Farmers State Bank has verified that the OpenSSL "Heartbleed" vulnerability has not impacted our systems.
There has been considerable media coverage of a security issue that affects a large number of websites using the OpenSSL implementation of the Secure Socket Layer (SSL) protocol for exchanging data between devices. An example is a web browser and a website using SSL (evidenced by 'https' and the padlock symbol in the browser address bar).
The 'Heartbleed' bug as it is called, allows for the leakage of data that was supposed to be protected by encryption. This could allow, under the right conditions, the capture of private information such as logins, passwords, account numbers, etc. Obviously this has the potential for serious problems.
Beware of Heartbleed Phishing Spam
Be very careful with emails that you receive suggesting you change your password due to the Heartbleed bug.
There are reports that users are receiving emails containing links for performing password resets that are being sent maliciously in order to capture login credentials.
These phishing messages are sometimes being sent for websites and services for which the user does not have an account, but since people tend to use the same password for multiple services, it is possible to allow login credentials to be abused for other services and sites that they do have accounts on.
Helpful emails with links in them are many times NOT helpful!
Never click on links in such messages unless you are confident that the sender is legitimate. When in doubt delete the message and go directly to the website of the service you are concerned with. Most sites will have information concerning how they were impacted by the vulnerability and what action you should take.
At Farmers State Bank, we have a variety of techniques to help ensure that your financial information is secure. You too should protect yourself by being aware of the things you can do to minimize your risk of being a victim of identity theft or fraud.
Here are some suggested steps you can take to protect yourself:
- Prevent unauthorized people from using your computer or workstation
- Log off your workstation whenever you leave your computer
- Change your passwords often and never share them with anyone
- The same passwords or security challenge questions should never be used for social media, email and online banking access.
- If you notice suspicious activity, report it immediately
- Install some form of internet security software on you PC and keep it up to date
- Be cautious of e-mails that ask you to verify or submit personal information
- Make sure your browser uses the strongest encryption available and be aware of the encryption levels of the sites and applications you use.
Becoming a victim of Identity Theft is rising dramatically. To prevent identity theft before it occurs, consumers should follow these safe practices.
- Do not carry social security cards in a wallet or purse, but rather in a lock box or otherwise safe location
- Carry only credit cards and checkbooks that are needed on a regular basis
- Never carry PINs and passwords in a wallet along with the cards they activate
- Obtain your credit report regularly and make sure everything is normal
- Close accounts that are not needed or used
- Keep a photocopy of all the contents of your wallet in a secure place such as a lock box so they can be reported easily if lost or stolen
- We’ll never e-mail or call you to ask for any personal information as a requirement for getting additional security to manage your accounts online.
If you’ve become a victim of identity theft, report it to the appropriate parties immediately. File a complaint with the Federal Trade Commission (FTC). Call the FTC’s identity theft hotline tollfree at 1 (877)IDTHEFT (438-4338). Additionally, we suggest you call the fraud departments of all three credit bureaus. Ask them to put a “fraud alert” on your file. This tells creditors to call you before they open any more accounts in your name.
The most important thing to know is that Farmers State Bank does not make a practice of asking for or verifying personal information through an email. If you ever receive an email that asks for this type of information, call the bank and verify its legitimacy with a bank employee. Also, just because an e-mail states the sender’s address, it may not be the true origin of the e-mail. The “from” field of an e-mail can be altered easily.
Consumers should also be wary of claims that a company is updating its records or those that threaten an account will be closed, suspended or restricted if they don’t receive a response. Always verify these types of e-mails by calling a number you know to be a legitimate number for that company, not one obtained from the e-mail.
“Phishing” (pronounced fishing) is when criminals use e-mail to try to lure you to fake websites, where you’re asked to disclose confidential financial and personal information, like passwords, credit card accounts numbers or Social Security Numbers.
The most common type of phish is an e-mail threatening some dire consequence if you do not immediately log in and take action.
You should never respond to these emails. Always verify the need for this information by calling or writing the company. You should obtain an address or phone number from a source you know to be correct such as a statement, business card or phone book.
Fraudulent Emails claiming to be from NACHA:
Fraudulent emails claiming to be from the National Automated Clearing House Association (NACHA) continue to occur. These emails, which are similar to the ones previously reported over the past couple of months, make reference to an ACH transfer, payment or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the recipient. Do not click on any links or open any attachments within the email!
NACHA has reported that these attacks are occurring with greater frequency and increased sophistication. The contents of these fraudulent emails vary, with more recent examples including a counterfeit NACHA logo and the citation of NACHA’s physical mailing address and telephone number.
NACHA does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.
Do not open attachments or follow Web links in unsolicited emails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual. Please forward suspected fraudulent emails appearing to come from NACHA to firstname.lastname@example.org to aid efforts by security experts and law enforcement officials to pursue the perpetrators.
If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system. Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that the computer operating systems and common software application security patches are installed and current.
Fraudulent Email Claiming to be from FDIC
The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of fraudulent e-mails that have the appearance of being from the FDIC.
The e-mails appear to be sent from various "@fdic.gov" e-mail addresses, such as "email@example.com," "firstname.lastname@example.org," or "email@example.com."
They have various subject lines such as "Update for your banking account," "ACH and Wire transfers disabled," and "Banking security update."
The fraudulent messages state:
Your account ACH and Wire transactions have been temporarily suspended for your Security, due to the expiration of your security version. To download and install the newest Updates, follow this link. As soon as it is set up, your transaction abilities will be fully restored. Best regards, Online security department, Federal Deposit Insurance Corporation."
These e-mails and links are fraudulent and were not sent by the FDIC. Recipients should consider these e-mails an attempt to collect personal or confidential information, or to load malicious software onto end users’ computers. Recipients should NOT access the link provided within the body of the e-mails and should NOT install any related files or software updates.
Financial institutions and consumers should be aware that these fraudulent e-mails may be modified over time with other subject lines, sender names, and narratives. The FDIC does not directly contact bank customers, nor does the FDIC request bank customers to install software upgrades.
Information about counterfeit items, cyber-fraud incidents, and other fraudulent activity may be forwarded to the FDIC’s Cyber-Fraud and Financial Crimes Section, 3501 North Fairfax Drive, CH-11034, Arlington, Virginia 22226, or transmitted electronically to firstname.lastname@example.org. Questions related to federal deposit insurance or consumer issues should be submitted to the FDIC using an online form that can be accessed at http://www2.fdic.gov/starsmail/index.asp.
For your reference, FDIC Special Alerts may be accessed from the FDIC’s Web site at www.fdic.gov/news/news/SpecialAlert/2011/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.
The following are online resources recommended for information about online fraud and prevention: