Customer Awareness Program: Security for Internet Based Services
- Mifflinburg Bank & Trust's Commitment to Security
- Online Banking Security
- Multi-factor Authentication
- Debit Card Protection
- Additional Considerations for Business
- Risk Assessment - What If?
- Internet Usage/Email Policy
- Why Your Business is at Risk
- What Should Your Internet Policy Include?
- Tips for Safe Browsing
- Warning Signs of Potentially Compromised Computer Systems
- Additional Security Measures
- Applicable Laws and Regulations
- Incident Response Plan
Phishing: Don't take the Bait!
Identity Theft: Protect Yourself
Internet Fraud: If it sounds too good to be true, it probably is
Social Media: Be careful who you Trust
Play it Safe with Portable Devices
MBTC will NEVER request personal information by telephone, mail or text messaging including account numbers, passwords, personal identification information or any other confidential customer information.
Fraudulent emails may be designed to appear as though they originated from MBTC. Do not respond to any email communications which request any type of personal or confidential information and do not go to any links listed in that email. Further, the bank will not request its account holders to install software or require changes to established procedures without securely communicated notification.
If you contact us, we may ask you to confirm two or more of the following pieces of information to verify your identity. These include ‘challenge questions’ that you may have established with us and/or the joint account holder’s name (if applicable), last 4 digits of your SSN or TIN, account number, most recent deposit amount (if applicable), birth date or a day-time telephone number. If we contact you, we will never ask you for your debit/credit card number or your full SSN or TIN. If we need to contact you, it will always be done in a manner that protects your personal, confidential information and we will clearly identify ourselves. Safeguarding YOUR confidential information to preserve and maintain our reputation as “Your Community’s Trusted Financial Resource” is a top priority of MBTC’s.
MBTC deploys a layered security approach including multi-factor authentication as part of a comprehensive information security program to protect your confidential information. If you receive any suspicious emails, telephone calls or any other communications regarding your personal or confidential bank information, please contact MBTC immediately at 570-966-1041. MBTC works with local regulatory and law enforcement departments to be certain that any type of illegal activity is stopped as soon as possible. Reacting promptly can help you maintain certain protections you have as a consumer under federal law regarding limits on liability for unauthorized activity. For more information regarding consumer protections, please refer to the Electronic Fund Transfer disclosures that were provided at the time you opened your account. You may also contact us and we will gladly send a copy to you.
Tips for you to keep your information secure:
- Never give out any personal information including user names, passwords, SSN or date of birth.
- Create difficult passwords that include letters, numbers and symbols when possible.
- Do not use personal information for your user names or passwords such as birth dates and SSN.
- Avoid using public computers to access your online banking account information.
- Do not give any of your personal information to any web site that does not use encryption or other secure methods to protect your personal information.
Multi-factor authentication works by using more than one way to confirm your identity, through a combination of technology and human input. Internet fraud is becoming more common and more advanced.
- MBTC’s internet banking system’s EMFA solution conforms with the latest FFIEC authentication guidelines. After successfully authenticating using a username and password (something you know), a one-time password (OTP) is sent to the user’s phone (something you have). The user must then enter this OTP into the banking application to complete the login.
- The user may receive this OTP via a voice call or text message. EMFA provides a secure and easy-to-use second factor of authentication. EMFA reduces the risk of credential exposure due to phishing, keystroke loggers, Man-in-the-Middle and brute force attacks.
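The two-step login just described, as an added illustration written for this page (not MBTC's or the EMFA product's own code): the password is checked first, then a fresh six-digit code is sent out of band and is accepted only once, only while unexpired, and only within a small number of attempts. The five-minute lifetime, the three-attempt limit and the `outbox` list standing in for the SMS/voice gateway are assumptions, not values from the page.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac

OTP_TTL_SECONDS = 300    # assumed policy: a texted code expires after 5 minutes
OTP_MAX_ATTEMPTS = 3     # assumed policy: three wrong codes cancel the challenge

def hash_password(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    """Password first (something you know), then a one-time code delivered to
    the user's phone (something you have), as the page describes."""
    def __init__(self, outbox: list):
        self.users = {}       # username -> (salt, password hash, phone number)
        self.pending = {}     # username -> {"code", "issued", "attempts"}
        self.outbox = outbox  # stand-in for the SMS/voice gateway: (phone, code)

    def register(self, username: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt), phone)

    def start_login(self, username: str, password: str, now: float) -> bool:
        """Step 1: check the password; on success issue and send a fresh OTP."""
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored, phone = rec
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.pending[username] = {"code": code, "issued": now, "attempts": 0}
        self.outbox.append((phone, code))          # leaves over a separate channel
        return True

    def finish_login(self, username: str, code: str, now: float) -> bool:
        """Step 2: the code must be current, unexpired and within the attempt
        limit; whatever the outcome, a code is never accepted twice."""
        ch = self.pending.get(username)
        if ch is None or now - ch["issued"] > OTP_TTL_SECONDS:
            self.pending.pop(username, None)       # expired: start over
            return False
        ch["attempts"] += 1
        if not hmac.compare_digest(ch["code"].encode(), code.encode()):
            if ch["attempts"] >= OTP_MAX_ATTEMPTS:
                del self.pending[username]         # back to the password step
            return False
        del self.pending[username]                 # consumed: single use
        return True
```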
Debit card usage has increased dramatically in recent years and fraudulent use of debit cards has also increased.
MBTC has some suggestions for you to consider regarding the care and usage of your debit cards:
Never give your debit card number information when requested by phone, email or texting unless you are making an authorized purchase of goods or services. MBTC will never contact you to request this type of information. Please contact us immediately if you receive this type of request. As mentioned above, if you contact us, we may ask you for some personal or account information to verify your identity.
It is a good idea to pay by credit card if your card leaves your sight. An example may be when a waiter takes your card from your table in a restaurant or when making purchases online. Debit cards are easier to process illegally in comparison to credit cards.
In accordance with Federal Regulatory guidelines and sound business practices, MBTC has implemented a security program to specifically address identified risks in offering internet based services to its customers. The bank recognizes that the most sophisticated and expensive security program can be rendered ineffective if combined with the absence of fundamental customer controls. Thus we need you to consider the following guidelines for your business so that together we can maintain a safe environment for conducting business transactions online.
MBTC has created an extensive list of “What If” scenarios to consider that present varying degrees of risk to the bank and its ability to continue conducting business. These risks are categorized into technical risks including internet related, computer and telecommunications; human risks such as fraud, error and robbery; and natural risks including flooding, fire and snow. A response plan has been created to respond to each risk. We suggest that you also consider doing this for your business.
To address specific risks from conducting business online, consider the following questions.
- Do you have a password policy that requires the use of strong passwords (including at least 3 of the following elements: upper case letter, lower case letter, number or special character)?
- What is your password lockout policy?
- How frequently are passwords required to be changed?
- Are passwords being written somewhere such as on the back of the monitor or underside of a keyboard by employees?
- Can passwords previously used be repeated? Is this based on number of days since last use or the number of times since last use?
- Does your company conduct background checks on employees? The cost is minimal compared to the potential loss from fraud.
- Are computer system rights and permissions revoked timely for dismissed employees? Does this include all remote devices?
- Are duties segregated sufficiently to create effective checks and balances if possible?
- Do you have a data backup? Is it tested periodically? If this data is transported to another location, is it encrypted or password protected to guard sensitive data?
- Does your business have insurance coverage for losses resulting from these events? Do you understand what is not covered?
- Have you considered reconciling or reviewing account activity daily?
- Do you ensure that PC and Network related patches and components are up-to-date?
- Do you ensure that anti-virus and anti-malware software programs are up-to-date?
- Do you provide periodic communication and training to employees using online banking systems?
- Are dual controls in place where applicable, i.e. to originate and transmit ACH files?
- Consider using dedicated IT staff or a consultant to implement security measures
- The Better Business Bureau’s website on Data Security Made Simpler
- The Small Business Administration’s (SBA)
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data
- The National Institute of Standards and Technology’s (NIST)
- The jointly issued “Fraud Advisory for Businesses: Corporate Account Takeover” from the U.S. Secret Service, FBI, IC3 on the IC3 website
- NACHA – The Electronic Payments Association’s website has numerous articles regarding Corporate Account Takeover for both financial institutions and banking customers
- Review and/or consider insurance coverage to cover incidents relating to electronic theft.
- The resources in the Business Center can help you comply with the law.
If your business does not have a policy on internet usage for your employees, please consider adopting one. Though the web can be an incredibly useful workplace tool, it can also cause significant workplace havoc that can result in lost productivity, financial loss, liability and damage to the reputation of your business. Unscrupulous websites, as well as pop-ups and animations, can be dangerous. Establish rules about internet usage including email guidelines to protect your business — and your employees.
Beyond malicious activities instigated by outsiders, businesses can be put in a vulnerable position by employees who engage in illegal and/or undesirable web activity during work hours and on company-owned computers.
When creating a company-wide internet use policy, consider addressing the following issues:
- Are employees allowed to browse the web for personal use as well as business purposes?
- Can employees use the web for personal use (lunch hours, after-hours, etc.)?
- Does the company monitor web use, and what level of privacy can employees expect?
- Is certain web activity prohibited? Spell out unacceptable behavior in detail. In many companies, this includes:
  - Threatening or violent behavior
  - Illegal activities
  - Commercial solicitations (non-business related)
- Provide two copies of the policy to employees*
*One for them to keep and another for them to sign and return to you. The signed copy provides written proof that the employee was made aware of company policies, possible consequences of violating company policies and that they understand and accept these conditions.
In addition to having a policy, the following recommendations can also help promote safe web browsing:
- Go to trusted sites only
- Do not use work computers for idle browsing
- Never browse web sites from a server. Always use a client PC or laptop
- Use a firewall/router. It allows you to filter web addresses and block internet traffic to and from dangerous sites
- Consider web-filtering software
- Develop an incident response plan to address security breaches.
- Inability to log into online banking (thieves could be blocking customer access so the customer won’t see the theft until the criminals have control of the money);
- Dramatic loss of computer speed;
- Changes in the way things appear on the screen;
- Computer locks up so the user is unable to perform any functions;
- Unexpected rebooting or restarting of the computer;
- Unexpected request for a one time password (or token) in the middle of an online session;
- Unusual pop-up messages, especially a message in the middle of a session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.);
- New or unexpected toolbars and/or icons;
- Inability to shut down or restart the computer
Examples of Deceptive Ways Criminals Contact Account Holders
- The FDIC does not directly contact bank customers (especially related to ACH and Wire transactions, account suspension, or security alerts), nor does the FDIC request bank customers to install software upgrades. Such messages should be treated as fraudulent and the account holder should permanently delete them and not click on any links.
- Messages or inquiries from the Internal Revenue Service, Better Business Bureau, NACHA, and almost any other organization asking the customer to install software, provide account information or access credentials is probably fraudulent and should be verified before any files are opened, software is installed, or information is provided.
- Phone calls and text messages requesting sensitive information are likely fraudulent. If in doubt, account holders should contact the organization at the phone number the customer obtained from a different source (such as the number they have on file, that is on their most recent statement, or that is from the organization’s website). Account holders should not call phone numbers (even with local prefixes) that are listed in the suspicious email or text message.
It is important that businesses understand that a breach of customer information can potentially create financial and reputational risks for the business. For certain businesses, or those utilizing certain services such as debit and credit card payments, compliance with applicable rules to secure data is necessary to prevent potential lawsuits, cancelled accounts and monetary fines.
Please be aware that banking regulations regarding liability differ between consumer accounts and business/corporate accounts. Please contact us with any questions you may have.
If you suspect that your computer system has been compromised, having an action plan to follow can save time critical to preventing loss. Consider developing a plan that includes the following information and action steps:
- Contact information for key financial institution employees
- Changing passwords
- Disconnecting computers used for Internet Banking
- Requesting a temporary hold on all other transactions until out-of-band confirmations can be made
- Insurance carrier contact information
- Working with forensic specialists and law enforcement to review appropriate equipment