Security Center

Internet Banking Best Practices

At Astera Credit Union, our goal is to provide you with the best all-around banking experience. We secure all of our online services to help protect you and your finances.

You can also help yourself to be as safe as possible. To help ensure the security of your online banking experience at Astera Credit Union, we recommend that you do the following:

1. Install Real-Time Antivirus and Antispyware (Security) Software

  • Make sure to have updated antivirus software installed on your computer. It protects your personal information from being lost due to a virus.
  • Make sure to also have updated antispyware (security) software on your computer.
  • Allow for automatic scanning and updates of all antivirus and security software.
  • Run anti-virus software after using any public Internet or unsecured wireless connections.
  • Seek the services of a computer expert to help you get the top-rated software and services available.

2. Install Security Updates to the Operating System and All Applications as They Become Available

  • Keep your computer operating system up-to-date.
  • Install security updates to your operating system as they become available.
  • Install software patches, operating system updates, legitimate third party application updates and hotfixes.
  • Install the latest updates and/or patches for your web browser (Internet Explorer, Firefox, Chrome, Safari, etc.).

3. Use a Desktop Firewall

  • Enable the personal firewall that came with your operating system. Personal firewalls assist in preventing cyber-attacks from happening.
  • Or, buy a separate personal firewall and install it on your computer.

4. Adopt Safe Email Practices

  • Never follow a link in your email to a site and then proceed to enter personal information, especially account numbers or passwords.
  • If you want to visit a site to make a transaction, open a new browser window and enter the URL of the exact, trusted site.
  • Do not open attachments or click on links contained in emails received from unfamiliar sources.
  • Beware of questionable emails. You may receive emails asking for your personal information such as a password or PIN. Some may even contain what appear to be legitimate bank/credit union logos, and they may be structured to look very much like the official communications that you regularly receive from Astera Credit Union. You can usually detect fake emails because the links usually direct you to questionable Internet addresses. The emails may also contain poor grammar.
  • Always delete account-sensitive emails that contain any information regarding your account activity.

5. Secure Your Home Wireless Network

  • Change the factory-default service set identifier (SSID). Wireless router manufacturers often set the SSID to a default value. Even if your router is not broadcasting your SSID, intruders may be able to find it by trying default settings. These default settings have become well known, so leaving the default setting may allow intruders to access your wireless network.
  • Do not broadcast your SSID if possible. Hiding your SSID may not be a perfect method to secure your network, but it is still good practice to hide it.
  • Change the default password. Since the default passwords for most brands of wireless routers are published on the Internet where anyone can find them, you should change your password.
  • Enable encryption. This is the single most important step in securing your wireless communication. Wi-Fi Protected Access - Pre-Shared Key (WPA-PSK) is the suggested encryption method for a home network.
  • Use a software firewall on all computers connected to your network.
  • Limit access to shared files and folders on your computers. Set passwords on file shares and provide access only to authenticated users.

6. Create and Maintain a Strong Password and/or PIN

  • Don't write your PIN or passwords down.
  • Create a password using a combination of letters and numbers. You should use a password that is at least 8 characters long and combines lower case letters with upper case letters.
  • Your password should be unique to you and difficult for others to guess.
  • Create passwords that do not contain any obvious information (such as your zip code, year of birth, phone number, address, relative's name, pet's name or nicknames) and never use personal information such as your Social Security Number.
  • Avoid using password managers and do not click on the "Remember Me" option when offered.
  • When creating a password, don't use a password that you use for any other service.
  • Change your passwords every 30 to 60 days. If you suspect your accounts, user names, passwords or PINs are compromised, contact Astera Credit Union immediately and change your passwords.
  • Keep your password confidential and do not share it with anyone.
  • It's mandatory to establish and use a password to conduct online banking transactions, but you have an option to use passwords to access other electronic devices such as mobile phones and tablets. Choose to protect those other electronic devices by using the password option.

7. Practice Safe Computing

  • Avoid performing online banking transactions on a public computer. If you must use a public computer, change your password after completing your transactions.
  • Consider using a dedicated computer for daily online banking activity.
  • Do not have multiple browsers open while banking online.
  • Never leave your online banking account open while your computer is unattended.
  • Always ensure that you have signed out (logged off) of online banking and close your browser.
  • Do not share or provide any of your banking information to any other party or website requesting this information.
  • Ensure you have strong computer expertise to improve the safety of your personal information; otherwise, avoid shared computers.
  • Do not select the Remember Me login option offered on some sites. This is the option in your browser that remembers your username and password, thus allowing automatic log on.
  • Disable file sharing software so unauthorized users cannot access your computer and its data.
  • Use common sense when you connect. If you're online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.
  • When banking and shopping, check to be sure the site is security enabled. Look for web addresses with "https://" or "shttp://," which means the site takes extra measures to help secure your information. "http://" is not secure.
  • Clear the browser cache and history before and after an online banking session. This function is generally found in the browser's preferences menu.

