Just
a few years ago a conversation with
one of our members about online security
centered entirely around what the
credit union was doing to protect
member data and information. Although
we still have a major role to play,
online security has become just as
much our members’ responsibility
because of recent advances. New technology
makes it possible for others to invade
individual PCs and steal their information.
In addition, programs now exist that
can hide on a PC secretly recording
keystrokes—including account
numbers and passwords.
To ensure your security online, both
Arizona Federal and you must take
some precautionary measures. Please
read the following information to
learn more about these measures:
How to report fraud
If you suspect that fraudulent activity
has occurred or been attempted on
your account, please contact us immediately
at 602-683-1088 or
800-523-4603 x1088.
If you contact us after business hours,
please provide details of what has
occurred on our message system, and
we’ll contact you immediately
the following day. Alternatively,
you may email us with the details
through the CU Online system.
What Arizona Federal does to protect your information
Password Authentication
The first layer of security is an
individual password for each account
that accesses the CU Online system.
The password must be input and validated
in order to access any account through
CU Online. Members should not share
their passwords with others.
Timed Log-Off
The CU Online system will automatically
log you off after a period of non-use.
You can adjust how long the system
will wait before logging off.
Site Security & Encryption
CU Online uses software from Netscape®
Communications that incorporates full
data encryption to ensure the security
and privacy of transactions. This
encryption technology is so secure
that it is classified by the U.S.
Department of Defense. United States
law forbids the export of this technology
to other countries.
Any information that travels within
the CU Online system does so with
128-bit encryption. This technique
codes the information into a sequence
with billions of different combinations.
While this encryption is not 100%
unbreakable (no solution is), it is
so difficult and time-consuming to
attempt to decipher, that most information
thieves won't bother to try.
Even though CU Online is secure,
the rest of our web site can be accessed
as either secure or unsecure. To see
at a glance if your current session
is secure, you can do the following:
- Check if there is an "s"
after the "http" in the
URL. The "s" after the
"http" denotes that the
page is secure.
- Check the key icon at the lower-left
corner of Netscape's screen. If
it is intact and a blue line appears
at the top of the screen, all messages
are secure.
- If using Microsoft® Internet
Explorer, and the image of a lock
is displayed, the lock indicates
the site is secure.
WARNING:
If the icon appears as a picture of
a broken key or a broken lock, encryption
is not in use and the current session
is not secure.
Architecture/Firewalls
CU Online uses several layers of technology
including screening routers, filtering
routers, and firewalls to prevent
unauthorized users from gaining access
to the internal network.
Anti-virus programs
Our data center and network utilize
updated anti-virus programs from multiple
providers.
Security Audits
At least once each year, the CU Online
data center and system are audited
by a third party specializing in PC
network and information security.
As a result of these audits, the data
center hosting CU Online has been
awarded TruSecure Certification (see
www.trusecure.com
for more information). This certification
reflects our compliance with an extensive
and continuous security assurance
process and validates the presence
of risk reduction practices.
Physical Security
The CU Online data center is located
out of state and secured by both passcode
and biometric technology. The servers
are further monitored 24 hours a day
by on-site personnel in addition to
automated monitoring and alarm systems.
Dedication
We make significant investments to
upgrade hardware and software on an
ongoing basis to keep up with evolving
trends and advances in security technology.
Email
Generally, we don’t accept unsecure
Internet email from our members. Instead,
we use a secured communication system
within CU Online. Each time you send
a message to us through CU Online,
we create a secure, temporary inbox.
This way we’re not sending any
valuable or personal information out
over the Internet unsecured.
Cookies
A cookie is information stored
in a text file which is temporarily
stored on your computer.
Once the cookie is stored, the site's
web server can retrieve that information
through that browser. For example, when
a person browses through an "online
shopping mall" and adds items
to a "shopping cart", the
browser stores the list of items that
have been added to the cart so that
the user can pay for all of the items
at once when finished shopping.
It's much more efficient for each
browser to keep track of information
like this than to have the web server
remember who bought what, especially
if there are thousands of people using
the web server.
When browsing the web, any cookies
that are sent to a browser are stored
in the computer's memory. When the
browser is closed, any cookies that
haven't expired are written to a cookie
file so they can be reloaded next
time the browser is used.
CU Online uses a different kind of
cookie known as a session cookie,
also called a non-persistent cookie
or a pre-expired cookie. These cookies
are temporary and are never stored
on your computer. As you navigate
through CU Online a pre-expired cookie
is set on the server each time a page
is viewed. Because the HTML page you
are viewing is not "cached"
or stored on your computer, it must
always be re-retrieved from the server.
The pre-expired cookies keep the session alive
until you log out properly or time out of CU Online.
Once this occurs, you must log in with your User
ID and Password to regain access. This ensures
that another person using the same computer cannot
access a previous session.
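The difference between a cookie that is written to the cookie file and one that lives only for the session is visible in the Set-Cookie header the server sends. The following is an added example, not part of the original page and not CU Online's code: it classifies constructed sample headers (the cookie names and values are hypothetical) by lifetime and notes whether the Secure and HttpOnly attributes are present.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values for illustration; not captured
# from CU Online. Cookie names and values are hypothetical.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "cart=item42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "prefs=largetext; Max-Age=2592000; Path=/; Secure",
    "old=gone; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]


def classify(header, now=None):
    """Return (name, lifetime, warnings) for one Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        raise ValueError("not a parseable Set-Cookie value: %r" % header)
    name, morsel = next(iter(jar.items()))

    if morsel["max-age"]:
        # Max-Age takes precedence over Expires when both are present.
        lifetime = "persistent" if int(morsel["max-age"]) > 0 else "expired"
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        lifetime = "persistent" if expires > now else "expired"
    else:
        # No expiry attribute: held in memory and dropped when the
        # browser closes, so it is never written to the cookie file.
        lifetime = "session"

    warnings = []
    if not morsel["secure"]:
        warnings.append("sent over plain http as well (no Secure)")
    if not morsel["httponly"]:
        warnings.append("readable by page scripts (no HttpOnly)")
    return name, lifetime, warnings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, lifetime, warnings = classify(header)
        print(f"{name:10} {lifetime:10} {'; '.join(warnings) or 'ok'}")
```
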
What you should do to protect your information and security
Choosing a password
Choose a password that is not obvious
to you. We strongly recommend that
you do not choose any of the following
for your password:
- Your social security number
- Your name (first or last) or
a family member’s name
- Your address
- Your pet’s name
- Your birth date or that of a
family member
- Phone numbers
For maximum protection, we recommend
that your password be a combination
of both letters and numbers. You can
mix uppercase and lowercase letters.
If your browser or operating system
offers a feature that will “save”
your password, don't use this feature,
because anyone who uses your computer
can access your account.
Use a Current Browser
Make sure you are using the most current
and updated version of a web browser.
As security features are strengthened,
most of the popular software providers
make updates and new versions of their
browser available for free. Having
a current browser will help to ensure
you have the most recent updates and
strongest protection.
To download the most recent version
of your Internet browser, the following
links are provided for your convenience:
http://www.microsoft.com/downloads/search.aspx?displaylang=en&categoryid=6
http://browser.netscape.com/nsb/download/default.jsp
Click
here for a list of the minimum
browser requirements in order to access
CU Online.
Set Browser Security Settings
Most of the popular Internet browsers
have built-in security settings that
you can customize to protect your
PC from viruses, spyware, harmful
cookies, and other threats to your
PC. Keep in mind, however, that the
stricter you make your settings,
the more inconvenient using the web
becomes. For example, cookies must
be enabled to use CU Online because
we use cookies to establish a secure
connection.
Some browsers, including Microsoft’s
Internet Explorer, allow you to create
lists of sites that you know to be
secure. You may find it convenient
to add certain sites to this custom
list to ensure their functionality,
but to set high security settings
for all other sites.
Don’t Open Email Attachments
From Unknown Sources
If you receive an email from an unknown
source, never open any attached file.
Viruses, spyware and other harmful
programs can be delivered through
email attachments. It’s good
practice to delete memos from unfamiliar
sources prior to opening or
previewing them.
Disable any Email Preview
Windows or Panes
Some email programs offer a preview
window or pane that automatically
shows the content of the email. Because
viruses, spyware and other harmful
programs can be delivered to you via
email, this preview can launch the
program (virus, spyware, etc.). It’s
good practice to delete memos from
unfamiliar sources prior to opening
or previewing them.
Use a Current Operating System
Like browsers, many operating systems
are continually updated with new security
enhancements. To download the most
current versions of your operating
system, the following links have been
provided for your convenience.
Install and Update Anti-virus Software
Using virus protection software will
help to keep your PC safe from some
attempts to load destructive programs
– whether it’s being done intentionally
or accidentally. However, simply loading
an anti-virus program is not enough.
You should also enable your anti-virus
software to receive online updates.
As new viruses are detected, many
anti-virus providers update their
system to catch and destroy them in
the future. If you do not update your
anti-virus software, your PC may not
be safe from the most current virus
threats.
Though neither of the following are
specifically endorsed by Arizona Federal,
the following are popular providers
of anti-virus software:
Install and Update Anti-Spyware
Software
There are many different types of
spyware that may have found their
way onto your PC. They range widely
in danger and significance, from
causing slight performance
problems to being used to record
and transmit all keystroke activity
(including the passwords you enter)
from your PC to someone else.
Install a Firewall
A firewall is software that acts as
a guard or barrier between a PC and
the rest of the world. Properly used,
a firewall scrutinizes and filters
information that attempts to pass
through it. Only information and files
that are permitted are allowed to
pass to the PC. Those that are not
are turned away and not successfully
passed through to the PC. If you have
an Internet connection (especially
a cable, DSL or any other high speed
solution) and no firewall, you are
making your PC available to others
to use via the Internet. Some firewalls
also help to fight or limit viruses,
spyware and spam.
Contact Your Internet Service
Provider (ISP)
Many ISPs have built-in security features
which may include anti-virus software,
firewalls or other features. You should
contact them to determine what (if
anything) they are doing to help protect
you when you use their Internet service.
You can then create a strategy that
complements what they already have
in place. If they have nothing in
place, you may want to consider alternate
providers.
Don’t Respond to Requests
for Information
Arizona Federal will never ask you
to supply us with personal or account
information, unless responding to
your specific request—and only
through our secure communication system
within CU Online. We will never email
you to request that you “update
your security information” or
anything of the sort.
Do not respond to any attempts by
email or pop-up ad to “verify”
your information for anyone. These
are attempts by criminals to collect
information for fraudulent use.
For more information about these
attempts, otherwise known as “phishing,”
please click
here.
Don’t Participate in
Free Contests and Giveaways
Many of these “contests”
are illegitimate and are meant to
coax you into installing
spyware or other harmful files onto
your PC. There are obviously legitimate
contests and giveaways as well. A
best practice would be to make sure
the company offering the prize is
legitimate and one that you are familiar
with. You should also consider whether
or not you had to go to their site
to see the opportunity or if it was
sent to you by email or pop-up window
unsolicited. The aggressiveness
of the campaign may have an inverse
correlation to its legitimacy: the
stronger the push, the more likely
it’s fraudulent.
Install a Pop-Up Blocker
Installing pop-up blocker software
will reduce the number of illegitimate
games, contests or other hoaxes presented
to you.
Most Common Security Threats & How to Defend Yourself
Spyware
There are a few basic types of spyware:
Advertiser software (Adware), Web
Bugs, Proxy Adware, Stand-Alone Commercial
Computer Monitoring/Surveillance software
and Trojans.
Adware
Businesses will pay to learn your
purchasing habits, preferences, household
income, family composition and other
demographics to better target their
advertising to you. For example, if
a marketing firm thinks you are an
avid hiker, they will flood you with
pop-up ads selling everything from
boots to backpacks. These companies
devise schemes to get you to install
their software by offering a free
game or other ‘entertainment’
type product.
Web Bugs
Web Bugs are a form of adware that
can track what you’re doing
online, return that
information to a third party, and
allow them to pop up ads or just monitor
you for demographic purposes. While these
forms of spyware are intrusive, they
usually do not collect any personally
identifiable information, just demographics.
These spyware programs load executable
programs and take up resources running
in your computer and can, usually
by accident or poor design, interfere
with your own programs or operating
system causing unforeseen, unexplained
crashes or abnormal behavior. The
most often seen effect of adware is
a general slow-down of your PC as
more and more resources are diverted
to the spyware programs and fewer
resources are available for your own
use.
Proxy Adware
There is a new form of adware commonly
known as “proxy” adware.
This type of software is again installed
along with another program the user
deems useful but, instead of just
collecting demographic information,
this software has the potential to
collect absolutely all user information
no matter how private.
Proxy adware works by getting the
user to agree to allow all inbound
and outbound traffic from their PC
to be re-routed through a marketer’s
servers. This is done by the addition
of a small software program on the
user’s PC. What this means is that
all information sent by the user, to
any other person at any time, is
captured by the marketer’s servers.
This also applies to SSL encrypted
transactions containing sensitive
information such as online banking
user IDs and PINs. This works because
the marketer is actually a man-in-the-middle
who gets the encrypted transmission
from the user, is able to decrypt it
because he is an authorized proxy, and
then re-encrypts it and sends it on to
its intended destination as the user.
This is an incredibly intrusive form
of adware. Many users are actually
unaware of the
implications of its use either because
they did not read the End User License
Agreement
(EULA) when installing the software
or were not technically knowledgeable
enough to
understand the full ramifications
of the Agreement.
Commercial Spyware
This software is sold for use by employers,
employees, spouses, private investigators,
identity thieves and others for one
purpose: to record everything you
do on your
computer ... silently. These include
URL recorders, keyloggers, chat monitors,
screen
recorders, program loggers and more.
While it may have legitimate uses
such as
monitoring your child’s Internet
access or ensuring that employees
do not access
inappropriate websites on company
time, it can be easily abused by unscrupulous
people.
Trojans and other malware
The last type of spyware is broadly
lumped into the category called a
“trojan,” which was named
after the infamous Trojan Horse. This
type of software is most commonly
used to deliver worms, viruses and
other forms of ‘malware’
to PCs. The worst type is called a
“RAT,” or Remote Access
Tool. This tool enables an attacker
to have complete control of your PC.
How Does Spyware get into
Your PC?
Adware is often installed along with
another program that the user considers
useful.
Trojan spyware is most often installed
either by a malicious prankster or
a criminal.
Certain types of trojans exist solely
to gather personal information, such
as online
banking user IDs and PINs, which enables
the perpetrator to commit identity
theft. As the name implies, trojan
software gets installed by the user’s
own action or, in some
instances inaction. In some cases
a user clicks a link in an email and
either runs an
executable attachment or links to
a website program that downloads and
executes a
program. In some cases just visiting
a malicious website and viewing a
page is enough
to silently download and execute a
spyware program.
Software ‘trading’ with
friends can also mean an Internet
spyware program could be
hidden in the traded software. This
also applies to music files, MP3s
and so forth. Even
graphics are not immune. There is
an exploit that allows certain picture
files to become
infected with malware and be able
to propagate on a vulnerable PC. As
to Stand-Alone Commercial Computer
Monitoring/Surveillance software,
this software/hardware is most usually
installed by a trusted person who
has physical access to your computer.
What Can Happen if Spyware
is on Your PC
While most forms of adware are intrusive,
trojans are even worse. Many trojans
contain RATs. There are three main
reasons why these trojans exist.
The first is the prankster or ‘script-kiddie’.
These perpetrators aren’t really
hackers; they’re usually much
less technically astute. They manage
to get a copy of an existing malware
program and modify it to some extent
to avoid detection by anti-virus scanners.
Some do this for a joke, some to get
bragging rights with their friends,
some to see how many PCs they can
‘own.’ If their malware
contains a RAT they may enter your
machine, copy software and/or cause
intentional or accidental damage.
These people usually aren’t
looking for any personal information.
The next use of trojans is by spammers.
Spammers are slowly being squeezed
by international law and are finding
it harder and harder to get ISPs to
host their activities. They have turned
to the method of creating ‘zombies.’
A zombie is a PC that has been infected
with, and is now controlled by, a
RAT. The zombie PC is used to send
bulk spam email for the spammer. By
infecting thousands of home and business
PCs the spammer can use them like
throwaway, disposable mail generators.
He can send millions of emails in
a single night using someone else’s
bandwidth and good name. The ISPs
that get this flood of spam often
block the sending machines and even
get the person’s account at
their ISP terminated.
The last, and most dangerous, use
of malware is identity theft. There
are a number of trojans that are created
specifically to harvest online banking
user IDs and PINs, credit card numbers
and other financial information. Many
of these also install RATs as well.
Some of these RATs will make contact
through your firewall to a pre-defined
Internet Relay Chat (IRC) channel
and then accept commands from the
owner. At this point the criminal
can run software on your PC, upload
or download files, and actually perform
almost any action that you could perform
by sitting at the keyboard.
Phishing
In a phishing (pronounced “fishing”)
scam, an email is drafted to appear
to be from a financial institution
or other trusted service provider.
It is intended to look as close to
being "official" as possible,
usually incorporating the logo, etc.
from the company, and in many cases
including some of the same photos
found on the company’s web site.
A phishing email typically explains
that due to some type of identity
theft attempt, it is important that
customers/members now log in (using
a link provided) and provide information
to confirm their account ownership.
It is usually further accompanied
by a threat that they may lose access
to their account if they do not respond
soon.
The link, while it may look official and genuine,
is anything but. By clicking on the link, the
recipient is taken to a phony web site which is
also created to look as close to the company’s
site as possible, with a phony login button. Once
an account number and password are entered, they
are now captured into a database behind the scenes
(for future fraudulent use). Further, the next
page will ask the victim to confirm their credit
or check card number, expiration date, CVV code,
ATM PIN, etc. - everything that a crook would
need to make a counterfeit card. Believe it or
not, thousands of people fall for these.
Arizona Federal will never
send you an unsolicited email asking you to verify
an account number, card number, PIN, or other
sensitive information.
Arizona Federal works with Cyveillance
Anti-Phishing™ to quickly identify and
shut down online scams.
Be suspicious of unsolicited email that you do
receive from other companies. Phishing emails
usually have some sort of threat of consequence
(e.g., “act now or else…”) to
encourage victims to act quickly and without thinking
through their actions. They often also contain
spelling and/or grammar errors as many originate
in foreign countries. They will also request that
you provide sensitive account information, including
password, account number, PIN, etc. If you’re
ever suspicious of an email you’ve received
from a company you do business with, call them
– using a number provided on your monthly
statement or from a public source (commercial,
etc.).
If you do receive a phishing attempt by email,
do not follow the instructions
or provide your account information. Instead,
forward the email to the Federal Trade Commission
at spam@uce.gov. Or, you can
report it by phone by calling 877.IDTHEFT
(877-438-4338). Most of these sites are
shut down within days, but that may be all it
takes to gather a few thousand credit card numbers.
If you receive an attempt that is impersonating
Arizona Federal, please forward it to reportfraud@arizonafederal.org
so that we can act quickly to take their site
down. Please include the phrase "report fraud"
in the subject line. You may also contact us at
602-683-1088 if you ever receive
anything from us online that you are suspicious
of.
Additional Resources
For additional information about online security and protecting yourself from Internet fraud, please visit www.onguardonline.gov.