National Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) is now in its 14th year. This annual month-long event dedicates October to reminding all digital citizens and businesses that protecting our computers and networks is “Our Shared Responsibility” and that everyone plays a critical role in promoting safe computing. The NCSAM is led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). The month’s primary goal is to provide Internet users and businesses with the information and tools they need to be safer and more secure online, including education about how to protect personal information in today’s highly connected world. Everyone can join in and be a part of something big by becoming a NCSAM 2017 Champion. Hundreds of organizations and individuals have officially signed on as Champions to support the month. NCSAM Champions strengthen and boost the greater effort by spreading the word and hosting NCSAM Partner Events about online safety at home, at work, and in the community.
NCSAM 2017 kicked off on October 1st with a strong reminder for all digital citizens to:
STOP: make sure security measures are in place
THINK: about the consequences of your actions and behaviors online
CONNECT: and enjoy the Internet.
Cybersecurity in the Workplace is Everyone’s Business
Whatever your place of work – whether it’s a large or small organization, healthcare provider, academic institution or government agency – creating a culture of cybersecurity from the breakroom to the board room is essential and a shared responsibility among all employees. NCSA’s advice, based on national standards, recommends that organizations have a plan in place to identify your digital “crown jewels,” protect your assets, be able to detect incidents, have a plan for responding, and quickly recover normal operations. You can help your organization do this: take part in cybersecurity discussions, learn how to protect the digital “crown jewels,” and what to do if you detect an incident. Then expand this to your home: identify what you would hate to lose, and ensure that information is protected with antivirus software and backed up somewhere else. Be sure everyone in your family knows how to detect and recover from an incident.
NCSA and DHS are highlighting particular themes as we continue through the month. We invite you to join in each coming week, with the following user-friendly, actionable advice:
Today’s Predictions for Tomorrow’s Internet
Take a look into our future through the lens of the connected Internet and identify strategies for security, safety, and privacy while leveraging the latest technology. With the explosion of digital interconnectivity, it is critical to explore everyone’s role in protecting our cyber ecosystem. NCSA’s top tips include:
- Learn how to safeguard your Internet of Things (IoT) devices: Protecting devices like wearables and smart appliances can be different than securing your computer or smartphone. Research how to keep an IoT device secure before you purchase it and take steps to safeguard your device over time.
- Pay attention to the Wi-Fi router in your home: Use a strong password to protect the device, keep it up-to-date and name it in a way that won’t let people know it belongs to you.
- Delete when done: Many of us download apps for specific purposes or have apps that are no longer useful or interesting to us. It’s a good security practice to delete apps you no longer use.
The Internet Wants You: Consider a Career in Cybersecurity
A key risk to our economy and security is the shortage of cybersecurity professionals to protect our extensive networks. Growing the next generation of a skilled cybersecurity workforce – along with training those already in the workforce – is a starting point to building stronger defenses. Here are a couple of to-dos for parents or anyone interested in a cybersecurity career of their own:
- Volunteer at schools, after-school programs, boys and girls clubs, and community workshops to teach kids about online safety and cybersecurity careers. Check out NCSA’s online safety resources for ideas on what to cover and materials you can use.
- Learn more about starting your own path to a cybersecurity career by checking out the National Initiative for Cybersecurity Education (NICE) Framework. The framework provides information on what knowledge, skills, and abilities are valued by employers for different cybersecurity jobs.
Equifax Data Breach – Frequently Asked Questions
I’ve been hearing about the Equifax breach in the news. What happened?
Equifax, one of the three major credit bureaus, experienced a massive data breach. The data breach at the company may have affected 143 million Americans. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.
In a press release, Equifax said it discovered the “unauthorized access” on July 29, after which it hired an outside forensics firm to investigate. Equifax said the investigation is still ongoing. Equifax said the attackers were able to break into the company’s systems by exploiting an application vulnerability to gain access to certain files. It did not say which application or which vulnerability was the source of the breach.
Equifax will be sending direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.
Was my information stolen?
