Protect Your “Cyber Home” With a Solid Foundation
Simple steps to secure your computers and mobile devices for Internet banking and shopping
Your home has locks on the doors and windows to protect your family and prevent thieves from stealing cash, electronics, jewelry and other physical possessions. But do you have deterrents to prevent the loss or theft of your electronic assets, including bank account and other information in your personal computers, at home and when banking or shopping remotely online?
“Think about all of the access points to and from your computer — such as Internet connections, email accounts and wireless networks,” said Michael Benardo, manager of the FDIC’s Cyber-Fraud and Financial Crimes Section. “These always need to be protected. Otherwise, it’s like leaving your front door wide open while you are away so that anyone could come in and take what they please.”
Banking by Computer or Mobile Device
Take extra precautions for logging into bank and other financial accounts. These measures include using "strong" user IDs and passwords by choosing combinations of upper- and lower-case letters, numbers, and symbols that are hard for a hacker to guess. Don't use your birthdate, address or other words or numbers that can be easy for con artists to find out or guess. Don't use the same password for different accounts because a criminal who obtains one password can then log into your other accounts. Keep your user IDs and passwords secret, and change them regularly. Make sure to log out of financial accounts when you complete your transactions or walk away from the computer.
Consider using a separate computer solely for online banking or shopping. A growing number of people are purchasing basic PCs and using them only for banking online and not Web browsing, emailing, social networking, playing games or other activities that are more susceptible to malicious software — known generally as "malware" — that can access computers and steal information. As an alternative, you can use an old PC for this limited purpose, but uninstall any software no longer needed and scan the entire PC to check for malicious software before proceeding.
Take precautions if you provide financial account information to third parties online. For example, some people use online "account aggregation" services that, from one website, can provide a convenient way to pay bills, monitor balances in deposits and investment accounts, and even keep track of your frequent flyer miles. While these websites may be beneficial, they can also present potential issues related to the security of the account information you have shared with them. If you want to use their services, thoroughly research the company behind the website, including making sure that you're dealing with a legitimate entity and not a fraudulent site. Also, ask what protections the website offers if it experiences a data breach or loss of data.
Periodically check your bank accounts for signs of fraud. If you bank online, check your deposit accounts and lines of credit at frequent intervals to spot and report errors or fraudulent transactions, just as you would review a paper statement. Online banking makes it easier and faster to monitor your accounts. This is important because the sooner you can detect a problem with a transaction, the easier it should be to fix.
Federal laws generally limit your liability for unauthorized use of your debit, credit, and prepaid cards, especially if you report the problem to your financial institution within specified time periods, which vary depending on the circumstances. A good rule of thumb is to check your accounts online at least twice a week. Also, many banks make it easier for customers to keep track of their accounts by offering email or text message alerts when balances fall below a certain level or when there is a transaction over a certain amount.
Courtesy of FDIC Consumer News – Winter 2016
Basic Security Tips
1. KEEP YOUR SOFTWARE UP TO DATE. SOFTWARE MANUFACTURERS CONTINUALLY UPDATE THEIR PRODUCTS TO FIX VULNERABILITIES OR SECURITY WEAKNESSES WHEN THEY FIND THEM.
"All of your software should be checked and updated as generally recommended by the manufacturer or when flaws are found," explained Kathryn Weatherby, a fraud examination specialist for the FDIC. "This advice goes for everything from your operating system to your word processing software, Internet browsers, spreadsheet software, and even your digital photography applications. A vulnerability in one piece of software, no matter how insignificant it may seem, can be exploited by a hacker and used as a pathway into your whole computer."
Some software manufacturers may issue "patches" that you need to install to update a program. Others may simply provide you with a completely new version of the software. "Before installing any update you receive, make sure it is legitimate, especially if it is emailed to you," said Michael Benardo, manager of the FDIC’s Cyber-Fraud and Financial Crimes Section. "Check the software manufacturer's website or contact the company directly to verify the update's validity. Criminals have been known to imitate software vendors providing a security update when, in fact, they are distributing malware. Once you confirm that an update is legitimate, install it as soon as possible to correct whatever security flaw might exist."
