pre-approved offers of credit by calling 1-888-5-OPT-OUT.

Ask to be removed from national direct mail lists by writing to the DMA Mail Preference Service at P.O. Box 9008, Farmingdale, NY 11735-9008. Include your name and address.

Ask to not receive telephone solicitations from national marketers by writing to the DMA Telephone Preference Service at P.O. Box 9014, Farmingdale, NY 11735-9014. Include your name, address and telephone number.

What if You Discover That You Are A Victim of Fraud?

Contact the Federal Trade Commission at www.ftc.gov or by phone at 1-877-438-4338 or by mail at Consumer Response Center, F.T.C., 600 Pennsylvania Avenue NW, Washington, DC 20580

Contact the following three major credit reporting agencies to put yourself on Fraud Alert and request a copy of your credit report:

Equifax - P.O. Box 740250, Atlanta, GA 30374-0250 or call 1-800-525-6285

Experian - P.O. Box 1017, Allen, TX 75013 or call 1-888-397-3742

TransUnion - P.O. Box 6790, Fullerton, CA 92634 or call 1-800-680-7289

Cancel all accounts that have fraudulent activity or are at risk.

Contact your local law enforcement agency.

Contact the U.S. Postal Service if you know or suspect your mail has been stolen.

Keep detailed records of any theft of your identity and of your activities to resolve the theft, including logs of the following:

The date, time and amount of any unauthorized activity on your accounts

The date, time, duration, and cost of any phone calls

The date and cost of any mailings

(Portions of the information on Identity Fraud were prepared by the Banker's Systems, Inc.)

Phishing

Law enforcement officials use the word "phishing" to describe a type of identity theft by which scammers use fake Web sites and e-mails to "fish" for valuable personal information from consumers. In the typical phishing scam, you receive an e-mail supposedly from a company or financial institution you may do business with or from a government agency. The e-mail describes a reason you must "verify" or "re-submit" confidential information — such as bank account and credit card numbers, Social Security numbers, passwords and personal identification numbers (PINs) — using a return e-mail, a form on a linked Web site, or a pop-up message with the name and even the logo of the company or government agency. Perhaps you're told that your bank account information has been lost or stolen or that limits may be imposed on your account unless you provide additional details. If you comply, the thieves hiding behind the seemingly legitimate Web site or e-mail can use the information to make unauthorized withdrawals from your bank account, pay for online purchases using your credit card, or even sell your personal information to other thieves.

"These thieves are very good at convincing you that you are receiving a legitimate message or using a Web site from a trusted source," says Michael Benardo, a manager in the FDIC's Technology Supervision Branch.

While federal and state laws and industry practices generally limit dollar losses for unauthorized transfers from accounts, if an ID thief uses your name to commit fraud you are likely to spend a great deal of time and money — sometimes hundreds or thousands of dollars — correcting your credit files or otherwise defending yourself. Therefore, it's very important to be on guard against phishing scams and other types of Internet fraud.

What Can I Do To Protect Myself from Phishing Scams?

Never provide your personal information in response to an unsolicited call, fax, letter, e-mail or Internet advertisement. "If you did not initiate the communication, do not give this information, regardless of how legitimate or genuine these people or entities may appear to be," says William Henley, Jr., an FDIC electronic banking specialist.

If you decide to initiate a transaction with a bank or other entity on the Web, take some simple precautions. Don't provide personal information to a Web site using a link from an e-mail or an Internet advertisement, no matter how legitimate it may appear. "Clicking on a link in an e-mail or an Internet ad is very risky," says Donald Saxinger, another FDIC electronic banking specialist. "You're always safer typing in the URL (Web address) from scratch, assuming you type it in correctly." The problem with typing a URL incorrectly or guessing about a Web address is that some fraudulent, copycat sites deliberately use URLs that are very similar to, but not the same as, those for well-known companies or government agencies. When contacting your bank, for example, use the phone number or Web address listed on your monthly statements or other literature from the institution.

