Security Bulletin

December 16, 2004


There are organizations on the Internet that offer 'free services' such as Internet acceleration or email virus scanning. Some of those organizations have 'privacy policies' that are so loosely defined as to allow them to harvest and share information that is universally considered to be personal and highly sensitive by Internet users. Such organizations ask unwitting end users to configure their browsers so that all web traffic, including highly sensitive encrypted secure traffic, is decrypted, passes through that organization's servers to be harvested, and then continues on to its intended destination. Hence, information that is thought by the end user to be inaccessible to everyone except the intended recipient is collected and, according to liberal privacy policies, may be shared by the intermediaries with unnamed third parties. We believe such organizations may rely upon the fact that many inexperienced Internet users don't understand the ramifications of such a situation (referred to in information security circles as a 'man-in-the-middle' exploit), or that they will carelessly click through acceptance terms without reading the fine print of the privacy policy. In our opinion, this dangerous situation is made worse by the fact that such software has been designed so that end users' efforts to uninstall it from their computers will often fail, leaving what amounts to a back door for the organization to usurp what are supposed to be private communications in the future.

Consider MarketScore (formerly known as NetSetter), which we believe follows this sort of business model. MarketScore installs its own trusted root certificates so that it can intercept secure (SSL) connections made by the end user's machine.

The privacy policy of MarketScore states:

...Marketscore monitors all of your Internet behavior, including both the normal web browsing you perform, and also the activity you may have through secure sessions, such as when filling a shopping basket or filling out an application form that may contain personal financial and health information...

... We monitor the Internet connections of our users so we can not only accurately and anonymously model the browsing habits of Internet users, but also their shopping, registration, and other interactions as well...

 ... In addition to the monitoring of your Internet behavior, we may also combine the information that you provide us with information such as credit or prescription information that we obtain from third parties such as consumer preference reporting companies, credit reporting agencies, and prescription benefits managers....

 ... There are some limited cases in which we share personally identifiable information with third parties. Specifically, we provide personally identifiable information to third parties for the purpose of conducting the secure and confidential matches discussed more fully above....

It is important that Internet Banking users be made aware that those Internet companies that use technologies to intercept encrypted communications have full access to end users' personal information and have publicly stated that they can share users' information with third parties.

There have recently been an increasing number of attempts on the Internet to trick people into revealing sensitive and private information about themselves to con artists who use that information to defraud them. The latest scam, popularly called ‘phishing’, uses replicas of existing web pages to deceive users. These replicated pages prompt the user to enter personal, financial or password data. We encourage you to review this communication, which includes tips to protect your financial institution and end users.

What is Phishing?

Phishing is a term coined by Internet hackers who use email lures to ‘fish’ passwords and financial data from the sea of Internet users. Email messages designed to look like they came from a merchant or financial institution are mailed to Internet users. The emails direct the recipient to update or provide information back to the company’s web site by instructing the user to click on a URL embedded within the email. The embedded URL links the user to a counterfeit web site designed to look like the company’s legitimate web site. Passwords and other personal information are then solicited and collected by the web site and used by the scammer to defraud the user.

To date, large financial institutions have been the primary targets of these phishing scams. It is prudent to expect that smaller financial institutions may also be targeted.

What Can You Do to Protect Your Financial Institution and Your End Users?

  • Do not trust or act upon unsolicited emails that request personal information such as passwords, credit card numbers, ATM PINs, social security numbers, etc.
  • Fraudulent emails are typically not personalized with Peoples Bank information.
  • Fraudulent emails often present end users with scenarios of negative consequences if they do not act immediately on the email’s instructions.
  • Fraudulent email messages often contain flawed English.
  • Do not fill out forms contained in email messages requesting sensitive information.
  • Personal information should be provided by calling your financial institution directly or by logging onto their secure web site by typing the URL (web address) into your browser.
  • Type http://www.pbkconline.com into your browser and bookmark it. Use the bookmark derived from hand-typing the address for all subsequent visits to your financial institution’s website.
  • Keep your web browser patches up to date.
  • Regularly access your browser’s website to download security patches. Patching your browser regularly will protect you against a variety of software vulnerabilities.
  • Regularly log in to your online accounts. If you see anything unusual, report it immediately to your financial institution.
  • Pay close attention to your bank, credit card and debit card statements. If you see anything suspicious, immediately contact your financial institution and the card issuer.
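
The embedded-URL lure described under "What is Phishing?" and the advice to type the bank's address by hand can be checked mechanically. The following Python is an added example, not part of the original bulletin: it lists every web link in an HTML email whose real destination is not the bank's site. The sample message, the .example hosts, the 203.0.113.7 address and the function names are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

BANK_HOST = "www.pbkconline.com"  # the address this bulletin tells users to type

# Constructed sample message; the .example hosts and the IP are placeholders.
SAMPLE = """\
From: "Peoples Bank" <alerts@mail.example>
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<a href="http://www.pbkconline.com/help">Help</a>
<a href="http://www.pbkconline.com@login.example/update">Update</a>
<a href="http://www.pbkconline.com.secure.example/">Sign in</a>
<a href="http://203.0.113.7/bank/">Verify</a>
"""

class HrefCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def suspicious_links(raw_email):
    """Return (href, reason) for each web link that does not lead to BANK_HOST."""
    findings = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True)
        collector = HrefCollector()
        collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        for href in collector.hrefs:
            url = urlsplit(href)
            host = (url.hostname or "").lower()  # the host the browser actually contacts
            if url.scheme not in ("http", "https") or host == BANK_HOST:
                continue
            reason = "host is not the bank's"
            if "@" in url.netloc:  # text before '@' is a login name, not the host
                reason = "real host is hidden after '@'"
            elif "pbkconline" in host:
                reason = "look-alike host containing the bank's name"
            findings.append((href, reason))
    return findings
```

Calling `suspicious_links(SAMPLE)` reports the last three links and leaves the genuine one alone.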

If you receive an email claiming to be from your financial institution, but which you suspect is aimed at defrauding you, contact your financial institution and the FBI’s Internet Fraud Complaint Center at www.ifccfbi.gov.

Peoples Bank will NEVER send you an email requesting a username or password.