Equifax Data Breach – FAQs

Concerned about the Equifax breach? See our FAQs to learn more about the breach and how to protect yourself.

Frequently Asked Questions

I’ve been hearing about the Equifax breach in the news. What happened?

Equifax, one of the three major credit bureaus, experienced a massive data breach. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people.

Was my information stolen?

If you have a credit report, there’s a good chance it was. Go to a special website set up by Equifax to find out: https://www.equifaxsecurity2017.com/. Scroll to the bottom of the page and click on “Potential Impact,” enter some personal information and the site will tell you if you’ve been affected. Be sure you’re on a secure network (not public wi-fi) when you submit sensitive data over the internet.

How can I protect myself?

  • Enroll in Equifax’s services.

Equifax is offering one year of free credit monitoring and other services, whether or not your information was exposed. You can sign up at https://www.equifaxsecurity2017.com/.

  • Monitor your credit reports.

In addition, you can order a free copy of your credit report from all three of the credit reporting agencies at annualcreditreport.com. You are entitled to one free report from each of the credit bureaus once per year.

  • Monitor your bank accounts.

We also encourage you to monitor your financial accounts regularly for fraudulent transactions. Use online and mobile banking to keep a close eye on your accounts.

  • Watch out for scams related to the breach.

Do not trust e-mails that appear to come from Equifax regarding the breach. Attackers are likely to take advantage of the situation and craft sophisticated phishing e-mails.

Should I place a credit freeze on my files?

Before deciding to place a credit freeze on your accounts, consider your personal situation. If you might be applying for credit soon or think you might need quick credit in an emergency, it might be better to simply place a fraud alert on your files with the three major credit bureaus.  A fraud alert puts a red flag on your credit report which requires businesses to take additional steps, such as contacting you by phone before opening a new account.

How do I contact the three major credit bureaus to place a freeze on my files?

Equifax: Call 800-349-9960 or visit its website.

Experian: Call 888-397-3742 or visit its website.

TransUnion: Call 888-909-8872 or visit its website.

Where can I get more information about the Equifax breach?

You can learn more directly from Equifax at https://www.equifaxsecurity2017.com/. To learn more about how to protect yourself after a breach, visit https://www.identitytheft.gov/Info-Lost-or-Stolen.


How We Protect Your Data from Ransomware

It is important to us to provide you timely information regarding the steps we take to protect our customers’ data in the event of a Ransomware attack.

Criminals use Ransomware to hold your data hostage. They will typically include malware as an attachment in an email or as an embedded link in the email. The recipient opens the attachment or clicks on the link and the ransomware installs to their PC or laptop. The malware will quickly encrypt the data stored on the workstation and other network resources and, when the encryption is complete, demand a ransom from the victim, typically payable in bitcoin. The criminals will promise to provide the victim with the key to decrypt the data, but there are no guarantees.

F&M Bank takes the following steps to protect our customers’ data from malware, especially Ransomware:

• The Bank trains its employees to recognize phishing email attempts and the Bank tests compliance with our policies on a quarterly basis.

• The Bank continuously patches and updates the operating systems of our workstations and servers.

• Software applications are patched to the latest versions and configured to reduce the risk of malware infection.

• Anti-virus software is installed on all workstations and servers and the virus signature files are continuously updated.

• We employ spam filters and secure email protocols to help prevent malware-laden email from reaching our employees.

• An Intrusion Detection/Intrusion Prevention system also monitors traffic to alert the Bank and block malware infections.

• Web filters prevent employee access to sites known to host malware or other malicious material.

• The Bank performs daily backups of all customer data and the backups are segregated from the network to prevent a malicious encryption of the data.

We appreciate your trust in our financial institution. Please contact us online or at your nearby branch for any account-related questions you may have.


Protecting Your Mobile Device

Your mobile device provides convenient access to your email, bank and social media accounts. Unfortunately, it can potentially provide the same convenient access for criminals. The American Bankers Association recommends following these tips to keep your information – and your money – safe.

• Use the passcode lock on your smartphone and other devices. This will make it more difficult for thieves to access your information if your device is lost or stolen.

• Log out completely when you finish a mobile banking session.

• Protect your phone from viruses and malicious software, or malware, just like you do for your computer by installing mobile security software.

• Use caution when downloading apps. Apps can contain malicious software, worms, and viruses. Beware of apps that ask for unnecessary “permissions.”