8. Protect Your Personal Information

  • Astera Credit Union will never ask you for personal information in an email or text message. Personal information consists of your name, Social Security number, driver's license number or identification card number, account number, credit card number, debit card number, mother's maiden name, security code, access code, password, Personal Identification Number (PIN) or any information that would permit access to your account(s).
  • Examine your financial statements and/or account activity on a regular basis.
  • If you need to dispose of sensitive documents, shred them.
  • Information about electronic transactions is provided within your periodic statements. To protect your account, we encourage you to regularly review your statements and account activity and immediately notify us of any error or unauthorized transactions.
  • If you believe your online banking PIN is lost or stolen, or that someone has used or will use your account without your permission, notify Astera Credit Union immediately at 800-323-0048.
  • Keep an eye on your account and make sure to report anything that seems to be suspicious activity. You can help stay on top of things by signing up for eAlerts that will inform you when changes have been made to your account.
  • If you discover that you have submitted private details to an unknown source, notify Astera Credit Union immediately at 800-323-0048.

Best Practices for Mobile Banking

At Astera Credit Union, our goal is to provide you with the best all-around banking experience. We secure all of our online services to help protect you and your finances.

Mobile devices (smartphones and tablets) are computers with software that need to be kept up-to-date just like your PC or laptop. Take time to make sure all the mobile devices in your household have the latest protections. This may require synching your device with a computer.

Remember that these devices can contain tremendous amounts of personal information. Lost or stolen devices can be used to gather information about you and, potentially, others. Protect your phone like you would your computer.

Use common sense when you connect. If you're online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release. To help ensure the security of your mobile banking experience at Astera Credit Union, we recommend that you do the following:


1. Practice Safe Mobile Device Usage

  • Secure your smartphone and/or tablet with a strong passcode required to power it on or wake it from sleep mode. A strong password consists of at least eight characters and a mix of alphanumeric characters and punctuation marks or symbols. See guideline #9 for more detailed information about creating and maintaining strong passwords and PINs.
  • Never store usernames and passwords on your mobile devices.
  • Keep your device with you or secure the device when not in use.
  • For mobile devices using the Android operating system, do not enable Android's "install from unknown sources" feature.
  • Do not modify your mobile device as it may disable important security features.
  • Learn how to disable the geotagging feature on your smartphone at: http://cnettv.cnet.com/disable-mobile-geotagging/9742-1_53-50101455.html


2. Practice Safe Wi-Fi Usage

  • Get savvy about Wi-Fi hotspots. Limit the type of business you conduct and adjust the security settings on your device to limit who can access your phone.
  • Don't use public Wi-Fi networks for credit union transactions.
  • Turn off your Bluetooth connection when not in use. This limits your device's exposure to being accessed remotely.

3. Practice Safe App Usage

  • Download signed applications (Apps) only from trusted sources, like Google Play and the Apple iTunes App Store.
  • Review the privacy policy and understand what data (location, access to your social networks) the App can access on your device before you download.
  • Never set the App, web or client-text service to automatically log you in to your credit union account. If your phone is lost or stolen, someone will have access to your money.
  • Never set your banking App to auto-populate your username and password.
  • Visit http://www.asteracu.com/Mobile_Banking_76.html and follow the links to download the official Astera Credit Union Mobile Banking Apps found on Google Play and the Apple iTunes App Store.
  • Always sign out of the Astera Credit Union Mobile Banking App when you have completed your activity.

4. Practice Safe Mobile Computing

  • Do not share or provide any of your banking information to any other party or website requesting this information.
  • Never provide personal identification or banking information over your mobile device.
  • Be aware of your surroundings. Don't type any sensitive information if others around you can see.
  • Use common sense when you connect. If you're online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.
  • When banking and shopping through a mobile browser, check to be sure the site is security enabled. Look for web addresses with "https://" or "shttp://," which means the site takes extra measures to help secure your information. "http://" is not secure.
  • If you must use a mobile browser, clear the browser cache and history before and after an online banking session. This function is generally found in the browser's preferences menu.

