2015 August 3 by Brad Ogura
Make Your Passwords Long, Complex and Unique
August 3, 2015 – Through its online site, www.OnGuardOnline.gov, the Federal Trade Commission (FTC) offers information to help consumers stay safe, secure and responsible online.
Whitney Merrill, a legal fellow in the division of privacy and identity protection at the FTC, says a little extra attention when creating a strong password can prevent an attacker from getting access to your account – starting with making your password long, complex, and unique. She points out that attackers often use a dictionary of previously exposed passwords and information gathered from the internet to help them guess a password, so avoid common words and phrases.
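The screening logic behind this advice, as an added example (not FTC code): a password check that enforces length and character variety and, more importantly, rejects anything that appears in a list of previously exposed passwords or a dictionary once common character substitutions are undone. The EXPOSED and DICTIONARY sets are constructed stand-ins for a real breach corpus and wordlist, and the LEET substitution table is an assumed set of the swaps that cracking rule sets routinely try.

```python
"""Password screening in the spirit of the FTC advice above: length, character
variety, and rejection of previously exposed or dictionary passwords (including
common character substitutions, which cracking wordlists also cover)."""
import re

# Constructed stand-in for a breach corpus of previously exposed passwords.
EXPOSED = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
           "football", "dragon", "monkey", "sunshine", "trustno1"}

# Constructed stand-in for a dictionary wordlist.
DICTIONARY = {"summer", "winter", "hello", "secret", "banking", "america"}

# Substitutions that attacker rule sets routinely undo (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def _strip_ends(s: str) -> str:
    """Drop leading/trailing non-letters so 'Summer2015!' screens as 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidates(password: str) -> set:
    """All the 'plain' forms an attacker's rule set would try for this password."""
    low = password.lower()
    forms = {low, low.translate(LEET), _strip_ends(low),
             _strip_ends(low).translate(LEET), _strip_ends(low.translate(LEET))}
    return {f for f in forms if f}


def check_password(password: str, min_len: int = 12) -> list:
    """Return a list of reason codes; an empty list means the password passed."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too_short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        reasons.append("low_complexity")
    forms = candidates(password)
    if forms & EXPOSED:
        reasons.append("exposed")
    elif forms & DICTIONARY:
        reasons.append("dictionary")
    if password.isdigit() or re.fullmatch(r"(.)\1*", password):
        reasons.append("pattern")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2015!", "correct-horse-battery-staple-42"):
        print(pw, "->", check_password(pw) or "ok")
```

The point of the candidates() step is that "P@ssw0rd" is not a new password to an attacker: their dictionary already contains "password" and their rules generate the substituted form, so the check has to undo the substitutions before looking the word up.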
2015 January 28 by Brad Ogura
American Bankers Association Raises Awareness for Data Privacy Day
January 26, 2015 — WASHINGTON — In recognition of Data Privacy Day on Jan. 28, the American Bankers Association is urging bank customers to take an active role in protecting their privacy. Banks use a combination of safeguards to protect customer data, which allows them to detect unusual spending patterns and protect accounts. Customers also play an important role in safeguarding personal financial information.
“Banks’ first priority is protecting their customers’ information,” said Frank Keating, ABA president and CEO. “While banks provide strong data protections, customers are the first line of defense. A partnership between banks and customers is the most effective way to protect financial data.”
To help ensure the safety of personal and financial information, ABA suggests following these four tips:
1. Create c0mplic@t3d passwords. Avoid birthdays, pet names and simple passwords like 12345. It is also important to change passwords at least three times a year. Because friendly theft – theft by someone the victim knows – is the most common type of identity theft or fraud, don’t share your passwords with family members and be mindful of who has access to your personal information.
2. Keep tabs on your accounts. Check account activity and online statements often, instead of waiting for the monthly statement. You are the first line of defense because you know right away if a transaction is fraudulent. If you notice unusual or unauthorized activity, notify your bank right away. When a customer reports an unauthorized transaction in a timely manner, the bank will cover the loss and take measures to protect the account.
3. Stay alert online. Be sure computers and mobile devices are equipped with up-to-date anti-virus and malware protection. Never give out your personal financial information in response to an unsolicited email, no matter how official it may seem. Your bank will never contact you by email asking for your password, PIN, or account information. Only open links and attachments from trusted sources. When submitting financial information on a website, look for the padlock or key icon at the top or bottom of your browser, and make sure the Internet address begins with “https.” This signals that your information is secure during transmission.
4. Mobilize your defenses. Use the passcode lock on your smartphone and other devices. This will make it more difficult for thieves to access your information if your device is lost or stolen. Before you donate, sell or trade your mobile device, be sure to wipe it using specialized software or using the manufacturer’s recommended technique. Some software allows you to wipe your device remotely if it is lost or stolen. Use caution when downloading apps, as they may contain malware, and avoid opening links and attachments – especially from senders you don’t know.
Tips for Victims:
If you are a victim of fraud and suspect your personal information has been compromised, you should take the following steps:
1. Call your bank and credit card issuers immediately so they can take necessary steps to protect your account.
2. File a police report and call the fraud unit of the three credit-reporting companies.
3. Consider placing a victim statement in your credit report and a fraud alert on your account.
4. Keep a log of all the contacts you make with authorities regarding the matter. Write down names, titles, and phone numbers in case you need to re-contact them or refer to them in future correspondence.
5. Contact the FTC’s ID Theft Consumer Response Center at 1-877-ID THEFT (1-877-438-4338) or www.ftc.gov/idtheft.
Data Privacy Day commemorates the 1981 signing of the first legally binding international treaty dealing with privacy and data protection. It is led by the National Cyber Security Alliance, a non-profit, public private partnership focused on cyber security education for all online citizens.
The American Bankers Association is the voice of the nation’s $15 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2 million people, safeguard $11 trillion in deposits and extend more than $8 trillion in loans. Learn more at aba.com.
ABA Media Contact: Sarah Grano
2014 December 1 by Brad Ogura
Avoid Holiday Shopping Scams
December 1, 2014 — In the wake of recent data breaches, shoppers should be on high alert while purchasing their presents this holiday season. While millions of credit and debit card transactions are conducted safely every day, it’s important to be aware of potential holiday scams. The American Bankers Association has asked member banks to share these tips to help consumers keep their information safe whether shopping in the store or online:
- Monitor your account. Use online and mobile banking to keep an eye on your transactions, especially during the holidays. Notify your bank right away if there’s any fraudulent activity.
- Beware of phishing scams. During the holidays, criminals will often create a fake email for a deal that’s too good to be true. If you click on any links within the email, you may be downloading malware onto your computer or you may be asked for payment information that could lead to fraud.
- Limit large sums of cash. Even though we’ve seen financial crime migrate from physical to cyber, consumers should be careful not to carry around large sums of cash when shopping.
- Secure your internet connection. If shopping online, make sure you do so from a password-protected Wi-Fi network. Never access online banking from a public Wi-Fi network.
- Shop safely. Before making an online purchase, make sure the website uses secure technology. When you’re at the checkout screen, verify that the web address begins with https. Also, check to see if a tiny locked padlock symbol appears on the page.
Temporary Unlimited FDIC Coverage for Noninterest-Bearing Transaction Accounts (Including IOLTA Accounts)
2011 April 18 by Richard Lester
On December 29, 2010, President Obama signed into law an amendment to the Federal Deposit Insurance Act to include Interest on Lawyer Trust Accounts (“IOLTAs”) within the definition of “noninterest-bearing transaction accounts.” On January 18, 2011, the FDIC Board of Directors issued a final rule to implement this amendment, and on January 21, 2011 the FDIC issued Financial Institution Letter FIL-2-2011 to provide further guidance on the matter to insured depository institutions.
Please be aware that since the last version of the Frequently Asked Questions dated December 20, 2010, some questions have been added, deleted, and amended. Specific references to the IOLTA changes are reflected in the following summary and in FAQs 2, 8, 17-25, and 33-36.
On November 9, 2010, the FDIC Board of Directors (the “Board”) issued a final rule (the “November Final Rule”) to implement Section 343 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“DFA”) that provides temporary unlimited deposit insurance coverage for noninterest-bearing transaction accounts at all FDIC-insured depository institutions (the “Dodd-Frank Provision”). The separate coverage for noninterest-bearing transaction accounts became effective on December 31, 2010 and terminates on December 31, 2012. The Dodd-Frank Provision and November Final Rule are discussed in Financial Institution Letter FIL-76-2010, issued November 9, 2010. The November Final Rule is published in the Federal Register at 75 Fed. Reg. 69577 (Nov. 15, 2010).
In issuing the November Final Rule, the Board confirmed it would not extend the Transaction Account Guarantee Program (“TAGP”) beyond its sunset date of December 31, 2010.
On December 29, 2010, President Obama signed into law an amendment (the “December 29 Act”) to the Federal Deposit Insurance Act (as amended by Section 343 of the DFA) to include Interest on Lawyer Trust Accounts (“IOLTAs”) within the definition of “noninterest-bearing transaction accounts.” As a result, IOLTAs will receive temporary unlimited insurance coverage at all FDIC-insured institutions (“IDIs”) from December 31, 2010 through December 31, 2012.
On January 18, 2011, the Board issued a final rule (the “January Final Rule”) to implement the December 29 Act. The January Final Rule is discussed in Financial Institution Letter FIL-2-2011, issued January 21, 2011.
The Dodd-Frank Provision is similar to the TAGP, except that it does not include low-interest Negotiable Order of Withdrawal (“NOW”) accounts. The Dodd-Frank Provision also differs significantly from the TAGP in that it applies at all IDIs with qualifying deposits.
The January Final Rule requires that by no later than February 28, 2011, each IDI that offers noninterest-bearing transaction accounts must post prominently an amended notice (see FAQ 17) in the lobby of its main office, in each domestic branch and, if it offers internet deposit services, on its website. The amended notice provides that noninterest-bearing transaction accounts are fully insured until December 31, 2012, and that IOLTAs are included in the definition of “noninterest-bearing transaction account.”
The November Final Rule required IDIs participating in the TAGP on December 31, 2010 to notify IOLTA customers by mail that IOLTAs would not receive unlimited insurance coverage starting January 1, 2011. The December 29 Act now includes IOLTAs in the definition of a “noninterest-bearing transaction account” entitled to temporary unlimited deposit insurance coverage. Financial Institution Letter FIL-2-2011 encourages (but does not require) IDIs who were participating in TAGP and sent individual notices to IOLTA holders advising that those accounts would not receive unlimited insurance coverage to send a revised notice explaining that IOLTAs will be fully insured through December 31, 2012. IDIs that have not already sent the individual notices need not send any such notice to IOLTA depositors. See www.fdic.gov for more information.
2011 January 12 by Richard Lester
January 12, 2013 – The Federal Deposit Insurance Corporation (FDIC) has received numerous reports from consumers who received an e-mail that has the appearance of being sent from the FDIC. The e-mail informs the recipient that “in cooperation with the Department of Homeland Security, federal, state and local governments…” the FDIC has withdrawn deposit insurance from the recipient’s account “due to account activity that violates the Patriot Act.” It further states deposit insurance will remain suspended until identity and account information can be verified using a system called “IDVerify.” If consumers go to the link provided in the e-mail, it is suspected they will be asked for personal or confidential information, or malicious software may be loaded onto the recipient’s computer.
This e-mail is fraudulent. It was not sent by the FDIC. It is an attempt to obtain personal information from consumers. Financial institutions and consumers should NOT access the link provided within the body of the e-mail and should NOT under any circumstances provide any personal information through this media.
The FDIC is attempting to identify the source of the e-mails and disrupt the transmission. Until this is achieved, consumers are asked to report any similar attempts to obtain this information to the FDIC by sending information to firstname.lastname@example.org.
For your reference, FDIC Special Alerts may be accessed from the FDIC’s Web site at www.fdic.gov/news/news/SpecialAlert/2011/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.
Sandra L. Thompson
Director, Division of Supervision and Consumer Protection
Distribution: FDIC-Supervised Banks (Commercial and Savings)
Note: Paper copies of FDIC Special Alerts may be obtained through the FDIC’s Public Information Center, 877-275-3342 or 703-562-2200.
2010 November 11 by Richard Lester
November 11, 2013 – All funds in a “noninterest-bearing transaction account” are insured in full by the Federal Deposit Insurance Corporation from December 31, 2010, through December 31, 2012. This temporary unlimited coverage is in addition to, and separate from, the coverage of at least $250,000 available to depositors under the FDIC’s general deposit insurance rules.
The term “noninterest-bearing transaction account” includes a traditional checking account or demand deposit account on which the insured depository institution pays no interest. It does not include other accounts, such as traditional checking or demand deposit accounts that may earn interest, NOW accounts, money-market deposit accounts, and Interest on Lawyers Trust Accounts (“IOLTAs”).
For more information about temporary FDIC insurance coverage of transaction accounts, visit www.fdic.gov.
2010 June 5 by Richard Lester
June 5, 2010 – The term “phishing” — as in fishing for confidential information — refers to a scam that encompasses fraudulently obtaining and using an individual’s personal or financial information. This is how it works:
- A consumer receives an e-mail which appears to originate from a financial institution, government agency, or other well-known/reputable entity.
- The message describes an urgent reason you must “verify” or “re-submit” personal or confidential information by clicking on a link embedded in the message.
- The provided link appears to be the Web site of the financial institution, government agency or other well-known/reputable entity, but in “phishing” scams, the Web site belongs to the
- Once inside the fraudulent web site, the consumer may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer’s mother or the consumer’s place of birth.
- When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person’s identity.
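The third and fourth steps above rest on one trick: the link's visible text names the real institution while its destination is a site the criminals control. The following is an added example, not FDIC code, of how a mail filter can detect that pattern in an HTML message: it collects every anchor, compares the domain shown in the link text with the domain the href actually points to, and also flags IP-literal hosts and hosts that merely embed a trusted domain name as a subdomain. The sample message, the trusted domain bank.example and the two-label approximation of the registrable domain are all constructed assumptions for the demonstration.

```python
"""Flagging phishing-style links in an HTML e-mail: the link's visible text
names one site while its href goes somewhere else (the mechanism the list
above describes), plus IP-literal hosts and look-alike subdomains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str):
    """Lower-cased host of a URL or bare domain string; None if unparsable."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlsplit(s).hostname or "").lower() or None
    except ValueError:
        return None


def registrable(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain (assumption:
    no public-suffix list, so 'co.uk'-style suffixes are not handled)."""
    return ".".join(host.split(".")[-2:])


DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def suspicious_links(html_body: str, trusted: set) -> list:
    """Return one finding per link that shows signs of the phishing pattern."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue
        host = host_of(href)
        if host is None:
            continue
        reasons = []
        if IP_LITERAL.match(host):
            reasons.append("ip_literal_host")
        if DOMAIN_LIKE.match(text):
            shown = host_of(text)
            if shown and registrable(shown) != registrable(host):
                reasons.append("text_host_mismatch")
        for domain in sorted(trusted):
            if domain in host and registrable(host) != domain:
                reasons.append("lookalike_of_" + domain)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message; bank.example and evil.test are reserved names.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended. Please visit
<a href="http://secure-login.bank.example.evil.test/verify">www.bank.example</a>
within 24 hours to verify your details, or
<a href="http://203.0.113.5/idverify">click here</a>.
Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, {"bank.example"}):
        print(finding)
```

Run against the sample, the first two links are reported (displayed domain differs from the real one, and a bare IP address as host) while the genuine help link is left alone. A production filter would replace registrable() with a public-suffix-list lookup and would also examine the URL after any redirector, but the comparison of "what the user sees" with "where the click goes" is the core check.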
If you suspect an e-mail or Web site is fraudulent, please report this information to the real bank, company or government agency, using a phone number or e-mail address from a reliable source. Example: If your bank’s Web page looks different or unusual, contact the institution directly to confirm that you haven’t landed on a copycat Web site set up by criminals. Also, contact the Internet Crime Complaint Center (http://www.ic3.gov/), a partnership between the FBI and the National White Collar Crime Center.
If you suspect that you have been a victim of identity theft, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you see unauthorized charges on your credit card, immediately contact your financial institution and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.
Pharming is an attack on personal information used over the internet. A user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site. It differs from phishing in that the attacker does not rely on the user clicking a link in an email to deceive the user. Even if the user correctly enters a URL (web address) into a browser’s address bar, the attacker can still redirect the user to a malicious web site.
How can you protect yourself?
Only use pharming-conscious (PhC) web sites. A PhC web site uses a secure connection to prevent other web sites from impersonating it. PhC web sites typically use the HTTPS web protocol on their login page to allow the user to verify the web site’s identity. If an attacker attempts to impersonate a PhC web site, the user will receive a message from the browser indicating that the web site’s “certificate” does not match the address being visited. Users should NEVER click “Yes” in response to such a window because they may get deceived by a pharming attack.
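The browser warning described above comes from one specific check: the host name the user typed is compared with the DNS names in the certificate the server presents, and a site that has been redirected by pharming cannot present a certificate that names the address the user asked for. The code below is an added example, not part of the original post, that reproduces that comparison with simplified RFC 6125 rules (case-insensitive match, wildcard only as the whole left-most label, no match across a dot). BANK_CERT is constructed certificate data in the dictionary shape Python's ssl.getpeercert() returns; in practice ssl.create_default_context() performs this check for you, so this is for understanding the warning, not for replacing library verification.

```python
"""How the browser check described above works: the requested host name is
matched against the names in the site's certificate (simplified RFC 6125
rules). A mismatch is exactly the 'certificate does not match the address'
warning a pharming victim would see."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the requested host.
    Case-insensitive; a wildcard is accepted only as the entire left-most
    label, must leave at least two labels to its right, and matches a single
    label only (so '*.bank.example' covers 'www.bank.example' but neither
    'bank.example' nor 'a.b.bank.example')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """DNS names from subjectAltName, in the shape ssl.getpeercert() returns;
    the subject commonName is used only when no SAN entries are present."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_certificate_address(cert: dict, requested_host: str) -> str:
    """Return 'ok' when some certificate name matches the address typed by the
    user, otherwise the warning text a client should refuse to click through."""
    if any(san_matches(name, requested_host) for name in names_in_cert(cert)):
        return "ok"
    return "certificate does not match the address being visited"


# Constructed certificate data for the legitimate site (bank.example is a
# reserved example name, not a real bank).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
}

if __name__ == "__main__":
    for host in ("www.bank.example", "login.bank.example", "bank.example",
                 "www.bank.example.evil.test"):
        print(host, "->", check_certificate_address(BANK_CERT, host))
```

The last sample host shows why the check defeats pharming: a look-alike name that merely contains the bank's domain still fails, because matching is label-by-label from the right, not a substring test.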
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) released updated guidance on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes regarding the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies.
The growth of Internet banking and other electronic banking activities as well as the increased sophistication of threats to those environments have resulted in higher risks for financial institutions and their customers. An effective authentication system is crucial for the ability of financial institutions to comply with requirements in order to safeguard customer information. This system reduces fraud and the theft of sensitive customer information, which is often the precursor to identity theft, and promotes legal enforceability of financial institutions’ electronic agreements and transactions.
What is Multi-Factor Authentication (MFA)?
To access many online systems today, users commonly utilize an ID and password combination to identify (authenticate) themselves. This is considered “single factor authentication,” since it uses only one of the three basic “factors” used in authentication methodologies. Multi-factor authentication combines two or more of the following:
1. What an individual knows — information that only a person knows (e.g. ID/password, PIN, etc.).
2. What an individual has — something physical and unique a person possesses (e.g. token, smart card, ATM card, individual workstation computer, etc.).
3. What an individual is — a physical attribute unique to a person (e.g. a fingerprint, voice-print, eye-retina structure, etc.).
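A server-side verifier that combines the first two factors, as an added example that is not part of the FFIEC guidance or the original post: the "knows" factor is a password stored as a salted PBKDF2 hash, and the "has" factor is a time-based one-time-password token (TOTP, RFC 6238, built on HOTP from RFC 4226), which is one common form of the hardware or app token listed above. The example includes the two details a real verifier needs and that are easy to get wrong: a small clock-drift window, and a record of the last accepted time step so that a code a phisher captured cannot be replayed once the victim has used it. The user record, password and the RFC 6238 test-vector key used as the token secret are constructed for the demonstration.

```python
"""Two of the three factors listed above, checked together: what the user
knows (a password, stored as a salted PBKDF2 hash) and what the user has (a
time-based one-time-password token, RFC 6238). Includes the clock-drift window
and replay protection a server-side verifier needs."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: the password itself is never stored."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_step": -1,   # highest time step for which a code was accepted
    }


def authenticate(user: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass. Codes are accepted for +/-window steps of clock
    drift, but a step at or below the last accepted one is rejected, so a code
    captured by a phisher cannot be replayed after the victim has used it."""
    # Factor 1: what the individual knows.
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(cand, user["pw_hash"])

    # Factor 2: what the individual has.
    step_now = now // STEP_SECONDS
    matched_step = None
    for drift in range(-window, window + 1):
        step = step_now + drift
        if step <= user["last_step"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], step), code):
            matched_step = step
            break

    if password_ok and matched_step is not None:
        user["last_step"] = matched_step
        return True
    return False


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 test-vector key, not a real token secret.
    user = make_user("correct-horse-battery-staple", b"12345678901234567890")
    code = totp(user["totp_secret"], 59)
    print(authenticate(user, "correct-horse-battery-staple", code, 59))
```

Note that the password hash is always computed, even when the code will fail, so that the response time does not reveal which factor was wrong, and that last_step is only advanced after both factors pass.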
For additional information and resources regarding identity theft, please refer to the following Federal Trade Commission website: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm