Protecting Yourself Online
The best defense is a good offense.
To keep your online banking information secure, you will need to think like a target and have good tools. This site exists to help with both. Start to think strategically about your online safety (if you haven’t already) and evaluate readily available hardware and software tools. Online security should have a relatively high rank within your life’s priorities, which means it should receive greater priority in your personal budget.
How to play good offense with Online Banking Security
Here are six things you can do to play successful offense in the Online Banking Security world:
- You need good malware protection. First and foremost, you need to download IBM Trusteer, which is the gold standard for applications that provide online banking security for online banking users. Entegra Bank believes in Trusteer so much we had to buy it, at considerable expense, and provide it to our customers. Simply put, if you don’t have Trusteer downloaded and operating on your computer (and any other computer that does banking transactions with Entegra Bank), you are at risk. That’s true no matter what other anti-virus or anti-malware software you have. Learn about Trusteer
- Software such as those provided by Microsoft, Intel (formerly McAfee), Symantec and other companies can keep your computer clean from known software and routines that would breach your security practices. However, it’s very important to keep those programs up-to-date.
- You need a good computer. Resist the urge to save money with a good computer system deal on eBay from an unknown source. The risk of malware isn’t worth the savings. Unless you are a professional geek, don’t use a computer if you don’t know where it’s been. That’s good advice your mother would approve of.
- You need a good password, a well-managed computer or mobile device, and a secure internet connection at home. The best password scheme is to have a different password for each web site that is not the same as the password that protects your computer or mobile device. Very good “password managers” exist that address this process. We are not able to endorse a particular solution for your circumstance. We encourage you to make a careful evaluation and decision about what works best for you. But, remember, it’s your online banking security at stake. Choose wisely.
- You need a good attitude about Online Banking Security. Sadly, many who have suffered financial losses from hack attacks report they didn’t think it would happen to them. Others did not take precautions because they thought the bank was responsible for the loss, not themselves. The truth is, you are the ultimate defense against hackers. If you don’t take online banking security seriously, you could be “cruising for a bruising.”
- You must make Online Banking Security a top budget priority. When it comes to making a decision on hardware or software don’t make the decision solely on cost. Chances are you can’t afford to go with the cheap option – not with your finances and identity at risk.
Banking Online Safely
Be on guard against emails and web sites that appear to be legitimate but are in fact attempting to steal your information or your money.
- Carefully inspect the web site address of any site asking for financial information or a password.
- Emails from the bank will only direct you to pages on the EntegraBank.com website.
What about links in email?
As a rule of thumb, NEVER open emails, or click links in an email from people you don’t know. Also, even if you do know the sender, it makes sense to hover your mouse over the link (or button or banner) and verify that the link goes to a trusted site.
Entegra Bank email with a link to the Entegra Bank website.
Bogus email with a link to a spammer’s website.
Some email links are safe to use—but always verify
We often send emails to customers with links to sites we have reason to believe are safe. Below are some examples:
Our own website, for example:
(Note the link has our official web address in the link. Official websites for our bank are: EntegraBank.com, MyEntegraBank)
Examples of third party links we believe to be safe:
- http://www.fdic.gov (even the FDIC has external links in their email)
- https://www.ordermychecks.com/login_a.jsp (our check provider)
- http://mortgage.entegrabank.com/default.aspx (our provider for online home loan applications)
- http://www.consumer.ftc.gov/articles/0271-signs-identity-theft (links to official government sites)
- http://www.microsoft.com/security/default.aspx (links to industry leading security information)
If you have a question about third party links in our email or on our website, please don’t hesitate to contact us directly:
Customer Service Hours
7:30am - 5:30pm, Monday through Thursday
7:30am - 6:00pm, Friday
Be skeptical of email from people you don’t know (and some you do!)
Many consumers (and businesses) lose money because they were victimized by bad guys using email to create an urgent or compelling reason to respond to the email.
Attempts to victimize recipients share two common themes:
- Scammers’ common goal is to entice, distract or frighten the recipient into responding to a call to action without considering potential consequences and
- the aim of these emails is to get recipients to divulge personal or financial information or to click on a link that allows criminals to steal information from or take control of a personal computer.
A good rule of thumb is “don’t reply or click any links in an email from someone you don’t know.” And, even if you do recognize the sender’s company, be careful. It could still be a trap! So, even if you do know the sender, it makes sense to hover your mouse over the link (or button or banner) and verify that the link goes to a trusted site.
There’s a very good newspaper article on this subject in our “Resources” section from BBB of Connecticut. Security Resources
What about opening links in email?
As we said above, a good rule of thumb is “don’t reply or click any links in an email from someone you don’t know.” And, even if you do recognize the sender’s company, be careful. Some links in email from people you know are harmless and may contain valuable information. But you should check out the link before you click.
However, there is an important exception to links in emails you receive from Entegra Bank.
We may send emails that contain links to our website or to our trusted business partners. Those are links that we consider safe. But, even so, you should not trust any email or link, even if it appears to be from us. It makes sense to hover your mouse over the link (or button or banner) and verify that the link goes to a trusted site. If you have doubts, or questions, contact us first, before you open the email or click on a link.
What about attachments?
The same caution about opening email and email links applies to opening email attachments. The first rule of thumb: don’t open any attachments from a source you do not absolutely trust. There may be exceptions, for example, your attorney may send you documents in an attachment. But, if you are not absolutely sure about the sender, or if you get an email you didn’t expect, do not open any attachment until you verify that it is legitimate – by contacting the sender.
Phishing and Pharming are techniques the bad guys use to trick you to provide your information (such as user ID, password, email address, etc.) by appearing to be a legitimate entity. These fraudsters then use the information to access your accounts, sometimes within minutes, maybe even seconds. Generally they try to get you to “confirm your information” either by a pop-up window or email. Be wary of this type of threat, and pay careful attention to the source of the request. Don’t click on the link without first inspecting it to see if the link itself is the same as what it says it is. In the case of “pharming,” the bad guys are intending to redirect a website’s traffic to another, fake site.
Navigating the internet safely
The bad guys have two primary means of getting what they want, and both of them can be successfully dealt with by simple precautions. One way is to appear to be somebody they are not, like Amazon, or your bank. The other way is to hack into the computers of legitimate web properties and grab a database of passwords or other sensitive information (that might include yours). Let’s talk about how you can protect yourself against each type of internet threat, the imposter and the hacker.
The threat of imposters is as old as the internet itself. How many times have you thought you typed “amazon.com” but found yourself at “anazon.com” instead? Some clever people have thought about how to exploit such a typo and go to extensive effort to keep you from realizing the mistake until you have given them your email address, user id and/or password. So make sure that you are where you intended to be before entering your personal information. Imposters are also rampant in social media. Some software tools will help by blocking such imposter sites, pop-ups and suspicious links.
Hackers are considered one of many “advanced persistent threats” or APTs in the information security business. If they can hack into high-profile government and corporate sites, they can hack into anything. (At least, you are better off making that assumption.) To reduce the threat to yourself, do not use the same password for every web site. Your passwords for financial web sites should never be the same as the password to another site. If you think this is too inconvenient, think how inconvenient it will be when your identity and money are stolen. Having different passwords at each site means that hackers can’t use what they got from one site (say target.com) and use it at another, your bank’s online center or other shopping web sites, for example.
The types of threats (and their number) continue to escalate. Understanding the threat and the basic principles of mitigation will protect against most threats. Here’s help to keep you informed about online banking security threats.
Protecting Computers and Mobile Devices
Your online security depends much upon the security of your computer, mobile device or tablet. Follow three simple steps to protect them.
1. Keep your software up-to-date to ward off online threats
Keeping your software up-to-date will often remove the vulnerabilities that viruses and other malware are known to attack. Most computer operating systems and program applications have settings that allow for automatic updates, including those that relate to user security. It is suggested that users allow those updates to automatically be installed on their computer, thereby providing ongoing protection against current and known threats. You can usually go online, to official websites, and find out if you have the most current version of operating systems and applications.
Apple Computer pushes out updates through the Software Update function in Mac OSX and also posts updates on its Support Downloads page. Microsoft Windows users can check to see if they are up-to-date and verify their security software at their Safety & Security Center.
And the updates are needed for more than your operating system and anti-virus software. Other programs such as Java, Acrobat, Microsoft Office, and Quicken will also need to be kept up-to-date. Most of these applications will remind you from time to time to download and install current versions.
Sometimes online games and social media that you (or others such as children or grandchildren) are using on your computer can cause trouble. So make sure that you run a virus or malware scan of your entire hard drive periodically, ensuring you (or some other user) didn’t inadvertently lay out the welcome mat for an intruder. You can go online to Microsoft or Apple (and other trusted sources) and get information about anti-virus and anti-malware. Just be careful and vigilant. There are bad guys out there masquerading as legitimate sources.