Quickly report anything suspicious to the proper authorities. Report any questionable e-mail message or Web site to the real bank, company or government agency, using a phone number or e-mail address from a reliable source. Example: If your bank's Web page looks different or unusual, contact the institution directly to confirm that you haven't landed on a copycat Web site set up by criminals. "Customer inquiries about changes to a Web site are one of the most prevalent ways that banks and other organizations are finding out about unauthorized sites containing the look and feel of a legitimate Web site," says Paul Onischuk, also an FDIC electronic banking specialist. And if you're pretty sure an e-mail or Web site is fraudulent, contact the Internet Crime Complaint Center (www.ifccfbi.gov), a partnership between the FBI and the National White Collar Crime Center.

What If I Am Already A Victim of a Phishing Scam?

If you believe you are a victim of ID theft due to a phishing scam, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you spotted unauthorized charges on your credit card, immediately contact your financial institution and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.

You also can file a complaint or learn more about ID theft and Phishing scams by going to the Federal Trade Commission Web site at www.ftc.gov or calling toll-free 877-382-4357.

(The information on Phishing was taken from FDIC Consumer News - Winter 2003/2004)

Pharming

"Pharming" is the practice of redirecting Internet domain name requests to false Web sites in order to capture personal information, which may later be used to commit fraud and identity theft. For example, an Internet banking customer, who routinely logs in to his online banking Web site, may be redirected to an illegitimate Web instead of accessing his or her bank's Web site.
Pharming can occur in four different ways:

Static domain name spoofing: The "pharmer" (the person or entity committing the fraud) attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the pharmer's Web site. For example, a pharmer may redirect a user to anybnk.com instead of anybank.com, the site the user intended to access.

Malicious software (Malware): Viruses and "Trojans" (latent malicious code or devices that secretly capture data) on a consumer's personal computer may intercept the user's request to visit a particular site, such as anybank.com, and redirect the user to the site that the pharmer has set up.

Domain hijacking: A hacker may steal or hijack a company's legitimate Web site, allowing the hacker to redirect all legitimate Internet traffic to an illegitimate site. Domain names generally can be hijacked with what is known as DNS poisoning. Domain name servers (DNS) are similar to Internet road map guides. When an individual enters www.anybank.com into his or her browser, Domain Name Servers on the Internet translate the phrase anybank.com into an Internet protocol (IP) address, which provides routing directions. After the DNS server provides this address information, the user's connection request is routed to anybank.com. Local DNS servers can be "poisoned" to send users to a Web site other than the one that was requested. This poisoning can occur as a result of misconfiguration, network vulnerabilities or Malware installed on the server.

What Can I Do to Protect Myself from Pharming Scams?

The Bank of LaFayette has taken stringent steps to reduce the likelihood that domain hijacking and DNS poisoning will occur. If you are a customer of The Bank of LaFayette (or any other financial institution for that matter) you need to be concerned about domain name spoofing and malicious software.

Domain Name Spoofing

Always type the website's URL into your browser's address bar yourself or use a known-good 'favorite' or 'bookmark' from your browser's menu bar.

Always carefully check the spelling of the website's address and make sure you've typed it correctly.

Never click on a link in an email to access your financial institution's website. Attacker's may place incorrect information in the email link that will direct your browser away from the legitimate site. Sometimes such links will even take you to the legitimate website but will route the traffic through a malicious server that 'captures' all information you send such as account numbers and passwords.

If you are suspicious of a website you have accessed, call your financial institution and ask them to give you the their website's address. Inform the institution if the address is different. When calling the institution, look up the telephone number yourself and do not depend on the accuracy of any phone numbers on the website as it may be fraudulent as well.

Malicious software (Malware)

Make sure that you have current versions of virus detection software, firewalls and spyware scanning tools installed on your computer(s) to reduce computer infections. You should also regularly update these tools to combat new threats.

(Portions of the information provided on pharming was taken from FDIC Financial Institution Letter FIL-64-2005)

Spyware

One of the fastest growing 'threats' on the Internet has become “spyware” – a form of software that collects personal and confidential information about a person or organization without their proper knowledge or informed consent, and reports it to a third party. Many firewall and anti-virus software packages do not protect computers from spyware.

How Can My PC Become Infected with Spyware?

Spyware is usually installed without a user's knowledge or permission. However, users may intentionally install spyware without understanding the full ramifications of their actions. A user may be required to accept an End User Licensing Agreement (EULA), which often does not clearly inform the user about the extent or manner in which information is collected. In such cases, the software is installed without the user's “informed consent.”

Spyware can be installed through the following methods:

Downloaded with other Internet downloads in a practice called “bundling.” In many cases, all the licensing agreements may be included in one pop-up window that, unless read carefully, may leave the user unaware of “bundled” spyware.

Directly downloaded by users who were persuaded that the technology offers a benefit. Some spyware claims to offer increased productivity, virus scanning capabilities or other benefits.

Installed through an Internet browsing technique called “drive-by downloads.” In this technique, spyware is installed when a user simply visits a Web site. The user may be prompted to accept the download believing it is necessary in order to view the Web page. Another method is to prompt the user to install the program through pop-up windows that remain open, or download the software regardless of the action taken by the user.

Automatically downloaded when users open or view unsolicited e-mail messages.

What Are the Behaviors Associated With Spyware?

Spyware can be difficult to detect and remove because it:

Does not always appear as a running program in the Window's Task Manager; therefore, the user may be unaware that his or her computer is infected.

May not include a removal option in the Windows “Add/Remove Programs” function. When such an option is present, the removal process may not eliminate all components, or it may redirect the user to an Internet site to complete the removal. This often results in new or additional infection rather than removal. In addition, some spyware includes a feature to reinstall itself when any portion is deleted.

May cause a further infestation by installing other spyware programs onto users' computers.

What Are The Risks Associated With Spyware?

Spyware increases the risk to users by:

Exploiting security vulnerabilities or settings, changing the computer configuration to relax security settings, or allowing a channel into the user's PC by circumventing the firewall. The result is that attackers can eavesdrop and intercept sensitive communications by monitoring keystrokes, e-mail and Internet communications. This monitoring may lead to the compromise of sensitive information, including user IDs and passwords.

Providing attackers the ability to control the user's computer to send unsolicited “junk” e-mail (SPAM) or malicious software (Malware), or to perform denial of service (DoS) attacks against other organizations.

Draining system resources and productivity and consuming system resources, even when the user is not browsing the Internet, such as when "adware" results in voluminous unwanted pop-up advertisements.

Compromising confidentiality. Certain types of spyware route all Internet communications through their own servers, often without the user's knowledge. This allows a third party to read sensitive Internet communications even when Secure Socket Layer (SSL) or other encryption protocols are used. Other forms of spyware install an application on the user's computer that monitors and records all Internet communications and sends the report back to the originator. Identity thieves may then impersonate the customer using the IDs and passwords collected.

Increasing vulnerability to “phishing” and “pharming” attacks, as some spyware can redirect Internet page requests. Phishing seeks to lure a user to a spoofed Web site using an e-mail that appears to come from a legitimate site. Pharming seeks to redirect a user to a spoofed Web site by introducing false data into a legitimate domain name server (DNS). The spoofed Web sites are set up to collect private customer information, such as account user IDs and passwords. In addition, objectionable or inappropriate information received by the customer from redirected Web sites can ultimately damage the financial institution's reputation.

What Can I Do To Minimize The Risk Of A Spyware Infection On My Computer?

You can prevent and detect spyware by:

Installing and periodically updating anti-spyware, virus protection and firewall software.

Adjusting browser settings to prompt the user whenever a Web site tries to install a new program or Active-X control.

Carefully reading all End User Licensing Agreements and avoiding downloading software when licensing agreements are difficult to understand.

Maintaining patches to operating systems and browsers.

Not opening e-mail from untrustworthy sources.

(portions of the information provided on spyware was taken from FDIC Institutional Letter FIL-66-2005)