Author: Kai Xu

07 Mar 2019
Cell Phone Porting - Don’t Fall Victim to Phone Number Fraud

Cell Phone Porting – Don’t Fall Victim to Phone Number Fraud

Cell Phone Porting - Don’t Fall Victim to Phone Number Fraud

Increasingly, consumers are sharing their mobile phone numbers to retrieve and change lost passwords, set up new accounts, verify identity, and even for something as simple as securing a dinner reservation. Mobile phone text-based verification has proven extremely convenient but imagine if someone else had access to all of those text messages delivering secret codes required to verify our identities.

While not new, cell phone porting has recently gained traction as yet another way for scammers to hack into your systems, including bank accounts. The most alarming part of this scam is that it can allow hackers to get past added security measures on personal and financial accounts and logins by intercepting the one-time password that many companies send via text message to the mobile device to perform two-factor authentication.

How Does Porting Work?

Once a scammer has your name and phone number, they will attempt to gather personal information such as address, social security number, date of birth, etc. that can be used to impersonate you. Once obtained, they then contact your mobile provider, claim to be you, report your phone as stolen or lost and then request the number be “ported” with another provider and device. Surprisingly (and unfortunately), mobile carriers often grant this request and forgo formal verification procedures.

All calls and texts are then forwarded to the new device and the original phone – your phone — is shut off. Once in control of the mobile number, thieves can request second factor authentication be sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud. This enables them to access accounts that require additional security authorization such as email, financial accounts, medical records, social networks – anything you might need to access with a password!

You may not know you are a victim of porting until your phone has lost service and you no longer can access important accounts since the hackers have changed passwords. A phone might also switch to “Emergency Calls Only” status, which is what happens when a phone number has been transferred to another phone.

Download the PDFThe 2019 IT Outlook for Community Banking Get a Copy

There are several steps you can take to protect yourself from falling victim to porting scams:

Contact your Wireless Provider About Port-out Authorization

Most major wireless providers offer an extra layer of security that customers can request, like a unique PIN or verification code, that only you have. This code or PIN must be provided before any changes can be made to your account.

Use Two Phone Numbers

Have two different phone numbers that you use in different ways. Have one number that you give out freely and another one that you never give out and use only as a backup verification tool. You can do this using a free online service, eliminating the need for an additional costly phone plan. Do not share this number with anyone – if it is shared just once it is considered public information! You can’t trust that the other person’s phone is secure or that they won’t share it.

Utilize Apps for Verification

Whenever there is the option, choose the app-based alternative for authentications. Many companies now support third-party authentication apps which can act as powerful two-factor authentication alternatives that are not nearly as easy for thieves to intercept.

In addition to these precautions, be vigilant about communications you receive and watch for alert messages from financial institutions, and texts in response to two-factor authorization requests, especially if you did not initiate the request. Also, if your phone switches to “Emergency Calls Only” mode, it is a sign the number has been compromised. If you do find yourself a victim of this type of scam, contact your mobile provider and financial institutions immediately.

The rise of porting attacks serves as a warning that we not only need to keep our emails secure, but we also need to keep our phone numbers more secure. To protect yourself, consider alternative forms of authentication other than a text message.

18 Oct 2017
Targeting Employees - How to Prevent Phishing

Targeting Employees: How to Prevent Phishing Scams & Keep Your Financial Institution’s Data Secure

Targeting Employees - How to Prevent Phishing

Cyber-attacks are becoming more sophisticated as cyber criminals find alternative ways to target financial institutions and their data. Most recently, there has been an increase in phishing scams that specifically target bank employees, attempting to obtain sensitive information such as usernames and passwords. The ultimate goal is to trick bank employees into clicking on links or opening attachments that redirect them to fake websites where they are encouraged to share login credentials and other personal information.

With access to your employees email accounts, cyber criminals have the ability to read your bank’s critical information, send emails on your employees’ behalf, hack into the employee’s bank and social media accounts, and gain access to internal documents and customer financial information. This can result in both financial and reputational risks for the institution and its employees.

