CyberSecurity Guide for Businesses
The FDIC put together some useful tips to help keep your business safe from online criminals.
FFIEC Business Account Guidance
Risk Assessment & Layered Security
New financial standards will assist banks and business account holders to make online banking safer and more secure from account hijacking and unauthorized funds transfers.
Banks and Businesses team up for security
As someone responsible for a business bank account, you will want to know that new supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) is helping banks strengthen their vigilance and assure that your business accounts are properly secured during money transfers of all kinds. FFIEC is the coordinating group that sets standards for the major financial industry regulators and examiners.
Understanding the risks
FFIEC studies have shown that there have been significant changes in the threat landscape in recent years. Fraudsters—many from organized criminal groups—have continued to deploy more sophisticated methods to compromise authentication mechanisms and gain unauthorized access to customers’ online accounts. For example, hacking tools have been developed and automated into downloadable kits, increasing their availability to less experienced fraudsters.
As a result, online account takeovers and unauthorized funds transfers have risen substantially each year since 2005, particularly with respect to commercial accounts, representing losses of hundreds of millions of dollars.
Enhanced controls protect higher risks
The FFIEC supervisory guidance addresses the fact that not every online transaction poses the same level of risk, recommending that financial institutions implement more robust controls as the risk level of the transaction increases.
Online business transactions generally involve ACH file origination and frequent interbank wire transfers. Since the frequency and dollar amounts of these transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer, according to FFIEC. Thus banks are advised to implement security plans utilizing controls consistent with the increased level of risk for covered business transactions.
These enhanced controls are designed to exceed the controls applicable to routine customer users. For example, a preventive control could include requiring an additional authentication routine prior to final implementation of the access or application changes. A detective control might include a transaction verification notice immediately following implementation of the submitted access or application changes. Based upon the incidents the Agencies have reviewed, enhanced controls over administrative access and functions can effectively reduce money transfer fraud.
Layered security for increased safety
Your bank uses both single and multi-factor authentication, as well as additional “layered security” measures when appropriate.
Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. This allows your bank to authenticate customers and respond to suspicious activity related to the initial login, and then later to confirm this authentication when further transactions involve the transfer of funds.
For business accounts, layered security might often include enhanced controls for system administrators who are granted privileges to set up or change system configurations, such as setting access privileges and application configurations and/or limitations.
Summary of recommendations for business accounts:
- Banks should urge business account holders to conduct periodic assessments of their internal controls.
- Use layered security for system administrators.
- Initiate enhanced controls for high-dollar transactions.
- Provide increased levels of security as transaction risks increase.
- Offer customers multi-factor authentication.
Internal assessments at your bank
The new supervisory guidance offers ways your bank can look for anomalies that could indicate fraud. The goal is to ensure that the level of authentication called for in a particular transaction is appropriate to the level of risk in that application. Accordingly, your bank has concluded a comprehensive risk assessment of its current methods as recommended in the FFIEC guidelines. These risk assessments consider, for example:
- Changes in the internal and external threat environment
- Changes in the customer base adopting electronic banking
- Changes in the customer functionality offered through electronic banking
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.
Your bank joins FFIEC and the financial regulatory agencies in strongly urging business account holders to conduct similar internal assessments to ensure the highest level of security possible for your transactions.
Examples of layered security for business accounts
Whenever increased risk to your transaction security might warrant it, your bank will have available additional verification procedures, or layers of control, such as:
- Fraud detection and monitoring systems that include consideration of customer history and behavior.
- Dual customer authorization through different access devices.
- Out-of-band verification for transactions.
- “Positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account.
- Transaction value thresholds, number of transactions allowed per day, and allowable payment windows (e.g., days and times).
- Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities.
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud.
- Account maintenance controls over activities performed by customers either online or through customer service channels.
Your protection under “Reg E”
Banks follow specific rules for electronic transactions issued by the Federal Reserve Board, known as Regulation E. Under the protections provided by Reg E, consumers can recover internet banking losses according to how soon they are reported. In general, these protections are extended to consumers and consumer accounts. Your banker can provide additional details about how Reg E might affect your business account.
If you have suspicions
If you notice suspicious activity within your account or experience security related events (such as a phishing email from someone purporting to be from your bank), you can contact anyone at the Bank and you will be quickly and courteously guided to the person responsible for such issues.
© FINANCIAL EDUCATION CORPORATION
FFIEC Consumer Account Guidance
Account Authentication & Online Banking
Multi-factor authentication and layered security are helping secure safe Internet transactions for banks and their customers.
If you use online or mobile banking, you will be interested to learn that six federal financial industry regulators teamed up recently to make your accounts more secure. New supervisory guidance from the Federal Financial Institutions Examination Council (FFIEC) will help banks strengthen their vigilance and make sure that the person signing into your account is actually you. The supervisory guidance is designed to make online transactions of virtually all types safer and more secure.
Understanding the factors
Online security begins with the authentication process, used to confirm that it is you, and not someone who has stolen your identity. Authentication generally involves one or more basic factors:
- Something the user knows (e.g., password, PIN).
- Something the user has (e.g., ATM card, smart card).
- Something the user is (e.g., biometric characteristic, such as a fingerprint).
Single factor authentication uses one of these methods; multi-factor authentication uses more than one, and thus is considered a stronger fraud deterrent. When you use your ATM, for example, you are utilizing multi-factor authentication: Factor number one is something you have, your ATM card; factor number two is something you know, your PIN.
To assure your continued security online, your bank uses both single and multi-factor authentication, as well as additional “layered security” measures when appropriate.
Layered security and increased safety
Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. An example of layered security might be that you follow one process to log in (user/password), and then give additional information to authorize funds transfers.
Layered security can substantially strengthen the overall security of online transactions… protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.
The purpose of these layers is to allow your bank to authenticate customers and detect and respond to suspicious activity related to initial login and then to reconfirm this authentication when further transactions involve the transfer of funds to other parties.
Internal assessments at your bank
On the back-end, the new supervisory guidance offers ways your bank can look for anomalies that could indicate fraud. The goal is to ensure that the level of authentication called for in a particular transaction is appropriate to the transaction’s level of risk. Accordingly, your bank has concluded a comprehensive risk assessment of its current methods as recommended in this supervisory guidance. These risk assessments consider, for example:
- Changes in the internal and external threat environment.
- Changes in the customer base adopting electronic banking.
- Changes in the customer functionality offered through electronic banking.
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.
Whenever increased risk to your transaction security might warrant it, your bank will be able to conduct additional verification procedures, or layers of control, such as:
- Utilizing call-back (voice) verification, Email approval, or cell phone based identification.
- Employing customer verification procedures, especially when opening accounts online.
- Analyzing banking transactions to identify suspicious patterns. For example, that could mean flagging a transaction in which a customer who normally pays $10,000 a month to five different vendors suddenly pays $100,000 to a completely new vendor.
- Establishing dollar limits that require manual intervention to exceed a preset limit.
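The screening rules described in this section (dollar limits that require manual intervention, and flagging a customer who normally pays $10,000 a month to five vendors and suddenly pays $100,000 to a new one), together with the transaction value thresholds, per-day transaction counts and allowable payment windows listed under the business-account controls earlier in this guide, can be expressed as a small rule set. The Python below is an added example written for this page; it is not code from the bank, the FFIEC or any vendor. The account profile, the limits, the 3x baseline multiplier and the sample transactions are all constructed assumptions chosen to mirror the text's example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Everything in this file is constructed for illustration: the profile
# fields, the rule names and the sample transactions are assumptions,
# not a bank's production configuration.


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str
    payee: str
    amount: float
    submitted_at: datetime  # local time at which the release was requested


@dataclass(frozen=True)
class AccountProfile:
    """Per-account limits a bank might agree with a business customer."""
    single_txn_limit: float       # amounts above this need manual intervention
    max_txns_per_day: int         # releases allowed per calendar day
    window: tuple                 # (start, end) local times when releases are allowed
    allowed_weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    typical_monthly_total: float  # baseline spend taken from past statements
    known_payees: frozenset       # payees paid in prior months


def evaluate(txn: Transaction, profile: AccountProfile,
             prior_today: List[Transaction]) -> List[str]:
    """Return the names of every rule the transaction trips (empty = release)."""
    flags: List[str] = []
    if txn.amount > profile.single_txn_limit:
        flags.append("over_single_txn_limit")
    if len(prior_today) >= profile.max_txns_per_day:
        flags.append("daily_count_exceeded")
    start, end = profile.window
    when = txn.submitted_at
    if when.weekday() not in profile.allowed_weekdays or not (start <= when.time() <= end):
        flags.append("outside_payment_window")
    if txn.payee not in profile.known_payees:
        flags.append("new_payee")
        # A first payment to an unknown payee that dwarfs the customer's usual
        # monthly spend is the pattern the guidance gives as an example.
        # The 3x multiplier is an assumed tuning value.
        if txn.amount >= 3 * profile.typical_monthly_total:
            flags.append("amount_far_above_baseline")
    return flags


def screen(transactions: List[Transaction],
           profile: AccountProfile) -> Dict[str, List[str]]:
    """Evaluate transactions in submission order, tracking per-day counts."""
    results: Dict[str, List[str]] = {}
    per_day: Dict[object, List[Transaction]] = {}
    for txn in sorted(transactions, key=lambda t: t.submitted_at):
        prior = per_day.setdefault(txn.submitted_at.date(), [])
        results[txn.txn_id] = evaluate(txn, profile, prior)
        prior.append(txn)
    return results


# Constructed sample: a business that pays five vendors about $2,000 each
# per month ($10,000 total) during weekday business hours.
SAMPLE_PROFILE = AccountProfile(
    single_txn_limit=25_000.0,
    max_txns_per_day=5,
    window=(time(8, 0), time(17, 0)),
    allowed_weekdays=frozenset({0, 1, 2, 3, 4}),
    typical_monthly_total=10_000.0,
    known_payees=frozenset({"vendor-a", "vendor-b", "vendor-c", "vendor-d", "vendor-e"}),
)

# 2024-03-03 is a Sunday and 2024-03-04 a Monday (constructed dates).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "acct-1", "vendor-a", 2_000.0, datetime(2024, 3, 4, 9, 30)),
    Transaction("T2", "acct-1", "new-vendor-x", 100_000.0, datetime(2024, 3, 4, 10, 0)),
    Transaction("T3", "acct-1", "vendor-b", 2_000.0, datetime(2024, 3, 3, 2, 15)),
]

if __name__ == "__main__":
    for txn_id, flags in screen(SAMPLE_TRANSACTIONS, SAMPLE_PROFILE).items():
        print(txn_id, "RELEASE" if not flags else "HOLD: " + ", ".join(flags))
```

Each flag is a reason to hold the transfer for the manual review or out-of-band confirmation the guidance describes; a release only happens when the list comes back empty. The baseline (`typical_monthly_total`, `known_payees`) is what "consideration of customer history and behavior" amounts to in practice: without it, the $100,000 payment would only trip the static dollar limit.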
Your protections under “Reg E”
Banks follow specific rules for electronic transactions issued by the Federal Reserve Board. Known as Regulation E, the rules cover all kinds of situations revolving around transfers made electronically. Under the consumer protections provided by Reg E, you can recover internet banking losses according to how soon you detect and report them.
Here is what the Federal rules require: If you report the losses within two days of receiving your statement, you can be liable for the first $50. After two days, the amount increases to $500. After 60 days, you could be legally liable for the full amount. These protections can be modified by state law or by policies at your bank, so be sure to ask your banker how these protections apply to your particular situation.
Customer Vigilance: The first line of defense
Of course, understanding the risks and knowing how fraudsters might trick you is a critical step in protecting yourself online. You can make your computer safer by installing and updating regularly your:
- Anti-virus software
- Anti-malware programs
- Firewalls on your computer
- Operating system patches and updates
You can also learn more about online safety and security at these websites:
If you have suspicions
If you notice suspicious activity within your account or experience security related events (such as a phishing email from someone purporting to be from your bank), you can contact anyone at your bank and you will be quickly and courteously guided to the person responsible for such issues.
Tell me more about Online Banking Protection
Equitable Bank takes online security very seriously. The Bank provides a number of ways to ensure your online banking transactions are secure. There are also steps you can take to better protect yourself from the potential for online fraud.
How will we contact you?
Equitable Bank will never call, text or email requesting personal information, account numbers, debit cards numbers, passwords, or PINs.
Reporting Suspicious Activity
If you notice suspicious activity within your account, please promptly contact the Bank (800-641-5046). If you receive an email, text or phone call that you suspect might be an attempt at phishing, (an attempt to acquire your personal identifying information) please call or Email Equitable Bank for verification before sharing any information.
Protect Yourself
Our customers are the first line of defense against fraud. Make sure your personal computer isn’t at risk. Install and update regularly:
- Anti-virus software
- Anti-malware programs
- Computer firewalls
- Operating system patches and updates
Use strong passwords (longer and more complex passwords that contain a combination of number, letters and special characters) for all online banking accounts.
Do not share online banking passwords or PINs with anyone not named on your account.
Regularly check your bank statements to ensure all transactions were authorized.
To learn more about online safety and security visit any of these websites:
Best Practices for Mobile and Internet Banking Consumers
In this increasingly connected world, consumers must take proactive steps to safeguard their data. Channels (such as online and mobile banking) and tools (such as social networks) have become a part of our daily landscape. Due to increased risk of personal data being compromised and also increased probability for fraudulent transactions from these added conveniences, consumers should take the time to review the following recommendations for risk mitigation:
- Be vigilant in reviewing your financial statements and monitoring your transactions. Develop the good habit of monitoring your financial accounts (e.g. bank, credit card, retirement etc.) at least weekly through online, mobile, voice banking or the ATM.
- Never leave your computer, tablet or mobile phone unattended when using any Internet banking, mobile banking or other financial services.
- After you have completed your Internet or mobile banking session, it is good practice to log off to ensure that the session is completed.
- It is also good practice to lock your computer or mobile device whenever you plan to leave it unattended.
- Never use publicly available information to create your password. Examples to avoid are common names or phrases, birthdates, social security numbers, etc. And of course, it goes without saying that you should never reveal your password to anyone.
- Change your passwords frequently. Establish a routine where you change your password every few weeks to reduce the risk of a compromised account.
- Avoid using password managers. Even though they may be convenient, password managers create a habit of not changing your passwords regularly and therefore make it easy to forget your passwords over time.
- Never click on links or applications that you receive in Email, as those are common ways viruses, malware and malicious software are installed. If you get an Email with links purporting to be from your financial institution, please visit your financial institution’s main website through your browser or call your financial institution to verify legitimacy.
- Keep your passwords/pin confidential. Under no circumstance will you be asked to provide it to your financial institution.
- While using the Internet, verify use of a secure session (“https://” and not “http://”) in your browser’s address bar. This is your indication that the data being transmitted between your browser and your financial institution’s systems is securely encrypted.
- Install anti-virus and anti-malware software. There are many good applications available for both your computer and your mobile device. Some are even free. Also, remember to keep these products updated regularly so they can be most effective.
- If you have a mobile device such as a Smartphone or tablet, ensure that you install software capable of remotely wiping the device should it get stolen or lost.
- The minute you suspect that your device is lost or stolen, notify your mobile carrier and suspend your service.
- Install mobile software only from the Android Market or the Apple App Store and never a 3rd party site. Android users should read the permissions requested by the application carefully and determine whether the permissions coincide with the alleged function of the application.
- Do not “jailbreak” your iPhone or “root” your Android to avoid unintentionally opening “backdoors” for malicious software.
- Turn off wireless device services such as Wi-Fi, Bluetooth and GPS when they are not being used.
- Avoid using unsecured public wireless connections. If you must, then use VPN software to provide a secure “tunnel” within which to work.
- Be aware of the types of information that you post to social networking sites. Ensure you know who your “friends” are on such sites and do not accept “friend” requests from unverified parties. Statistics show that users of such sites experience a higher incidence of fraud. Use privacy settings on social networking sites to control who is able to access your personal information.
- If your Internet and mobile banking service has extensive alerts available for your use, be sure to take advantage of these alerts. Once you set up the alerts you need, your financial institution’s systems will notify you of activity on your accounts.
- Checks and your financial statements all have your private financial information on them.
- Request electronic statements and use online bill pay whenever possible to reduce the paper trail and the risk of your account information being compromised.
- If you suspect fraudulent activity or have doubts about the authenticity of a site or communication you have received via any medium, please call us at 800-641-5046.
How can I prevent fraud when using my debit card?
According to the American Bankers Association®, consumers should be aware of “skimming” and other scams.
Thieves have targeted some stand-alone ATMs and retailers’ point-of-sale machines for “skimming” scams. They rig the swipe machine with a device that can capture the magnetic stripe and keypad information from your debit card.
- Be wary of your surroundings and of other people who may be near you at an ATM.
- Never give your PIN to anyone – including law enforcement, bank employees or family members who aren’t on the account.
- If an ATM looks suspicious – for instance, has a discolored card reader or an unresponsive keypad – use another machine.
- Do not “pay at the pump”. When using your debit card for a gas purchase, pay inside.
- Notify your bank immediately if your card is lost or stolen.
- If you have a reason to suspect fraud, check your account right away.
- Keep a record of card numbers, expiration dates and the toll free numbers for each card so you can contact the issuer immediately if it’s lost or stolen.
- Check your statements regularly for suspicious activity and report any unauthorized transactions immediately.
How can I be sure my computer is safe?
The American Bankers Association® recommends:
Install on your computer – and keep updated – anti-virus software, firewall and anti-spyware software.
Set your computer’s operating system and browser to “automatic download” to ensure your operating system and browser include the latest security updates.
Don’t get hooked by “phishing”. Do NOT respond to any unsolicited Emails requesting personal information and do not open attachments on any unsolicited Email.
Use strong passwords and change them regularly. The best passwords are long and complex, using a minimum of 8 characters and incorporating a combination of numbers, symbols and letters. Avoid birthdays, pet names and simple passwords like '12345'. Change passwords at least 3 times a year and do not keep them written down near your computer.
How Do I Know My Money is Safe in My Financial Institution?
The FDIC Weighs in on how to know your money is safe.
First, you need to make sure that your bank is a member of the Federal Deposit Insurance Corporation (FDIC) by talking with your banker, looking for the FDIC sign at your bank, or going to www.FDIC.gov. The FDIC is an independent agency of the United States government that protects you against the loss of your deposits if an FDIC-insured bank or savings association fails. FDIC insurance is backed by the full faith and credit of the United States government. Since the FDIC’s creation in 1933, no depositor has ever lost even one penny of FDIC-insured deposits.
As long as your balance stays below the FDIC limits, you don’t need to worry about your money. The FDIC currently insures deposits at its member banks up to $250,000 per depositor. Check with your banker to understand how much coverage you have based on how your accounts are set up, for example in your name alone, jointly with your spouse, or as trust accounts for your children or grandchildren. These limits can be significantly higher when accounts are titled differently.
Examples of some limits are:
- Single Accounts (owned by one person with no beneficiaries): $250,000 per owner.
- Joint Accounts (two or more persons with no beneficiaries): $250,000 per co-owner.
- IRAs and other certain retirement accounts: $250,000 per owner.
- Revocable trust accounts: Each owner is insured up to $250,000 for each unique eligible beneficiary named or identified in the revocable trust, subject to specific limitations and requirements.
*These deposit insurance coverage limits refer to the total of all deposits that account owners have at each FDIC-insured bank. The listing above shows only the most common ownership categories that apply to individual and family deposits, and assumes that all FDIC requirements are met.
From December 31, 2010 through December 31, 2012, all non-interest bearing transaction accounts are fully insured, regardless of the balance of the account and the ownership capacity of the funds. This coverage is available to all depositors, including consumers, businesses, and government entities. The unlimited coverage is separate from, and in addition to, the insurance coverage provided for a depositor’s other accounts held at an FDIC-insured bank.
A non-interest bearing transaction account is a deposit account where:
- Interest is neither accrued nor paid.
- Depositors are permitted to make an unlimited number of transfers and withdrawals.
- The bank does not reserve the right to require advance notice of an intended withdrawal.
Note: Money Market Deposit Accounts (MMDA) and Negotiable Order of Withdrawal (NOW) accounts are not eligible for this temporary unlimited insurance coverage, regardless of the interest rate, even if no interest is paid.
FDIC insurance covers all deposit accounts, including checking and savings accounts, money market deposit accounts, and certificates of deposit. FDIC insurance does not cover other non-deposit types of financial products and services that banks may offer, such as stocks, bonds, mutual fund shares, life insurance policies, annuities or securities. Safe Deposit Boxes are not insured by the FDIC.
If you’d like to learn more, be sure to check out www.FDIC.gov, where you’ll find a wealth of information about FDIC insurance, what types of accounts are covered, advice and alerts. They also offer a coverage calculator called EDIE (Electronic Deposit Insurance Estimator). EDIE will help you determine if your funds are FDIC insured.
Information in this article was collected from www.FDIC.gov.