Online Security

Please take some time to familiarize yourself with our unique security features for debit cards and online banking.

As part of our continuing effort to provide you, our customer, with as much security as possible, we are pleased to offer our 24 hour customized security system.

Important Security Alert:

    Criminals are exploiting weak firewalls combined with social engineering to hold your files for RANSOM. Most often this exploit arrives via email; when the attached document is opened, it runs a program which encrypts your files using commercial-level encryption which cannot be hacked. The ransomware then demands payment in Bitcoin to decrypt your files.
    One of your best defenses is to back up your files regularly.
    This problem is so prevalent that it has prompted the FBI to issue an alert to businesses and consumers to beware of these documents.
    Most documents are .doc files with subject headings indicating an invoice, FedEx, UPS, USPS, or other similar subject.
    You can research this subject by "googling": Locky, cryptoware, cryptowall, ransomware.

Unique features for Debit Cards:

  • Debit Card Alerts - Receive Text messages to your Cell Phone or email as transactions occur on your debit card.
    - Each Alert you receive lets you know the details of the transaction: Merchant Name, Dollar Amount, Country of Origin, Phone number to call if fraudulent.
  • Customized fraud rules on debit cards
    - The bank has customizable fraud rules which deny many foreign countries for both online and card-present transactions. We may also deny specific merchants. If you need an exception, or you think you are being blocked, please let us know so we can provide one. If you are going to travel, please let the bank know where you are going as well as the dates you are traveling.

    Debit cards are being compromised almost daily through malicious software on your PC, or by bad employees at merchants swiping your debit or credit card data. Please help us take a bite out of crime by subscribing to debit card alerts and by monitoring your account DAILY.

Unique features for 2nd Factor Authentication with Online Banking:

  • Voice call to your home or cell phone - MOST SECURE*
    - Most secure, as intercepting the call would require your home phone or cell phone to be tapped or call-forwarded. While that is possible, it makes the call more difficult to intercept.
  • Text/SMS Message to your cell phone - SECURE*
    - Considered to be secure, as it would require your cell phone to be compromised.
  • Email sent to your personal or corporate address - LEAST SECURE*
    - Not recommended. Please realize that if your computer is compromised, your email is probably compromised as well.

* - The measure of security is based upon the known methods of compromising accounts and is no guarantee of security.
While the bank does have fraud detection in place on your online banking and debit card usage, you still remain the best fraud detection on your accounts.

Guidance from the Bank


Protecting Your Personal Information and Your Company's Information Online


All consumer accounts are protected under Regulation E. Commercial and Business Accounts are not protected under Regulation E; however, The State Bank believes that our controls exceed the FFIEC guidance and industry standards required to protect your information.


By default, without special arrangement and additional controls, The State Bank does not allow ACH or Wire transfers through the Online Banking system, as we have always recognized that Online Banking is NOT secure. There are too many methods of compromising your computer or system, and there have been too many public incidents where businesses, churches and school districts have had money stolen from their accounts because of the insecure nature of Online Banking. Please 'google' – “ACH fraud”. Cybercrime losses exceed hundreds of millions of dollars from unauthorized funds transfers.


Because your account information is high risk and we value your security and trust, The State Bank has added an additional control of authenticating online banking customers. You will be provided with three different channels of authenticating your account. We encourage you to use the first two channels.


  • Channel 1: Receive a phone call via cell or land line - Preferred – most secure
  • Channel 2: Receive a text message via a cell phone - Preferred – somewhat secure
  • Channel 3: Receive an email - Not Preferred – least secure


Channel 1, receiving a phone call, is seen as the most secure. There are only two ways for the secure code to be intercepted – an attacker would have to be monitoring your phone or would have to clone your cell phone. Both are considered relatively technically difficult to do. The phone call will read a 4 letter/number sequence aloud to you, and the sequence is only valid for several minutes.


Channel 2, receiving a text message via a cell phone, is preferred, but it can be compromised if your cell phone is compromised. There have been incidents at other banks where the phone was relaying messages to the “bad guys” in order to compromise the account.


Channel 3, receiving an email, is seen as the least secure and is not recommended by the bank. Although this can be seen as a separate authentication channel – if the bad guys have control of your computer, they probably have access to your email as well. In addition, email can be slow – we send the email out immediately, but we don't have any control over the server which delivers the email to you.


Historically, the vast majority of online banking losses via ACH or Wire fraud have occurred at the home or business computer. At this time, The State Bank is not aware of any losses that have occurred due to a breach at any bank including The State Bank.


The bank has active systems which monitor various facets of your account. If we need to contact you, we will do so by phone or email. You should recognize that any person claiming to be from The State Bank will NEVER ask you for your PIN, password or any identifying personal information for any of our systems. If you are in doubt of the caller's identity, we encourage you to hang up and call us directly. We will only discuss the minimum needed to authenticate you and to review the issue with your account.


We may call you to verify suspicious transactions on your account or for information regarding your login or transaction behavior in online banking. If we believe that your system or devices may be compromised, we may close them until we can investigate the suspicious activity.


It is vital that you maintain current contact information with the Bank.


To mitigate your risks, we recommend that you implement the following:


  1. Monitor your account on a daily basis – yes, daily
    Use debit card alerts for transactions on your debit card - these provide transaction activity and detail almost immediately to your cell phone via text messages.
    Online banking has a screen which shows your recent login activity: Help -> history of logins

  2. Use a dedicated computer for online banking, or use a Linux boot distribution to start your computer and access your online banking. There are a number of free desktop distributions which can be downloaded from the internet.
    Examples: Use at your own risk
    Tails – https://tails.boum.org/index.en.html – The Amnesic Incognito Live System
    Ubuntu – http://www.ubuntu.com/download/ubuntu/download - #2 Orange Option

  3. Activate your firewall

  4. Use current anti-virus and anti-malware which must be set up to update daily

  5. Keep your operating system up to date with any patches – also daily
    Most operating systems will do this automatically if you set them up properly.