2. INSTALL ANTI-VIRUS SOFTWARE THAT PREVENTS, DETECTS AND REMOVES MALICIOUS PROGRAMS.
Crooks and computer hackers are always developing new malware that can access computers and steal information, such as account passwords or credit or debit card numbers. These programs also may be able to destroy data from the infected computer's hard drive.
Malware can enter your computer in a variety of ways, perhaps as an attachment to an email, a downloaded file from an infected website, or from a contaminated thumb drive or disk. Fight back by installing anti-virus software that periodically runs in the background of your computer to search for and remove malware. Also be sure to set the software to update automatically so that it can protect you from the latest malware. (For more information see the fifth tab on this page, "Beware of Malware: Think Before You Click!").
3. USE A FIREWALL PROGRAM TO PREVENT UNAUTHORIZED ACCESS TO YOUR PC.
A firewall is a combination of hardware and software that establishes a barrier between your personal computer and an external network, such as the Internet, and then monitors and controls incoming and outgoing network traffic. In simple terms, a firewall acts as a gatekeeper that helps screen out hackers, malware and other intruders who try to access your computer from the Internet.
4. ONLY USE SECURITY PRODUCTS FROM REPUTABLE COMPANIES.
Some anti-virus software and firewalls can be purchased, while others are available free. Either way, it's a good idea to check out these products by reading reviews from computer and consumer publications. Look for products that have high ratings for detecting problems and for providing tech support if your computer becomes infected. Other ways to select the right protection products for your computer are to consult with the manufacturer of your computer or operating system or to ask someone you know who is a computer expert.
5. TAKE ADVANTAGE OF INTERNET SAFETY FEATURES.
When you are banking online, shopping on the Internet or filling out an application that requests sensitive personal information such as credit card, debit card, and bank account numbers, make sure you are doing business with reputable companies. You also can have greater confidence in a website that encrypts (scrambles) the information as it travels to and from your computer. Look for a padlock symbol on the page and a Web address that starts with "https://." The "s" stands for "secure."
Also, current versions of most popular Internet browsers and search engines often will indicate if you are visiting a suspicious website or a page that cannot be verified as trusted. It's best not to continue on to pages with these kinds of warnings. Review your Internet browser's user instructions and explore the "tools" and "help" tabs to learn more about the security settings and alerts offered.
6. BE CAREFUL WHERE AND HOW YOU CONNECT TO THE INTERNET.
A public computer, such as at an Internet café or a hotel business center, may not have up-to-date security software and could be infected with malware. Similarly, if you are using a portable computer (such as a laptop or mobile device) for online banking or shopping, avoid connecting it to a wireless (Wi-Fi) network at a public "hotspot" such as a coffee shop, hotel or airport. Wi-Fi in public areas can be used by criminals to intercept your device's signals and as a collection point for personal information.
The bottom line, especially for sensitive matters such as online banking and activities that involve personal information, is to consider only accessing the Internet using your own computer with a secure, trusted connection, and to only connect laptops and mobile devices to trusted networks.
For more tips on computer and Internet security for bank customers, visit www.onguardonline.gov for information from the federal government on how to be safe online. The site includes videos from the Federal Trade Commission on what to do if your email is hacked or if malware attacks your computer.
Courtesy of FDIC Consumer News – Winter 2016
Practice Good Password Management
It’s literally impossible to remember unique passwords for all the devices you have, and all the sites that require them. But the most common mistake people make is to create a simple, easy to remember password, and use it on all their devices and websites.
Unfortunately, this makes it really easy for cybercriminals to figure it out and exploit this weakness in security.
Here are a few basic tips to better manage passwords:
- Use long passwords. 20 characters or more is recommended. Hint: think of a favorite song lyric and use that as a starting place.
- Use a strong mix of characters. Include numbers and special characters like dollar signs and exclamation points.
- Never use the same password for multiple sites.
- Don’t share your passwords. And if you must write them down, put them in a secure place, not on a sticky note attached to your monitor.
- Update your passwords periodically, at least once every 6 months (90 days is better).
