Fraud & ID Theft Protection
"Banking Hackers Target Smartphone Apps"
Article by Robin Sidel, Wall Street Journal
August 30, 2016 - Hackers are using the growing popularity of mobile banking apps on smartphones to launch new types of attacks on big banks and their customers.
While it is difficult to quantify how much money has been stolen as a result of malicious software, or malware, on mobile phones, the trend is alarming the Federal Bureau of Investigation and U.S. banking regulators. The move by cyber thieves to target mobile banking apps has occurred amid a glut of stolen credit-card data for sale on underground websites.
Cyber thieves are using the malware to steal banking credentials from unsuspecting consumers when they log onto their bank accounts via their mobile phones, according to law enforcement officials and cyber-security specialists.
Attacks have occurred on the two most common operating systems – Apple Inc.'s iOS and Alphabet Inc.'s Android. Phones typically come with built-in security protections, but the devices can still be vulnerable. On Thursday, Apple urged some iPhone users to update their software due to a security flaw that could allow a hacker to remotely take control of the operating system.
The problem for banks, which have stepped up spending on cyber-security in recent years after several high-profile breaches, is that consumers often aren't as vigilant about security on their phones as they are on their desktop computers.
"As a bank, you can have all the protections you want, but unless there is protection on the device, you can't protect against this kind of attack," says Ross Hogan, global head of the fraud prevention division of Kaspersky Lab, a cyber-security firm.
Also troubling is that the attacks can be hard to track down because thieves can access an account through any normal channel after they steal credentials through a phone.
The FBI is seeing new types of malware specifically aimed at banking applications for the purpose of stealing account credentials, says Richard Jacobs, an assistant special agent in charge who handles cyber-crimes. He has been warning the financial-services industry about the trend, which is typically aimed at larger banks. The Federal Financial Institutions Examination Council, which brings together five banking regulatory bodies, in April updated its guidance for banks to include potential threats facing mobile financial services, including mobile phone malware.
The malware often gets onto a phone when a user clicks a text message from an unknown source or taps an advertisement on a website. Once installed, it lies dormant until the user opens a banking app. The malware then creates a customized overlay on the authentic banking app. This allows criminals to follow a user's movements on the phone and eventually grab credentials to the account.
In some cases, the malware adds fields that request the customer's date of birth or Social Security Number, says the FBI's Mr. Jacobs. Some of the more advanced forms of malware can even track verification codes that the bank may send to the customer in text messages as a secondary authentication, cyber-security officials said.
Once the malware captures a phone user's banking credentials, it can send them remotely to the criminal, who can use them or sell them.
Bank executives say they are trying to thwart the malware by frequently updating and revising their banking applications. They also say that the bank's security systems can often trigger alerts for unusual behavior, such as a large withdrawal or if the account is accessed from a previously unknown device or an unfamiliar location. In such cases, the bank may require additional authentication from the user.
Malware that has gained popularity around the world among criminals has names like Acecard and GM Bot. Some of the bank-specific malware sells for as much as $15,000, according to people who are tracking the trend. Ian Holmes, banking fraud solutions manager for analytics firm SAS, estimates that Acecard malware has customized overlays to imitate 50 financial-services apps. The malware "is gaining credibility in the criminal underworld," said Mr. Holmes.
The growing threat represents a new entry point for criminals who typically steal bank credentials by other means, such as installing skimmers on automatic teller machines or by using scams targeting desktop computer users.
It is a setback for banks that are pushing customers toward digital channels as a way to reduce costs and improve efficiency. Banks typically reimburse customers for money stolen from their accounts, particularly if they notify the institution quickly after the theft occurs.
Kaspersky, the security firm, said in a recent report that banks may be underestimating the risk associated with the malware. "While the industry has so far been relatively unscathed by a major mobile banking security attack, the sophistication and levels of malicious activity on mobile solutions have begun to rise, which we believe increases the security risks of mobile banking," it said.
