Online Banking Security Best Practices
Helena Community Credit Union safeguards information according to established security standards and procedures in order to keep your financial information secure and confidential. In addition, we have external vendors perform regular audits of our system. The result is a "layered security" platform, one that ensures protection throughout the banking process, on your computer, during the transmission of information, and in the bank's own computer systems.
Layered security means that, rather than rely on one security measure, we use many lines of defense to protect your account information. Whether you are viewing your account information, transferring money, or paying your bills, you can depend on your accounts and your account information being safe.
Due to the sophisticated nature of cyber-crimes, there is not one single solution for online security. Helena Community Credit Union takes numerous steps to keep your accounts and personal information secure, and you also play a role in maintaining the security of your banking information. Here are some of the things HCCU does and that you can do to help keep your online banking safe.
What Helena Community Credit Union Does to Protect You
HCCU uses a minimum of 128-bit encryption for Online Banking [NetTeller] transactions, and each session uses a unique master key to encrypt messages. Encryption is a communications process that scrambles private information to prevent unauthorized access during the exchange of information between your computer and the online banking servers. Once you sign off, the master key used for that session becomes useless, as it is only good for one session.
You authenticate your NetTeller online banking session by entering your unique NetTeller User ID and password (sometimes referred to as your PIN), both of which are encrypted as they pass over the Internet and before they are stored on our system. To further increase security, once you change your password on first access, we no longer have access to it. We advise that you do not set your internet browser(s) to remember your NetTeller ID and/or password.
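The statement that the credit union no longer has access to your password once you have changed it describes the usual way a login system is built: only a random salt and a slow one-way digest of the password are kept, so the system can check a password you type but cannot read it back. The following is an added illustration of that pattern, not NetTeller's own code; the iteration count, salt size and the in-memory user store are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Example parameters (assumptions for this illustration, not the credit union's settings).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory user store: user id -> (salt, digest). No password is kept.
_USERS: Dict[str, Tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the output cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(user_id: str, password: str) -> None:
    """Store only a fresh random salt and the derived digest for this user."""
    salt = os.urandom(SALT_BYTES)
    _USERS[user_id] = (salt, _derive(password, salt))


def authenticate(user_id: str, password: str) -> bool:
    """Re-derive from the supplied password and compare in constant time."""
    record = _USERS.get(user_id)
    if record is None:
        # Do the same amount of work for unknown ids so response time does not reveal valid ones.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, digest = record
    return hmac.compare_digest(_derive(password, salt), digest)


def stored_record(user_id: str) -> Tuple[bytes, bytes]:
    """What the system actually holds for a user: salt and digest, nothing reversible."""
    return _USERS[user_id]


if __name__ == "__main__":
    set_password("member-0001", "correct horse battery staple")
    print(authenticate("member-0001", "correct horse battery staple"))  # True
    print(authenticate("member-0001", "wrong password"))                 # False
```

Because each user gets a fresh salt, two members who happen to choose the same password are stored as different digests, and a password reset (as described under "Protect the Confidentiality of Your User ID and Password") simply replaces the salt and digest rather than revealing the old password.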
HCCU has a process called "watermarking" to help give you the confidence that you are secure. A watermark is an image that you will select from over 10,000 available that will be displayed each time you log in. Seeing this image each time will let you know that you are on our website and have entered your NetTeller ID correctly.
In order to continue to improve your online banking experience and make it as secure as possible, we also have another security feature. Multi-Factor Authentication (MFA) detects uncharacteristic or unusual behavior involving your online banking account. If anything out of the ordinary is detected, we will verify your identity.
After a brief monitoring period, you will be prompted to select some personal verification questions. During a future login or transaction, we may ask you to answer these questions if we don't recognize your computer or location, or if you are attempting to complete a transaction for which we need a second level of authorization.
This will most likely be a rare occurrence depending on your usual online banking behavior. Once you answer your questions, you can continue banking, with an even higher level of security!
Timed Log Out
If you forget to log out, or if your online banking session is inactive for more than 10 minutes, we take care of you by ending the session. You will need to log back in to access your information.
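As an added example (not the credit union's own code), here is how a server-side session store enforces the inactivity limit described above: every request refreshes the session's last-activity time, a request arriving more than 10 minutes after the last one ends the session and requires a fresh login, and a periodic sweep removes forgotten sessions even when no further request arrives. The token format and the injectable clock are assumptions made so the example runs offline.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 10 * 60  # the 10-minute inactivity limit


class SessionStore:
    """Minimal idle-timeout session store (example code, not NetTeller's implementation)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock            # injectable so tests can advance time
        self._sessions: Dict[str, dict] = {}

    def login(self, user_id: str) -> str:
        """Issue an unguessable session token after successful authentication."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "last_seen": self._clock()}
        return token

    def touch(self, token: str) -> Optional[str]:
        """Validate a request. Returns the user id, or None if the user must log in again."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # idle too long: end the session, forget the token
            return None
        session["last_seen"] = now     # activity resets the idle clock
        return session["user"]

    def logout(self, token: str) -> None:
        """Explicit "Log Out": invalidate the token immediately, idle or not."""
        self._sessions.pop(token, None)

    def sweep(self) -> int:
        """Background cleanup for sessions the user simply walked away from."""
        now = self._clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS]
        for t in expired:
            del self._sessions[t]
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("member-0001")
    print(store.touch(tok))   # member-0001 (request within the limit)
    store.logout(tok)
    print(store.touch(tok))   # None (token no longer valid)
```

Note that the check runs on every request, not only in the sweep: a token presented after the idle limit is rejected even if the cleanup job has not run yet.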
HCCU takes numerous steps to keep your accounts and personal information secure, but you also play a role in maintaining the security of your banking information. Here are some things you can do to help keep your online banking safer and more secure.
Protect the Confidentiality of Your User ID and Password
Creating a good password and keeping it secret are essential to keeping your online banking account secure. As you are responsible for what occurs with your NetTeller ID, we strongly recommend that you follow these guidelines to prevent someone from obtaining your password and abusing your account.
- Make your password unique and change it regularly. You should never use a password that would be easy for others who know you to guess, or one that a common password cracking utility could find.
- Memorize your password. Your NetTeller ID and password authenticate you when you begin an online banking session. You should memorize this password and never write it down anywhere or reveal it to anyone.
- Do not set your internet browser to remember your NetTeller ID and/or password.
- Do not share your password with anyone. Sharing your password (PIN) with someone else is the same as giving that individual authority to use your name in a transaction.
If you forget your NetTeller ID or password, you may contact our Call Center at (406) 443-5400, extension 3. After positively identifying you, they will be able to find your NetTeller ID and reset your password so you may choose a new one. Do not release any personal information on the phone, in the mail, or over the Internet unless you initiate the contact or are certain you know with whom you are dealing. You may also use the “Reset Password” link if you have enabled that feature under the “Options” tab of your online banking account.
Log Out When You Are Finished Using Online Banking
We recommend our online banking users complete online transactions and log out before visiting other sites or turning off their computers. We also suggest they do not visit other sites when logged in to NetTeller online banking. In addition, you may not always be at your own computer when you bank online; therefore, it's important to sign off using the “Log Out” tab when you're finished banking.
Use A Current Browser and Anti-Virus Software
HCCU recommends you use a modern browser and install and use good-quality anti-virus software. It is also very important that you keep both up to date with patches and updates. Security patches are issued regularly to fix newly discovered issues that may be exploited. For information on NetTeller supported browsers, see our Login page. If you choose not to use one of the supported browsers, please be sure your browser complies with current security standards and be aware that not all online banking features may function properly.
Ensure That You Keep Your Information Secure
As explained in HCCU's Online Banking Agreement and Disclosure Statement, you are responsible for keeping your NetTeller Password, account numbers, personal identification information, and other account data confidential.
- Select a strong, unique NetTeller ID and Password.
- Do not give or disclose any part of your NetTeller ID and Password to anyone. Bank employees may request your NetTeller ID when accessing your account profile, but should never ask for your password.
- Do not send your password or account information over any public or general email system.
- Do not send personal or financial information over unsecured websites.
- Do not release any personal information on the phone, in the mail, or over the Internet unless you initiate the contact or are certain you know whom you're dealing with.
- Contact us immediately if there are charges on your account you don't recognize.
- Do not leave your computer unattended while you are connected to NetTeller Online Banking.
- Pay special attention to security on your local computer. Watch for any changes or suspicious activity.
- If using a public computer, be sure to log out of your internet sessions, close the browser, and clear your browser cache.
- Back up your important data and files regularly.
- Mobile users are highly encouraged to maintain remote wipe capabilities on their mobile devices. To learn more about remote wipe, please visit the documentation for the mobile device specific to you.
You can also learn more about online safety and security at these websites:
If You Have Suspicions
If you notice suspicious activity within your account or experience security-related events (such as a Phishing email purporting to be from your bank), you may contact anyone at your bank and you will be quickly and courteously guided to the person responsible for such issues.
Use a Separate Computer for Higher Risk Transactions (Cash Manager users)
Business customers who have the ability to process ACH originations and/or wire transfers through NetTeller Cash Manager are highly encouraged to use a separate, non-personal computer when performing these types of transactions. This computer should have an up-to-date supported browser, in addition to good quality anti-virus software, installed on it. See below for information specific to small business and/or commercial accounts.
Corporate Account Takeover
What is Corporate Account Takeover (CATO)?
Corporate account takeover occurs when a criminal obtains electronic access to your bank account and conducts unauthorized transactions. The criminal obtains electronic access by stealing the confidential security credentials of employees who are authorized to conduct electronic transactions on your corporate bank account.
How are Confidential Security Credentials Stolen?
There are several methods being employed to steal confidential security credentials. One is to mimic the look and feel of a legitimate financial institution's website. Users provide their credentials to these sites without knowing that a perpetrator is stealing their security credentials through a fictitious website which appears to be their financial institution.
A second method is malware that infects computer workstations and laptops via infected emails with links or document attachments. In addition, malware can be downloaded to a user's workstation or laptop from legitimate websites, especially social networking sites. Clicking on the documents, videos or photos posted there can activate the download of the malware. The malware installs key-logging software on the computer, which allows the perpetrator to capture the user's ID and password as they are entered at the financial institution's website.
Other viruses are more sophisticated. They alert the perpetrator when the legitimate user has logged onto a financial institution's website, then trick the user into thinking the system is down or not responding. During this perceived downtime, the perpetrator is actually sending transactions in the user's name.
What does Corporate Account Takeover (CATO) look like?
If robust authentication is not used and a user's credentials are stolen, the perpetrator can take over the account of the business. To the financial institution, the credentials appear to be the legitimate user. The perpetrator has access to and can review the account details of the business, including account activity and patterns and ACH and wire transfer origination parameters such as file size and frequency limits and Standard Entry Class (SEC) codes.
With an understanding of the permissions and the limits associated with the account, the perpetrator can transfer funds out of the account using wire transfers or ACH files. With ACH, the file would likely contain PPD (Prearranged Payments & Deposits) credits routed to accounts at one or more receiving depository financial institutions (RDFIs). These accounts may be newly opened by accomplices or unwitting "mules" for the express purpose of receiving and laundering these funds. The accomplices or mules withdraw the entire balances shortly after receiving the money and send the funds overseas via wire transfer or other popular money transfer services.
Perpetrators also send ACH files containing debits in order to collect additional funds into the account that can subsequently be transferred out. The debits would likely be CCD (Cash Concentration & Disbursement) debits to other small business accounts for which the perpetrator has also stolen the credentials or banking information. Given the return timeframe for CCD debits and the relative lack of account monitoring and controls at many small businesses, these debit transactions often go unnoticed until after the return timeframe has expired.
What are Some Warning Signs of a Potentially Compromised Computer System?
- Dramatic loss of computer speed
- Changes in the way things appear on the screen
- Computer locks up or freezes
- Unexpected rebooting or restarting
- Unexpected request for password and/or token passcode in the middle of an online session
- Unusual pop-up messages, especially a message in the middle of an online banking session that says the connection to the bank system is not working (system unavailable, down for maintenance, etc.)
- New or unexpected toolbars and/or icons
- Inability to shut down or restart the computer
What Can You do to Potentially Prevent and Detect a Corporate Account Takeover (CATO)?
- Reconcile all banking transactions on a daily basis
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer
- Utilize routine reporting on transactions
- Perform periodic risk assessment of the banking products/services you use, including regular reviews of user access levels, dollar limits, and activity
- Immediately report any suspicious transactions to the bank
- Stay in touch with other business and industry sources to share information regarding suspected fraud activity
- Install a dedicated, actively managed firewall. A firewall limits the potential for unauthorized access to a network and computers
- Install commercial anti-virus software on all computer systems
- Ensure virus protections and security software are updated regularly
- Ensure computers are patched regularly, particularly operating systems and key applications, with security patches
- Consider installing spyware detection programs
- Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification, or banking access credentials such as user names, passwords, PIN codes, or similar information. If you are not certain of the source, do not click any links
- Create strong passwords
- Prohibit use of "shared" user names and passwords for online banking systems
- Use a different password for each website that is accessed
- Change the password several times a year, even if you are not "required" to do so
- Never share user name and password information with third-party vendors
- Limit administrative rights on users' workstations
- If possible, carry out all online banking activities from a stand-alone computer from which email and web browsing are not allowed
- Verify use of a secure session ("https") in the browser for all online banking
- Avoid using an automatic login feature that saves user names and/or passwords for online banking
- Never leave a computer unattended while using any online banking or investing service
- Never access bank, brokerage, or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account numbers and sign on information, leaving the customer vulnerable to possible fraud
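Three of the controls listed above (daily reconciliation, dual control with a separate originator and authorizer, and reviewing dollar limits) can be expressed directly in a payment workflow. The following is an added example written for this page, not the credit union's Cash Manager code: a small payment desk that refuses to let the person who originated an ACH or wire payment also authorize it, enforces a per-payment limit, and a reconciliation step that flags any statement debit not explained by an approved payment. The user roles, the limit and the sample statement lines are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample roles. A user may hold both roles, but dual control below still
# forbids one person from both originating and authorizing the same payment.
ROLES: Dict[str, Set[str]] = {
    "alice": {"originate"},
    "bob": {"authorize"},
    "carol": {"originate", "authorize"},
}
PER_PAYMENT_LIMIT_CENTS = 5_000_000  # assumed $50,000 per-payment limit


@dataclass
class Payment:
    payment_id: str
    amount_cents: int
    destination: str
    originator: str
    authorizer: Optional[str] = None
    status: str = "pending"  # pending -> approved


class ControlError(Exception):
    """Raised when a request violates a control; the payment is not released."""


class PaymentDesk:
    def __init__(self, roles: Dict[str, Set[str]] = ROLES,
                 limit_cents: int = PER_PAYMENT_LIMIT_CENTS):
        self.roles = roles
        self.limit_cents = limit_cents
        self.payments: Dict[str, Payment] = {}

    def originate(self, user: str, payment_id: str, amount_cents: int,
                  destination: str) -> Payment:
        if "originate" not in self.roles.get(user, set()):
            raise ControlError(f"{user} is not permitted to originate payments")
        if amount_cents <= 0 or amount_cents > self.limit_cents:
            raise ControlError("amount is outside the configured per-payment limit")
        if payment_id in self.payments:
            raise ControlError("duplicate payment id")
        payment = Payment(payment_id, amount_cents, destination, user)
        self.payments[payment_id] = payment
        return payment

    def authorize(self, user: str, payment_id: str) -> Payment:
        payment = self.payments[payment_id]
        if "authorize" not in self.roles.get(user, set()):
            raise ControlError(f"{user} is not permitted to authorize payments")
        if user == payment.originator:
            # Dual control: a second, different person must approve the release.
            raise ControlError("originator may not authorize their own payment")
        if payment.status != "pending":
            raise ControlError("payment already processed")
        payment.authorizer = user
        payment.status = "approved"
        return payment

    def approved(self) -> List[Payment]:
        return [p for p in self.payments.values() if p.status == "approved"]


def reconcile(desk: PaymentDesk, statement: List[dict]) -> List[dict]:
    """Daily reconciliation: return statement debits that no approved payment explains."""
    expected = {(p.payment_id, p.amount_cents, p.destination) for p in desk.approved()}
    return [line for line in statement
            if (line["ref"], line["amount_cents"], line["destination"]) not in expected]


if __name__ == "__main__":
    desk = PaymentDesk()
    desk.originate("alice", "P1", 120_000, "ACCT-VENDOR-1")
    desk.authorize("bob", "P1")
    # Constructed statement: one line matches P1, the second is unexplained.
    statement = [
        {"ref": "P1", "amount_cents": 120_000, "destination": "ACCT-VENDOR-1"},
        {"ref": "X9", "amount_cents": 4_900_000, "destination": "ACCT-UNKNOWN"},
    ]
    for line in reconcile(desk, statement):
        print("report to the bank:", line)
```

The unexplained line is exactly the kind of transaction the list above says to report immediately; running the reconciliation daily, rather than at month end, keeps the discovery inside the return window discussed under CCD debits.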
What Should You do if You Think You Have Been the Victim of a Corporate Account Takeover (CATO)?
- Immediately cease all activity from computer systems that may be compromised. Disconnect the Ethernet or other network connections to isolate the system from remote access.
- Immediately contact the bank and request assistance with the following actions:
  - Disable online access to accounts
  - Change online banking passwords
  - Open new account(s) if and when appropriate
  - Request that the bank review all recent transactions and electronic authorizations on the account
  - Ensure that no one has requested an address change, title change, PIN or Password change, or ordered new debit/credit cards, checks, or other account documents be sent to another address
- Maintain a written record of what happened, what was lost, and the steps taken to report the incident to various agencies, banks, and firms impacted. Be sure to record the date, time, contact telephone number, person(s) spoken to, and any relevant report or reference number and instructions.
- File a police report and provide the facts and circumstances surrounding the incident. Obtain a police report number with the date, time, department, location, and officer's name taking the report or involved in the subsequent investigation. Having a police report on file will often facilitate dealing with insurance companies, banks, and other establishments that may be the recipient of fraudulent activity. The police report may initiate a law enforcement investigation into the incident with the goal of identifying, arresting, and prosecuting the offender(s) and possibly recovering any losses.
You may also find more information by clicking on any of the links below:
- The National Institute of Standards and Technology's (NIST) Fundamentals of Information Security for Small Businesses
- The Better Business Bureau’s website on Data Security Made Simpler
- The Federal Trade Commission’s (FTC) interactive business guide for protecting data
This information is for educational purposes only and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions, and keep in mind that security threats change constantly.