Secure your accounts
- Multi-Factor Authentication (MFA): Enable multi-factor authentication on every account that supports it. Multi-factor authentication requires two or more different forms of authentication: something you know (password) and something you have (token) or something you are (fingerprint).
- Creative Passwords: Password strength is directly related to the length of the password. Try using different passwords for each login, or different passwords for banking than for social media.
- Alerts: Setting up account alerts to show new logins, password changes, or account changes is a great way to help monitor for account takeover.
- Masked Account Numbers: Only the last four digits of your account number(s) will be printed on bank statements and notices. For example: Account number: xxxx xxxx xxxx 1503
Secure your devices
- Patching and Updating: Enable automatic updates for all of your devices. You should always run the latest versions of software on your computer (Mac or Windows), your mobile devices (iPhone or Android), and the software or apps installed on those devices.
- Passcodes, Passwords, and Biometrics: Always use a password, passcode, or biometrics (fingerprint or facial recognition) on all of your devices, including your phone and computer.
- Reputable Software: Always download software from reputable sources: Apple App Store, Google Play, or Windows Store.
- Security Software: It is a good idea to run anti-virus software on all of your devices. Configuring firewalls, spam filters, and privacy protections is also good practice on all of your devices.
- Disable features: When not actively in use, disable features such as Bluetooth, Wi-Fi, and web cameras. Set Bluetooth-enabled devices to non-discoverable when Bluetooth is enabled.
Safety Tips for Cards and ATMs
- PINs are like passwords: commit them to memory and never share them
- Always shield your PIN from view when entering it
- Always be aware of your surroundings
- Look for signs of ATM tampering:
Before using an ATM or point-of-sale terminal, try wiggling the keypad or card slot. If anything seems loose, don't use the device. Also look for keypads that appear raised or have an unusual color. A thief could have placed an overlay on the keypad to record the personal identification number you punch in. Some gas pumps have security tape that forms a seal around the card reader. If the seal is broken, that could be a sign that the reader has been compromised.
To learn more about information security, visit any of the following websites:
- SecurityPlanner.org: Answer a few simple questions to get a personalized online safety recommendation.
- Video about reporting internet crime
- Lost or stolen debit/credit card info
Spot and Stop Fraud
Website spoofing is the act of creating a fake website to mislead individuals into sharing sensitive information. Spoofed websites are typically created to look exactly like a legitimate website published by a trusted organization.
- Pay attention to the web address (URL) of websites. A website may look legitimate, but the URL may have a variation in spelling or use a different domain.
- If you are suspicious of a website, close it and contact the company directly.
- Do not click links on social media sites, pop-up windows, or non-trusted websites.
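The URL check described above can be automated in a mail filter or browser helper. The following is an added example, not code from the bank or the original page; `examplebank.com`, the `TRUSTED` list and the result labels are hypothetical, and the edit-distance threshold is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical allow list of the domains the user really does business with.
TRUSTED = ("examplebank.com",)

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED, max_typos=2):
    """Classify a link by its hostname only; page content is never fetched."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in trusted:
        return "trusted"
    # Look-alike letters from other alphabets, or their punycode form.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "non-ascii"
    for good in trusted:
        if edit_distance(host, good) <= max_typos:
            return "spelling-variation"      # e.g. a digit 1 in place of the letter l
        if good.split(".")[0] in host:
            return "different-domain"        # brand name placed under another domain
    return "unknown"

# Constructed sample links, not taken from any real campaign.
SAMPLES = [
    "https://www.examplebank.com/login",
    "https://examp1ebank.com/login",
    "https://examplebank.com.login-verify.example/account",
    "https://ex\u0430mplebank.com/",         # Cyrillic "a" in the hostname
    "https://news.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_url(link):20} {link!r}")
```

Anything other than "trusted" means the link should not be followed; go to the site through a bookmark or by typing the address instead.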
Phishing is when an attacker attempts to acquire information by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are typically carried out through email, instant messaging, telephone calls, social media, and text messages (SMS).
- Delete email and text messages that ask you to confirm or provide sensitive information. Legitimate companies don’t ask for sensitive information through email or text messages.
- Beware of messages sent through social media.
- Beware of visiting website addresses sent to you in an unsolicited message.
- Even if you feel the message is legitimate, type web addresses into your browser or use bookmarks instead of clicking links contained in messages.
- Try to independently verify any details given in the message directly with the company.
How Credential Stuffing Threatens Your Online Accounts
Major data breaches at brand name companies, such as Sony, Yahoo, and JP Morgan, have siphoned off billions of login credentials (the usernames and passwords people use every day to access their online accounts). So, what happens to all those credentials, and how vulnerable are any of us to possible identity theft or account takeovers? Chances are those credentials have found their way into the underground economy, where cybercriminals buy them in bulk. They then use them in massive “credential stuffing” campaigns, which are a direct threat to anyone with online accounts.
What is Credential Stuffing?
Credential stuffing is an automated process that cybercriminals use to test stolen login credentials and gain fraudulent access to user accounts. With lists of credentials numbering in the millions, the automated attacks on targeted websites are massive. The expectation is that a small percentage will penetrate the target and gain access to users’ accounts. Using automated tools, hackers can bombard a website with thousands of credentials and make them appear as legitimate logins.
From there, the hackers can pillage the user’s account to drain balances or steal sensitive information. The attacks are most harmful when a large number of people reuse the same password across multiple websites.
Successful credential stuffing doesn’t require any special skills or knowledge, just a few hundred dollars to buy the right tools, which is why it is so prevalent. Over 17 months from November 2017 to March 2019, more than 55 billion credential attacks were detected across dozens of industries, including retail, gaming and media streaming. Because the technique is so widespread and easy to execute, anyone who logs onto an online account is vulnerable.
How to Defend Against Credential Stuffing Attacks
Companies are the front line of defense against credential stuffing attacks, working with security experts to detect and counter attacks. However, even as companies improve their defenses, credential stuffing attacks are likely to grow in number and intensity. The most vulnerable among us are those who fail to practice “password hygiene”. Weak passwords should always be avoided, but reused passwords are the biggest enablers of credential stuffing attacks. Utilizing password manager software to generate unique and complex passwords for each online account you have makes it much more difficult for hackers to lift your credentials.
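On the company side, the pattern described above (many different usernames tried, only a small percentage succeeding) is what login monitoring looks for. The following is an added example, not code from the original page or any bank; the event format, sample data and thresholds are constructed assumptions, and it covers only the simplest case of a single source address.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    # One source trying 50 different accounts; only 2 of the logins work.
    [("203.0.113.7", f"user{i}", i % 25 == 0) for i in range(50)]
    # One customer mistyping a password twice before getting it right.
    + [("198.51.100.4", "alice", False),
       ("198.51.100.4", "alice", False),
       ("198.51.100.4", "alice", True)]
    # Two people in one household logging in normally.
    + [("192.0.2.10", "bob", True), ("192.0.2.10", "carol", True)]
)

def find_stuffing_sources(events, min_users=20, max_success_rate=0.10):
    """Flag sources that try many distinct usernames with few successes.

    The thresholds are illustrative assumptions, not recommended values.
    """
    tried = defaultdict(set)      # ip -> usernames attempted
    worked = defaultdict(set)     # ip -> usernames with a successful login
    attempts = defaultdict(int)   # ip -> total login attempts
    for ip, user, ok in events:
        tried[ip].add(user)
        attempts[ip] += 1
        if ok:
            worked[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        rate = len(worked[ip]) / len(users)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": attempts[ip],
                "success_rate": rate,
                # These accounts accepted a reused password and need a reset.
                "accounts_to_protect": sorted(worked[ip]),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, stats)
```

The accounts listed under `accounts_to_protect` are the ones where a reused password worked, which is why a unique password per site stops the attack for that user.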
Report Fraudulent or Suspicious Activity
Contact us immediately if you suspect you have fallen victim to a social engineering attack and have disclosed information concerning your Alpine Bank accounts.
Regularly monitoring your account activity is a good way to detect fraudulent activity. If you notice unauthorized transactions in your account, notify Alpine Bank immediately.