Frequently Asked Questions About Security
What purpose do security questions serve? — Security questions are used to help prevent unauthorized users from accessing your online account. This option helps to increase security versus the username/password combination alone. Some typical uses of security questions are:
- Sign-in verification: Some websites occasionally display a security question during sign-in as a second level of verification.
- Password retrieval/reset: If you forget your password, the website will ask one or more questions and if answered correctly, you'll get or reset the password.
Would someone from Old Second be able to change my security questions? — No, bank personnel do not have access to view or change a user’s account security information (security questions or passwords). We can, however, assist with password resets.
Spoofing—What are the types?
- Caller ID Spoofing: allows callers to lie about their identity and present false names and numbers, which could of course be used as a tool to defraud or harass.
- Website Spoofing: occurs when one website is made to appear as if it is another. Using this technique, the hacker creates a series of fake websites with the intent to steal an unsuspecting user's private information. The address that is displayed is not the real URL of the site, so the information is actually sent to a hidden web address. With Website Spoofing, a user is directed to a fraudulent site that has the same look and feel as the original. They are then tricked into logging in with their username and password; the hacker collects the user information, displays a password error and redirects the unsuspecting user to the legitimate site.
- Email Spoofing: email activity in which the sender's "From" field address is altered to appear as though the email originated from a different source. Because most free email accounts (think Hotmail, Google, AOL, etc.) tend not to provide any outgoing authentication (verifying that the sender's name is actually the person who is sending the email), it is easy to impersonate someone else and forge emails. Although there are legitimate marketing uses for this substitution, these techniques are commonly used in spam and phishing emails to hide the origin of the message.
Phishing—What is it? And how can it affect me? — A phishing attack begins with an email pretending to be from someone or something you know or trust, such as your bank or favorite online store. These emails then try to entice you into taking an action, such as clicking on a link, opening an attachment or responding to a message. Cyber criminals craft these emails and then send them out to millions of people. They don’t have specific Internet users in mind; they are pursuing three simple objectives: harvesting your Personally Identifiable Information (PII), controlling your PC through malicious links, or controlling your computer through malicious attachments.
Phishing—How can I protect myself?
- Be suspicious of any email that requires immediate action or creates a sense of urgency.
- Be suspicious of emails addressed to "Dear Customer" or some other generic salutation.
- Be suspicious of grammar or spelling mistakes; most businesses proofread their messages very carefully.
- If a link in an email seems suspicious, hover your mouse over the link. This will show you the true destination where you would go if you actually clicked it. The link text that is written in the email may be very different from where it will actually send you.
- Do not click on links unless you know the source.
- Be suspicious of attachments; only open attachments that you were expecting.
- Remember, just because you got an email from your friend doesn’t mean they sent it.
- Using email safely is all about common sense. If something seems suspicious or too good to be true, it is most likely an attack. Simply delete the email.
What do I do if I have responded to a phishing attempt? — Based on the information that was compromised and the data that was shared, each situation could have a different response. At Old Second, we'll help you decide what the best approach is to take to help correct what has been done. Contact security@oldsecond.com, or call 877-866-0202 to have an O2 Fraud Specialist help you determine the course of action needed.
Privacy—How do I know if my privacy is being protected?
- Privacy policy—Before submitting your name, email address or other personal information on a website, look for the site's privacy policy. This policy should state how the information will be used and whether or not the information will be distributed to other organizations. Companies sometimes share information with partner vendors who offer related products or may offer options to subscribe to particular mailing lists. Look for indications that you are being added to mailing lists by default—failing to deselect those options may lead to unwanted spam. If you cannot find a privacy policy on a website, consider contacting the company to inquire about the policy before you submit personal information, or find an alternate site. Privacy policies sometimes change, so you may want to review them periodically. You can find Old Second’s Privacy Policy here.
- Look for evidence that your information is being encrypted. To prevent attackers from intercepting your information, any personal information submitted online should be encrypted so that it can only be read by the appropriate recipient. Many sites use SSL, or secure sockets layer, to encrypt information. Indications that your information will be encrypted include a URL that begins with "https:" instead of "http:" and a lock icon in the address bar.
What additional steps can you take to protect your privacy?
- Do business with credible companies.
- Do not use your primary email address in online submissions.
- Avoid submitting credit card information online.
- Devote one credit card to online purchases.
- Avoid using debit cards for online purchases.
- Take advantage of options to limit exposure of private information.
Social Engineering—What does it mean and how is it done? — It is simply the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick a person into revealing sensitive information or getting them to do something that is against typical practices. There are usually four steps to a social engineering attack:
- Information gathering: A variety of techniques can be used by an aggressor to gather information about the target(s). Once gathered, this information can then be used to build a relationship with either the target or someone important to the success of the attack. Information that might be gathered includes, but is not limited to: a phone list; birth dates; an organization chart.
- Developing a relationship: An aggressor may freely exploit the willingness of a target to be trusting in order to develop rapport with them. While developing this relationship, the aggressor maneuvers into a position of trust, which he will then exploit.
- Exploitation: The target may then be manipulated by the "trusted" aggressor to reveal information (e.g., passwords) or perform an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This action could be the end of the attack or the beginning of the next stage.
- Execution: Once the target has completed the task requested by the aggressor, the cycle is complete.
Information can be gathered through many different means and strategies. Here are a few examples:
- Shoulder surfing: Looking over the shoulder of an individual as he types in his access code and password/PIN on a keypad for the purpose of committing this to memory so it can be reproduced.
- Checking the rubbish (commonly referred to as "dumpster diving"): searching through rubbish thrown away to obtain potentially useful information that should have been disposed of more securely (e.g., shredding).
- Mail-outs: Information is gathered about an individual or organization by enticing the individual, or the organization's staff, to participate in a survey that offers incentives, such as prizes for completing the survey.
- Forensic analysis: Obtaining old computer equipment such as hard drives, memory sticks, DVD/CDs, floppy disks and attempting to extract information that might be of use about an individual/organization.
How do I know I am at the valid O2 Online Banking Internet site? — Your previously selected image will appear, confirming that you are at Old Second Bank’s Website.
Who to Contact Regarding Fraud or Suspected Fraud? — To report a suspicious email or to contact O2 Security regarding possible fraudulent activity, please email security@oldsecond.com.