ECCU Blog

As you steward the financial resources entrusted to your ministry, one way to deter fraud is to establish internal controls around your checking account activities. Here are some best practices you should consider adopting:

Examine your bank statements quickly: When you opened your checking account with your bank, you entered an agreement (usually communicated through your account disclosures) that requires you to review your bank statements promptly and report losses as soon as possible. If you delay this review, fraudulent activity can go undetected. Even worse, it may escalate and you may become liable for the loss or future losses. Be sure you understand the requirements in your account agreement for timely statement review.

Use online banking features: Most online banking systems have a feature that allows you to set up account alerts that can be configured to inform you when checks clear and if balances fall below specific thresholds. Alerts are a strong tool in your early fraud detection arsenal.

Instill segregation of duties for check responsibilities: “Opportunity” is a common risk factor for internal fraud or embezzlement. You can minimize opportunities to commit fraud by implementing an internal control known as segregation of duties. An example would be assigning different people in your organization to prepare and reconcile checks. This way no transaction is handled by only one person from beginning to end.

Perform spot checks: Performing occasional surprise checks of the processes you have put in place shows you if those processes are performing as they should and that duties are indeed segregated.

Keep your check stock secure: You can keep check stock secure by restricting access to it. One good option is a locking cabinet that is accessible only to those individuals who are responsible for issuing checks. A cabinet with two locks is even better. The check reorder form should also be stored securely. Otherwise, a forger could easily reorder checks with the form and have them shipped to another location. It’s also a good idea to do occasional surprise inspections of your check inventory.

What internal controls do you have in place to protect the funds in your checking account?


I may be Ministry Banking Guy, but I’m not Banking Security Guy. That title would rightly belong to information systems expert Alan Weisenberger. So I asked him to write this post because this issue is so timely and important.—MBG

The buzz in the information security world this past week sounds like something straight from the Cooking Channel. Data breaches at four major websites including LinkedIn, eHarmony, music sharing site Last.fm, and gaming site League of Legends have resulted in millions of passwords being compromised. The common element is that “hashed” passwords that weren’t “salted” were stolen from their databases and posted on the internet. Say what?

In layman’s terms, hashing runs a password through a one-way function that turns it into a fixed-length scramble; the site stores the scramble instead of the password and, at login, hashes what you type and compares. It is not encryption in the usual sense, because nobody is supposed to be able to turn the hash back into the password. An attacker who steals the hashes can still guess, though: hash a list of likely passwords, look for matches, and reuse tables computed ahead of time. Salting adds a random value, different for each user, to the password before hashing. That makes precomputed tables useless, and it means two people who chose the same password no longer end up with the same hash. So hashing is good, hashing with salt is better, and a deliberately slow password hash (one designed so each guess costs the attacker real time) is better still. But even salty hashes aren’t invincible. They just make every guess more expensive.
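
To make the difference concrete, here is an added example (my own illustration, not ECCU’s code and not how any of the breached sites actually stored passwords). It hashes a constructed set of users both ways, runs a small constructed wordlist against each, and then shows the storage scheme a practitioner would use today: a per-user random salt with a slow key-derivation function (PBKDF2 from Python’s standard library). SHA-256 stands in for whatever fast hash the sites used; the user names, passwords and wordlist are made up.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real accounts): two users picked the same
# password, which is what made the breached hashes so revealing.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def hash_unsalted(password):
    """Fast hash of the bare password: the weak scheme behind the breaches.
    SHA-256 is an assumption standing in for whatever the sites used."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Same fast hash, but over salt||password. The salt is stored beside
    the hash; it is not secret, it just has to differ per user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_unsalted(stolen, wordlist):
    """stolen: {user: hex_hash}. One hash per word cracks every user who
    chose that word; the table can be built once and reused forever.
    Returns (recovered passwords, number of hashes computed)."""
    table = {hash_unsalted(w): w for w in wordlist}
    found = {u: table[h] for u, h in stolen.items() if h in table}
    return found, len(wordlist)


def shared_password_groups(stolen):
    """With unsalted hashes, equal hashes mean equal passwords, so a site
    (or an attacker) can see which users share one. Returns the groups."""
    by_hash = {}
    for user, h in stolen.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(g) for g in by_hash.values() if len(g) > 1]


def crack_salted(stolen, wordlist):
    """stolen: {user: (salt, hex_hash)}. No shared table is possible; each
    user costs a fresh pass over the wordlist, so the work scales with
    users * words instead of just words."""
    found, work = {}, 0
    for user, (salt, h) in stolen.items():
        for word in wordlist:
            work += 1
            if hash_salted(word, salt) == h:
                found[user] = word
                break
    return found, work


# What to store instead: a per-user random salt and a deliberately slow
# key-derivation function, so every guess costs the attacker ITERATIONS
# hash computations rather than one.
ITERATIONS = 200_000


def store_password(password):
    """Returns (salt, digest) to keep in the user record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recomputes with the stored salt; the constant-time compare avoids
    leaking how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    print("unsalted cracked, work:", crack_unsalted(unsalted, WORDLIST))
    print("users sharing a password:", shared_password_groups(unsalted))

    salted = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        salted[u] = (salt, hash_salted(p, salt))
    print("salted cracked, work:", crack_salted(salted, WORDLIST))

    salt, digest = store_password("correct horse")
    print("pbkdf2 verify:", verify_password("correct horse", salt, digest))
```

Two things to notice when it runs. Against unsalted hashes the wordlist is hashed once and cracks everyone who chose a listed word, and equal hashes expose which users share a password, which is exactly the comparison the League of Legends alert describes. Against salted hashes every user costs a separate pass over the wordlist, and PBKDF2 then multiplies the cost of each guess by its iteration count.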

We always have to remember that security is not an on/off switch. “Is it secure?” is a question that, in an absolute sense, nearly always requires a “no” answer. It’s more accurate to ask, “Is it secure enough?” To answer that question, we have to match the security requirement to the value of what’s being protected. A six-character password might be enough for some things, while others need the better protection of ten or twelve characters. Storing password hashes salted provides more protection than unsalted, but no matter how they’re stored, passwords alone aren’t enough protection for some things. You’re familiar with this idea. I suspect you would protect a stack of $100 bills more than you would your pocket change.

I’m not too concerned about my LinkedIn account being hacked. I suppose someone could deface my profile or do something that could mar my reputation. But I’m not dependent on LinkedIn for anything critical. (Not to imply that’s necessarily true for you.)

My biggest concern about these passwords being stolen is that many people use the same password for these sites that they use for more critical things, like online banking. If you use your online banking password for anything else in addition to online banking, please change it NOW—then come back and finish reading this article!

The alert on the League of Legends website about their breach contained some eye-opening statistics:  “We compared encrypted password hashes and discovered that 11 passwords were shared by over 10,000 players each,” the alert states. “A double-digit percentage of individuals had the same password as at least one other person.”  Wow.  How common is your password?

It’s also concerning that the League of Legends breach compromised other personal information, including security questions and answers. Could your online banking security questions be compromised by the breach of some other website?

In case you’re wondering, we don’t store your ECCU online password in a database anywhere. While the explanation of how this works is too complex for a blog entry, suffice it to say that your password decrypts a complex key on your PC that is transmitted to us. Your password never gets sent to us so we don’t know it, don’t store it, and never have access to it. That’s why you have to jump through some extra security hoops if you log in from a different computer. So keep your password secure and you can be confident that we will too.

Keep checking back in for more tips on how to choose and manage a secure password. In the meantime, have you experienced the headache of a hacked account? What advice would you offer other ministries?


Hackers never seem to tire of devising ingenious ways to inflict mayhem. An alarming new threat has emerged known as “Spear Phishing.” This phishing technique uses a personalized email message that’s designed to pique your interest. It might be a conference invite, an invoice, or a missions support plea.

Spear phishing messages, which appear genuine and often convey a sense of urgency, are ruses to get you to hand over sensitive information (such as your login and password, typically on a look-alike login page) or to click a link that leads to a malware download. These email “spears” often get past spam filters precisely because they look legitimate: they go out in small numbers, to named people, with a sender and subject tailored to the recipient.

RSA, a security software firm, reported that about one in every 300 emails in 2011 was a phish. A growing number are being received at work email boxes as personalized “spear” messages addressed to specific employees, sometimes including details mined from social networks to make them appear valid.

Keeping your antivirus software and spam filtering up to date will help weed out many of these emails. However, attackers are adept at getting them through undetected, and that is where employee training helps. Microsoft lists the following components of scam emails:

  • Alarmist messages and threats of account closures
  • Promises of money for little or no effort
  • Deals that sound too good to be true
  • Requests to donate to a charitable organization after a disaster that has been in the news
  • Bad grammar and misspellings

A best practice is to treat email from unknown sources with suspicion, but spear phishing is built to look like it comes from someone you trust, so go further: check the actual sender address, not just the display name; hover over links to see where they really lead before clicking; and confirm any request for credentials, a payment or an account change through a channel you already have (a phone number on file, not one in the message).
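
Several of these tells are visible in the message headers and HTML in a machine-checkable form. The script below is an added example (my own, not from the post, RSA or Microsoft) that runs four such checks over a constructed sample message: a From display name that smuggles in a different address, a Reply-To on another domain, a link whose visible text names one site while its target is another, and alarmist wording of the kind in the list above. The addresses, domains and wording are invented, and the keyword patterns are an assumption loosely based on that list, not any vendor’s rule set.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages (invented addresses and text, not real mail).
# SPEAR_PHISH carries the tells discussed above; BENIGN is an ordinary
# internal message used as a control.
SPEAR_PHISH = """\
From: "Accounts Payable <ap@example-ministry.org>" <billing@mail-example.net>
Reply-To: collections@example-other.com
To: treasurer@example-ministry.org
Subject: URGENT: invoice overdue, account will be closed
Content-Type: text/html

<p>Your account will be suspended unless you confirm payment immediately.</p>
<p><a href="http://example-other.com/login">https://example-ministry.org/pay</a></p>
"""

BENIGN = """\
From: Pastor Jane <jane@example-ministry.org>
To: treasurer@example-ministry.org
Subject: Agenda for Thursday
Content-Type: text/html

<p>The agenda for Thursday is on the calendar.</p>
<p><a href="https://example-ministry.org/calendar">https://example-ministry.org/calendar</a></p>
"""

# Assumed keyword patterns, loosely following the list above; a production
# filter would use a far larger and continually tuned set.
LURE_PATTERNS = {
    "alarmist": r"\burgent\b|account will be (closed|suspended)|\bimmediately\b",
    "easy money": r"\byou (have )?won\b|\bprize\b|\blottery\b",
    "too good": r"\bfree\b.*\bguaranteed\b|\brisk[- ]free\b",
    "disaster donation": r"\bdonat\w*\b.*\b(earthquake|hurricane|flood|disaster)\b",
}

# Simplified: only double-quoted href attributes are recognised.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def _host(url):
    """Hostname of a URL; a bare 'example.org/path' gets a scheme first."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def analyze_email(raw):
    """Returns a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    sender_domain = sender.domain.lower() if sender else ""

    # 1. Display name carrying an address from a different domain than the
    #    real sender: many mail clients show only the display name.
    if sender:
        m = re.search(r"@([\w.-]+)", sender.display_name)
        if m and m.group(1).lower() != sender_domain:
            findings.append(("display-name-mismatch",
                             f"shows {m.group(1)}, actually from {sender_domain}"))

    # 2. Replies silently routed to another domain.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != sender_domain:
            findings.append(("reply-to-mismatch", f"replies go to {rt_domain}"))

    # 3. Link text that names one host while the href points at another.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    for href, text in LINK_RE.findall(body):
        shown = TAG_RE.sub("", text).strip()
        if re.match(r"^(https?://|[\w.-]+\.[a-z]{2,})", shown, re.I):
            if _host(shown) != _host(href):
                findings.append(("link-mismatch", f"text {_host(shown)} -> {_host(href)}"))

    # 4. Pressure and lure wording in subject and body.
    haystack = f"{msg['Subject'] or ''} {TAG_RE.sub(' ', body)}"
    for category, pattern in LURE_PATTERNS.items():
        if re.search(pattern, haystack, re.I):
            findings.append(("lure-language", category))

    return findings


if __name__ == "__main__":
    for label, raw in (("spear phish", SPEAR_PHISH), ("benign", BENIGN)):
        print(label, analyze_email(raw))
```

Heuristics like these belong in a mail gateway or a help-desk triage tool, not as the only defence: a carefully built spear phish can pass all four checks, which is why the training and the habit of confirming requests out of band still matter.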

What is your ministry doing to guard against spear phishing attempts?


If you’re like me, last week’s bank card breach involving Global Payments prompted a question: “Was my card affected?” While the odds of the answer being “yes” are small—just a fraction of the billion or so cards in use in North America were affected by the breach—the thought of nearly 1.5 million cards being compromised is still alarming.

We received an alert from the Credit Union National Association (CUNA) this week that says, in the wake of this card breach, you’re wise to be vigilant about card security. Quoting from the alert:

In the wake of the card breach, the next several days or weeks are critical for credit union members to be on the alert for any suspicious emails, text messages or phone calls requesting personal or financial information, especially card data. The card information that may be requested includes cardholder billing address, 3 digit CVV2/CVC2 code found on the back of the card, or enrollment criteria/passwords for Verified by Visa or MasterCard SecureCode. This card information was not part of the recent Global Payments breach. Criminals may ask members for this information to add to the other card data they may have obtained from the breach to perform card present (key entered) or card-not-present (mail/telephone/internet) non-magnetic stripe transactions.

Given this cautionary note, here’s a reminder: NEVER respond to emails, text messages, or phone calls requesting this type of information. If you receive a suspicious request, contact ECCU immediately at 800.634.3228. And be sure to monitor your financial accounts closely, and report any discrepancies.


I was in a meeting the other day when one of my coworkers received a text message on her cell phone from the bank where her daughter, a college sophomore, has an account. She looked at her phone and commented, “It looks like there’s some strange activity on my daughter’s account.”

After the meeting she contacted her daughter and discovered that the strange activity was fraud, but thanks to the early detection by her bank, it would be handled swiftly. This experience was a powerful personal reminder of how technology can now mitigate the risk of fraud in our banking relationships.

The message my coworker received is called an alert. Banks send alerts to inform or remind you of important transactions, including those that might place you at risk. Alerts can be sent to an individual, a group, or even a department. Best of all, online banking allows you to set up alerts to meet your specific needs.

For example, you can configure alerts to inform you when:

  • All transactions from the previous day exceed a certain threshold
  • A check has cleared
  • Your balance drops below a pre-selected dollar amount

In addition to helping combat fraud, alerts can also help you manage your account by understanding transaction posting times and balance levels. 

At ECCU we offer these types of alerts and more through online banking. To find out more, follow this link.

How have you used alerts on your online bank accounts?