5. Install Real-Time Antivirus and Antispyware (Security) Software

  • Make sure to have updated antivirus software installed on your mobile device. It protects your personal information from being lost due to a virus.
  • Make sure to also have updated antispyware (security) software on your mobile device.
  • Allow for automatic scanning and updates of all antivirus and security software.
  • Run anti-virus software after using any public Internet or unsecured wireless connections.
  • Seek the services of a mobile computing expert to help you get the top-rated software and services available. Perhaps start with the customer service representatives at your wireless provider.

6. Install Security Updates to the Mobile Operating System and All Applications as They Become Available

  • Keep your mobile device operating system up-to-date.
  • Install security updates to your mobile operating system as they become available.
  • Install software patches, mobile operating system updates, legitimate third party application updates and hotfixes.
  • Install the latest updates and/or patches for your mobile web browser.

7. Adopt Safe Texting Practices

  • Do not respond to text messages requesting personal information, such as Social Security numbers, credit/debit/ATM card numbers, and account numbers. Remember, your bank would never contact or text message you asking for personal or banking information. Assume any unsolicited text request is fraudulent. Giving this information places your finances and privacy at risk.
  • Understand the criminal activity of SMShing. SMShing is phishing that happens via an SMS text message. A criminal sends a text message encouraging you to reply with financial or personal information, or they may ask you to click on links that will sneak viruses onto your mobile device.
  • Don't respond to a text message that requests personal or financial information.
  • Frequently delete text messages received from the credit union.
  • Verify the phone numbers that appear in a text message before you place a call, and never give out personal or financial account information over the phone – by voice, text or email.

8. Adopt Safe Email Practices

  • Utilize the official Astera Credit Union Mobile Banking App found on Google Play and the Apple iTunes App Store.
  • If you must use a mobile device web browser to make a transaction, open a new browser window and enter the URL of the exact, trusted site.
  • Never follow a link in your email to a web site and then proceed to enter personal information, especially account numbers or passwords.
  • Do not open attachments or click on links contained in emails received from unfamiliar sources.
  • Beware of questionable emails. You may receive emails asking for your personal information such as a password or PIN. Some may even contain what appear to be legitimate bank/credit union logos, and they may be structured to look very much like the official communications that you regularly receive from Astera Credit Union. You can usually detect fake emails because the links usually direct you to questionable Internet addresses. The emails may also contain poor grammar.
  • Always delete account-sensitive emails that contain any information regarding your account activity.


9. Create and Maintain a Strong Password and/or PIN

  • Don't write your PIN or passwords down.
  • Create a password using a combination of letters and numbers. You should use a password that is at least 8 characters long and combines lower case letters with upper case letters.
  • Your password should be unique to you and difficult for others to guess.
  • Create passwords that do not contain any obvious information (such as your zip code, year of birth, phone number, address, relative's name, pet's name or nicknames) and never use personal information such as your Social Security Number.
  • Avoid using password managers and do not click on the "Remember Me" option when offered.
  • When creating a password, don't use a password that you use for any other service.
  • Change your passwords every 30 to 60 days. If you suspect your accounts, user names, passwords or PINs are compromised, contact Astera Credit Union immediately and change your passwords.
  • Keep your password confidential and do not share it with anyone.


10. Be Wise With Regard to Your Personal Information

  • Astera Credit Union will never ask you for personal information in an email or text message or direct you to call a phone number in an email, other than 800-323-0048.
  • Personal information consists of your name, Social Security number, driver's license number or identification card number, account number, credit card number, debit card number, mother's maiden name, security code, access code, password, Personal Identification Number (PIN) or any information that would permit access to your account(s).
  • Examine your financial statements and/or account activity on a regular basis.
  • If you need to dispose of sensitive documents, shred them.
  • Information about electronic transactions is provided within your periodic statements. To protect your account, we encourage you to regularly review your statements and account activity and immediately notify us of any error or unauthorized transactions.
  • If you believe your online banking PIN is lost or stolen, or that someone has used or will use your account without your permission, notify Astera Credit Union immediately at 800-323-0048.
  • Keep an eye on your account and make sure to report anything that seems to be suspicious activity. You can help stay on top of things by signing up for eAlerts that will inform you when changes have been made to your account.
  • If you discover that you have submitted private details to an unknown source, notify Astera Credit Union immediately at 800-323-0048.


11. If You Lose Your Phone or Change Your Phone Number

  • If you change your phone number, notify Astera Credit Union as soon as possible.
  • If you lose your phone or suspect that it has been stolen, notify Astera Credit Union immediately at 800-323-0048. Also notify your wireless carrier immediately so that your phone can be deactivated.
  • Consider using a remote wipe program. This will give you the ability to send a command to your device that will delete any data.
  • Keep a record of your mobile device's name, model and serial number in case it's lost or stolen.