If you have a credit report, there’s a good chance it was. Go to a special website set up by Equifax to find out: https://www.equifaxsecurity2017.com/. Scroll to the bottom of the page and click on “Potential Impact,” enter some personal information and the site will tell you if you’ve been affected. Be sure you’re on a secure network (not public wi-fi) when you submit sensitive data over the internet.
How can I protect myself?
Enroll in Equifax’s services.
Equifax is offering one year of free credit monitoring and other services, whether or not your information was exposed. You can sign up at https://www.equifaxsecurity2017.com/.
Monitor your credit reports.
In addition, you can order a free copy of your credit report from all three of the credit reporting agencies at annualcreditreport.com. You are entitled to one free report from each of the credit bureaus once per year.
Monitor your bank accounts.
We also encourage you to monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on your accounts.
Watch out for scams related to the breach.
Do not trust e-mails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing e-mails.
What is First State Bank & Trust Company doing to protect my information?
In order to provide our customers with efficient service while preventing unauthorized access to your account information, staff at First State Bank & Trust Company may ask additional questions about your account for verification during telephone inquiries, beyond the information that could have been compromised in the breach. These additional inquiries may include information about the opening of the account or information on recent transactions.
You may also ask a customer service representative to establish an Identity Theft Question that must be answered before any information will be given on your account.
Should I place a credit freeze on my files?
Before deciding to place a credit freeze on your accounts, consider your personal situation. If you might be applying for credit soon or think you might need quick credit in an emergency, it might be better to simply place a fraud alert on your files with the three major credit bureaus. A fraud alert puts a red flag on your credit report which requires businesses to take additional steps, such as contacting you by phone before opening a new account.
How do I contact the three major credit bureaus to place a freeze on my files?
Equifax: Call 800-349-9960 or visit its website.
Experian: Call 888-397-3742 or visit its website.
TransUnion: Call 888-909-8872 or visit its website.
Where can I get more information about the Equifax breach?
You can learn more directly from Equifax at https://www.equifaxsecurity2017.com/. You can also learn more by visiting the Federal Trade Commission’s web page on the breach at https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do. To learn more about how to protect yourself after a breach, visit https://www.identitytheft.gov/Info-Lost-or-Stolen.
Free Credit Reports:
You are entitled by law to a free credit report from each of the Big 3 once a year. This means you can check your credit 3 times a year (once every 4 months with each of the bureaus). The only site you need to obtain this free copy is annualcreditreport.com, or by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring. There are lots of look-alike sites out there (like freecreditreport.com) that are not the real, government-mandated service.
Your free credit report will show all your lines of credit and other debt obligations, along with lots of data. However, it won’t show your FICO score; it usually costs money to get your FICO score.
Connected Home Devices: The Internet of Things
What is the Internet of Things (IoT)?
We have become more connected than ever before. A little over ten years ago, we only accessed the Internet through a laptop or a desktop computer. Then, we added phones and tablets to our list of connected devices. Today, we have even smaller connected devices, such as fitness trackers and smart watches. According to ABI Research, there will be over 30 billion devices connected to the Internet by 2020. The list of Internet connected devices, or “things”, keeps growing. Kevin Ashton, cofounder and executive director of the Auto-ID Center at the Massachusetts Institute of Technology (MIT), first mentioned the term Internet of Things (IoT) in 1999, but the first device to be connected to the Internet was actually a Coke machine at Carnegie Mellon University in the early 1980s. Programmers could connect to the machine over the Internet, check the status of the machine, and determine whether there would be a cold drink waiting for them. Today, IoT consists of everyday devices that are connected to the Internet, such as fitness trackers, vehicles, smart televisions, doorbells, light bulbs, home security systems, thermostats, and refrigerators. Basically, if it is not a computer, smartphone or tablet, and it connects to the Internet, it can be called an IoT device.
What are the issues with IoT devices?
