7 Things to Consider Before Giving a Company Your Personal Information
When cash was king, transactional business was anonymous. If you gave someone a dollar, they provided you with a product or service. No information changed hands. No one gathered personal details. No one tracked, used, or sold your data.
Today, however, companies track noncash payments (i.e., credit card, debit card, and mobile payment systems) and payment providers list details from every transaction on your statement. To combat money laundering, the federal government also requires financial institutions to report all large transactions.
We have traded privacy for convenience. We can pay our bills online. We no longer have to carry a wad of cash and can instead use a credit card when we make a big purchase. And we can send money to anyone with a U.S. bank account using our phone.
These benefits come with a tradeoff between convenience and security, however, and smart consumers must know what factors to consider before giving a company their personal data.
Personal data checklist
Companies like banks, credit unions, insurance companies, and medical offices collect a vast amount of personal data. They have our financial information, sensitive personal information (like social security numbers and tax records), and health history (such as mental or physical conditions).
When you choose a company for your checking and savings accounts, to provide your mortgage, or to help you buy a car, you should have a checklist to make sure you can trust it to safeguard your data.
Balance security and convenience
“Customers generally value convenience over most things and that includes security,” said Scott Schober, cybersecurity expert and author of Hacked Again. “So, it is important to balance the two when using a service and choosing the company that provides that service … Companies must implement strong encryption so that if or when your financial data ends up in the hands of a hacker, it is unreadable to all except those with the proper decryption key. Good encryption deters law enforcement agencies, both domestically and internationally, from spending resources to hack and decrypt that data. The same also holds true for hackers of all skill levels.”
On CU Info Security, a website that covers credit unions and risk management, fraud, and information security, IBM Trusteer Product Marketing Director Valerie Bradford said, “Customers want to log in, they want to initiate transactions, even create new accounts with a really user-friendly experience. But on the other hand, fraud is really here to stay, and it seems like with every new functionality you introduce, there's the opportunity for fraud.”
That leads to real tension, she says. “How do you offer that great customer experience without compromising security, authentication and trust?”
Nuvision’s risk management team suggests seven key factors to consider when balancing security and ease of use.
1) Use secure and encrypted websites
Nuvision has covered this before. When you access your credit union on the web, make sure it uses a secure and encrypted website. If you plan to open an account online, or apply for an auto loan, home mortgage loan, or personal loan, make sure the URL at the top of your web browser begins with https:// (the “s” stands for secure).
Make sure you use HTTPS connections on any page where you enter personally identifiable information (PII). The National Credit Union Administration uses the standards articulated by the National Institute of Standards and Technology (which is part of the U.S. Department of Commerce). PII includes:
- Login and password information;
- Credit card or payment information of any kind;
- Social security number;
- Home address;
- Date of birth;
- Driver’s license number;
- Passport number;
- Face, fingerprints, or handwriting;
- Phone number;
- Email or physical mailing address; or
- Any other information that can be linked to you personally.
2) Secure communication
Any online communication related to your accounts should be through a secure channel. You may receive an email to let you know that you have a message available through a secure inbox, but confidential information that has an account number, Social Security number, financial statement, etc. should not be sent using your regular personal email account.
For example, Nuvision will send a secure message to an inbox that you can only access by logging in to your account. You will receive a notification email that you have a message waiting. You can go to nuvisionfederal.com, enter your username and password, and then retrieve the message.
3) Follow best practices for passwords
Any site where you create an account will naturally also need a password. If it’s a site where you can access financial information, healthcare information, or other sensitive personal information, it should follow best practices for complex passwords.
You should be required to enter a password of at least eight characters, with at least one uppercase and one lowercase letter, at least one number, and at least one special character (e.g., $, ^, @, &, #, etc.). Letters and numbers should not form a sequence such as ABCD, QWERTY, or 34567.
Those are the bare minimum standards you should look for. Longer password requirements are even better.
- Check out 5 Steps to Create Strong, Unique, and Readily Accessible Passwords for tips to create a great password.
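As an added illustration (not Nuvision's code), the checker below enforces exactly the minimum rules listed above: length, character classes, and no sequential runs. It goes slightly beyond the text in also catching reversed runs (DCBA, 76543) and the other US keyboard rows; the set of accepted special characters and the four-character run length are assumptions.

```python
import string

MIN_LENGTH = 8
# Assumed set of accepted special characters (the page lists $, ^, @, &, # as examples).
SPECIALS = set("$^@&#!%*()-_=+[]{};:,.?/\\|~`'\"<>")
# Assumed US keyboard layout; the page's QWERTY example is the top row.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQ_LEN = 4  # assumed run length that counts as "sequential" (ABCD, 3456)


def _has_run(candidate: str, alphabet: str) -> bool:
    """True if any SEQ_LEN consecutive characters of candidate appear in order,
    forward or reversed, as a substring of alphabet (case-insensitive)."""
    lowered = candidate.lower()
    for i in range(len(lowered) - SEQ_LEN + 1):
        window = lowered[i:i + SEQ_LEN]
        if window in alphabet or window in alphabet[::-1]:
            return True
    return False


def is_sequential(candidate: str) -> bool:
    """Detects alphabetic, numeric, and keyboard-row sequences such as
    ABCD, 34567, or QWERTY."""
    alphabets = [string.ascii_lowercase, string.digits, *KEYBOARD_ROWS]
    return any(_has_run(candidate, a) for a in alphabets)


def check_password(candidate: str) -> list[str]:
    """Return the list of rules the candidate fails; an empty list means it passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        failures.append("no special character")
    if is_sequential(candidate):
        failures.append("contains a sequential run (e.g. ABCD, QWERTY, 34567)")
    return failures
```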
4) Add two-factor authentication
Two-factor authentication (also known as 2FA, multi-factor authentication or 2-step verification) is a type of online security feature that requires another login verification in addition to a username and password.
For example, after you sign in, a typical 2FA might require you to type in a mobile phone number that matches the number provided when you created the account. You will then receive a text message with a unique security code that you need to enter. You’ll need to do this every time you log in. This type of 2FA provides extra security because only the person in possession of the phone will receive the code.
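The server side of the SMS flow just described, as an added example that is not Nuvision's code: the code is only issued when the entered phone number matches the number on file, only a hash of it is stored, and it is single-use, expires, and locks after repeated wrong guesses. The five-minute lifetime and three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300  # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed: challenge is abandoned after three wrong guesses


class SecondFactor:
    """Server-side state for one login's SMS second factor."""

    def __init__(self, phone_on_file: str, now=time.time):
        self.phone_on_file = phone_on_file  # number captured at enrollment
        self._now = now                     # injectable clock for testing
        self._pending = None                # (code_hash, expires_at, attempts_left)

    def issue(self, phone_entered: str) -> Optional[tuple[str, str]]:
        """Issue a fresh code if the entered number matches the number on file.
        Returns (destination, code) for the SMS sender, or None on mismatch."""
        if not hmac.compare_digest(phone_entered.encode(), self.phone_on_file.encode()):
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        code_hash = hashlib.sha256(code.encode()).digest()  # never store the plaintext code
        self._pending = (code_hash, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return self.phone_on_file, code

    def verify(self, submitted: str) -> bool:
        """Accept the code once, within its lifetime, with a bounded number of guesses."""
        if self._pending is None:
            return False
        code_hash, expires_at, attempts_left = self._pending
        if self._now() > expires_at or attempts_left <= 0:
            self._pending = None  # expired or exhausted: a new code must be issued
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), code_hash)
        if ok:
            self._pending = None  # single use: the same code cannot be replayed
        else:
            self._pending = (code_hash, expires_at, attempts_left - 1)
        return ok
```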
Google reported that less than 10% of Gmail users enable two-factor authentication. According to Google, that means, “the remaining 90% [are] more vulnerable to cyber-attacks.”
5) Published privacy standards
Any website that collects personal information should have published privacy standards, but that is doubly important for financial institutions and healthcare providers. When a company provides a service without charging, it is likely making money by using your data. That model should not apply to banks and doctors.
In addition, the National Association of Federally-Insured Credit Unions is fighting for additional data security standards for merchants and retailers, and has published a five-point plan that embraces 21st-century data security standards. Among those standards:
- Establish national standards for the safekeeping of all financial information;
- Require merchants to disclose their data security policies to their customers;
- Require the timely disclosure of entities that have suffered a data breach; and
- Establish enforcement standards for provisions to prohibit merchants from retaining financial data.
6) Verify before providing personal information
If you receive an email or unsolicited phone call from your financial institution, do not reply with or provide any personal information. For emails regarding financial information or transactions, do not click on any links. Instead, go to the company website to access your secure inbox, or to download or upload any forms or documents.
Similarly, do not provide account information to anyone over the phone if it is unsolicited or if you didn’t initiate the call. Independently verify any phone numbers by looking at the back of the credit or debit card, or on the company website.
7) Account activity alerts and controls
A recent report entitled “Rising Fraud And Data Breaches Are In The Cards” notes that “Offering members the tools needed to control and remain aware of account activity is a critical factor in preventing fraud.”
Nuvision has previously written about 7 Ways to Monitor Your Accounts and Reduce the Risk of Fraud.
The Trend Micro White Paper, “There is no silver bullet,” published in April 2017, noted: “Rather than relying on just one or two of the so-called 'next-gen' techniques in isolation, a robust, multi-layered approach should involve a vast array of signature- and non-signature-based security techniques – working together and sharing threat intelligence to improve detection accuracy and deliver a maximum level of protection.”
Said Schober: “It is essential to look specifically at what you are trying to protect and the associated value of that data. This will help to assess the level of encryption that needs to be applied. I always encourage people to take their time and carefully look at what they are giving up from a security and privacy perspective in trade for convenience.”
To stay on top of Nuvision alerts and information related to the risks of fraud and identity theft, financial and data protection, and cybersecurity, check our Fraud Protection blog or follow Nuvision on Facebook and Twitter to receive updates when new articles are published.