Safety & Security

Shopping Tips

Online shopping can be a great way to find the perfect gift and save time, but it can also end with identity theft, malware, and other cyber unpleasantness. Please take a few simple security precautions to help reduce the chances of becoming a cyber victim.

When purchasing online keep these tips in mind to help minimize your risk:

1. Do not use public computers or public wireless Internet access for your online shopping.
Public computers and wireless networks may contain viruses and other malware that steal your information, which can lead to identity theft and financial fraud.
2. Secure your computer and mobile devices.
Be sure to keep the operating system, software, and/or apps updated/patched on all of your computers and mobile devices.  Use up-to-date antivirus protection and make sure it is receiving updates.
3. Use strong passwords.
The use of strong, unique passwords is one of the simplest and most important steps to take in securing your devices, computers, and online accounts. If you need to create an account with the merchant, be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters. Use a unique password for every unique site.
4. Know your online shopping merchants.
Limit your online shopping to merchants you know and trust. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller's physical address, where available, and phone number in case you have questions or problems. Do not create an online account with a merchant you do not trust.
5. Pay online with one credit card.
A safer way to shop on the Internet is to pay with a credit card rather than debit card. Debit cards do not have the same consumer protections as credit cards. Credit cards are protected by the Fair Credit Billing Act and may limit your liability if your information was stolen or used improperly. By using one credit card, with a lower balance, for all your online shopping you also limit the potential for financial fraud to affect all of your accounts. Always check your statements regularly and carefully, though.
6. Look for "https" in the Internet address (URL) when making an online purchase.
The "s" in "https" stands for "secure" and indicates that communication with the webpage is encrypted. This helps to ensure your information is transmitted safely to the merchant and no one can spy on it. Alternatively, look for the lock symbol (sometimes it is green) in the Internet address bar.
7. Do not respond to pop-ups.
When a window pops up promising you cash or gift cards for answering a question or taking a survey, close it by pressing Control + F4 on a Windows computer and Command + W on a Mac. These could be social engineering attempts designed to convince you to open malware or click on a malicious link.
8. Do not auto-save your personal information.
When purchasing online, you may be given the option to save your personal information online for future use. Consider if the convenience is really worth the risk. The convenience of not having to reenter the information is insignificant compared to the significant amount of time you will spend trying to repair the loss of your stolen personal information.
9. Use common sense to avoid scams.
Don't give out your personal or financial information via email or text. Information on many current scams can be found on the website of the
10. Review privacy policies.

What to do if you encounter problems with an online shopping site:

Contact the seller or the site operator directly to resolve any issues. You may also contact the following:

Privacy

How Encryption Works
  • When visiting online banking's sign-on page, your browser establishes a secure session with our server.
  • The secure session is established using a protocol called Secure Sockets Layer (SSL) Encryption. This protocol requires the exchange of what are called public and private keys.
  • Keys are random numbers chosen for that session and are only known between your browser and our server. Once keys are exchanged, your browser will use the numbers to scramble (encrypt) the messages sent between your browser and our server.
  • Both sides require the keys because they need to descramble (decrypt) messages received. The SSL protocol assures privacy, but also ensures no other website can "impersonate" your financial institution's website, nor alter information sent.
  • To learn whether your browser is in secure mode, look for the secured lock symbol at the bottom of your browser window.
What is Encryption and how does it protect me?
Encryption is a mathematical process of coding and decoding information. Encryption ensures that information is scrambled in transit so that only the intended recipient can decode it. The number of bits (40-bit, 56-bit, 128-bit, 256-bit) tells you the size of the key. Like a longer password, a larger key has more possible combinations. In fact, 128-bit encryption is one trillion times one trillion times stronger than 40-bit encryption. At current computing speeds, a hacker with the time, tools, and motivation to attack would require a trillion years to break into a session with 128-bit encryption.
To determine if your browser supports 128-bit encryption:
  • Click "Help" in the toolbar of your Internet browser
  • Click on "About [browser name]"
  • A pop-up box or window will appear.
    • For Internet Explorer: next to "Cipher strength" you should see "128-bit"
    • For Netscape: you should see "This version supports high-grade (128-bit) security with RSA Public Key Cryptography"

If your browser does not support 128-bit encryption, you must upgrade to continue to access the website's secure pages.

Firefox and Safari browsers and DI

July 2005 --

  1. Firefox and Safari - Encryption levels

Both browsers recently designated as supported for use with DI products, Firefox 1.0 and Safari 1.2, use strong 128-bit encryption when accessing secure sites, to ensure safe and secure transmittal of private data such as account and payment information.

