ELECTRONIC BANKING CONSUMER AWARENESS PROGRAM
NobleBank's Commitment to Security
NobleBank will NEVER request personal information by email or text messaging, including account numbers, passwords, personal identification information or any other confidential customer information. Fraudulent emails may be designed to appear as though they originated from NobleBank. Do not respond to any email communications which request any type of personal or confidential information and do not go to any links listed in that email. These emails do not originate from NobleBank. Never give out any information that the bank already has to any caller, texter, or email sender. If you contact us, we may verify the last 4 digits of your SSN to confirm your identity, but we will never contact you and ask for your debit card number or your full SSN. If we need to contact you, it will always be done in a manner that protects your personal confidential information, and we work diligently to do so. We always work with the local regulatory and law enforcement departments to be certain any type of illegal activity is stopped as soon as possible. We have multi-layer security to protect your confidential information and will continue to be vigilant in protecting it. Immediately report any suspicious emails or websites to NobleBank.
If you suspect identity theft or have any questions regarding this notice, please contact NobleBank at 256-741-1800.
To ensure security in your e-banking transactions and personal information, please be aware of the following guidance:
1. Internet Products and Services
a) Secure Login ID and Password or PIN
· Do not disclose Login ID and Password or PIN
· Do not store Login ID and Password or PIN on the computer.
· Regularly change password or PIN and avoid using easy-to-guess passwords such as names or birthdays. Passwords should combine letters (uppercase and lowercase) and numbers and should be at least 6 characters in length.
b) Keep personal information private.
· Do not disclose personal information such as address, mother's maiden name, telephone number, social security number, bank account number or e-mail address -- unless the one collecting the information is reliable and trustworthy.
c) Keep records of online transactions.
· Regularly check transaction history details and statements to make sure that there are no unauthorized transactions.
· Review and reconcile monthly credit card and bank statements for any errors or unauthorized transactions promptly and thoroughly.
· Check e-mail for contacts by merchants with whom one is doing business. Merchants may send important information about transaction histories.
· Immediately notify the bank if there are unauthorized entries or transactions in the account.
d) Check for the right and secure website.
· Before doing any online transactions or sending personal information, make sure that the correct website has been accessed. Beware of bogus or "look alike" websites which are designed to deceive consumers.
· Check if the website is "secure" by checking that the Uniform Resource Locator (URL) begins with "https" and that a closed padlock icon is displayed on the status bar in the browser. To confirm authenticity of the site, double-click on the lock icon to display the site's security certificate information.
· Always enter the URL of the website directly into the web browser. Avoid being redirected to the website or following a hyperlink to it from a website that may not be as secure.
· If possible, use software that encrypts or scrambles the information when sending sensitive information or performing e-banking transactions online.
e) Protect personal computer from hackers, viruses and malicious programs.
· Install a personal firewall and a reputable anti-virus program to protect personal computer from virus attacks or malicious programs.
· Ensure that the anti-virus program is updated and runs at all times.
· Always keep the operating system and the web browser updated with the latest security patches, in order to protect against weaknesses or vulnerabilities.
· Always check with an updated anti-virus program when downloading a program or opening an attachment to ensure that it does not contain any virus.
· Install updated scanner software to detect and eliminate malicious programs capable of capturing personal or financial information online.
· Never download any file or software from sites or sources that are not familiar, or from hyperlinks sent by strangers. Opening such files could expose the system to a computer virus that could hijack personal information, including password or PIN.
· NobleBank & Trust does not collect information about children under the age of 13, per the Children's Online Privacy Act.
f) Do not leave computer unattended when logged-in.
· Log-off from the internet banking site when computer is unattended, even if it is for a short while.
· Always remember to log-off when e-banking transactions have been completed.
· Clear the memory cache and transaction history after logging out from the website to remove account information. This would avoid incidents of the stored information being retrieved by unwanted parties.
· Read and understand website disclosures specifically on refund, shipping, account debit/credit policies and other bank terms and conditions.
· Before providing any personal financial information to a website, determine how the information will be used or shared with others.
· Check the site's statements about the security provided for the information divulged.
· Some websites' disclosures are easier to find than others -- look at the bottom of the home page, on order forms or in the "About" or "FAQs" section of a site. If the customer is not comfortable with the policy, consider doing business elsewhere.
h) Other internet security measures:
· Do not send any personal information particularly password or PIN via ordinary e-mail.
· Do not open other browser windows while banking online.
· Avoid using shared or public personal computers in conducting e-banking transactions.
· Disable the "file and printer sharing" feature on the operating system if conducting banking transactions online.