• Download the updates for your phone and mobile apps.

• Avoid storing sensitive information like passwords or a social security number on your mobile device.

• Tell your financial institution immediately if you change your phone number or lose your mobile device.

• Be aware of shoulder surfers. The most basic form of information theft is observation. Be aware of your surroundings especially when you’re punching in sensitive information.

• Wipe your mobile device before you donate, sell or trade it using specialized software or using the manufacturer’s recommended technique. Some software allows you to wipe your device remotely if it is lost or stolen.

• Beware of mobile phishing. Avoid opening links and attachments in emails and texts, especially from senders you don’t know. And be wary of ads (not from your security provider) claiming that your device is infected.

• Watch out for public Wi-Fi. Public connections aren't very secure, so don’t perform banking transactions on a public network. If you need to access your account, try disabling the Wi-Fi and switching to your mobile network.

• Report any suspected fraud to your bank immediately.

Yahoo! Data Breach

Yahoo Data Breach – Precautions to Take

On September 22, Yahoo announced that 500 million of its accounts were hacked and are being sold by internet criminals. Internet criminals can use this information in a variety of ways. For instance, they could send phishing emails that look just like the real ones, claiming you need to change your Yahoo account. If you are a Yahoo user or use the same user codes and passwords for different accounts, including a Yahoo account, consider taking these steps:

  • Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password or rather a pass-phrase.
  • If you were using that same password on multiple websites, stop doing so immediately. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo passwords on other sites, go to those sites and change the password there too. Also change the security questions and make the answer something non-obvious.
  • Use a free password manager that can generate hard-to-hack passwords, keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.

The Federal Trade Commission also offers a short video on handling data breaches and points consumers to the website IdentityTheft.gov/databreach for more information.


Browser update notice

Effective Monday, July 11, 2016, users attempting to gain access to online banking with Internet Explorer versions 7 or 8 will be unable to do so. Please update your browser to the latest version.


Online Banking Supported Browsers

Supported Browsers – our online banking supports the latest versions of Safari, Chrome, Internet Explorer and Firefox. Each time a new version of these browsers is released the bank encourages you to update your internet browser for the best online experience.

Effective Monday, July 11, 2016, users attempting to gain access to online banking with Internet Explorer versions 7 or 8 will be unable to do so. Please update your browser to the latest version. Feel free to contact your local branch with any questions regarding this update. Thank you!


New Phishing Email Uses Accurate GPS Data To Attempt to Gather Credit/Debit Card Information

There is a newly reported phishing tactic that may prove to be very effective. Criminals, most likely using GPS data from compromised mobile phones, craft an e-mail with accurate travel information for a specific user. The e-mail will contain a link or attachment to either gather credit/debit card information or load malware to the recipient’s device.

Remember that traffic citations are never emailed or sent out in the form of an email attachment, and report scams like this to your local police department.

A sample scam e-mail is below:

From: Speeding Citation <citation@safe-browsing.com>

To: (Accurate Email Removed)

Date: 03/11/2016 03:08 PM

Subject: [External] Notification of excess speed

First Name: (Accurate Name removed)

Last Name: (Accurate Name removed)

Notification of excess speed

Route: (Accurate Local Township Road –removed)

Date: 8 March 2016

Time: 7:55 am

Speed Limit: 40

Detected Speed: 52

The Infraction Statement contains an image of your license plate and the citation which must be paid in 5 working days.


Source: KnowBe4.com


The Harm in Password Reuse

Every day, malicious cyber-actors compromise websites and post lists of usernames, email addresses, and passwords online. While this can be embarrassing, such as when thousands of government employees’ email addresses and passwords were exposed during the recent Ashley Madison breach, it also leaves users open to potential follow-on attacks due to password reuse.

Password reuse is when someone reuses the same password on multiple websites or accounts.  This is a vulnerability when the password is exposed in coordination with other information that identifies who is using the password, such as first and last names, login names, or email addresses.

How Password Reuse is a Threat

NEVER use your work email address when signing up for and accessing personal web sites.