  2. Firefox and Safari - How end users can determine which levels of encryption they have
    1. Firefox - In Firefox, this option is not visible until connected to a site. Negotiation occurs between the client browser and the server at run-time. To view the encryption level being used while connected to a specific secure site, you can do the following:
      • Click the 'Tools' menu
      • Select 'Page Info'
      • Click the 'Security' tab
        Or: double-click the yellow 'lock' icon in the lower right corner of the screen while connected to a secure site.
    2. Safari - The Safari browser displays a 'lock' icon at the top right corner of the browser window when you're viewing a secure (https://) site. This symbol is absent when viewing an unsecured (http://) site. Safari can use both 40-bit and 128-bit "strong" encryption; the website determines which level of encryption is used at a given time.

Most browsers released since 2007 support 128-bit encryption, including:

  • Chrome
  • Opera
  • Internet Explorer
  • Firefox
  • Safari

Email Scams

'Phishing' or 'Spoofing' and How to Report Phishing
Phishing (pronounced "fishing") is a scam to steal valuable information such as credit card and Social Security numbers, user IDs, and passwords. In phishing, also known as "brand spoofing", an official-looking email is sent to potential victims pretending to be from their ISP, credit union, bank, or retail establishment. Emails can be sent to people on selected lists or on any list, and the scammers expect some percentage of recipients will actually have an account with the real organization.
What is 'Spoofing'?
Pretending to be something it is not, whether an email, website, etc.
We suggest reporting "phishing" or "spoofed" emails to the following groups:
  • Forward the email to reportphishing@antiphishing.org
  • Forward the email to the Federal Trade Commission at spam@uce.gov
  • Forward the email to the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")
  • When forwarding spoofed messages, always include the entire original email with its original header information intact
  • Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: www.ifccfbi.gov

Safe Computing

The number and sophistication of phishing and spoofing scams sent out to consumers is continuing to increase dramatically. While online banking is widely considered to be as safe as or safer than in-branch or ATM banking, as a general rule you should be careful about giving out your personal financial information over the Internet. Below is a list of recommendations you can use to avoid becoming a victim of these scams:

1. Be suspicious of any email with urgent requests for personal financial information

2. Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately

3. They typically ask for information such as usernames, passwords, credit card numbers, Social Security numbers, etc.

4. Phisher emails typically are not as personalized and may contain spelling errors while valid messages from your bank or e-commerce company generally are accurate in the way they spell your name and your financial institution's name.

5. Don't use the links in an email to get to any Web page, if you suspect the message might not be authentic. Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser

6. Avoid filling out forms in email messages that ask for personal financial information

7. Only communicate information such as credit card numbers or account information via a secure website or the telephone

8. Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser

9. A secure Web server designation can be found by checking the beginning of the Web address in your browser's address bar - it should be "https://" rather than just "http://"

10. Regularly log into your online accounts

11. Don't leave it for as long as a month before you check each account

12. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate; if anything is suspicious, contact your bank and all card issuers

13. Ensure that your browser is up to date and security patches applied; always visit your browser's home page to download the latest security patches even if they don't alert you to do so

Security Tips

Mobile Device Security
  • Configure your device to require a passcode to gain access if this feature is supported in your device.
  • Avoid storing sensitive information. Mobile devices have a high likelihood of being lost or stolen so you should avoid using them to store sensitive information (e.g. passwords, bank account numbers, etc.). If sensitive data is stored then encryption should be used to secure it.
  • Keep your mobile device’s software up-to-date. These devices are small computers running software that needs to be updated just as you would update your PC. Use the automatic update option if one is available.
  • Review the privacy policy and data access of any applications (apps) before installing them.
  • Disable features not actively in use such as Bluetooth, Wi-Fi, and infrared. Set Bluetooth-enabled devices to non-discoverable when Bluetooth is enabled.
  • Delete all information stored on a device before the device changes ownership. Use a “hard factory reset” to permanently erase all content and settings stored on the device.
  • “Sign out” or “Log off” when finished with an app rather than just closing it.
Online Security
  • Never click on suspicious links in emails, tweets, posts, or online advertising. Links can take you to a different website than their labels indicate. Typing an address in your browser instead of clicking a link in an email is a safer alternative.
  • Only give sensitive information to websites using encryption so your information is protected as it travels across the Internet. Verify the web address begins with "https://" (the "s" is for secure) rather than just "http://". Some browsers also display a closed padlock.
  • Do not trust sites with certificate warnings or errors. These messages could be caused by your connection being intercepted or the web server misrepresenting its identity.
  • Avoid using public computers or public wireless access points for online banking and other activities involving sensitive information when possible.
  • Always "sign out" or "log off" of password protected websites when finished to prevent unauthorized access. Simply closing the browser window may not actually end your session.
  • Be cautious of unsolicited phone calls, emails, or texts directing you to a website or requesting information.
General PC Security
  • Maintain active and up-to-date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real-time scanning.
  • Update your software frequently to ensure you have the latest security patches. This includes your computer's operating system and other installed software (e.g. Web Browsers, Adobe Flash Player, Java, Microsoft Office, etc.).
  • Automate software updates when the software supports it, to ensure it's not overlooked.
  • If you suspect your computer is infected with malware, discontinue using it for banking, shopping, or other activities involving sensitive information. Use security software and/or professional help to find and remove malware.
  • Use firewalls on your local network to add another layer of protection for all the devices that connect through the firewall (e.g. PCs, smart phones, and tablets).
  • Require a password to gain access. Log off or lock your computer when not in use.
  • Use a cable lock to physically secure laptops, when the device is stored in an untrusted location.
Passwords
  • Create a unique password for each of the different systems you use. If you don't, then one breach leaves all your accounts vulnerable.
  • Never share your password over the phone, in texts, by email, or in person. If you are asked for your password it's probably a scam.
  • Use unpredictable passwords with a combination of lowercase letters, capital letters, numbers, and special characters.
  • The longer the password, the tougher it is to crack. Use a password with at least 8 characters. Every additional character exponentially strengthens a password.
  • Avoid using obvious passwords such as:
    • your name
    • your business name
    • family member name
    • your user name
    • birthdates
    • dictionary words
  • Choose a password you can remember without writing it down. If you do choose to write it down, store it in a secure location.
Additional Resources