- A password management program can help you to maintain strong unique passwords for all of your accounts. These programs can generate strong passwords for you, enter credentials automatically and remind you to update your passwords periodically. There are several online password management services available, and many offer free versions.
- Enable two-factor authentication on services that support it, such as Gmail, Twitter and Facebook. Most of the time this service will send a unique one-time code to your phone, that you will confirm online. This way, if someone manages to sniff out your password while on a public Wi-Fi network, you have an extra layer of protection.
Going Mobile: How to be Safer When Using a Smartphone or Tablet
Everywhere you look, people are using smartphones and tablets as portable, hand-held computers. "Unfortunately, cybercriminals are also interested in using or accessing these devices to steal information or commit other crimes," said Michael Benardo, manager of the FDIC's Cyber-Fraud and Financial Crimes Section. "That makes it essential for users of mobile devices to take measures to secure them, just as they would a desktop computer."
Here are some basic steps you can take to secure your mobile devices.
Avoid apps that may contain malware.
Buy or download from well-known app stores, such as those established by your phone manufacturer or cellular service provider. Consult your financial institution's website to confirm where to download its official app for mobile banking.
Keep your device’s operating system and apps updated.
Consider opting for automatic updates because doing so will ensure that you have the latest fixes for any security weaknesses the manufacturer discovers. "Cybercriminals try to take advantage of known flaws, so keeping your software up to date will help reduce your vulnerability to foul play," said Robert Brown, a senior ombudsman specialist at the FDIC.
Consider using mobile security software and apps to protect your device.
For example, anti-malware software for smartphones and tablets can be purchased from a reputable vendor.
Use a password or other security feature to restrict access in case your device is lost or stolen.
Activate the "time out" or "auto lock" feature that secures your mobile device when it is left unused for a certain number of minutes. Set that security feature to start after a relatively brief period of inactivity. Doing so reduces the likelihood that a thief will be able to use your phone or tablet.
Back up data on your smartphone or tablet.
This is good to do in case your device is lost, stolen or just stops working one day. Data can easily be backed up to a computer or to a back-up service, which may be offered by your mobile carrier.
Have the ability to remotely remove data from your device if it is lost or stolen.
A “remote wipe” protects data from prying eyes. If the device has been backed up, the information can be restored on a replacement device or the original (if you get it back). A number of reputable apps can enable remote wiping.
Courtesy of FDIC Consumer News – Winter 2016
Beware of Malware: Think Before You Click!
Malicious software — or “malware” for short — is a broad class of software built with malicious intent. “You may have heard of malware being referred to as a “computer bug” or “virus” because most malware is designed to spread like a contagious illness, infecting other computers it comes into contact with,” said Michael Benardo, manager of the FDIC’s Cyber Fraud and Financial Crimes Section. “And if you don’t protect your computer, it could become infected by malware that steals your personal financial information, spies on you by capturing your keystrokes, or even destroys data.”
Law enforcement agencies and security experts have seen an increase in a certain kind of malware known as “ransomware,” which restricts someone’s access to a computer or a smartphone — literally holding the device hostage — until a ransom is paid. While businesses have been targeted more than consumers to date, many home computer users have been victims of ransomware. For more information, see an alert issued by the U.S. Department of Homeland Security at www.us-cert.gov/ncas/alerts/TA13-309A.
The most common way malware spreads is when someone clicks on an email attachment — anything from a document to a photo, video or audio file. Criminals also might try to get you to download malware by including a link in the wording of an email or in a social media post that directs you somewhere else, often to an infected file or Web page on the Internet. The link might be part of a story that sounds very provocative, such as one with a headline that says, “How to Get Rich” or “You Have to See This!” Malware also can spread across a network of linked computers, be downloaded from an infected website, or be passed around on a contaminated portable storage device, such as a thumb drive or flash drive.
Here are reminders plus additional tips on how to generally keep malware off your computer.
Don’t immediately open email attachments or click on links in unsolicited or suspicious-looking emails. Think before you click! Cybercriminals are good at creating fake emails that look legitimate but can install malware. Either ignore unsolicited requests to open attachments or files or independently verify that the supposed source did send the email to you (by using a published email address or telephone number). “Even if the attachment is from someone you know, consider if you really need to open the attachment, especially if the email looks suspicious,” added Benardo.
