Information Security

FFIEC Consumer Guidance
Account Authentication &
Online Banking

Important facts

Multi-factor authentication and layered security are helping assure safe Internet transactions for banks and their customers.

If you use online or mobile banking, you will be interested to learn that six federal financial industry regulators teamed up recently to make your accounts more secure. New supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) will help banks strengthen their vigilance and make sure that the person signing into your account is actually you. The supervisory guidance is designed to make online transactions of virtually all types safer and more secure.

Understanding the factors

Online security begins with the authentication process, used to confirm that it is you, and not someone who has stolen your identity. Authentication generally involves one or more basic factors:

  1. Something the user knows (e.g., password, PIN)
  2. Something the user has (e.g., ATM card, smart card)
  3. Something the user is (e.g., biometric characteristic, such as a fingerprint).

Single factor authentication uses one of these methods; multi-factor authentication uses more than one, and thus is considered a stronger fraud deterrent. When you use your ATM, for example, you are utilizing multi-factor authentication: Factor number one is something you have, your ATM card; factor number two is something you know, your PIN.

To assure your continued security online, your bank uses both single and multi-factor authentication, as well as additional "layered security" measures when appropriate.

Layered security for increased safety

Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. An example of layered security might be that you follow one process to log in (user/password), and then give additional information to authorize funds transfers.

Layered security can substantially strengthen the overall security of online transactions… protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.

The purpose of these layers is to allow your bank to authenticate customers and detect and respond to suspicious activity related to initial login and then to reconfirm this authentication when further transactions involve the transfer of funds to other parties.

Internal assessments at your bank

On the back end, the new supervisory guidance offers ways your bank can look for anomalies that could indicate fraud. The goal is to ensure that the level of authentication called for in a particular transaction is appropriate to the transaction’s level of risk. Accordingly, your bank has concluded a comprehensive risk assessment of its current methods as recommended in this supervisory guidance. These risk assessments consider, for example:

  1. changes in the internal and external threat environment
  2. changes in the customer base adopting electronic banking
  3. changes in the customer functionality offered through electronic banking; and
  4. actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Whenever increased risk to your transaction security might warrant it, your bank will be able to conduct additional verification procedures, or layers of control, such as:

  1. Utilizing call-back (voice) verification, e-mail approval, or cell phone based identification.
  2. Employing customer verification procedures, especially when opening accounts online.
  3. Analyzing banking transactions to identify suspicious patterns. For example, that could mean flagging a transaction in which a customer who normally pays $10,000 a month to five different vendors suddenly pays $100,000 to a completely new vendor.
  4. Establishing dollar limits that require manual intervention to exceed a preset limit.
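
The sketch below is an added illustration, not part of the original guidance or any bank's actual system. It shows how pattern analysis (item 3) and a preset dollar limit (item 4) can work as separate layers; the thresholds, names and sample history are assumptions chosen to mirror the vendor example above.

```python
from dataclasses import dataclass
from statistics import median

# Assumed policy values for illustration; a real institution derives
# these from its own risk assessment.
MANUAL_REVIEW_LIMIT = 50_000  # preset dollar limit needing manual intervention
AMOUNT_MULTIPLE = 5           # "unusual" = more than 5x the median past payment

@dataclass(frozen=True)
class Payment:
    payee: str
    amount: float

def assess(history: list[Payment], new: Payment) -> tuple[str, list[str]]:
    """Return (action, reasons) for a proposed payment.

    action is 'allow', 'step_up' (e.g. call-back verification) or
    'manual_review' (the preset dollar limit was exceeded).
    """
    reasons = []
    # Layer 1: pattern analysis against the customer's own history.
    if new.payee not in {p.payee for p in history}:
        reasons.append("new_payee")
    # With no history there is no baseline, so any amount counts as unusual.
    typical = median(p.amount for p in history) if history else 0.0
    if new.amount > AMOUNT_MULTIPLE * typical:
        reasons.append("amount_above_baseline")
    # Layer 2: hard dollar limit, applied even if the pattern looks normal.
    if new.amount > MANUAL_REVIEW_LIMIT:
        reasons.append("over_dollar_limit")
        return "manual_review", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons

# Constructed sample data: three months of $2,000 payments to five vendors
# ($10,000 a month in total), mirroring the example in the text.
HISTORY = [Payment(f"vendor-{i}", 2_000) for i in range(1, 6)] * 3

if __name__ == "__main__":
    for p in (Payment("vendor-1", 2_000), Payment("new-vendor", 2_500),
              Payment("new-vendor", 100_000)):
        print(p, "->", assess(HISTORY, p))
```

Because the dollar limit is checked independently of the pattern analysis, a large payment to a long-standing vendor is still held for manual review.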

Your protections under “Reg E”

Banks follow specific rules for electronic transactions issued by the Federal Reserve Board. Known as Regulation E, the rules cover all kinds of situations revolving around transfers made electronically. Under the consumer protections provided under Reg E, you can recover internet banking losses according to how soon you detect and report them.

Here is what the Federal rules require: If you report the losses within two days of receiving your statement, you can be liable for the first $50. After two days, the amount increases to $500. After 60 days, you could be legally liable for the full amount. These protections can be modified by state law or by policies at your bank, so be sure to ask your banker how these protections apply to your particular situation.

Customer vigilance: The first line of defense

Of course, understanding the risks and knowing how fraudsters might trick you is a critical step in protecting yourself online. You can make your computer safer by installing and regularly updating your:

  1. Anti-virus software
  2. Anti-malware programs
  3. Firewalls on your computer
  4. Operating system patches and updates

You can also learn more about online safety and security at these websites:

If you have suspicions

If you notice suspicious activity within your account or experience security-related events (such as a phishing email from someone purporting to be from your bank), you can contact anyone at your bank and you will be quickly and courteously guided to the person responsible for such issues.

© FINANCIAL EDUCATION CORPORATION
Mobile Banking

Banking on-the-go using a mobile phone, personal digital assistant or tablet is safe and convenient, and an educated user can help keep it that way. Here’s what you should know.

Mobile banking is growing in popularity

There’s a good reason for the incredible popularity of smart phones and similar mobile devices. They can be carried anywhere, and increasingly, they can do many of the functions of a computer, including online banking. By one estimate, 238 million people in the U.S. have mobile phones—78 percent of the population. Chances are you’re one of the 52 percent of consumers who have accessed some form of mobile banking. Or perhaps you haven’t put your toe in the water yet…you want to know more.

What is mobile banking?

Just as the name implies, Mobile Banking is a system that allows customers of a financial institution to conduct financial transactions through a mobile device such as a mobile phone, a personal digital assistant or a computer tablet.

In general, there are three ways mobile banking can provide this convenient access to your accounts:

  1. Mobile app: Some banks may offer a special “app” (a software application designed for a specific purpose), allowing you to log into your accounts and conduct business.
  2. Mobile web browser: This allows you to log in to your account through the internet using your phone’s browser and internet connection.
  3. SMS/text: You can set up text alerts or text your bank for information about your accounts.

Are there risks with mobile banking?

As with other forms of online banking, mobile banking has some inherent risks. But these can be minimized using some common sense precautions (see “How Do I Make Mobile Banking Safer?”). A major factor contributing to the risk of mobile banking is the failure to treat a cell phone or tablet like a computer. Consider the following:

  1. As many as 36% of users don’t even lock their devices with a simple PIN or password.
  2. Few consumers have any form of anti-malware software on their mobile devices and, with little consideration for security, many are willing to download apps from virtually any source.
  3. Because they are mobile, cell phones and tablets are regularly used on public networks, which are inherently less secure.

Making matters worse, customers are far more likely to lose a mobile phone than a laptop.

If your mobile device is lost or stolen, you could fall prey to identity theft and account hijacking. And beyond accessing your online accounts, thieves can access other saved passwords and sensitive information. (To guard against this, explore one of the many security apps that will erase the device’s content remotely.)

How do I make mobile banking safer?

The good news is that you can protect your information and your device by taking a few simple precautions, just as you would on your computer:

  1. Don’t get phished: Avoid clicking on links in text messages or emails, since these links may lead to malicious websites or downloads.
  2. Don’t save login information on your mobile device, especially to online banking or e-commerce sites.
  3. Have a passcode on your device and set it to auto-lock after a certain period of time.
  4. Before downloading any app, make sure it is from a known provider, then read the app’s privacy policy to make sure that it is not sharing your personal information.
  5. Carefully review your mobile phone bills for any suspicious charges or activity.
  6. Create secure passwords and keep your PIN safe. Change your password often, and do not use your pets’ names, your child’s name, or any birthdays.
  7. Consider installing a security app from one of the known and reliable security providers.

When used properly, mobile banking can be just as safe as any other form of online banking. Safety and security begin with treating your mobile device the same as a computer or laptop. Then, additional measures to safeguard against loss of the device, as well as use on public networks, can go a long way toward personal safety. And finally, if you are like most people, you usually know where your phone is—often within arm’s reach 24 hours a day. If you lose it, you know it almost immediately, unlike a wallet or a credit card, and can notify your bank before any damage is done.

To learn more about your bank’s mobile banking opportunities, talk to your banker.

Safe Online Banking
Online Banking,
Data Security & You

Partnering for online security

Online banking has grown rapidly into a major new way to bank. Some surveys show that more people prefer to bank online than in the traditional ways. This phenomenal growth has been accompanied by increases in the safety and security measures undertaken by banks and their customers. But cyber-criminals are always looking for new ways to electronically break into the bank and steal your money.

Safe online banking depends on continuing and strengthening this partnership:

Banks invest substantially in security

Lawmakers, regulators and the banking industry have forged substantive standards for safeguarding customers’ personal information.

Uniform examination procedures are in place to monitor and enforce these standards, and bank examiners regularly go on-site to assess how bank security measures are being implemented, understanding that each bank has a different menu of products and services, and therefore differing security requirements. Some of the areas they look at include:

  1. Access controls ensuring customer information can be accessed only by authorized persons, including use of multi-factor authentication when warranted.
  2. Physical restrictions at computer facilities that permit access to authorized persons only.
  3. Data encryption of electronically transmitted and stored customer information.
  4. Modification procedures to ensure that changes are consistent with the approved security program.
  5. Dual control procedures, segregation of duties, and employee background checks.
  6. Monitoring procedures to detect actual and attempted intrusions into customer information.
  7. Response programs specifying actions to be taken by specific individuals when the institution suspects unauthorized access.
  8. Environmental hazard protections against physical damage or technology failures.

Banks partner with you, the customer

Your bank has security measures to protect your account information, but they can’t be effective without your help and cooperation. Many account hijacking attempts come as a result of hacking into individual user accounts, and from there electronically breaking into the bank using your information and security codes.

Some common sense and easily implemented precautions can help you safeguard your personal information:

  1. Strong passwords: Avoid using easily guessed passwords such as birthdays or home addresses.
  2. Anti-virus protections: Make sure the anti-virus software on your computer is current and scans your email as it is received.
  3. Email safety: Email is generally not encrypted, so be wary of sending any sensitive information such as account numbers or other personal information in this way.
  4. Sign off and log out: Always log off by following the bank’s secured area exit procedures.
  5. Don’t get phished: Crooks are always trying to get your personal information, and they employ some ingenious methods. Don’t respond to any unusual email requests for personal information—when you opened your bank accounts you already gave it. When in doubt, call your bank.
  6. Monitor your accounts: When you check your accounts regularly, you can let your bank know immediately if you encounter anything that does not seem right.

Helpful Hint: Studies show that those who monitor their accounts online often detect fraud earlier than those who rely solely on paper statements.

Free credit reports your best tool

When it comes to guarding against cyber-fraud, one of the most important tools at your disposal is your credit report. It details all of your credit transaction accounts, and will be the first place that unusual charges or entirely new accounts will appear. And you can monitor your report for FREE.

Since Federal law permits consumers to obtain a free report annually from each of the three major credit reporting agencies, cyber-security experts advise that you get a free report from a different agency every four months. Doing so will allow you to monitor your personal online security all year long.


To order your free credit report,
go to the only authorized source
www.annualcreditreport.com
1-877-322-8228

Online and mobile threats

Cyber-fraudsters want to earn their money the easy way—by stealing yours.

Understanding how criminals try to trap you is your first line of defense:

  1. Phishing: This is the criminal attempt to steal your personal information through fraudulent emails or smart-phone texts. They are often very believable, luring the victim to a site that asks them to provide (or “verify”) personal financial details such as account numbers and social security numbers. A variation called Spear Phishing uses electronic messages that appear to come specifically to victims from their employer, usually a large corporation. Cyber-security experts often term the mobile phone version of phishing Smishing, playing off the SMS, or Short Message Service, terminology used in text messaging. Remember: your bank will not send emails asking for your personal information—they already have it.
  2. Card Skimming: This is a criminal’s attempt to gain a victim’s personal information by tampering with ATMs. Fraudsters set up a device that can capture magnetic stripe and keypad information, such as PINs and account numbers. Using ATMs you know and trust—as well as examining the machine closely—can help thwart this type of theft.
  3. Spyware: This is the term used for criminal software that a victim unknowingly loads on a personal computer. Once there, the spyware collects personal information and sends it to the criminal. Up-to-date security software is the best defense.

Helpful Hint: Cyber-criminals often prey on those who are most vulnerable, such as senior citizens or young adults, who may not be as aware of the technical aspects of the threats. Make sure you alert any friends or family members who might be in this category. They’ll appreciate it!



Resources

  1. Internet Crime Complaint Center: www.ic3.gov
  2. Consumer Fraud (Department of Justice Homepage): www.usdoj.gov
  3. Federal Trade Commission (FTC) Consumer Response Center: www.ftc.gov
  4. Consumer Guides and Protection: www.usa.gov
  5. Financial Fraud Enforcement Task Force: www.stopfraud.gov
  6. On Guard Online: www.onguardonline.gov