Online Security Guidance
The Federal Financial Institutions Examination Council (FFIEC) has issued supervisory guidance designed to help make online transactions more secure. The guidance is in response to an ever more dangerous online threat environment. Scams and hacking techniques are more sophisticated, new threats are continually being developed, and organized crime groups both in the United States and internationally have become a major force in expanding online fraud and theft.
The guidance means you may begin to see new security features on the websites you visit. Each of our online products has built-in security features which are continually enhanced in response to changing threats. Some of these enhancements are visible to you, the user, but others occur behind the scenes.
The guidance also means you will see more information on how you, as a user of online services, can take action to keep your identity and your financial information and funds secure.
IMPORTANT INFORMATION FOR USERS OF FNB ONLINE SERVICES
FIRST NATIONAL BANK IN STAUNTON AND YOUR LOG-IN CREDENTIALS
We will never call, email or otherwise contact you to request your access ID, password, or other log-in credentials for the online services we offer. If you receive such a request, do not provide any information. Contact First National Bank at 618-635-2234 to report the incident.
REPORTING SUSPICIOUS ACTIVITY
If you see suspicious activity on your account(s) or have received a suspicious call, email, letter or other similar contact regarding your relationship to First National Bank in Staunton, call 618-635-2234 or your local First National Bank branch.
PROTECT YOURSELF BY CONTROLLING ONLINE RISKS
The security tips and links to websites noted below provide important information and news to help you understand online transaction risk and options to help you control these risks. It is important to be informed and proactive. When it comes to internet fraud, account takeover and identity theft, an ounce of prevention is definitely worth a pound of cure.
Password Security Tips
- Do not share your user IDs or passwords with another person or provide them to others. Safeguard your user ID and password information—never leave the information in an unsecured location.
- Create a unique user ID and password for each site. Do not use the same identifying information on multiple websites.
- Create strong user IDs and passwords. In other words, use upper case letter(s), lower case letter(s), number(s), and special character(s) (!@#$%^&*).
- Many websites force password changes. If a website does not do so, take the initiative and change your password on a regular basis.
Website Security Tips
- Monitor your account activity. Regularly view account activity online and review periodic account statements (monthly and/or quarterly) and reconcile them to your personal records.
- Log off from a website; do not just close the page or "X" out.
- Secure websites have a web address that includes an "s" (https rather than http). If this is lacking, the site is not genuine. Do not log in or conduct business on the site.
- If a website displays a security monitor, verify it has the current date. If it does not, do not use the site; it may be a spoofed or hijacked site.
- When completing financial transactions, verify encryption and other security methods are in place, protecting your account and personal information.
Computer / Network Security Tips
- Use quality security monitoring software on your PC that includes anti-virus, anti-malware and firewall functions.
- Use your PC's security features such as individual log-in accounts.
- Keep your PC operating system security up-to-date by applying patches and updates.
- Password-protect your computer network (physical or wireless).
Web Resources – Learn more and do more to protect yourself online!
Two user-friendly sites for users of all ages and interests:
Consumer alerts and online security tips on the FTC website:
Youth and teens and those concerned about them will find the following helpful:
Recent scams and how to report scams - Go to the IC3 website, a partnership of the FBI, the National White Collar Crime Center, and the Bureau of Justice:
Scams and fraud and tips to avoid being a victim - Visit the FBI website at:
CONSUMER PROTECTION – REGULATION E
Regulation E provides rules for error resolution and unauthorized transactions for electronic fund transfers, which includes most transactions processed online. In addition, it establishes limits to your financial liability for unauthorized electronic fund transfers. These limits, however, are directly related to the timeliness of your detection and reporting of issues to First National Bank in Staunton. It is for this reason that we encourage you to immediately review periodic account statements and to regularly monitor your account activity online.
The "Electronic Fund Transfers" disclosure provided to you at the time of account opening provides detailed information. We will provide to you, upon request, a free printed copy of this disclosure.
ADDITIONAL INFORMATION FOR BUSINESS USERS OF ONLINE SERVICES
The FFIEC Guidance takes note that business transactions, because of their frequency and dollar value, are inherently riskier than consumer transactions. The Guidance also notes the steep rise of online account takeovers and unauthorized online fund transfers related to business accounts in the last five years.
Recently, small- to medium-sized businesses have been primary targets as cyber criminals have recognized that the security controls they have in place are not as robust as those of larger businesses. Analysis indicates that enhanced controls over administrative access and functions related to business accounts, together with layered security using multiple and independent controls, would help to reduce these types of crime.
The FFIEC Guidance suggests enhanced controls for businesses:
- Business customers should be encouraged to perform a periodic risk assessment and an evaluation of the effectiveness of the controls they have in place to minimize the risks of online transaction processing.
- The password, website, computer and network tips above provide a starting point for this process and the web resource links provide additional detailed information.