Install good anti-virus software that periodically runs to search for and remove malware. Make sure to set the software to update automatically and scan for the latest malware.
Be diligent about using spam (junk mail) filters provided by your email provider. These services help block mass emails that might contain malware from reaching your email inbox.
Don’t visit untrusted websites and don’t believe everything you read. Criminals might create fake websites and pop-ups with enticing messages intended to draw you in and download malware. “Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable,” warned Amber Holmes, a financial crimes information specialist with the FDIC. “And please, don’t click on a link to learn more. If something sounds too good to be true, then most likely it’s fraudulent or harmful.”
Be careful if anyone — even a well-intentioned friend or family member — gives you a disk or thumb drive to insert in your computer. It could have hidden malware on it. “Don’t access a disk or thumb drive without first scanning it with your security software,” said Holmes. “If you are still unsure, don’t take a chance.”
To learn more about how to protect against malware, visit www.onguardonline.gov/articles/0011-malware.
Courtesy of FDIC Consumer News – Winter 2016
Cybersecurity for Small Businesses: Ways to Stay Protected
In today's world, it's important for small business owners to be vigilant in protecting their computer systems and data. Among the reasons: Federal consumer protections generally do not cover businesses for losses they incur from unauthorized electronic fund transfers. That means, for example, your bank may not be responsible for reimbursing losses associated with an electronic theft from your bank account— for instance, if there was negligence on the part of your business, such as unsecured computers or falling for common scams.
Here are tips to help small business owners and their employees protect themselves and their companies from losses and other harm. Several of these tips mirror basic precautions we have suggested elsewhere herein for consumers.
PROTECT COMPUTERS AND WI-FI NETWORKS.
Equip your computers with up-to-date anti-virus software and firewalls to block unwanted access. Arrange for key security software to automatically update, if possible. And if you have a Wi-Fi network for your workplace, make sure it is secure, including having the router protected by a password that is set by you (not the default password). The user manual for your device can give you instructions, which are also generally available online.
PATCH SOFTWARE IN A TIMELY MANNER.
Software vendors regularly provide "patches" or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure the software to install such updates automatically.
SET CYBERSECURITY PROCEDURES AND TRAINING FOR EMPLOYEES.
Consider reducing risks through steps such as pre-employment background checks and clearly outlined policies for personal use of computers. Limit employee access to the data systems that they need for their jobs and require permission to install any software. Train employees about cybersecurity issues, such as suspicious or unsolicited emails asking them to click on a link, open an attachment or provide account information. By complying with what appears to be a simple request, your employees may be installing malware on your network. You can use training resources such as a 30-minute online course from the Small Business Administration (SBA).
REQUIRE STRONG AUTHENTICATION.
Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices, and online accounts by using combinations of upper- and lower-case letters, numbers, and symbols that are hard to guess and changed regularly. Consider requiring more information beyond a password to gain access to your business's network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.
SECURE THE BUSINESS'S TABLETS AND SMARTPHONES.
Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your company’s network. In the case of the latter, require employees to password-protect their devices, encrypt their data and install security apps to prevent criminals from accessing the device while it is connected to public networks. Also, develop and enforce reporting procedures for lost or stolen equipment.
BACKUP IMPORTANT BUSINESS SYSTEMS AND DATA.
Do so at least once a week. For your backup data, remember to use the same security measures (such as encryption) that you would apply to the original data. In addition, in case your main computer becomes infected, regularly back up sensitive business data to additional, disconnected storage devices.
USE BEST PRACTICES FOR HANDLING CARD PAYMENTS ONLINE.
Seek advice from your bank or a payment processor to select the most trusted and validated tools and anti-fraud services. This may include using just one computer or tablet for payment processing.
BE VIGILANT FOR EARLY SIGNS SOMETHING IS WRONG.
"Monitor bank account balances regularly to look for suspicious or unauthorized activity," suggested Luke W. Reynolds, chief of the FDIC's Outreach and Program Development Section.
Courtesy of FDIC Consumer News – Winter 2016
Online Banking