To help protect your institution’s data, here are two key ways to prevent phishing scams and increase security for your community bank or credit union:

  1. Employee Training is the Number One Priority
  2. Without proper training, it is very easy for employees to fall victim to a variety of email phishing scams. Financial institutions must have a policy of on-going testing and training to ensure employees understand security procedures and are equipped to identify phishing emails and other security threats. It is also important to establish a security culture within your organization to ensure that all employees recognize that they have a personal responsibility to safeguard against breaches.


    Community banks and credit unions can also leverage an outside security company to conduct security training and checks to verify how employees interact with suspicious emails. This allows network administrators to look at different levels of risk based on whether an employee ignored the email, opened the email, or clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.

  3. Stop Email Phishing Attacks with Multifactor Authentication
  4. A proven way to protect your bank’s network is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.

    While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process include:

    • Something the user knows, like a password or PIN;
    • Something the user possesses, like a smart card, token or mobile phone; and
    • Something the user is (i.e., biometrics), such as a fingerprint or retina scan.

Many of our customers rely on Safe Systems SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When an employee tries to login to their email account, they would first type in their username and password. Then, as a second factor, they would use a mobile authentication app, which will generate a code or PIN to enter on the screen and would then be given access to the account. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts even if a password or security answer is stolen.

To combat today’s cyber threats, financial institutions must stay up to date on the latest phishing strategies and verify that the security policies and solutions in place can reduce potential threats. It is also vitally important that employees understand the types of attacks they may face, the risks, and how to address them. Implementing a combination of employee training and multifactor authentication strengthens your institution’s security strategy and can make the difference when (not if) cybercriminals attempt to hack into your employee accounts.

White Paper Download
Read the Guide

14 Jun 2017
Stay Ahead of the Curve! Windows 10 Updates Your Institution Needs to Know

Stay Ahead of the Curve! Windows 10 Updates Your Institution Needs to Know

Stay Ahead of the Curve! Windows 10 Updates Your Institution Needs to Know

Many financial institutions have just recently converted to Windows® 10, the latest operating system from Microsoft™ that was released July 29, 2015. Unlike previous versions of Windows, Windows 10 receives ongoing updates from Microsoft through a staggered update process that involves build numbers (Branch Releases) and regular build update (Branch Release) intervals to sustain the security of its signature product. These updates increase the build number and should be treated as a new operating system install, meaning that, as the build numbers increase, Microsoft will stop supporting older build numbers of Windows 10. To put this in context, the initial Windows 10 Release Build Number was 1507 and Microsoft is now releasing build 1703.

Knowing key dates in a product’s lifecycle helps organizations make informed decisions about when to upgrade or make other changes to software. Microsoft ended support in May 2017 for build number 1507, which means it no longer provides automatic fixes, updates, or online technical assistance for this version. Without Microsoft support, financial institutions will no longer receive important security updates that can help protect PCs from harmful viruses, spyware, and other malicious software that can steal information and infect networks. Because of this, we recommend systems be upgraded before they reach their end of life whenever possible.

To better understand the Microsoft upgrade schedule, here is a chart from Juriba that outlines the Windows 10 Branching Release Updates and End of Life Support Timeline:

Windows 10 Timeline

Technical Issues with New Releases


While a steady stream of build releases are great for resolving major issues and do provide a continuous flow of new features, the problem is that they pose a huge burden for in-house system administrators and IT professionals. These individuals are left deploying an often-insurmountable series of new builds and updates to machines both locally and remotely. While the updates are designed to increase security and address bugs in the system, they can be quite large and cumbersome to install. These large downloads have resulted in hung downloads, hung installations, download delays, and more. Microsoft addressed this issue by releasing the Universal Update Platform (UUP), designed to reduce download size for build updates. Recently, however, the ability to capture the UUP download files and convert them into an ISO was not working correctly. There is also the risk of data loss as some applications have proven to have compatibility challenges. Certain updates have also proven to kick machines off the domain and network servers and cancel out anti-virus and malware programs.