Password reuse is a threat because malicious actors can take advantage of a reused password if there is other associated information that identifies you. This typically occurs through one of two potential scenarios:

In the first, and most common, scenario, the malicious actors can search for other accounts you use and try to log in with the same password. In some cases the actors might try to find personal accounts such as Facebook, Twitter, or banking websites. If they can identify those accounts, and you reuse your password, they can log in as you. In other instances the malicious actors may try to determine where you are employed and attempt to use the password for remote access, such as through remote email or timecard access.

A second scenario involving a malicious website is much less common, but still poses a threat. In this scenario the malicious cyber-actor sets up a website that spoofs a legitimate web site, which requests you enter an email address, password, and potentially other information to gain access. Once you have done that, they know who you are and can search for your other accounts where you used the same password.

Avoiding Password Reuse

Avoiding password reuse can be challenging because of the number of websites and accounts that require passwords, some of which require updating your password every 30 days.  There are two ways to both avoid password reuse and to ensure any password meets the recommended password complexity requirements.

The first technique is to use a password manager to remember each unique password. Password managers are applications that can be stored on a computer, smartphone, or in the cloud, and will securely track passwords and where they are used. Most password managers can also generate complex random passwords for each account if you choose to do so. As long as the password to access the password manager is sufficiently complex, this technique can be effective. However, if the company running the password manager is compromised (which does happen!) it is possible that all your passwords will also be compromised. If you choose a password manager that is local to your computer or smartphone, that information may be compromised if malware gets on your computer or you lose your smartphone. When choosing a password manager, ensure it is from a known, trustworthy company.

The second technique is to choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password. For example, the sentence “This is my August password for the Center for Internet Security website.” would become “TimAp4tCfISw.” Since a strong password is complex, and includes upper and lower case letters, numbers, and a symbol, this password keeps the capitalization within the sentence, translates the word “for” to the number “4,” and adds the period to include a symbol. The vulnerability in this technique is that if multiple passwords from the same user are exposed it may reveal the pattern.

Regardless of how a unique password is chosen, it is critically important that every password is unique. Some companies, such as Facebook, have begun programs to identify password reuse. Facebook’s program to identify password reuse involves monitoring for lists of compromised usernames, emails, and passwords, and attempting to match those to the usernames or email addresses of existing Facebook users. If a match is found Facebook asks the user to reset their Facebook password.

Article sourced from the Desk of Thomas F. Duffy, Chair, MS-ISAC. Republished with permission.

Further advice on choosing a strong, complex password is available in the MS-ISAC Security Primer available at: http://msisac.cisecurity.org/documents/SecuringLoginCredentials.cfm


Netteller Password Self-Reset Instructions

Password Self-Reset Instructions

Anticipate Forgetting Your Password (PIN)
It happens to many of us! But you can reset your Online Banking password yourself if you have forgotten it, or you’re not sure if you remember it correctly.

Please note: If you try the incorrect password three times you will “lock” your account and will need to contact us to release it.

Here are the steps for this process:

1) Set up the reset capability ahead of time: Log into Online Banking as usual, and go to the Options tab.

You will see two lines:
PIN Reset Question
PIN Reset Answer

Create your own question and answer. These will be used to identify you if you ever want to reset your PIN.
For example, your question and answer could be something like:
Q – What is my favorite animal? A – dog
Click “submit”

Now you have the capability of self-resetting your PIN any time you are in doubt, without logging into Online Banking.

OK, you’ve forgotten your password, or you’re not sure you remember it correctly!

1) Go to the usual login page and enter your ID (or alias that you have created)

2) To the right of the PIN entry box you’ll see the text “Reset Password.” Click on this text.

3) You will next see a screen asking for your Online Banking ID (or alias), the e-mail address you have on file via Online Banking, and a subject line that you create.

4) You will then receive an email alert from do-not-reply@fmbankva.com with wording as follows:

“You have requested that your Internet Banking PIN be restored. To confirm this request, please click here.”
This link will be valid for two hours.

5) After following the “click here” link you will be directed to enter your Online Banking ID and the answer to your security question. Be sure to click this link within two hours, as it will expire.

6) Once done, the PIN will reset to the last 4 digits of your tax ID# (Social Security number). You can then begin the process of logging in again using these 4 digits as your PIN, and then create a new PIN of your choosing.


Online Banking Browser Requirements

F&M Bank’s Online Banking program supports the latest version of Safari, Chrome, Internet Explorer and Firefox. Each time a new version of these browsers is released the bank encourages you to update your internet browser for the best online experience.