  6. Corporate users should perform a risk assessment and evaluate their own controls in order to secure their networks. Remember: by default, The State Bank does not allow ACH transfers or Wire Transfers out of the Bank via the Online Banking system.



If you have any questions, please feel free to contact us. If you think that your account has been compromised or you see unusual activity, please contact us immediately.


Note: We can only offer limited technical support.


Contacts at the Bank


  • Emergency Support: Brad (719) 468-8880
  • Technical Support: Brad (719) 384-5901
  • Customer Service:
    • La Junta (719) 384-5901
    • Rocky Ford (719) 254-7821
    • Falcon (719) 494-2265



      Resources


      FFIEC Guidance: http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf


      Common Online Schemes

      Phone Calls / Vishing

      What happens: A fraudster or automated system calls your phone number
      What they want: Your account information, debit/credit card details, or to send a wire
      What you should do: Hang up and call the bank

      Common Scenario(s):
      You receive a phone call from the "bank" letting you know that your card has been compromised. They explain that, to authenticate who you are with the bank, they need to know the following details: card number, expiration date of the card, the 3 digit code on the back of the card, and the PIN of your card.

      No employee of the bank will ever ask you for these details. We may ask you for the last digits of the card and maybe the expiration date, but never the 3 digit number or the PIN.
      When in doubt, hang up on the caller and call the bank.

      You receive a phone call and the first words you hear are "grandma" or "grandpa" - they request money to be wired to some overseas country because they are "stuck" or in "trouble". You really need to be careful here: they are very good at impersonating family or friends, and you should call your family and friends to verify the whereabouts of said loved one.

      SMS/Text Messages - Smishing

      What happens: A fraudster sends a text message to your cell phone
      What they want: Your account information or debit/credit card details
      What you should do: Contact the bank, and forward the text message to the security officer

      Common Scenario(s):
      A text message arrives on your cell phone claiming that something has happened on your account and that you need to call "the bank". The number you call will not be the bank and will be fraudulent. They will request the same details as in the automated call from above: card number, expiration date, 3 digit code on the back of the card and your PIN.

      No employee of the bank will ever ask you for these details. We may ask you for the last digits of the card and maybe the expiration date, but never the 3 digit number or the PIN.
      When in doubt, hang up on the caller and call the bank.

      Email Message / Phishing

      What happens: An email is sent to you with an attachment or a link
      What they want: Your account information, debit card details, or access to your computer system
      What you should do: Delete the email

      Common Scenario(s):
      You receive an email that tells you something "bad" or "good" has happened - your package delivery failed, you won a prize, you won the lotto or lottery, your ACH failed, NACHA is fining you. These are just a few of the scenarios or emails...

      They all will want you to click on a link or open an attachment. Most email filters have gotten pretty good at recognizing file extensions and stripping those attachments out, so the fraudsters have been putting their malicious files in zip file format - kind of a container that can compress files. The files in those zip folders may have the extensions doc, exe or pdf. They also might encrypt the zip file and "include" the password in the email. When the file is encrypted, the anti-virus scanners can't scan the file inside the zip folder.

      By opening up these documents or files, or by clicking on the links, you will have all sorts of bad things happen to your computer. The end result is that your computer may be infected with a worm or a virus that allows the fraudsters to access your computer and see everything that you type or do on your computer. Thus, they can gain your online banking login and passwords as well as any other logins or passwords.

      As an example: Look at the link below - it says that it is pointing to a SmartPal Login, however, if you place your mouse over the link (DON'T CLICK) and look at the bottom left corner of your browser, you can see the true link it is pointing to... abogusdomain.bad link.

      SmartPAL LOGIN - Do not click on me - hover your mouse over the link

      Other examples of bad links the bank has seen - links are sanitized, but enough remains for you to see how they are fraudulent. We replaced .com with .bad which is an invalid space. We don't want you clicking on something accidentally.
      Alert - Changes to your credit score - to retrieve your credit score Click Here -- hint - common sense alert - what does baignaula.com have to do with credit reports?

      Alert - Your Redibank online account has been locked out - Click Here to unlock it. -- ok, a little more tricky -- hint - the domain name anotherbad is not redibank; the redibank in the link is the webserver and not the domain name. You should always see something like webserver.redibank.com




      Just because a link says it is pointing somewhere - don't trust it - check...

      When in doubt, delete the email and call the bank.


      Nigerian 411/419 Scheme

      What happens: A fraudster sends you an email saying you have won, earned, inherited, or that you can participate in something to win/make a lot of money
      What they want: Your account information or debit/credit card details, or for you to send a wire/Western Union MoneyGram. Sometimes, they want you to meet them in person
      What you should do: Delete the email - Never meet anyone unsolicited

      Common Scenario(s):
      You get an email letting you know of some scheme where you have made a lot of money. Scenarios involve:

      • Someone died (long lost aunt/uncle/cousin) - you win an inheritance
      • Bank needs help transferring money because of difficulties, laws...
      • You win the lotto or lottery
      • You win an "internet" drawing where they picked your email at random

      What Really Happens: To earn your Award/Winnings/Inheritance: They begin to scam you and request that you send money to them for various fees, government permits, bribes to officials, etc... There are numerous cases where people/businesses have lost hundreds of thousands of dollars to these criminals.

      What Really Happens part 2: When you travel to collect your Award/Winnings/Inheritance - they kidnap you and hold you for ransom.