We Have Security Measures in Place to Protect Your Data
This Internet Banking System brings together a combination of industry-approved security technologies to protect data for the bank and for you, our customer. It features password-controlled system entry, a VeriSign-issued Digital ID for the bank’s server, Secure Sockets Layer (SSL) protocol for data encryption and a router loaded with a firewall to regulate the inflow and outflow of server traffic.
Certain personal information about visitors to this website is being collected by Central Bank, located in Houston, Texas. Personal information is collected from you at the time an application for a loan or deposit account is submitted to the Institution, at the time transactions are conducted through the online banking service, and at the time information is provided by you via email (including the name, email address and any other information on the email header).
A cookie is a very small text file placed on your hard drive by a web page server. It is your identification card for that server. A cookie can only be read by the server that gave it to you. A cookie’s purpose is to tell the server that you returned to that webpage. By configuring your preferences or options in your browser, you determine if and how a cookie will be accepted. In order to use our Online Banking system, you will need to have cookies enabled in your browser.
Messages sent by email may not be secured, may be intercepted by third parties and may not be immediately received by the appropriate department at Central Bank. Please do not use email to send communications that contain confidential information, that we require in writing or that need our immediate attention. Please call the bank location nearest to you. Be aware that a “receipt” acknowledgement on an email message means only that the message has routed into the internet, not that the message has been received by Central Bank. Urgent or confidential matters should be addressed via phone or in person. Written authorizations should be provided via U.S. mail or in person.
The links in this website will let the user leave Central Bank’s site. The linked sites are not under the control of Central Bank, and Central Bank IS NOT RESPONSIBLE FOR THE CONTENT AVAILABLE ON OTHER INTERNET SITES. These links are provided as a convenience to users. Access to any other internet sites linked to this website is at the user’s own risk. The inclusion of any link does not imply a recommendation or endorsement by Central Bank of the linked site.
Secure Access and Verifying User Authenticity
To begin a session with the bank’s server, the user must key in a Log-in ID and a password. Our system, the Internet Banking System, uses a “three strikes and you’re out” lock-out mechanism to deter users from repeated login attempts. After three unsuccessful login attempts, the system locks the user out, requiring a phone call to the bank before re-entry into the system. Upon successful login, the Digital ID from VeriSign, the experts in digital identification certificates, authenticates the user’s identity and establishes a secure session with that visitor.
Secure Data Transfer
Once the server session is established, the user and the server are in a secured environment. Because the server has been certified as a 128-bit secure server by VeriSign, data traveling between the user and the server is encrypted with Secure Sockets Layer (SSL) protocol. With SSL, data that travels between the bank and customer is encrypted and can only be decrypted with the public and private key pair. In short, the bank’s server issues a public key to the end user’s browser and creates a temporary private key. These two keys are the only combination possible for that session. When the session is complete, the keys expire and the whole process starts over when a new end user makes a server session.
Router and Firewall
Requests must filter through a router and firewall before they are permitted to reach the server. A router, a piece of hardware, works in conjunction with the firewall, a piece of software, to block and direct traffic coming to the server. The configuration begins by disallowing ALL traffic and then opens holes only when necessary to process acceptable data requests, such as retrieving web pages or sending customer requests to the bank.
Identifying and Reporting Common Scams
A little knowledge can go a long way toward keeping your important information safe. Read on for important tips you can put to good use!
How to Protect Your Funds from Check Fraud
Check fraud and check washing are just two of the many ways criminals can fraudulently deposit funds from your account. Read about how this scam works and what you can do to help prevent it or protect your organization from loss.
Beware of Money Mule Scams
Scammers may try to use you to move stolen money. Money mule scams happen several ways. The story often involves scams related to work-at-home jobs or prizes. Scammers send money to you, sometimes by check, then ask you to send (some of) it to someone else. Criminals are good at making up reasons to help them move money. Don’t do it.
New Vishing/Phishing Scam
A recent round of schemes involves fraudsters attempting to get money by posing as your financial institution. Here are a few important tips to help protect your accounts.
Distributed Denial of Service Attack (DDoS)
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the internet. A distributed denial-of-service (DDoS) attack is a common attack used against businesses, including financial institutions, in which the attack source uses more than one, and often thousands of, unique IP addresses to target the victim, causing an overload of activity that renders the service unavailable.
- DDoS attacks do not steal money
- DDoS attacks do not steal personal information, although an attack may be used as a distraction while a hacker is attempting to steal information
If you experience a DDoS attack at your business, you should shift your attention to any payment systems or any recent online fund transactions you have. DDoS attacks do not involve the hacking of your business, but they are used as a distraction for other means of criminal activity that could include hacking or insider theft within your money payment systems or online banking (funds transfer and ACH) sessions. As a business, you should train your employees, in the event you experience a DDoS attack, to first focus on and review all payments going in and out of your organization. You can then work with your vendor to remediate the attack against your systems.
At Central Bank, our employees and third-party vendors are trained on DDoS attacks, and we have systems in place to monitor and block these types of activities.
Protect Your Company from BEC
Business email compromise (BEC) — also called “wire transfer phishing,” “impostor phishing” and “CEO phishing” — is a type of cyberattack comprising low-volume campaigns of highly targeted phishing emails. These campaigns focus on one or two people within an organization, asking the recipient to transfer funds or private information of value, such as W-2 forms, directly to attackers.
Here’s How BEC Works
From a technical perspective, to prevent BEC you need a secure email gateway that supports advanced options for flagging suspicious messages based on attributes (such as direction and subject line) and email authentication techniques. At a minimum, configure your email gateway to block messages that spoof your domain(s). This function is built into most secure email gateways. Another best practice is automatically adding the [EXTERNAL] tag, or a similar designation, to the subject line of emails sent from outside your organization.
From a human resources perspective, train your staff and put effective processes in place. Here are a few basic guidelines:
- Be Suspicious
- If Something Doesn't Feel Right, it Probably isn't
- Slow Down
- Check the Reply-To Field
- Check the Domain
- Watch for the Use of Personal Accounts
- Follow a Process
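The gateway checks described above (block messages that spoof your own domain, tag outside mail as [EXTERNAL], and check the Reply-To field and the domain) can be expressed as the following Python example. It is an added illustration, not Central Bank's or any gateway vendor's code; the domains, the free-mail list, the function names and the sample messages are all constructed assumptions. It inspects header values only and assumes the message has already been identified as arriving from outside the organization; a production gateway would also apply email authentication to the sending domain.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAINS = {"example-corp.test"}                    # assumption: your own mail domain(s)
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed, deliberately short list

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent/invalid."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_inbound(raw, our_domains=OUR_DOMAINS):
    """Screen one message received from outside; return (action, findings, subject)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    # Outside mail claiming to come from our own domain is spoofed: block it.
    if from_dom in our_domains:
        findings.append("spoofed-own-domain")
    # "Check the Domain": one or two characters away from ours is a look-alike.
    elif any(0 < edit_distance(from_dom, d) <= 2 for d in our_domains):
        findings.append("lookalike-domain")
    # "Check the Reply-To Field": replies would go somewhere other than the sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
        # "Watch for the Use of Personal Accounts": replies diverted to free mail.
        if reply_dom in FREE_MAIL:
            findings.append("reply-to-personal-account")
    # Tag every message from outside so recipients can see its origin at a glance.
    subject = msg["Subject"] or ""
    if not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    if "spoofed-own-domain" in findings:
        action = "block"
    else:
        action = "flag" if findings else "deliver"
    return action, findings, subject

# Constructed sample messages (not real traffic).
SPOOFED = ('From: "CEO" <ceo@example-corp.test>\n'
           "Reply-To: ceo.office@gmail.com\n"
           "Subject: Urgent wire transfer\n\nPlease send today.\n")
LOOKALIKE = ("From: ceo@examp1e-corp.test\n"
             "Subject: W-2 forms needed\n\nSend the W-2 files.\n")
VENDOR = ("From: billing@vendor.test\n"
          "Subject: Invoice 1042\n\nInvoice attached.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("vendor", VENDOR)):
        print(name, screen_inbound(raw))
```

A "flag" result is a prompt for the out-of-band verification step, not proof of fraud: legitimate mailing lists and ticketing systems also set a Reply-To that differs from the sender.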
Adding safeguards that include out-of-band contact (personal interactions outside the back-and-forth of email conversations) can save organizations hundreds of thousands — or even millions — of dollars. Vigilant employees are the last line of defense against these threats. You should create a culture in which employees ask questions, think carefully and understand their important role in security.
Your home has locks on the doors and windows to protect your family and prevent thieves from stealing your valuables. Do you have deterrents to prevent the loss or theft of your electronic assets when banking at home or shopping online? Central Bank is here to help.
Access Our Cybersecurity Guide
Take Steps to Avoid Identity Theft
Identity theft is a growing problem in the world, but there are things you can do to avoid it. Read on for helpful advice to protect yourself against ID theft.
Common Ways ID Theft Occurs
Thieves use a variety of methods to access your information, including:
- Dumpster Diving: They rummage through trash looking for bills or other paper with your personal information on it.
- Skimming: They steal credit/debit card numbers by using a special storage device when processing your card.
- Phishing: They pretend to be financial institutions or companies and send spam or pop-up messages to get you to reveal your personal information.
- Changing Your Address: They divert your billing statements to another location by completing a “change of address” form.
- “Old-Fashioned” Theft: They steal wallets and purses, mail — including bank and credit card statements — pre-approved credit offers and new checks or tax information. They might also steal personnel records from their employers, or bribe employees who have access.
Remember, Your Security is Our Top Priority at Central Bank
- Central Bank will never initiate a request for sensitive information such as Social Security number, account number(s), PIN numbers or login information (ID and/or passwords), nor will we ever request you to verify your account information via email.
- Help us protect you by keeping sensitive information, such as your Social Security number, account number(s), PIN number(s), ATM card(s) and checkbook(s) in a secure location. We strongly recommend you avoid sharing such information with anyone.
- Email Disclosure: Information sent via email is not encrypted. Confidential information, such as account and tax ID numbers, should not be sent via email. Central Bank is not responsible for the content or security measures provided by third-party websites linked to this page.
When it Comes to Keeping Your Information Safe, Remember: Deter, Detect, Defend
Identity theft is a serious crime that occurs when personal information is stolen and used without your knowledge to commit fraud or other crimes. Identity theft can cost you time and money. It can destroy your credit and ruin your good name. Deter identity thieves by safeguarding your information.
- Shred financial documents and paperwork with personal information before you discard them.
- Protect your Social Security number. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Give it out only if absolutely necessary, or ask to use another identifier.
- Don’t give out personal information on the phone, through the mail or over the internet unless you know who you are dealing with.
- Never click on links sent in unsolicited emails. Instead, type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer — and keep them up to date. (Find more information at onguardonline.gov.)
- Don’t use an obvious password like your birth date, your mother’s maiden name or the last four digits of your Social Security number.
- Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done to your house.
Routinely monitor your financial accounts and billing statements to detect suspicious activity.
Be alert to signs that require immediate attention:
- Bills that do not arrive as expected
- Unexpected credit cards or account statements
- Denials of credit for no apparent reason
- Calls or letters about purchases you did not make
- Your credit report. Such reports contain information about you, including your accounts and bill paying history.
- The law requires the major nationwide consumer reporting companies – Equifax, Experian and TransUnion – to give you a free copy of your credit report each year, if you ask for it.
- Visit annualcreditreport.com or call 1.877.322.8228, a service created by these three companies, to order your free credit reports each year. You also can write: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, Georgia 30348-5281
- Your financial statements. Review account and billing statements regularly, keeping an eye out for charges you did not make.
Defend against ID theft as soon as you spot it.
- Place a “Fraud Alert” on your credit reports, and review the reports carefully. The alert tells creditors to follow certain procedures before they open new accounts in your name or make changes to your existing accounts. The three nationwide consumer reporting companies have toll-free numbers for placing an initial 90-day fraud alert; a call to one company is sufficient:
- Equifax: 1.800.525.6285
- Experian: 1.800.EXPERIAN (397.3742)
- TransUnion: 1.800.680.7289
- Online: ftc.gov/reportfraud
- Placing a fraud alert entitles you to free copies of your credit reports. Look for inquiries from companies you haven’t contacted, accounts you didn’t open and debts on your accounts that you can’t explain.
- Close any accounts that have been tampered with or established fraudulently.
- Call the security or fraud departments of each company where an account was opened or charged without your okay. Follow up in writing, with copies of supporting documents.
- Use the ID Theft Affidavit at ftc.gov/idtheft to support your written statement.
- Ask for verification that the disputed account has been closed and the fraudulent debts discharged.
- Keep copies of documents and records of your conversations about the theft.
- File a police report with law enforcement officials to help you with creditors who may want proof of the crime.
- Report the theft to the Federal Trade Commission. Your report helps law enforcement officials across the country in their investigations.
- Online: ftc.gov/idtheft
- By Phone: 1.877.ID.THEFT (438.4338) or TTY, 1.866.653.4261
- By Mail: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580
For More Information About Identity Theft:
Or, request copies of ID theft resources by writing to:
Consumer Response Center
Federal Trade Commission
600 Pennsylvania Ave., NW, H-130
Washington, DC 20580
Online Security Tips
Small steps now can help you sidestep big problems down the road. Here is some helpful advice:
Mobile Device Security
- Configure your device to require a passcode to gain access, if this feature is supported.
- Avoid storing sensitive information. Mobile devices have a high likelihood of being lost or stolen, so you should avoid using them to store passwords, bank account numbers and the like. If sensitive data is stored, use encryption to keep it secure.
- Keep your mobile device’s software up to date. These devices are small computers, running software that must be updated just as you would update your PC. Use the automatic update option, if available.
- Disable features not actively in use, such as Bluetooth, Wi-Fi and infrared. Set Bluetooth-enabled devices to non-discoverable when Bluetooth is enabled.
- Delete all information stored on a device before the device changes ownership. Use a “hard factory reset” to permanently erase all content and settings stored on the device.
- Sign out or log off when finished with an app, rather than simply closing it.
- Never click on suspicious links in emails, tweets, posts or online advertising. Links can take you to a different website than their labels indicate. Typing an address in your browser, instead of clicking a link in an email, is a safer alternative.
- Only give sensitive information to websites using encryption, so your information is protected. Verify the web address begins with “https://” (the “s” is for secure) rather than just “http://”. Some browsers also display a closed padlock.
- Do not trust sites with certificate warnings or errors. These messages could be caused by your connection being intercepted or the web server misrepresenting its identity.
- Avoid using public computers or public wireless access points for online banking and other activities involving sensitive information when possible.
- Always sign out or log off of password-protected websites when finished to prevent unauthorized access. Simply closing the browser window may not actually end your session.
- Be cautious of unsolicited phone calls, emails or texts directing you to a website or requesting information.
General Computer Security
- Maintain active and up-to-date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real-time scanning.
- Update your software frequently to ensure you have the latest security patches. This includes your computer’s operating system and other installed software (e.g. web browsers, Adobe Flash, Adobe Reader, Java, Microsoft Office, etc.)
- Automate software updates, when the software supports it, to ensure it’s not overlooked.
- If you suspect your computer is infected with malware, discontinue using it for banking, shopping or other activities involving sensitive information. Use security software and/or professional help to find and remove malware.
- Use firewalls on your local network to add another layer of protection for all the devices that connect through the firewall (e.g. PCs, smart phones, and tablets).
- Require a password to gain access. Log off or lock your computer when not in use.
- Use a cable lock to physically secure laptops when the device is stored in an untrusted location.
- Create a unique password for all the different systems you use. If you don’t, then one breach leaves all of your accounts vulnerable.
- Never share your password over the phone, in texts, by email or in person. If you are asked for your password, it’s probably a scam.
- Use unpredictable passwords with a combination of lowercase letters, capital letters, numbers and special characters.
- The longer the password, the tougher it is to crack. Use a password with at least 8 characters. Every additional character exponentially strengthens a password.
- Avoid using obvious passwords such as:
- Your Name
- Your Business Name
- Family Member Names
- Your Username
- Dictionary Words
- Choose a password you can remember without writing it down. If you do choose to write it down, store it in a secure location.
Additional Online Cybersecurity Resources
“Account takeover” is when cyber-thieves gain control of bank accounts by stealing the valid online banking credentials. Although there are several methods used to steal credentials, the most prevalent involves malware that infects computer workstations and laptops.
A computer can become infected with malware via infected documents attached to an email, or a link contained within an email that connects to an infected website. In addition, malware can be downloaded to users’ workstations and laptops through legitimate websites — especially social networking sites — and clicking on the documents, videos or photos posted there. This malware can also spread across an internal network.
The malware installs key logging software on the computer which allows the perpetrator to capture a user’s credentials as they are entered at the financial institution’s web site. Sophisticated versions of this malware can even capture token-generated passwords, alter the display of the financial institution’s web site to the user, and/or display a fake web page indicating that the financial institution’s website is down. In this last case, the perpetrator can access the account online without the possibility that the real user will log in to the website.
Once installed, the malware provides the information that enables the cyber-thieves to impersonate the business in online banking sessions. To the financial institution, the credentials look just like the legitimate user. The perpetrator has access to and can review the account details, including account activity and patterns, and ACH and wire transfer origination parameters (such as file size and frequency limits, and Standard Entry Class (SEC) Codes).
The cyber-thieves use the sessions to initiate funds transfers, by ACH or wire transfer, to the bank accounts of associates within the U.S. These accounts may be newly opened by accomplices or unwitting “money mules” for the express purpose of receiving and laundering these funds. The accomplices or mules withdraw the entire balances shortly after receiving the money, and then send the funds overseas via over-the-counter wire transfer or other common money transfer services.
Why Are Smaller Businesses and Organizations Targeted?
Cyber-thieves appear to be targeting small- to medium-sized businesses, as well as smaller government agencies and nonprofits, for several reasons:
- Many small businesses and organizations have the capability to initiate funds transfers — ACH credits and wire transfers — via online banking.
- Individual consumers generally do not have this capability, except for payees set up in online bill payment systems. This funds transfer capability is often related to a small business’ origination of payroll payments.
- In corporate account takeover, the cyber-thieves may add fictitious names to a payroll file (directed to the accounts of money mules) and/or initiate payroll payments off-cycle to avoid daily origination limits.
- Small businesses often do not have the same level of resources as larger companies to defend their information technology systems.
- Many small businesses do not monitor and reconcile their accounts on a frequent or daily basis.
- Small businesses bank with a wide variety of financial institutions with varying degrees of IT resources and sophistication.
Prevention, Detection and Reporting for Customer Account Control
- Reconcile all banking transactions on a daily basis.
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
- Utilize routine reporting on transactions.
- Perform periodic risk assessments of the banking products/services you use, including regular reviews of user access levels, dollar limits and activity.
- Immediately report any suspicious transactions to the financial institution.
- Stay in touch with other businesses and industry sources to share information regarding suspected fraud activity.
Computer Security Tools and Practices
- Install a dedicated, actively managed firewall. A firewall limits the potential for unauthorized access to a network and computers.
- Install commercial anti-virus software on all computer systems.
- Ensure virus protection and security software are updated regularly.
- Ensure computers are patched regularly, particularly operating system and key applications, with security patches.
- Consider installing spyware detection programs.
- Be suspicious of emails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. If you are not certain of the source, do not click any links.
- Be suspicious of pop-up boxes asking you to update your contact information (phone numbers) at any time, even if the pop-up box occurs just after you have logged in to online banking.
- Create strong passwords.
- Prohibit the use of “shared” usernames and passwords for online banking systems.
- Use a different password for each website that is accessed.
- Change the password several times each year.
- Never share username and password information with third-party providers.
- Limit administrative rights on users’ workstations.
- Carry out all online banking activities from a stand-alone computer system from which email and web browsing are not possible.
- Verify use of a secure session (“https”) in the browser for all online banking.
- Avoid using automatic login features that save usernames and passwords for online banking.
- Never leave a computer unattended while using any online banking or investing service.
- Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign on information leaving the customer vulnerable to possible fraud.
Recommendations for Account Takeover Victims
If you experience any of the above, please follow these procedures:
- Immediately cease all activity from computer systems that may be compromised. Disconnect the Ethernet or other network connections to isolate the system from remote access.
- Immediately contact your financial institution at 832.485.2300 and request assistance with the following actions:
- Disable online access to accounts
- Change online banking passwords
- Open new account(s) as appropriate
- Request the financial institution’s agent review all recent transactions and electronic authorizations on the account.
- Ensure that no one has requested an address change, title change, PIN change or ordered new cards, checks or other account documents be sent to another address.
- Maintain a written chronology of what happened, what was lost and the steps taken to report the incident to the various agencies, banks and firms impacted. Be sure to record the date, time, contact telephone number, person spoken to and any relevant report or reference number and instructions.
- File a police report and provide the facts and circumstances surrounding the loss. Obtain a police report number with the date, time, department, location and the name of the officer taking the report or involved in the subsequent investigation. Having a police report on file will often facilitate dealing with insurance companies, banks and other establishments that may be the recipient of fraudulent activity. The police report may initiate a law enforcement investigation into the loss with the goal of identifying, arresting and prosecuting the offender and possibly recovering losses.
This document is for information purposes and is not intended to provide legal advice. The guidance included is not an exhaustive list of actions and security threats change constantly.
Sources: NACHA and the Financial Services-Information Sharing and Analysis Center