
Online Banking Security Tips

Avoid Social Engineering

Heartbleed Vulnerability

Secure Websites Aren't So Secure & Website Passwords May Be Compromised

There is a “new” vulnerability that impacts an estimated 2/3 of ALL WEBSITES.  Our Internet Banking service provider has informed us they do not utilize the vulnerable technology and there has been no indication that a breach or data leak has occurred. However, you may be impacted in other areas of your life. Please continue reading.

What it is:
It was dubbed “Heartbleed” after the vulnerable “heartbeat” feature within certain versions of OpenSSL (a free encryption standard used by most websites).  “Discovered” only days ago, it has security vendors and website operators in a panic.  This vulnerability rips a hole in the fabric of security everyone thought the web was wrapped in.  And although it is considered “new,” it has actually existed for the last 2 years and is only now reported to have been discovered.

Modus Operandi:
When you connect to a system using SSL, it encrypts the communication between the systems.  During the course of the connection, one system might want to check and make sure the other system is still at the other end of the secure connection.  That is the heartbeat feature (and flaw).  Because of an error in the way OpenSSL handles the heartbeat check, anyone in the know can create a maliciously modified “heartbeat packet” and send it to a webserver.  The webserver will then be tricked into sending back snippets of data stored in its active memory.  This is a serious data leak because of what is stored in active RAM.  Hmm…. website usernames and passwords, encryption/decryption keys, credit card and other NPI/PCI related info, … you get the idea.

This vulnerability grants attackers access to siphon highly sensitive data from 2/3 of webservers on the Internet!!!  It leaves no trace of the attack or any digital footprint.  At all.  The data the attackers would target include usernames/passwords stored on web servers, and even more frightening - SSL decryption keys themselves.  Decryption key in hand, an attacker can intercept secure communications AND DECRYPT THAT COMMUNICATION CHANNEL.
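For website operators and their I.T. staff, the flaw comes down to one missing length check. The sketch below is an added illustration, not OpenSSL's code and not part of the original notice: it puts the flawed pattern beside the corrected one, using the heartbeat message layout from RFC 6520 (1-byte type, 2-byte declared payload length, payload, at least 16 bytes of padding). The function names and sample messages are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3u   /* 1-byte type + 2-byte declared payload length */
#define HB_PADDING 16u  /* minimum padding required after the payload */

/* Declared payload length: big-endian 16-bit field at offset 1. */
static size_t hb_declared(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Flawed pattern, shown for contrast and never called here: it trusts the
 * declared length, so a too-large value makes memcpy read past the message
 * into whatever else sits in memory. */
size_t hb_echo_unchecked(const uint8_t *msg, uint8_t *out) {
    size_t n = hb_declared(msg);
    memcpy(out, msg + HB_HEADER, n);
    return n;
}

/* Corrected pattern: returns the number of bytes echoed, or -1 when the
 * message must be silently discarded. */
long hb_echo_checked(const uint8_t *msg, size_t msg_len,
                     uint8_t *out, size_t out_cap) {
    if (msg_len < HB_HEADER + HB_PADDING) return -1;      /* too short */
    size_t n = hb_declared(msg);
    if (HB_HEADER + n + HB_PADDING > msg_len) return -1;  /* length lies */
    if (n > out_cap) return -1;                           /* no room to echo */
    memcpy(out, msg + HB_HEADER, n);
    return (long)n;
}

int main(void) {
    /* Constructed samples: both are 23 bytes (header, "ping", 16 padding). */
    uint8_t honest[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t lying[23]  = {1, 0x40, 0x00, 'p', 'i', 'n', 'g'}; /* claims 16384 */
    uint8_t out[64];
    printf("honest: %ld\n", hb_echo_checked(honest, sizeof honest, out, sizeof out));
    printf("lying:  %ld\n", hb_echo_checked(lying, sizeof lying, out, sizeof out));
    return 0;
}
```

The checked handler echoes the 4-byte payload of the honest message and discards the one whose declared length is larger than what actually arrived.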

There is a patch for website operators to apply.  There’s nothing YOU can do but change your passwords to critical sites (banking/email/etc).  Of course if you change your password before the website is fixed, then you’ll need to change it again.  How can you tell if a website you log in to is still vulnerable?  There are tools to check.  Put in the website and it will give you an idea if it’s vulnerable or not.  It is being said that everyone should just assume their usernames and passwords for most sites have been stolen.

If your business has a webserver or a hosted website that stores sensitive/confidential data, or if your company uses a VPN to connect to your business network, you may want to contact your trusted I.T. systems administrator to discuss potential risks and how to mitigate them.

More info is available through these technology websites:
Krebs On Security



Phone Scams

Don't Be a Victim of "Vishing"

Residents of Mille Lacs County are reporting phone scam activity targeting area banks and their customers. If you receive a phone call from an automated voice stating your account and/or card has been compromised, do not provide any information and hang up immediately. If you already gave them your account information, contact your financial institution right away. The scam is known as "vishing" (short for voice phishing). Other counties across the country are reporting similar activity.


Beware Rogue Antivirus Malware

Just Because a Pop-Up Says You're Infected Doesn't Mean You Are

Since around November 2007, a new form of virus has been plaguing computers around the world. Watch this video to better understand how it tricks users into installing a fake antivirus application, which is itself classified as a virus/malware. This video was released November 2007 and the tactics used haven't changed much since. Even legitimate websites like Major League Baseball, and even government sites like USAID have been manipulated to distribute malware. See more of Roger Thompson's videos here.


Prevent ID Theft By Opting Out of Unwanted Solicitations

Opt-Out of Unwanted Credit Card Solicitation

If you do not want to receive credit card solicitations, you can call this federally-mandated toll-free number to opt-out: (888) 567-8688. You can also opt-out online at For a two year period, your name will be removed from national credit bureau lists that are sold to the credit industry.

Opt-Out of Telemarketing Calls

One of the most popular consumer opt outs is the National Do Not Call Registry. The list is managed by the Federal Trade Commission. Call (888) 382-1222 or go online to and add your name and numbers to the list. (You can add cell phone numbers, too.) Marketers who use phone solicitation are then prohibited from calling you for five years.