2. Keep your computer safe from prying eyes.
No firewall and anti-virus software can defend against theft of, or physical access to, your computer or mobile device. Take reasonable precautions against physical access of your computer by requiring a password to log on to the connected device, and require that password to get past the screen saver. A password to begin or awaken a computer or mobile device can be just enough to discourage would-be intruders.
Software updates and prudent physical security are very important to your online safety. Entegra Bank takes your information security seriously, but there’s no substitute for your vigilance.
3. Guard your computer cache
Your computer cache is a specialized form of computer memory. In the case of the Internet, “cache” is commonly used in the context of “browser cache”. Cache is designed to speed up the computer by prioritizing its contents for quick access.
Users are cautioned to be careful about permitting their web browser to cache information (login IDs, passwords, user name, etc.) which contains banking or other critical and private information. It is possible that an improperly set browser cache setting would permit unauthorized use, possibly leading to identity theft and/or loss of funds.
If you want to know how to monitor and control your browser cache try these steps: (1) go to the Help page of your browser, (2) search for “clear cache,” and follow the directions. For your convenience we have included links to major browsers below. (NOTE: instead of clicking the link, you may cut and paste the link into your browser’s URL line.)
- Microsoft Internet Explorer: http://windows.microsoft.com/en-us/windows/search#q=browser+caching&s=Answers
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache?esab=a&s=clear+cache&r=0&as=s#w_clear-the-cache
- Google Chrome: https://support.google.com/chrome/answer/95582?hl=en
- Apple Safari: Open Safari Help, navigate to the Search Index and type “Empty the cache” in the search box
Protect Your Online Business Banking
If you own a business, or if you are managing a business, information security is one of the more important issues you face. For the purpose of securing the business’ information, pay particular attention to 1.) the people and 2.) the technology of the company. Each represents a broad target of vulnerability for the bad guys, and each has multiple threat “vectors”.
Information is a target because it can be abused by the bad guys. Businesses can be a target for innumerable political, geographical or personal reasons. It is therefore vital that businesses assign a high-priority to their online security, and ensure appropriate resources to support that priority.
Where do you start prioritizing? Here are some tips:
A good first step is to think like a target. Think strategically to determine the relative importance of information maintained by the company and the means of accessing that information.
An example to illustrate the importance of strategic thinking:
Imagine a doctors’ office that decided not to upgrade the computers at the front desk when they upgraded practice management computers. The older computers with known security vulnerabilities were observed by a patient who later accessed one from the outside and delivered up thousands of patient records over the course of many weeks, undetected. (This by the way is based on a true story.)
Impose behavioral responsibility by all in the company to conduct business in prudent ways. It does no good to have a $1,000 lock on the front door if you have an employee who props the back door open to get fresh air. If the cash management account is accessed by 4 people, each with the same global administrative rights, your company’s bank account is at risk.
Behavior is the most difficult thing to change, that’s true. But it is the most important thing you can do as an owner or manager of any business.
Writing passwords on paper stuck to the computer is a behavior that can not be allowed to stand. Doing the company’s online banking at the community coffee shop, on a borrowed computer, with no thought to who’s looking at the screen should not be happening, either.
Thinking carefully about the security of the end-point, and following-up should be another big priority. By end-point we mean the “client”, the employee computers, laptops, mobile devices and smart phones. By careful thought we mean:
- Windows-based office computers should be running the most recent Professional (not “Home”) version of Windows
- Screen savers should be enabled after a few minutes of inactivity and require the domain user name and password.
- Laptops should have a Trusted Platform Module (TPM) installed so that the information on the hard drive can be protected via a good encryption scheme. That way even if the bad guys steal the laptop and take out the hard drive, they can’t get the information without a lot of very hard industry. Apple doesn’t have TPM technology in its computers, but you can encrypt all or part of the hard drive in current OS X, which will accomplish the same thing.
- Good, and by that we mean better than most, passwords should be required by domain policy.
- Every day each computer should verify that it is up-to-date with current operating system patches, software updates and malware protection.
Develop your people to protect your business
The people in your company are about the biggest risk to information security you’ve got. And not because they are bad people. Your company’s computers serve at the behest of your employees. Humans make computers do what they do. So, regularly and often train your people in security best-practice. Make it a “top of mind” matter. Devote some money to basic security training. There are some great online courses available.
Here’s a scenario that highlights the need for training:
Somebody reset the wireless access point on the board room table to remove the password because one of the directors was unable to access email via his iPad. While convenient to the director, this action allowed anybody in the parking lot to hack into the mainframe and access sensitive intellectual property.