Staggered Update Plan

To help alleviate these issues and make the update process more seamless, we recommend implementing a staggered update plan. This approach helps reduce risk and minimize negative effects on productivity by not affecting an entire department or service. For example, implement the update on one or two teller machines, leaving a few untouched as to not affect the entire teller operation. This approach also gives you time to make improvements as needed and test for security issues while enabling the financial institution to operate its teller department.

Enlisting a Trusted Advisor

It is best for financial institutions to keep up with the latest technology, especially when it comes to keeping systems protected from malware and viruses that could lead to the equivalent of a virtual, modern day heist. As a trusted advisor exclusively serving financial institutions, Safe Systems is available to help along every step of the way. We have worked with more than 600 financial institutions and monitor more than 20,000 devices, and we understand the many considerations that go into providing secure, reliable IT. Safe Systems’ experts work directly with your team to better understand and tailor a solution specific to your needs. Please reach out to Safe Systems if you need assistance with your Windows 10 upgrade.




Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



Dispelling 5 IT Outsourcing Myths within Financial Institutions



Take the guesswork out of WAN communications by attending our webinar on Thursday, June 15th

Webinar:
Designing Your Credit Union’s WAN for
Network Availability and Business Continuity

Thursday, June 15th, 2–3 pm EST

Register Now

01 Feb 2017
Evolution of IT

The Value of Evolution for IT Administrators

Evolution of IT

Community banks continue to embrace technology and remain committed to investing in new technologies and services this year. In fact, according to the 2017 Community Bank Information Technology Outlook Study, a survey conducted by Safe Systems in the fourth quarter of 2016, nearly 77% of respondents claim they are spending more on technology today than they have in the past. The challenge however, often lies in trying to keep pace with the rapid rate of change that is influencing and impacting the banking industry.

It seems that the one constant in our industry is continuous change as new systems, new hardware and new techniques are being developed to improve uptime, increase efficiency, control costs, assist with compliance issues, and generally help banks run more smoothly. This rate of change pushes virtually every institution to regularly perform system upgrades and technology modifications to improve its IT environment. According to the survey, the driving factor for change among community banks is business strategy, with 28% of survey respondents naming this as their primary reason for investigating new resources or services to enhance their institution. However, rather than making large, wholesale changes that can deplete valuable HR energy and resources, IT administrators stand to benefit more by making targeted, incremental improvements to support their bank’s overall IT strategy.


White Paper Download

2018 Community Bank Information
Technology Outlook

Primary Research and Analysis of Your IT Priorities
in 2018
White Paper Download

Slow and Steady Wins The Race

The IT industry is built on innovation that fuels revolutionary change. Perhaps the most notable example, Apple®, essentially redefined consumer electronics starting with the Macintosh®, then the MacBook®, the iPod®, the iPhone®, the iPad ® and the Apple Watch®, each building on the other, usually attracting lines around the block of consumers turned brand evangelists.

While technological evolution can yield incredible results, it can also be extremely hard on financial institutions by forcing them to change their entire network or IT plan to accommodate a new innovation. This is particularly relevant for small community banks with limited resources. Additionally, charting the future path of innovation can be an unreliable and unpredictable undertaking. Are you going to innovate this year, next year or in three years? It is very hard to manage and predict. On the other hand, by making smart, incremental changes, it enables the bank to set manageable goals and actually see those goals and improvements come to fruition more rapidly.

Evolutionary Change to Save Time and Improve Efficiency

One proven example of an evolutionary change is automated patch management, software updates designed to fix known vulnerabilities or security weaknesses in applications and operating systems. All software applications require updates from vendors, including third-party software programs such as Microsoft®, Adobe®, Adobe Reader®, Adobe Flash®, Chrome ™, and QuickTime®. Too often, though, IT professionals are relying on a manual process, requiring staff to update each machine and workstation individually. This also requires them to stay abreast of all changes essentially in real-time, which is unfeasible. Increasingly, banks are automating this process, which delivers quick, accurate, and secure patch updates to all workstations and servers and mitigates the multiple risks associated with running unpatched programs. The time the IT department saves on managing patch management enables them to instead focus on more profit-generating activities for the financial institution.