To learn more about information security visit any of the following links.

Identity Theft Prevention

Identity theft, in its simplest form, occurs when someone obtains and misuses your personal information without your permission, often without your knowledge. It is prudent to know about identity theft and the steps you can take to minimize your risk of identity theft or fraud. We recommend that you remain vigilant by reviewing account statements and monitoring free credit reports annually.

Free Fraud Alert. A fraud alert instructs creditors to watch for unusual or suspicious activity in your accounts, and provides creditors with notice to contact you separately before approving an extension of credit. To place a fraud alert, free of charge, contact one of the three national credit reporting agencies listed below. You do not need to contact all three agencies; rather, the agency that you contact will forward the fraud alert to the other two agencies on your behalf. An initial fraud alert stays on your credit report for 90 days.

Equifax

Office of Fraud Assistance
P.O. Box 105069
Atlanta, GA 30348
(888) 766-0008
TTY: (866) 478-0030
https://www.equifax.com/

Experian

Credit Fraud Center
P.O. Box 9532
Allen, TX 75013
(888) 397-3742
TTY: (800) 735-2989
https://www.experian.com/

TransUnion

Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834
(800) 680-7289
TTY: (877) 533-7803
https://www.transunion.com/

Free Credit Report
Placement of a fraud alert will also entitle you to a free credit report from each of the three agencies. When you place this alert on your credit report, you will receive information about ordering one free credit report from each of the credit reporting companies. (If you elect not to place a fraud alert on your consumer credit file, you may still receive a free credit report by visiting www.annualcreditreport.com or calling toll-free (877) 322-8228.) We encourage you to obtain free credit reports, and to verify that all of your personal information listed on the reports is accurate.
Review Your Credit Report
Once you receive your reports, you should review them carefully for unusual credit activities, such as inquiries from companies you did not contact, accounts you did not open, and debts on your accounts that you cannot explain. You should verify the accuracy of your Social Security number, address(es), complete name and employer(s). If your credit report shows suspicious activity or unusual credit inquiries, you should immediately notify the agency that issued the report. You may also contact your local police or sheriff's office to file a report of identity theft. Be certain to obtain a copy of the police report. You may need to provide the police report to creditors in order to address any credit problems that may arise. We recommend that you check your credit reports and review your account statements periodically. This can help you spot problems and address them quickly.
Credit Freeze
Depending on the state that you live in, you may be eligible to place a security freeze on your consumer credit file with each of the three credit bureaus. A security freeze prohibits credit agencies from sharing your credit file with any potential creditors without your consent. Once your files are frozen, even someone who has your personal information should not be able to obtain credit in your name. More information about security freezes is available through the websites of the three national credit reporting agencies - Equifax, Experian and TransUnion (website addresses are noted above).
Additional Information
Additional information about personal identity theft and fraud is available from the Federal Trade Commission at http://www.consumer.gov/idtheft. If you suspect identity theft, you may also file a complaint with the FTC at its website or by calling 1-877-ID-THEFT. Your complaint will be added to the FTC's Identity Theft Data Clearinghouse, where it will be accessible to law enforcement agencies for use in their investigations.