Consumer-grade software tools are generally insufficient for businesses.
That $500 laptop your new employee bought from Staples does not have the most current professional version of Windows. That means it will be unable to adhere to basic network security protocols at your business.
That little router you bought for home that cost $100 at Office Depot is absolutely inappropriate for your business infrastructure. It can’t handle the traffic well, and is vulnerable to even greenhorn hacktivists.
A malware package for your home computer probably doesn’t allow for the central management that a business malware package provides. It is easy to keep your personal computer up to date with patches and software updates, but how do you know that all the company’s computers are patched and updated? With consumer software it is usually impossible to know. This is unacceptable in today’s technology-centric world.
In any analysis, to operate well your business needs good management. That is true of the balance sheet, and it is true of the computer infrastructure. Therefore your business must be able to manage technology components, preferably from more than one location. Business technology assets that must be managed centrally, not just individually, would include:
- Employee access and control (user accounts)
- Your internet domain name
- Your website (not the same as your domain name)
- Computers (software installation, updates and patches)
- Mobile devices
- The file server
- The internal network traffic (firewalls, routers, switches, et al)
- Wireless access points
- The phone system (especially if it’s a VOIP system)
- Surveillance cameras (especially if they are wireless)
Managing such items means they are set up according to company technology policy (you have one, right?), controlled by authorized company representatives (employees and/or 3rd parties), and periodically inspected for updates and integrity.
If your company has a dozen computers or more, protect sensitive information with well-formed, centralized management. In most cases, employees should not be allowed to install software on their computer, or if they do, such installations should be monitored by those who are mindful of the threat risk associated with malicious software. And the company should know when computers on its network are running out-of-date virus software – and be able to fix that problem quickly.
One of the things that security professionals are learning is that many advanced persistent threats (APTs) are too advanced and deploy too quickly for traditional malware or anti-virus software to stop. A new technology, called application whitelisting, helps with this problem. Companies such as Lumension and Bit9 have developed solutions that essentially track in real-time disapproved applications and restrict them from gaining hold within a company’s network of computers. Anti-virus and malware software have to download an update in order to know about new threats.
Here’s why central management and periodic inspection are important. Consider this scenario:
The boss is an impatient man. He doesn’t like to take the time to let his virus software update on his laptop, so he keeps putting it off. Now he is working one night, late, and decides to design the new company brochure. To do this he bought a discounted page layout program online that had a free account to “Free Pictures R US” web site. He installed the program, downloaded a bunch of pictures, and got to work. At work the next day, his laptop isn’t working right, it’s VERY slow, but he can just get it to access his bank account and transfer money to his wife’s account to keep himself out of hot water. 24 hours later all his accounts are overdrawn and his email password isn’t working. Two days later his laptop is inspected and found to have malware that sent his personal information (and sensitive customer documents) to Moldova.
Small businesses can manage their systems on an individual, ad hoc basis. If your company has more than 10 employees, it should take a good, hard look at the people and the technology that stand in front of (not behind) its information. Perhaps it is time to hire an outside expert.
How Entegra Bank protects customer online banking security
Entegra Bank has extensive resources devoted solely to online security and brings this sizeable leverage to benefit its customers.
It starts with rigorous technology requirements, for itself and its partners. Extensive reviews and audits are regularly conducted. High standards and ethical behavior are demanded and received by employees and the employees of partners and vendors. The bank’s systems are protected by multiple physical and digital access controls. The bank’s databases are protected by multi-factor authentication and off-set data connections. In addition, thousands of different types of transactions are constantly monitored for unusual or excessive activity. All of this requires substantial investment and resources, of a magnitude that is simply out of the reach of smaller institutions.
Nobody can protect against each and every threat. But Entegra Bank is doing all it can with known technology resources and insight to protect its information, your information.
We go to great efforts to make sure that the person attempting to log in to an account on Entegra Bank has been approved and is qualified to do so.
- A customer can’t just get to their account online without first telling us the account should have such access.
- At the time of account setup, the customer’s verified email account is used to make sure that only the person with access to that email account can begin the process of online account access.
- The user id is never the email address.
- The password is never emailed. A temporary password is emailed and intended to be used immediately. It is sent to the email address already set up on the account and does not include the additional piece of information needed to login, the user id.
- The password to our online system has a rigorous requirement of length and character combination.
Please talk to your knowledgeable and trained Entegra Bank employee if you have questions about online account access.