LAYERED SECURITY IS YOUR BEST DEFENSE.
In the fight against cybercrime, Layered Security is your best defense. This is why Peoples Bank is adding additional layers to its customer’s information at log-in as well as certain transactional pages. Our multi-layered approach will help protect against unauthorized access to your online accounts.
USERNAME AND PASSWORD
This is the first layer of security for your online account with Peoples Bank. When you apply for Internet Banking, you will choose a username and password and this will be the first step in gaining access to your account. When selecting your password, the stronger… the better. Try to avoid common passwords like: “password”, your child’s name, or your user ID. It is important that you change your password periodically to increase your defense against would be hackers, so we will send you a message every 180 days to help remind you to change it.
When you log into Internet Banking, you will be prompted to set up 3 security questions and answer them. Once you select which questions you would like, you will then be asked one of the three questions on all future logins. When selecting your security questions, remember that access to your information may already be available through social networks. If you are on Facebook or Twitter, it may be easy for someone to find the answer to a question like “What is your mother’s maiden name?”. So, pick a question that only you would know! This provides that additional layer of security for your online account.
ONE TIME PIN NUMBER (OTP)
As a Peoples Bank Internet Banking user, you may also be asked to retrieve a One Time PIN (OTP) to authenticate. After you have entered your username/password and answered your security question, you may then be prompted to have a One Time PIN sent to your email address that we have on file. Peoples Bank will send that PIN to your email, you will retrieve the PIN and enter it when prompted for access to your account.
It is important that Internet Banking users periodically change their password and security questions. We will send you a “reminder” every 180 days to suggest that you change your password and/or security questions. Changing these credentials will make it that much harder for a would be criminal to gain access to your account.
STILL WANT MORE SECURITY? We have you covered! As a Peoples Bank Internet Banking user, you can set up “Notify Me Alerts” to stay informed of the activity on your account. You can set the alerts to send you an email or text when a login is successful, when there are transactions over a certain amount, when a check has cleared, as well as balance information.
The above mentioned protections only apply to Peoples Bank account holders that utilize Peoples Bank Internet Banking. Peoples Bank will never, under any circumstance, contact you on an unsolicited basis and request your Internet Banking credentials. If at any time you notice suspicious account activity or experience other information security-related events associated with your account, please call 870-234-5777.
At Peoples Bank, we understand that the protection of your personal information is a top priority. We take this security very seriously and are always looking for better ways to keep that information safe. One of the greatest forms of protection is knowledge, so we have included some valuable tips on things you can do to help fight against unauthorized access to your personal information.
Tips to help you protect your information.
Create Strong Passwords
Selecting a password is often your first defense against unauthorized access to your information. Always use a “strong” password, which includes letters, numbers, special characters, and upper case letters. The more complex the password, the better chance you have in deterring a would be criminal from obtaining your credentials. For more information on creating a “strong” password, visit the the following link. Create Strong Passwords – Microsoft
Always Log Out
Not logging out of a computer or mobile device can put you and your personal information at risk. Always be careful when using public computers and when sending information over public networks (such as Wi-Fi). Making it a good habit of logging out of accounts (financial, social media, etc…) after every use can help reduce your exposure to unauthorized access to these accounts.
Change Your Password Periodically
Changing your password periodically can help keep your password security “fresh.” If you often use the same password for multiple accounts, (email, online banking, social media) then if one account is compromised, the others are also at much higher risk. Changing your password periodically on your accounts (even if just a few characters) can greatly reduce unauthorized access to your various accounts.
Beware of Malicious Email
Email is a great tool of communication but can also create one of the greatest risks to the security of your personal information. Cyber criminals use email for various attacks such as “Phishing,” “Spoofing,” and “Spam.” The impact of these attacks can be greatly reduced by understanding what these attacks look like.
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Visit the following link by the Federal Trade Commission on How Not to Get Hooked by a ‘Phishing Scam.’
Spoofing refers to email that appears to have been sent from someone other than the real sender. Virus writers and individuals who send junk email or “spam,” typically want the email to appear to be from an email address that is not their own. Thus, the email cannot be traced back to the originator.
Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send — most of the costs are paid for by the recipient or the carriers rather than by the sender.
Corporate Account Takeover (CATO)
Corporate Account Takeover is a type of business identity theft where cyber thieves gain control of a business’ bank account by stealing employee passwords and other valid credentials. Thieves can then initiate fraudulent wire and ACH transactions to accounts controlled by the thieves.