Additional Resources Regarding Online Security


Stay Safe Online

A project of the National Cyber Security Alliance. NCSA's mission is to educate and empower a digital society to use the Internet safely and securely at home, work, and school. They work to protect the technology we use, the networks we connect to, and the digital assets we share.

www.staysafeonline.org


STOP. THINK. CONNECT.

The Anti-Phishing Working Group (APWG) and National Cyber Security Alliance (NCSA) led the development of the STOP. THINK. CONNECT. campaign. The U.S. Department of Homeland Security provides the Federal Government's leadership for the STOP. THINK. CONNECT. campaign.

www.stopthinkconnect.org


Tips for Safe Banking Over the Internet

Published by The Federal Deposit Insurance Corporation (FDIC), this information will help you understand your rights as a consumer and guide you to helpful resources to keep your private data secure.

http://www.fdic.gov/bank/individual/online/safe.html


Federal Regulation E

Federal Regulation E protects consumers by establishing basic rights, liabilities and responsibilities of both financial institutions and customers. Most accounts, which can be accessed by the Internet, as well as transactions, which are initiated electronically, are covered by these rules.

Regulation E applies to consumer accounts.

http://www.federalreserve.gov/bankinforeg/regecg.htm



Additional Security Measure for You to Consider

More seasoned computer users may want to consider using a bootable operating system when conducting transactions online. You could configure a bootable system on a USB Flash Drive with only the services and applications needed to perform financial transactions with Astera Credit Union.

When you need to access the online banking system to initiate electronic funds transfers, you would boot the "read-only" system on a USB Flash Drive attached to your computer. Any malware or spyware that may exist on your hard drive would not impact you in this scenario.


Definitions



Phishing

A form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information, such as credit card numbers, bank account numbers or Social Security numbers.


Vishing

Voice phishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing. Voice phishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company, and associated with a bill-payer. The victim is often unaware that VoIP makes formerly difficult-to-abuse tools/features of caller ID spoofing, complex automated systems (IVR), low cost, and anonymity for the bill-payer widely available. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.


SMiShing

In computing, SMS phishing or smishing is a form of criminal activity using social engineering techniques. Phishing is the act of attempting to acquire personal information such as passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. SMS (Short Message Service) is the technology used for text messages on cell phones.

SMS phishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information. The hook (the method used to actually capture people's information) in the text message may be a website URL, but it has become more common to see a telephone number that connects to an automated voice response system.


Identity theft

Even if hackers don't steal from your account, it can be compromised by identity theft. ID thieves can capture your personal information, such as your Social Security number, and other identifying data. That data could be used to create new accounts in your name or hack into your other accounts.


Keylogging

If you access your online banking site on public networks, such as Internet cafes or public Wi-Fi, there is a chance that you could fall prey to keylogging. Keylogging uses software that records your keystrokes to get your account details.


Pharming

This might be a little more difficult for hackers to carry out, but it does happen. Pharming occurs when hackers are able to hijack a bank's URL so that when you try to access your bank's website, you get redirected to a bogus site that looks like the real thing.


Trojans

Programs that perform malicious actions but have no replication abilities. Like the original Trojan horse, these programs may arrive as seemingly harmless files or applications, but actually have malicious intent within their code. Banking Trojans are specifically designed to gain control and compromise online accounts.


Site spoofing

Websites that appear professionally designed and legitimate with the purpose of collecting sensitive information from unsuspecting visitors.



Social engineering

In the context of information security, social engineering is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or gaining computer system access. It differs from traditional cons in that often the attack is a mere step in a more complex fraud scheme.



Caller ID spoofing

Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient's Caller ID display that is not that of the actual originating station. The term is commonly used to describe situations in which the motivation is considered malicious by the speaker or writer. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, Caller ID spoofing can make a call appear to have come from any phone number the caller wishes. Because of the high trust people tend to have in the Caller ID system, spoofing can call the system's value into question.


Email spoofing

Email spoofing is email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails.

Although there may be legitimate reasons to spoof an address, these techniques are commonly used in spam and phishing emails to hide the origin of the email message.



Man-in-the-browser (MITB, MitB, MIB, MiB)

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by utilising out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software, with a 23% success rate against Zeus in 2009 and still low rates in 2011. The 2011 report concluded that additional measures on top of antivirus were needed. A related, simpler attack is the boy-in-the-browser (BitB, BITB). The majority of financial service professionals in a survey considered MitB to be the greatest threat to online banking. For online banking, using portable applications or using alternatives to Microsoft Windows and Mac OS X like Linux, Chrome OS or mobile OSes may be the safest, especially when run from non-installed media.