Making Evolution Part of your Company Culture

IT Admin with LaptopBanks should make continual service improvement a key part of their overall corporate culture. These changes can be identified by a single resource or through a committee focusing on operational improvement. Allocating time and resources to focus on the right aspects of new technology and process improvement is key as even the smallest incremental changes can have the ability to provide a significant positive impact.

For more information please download our complimentary white paper, 2017 Community Bank Information Technology Outlook.

24 Feb 2016

9 Things To Do as a New IT Administrator in the First 30 Days – Part 3

We’ve reached the final installment in our “New Bank IT Administrator” blog series. After reviewing vendors, ensuring security and creating a solid disaster recovery program, it’s important for a new bank IT administrator to become extremely familiar with your bank’s processes and team. The final three steps will help communications and create a smooth and seamless transition for new bank IT administrators.

7. Examine the Network Infrastructure of Your Bank’s Branches

Determine how information comes and goes to ensure your portals and locations are all equally protected. For example, you might have two branches that share the Internet that comes directly from one of the branches. When you perform the audit you might discover that the firewall is not working the way it is designed to, creating a significant security hole. It is important to take the time to ensure all network systems and hardware are working correctly and that everything is secure within all branches. This process can also uncover policies that should be revised or updated, giving you the chance to provide the bank instant value.

8. Review Previous Exams at Your Bank

Become familiar with anything brought up within an IT exam that needs to be fixed or reviewed. Make sure you are able to put a plan in place to immediately address these issues as you will ultimately be responsible for the next audit.

9. Work Closely with Your ISO and CTO in the First Five Days

Have a list of questions and points to go over with your information security officer and CTO during your initial meetings. This will help uncover previous pain points the bank has been experiencing, objectives moving forward and expectations for your role. This will also set priorities in place for the next 30 days to a year and will ensure the entire team is on the same page.

In addition to the meeting with your bank’s technical management team, you should also set up meetings with key vendors, which might include, the core vendor, loan origination software vendors, backup solutions vendor, security provider, the IT managed services provider and the hosted email vendor.

By following these important steps, a community bank’s new IT administrator should have all the tools he/she needs to succeed. Taking inventories of hardware/software, reviewing vendors, double checking security measures and creating solid relationships are all important measures to ensure both the IT administrator and the bank thrive.

Download this 3-Part Series for Later

17 Feb 2016

9 Things To Do as a New IT Administrator in the First 30 Days — Part Two

In our last blog, we explained the first three tasks that should be accomplished as a new community bank IT administrator. The IT administrator wears many hats and plays multiple roles within a community bank. After taking hardware, software and vendor inventories, the next three steps are important to ensure the financial institution is secure and successful.

4. Determine Most Recent Dates of Hardware and Software Vendor Audits

In addition to simply completing a vendor audit, it is also important to vet vendors or at least identify the last time vendors were audited. If they haven’t been reviewed in a while, they should be, as IT admins need to ensure updated information on all aspects of the relationship and that the vendor is in compliance with all recent Federal vendor management guidelines.

5. Determine and Test the Backup Schedule

Every bank has to perform backups. The IT admin should familiarize themselves with the software used to perform backups. Are the backups being done on schedule, are the backups up to date, and when was the last time a successful restore was performed. Along those same lines, determine if the backup is done on-site, off-site or in the cloud and are the backups being encrypted with the correct cipher strength. Are the backups being done in-house or is it outsourced? It is very important to make sure backups are being done regularly. The schedule should be evaluated closely to make sure it aligns with the most recent disaster recovery plan. If they are not aligned, the schedule should be adjusted.

One of the main tasks associated with the administrative side of the IT administrator’s job is making sure you become familiar with the disaster recovery plan and ensuring it is up to date with any updated regulatory requirements. If the plan was last updated four or five years ago, you will need to redo it to meet new Federal requirements. This is usually done by a committee that consists of the information security officer and CTO. You should work closely with the information security officer to go through policies and procedures and to make sure everything is documented to remain in compliance with current regulatory guidelines.

