Just a few years ago, a conversation with one of our members about online security centered entirely around what the credit union was doing to protect member data and information. Although we still have a major role to play, online security has become just as much our members’ responsibility because of recent advances. New technology makes it possible for others to invade individual PCs and steal their information. In addition, programs now exist that can hide on a PC, secretly recording keystrokes—including account numbers and passwords.
To ensure your security online, both Arizona Federal and you must take some precautionary measures. Please read the following information to learn more about these measures:
How to Report Fraud
If you suspect that fraudulent activity has occurred or been attempted on your account, please contact us immediately at (602) 683-1088 or (800) 523-4603 x1088. If you contact us after business hours, please provide details of what has occurred on our message system, and we’ll contact you immediately the following day. Alternatively, you may email us with the details through the CU Online system.
Below are some of the steps Arizona Federal takes to protect your information:
The first layer of security is an individual password for each account that accesses the CU Online system. The password must be input and validated in order to access any account through CU Online. Members should not share their passwords with others.
The CU Online system will automatically log you off after a period of non-use. You can adjust how long the system will wait before logging off.
Site Security & Encryption
CU Online uses software from Netscape® Communications that incorporates full data encryption to ensure the security and privacy of transactions. This encryption technology is so secure that it is classified by the U.S. Department of Defense. United States law forbids the export of this technology to other countries.
Any information that travels within the CU Online system does so with 128-bit encryption. This technique codes the information into a sequence with billions of different combinations. While this encryption is not 100% unbreakable (no solution is), it is so difficult and time-consuming to decipher that most information thieves won't bother to try.
Even though CU Online is secure, the rest of our web site can be accessed as either secure or unsecure. To see at a glance if your current session is secure, you can do the following:
- Check if there is an "s" after the "http" in the URL. The "s" after the "http" denotes that the page is secure
- Check the key icon at the lower-left corner of Netscape's screen. If it is intact and a blue line appears at the top of the screen, all messages are secure
- If using Microsoft® Internet Explorer, and the image of a lock is displayed, the lock indicates the site is secure
WARNING: If the icon appears as a picture of a broken key or a broken lock, encryption is not in use and the current session is not secure.
CU Online uses several layers of technology including screening routers, filtering routers, and firewalls to prevent unauthorized users from gaining access to the internal network.
Our data center and network utilize updated anti-virus programs from multiple providers.
At least once each year, the CU Online data center and system are audited by a third party specializing in PC network and information security. As a result of these audits, the data center hosting CU Online has been awarded TruSecure Certification (see www.trusecure.com for more information). This certification reflects our compliance with an extensive and continuous security assurance process and validates the presence of risk reduction practices.
The CU Online data center is located out of state and secured by both passcode and biometric technology. The servers are further monitored 24 hours a day by on-site personnel in addition to automated monitoring and alarm systems.
We make significant investments to upgrade hardware and software on an ongoing basis to keep up with evolving trends and advances in security technology.
Generally, we don’t accept unsecure Internet email from our members. Instead, we use a secured communication system within CU Online. Each time you send a message to us through CU Online, we create a secure, temporary inbox. This way we’re not sending any valuable or personal information out over the Internet unsecured.
A cookie is information in a text file that is temporarily stored on your computer.
Once the cookie is stored, the site's web server can retrieve that information with that browser. For example, when a person browses through an "online shopping mall" and adds items to a "shopping cart", their browser stores the list of items that have been added to the cart so that they can pay for all of the items at once when they are finished shopping. It's much more efficient for each browser to keep track of information like this than have a web server remember who bought what, especially if there are thousands of people using the web server.
When browsing the web, any cookies that are sent to a browser are stored in the computer's memory. When the browser is closed, any cookies that haven't expired are written to a cookie file so they can be reloaded next time the browser is used.
CU Online uses a different kind of cookie known as a session cookie, also called a non-persistent cookie or a pre-expired cookie. These cookies are temporary and are never stored on your computer. As you navigate through CU Online a pre-expired cookie is set on the server each time a page is viewed. Because the HTML page you are viewing is not "cached" or stored on your computer, it must always be re-retrieved from the server.
The pre-expired cookies keep the session alive until you log out properly or time out of CU Online. Once this occurs, you must log in with your User ID and Password to regain access. This ensures that another person using the same computer cannot access a previous session.
What you should do to protect your information and security:
Choosing a Password
Choose a password that is not obvious to you. We strongly recommend that you do not choose any of the following for your password:
- Social Security Number
- Name (first or last) or a family member’s name
- Pet’s name
- Birth date or that of a family member
- Phone numbers
For maximum protection, we recommend that your password be a combination of both letters and numbers. You can mix uppercase and lowercase letters. If your browser or operating system offers a feature that will “save” your password, don't use this feature, because anyone who uses your computer can access your account.
Use a Current Browser
Make sure you are using the most current and updated version of a web browser. As security features are strengthened, most of the popular software providers make updates and new versions of their browser available for free. Having a current browser will help to ensure you have the most recent updates and strongest protection. Click here for a list of the minimum browser requirements in order to access CU Online.
Set Browser Security Settings
Some browsers, including Microsoft’s Internet Explorer, allow you to create lists of sites that you know to be secure. You may find it convenient to add certain sites to this custom list to ensure their functionality, while setting high security settings for all other sites.
Don’t Open Email Attachments From Unknown Sources
If you receive an email from an unknown source, never open any attached file. Viruses, spyware and other harmful programs can be delivered through email attachments. It’s good practice to delete memos from unfamiliar sources prior to opening or previewing them.
Disable any Email Preview Windows or Panes
Some email programs offer a preview window or pane that automatically shows the content of the email. Because viruses, spyware and other harmful programs can be delivered to you via email, this preview can launch the program (virus, spyware, etc.). It’s good practice to delete memos from unfamiliar sources prior to opening or previewing them.
Use a Current Operating System
Like browsers, many operating systems are continually updated with new security enhancements. To download the most current versions of your operating system, the following links have been provided for your convenience.
Install and Update Anti-Virus Software
Using virus protection software will help to keep your PC safe from some attempts to load destructive programs – whether it's being done intentionally or accidentally. However, simply loading an anti-virus program is not enough. You should also enable your anti-virus software to receive online updates. As new viruses are detected, many anti-virus providers update their system to catch and destroy them in the future. If you do not update your anti-virus software, your PC may not be safe from the most current virus threats.
Though neither of the following is specifically endorsed by Arizona Federal, the following are popular providers of anti-virus software:
Install and Update Anti-Spyware Software
There are many different types of spyware that may have found their way onto your PC. They range widely in their danger and significance, from causing slight performance problems to being used to record and transmit all keystroke activity (including the passwords you enter) from your PC to someone else.
Install a Firewall
A firewall is software that acts as a guard or barrier between a PC and the rest of the world. Properly used, a firewall scrutinizes and filters information that attempts to pass through it. Only information and files that are permitted are allowed to pass to the PC. Those that are not are turned away and not successfully passed through to the PC. If you have an Internet connection (especially a cable, DSL or any other high speed solution) and no firewall, you are making your PC available to others to use via the Internet. Some firewalls also help to fight or limit viruses, spyware and spam.
Contact Your Internet Service Provider (ISP)
Many ISPs have built-in security features which may include anti-virus software, firewalls or other features. You should contact them to determine what (if anything) they are doing to help protect you when you use their Internet service. You can then create a strategy that complements what they already have in place. If they have nothing in place, you may want to consider alternate providers.
Don’t Respond to Requests for Information
Arizona Federal will never ask you to supply us with personal or account information, unless responding to your specific request—and only through our secure communication system within CU Online. We will never email you to request that you “update your security information” or anything of the sort.
Do not respond to any attempts by email or pop-up ad to “verify” your information for anyone. These are attempts by criminals to collect information for fraudulent use.
For more information about these attempts, otherwise known as “phishing,” please click here.
Don’t Participate in Free Contests and Giveaways
While there are legitimate online contests and giveaways, many of these “contests” are illegitimate hoaxes meant to install spyware or other harmful files onto your PC. A best practice would be to make sure the company offering the prize is legitimate and one that you are familiar with. You should also consider whether you had to go to their site to see the opportunity or whether it was sent to you unsolicited by email or pop-up window. The aggressiveness of the campaign may have an inverse correlation to its legitimacy—the stronger the push, the more likely it's fraudulent.
Install a Pop-Up Blocker
Installing pop-up blocker software will reduce the number of illegitimate games, contests or other hoaxes presented to you.
Most Common Security Threats & How to Defend Yourself:
There are a few basic types of spyware: Advertiser software (Adware), Web Bugs, Proxy Adware, Stand-Alone Commercial Computer Monitoring/Surveillance software and Trojans.
Businesses will pay to learn your purchasing habits, preferences, household income, family composition and other demographics to better target their advertising to you. For example, if a marketing firm thinks you are an avid hiker, they will flood you with pop-up ads selling everything from boots to backpacks. These companies devise schemes to get you to install their software by offering a free game or other ‘entertainment’ type product.
Web Bugs are a form of adware that can track what you’re doing online, return that information to a third party, and allow them to pop-up ads or just monitor you for demographic purposes. While these forms of spyware are intrusive, they usually do not collect any personally identifiable information, just demographics.
These spyware programs load executable programs and take up resources running in your computer and can, usually by accident or poor design, interfere with your own programs or operating system causing unforeseen, unexplained crashes or abnormal behavior. The most often seen effect of adware is a general slow-down of your PC as more and more resources are diverted to the spyware programs and fewer resources are available for your own use.
There is a new form of adware commonly known as “proxy” adware. This type of software is again installed along with another program the user deems useful but, instead of just collecting demographic information, this software has the potential to collect absolutely all user information no matter how private.
Proxy adware works by getting the user to agree to allow all inbound and outbound traffic from their PC to be re-routed through a marketer's servers. This is done by the addition of a small software program on the user’s PC. What this means is that all information sent by the user, to any other person at any time, is captured by the marketer's servers. This also applies to SSL encrypted transactions containing sensitive information such as online banking user IDs and PINs. This works because the marketer is actually a man-in-the-middle who gets the encrypted transmission from the user, is able to decrypt it because he is an authorized proxy, and then re-encrypts it and sends it on to its intended destination as the user.
This is an incredibly intrusive form of adware. Many users are actually unaware of the implications of its use either because they did not read the End User License Agreement (EULA) when installing the software or were not technically knowledgeable enough to understand the full ramifications of the Agreement.
This software is sold for use by employers, employees, spouses, private investigators, identity thieves and others for one purpose: to record everything you do on your computer ... silently. These include URL recorders, keyloggers, chat monitors, screen recorders, program loggers and more. While it may have legitimate uses such as monitoring your child’s Internet access or ensuring that employees do not access inappropriate websites on company time, it can be easily abused by unscrupulous
Trojans and Other Malware
The last type of spyware is broadly lumped into the category called a “trojan,” which was named after the infamous Trojan Horse. This type of software is most commonly used to deliver worms, viruses and other forms of ‘malware’ to PCs. The worst type is called a “RAT,” or Remote Access Tool. This tool enables an attacker to have complete control of your PC.
How Does Spyware Get Into Your PC?
Adware is often installed along with another program that the user considers useful.
Trojan spyware is most often installed either by a malicious prankster or a criminal. Certain types of trojans exist solely to gather personal information, such as online banking user IDs and PINs, which enables the perpetrator to commit identity theft. As the name implies, trojan software gets installed by the user’s own action or, in some instances, inaction. In some cases a user clicks a link in an email and either runs an executable attachment or links to a website program that downloads and executes a program. In some cases just visiting a malicious website and viewing a page is enough to silently download and execute a spyware program.
Software ‘trading’ with friends can also mean an Internet spyware program could be hidden in the traded software. This also applies to music files, MP3s and so forth. Even graphics are not immune. There is an exploit that allows certain picture files to become infected with malware and be able to propagate on a vulnerable PC. As with Stand-Alone Commercial Computer Monitoring/Surveillance software, this software/hardware is most usually installed by a trusted person who has physical access to your computer.
What Can Happen if Spyware is on Your PC?
While most forms of adware are intrusive, trojans are even worse. Many trojans contain RATs. There are three main reasons why these trojans exist:
- The first is the prankster or ‘script-kiddie’. These perpetrators aren’t really hackers; they’re usually much less technically astute. They manage to get a copy of an existing malware program and modify it to some extent to avoid detection by anti-virus scanners. Some do this for a joke, some to get bragging rights with their friends, some to see how many PCs they can ‘own.’ If their malware contains a RAT they may enter your machine, copy software and/or cause intentional or accidental damage. These people usually aren’t looking for any personal information.
- The next use of trojans is by spammers. Spammers are slowly being squeezed by international law and are finding it harder and harder to get ISPs to host their activities. They have turned to the method of creating ‘zombies.’ A zombie is a PC that has been infected with, and is now controlled by, a RAT. The zombie PC is used to send bulk spam email for the spammer. By infecting thousands of home and business PCs the spammer can use them like throwaway, disposable mail generators. He can send millions of emails in a single night using someone else’s bandwidth and good name. The ISPs that get this flood of spam often block the sending machines and even get the person’s account at their ISP terminated.
- The last, and most dangerous, use of malware is identity theft. There are a number of trojans that are created specifically to harvest online banking user IDs and PINs, credit card numbers and other financial information. Many of these also install RATs. Some of these RATs will make contact through your firewall to a pre-defined Internet Relay Chat (IRC) channel and then accept commands from the owner. At this point the criminal can run software on your PC, upload or download files, and actually perform almost any action that you could perform by sitting at the keyboard.
In a phishing (pronounced “fishing”) scam, an email is drafted to appear to be from a financial institution or other trusted service provider. It is intended to look as close to being "official" as possible, usually incorporating the logo, etc. from the company and in many cases including some of the same photos found on the company’s web site. A phishing email typically explains that due to some type of identity theft attempt, it is important that customers/members now log in (using a link provided) and provide information to confirm their account ownership. It is usually further accompanied by a threat that they may lose access to their account if they do not respond soon.
The link, while it may look official and genuine, is anything but. By clicking on the link, the recipient is taken to a phony web site which is also created to look as close to the company’s site as possible, with a phony login button. Once an account number and password are entered, they are now captured into a database behind the scenes (for future fraudulent use). Further, the next page will ask the victim to confirm their credit or check card number, expiration date, CVV code, ATM PIN, etc. - everything that a crook would need to make a counterfeit card. Believe it or not, thousands of people fall for these.
Arizona Federal will never send you an unsolicited email asking you to verify an account number, card number, PIN, or other sensitive information. Arizona Federal works with Cyveillance Anti-Phishing™ to quickly identify and shut down online scams.
Be suspicious of unsolicited email that you receive from other companies. Phishing emails usually have some sort of threat of consequence (i.e., “act now or else…”) to encourage victims to act quickly and without thinking through their actions. They often also contain spelling and/or grammar errors as many originate in foreign countries. They will also request that you provide sensitive account information, including password, account number, PIN, etc. If you’re ever suspicious of an email you’ve received from a company you do business with, call them using a number provided on your monthly statement or from a public source (commercial, etc.).
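Three of the warning signs described above (a threat of consequence, a request for sensitive account details, and a link that does not lead to the company's own site) can be checked mechanically. The following Python is an added example, not code from Arizona Federal or Cyveillance; the keyword lists, the function names and the `example-cu.test` domain are assumptions, and both sample messages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed keyword lists for two signs the text names: pressure to act, and
# a request for sensitive account details.
URGENCY = re.compile(
    r"\b(act now|or else|immediately|lose access|suspend(ed)?|within \d+ (hours|days))\b", re.I)
SENSITIVE = re.compile(
    r"\b(password|account number|card number|pin|cvv|expiration date)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def host_of(url):
    # urlsplit only finds a host after "//"; visible link text often omits the scheme.
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def same_site(host, expected):
    # Exact match or a true subdomain; "expected" appearing mid-name does not count.
    return host == expected or host.endswith("." + expected)

def phishing_indicators(html_body, expected_domain):
    """Return the sorted list of warning signs found in one HTML email body."""
    parser = LinkCollector()
    parser.feed(html_body)
    text = " ".join(" ".join(parser.text).split())
    found = set()
    if URGENCY.search(text):
        found.add("threat_of_consequence")
    if SENSITIVE.search(text):
        found.add("requests_sensitive_info")
    for href, label in parser.links:
        host = host_of(href)
        if host and not same_site(host, expected_domain):
            found.add("link_leaves_expected_domain")
            # The visible text shows one address while the link goes to another.
            shown = host_of(label) if "." in label and " " not in label else ""
            if shown and shown != host:
                found.add("link_text_mismatch")
    return sorted(found)

# Constructed sample messages (not real emails).
SAMPLE_PHISH = (
    "<p>Due to an identity theft attempt, you must confirm your account number "
    "and password immediately or you may lose access to your account.</p>"
    '<a href="http://login.example-cu.test.other-host.example/verify">'
    "https://www.example-cu.test/login</a>")
SAMPLE_LEGIT = (
    "<p>Your monthly statement is ready. Sign in to CU Online to view it.</p>"
    '<a href="https://www.example-cu.test/statements">View statement</a>')

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_PHISH, "example-cu.test"))
    print(phishing_indicators(SAMPLE_LEGIT, "example-cu.test"))
```

A clean result does not make a message trustworthy; the check only flags the signs it was written to look for.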
If you do receive a phishing attempt by email, do not follow the instructions and provide your account information. Instead, forward the email to the Federal Trade Commission at email@example.com. Or, you can report it by phone by calling 877.IDTHEFT (877-438-4338). Most of these sites are shut down within days, but that may be all it takes to gather a few thousand credit card numbers.
If you receive an attempt that is portraying Arizona Federal, please forward it to firstname.lastname@example.org so that we can act quickly to take their site down. Please include the phrase "report fraud" in the subject line. You may also contact us at 602-683-1088 or 800-523-4603, ext. 1088 if you ever receive anything from us online that you are suspicious of.
For additional information about online security and protecting yourself from Internet fraud, please visit www.onguardonline.gov