Many people know they should install anti-virus (AV) software on their computers and be careful of what websites they visit or software they download. Unfortunately, most people probably do not consider their IoT devices to be a security threat. These devices are more accessible and make our lives more integrated, but many of the companies behind these new devices are not designing them with security in mind. For example, many IoT devices have default passwords that are well known and cannot be changed, or cannot be changed easily. They also can be difficult or impossible to update to mitigate known vulnerabilities, or have no settings to customize security.
Our dependence on Internet-connected devices has grown faster than the means, and/or awareness, to secure them. Leaving IoT devices unsecured, as with any Internet connected device, is like leaving the back door to your house unlocked. It gives attackers access to your personal information and the potential to further compromise other devices on your network. It also gives attackers the means to propagate their attacks onto others by using your insecure devices to attack other networks and devices.
How can you secure your IoT device?
So, what can you do to enjoy the functionality of IoT devices and remain more secure at the same time? The following tips may help you in these endeavors:
- Know what IoT devices are connected to your network. It is possible that there are devices connected to your network that you do not know about.
- Consider only purchasing devices that you need to use. Some Internet-capable devices may be nice to have, but provide limited benefit and reduce your security.
- Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
- Update the device’s software, if possible. If you update your device regularly, this will reduce the chances of a successful attack.
- Replace default passwords with unique and strong ones of your choosing. Passwords should have upper and lower case characters, numbers, and special characters, with at least 10 total characters.
- Configure security and privacy options, such as enabling encryption and limiting the information your devices share.
- Replace insecure IoT devices with more secure ones. Seek out reviews on these devices that address security features and patching support to determine which ones may have a reasonable baseline of security.
Identifying and Reporting Common Scams
On July 6, 2017 the Federal Trade Commission (FTC) issued an alert on scammers posing as FTC officials who contact individuals and claim they have won prizes from a charity contest. The scammers ask for money to cover taxes or insurance costs associated with the prize. While this is a new malicious campaign, scammers use these basic tactics time and time again with slightly different wording to take advantage of unsuspecting individuals. It may seem like a day doesn’t go by without scammers contacting you online or by phone seeking money and/or personal information. Since this is so commonplace, it is worth exploring how to identify these schemes, and how to go about reporting them in the event that scammers target you.
Identifying the scam
Two common financial schemes involve coercing individuals into paying money to prevent a negative outcome, such as a tax audit or police investigation, or asking the individual to pay a fee up front to claim a prize. A third type of scam seeks individuals’ personally identifiable information (PII), such as Social Security numbers and birthdates, to commit identity theft. Individuals providing information to scammers may suffer large financial losses, as well as negative impacts to their credit. It is important that you know how to spot these scams so you can easily ignore them.
It's most likely a scam if you...
- have to pay money to claim a “prize” or “winnings”
- are asked for money to stop or prevent a police, FBI, or other federal investigation
- have to provide your bank account number and information
- are specifically asked to purchase any form of prepaid gift card to be used as payment
- are approached with no prior contact to give out your date of birth, social security number, password, username or other personal sensitive information online or over the phone
- are approached online or by phone in an unprovoked manner and asked for payment or personal information by someone claiming to be a government employee on official business
One final thing to be aware of is that scammers create convincing emails that may look like official communication from your bank, credit card issuer, or a retailer. These emails often include a link to a very convincing, yet fraudulent website that will ask you to log in with your username and password. If you provide your credentials, the criminal can then use them to gain access to your legitimate account. From there, they can steal your personal information or generate fraudulent transactions. If you ever receive an email asking you to click a link to log in and update your account or change your information, be safe and use your browser to directly type in the legitimate website address for that account in order to complete this request. By doing this, you will always be sure you are on the right website.
Scammers constantly target individuals by email, false advertisements, and phone calls to bring these types of scams to fruition. Being wary of any communication that meets any of the above criteria will go a long way in keeping your information and money safe!
Finally, it is very important that targets of online or phone scams report this to the proper authorities. Although it can be a bit embarrassing to have been hit by such a crime, reporting is the only way to direct investigators and regulators to pursue the criminals behind the scam or identity theft. Aside from reporting the scam to law enforcement, it is important to work with your bank, credit card issuer, or the business where your account was compromised to take the necessary steps in preventing further financial loss.