· Contact the banking institution to discuss security concerns and remedies to any online e-banking account issues.
2. Other Electronic Products
a) Automated Teller Machine (ATM) and debit cards
· Use ATMs that are familiar or that are in well-lit locations where one feels comfortable. If the machine is poorly lit or is in a hidden area, use another ATM.
· Have card ready before approaching the ATM. Avoid having to go through the wallet or purse to find the card.
· Do not use ATMs that appear to have been tampered with or otherwise altered. Report such condition to the bank.
· Memorize ATM personal identification number (PIN) and never disclose it to anyone. Do not keep those numbers or passwords in the wallet or purse. Never write them on the cards themselves. Avoid using easily available personal information like a birthday, nickname, mother's maiden name or consecutive numbers.
· Be mindful of "shoulder surfers" when using ATMs or POS terminals. Stand close to the ATM/POS and shield the keypad with hand when keying in the PIN and transaction amount.
· If the ATM is not working correctly, cancel the transaction and use a different ATM. If possible, report the problem to the bank.
· Carefully secure card and cash in the wallet, handbag, or pocket before leaving the ATM or POS terminal.
· Do not leave the receipt behind. Compare ATM receipts to monthly statement. It is the best way to guard against fraud and it makes record-keeping easier.
· Do not let other people use your card. If card is lost or stolen, report the incident immediately to the bank.
3. Corporate Account Takeover
What is corporate account takeover?
"Corporate account takeover" is when cybercriminals gain control of a business' bank account by stealing the business' valid online banking credentials. Although there are several methods being employed to steal credentials, the most prevalent involves malware that infects a business' computer workstations and laptops.
A business can become infected with malware via infected documents attached to an email or a link contained within an email that connects to an infected website. In addition, malware can be downloaded to users' workstations and laptops by visiting legitimate websites - especially social networking sites - and clicking on the documents, videos, or photos posted there. This malware can also spread across a business' internal network.
The malware installs key logging software on the computer, which allows the perpetrator to capture a user's credentials as they are entered at the financial institution's website. Sophisticated versions of this malware can even capture token-generated passwords, alter the display of the financial institution's website to the user, and/or display a fake Web page indicating that the financial institution's website is down. In this last case, the perpetrator can access the business' account online without the possibility that the real user will log in to the website.
Once installed, the malware provides the information that enables the cybercriminals to impersonate the business in online banking sessions. To the financial institution, the credentials look just like the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns and ACH and wire transfer origination parameters (such as file size, frequency limits, and Standard Entry Class (SEC) Codes).
Cybercriminals use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the U.S. These accounts may be newly opened by accomplices or unwitting "money mules" for the express purpose of receiving and laundering these funds. A "money mule" is a person who transfers stolen money or merchandise from one country to another, either in person, through a courier service, or electronically. The term is commonly used to describe online scams that prey on victims who are unaware that the money or merchandise they are transferring is stolen. In these scams, the stolen money or merchandise is transferred from the victim's country to the scam operator's country. The accomplices or mules withdraw the entire balance shortly after receiving the money, and then send the funds overseas via over-the-counter wire transfer or other common money transfer services.
Why are businesses and organizations targeted?
Cybercriminals appear to be targeting businesses, as well as government agencies and nonprofits, for several reasons:
1. Many businesses and organizations have the capability to initiate funds transfers - ACH credits and wire transfers - via online banking (individual consumers generally do not have this capability except for payees set up in online bill payment systems).
a. This funds transfer capability is often related to a business' origination of payroll payments.
b. In corporate account takeover, cybercriminals may add fictitious names to a payroll file (directed to the accounts of money mules) and/or initiate payroll payments off-cycle to avoid daily origination limits.
2. Some businesses do not have the level of resources to defend their information technology systems.
3. Many businesses do not monitor and reconcile their accounts on a frequent or daily basis.
4. Some businesses bank with a wide variety of financial institutions with varying degrees of IT resources and sophistication.
Prevention, detection, & reporting for business customers
Account control
1. Reconcile all banking transactions on a daily basis.
2. Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
3. Utilize routine reporting on transactions.
4. Perform periodic risk assessment of the banking products/services you use, including regular reviews of user access levels, dollar limits, and activity.
5. Immediately report any suspicious transactions to the financial institution.
6. Stay in touch with other businesses and industry sources to share information regarding suspected
7. Government entities (e.g., FDIC, IRS, etc.) will not contact business customers to request software installation or the customer's access credentials.