6. Run a Security Audit and Ensure Previous IT Administrator’s Access to Systems is Disabled

There are also some steps you should take to transition from the prior IT administrator. This starts with making a list of all user names and passwords and disabling the previous administrator’s accounts. As the new IT administrator, you should run a new security audit. You need to be fully aware of what the previous administrator did so you can be familiar with the security processes and correct anything that was not done to standards.

This audit includes making sure passwords are changed, and the previous administrator’s access is terminated and accounts are disabled. If an administrator had remote access, you need to ensure this access is taken away or denied. Another area to examine is the use of programs such as Dropbox, often times used to store information so that it can be accessed remotely. When the administrator leaves the bank, this access to information must be eliminated.

Once you create hardware, software and vendor inventories, the bank IT administrator should have the capabilities to take the next three steps in ensuring your community bank is secure. Reviewing vendors, evaluating backups and security and auditing security operations are all important steps that should be performed within the first month of a new IT administrator. In our next blog, we will explore the final three steps in extending your review of your bank’s IT operations.

Download this 3-Part Series for Later

10 Feb 2016

9 Things To Do as a New IT Administrator in the First 30 Days — Part One

Starting a new job is always a challenge, but stepping into the role of a community bank IT administrator can be especially daunting. Oftentimes, the IT administrator is overwhelmed and at a loss as to where to start, given the demands of the position. After all, the health of a bank’s IT assets is every bit as valuable as the money in the vault!

The IT administrator position must support two distinct roles. The position serves as the technical resource as well as an administrative resource. Primarily, they are the IT resource for servers, workstations, networks, software and other technical aspects of the bank. Additionally, the IT administrator must work with the CTO and ISO in an administrative capacity to help with IT audits, regulatory examinations and providing senior management with information about the bank’s IT infrastructure.

 
Today, we’ll explore the first three things a new IT administrator should accomplish for a successful initial week on the job:

1. Create an Inventory of All Hardware

The IT administrator should immediately familiarize themselves with the equipment used in the bank. Identify your servers and their roles, tally your workstations (production and any spares), examine the networking equipment in use and continue this process for printers and other peripherals until you have created a thorough inventory of all equipment you have in-house. With your inventory results in-hand, check on warranty status for all your key equipment; warranty coverage can be invaluable in case of hardware failure or if you need customer support. Be sure to include serial numbers and warranty expiration dates for every device in your master inventory.

2. Audit All of the Software in Use

What operating systems and versions are you running? What software do you use for your teller stations, for loan operations and/or ATM management functions? Don’t forget about common third party software such as MS Word, MS Excel and Adobe Acrobat. Next, determine if all software is still being supported by the vendor, and make note of the support contact for each software system or application. Finally, investigate the support end of life date for the current software systems in place. This last step will significantly help come budget season by giving you a good idea of what should be replaced in the coming year.

3. Compile an Updated List of Vendors

After the hardware and software audits are complete, begin looking at the vendors your bank uses. For regulatory compliance purposes, your institution should have a thorough vendor management program. You may be able to work with the ISO to obtain the existing list of vendors, but your fresh start with the company is a great chance to take a fresh look at the list. This should include original manufacturers, third party resellers and service providers. Vendors should be identified for both hardware and software. For example, if you use Cisco network routers, did you purchase these from Cisco or are you leasing devices from a third party reseller? Create a comprehensive vendor list of who you will contact for support during both normal business hours as well as any emergency contacts for afterhours emergencies. Your final document should have a list of all vendors and primary contacts for each specific service provided.

These three steps set the foundation for the next steps required in keeping your community bank running smoothly while transitioning to a new IT administrator. While this sounds like a large amount of work, an IT administrator does not have to do it all alone. Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal IT resources. The right IT solution provider can serve as a true partner and work alongside current IT staff to help manage the network and streamline technology processes. When the IT staff has turnover or is simply unavailable, outsourcing select IT business processes helps fill the personnel gap and provide added support resources and peace of mind to all.

 

Read Part 2  Read Part 3

Download this 3-Part Series for Later