If you are the target of a financial scam, report it to the FTC at www.ftc.gov/complaint. If this scam was via email or over the Internet, also file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov/complaint.
Targets of identity theft can also file a report at www.identitytheft.gov and receive a recovery plan detailing how to move forward based on the type of scam committed.
Sun, Sand, and Cybersecurity
School’s out and the beach and mountains are calling. It is that time of the year when so many of us pack our bags and hit the open road or head to the airport for a well-earned vacation. We may be ready to take a break from our normal lives, but we still need to be cyber secure while we are enjoying our time off! In this month’s edition, we will explore some ways to be safe and smart with our devices, Internet usage, and social media while out travelling on vacation.
Always be careful about how much you post on social media about your vacations before and during your travels. Criminals can and do watch online posts to find people that are on vacation because that means you have left your home unattended.
Before “checking in” to a location on a social network, consider what else you are sharing – like the information that you aren’t home. Consider skipping the “check in” and making your vacation posts after you have gotten back. This is another way people can see you aren’t home. Perhaps this will have the double benefit of letting you take the time to choose only the best photos to post after your trip is over! At the very least, consider using privacy settings that only let friends see your posts. Additionally, consider turning off GPS and auto-tagging/auto-check in features, if you have them enabled.
Disable WiFi auto-connect services
Some devices have an auto-connect feature that will search for and automatically connect to available and accessible WiFi networks without your interaction. This can allow your device to automatically connect to an unencrypted, public WiFi network, or even one that was set up by a malicious actor to eavesdrop on your browsing and connection activity.
If you want to connect to a store or hotel’s network, check with an employee to see what the correct network is called, and see if they can provide a network password for a more secure, encrypted network. Always use a secure, encrypted network that requires login credentials if you have the option. In the event that isn’t an option, and you can use your phone as a WiFi hotspot, use that instead to get a more secure connection for another device that can’t make direct use of the cellular network’s connection.
Additionally, make sure you do not choose to “remember this network” or “join this network automatically” once you have settled on a more trusted network for use during your vacation. If you have these settings switched on for a very generically named network, your device may connect you to a less secure one that happens to have the same name. Even if you have this turned off, there’s another setting that will automatically connect you to a network you have joined before, which can be a problem since your device doesn’t know the difference between your coffee shop’s “Guest” network and a malicious “Guest” network. Turn these settings off so you don’t automatically connect, and choose to connect only to more trusted, safer WiFi networks.
Keep your devices close, and keep them locked when not in use!
Whether it’s your laptop, tablet, or smartphone, be sure to keep your device on you or with someone you trust. Never leave a device unattended in an airport, train station, restaurant, hotel lobby or anywhere else in public while travelling. There is a common scam that targets people who leave devices sitting next to them. In this scam, another traveler will approach you and ask for help and then lay a newspaper or map down over your device. While you’re distracted answering their question, they are picking up and pocketing your device under the cover of the newspaper or map!
Are You Really Being Secure Online?
Browsing the web and interacting with websites in a secure fashion is immensely important in today’s connected world. Everyday things like online banking, shopping, and submitting your taxes involve sharing financial and sensitive information online. This makes browsing securely something that everyone should consider more closely. Below we will explore some ways to connect to the Internet and browse websites securely, as well as how you can double check that you are being secure.
Use a Secured Wi-Fi Network
Wi-Fi access is widely available, but many of the free connections are to unsecured public Wi-Fi that will leave your information travelling openly! On an unsecured public Wi-Fi network, cyber criminals can easily access the data you are transmitting because your information is not encrypted.
A more secure public Wi-Fi network uses encryption and requires a password or credentials, provided by someone acting in an official capacity for the local business, to gain access. When looking for an available and more secure wireless network, you will see ones using encryption marked with a small lock symbol next to the name of the network. Some hotels and shops that provide free Wi-Fi to customers provide access to their secure networks by providing you with credentials or an access code when checking in, making a purchase, or on request.
