Over the past several months, much has been written about the advanced, persistent threats to computer security. It seems as though each brings news of security breaches where passwords, credit card numbers and other personal information are possibly exposed to bad guys.
Peoples Bank is constantly monitoring its defenses to protect your sensitive data. The bank’s network and computers are always being tested and strengthened to avoid a data breach. And, we think about ways to help you protect yourself. The Bank’s “defense in depth” strategy includes customer education about the threats and how to address them.
Since data security is a critically important part of our standard business practice, as important to businesses as is managing the balance sheet, we are happy to share what we know with our business banking customers.
While new threats will continue to surface, the defense strategy remains unchanged. Thinking about vulnerabilities and being proactive to protect what is important – even when doing so is inconvenient – are the two things anybody can do to be safe. In this article, we include some reminders that we hope are helpful to you in taking those two steps to protect your financial and personal information online.
Train yourself how to think about online security
Answering questions related to online security is one way to prove to yourself that you are thinking like a person with important information to protect. So… what do you think would be the security implications in the hypothetical situations below? No cheating and reading ahead. These scenarios are written to help you think in terms of risk, access and control in the context of computers and networks. Can you think of some threats and risks? More important, by considering the bigger picture, can you think of a way to still move forward with technology while reducing or removing the risk?
- Your kids buy you a treadmill that needs a wireless connection to your home’s wireless router in order to post your work-out results to your online fitness page. Scenario One Solution
- Your wife manages the finances online and uses a 4-digit unlock code on her iPad. Scenario Two Solution
- Your husband thinks shredding check images from the bank statement is a hassle and makes too much noise. Scenario Three Solution
- Yahoo sends you an email with a link requesting you change your password because of the Heartbleed scare. The email reads in part something like “you need to change your password now. Please click here to conveniently and easily change your Yahoo! account password.” Scenario Four Solution
- You or someone who lives with you hates carrying keys. Those new door locks that can be controlled remotely with a smart phone look like a great solution… Scenario Five Solution
- Bonus question for business people: Vendors, customers, employees gripe about not having open internet access at your office. Often they need it to get something important done for you. The nephew of one of the employees has volunteered to help you set up a wireless network at the office to solve this problem. What risk(s) can you think of, and how can you mitigate them while solving the need? Scenario Six Solution
Let’s go through them. The 1st scenario would require that the wireless access point SSID and password be entered into a device on the treadmill that probably has no security features built in. Which means your secure router now has an unlocked door. A good way to mitigate this risk is to have 2 wireless networks, one that’s available with password but not connected to important assets like hard-drives or desktop computers. But what about the user account credentials that are used to post to the health web site? If the user id and password are unique to that site, there isn’t much to worry about. But, if you are in the habit of using the same user ID and password for lots of other sites, then you have a problem. Somebody could quite easily get that information off the treadmill and try to access other online accounts that have your credit card on file. Amazon, for example. Or the Wall Street Journal. Now you have a larger security risk. Mitigate that by never having the same password on multiple sites. The same thought process should happen when you considered scenario #5, the one about the remote door-lock app.
The 2nd scenario contains an obvious risk. The iPad that has access to financial sites is protected by a 4-digit code that would take a hacker only minutes to get past if he had the iPad in his hands. The ability to log into various websites via the iPad may or may not be easy for a hacker to accomplish; the bigger vulnerability in this case is the email app. If a bad guy has access to the email account, he can change passwords at will, including the password to your own email account(s) and thus gain access to an important part of your security defense. Mitigate the risk of the tablet (and other smart device) by requiring a better than 4-digit passcode, and make sure you have a way to wipe your iPad remotely when you need to.
Since your bank statement contains images of your signature on checks, there is an obvious risk if these statements are readily available at your home. The same is true if these check images are stored as digital files on your computer. Mitigate the risk of someone abusing your signature by deleting those files, or masking the signatures.
In the 4th scenario, the bad guys are trying to deceive you into responding to a bogus, though topical, offer to correct a known problem. Recall that in April 2014 Yahoo! announced some of their sites were affected by the Heartbleed vulnerability and that users should change passwords. In this example, the bad guys are “phishing”, or trying to get you to click on a link that looks legit but is really a link to a nefarious web server. If you hover your mouse over the link (Email link example for this scenario – http://www.yahoo.com.passwordcorrection.com/password.aspx) you will see that it looks like a Yahoo address, but read further. The last two elements “passwordcorrection.com” just before the forward-slash or “/” tell you all you need to know. The site you end up at is not yahoo.com, it is passwordcorrection.com. It is doubtful that Yahoo would use a site other than their own to handle such an important matter. In fact, reputable companies would never ask you to change your password in an email. Never. (See more about phishing, the popular method used by bad guys to get your password, on our online security page.)