- The FTC Business Center has a great deal of information for businesses at http://business.ftc.gov/privacy-and-security/data-security.
- Business customers should understand the security features of the software and websites they utilize and take advantage of these features. Segregation of duties—the process of separating duties so no one person can perform all steps of a transaction—is an example of a very important security feature.
- Layered security options that may be available to business customers doing online transactions include transaction thresholds, out-of-band verification (such as telephone or email verifications), fraud detection and monitoring systems, and IP reputation–based services. The Guidance encourages establishing layered security processes.
The privacy of communications between you (your browser) and our servers is ensured via encryption. Encryption scrambles messages exchanged between your browser and our Online Banking server.
How Encryption Works
- When visiting Online Banking's sign-on page, your browser establishes a secure session with our server.
- The secure session is established using a protocol called Secure Sockets Layer (SSL) Encryption. This protocol requires the exchange of what are called public and private keys.
- Keys are random numbers chosen for that session and are only known between your browser and our server. Once keys are exchanged, your browser will use the numbers to scramble (encrypt) the messages sent between your browser and our server.
- Both sides require the keys because they need to descramble (decrypt) messages received. The SSL protocol assures privacy, but also ensures no other website can "impersonate" your financial institution's website, nor alter information sent.
- To learn whether your browser is in secure mode, look for the secured lock symbol at the bottom of your browser window.
The numbers used as encryption keys are similar to combination locks. The strength of encryption is based on the number of possible combinations a lock can have. The more possible combinations, the less likely someone could guess the combination to decrypt the message.
For your protection, our servers require the browser to connect at 128-bit encryption (versus the less-secure 40-bit encryption). Users will be unable to access online banking functions at lesser encryption levels. This may require some end users to upgrade their browser to the stronger encryption level.
If your browser does not support 128-bit encryption, you must upgrade to continue to access the website's secure pages.
Browsers Encryption Level
- Chrome -
When you connect to a website, Google Chrome can show you details about your connection and alert you if it can't establish a fully secure connection with the site. Click the paper icon or the lock icon to see even more details about the site's identity, your connection, and your visit history for the site. Learn about Google Chrome's security settings. Sites using SSL present security certificates to the browser to verify their identity. Anyone can set up a website pretending to be another site, but only the real site possesses a valid security certificate for the URL you're trying to reach. Invalid certificates could indicate that someone is attempting to tamper with your connection to the site.
- Firefox -
Firefox will match the level of encryption the website uses, and Firefox is capable of higher encryption than 128-bit (256-bit if that is what the website uses). It depends on the order in which the server offers its ciphers. If the server offers 128-bit with a higher priority than 256-bit, then Firefox will only select 256-bit if you disable the 128-bit ciphers.
- Internet Explorer 6 or higher -
Microsoft Internet Explorer supports two levels of encryption, 40-bit and 128-bit. The standard 40-bit versions include Server Gated Cryptography (SGC) technology. With SGC technology, international customers can conduct 128-bit transactions with banks and financial institutions (that support SGC) around the world. Internet Explorer with 40-bit (SGC) encryption is available worldwide, but Internet Explorer with full 128-bit encryption is available in the United States (or its territories, possessions and dependencies) and Canada only.
- Safari -
All versions of Safari support 128-bit encryption as part of their security model. All versions of Safari use the Secure Transport API from Mac OS X's Security Framework for all secure connections. For more information about security on Mac OS X, or the Secure Transport API, please review the following references:
Mac OS X Security
Secure Transport Reference
Recently banks of all sizes have been faced with online attacks that delay or prevent customers from logging onto their bank’s website or accessing related services such as online banking. These attacks are known as distributed denial of service (DDoS) attacks. In order to block real customers from reaching their bank’s website, the website is flooded with millions of requests for information at once – essentially creating a “traffic jam” that temporarily disrupts the customer’s access to the website.
Unfortunately, these attacks are becoming more and more commonplace. At First National Bank, we are doing everything we can to limit the effect of these types of attacks. We feel it is important that our customers know the facts about these attacks and how they might affect you.
How does a DDoS attack affect my First National Bank accounts and personal information?
The main goal of DDoS attacks is to slow down or disable a financial institution’s website and, by doing so, deny the customer's requests for service. This means that our banking systems, your accounts and your personal information are completely safe.
What will First National Bank do if it comes under attack?
We are on alert for these kinds of attacks and have strong, thorough measures in place to identify and block the computers involved.
How long should I expect to wait?
These attacks could last up to several hours. If you are not able to reach our website or our online banking, you can visit one of our ATMs or branch locations to perform your desired transaction. You may also call us at 618-635-2234.
We apologize for any inconvenience one of these DDoS attacks might cause, but know that we will be working diligently to get our website and its services back up and running.