Businesses across the United States have suffered large financial losses from electronic crimes through the banking system. These thefts have ranged from a few thousand to several million dollars. They have occurred in banks of all sizes and locations. And, they may not be covered by the bank’s insurance. Along with the financial impact, there is also a very high level of reputation risk for financial institutions.
Recognizing the importance of having banker developed practices specifically to assist the banking industry, the Conference of State Bank Supervisors (CSBS) and the Financial Services – Information Sharing and Analysis Center (FS-ISAC) have joined with the United States Secret Service (US Secret Service) and Texas Department of Banking to make practices for mitigating the risks of Corporate Account Takeover available to financial institutions nationwide.
The Task Force developed a list of nineteen processes and controls for reducing risk of Corporate Account Takeovers. These processes and controls expand upon a three-part risk management framework developed by the FS-ISAC, the US Secret Service, the Federal Bureau of Investigation, and the Internet Crime Complaint (IC3)1. Fundamentally, a bank should implement processes and controls centered on three core elements: Protect; Detect; and Respond.
The Task Force has also compiled a set of best practices for each of the recommended processes and controls under the Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing the nineteen processes and controls needed to reduce the risk of Corporate Account Takeover thefts. The Federal Financial Institutions Examination Council’s (FFIEC) Supplement to Authentication in an Internet Banking Environment2 (FFIEC Supplemental Guidance) issued on June 28, 2011, conveys minimum expectations with are noted within this document. It is important to remember that electronic crimes are dynamic as cyber criminals continually change their techniques. Additional changes in risk management processes and controls will be necessary as this type of theft continues to evolve.
1 Refer to the jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” available on the IC3 website (http://www.ic3.gov/media/2010/corporateaccounttakeover.pdf).
RESOURCES FOR BUSINESS ACCOUNT HOLDERS
- The Better Business Bureau’s website on Data Security Made Simpler: http://www.bbb.org/data-security
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data: http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html;
- The National Institute of Standards and Technology’s (NIST) Fundamentals of Information Security for Small Businesses: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf;
- The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, and IC3website (http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf)
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers: http://www.nacha.org/c/Corporate_Account_Takeover_Resource_Center.cfm.
EXAMPLES OF DECEPTIVE WAY CRIMINALS CONTACT ACCOUNT HOLDERS
- The FDIC does not directly contact bank customers (especially related to ACH and Wire transactions, account suspension, or security alerts), nor does the FDIC request bank customers to install software upgrades. Such messages should be treated as fraudulent and the account holder should permanently delete them and not click on any links.
- Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking the customer to install software, provide account information or access credentials is probably fraudulent and should be verified before any files are opened, software in installed, or information is provided.
- Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, account holders should contact the organization at the phone number the customer obtained from a different source(such as the number they have on file, that is on their most recent statement, or that is from the organization’s website). Account holders should not call phone numbers (even local prefixes) that are listed in the suspicious email or text message.
INCIDENT RESPONSE PLANS
Since each business is unique, customers should write their own incident response plan. A general template would include:
- The direct contact numbers of key bank employees (including after hour numbers)
- Steps the account holder should consider to limit further unauthorized transactions, such as:
- Changing passwords;
- Disconnecting computers used for Internet Banking; and
- Requesting a temporary hold on all other transactions until out-of-band confirmations can be made;
- Information the account holder will provide to assist the bank in recovering their money;
- Contacting their insurance carrier; and
- Working with computer forensic specialists and law enforcement to review appropriate equipment.
INFORMATION SECURITY LAWS AND STANDARDS AFFECTING BUSINESS OWNERS
Although banks are not responsible for ensuring their account holders comply with information security laws, making business owners aware of consequences for non-compliance if the information is breached can reinforce the message that they need to maintain stronger security. Breaches of credit and debit card information can create financial and reputational risks for the business.
When providing security awareness educations to corporate customers, banks may want to also alert business owners of the need to safeguard their own customers’ sensitive information. State statutes related to safeguarding customer information could be provided as part of the educations process. The Payment Card Industry Security Standards Council was launched in 2006 to manage security standards related to card processing. Any merchant that accepts credit or debit cards for payment is required to secure their date based on the standards developed by the council. The PCI Security Standards Council website https://www.pcisecuritystandards.org/security_standards/index.php notes that noncompliance may lead to lawsuits, cancelled accounts, and monetary fines. The website provides information for small business compliance.