If you opt to use a public Wi-Fi connection, make sure you understand the risk – others may be able to see what you do. Keep this in mind and do not conduct sensitive transactions or log in using your credentials on any sites. Not all apps and sites support encryption and other good security practices, which leaves you much more open to many types of cyber-attacks when on a public Wi-Fi connection.
Secure Your Information in Transit
Keep an eye out for that little lock icon on your browser, or the “https” in the URL! Sites that are taking security seriously will encrypt the sensitive information you are exchanging with the site. This is a strong way to ensure that your online activities like shopping or submitting personal information are protected.
The small lock icon or “https” at the beginning of the URL are indicators that encryption is currently in use. The lock icon is commonly found in the address bar on the most popular browsers, including Chrome, Firefox, Safari, Edge, and Internet Explorer.
Verify the Website
When you are looking for information or products online, make sure you are on the website you intended to visit, or are going to the correct site.
One particularly sneaky technique used by cyber criminals is called typosquatting. Typosquatting is when someone purposely owns a website that is similar to a trusted website but with a typo in the address. For instance, the website “thisissafe” might be trusted, but the website “thisisafe” could be a malicious website using typosquatting. People are often linked to these incorrect, but very closely named websites through phishing emails sent out by malicious actors. Many websites look the same, and sometimes criminals or other unscrupulous folks use the names and logos of trustworthy companies to mislead you. In some forms of attack, a user being led to a false, but convincing copy of a known website will be prompted to enter their legitimate credentials, which are stolen by the malicious actor who set up this ruse.
A good practice is to not click a link that is provided in your emails, and to instead go type the intended website’s address directly into your browser to ensure you get to the right place.
May 8, 2017 - Skimmer identified on two First State Bank & Trust ATMs
Fremont, Neb. – First State Bank and Trust Company of Fremont learned this weekend that an ATM skimming device had been placed on the outdoor ATM at our 1005 East 23rd Street location. This device was found by a user of the machine, was removed and turned in to local law enforcement. In investigating this matter, it came to the bank’s attention that a device had been used at our 1965 East Military location.
First State feels confident that users of the 23rd Street machine will not be impacted since the device on this location was captured. We have identified bank customers whose cards may have been skimmed at the Military location and have flagged their cards in our system. We are reaching out to those affected customers. It appears only those who used the ATM at the Military branch in Fremont on Friday, May 5th – Saturday, May 6th are potentially impacted. All consumers are fully protected by the bank against fraudulent transactions. As always, we strongly encourage our customers to monitor their transaction history in online banking or through our mobile app.
If you are a non-customer who used our Military branch location and see unusual activity, please contact your bank directly for assistance. You are also fully protected against fraudulent charges, but the process does need to begin with your own financial institution.
“We take a situation like this very seriously. We are working with local and federal law enforcement on this matter and are reaching out to all identified customers. We are doing everything we can to resolve this situation quickly for those affected,” states Chuck Johannsen, President of First State Bank & Trust Company.
Here are some tips from the Office of the Comptroller of the Currency/U.S. Department of the Treasury to protect your financial information:
- Walk away from an ATM if you notice someone watching you or if you sense something wrong with the machine; immediately report your suspicions to the company operating the machine or a nearby law enforcement officer.
- Before using an ATM, examine nearby objects that might conceal a camera; check the card slot for a plastic sheath before inserting your card.
- Never keep a written copy of your PIN in your wallet or purse as it could be stolen; instead memorize your PIN and keep a paper record hidden at home.
- When entering your PIN, stand close to the machine and hold your hand over the keypad or screen to make it more difficult for a person or camera to watch you.
- Beware of strangers offering to help you with an ATM that appears disabled and notify someone responsible for the security of the machine.
- Regularly review your account statements, either online or on paper, and check for unauthorized withdrawals and purchases. If you find one, immediately contact your bank or credit card provider, as this will limit your financial liability for fraudulent charges.