Computer security tools & practices
1. Install a dedicated, actively managed firewall. A firewall limits the potential for unauthorized access to a network and computers.
2. Install commercial anti-virus software on all computer systems.
3. Ensure virus protections and security software are updated regularly.
4. Ensure computers are patched regularly, particularly operating systems and key applications, with security patches.
5. Consider installing spyware detection programs.
6. Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as usernames, passwords, PIN codes, or similar information. If you are not certain of the source, do not click any links.
7. Create strong passwords.
8. Prohibit use of "shared" usernames and passwords for online banking systems.
9. Use a different password for each website that is accessed.
10. Change the password several times each year.
11. Never share username and password information with third-party providers.
12. Limit administrative rights on users' workstations.
13. Carry out all online banking activities from a stand-alone computer system from which email and Web browsing are not possible.
14. Verify use of a secure session ("https") in the browser for all online banking.
15. Avoid using an automatic login feature that saves usernames and passwords for online banking.
16. Never leave a computer unattended while using any online banking or investing service.
17. Never access bank, brokerage, or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account numbers and sign-on information, leaving the customer vulnerable to possible fraud.
Recommendations for corporate account takeover victims
1. Immediately cease all activity from computer systems that may be compromised. Disconnect the Ethernet or other network connections to isolate the system from remote access.
2. Immediately contact your financial institution and request assistance with the following actions:
a. Disable online access to accounts.
b. Change online banking passwords.
c. Open new account(s) as appropriate.
d. Request the financial institution's agent review all recent transactions and electronic authorizations on the account.
e. Ensure that no one has requested an address change, title change, PIN change, or ordered new cards, checks, or other account documents be sent to another address.
3. Maintain a written chronology of what happened, what was lost, and the steps taken to report the incident to the various agencies, banks, and firms impacted. Be sure to record the date, time, contact telephone number, person spoken to, and any relevant report or reference number and instructions.
4. File a police report and provide the facts and circumstances surrounding the loss. Obtain a police report number with the date, time, department, location, and officer's name taking the report or involved in the subsequent investigation. Having a police report on file will often facilitate dealing with insurance companies, banks, and other establishments that may be the recipient of fraudulent activity. The police report may initiate a law enforcement investigation into the loss with the goal of identifying, arresting, and prosecuting the offender and possibly recovering losses.
This document is for information purposes only and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions and security threats change constantly.
4. Regulation E Protections and Liability
What is Regulation E?
Regulation E protects individual customers using electronic funds transfers (EFT). Non-consumer accounts are not protected by Regulation E.
What is an EFT?
An electronic funds transfer (EFT) is any transfer of funds that is initiated through an electronic terminal, telephone, computer, or magnetic tape for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit a consumer's account. The term includes but is not limited to:
• Point of sale transfers
• Automated teller machine transfers (ATM)
• Direct deposits or withdrawals of funds
• Transfers initiated by telephone
• Transfers resulting from debit card transactions, whether or not initiated through an electronic terminal
• Transfers initiated through internet banking and bill pay
How does Regulation E apply to a consumer using internet banking and/or bill pay?
Regulation E is a consumer protection law for accounts such as checking or savings, established primarily for personal, family, or household purposes. Non-consumer accounts, such as Corporations, Trusts, Partnerships, LLCs, etc., are excluded from coverage. Regulation E provides consumers a means to notify their financial institution that an EFT has been made to their account without their permission. If you are unsure whether your account is protected by Regulation E, contact us.
What protections are provided to consumers under Regulation E for consumers who use internet banking and/or bill pay?
If you believe an unauthorized EFT has been made to your account, contact us immediately. If you notify us within two business days after you learn of the unauthorized transaction, the most you can lose is $50. Failure to notify the bank within two business days may result in losses up to $500.
No liability limit:
Unlimited loss to a consumer account can occur if:
• The periodic statement you receive reflects an unauthorized transfer of money from your account, and
• You don't report the unauthorized transfer to the bank within 60 days after the statement was mailed, and
• The loss could have been avoided if you had given timely notice.
How does Regulation E apply to a non-consumer using internet banking and/or bill pay?
A non-consumer using Online Banking and/or Bill Payment is not protected under Regulation E. Because the customer is not protected by Regulation E, the customer should give special consideration to reviewing the controls in place to ensure that they are commensurate with the risk level that the customer is willing to accept.
What precautions should a non-consumer take because they are not protected by Regulation E?
As a non-consumer customer you should perform a risk assessment and periodically evaluate the controls you have in place. The risk assessment should be used to determine the risk level associated with any internet activities you perform and any controls in place to mitigate these risks.