The rising popularity of mobile banking malware also creates yet another security headache for consumers who are increasingly turning to their mobile phones for everyday tasks from banking to shopping. The crimes can be difficult to track because customers might not notice thefts have occurred until well after they used their phones to log into their accounts. Plus, customers are unlikely to consider a mobile phone as an entry point for hackers if the phone hasn't left their possession. A recent study conducted by SAS and Javelin Strategy & Research found that fewer than one-third of smartphone owners use mobile antivirus or anti-malware software on their phones. Additionally, some mobile phone owners unknowingly make their devices vulnerable to attacks when they tamper with operating systems in order to run unauthorized apps.
New Fraud Prevention Service - Effective June 8, 2016
In our continuing efforts to keep your accounts secure, Evergreen Bank Group has improved our alert system for potential fraud. This new system will take effect on June 8, 2016.
Here's how it works:
1. When potential fraud is detected, you will receive an automatic email notification, with the option to reply with "fraud" or "no fraud".
2. One minute after the email, you will receive a text alert, which also has the "fraud" or "no fraud" option.
3. If there is no response received, you will then receive automatic phone calls to confirm or deny fraud. The call will also give the option of speaking to a fraud analyst.
REMEMBER – our messages will NEVER ask for your PIN or account number.
The phone number for our Fraud Center has changed to 1-800-417-4592. If you add this number to your phone contacts and label it "Fraud Center", it will display on your phone whenever you get a call from this number.
Please feel free to call us with further questions regarding this update.
How We Protect Your Online Security
The security of your financial information is one of Evergreen Bank Group's most important responsibilities. We maintain our Internet banking platform using stringent information security guidelines and use many lines of defense to protect your account information. Through authentication, SSL, encryption software, high-end firewalls, and automatic log off, your information is always safe and secure.
- Authentication ensures that you, the legitimate user, are communicating with us and not a fraudster who does not have authority to access your online accounts.
- SSL stands for "Secure Sockets Layer." This technology allows users to establish sessions with secure Internet sites, meaning they have minimal risk of external violation. Once inside the Internet Banking site, our use of SSL technology keeps you and your account information secure. Only browsers supporting the SSL security protocol with 128-bit encryption can be used to log on to our system.
- Encryption turns words and phrases into coded language. All of your online activities during an Internet banking session become a string of unrecognizable numbers before entering the Internet. We employ the strongest forms of cryptography that are commercially available for use over the Internet, so your account information will read as gibberish to everyone but you and our financial institution.
- High-end firewalls protect our computer systems interacting with the Internet against unauthorized access by outside individuals or networks.
- Automatic log off occurs after 10 minutes of inactivity during an Internet banking session. So if you forget to log off after your online session, we will do this for you to prevent anyone else from accessing your account.
We take numerous steps to keep your account information secure. However, you must take precautions as well.
- Choose a good passcode - Your online passcode, along with your access ID, authenticates your identity when accessing online accounts. You should carefully select a passcode that is difficult to guess and not use personal information or a word that can be found in the dictionary.
- Keep your passcode safe - Even the best passcode is worthless if it's written on a note attached to your computer or kept in your checkbook. Memorize your passcode and never tell it to anyone.
- Change your passcode regularly - For your protection, we require you to change your passcode every 60 days.
- Remember to log off properly - You may not always be at your own computer when banking online. Therefore, it's important to log off using the "log off" link at the top of each Internet banking page. If you forget to do so, the system automatically signs you off after 10 minutes of inactivity.
If you need any assistance, please contact your local Evergreen Bank Group branch office.
Account Masking Feature Protects Your Sensitive Data & Defends Against Online Fraud
Evergreen Bank Group's Account Masking reveals only pseudo names to identify your accounts during Internet banking sessions.
Thus, your online account numbers are better protected against criminals wanting to use this sensitive information to access your accounts.
How to Protect Yourself from Online Fraud
The increased sophistication and rapid growth of online fraud continue to be a challenge. These scams appear in many forms, especially fraudulent emails and Web sites, spyware and viruses, and pop-up advertisements.
Fraudulent Emails and Websites
This particular type of fraud occurs when someone poses as a legitimate company to obtain personal data, such as account numbers, and then makes transactions with this information illegally. A common form of this scam is called "phishing". Phishing refers to cyber-criminals who attempt to gather sensitive personal information from consumers through emails and/or through imitations of legitimate Web sites. To combat phishing, please remember that Evergreen Bank Group will never ask for sensitive information from you via e-mail (e.g., Social Security number, access ID, passcode or account number, or ATM/debit card number and PIN).
Spyware and Viruses
Spyware and viruses are destructive programs loaded on your computer without your permission or knowledge. Spyware appears as a legitimate application on your computer but actually monitors your activity and collects sensitive information. Viruses are harmful programs spread through the Internet that can compromise the security of your computer. Maintaining up-to-date anti-spyware and virus protection software and firewalls helps avoid these risks.
Pop-ups appear in a separate browser window and, when clicked, can download harmful spyware or adware to your computer. While some make legitimate offers, many pop-ups are attempts to obtain your sensitive information. Evergreen Bank Group will never ask you to verify personal financial information in a pop-up advertisement.
FDIC Insurance Coverage
For more information about FDIC insurance coverage of transaction accounts, visit www.fdic.gov.
EDIE can be used to calculate the insurance coverage of all types of deposit accounts offered by an FDIC-insured bank, including:
- Checking Accounts
- Savings Accounts (both statement and passbook)
- Money Market Deposit Accounts (MMDAs), and
- Certificates of Deposit (CDs)
Helpful Tips to Protect You
While online banking is safe, as a general rule you should always be careful about giving out your personal financial information over the Internet. Review the following tips to protect your personal information while using the Internet.
- Regularly log into your online accounts to verify that your bank, credit, and debit card statements and transactions are legitimate.
- Be suspicious of any e-mail with urgent requests for personal financial information.
- If you receive an unsolicited e-mail from any source asking you to click on a link to visit a site and input personal data, be very wary of it.
- Be cautious about opening any attachments or downloading any files from e-mails, regardless of who sent them.
- Instead of clicking on links in emails, type in the URL that you're familiar with, such as www.evergreenbankgroup.com, or select the Web address saved in your browser's "Favorites".
- If an offer sounds too good to be true, it probably is and should be avoided.
- If you have any doubts about the validity of an email, contact the sender using a telephone number you know to be genuine.
- Before you initiate an online transaction, make sure your personal information is protected by looking for indicators that the site is secure. URLs for secure sites typically begin with "https" instead of "http" and display a lock in the lower right corner of your browser.
- Use anti-virus software and keep it up-to-date.
- Make sure you have applied the latest security patches for your computer. Most software providers, like Microsoft, offer free security patches.
- If you have broadband Internet access, such as cable modem or DSL, make sure that you have a firewall.
Other Resource Websites
- FTC Identity Theft Website - The Federal Trade Commission web site has information for consumers and businesses on how to Deter, Detect, and Defend against identity theft. The website also includes details on how an active duty military person can place an "Active Duty Alert" on their credit report and how to file an identity theft complaint with the Federal Trade Commission.
- Annual Credit Report - You are allowed one free credit report every 12 months from each of the nationwide consumer credit reporting companies: Equifax, TransUnion and Experian. You may request this report via their website, phone or mail. See details on the Annual Credit Report website.
- Anti-Phishing Website - Find consumer advice on how to avoid phishing scams, what to do if you have given out your personal financial information, how to report phishing and also browse the phishing archives.
- FBI Website - The Federal Bureau of Investigation's website has many features which include the "Be Crime Smart" section on e-scams, warnings, reporting internet crime, common fraud schemes and other tips and suggestions.
- Digital Defense Identity Theft Website - Evergreen Bank Group is pleased to provide the Digital Defense module to our customers to help combat the fastest-growing crime in the world today - identity theft. Digital Defense provides tips, training, education and awareness on identity theft prevention techniques when using the internet and other electronic means. Furthermore, this service includes information on what to do in the event your information is compromised.