The 5th scenario poses an interesting problem. What does the door-lock need to know about you and your network in order to work properly? How secure is it? What happens when the batteries die or there is a power failure? In some cases, power failure causes the lock to release. Therefore the risk of unwanted physical access is that there is a power fault. Or that the system relies on an open wireless network that could be accessed and changed by a bad guy who could lock you out of your own home.
The 6th scenario is relevant to those who own or operate a business. These days, being in any office for any length of time that doesn’t have internet access is viewed as a nuisance, if not a problem. There is a reputational risk if not a business risk. For example, your salesman or saleswoman may not be able to adjust their quote with additional discount because they can’t get access to their corporate quotation system via the internet. But the risk of providing access to anybody means that a hacker could get a toehold into the corporate network and cause trouble if not harm. Especially if that router uses OpenSSL to manage encryption certificates. A hacker could easily grab corporate user accounts and passwords if the router hasn’t been patched. There are many tools out there to solve this problem affordably and with due caution. One way is to provide a small portion of the company internet access via a separate public network. But it’s important to keep the public access completely separate from the private corporate network. This isn’t hard to do, but does require a commercial-grade router that can be managed and monitored
There are far more vulnerabilities than these 6 little scenarios can feature. But, if you have Security Top of Mind Awareness, you won’t need a long list of “what-to-do’s” when presented decisions; you automatically will think in terms of risk, access, control to valuable network resources. And, act appropriately.
Be proactive in protecting your data
Nobody needs to tell you the advantages of being proactive rather than reactive. Proactive people are ahead of things and seem to have a much better quality of life – both for themselves and their family. A proactive person is “reactive in advance.” Such a person typically avoids the knee-jerk or reflexive and irrational response that others experience from having to deal with identity theft, because, for example, they put their online banking password on a post-it note attached to the computer.
Proactive steps you can take have been itemized in these pages before. A summary of these steps would be:
- Educate yourself about online security. Know what the threats are (even if you don’t understand how they work) and try to stay up-to-date. The online security suggestions from the Bank’s blog can help you with this. We provide topical suggestions and provide links to sources for expert advice.
- Create a good online banking password that is not used for any other web site and change it from time to time.
- Keep that password safe. Don’t write it down. Memorize it. Memorizing things is good for your brain, and, in this case, good for protecting your sensitive personal and financial information.
- A good password manager can help you keep track of passwords and other sensitive information.
- Do not click on any links in the emails asking you to change your password. Instead go directly to the company’s website to access your account and update your passwords.
- Protect your computer and mobile devices (tablets, smart phones, etc.).
- Make sure your computer’s operating system (OS) is updated and patched. Same for your mobile devices.
- Install good anti-malware software protection.
- ALWAYS use a passcode lock so that a stranger can’t easily use the computer or device. For computers, this means requiring a password to log in to the computer and to get past the screen saver. For mobile devices, this means adding a special code or fingerprint scan to unlock and use the device.
- Don’t give out your social security number, bank account number, your mother’s maiden name or other facts used to verify your identity to unauthorized people. Legitimate people would never ask for such information via email or social networks such as Facebook and Twitter. Peoples Bank would never do this and we encourage you not to include such facts in your communication with the bank via social networks or email.
- Make sure your home and office networks are secure. This means requiring a password to access the wireless network. It also means that the default administrator ID and password of the home or office router should be changed from a factory default setting.
- Know who to contact when something goes wrong. For example, keep track of your credit card providers’ phone number.
Peoples Bank is thinking of the vulnerabilities, and is proactive, too
We appreciate the trust you place in our ability to protect your money and make your dreams financially possible. We respect that opportunity. Peoples Bank goes to extraordinary lengths to help you conduct banking safely, securely and conveniently at our many branch offices or via the internet.
One of the things we offer to you that can have real value is the security solution Rapport by Trusteer. The bank has made this software available to its customers free of charge, but don’t let that no-cost feature put you off. The software can provide a high level of confidence that online transactions between your computer and the banks’ are protected and private. Browse our Online Security page to learn more about it.
We urge you to do your part to be cautious and wise in protecting your sensitive information. Together we can present a unified, strong defense against those who would do you harm. And, perhaps as important, together we can thrive, overcoming and dismissing those who would limit our opportunity to grow.
No matter what new technological threats may appear in the days to come, we are fairly certain that having and maintaining a mental awareness of the overall threat and a proactive defense is the way of success.
Be assured of our best wishes for your continued success!