P2P File-Sharing Risks

Reprinted from the Federal Trade Commission Consumer Information Website

Install Reputable Security Software

Some file-sharing programs may hide malware or let malware onto your computer. That could allow criminals to monitor or control your computer activity. Before you use any file-sharing program:

• install a reputable security program that includes anti-virus and anti-spyware protection
• set your security software and operating system to update automatically
• delete files the security program flags as problematic
• back up files that you’d want to keep if your computer crashes; store them on CDs, DVDs, or external drives, or use an online service

Before you open or play any downloaded files, use your security software to scan them.

If a P2P program asks you to disable or change the settings of your firewall, you might want to reconsider installing it. Disabling or changing the settings could weaken your computer’s security.

If you believe you’ve downloaded malware, take steps to remove it.

Limit What You Share and How Often

Know what folders you are sharing.
Install P2P programs carefully, and understand exactly which folders will be made public. These programs are designed to share files, and once they’re installed on your computer, they may share files, folders, and subfolders you never intended to share.

For example, a careless setting on the “shared” folder could expose information on your hard drive – like your tax returns, email messages, medical records, photos, or other personal documents. Don’t save any personal information, files or subfolders in your “shared” or “download” folders.

In addition, security problems within the P2P program could open the door to attacks from hackers. Some malware is designed to change which folders you have designated for sharing, so criminals can access your personal information.

Close your connection.
In many instances, closing the file-sharing program window (clicking the “x”) doesn’t close your connection to the network, so other users still have access to your shared files. This could increase your security risk and slow your computer. When you’re not downloading files, close the program entirely: Double click on the file-sharing program, choose the file menu, and then choose exit.
Some P2P programs open automatically every time you turn on your computer. You may want to change the settings so this doesn’t happen.

Create separate user accounts.
If more than one person uses your computer, consider setting up separate user accounts with limited rights. Only a user with administrator rights can install software. That’s one strategy to protect against installing software you don’t want. It also can keep certain users from accessing – or sharing – another user’s folders and subfolders.
Use a password to protect the administrator account on your computer so someone else can’t disable security features or grant themselves rights you may not want them to have.

Talk with Your Family about File-Sharing

If you’re a parent, ask your children whether they’ve downloaded file-sharing software, and if they’ve exchanged games, videos, music, or other material. Talk to your kids about the security and other risks involved with file-sharing. If they’re going to use P2P at all, talk to them about how to install and use the software correctly.
And if you’re a teen or tween interested in file-sharing? Talk with your parents before you download software or exchange files.

Know the File-Sharing Policies at Work

Because using P2P software can weaken computer security and expose folders with sensitive information, your office might have rules about how file-sharing can be used – if at all. For more information about the business implications of P2P, read Peer-to-Peer File Sharing: A Guide for Business.

To learn more about how to secure your wireless network, visit ftc.com.

Securing Your Wireless Network

Reprinted from the Federal Trade Commission Consumer Information Website

Understand How a Wireless Network Works

Going wireless generally requires connecting an Internet “access point” – like a cable or DSL modem – to a wireless router, which sends a signal through the air, sometimes as far as several hundred feet. Any device within range can pull the signal from the air and access the Internet.

Unless you take certain precautions, anyone nearby can use your network. That means your neighbors – or any hacker nearby – could “piggyback” on your network or access information on your device. If an unauthorized person uses your network to commit crime or send spam, the activity could be traced back to your account.

Use Encryption on Your Wireless Network

Once you go wireless, you should encrypt the information you send over your wireless network, so that nearby attackers can’t eavesdrop on these communications. Encryption scrambles the information you send into a code so that it’s not accessible to others. Using encryption is the most effective way to secure your network from intruders.

Two main types of encryption are available for this purpose: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). Your computer, router, and other equipment must use the same encryption. WPA2 is strongest; use it if you have a choice. It should protect you against most hackers. Some older routers use only WEP encryption, which likely won’t protect you from some common hacking programs. Consider buying a new router with WPA2 capability.

Wireless routers often come with the encryption feature turned off. You must turn it on. The directions that come with your router should explain how. If they don’t, check the company’s website.

Limit Access to Your Network

Allow only specific devices to access your wireless network. Every device that is able to communicate with a network is assigned a unique Media Access Control (MAC) address. Wireless routers usually have a mechanism to allow only devices with particular MAC addresses to access the network. Some hackers have mimicked MAC addresses, so don’t rely on this step alone.

Secure Your Router

It’s also important to protect your network from attacks over the Internet by keeping your router secure. Your router directs traffic between your local network and the Internet. So, it’s your first line of defense for guarding against such attacks. If you don’t take steps to secure your router, strangers could gain access to sensitive personal or financial information on your device. Strangers also could seize control of your router, to direct you to fraudulent websites.

Change the name of your router from the default. The name of your router (often called the service set identifier or SSID) is likely to be a standard, default ID assigned by the manufacturer. Change the name to something unique that only you know.

Change your router’s pre-set password(s). The manufacturer of your wireless router probably assigned it a standard default password that allows you to set up and operate the router, as its “administrator.” Hackers know these default passwords, so change it to something only you know.  The same goes for any default “user” passwords. Use long and complex passwords – think at least 12 characters, with a mix of numbers, symbols, and upper and lower case letters. Visit the company’s website to learn how to change the password.

Turn off any “Remote Management” features. Some routers offer an option to allow remote access to your router’s controls, such as to enable the manufacturer to provide technical support. Never leave this feature enabled. Hackers can use it to get into your home network.

Log out as Administrator: Once you’ve set up your router, log out as administrator, to lessen the risk that someone can piggyback on your session to gain control of your device.

Keep your router up-to-date: To be secure and effective, the software that comes with your router needs occasional updates. Before you set up a new router and periodically thereafter, visit the manufacturer’s website to see if there’s a new version of the software available for download. To make sure you hear about the latest version, register your router with the manufacturer and sign up to get updates.

Protect Your Network during Mobile Access

Apps now allow you to access your home network from a mobile device. Before you do, be sure that some security features are in place.

Use a strong password on any app that accesses your network. Log out of the app when you’re not using it.  That way, no one else can access the app if your phone is lost or stolen.

Password protect your phone or other mobile device. Even if your app has a strong password, it’s best to protect your device with one, too.

To learn more about how to secure your wireless network, visit ftc.com.

Cybersecurity for Small Businesses: Ways to Stay Protected

Reprinted from FDIC Consumer News – Winter 2016

In today’s world, it’s important for small business owners to be vigilant in protecting their computer systems and data. Among the reasons: Federal consumer protections generally do not cover businesses for losses they incur from unauthorized electronic fund transfers. That means, for example, your bank may not be responsible for reimbursing losses associated with an electronic theft from your bank account — for instance, if there was negligence on the part of your business, such as unsecured computers or falling for common scams. (To learn more about the rules pertaining to electronic theft, including losses involving a business debit card, see How Federal Laws and Industry Practices Limit Losses From Cyberattacks).

Here are tips to help small business owners and their employees protect themselves and their companies from losses and other harm. Several of these tips mirror basic precautions we have suggested elsewhere in this issue for consumers.

Protect computers and Wi-Fi networks. Equip your computers with up-to-date anti-virus software and firewalls to block unwanted access. Arrange for key security software to automatically update, if possible. And if you have a Wi-Fi network for your workplace, make sure it is secure, including having the router protected by a password that is set by you (not the default password). The user manual for your device can give you instructions, which are also generally available online.

Patch software in a timely manner. Software vendors regularly provide “patches” or updates to their products to correct security flaws and improve functionality. A good practice is to download and install these software updates as soon as they are available. It may be most efficient to configure software to install such updates automatically.

Set cybersecurity procedures and training for employees. Consider reducing risks through steps such as pre-employment background checks and clearly outlined policies for personal use of computers. Limit employee access to the data systems that they need for their jobs, and require permission to install any software.

And, train employees about cybersecurity issues, such as suspicious or unsolicited emails asking them to click on a link, open an attachment or provide account information. By complying with what appears to be a simple request, your employees may be installing malware on your network. You can use training resources such as a 30-minute online course from the Small Business Administration (SBA).

Require strong authentication. Ensure that employees and other users connecting to your network use strong user IDs and passwords for computers, mobile devices and online accounts by using combinations of upper- and lower-case letters, numbers and symbols that are hard to guess and changed regularly. Consider requiring more information beyond a password to gain access to your business’s network, and additional safety measures, such as requiring confirmation calls with your financial institution before certain electronic transfers are authorized.

Secure the business’s tablets and smartphones. Mobile devices can be a source of security challenges, especially if they hold confidential information or can access your company’s network. In the case of the latter, require employees to password-protect their devices, encrypt their data and install security apps to prevent criminals from accessing the device while it is connected to public networks. Also develop and enforce reporting procedures for lost or stolen equipment.

Back up important business systems and data. Do so at least once a week. For your backup data, remember to use the same security measures (such as encryption) that you would apply to the original data. In addition, in case your main computer becomes infected, regularly back up sensitive business data to additional, disconnected storage devices.

Use best practices for handling card payments online. Seek advice from your bank or a payment processor to select the most trusted and validated tools and anti-fraud services. This may include using just one computer or tablet for payment processing.

Be vigilant for early signs something is wrong. “Monitor bank account balances regularly to look for suspicious or unauthorized activity,” suggested Luke W. Reynolds, chief of the FDIC’s Outreach and Program Development Section.

Cybersecurity tips for small businesses also can be found in a new FDIC brochure. Also go to OnGuardOnline and the SBA website.

Protect Your Data During Cyber Security Awareness Month

Americans live in a mobile society, relying on smartphones, tablets and computers to gather news, make purchases, interact with friends and family, and connect with financial institutions. Increasingly, cybercriminals compromise the networks that support these devices. This often results in identity theft, which can also yield financial losses and safety risks for consumers. In fact, a recent report from the Center for Strategic and International Studies (CSIS) found that computer hackers have stolen the personal information of approximately 40 million U.S. residents.

October is Cyber Security Awareness Month, and the Independent Community Bankers of America® (ICBA) and MutualOne Bank are offering tips to help consumers avoid having their online financial information disrupted or stolen:

When sending sensitive information via the Internet, make sure “https:” appears in the address bar. This  means the information you are transmitting is encrypted.

Ensure the wireless network you use is password-protected, and choose a strong password and update it frequently for your work and home wireless networks. Likewise, always use a passcode on your mobile phone or tablet to stop an unauthorized user from accessing your device.

Don’t enter sensitive information into your phone when others can see what you’re entering.

Set the privacy settings on frequented social network sites. Cybercriminals often learn about people and their families and friends via social media in an attempt to spoof or phish you and your network.

Remain cautious of someone who isn’t who they say they are or if the name and area don’t match what appears on caller ID. This is often how spoofing occurs.

Never respond to text messages, emails or phone calls from companies alleging to be your bank, government officials or business representatives that request your banking ID, account numbers, user name or password.

Similarly, don’t click on links sent to you from unknown sources via text message because they are likely malware.

Beware of “get rich quick” schemes; never voluntarily give out your bank account information or security credentials.

You can learn more about Cyber Security Awareness Month by visiting the Stay Safe Online website.

Avoiding Password Reuse

Password reuse occurs when someone uses the same password on multiple websites or accounts. This is a vulnerability if the password is exposed in coordination with other information that identifies who is using the password – such as first and last names, login names, or email addresses.

Avoiding password reuse can be challenging because of the number of websites and accounts that require passwords, some of which require updating your password every 30 days. There are two ways to avoid password reuse and to ensure any password meets the recommended password complexity requirements.

The first technique is to use a password manager to remember each unique password. Password managers are applications that can be stored on a computer, smartphone, or in the cloud, and will securely track passwords and where they are used. Most password managers can also generate complex random passwords for each account if you choose to do so. As long as the password to access the password manager is sufficiently complex, this technique can be effective. However, if the company running the password manager is compromised (which does happen!) it is possible that all your passwords will also be compromised. If you choose a password manager that is local to your computer or smartphone, that information may be compromised if malware gets on your computer or you lose your smartphone. When choosing a password manager, ensure it is from a known, trustworthy company.

The second technique is to choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password. For example, the sentence “This is my August password for the Center for Internet Security website.” would become “TimAp4tCfISw.” Since a strong password is complex, and includes upper and lower case letters, numbers, and a symbol, this password keeps the capitalization within the sentence, translates the word “for” to the number “4,” and keeps the period so that it includes a symbol. The vulnerability in this technique is that if multiple passwords from the same user are exposed it may reveal the pattern.

Regardless of how a unique password is chosen, it is critically important that every password is unique. Some companies, such as Facebook, have begun programs to identify password reuse. Facebook’s program to identify password reuse involves monitoring for lists of compromised usernames, emails, and passwords, and attempting to match those to the usernames or email addresses of existing Facebook users. If a match is found Facebook asks the user to reset their Facebook password.
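A sketch of the kind of matching described above, as an added example that is not Facebook's code or part of the original article: leaked email and password pairs are compared against the salted hashes a service already stores, and matching accounts are flagged for a reset. The account layout, the `email:password` leak format, the PBKDF2 settings and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; a real service tunes this value.
PBKDF2_ROUNDS = 100_000


def normalize_email(email):
    """Emails are compared case-insensitively and without stray whitespace."""
    return email.strip().lower()


def hash_password(password, salt):
    """Salted, slow hash of the password, as the service would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(email, password):
    """Build a stored account record; the plaintext password is not kept."""
    salt = os.urandom(16)
    return {"email": normalize_email(email), "salt": salt,
            "hash": hash_password(password, salt)}


def parse_leak_line(line):
    """Parse one 'email:password' line from a leaked list.

    The password may itself contain ':', so split only once.
    Returns None for lines that are not usable credentials.
    """
    line = line.rstrip("\r\n")
    if ":" not in line:
        return None
    email, password = line.split(":", 1)
    email = normalize_email(email)
    if "@" not in email or not password:
        return None
    return email, password


def find_reused(accounts, leak_lines):
    """Return the emails whose current password matches a leaked one."""
    by_email = {acct["email"]: acct for acct in accounts}
    flagged = set()
    for line in leak_lines:
        parsed = parse_leak_line(line)
        if parsed is None:
            continue
        email, leaked_password = parsed
        acct = by_email.get(email)
        if acct is None:
            continue  # leaked address is not one of our users
        # Re-hash the leaked password with this user's own salt and compare
        # in constant time against the stored hash.
        candidate = hash_password(leaked_password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            flagged.add(email)
    return sorted(flagged)


# Constructed sample data: three users and a four-line "leak".
ACCOUNTS = [
    make_account("alice@example.com", "Summer:2016!"),   # reused elsewhere
    make_account("bob@example.com", "NewBobPass2#"),     # changed since the leak
    make_account("dave@example.com", "Unique-To-Here9"),
]
LEAK_LINES = [
    "Alice@Example.com:Summer:2016!\n",
    "bob@example.com:OldBobPass1\n",
    "carol@example.net:hunter2hunter2\n",   # not a user of this service
    "not a credential line\n",
]

if __name__ == "__main__":
    for email in find_reused(ACCOUNTS, LEAK_LINES):
        print("require password reset:", email)
```

Only users whose stored hash matches a leaked password are flagged, so an account that appears in the list but has since changed its password is left alone.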

How Password Reuse is a Threat
Password reuse is a threat because malicious actors can take advantage of a reused password if there is other associated information that identifies you. This typically occurs through one of two potential scenarios:

In the first, and most common scenario, the malicious actors can search for other accounts you use and try to log in with the same password. In some cases the actors might try to find personal accounts such as Facebook, Twitter, or banking websites. If they can identify those accounts, and you reuse your password, they can log in as you. In other instances the malicious actors may try to determine where you are employed and attempt to use your password for remote access, such as through a remote email or timecard access.

A second scenario involving a malicious website is much less common, but still poses a threat. In this scenario the malicious cyber-actor sets up a website that spoofs a legitimate web site, which requests you enter an email address, password, and potentially other information to gain access. Once you have done that, they know who you are and can search for your other accounts where you used the same password.

Sun, Sand, and Cyber Security

Every summer, vacationers put their house lights on timers and their mail on hold when they travel away from home. It’s just as important when taking a vacation to take similar precautions with good cyber habits. Many cyber criminals specifically target travelers…

Criminals often set online lures to sell fake vacations or tickets. These may be just simple advertisements or sophisticated scams using realistic websites, complete with phone operators that will “assist” you.

Home Alone
Social media posts with pictures of tourist attractions may update your friends and family, but they also tell criminals that you’re on vacation and your house is empty. Other older posts may contain personal details or pictures of your home, telling thieves what items of value are in the house or how to circumvent security systems.

Stolen “Keys”
Sensitive data, such as login names and passwords, are especially valuable to criminals. One way criminals obtain such data is by installing a “keylogger” on hotel public computers. The keylogger records every keystroke typed on the computer and then transmits that information to the criminal.

Missed Connection
Some cyber criminals specialize in “sniffing” the Wi-Fi and public networks in airports and coffee shops, allowing the criminal to collect and read all information sent over a wireless network.

Other criminals use a practice called “juice jacking”, where the criminal rigs a public charging kiosk to siphon information directly from your device when you plug into it.

Who’s the Boss?
The cyber security threat doesn’t end with you; social engineers often use information about a boss’ vacation to gain physical access or commit financial fraud. The social engineer knows that they can reference the boss and the boss will not be reachable to verify whether he/she really did order the “repairman” or gave instructions for a fraudulent wire transfer.

When in Rome…
Different countries have different laws, which may allow government employees or law enforcement full access to your device without your knowledge or permission. Some countries are known to collect all data residing in that country, while others collect data from devices left in hotel rooms. This may be very important in countries that do not have the same freedom of speech as the United States. Some of these countries are known to have jailed tourists who posted negative comments online about the government or who posted criminal activities online, such as the use of alcohol or drugs.

Luckily, with a little care it’s possible to avoid these problems. Follow these simple tips to ensure that the only memories from your vacation are good ones:

Easy Tips to Protect Yourself

• Use discretion when posting personal information on social media. This information is a treasure-trove to social engineers. Do not post information about travel plans or details; save the pictures and updates until after you return home.
• Set email away messages to only respond to known contacts in your address book.
• Disable geo-locational features, such as automatic status updates and friend finder functionalities.
• Remind friends and family members to exercise the same caution.

Easy Tips to Protect Your Devices

• Keep your electronic devices with you at all times.
• Before traveling abroad, change all passwords that you will use while traveling, and upon return change the passwords of any accounts that were accessed while abroad. This includes passwords used by social media websites and email providers, for which you have automatic logins.
• Do not access sensitive accounts (e.g. banks, credit cards, etc.) or conduct sensitive transactions over public networks, including hotel and airport Wi-Fi and business centers, or Internet cafés.
• Use up-to-date anti-virus, anti-spyware, and anti-adware protection software; apply recommended patches to your operating system and software.
• Use wired connections instead of Bluetooth or Wi-Fi connections, whenever possible.
• Do not plug USB cables into public charging stations; only connect USB powered devices using the intended AC power adapter.
• Know the local laws regarding online behavior, as some online behaviors are illegal in certain countries.

Telephone Phishing Scam Alert

There is a telephone phishing scam underway in our area that we want our customers to be aware of. The victims of this scam receive a bogus text or telephone message that is supposedly from their bank, which is mentioned by name. The message claims that the customer’s debit card has been deactivated, and tells them to call a phone number provided in the message. When the customer calls that number, they are told to enter their debit card information and a replacement card will be issued.

Under no circumstances would MutualOne Bank contact you in this manner. If you receive such a message or experience any other suspicious or questionable activity regarding your account, please notify us immediately by calling us directly at (508) 820-4000.

Resources to protect consumers

While National Consumer Protection Week will end on Saturday, the information shared through the website remains a valuable resource for consumers looking to protect their rights and make better-informed decisions about their finances.

Visitors to the site will find a wealth of information on everything from preventing identity theft, and protecting your home and business, to buying products & services, and investing your money.

For more information visit the National Consumer Protection Week website at ncpw.gov.

VIDEO: What is Identity Theft?

The Federal Trade Commission has created this informative video for consumers with 5 easy ways you can protect yourself from becoming a victim.

If you believe you have been a victim of identity theft, please visit your local branch, or contact Client Services at (508) 820-4000.

Please note by clicking on the link to YouTube, you are leaving the MutualOne Bank web site to enter a web site created, operated and maintained by a private business or organization. MutualOne Bank provides this link as a service to our web site visitors. We are not responsible for the content, views, or privacy policies of this site. We take no responsibility for any products or services offered by this site, nor do we endorse or sponsor the information it contains.