Security
Multi-Layered Security
A dedicated network Intrusion Prevention System (IPS) is used at the Internet Gateway to inspect all Internet traffic for network-based attacks.
A firewall restricts inbound and outbound services.
An SSL firewall and IPS are used to inspect Web application communications and block malicious Web application attacks such as SQL Injection, Cross Site Scripting, Directory Traversal, and other known attacks.
Each Web server runs proprietary security code that inspects communications for malicious strings, characters, commands, and other input that could be considered suspect. The Web server works directly with the firewall to block attackers who attempt to inject, deface, or perform other malicious acts on the Web site.
In addition to these four layers of security, we place permanent blocks on known IP addresses and subnets that continue to perform attacks.
Data Encryption
The client data stored on our systems have an additional layer of theft protection not commonly found in our industry. In fact, it is the only security layer that can make stolen information useless to the thief. GWFCU’s Internet Banking provider is one of the few Internet Banking providers that use HLDDE (Host Level Dynamic Data Encryption). HLDDE involves the dynamic encryption and decryption of data stored on our host systems. We use accepted industry standard encryption techniques to encrypt data not only in transmission between the Provider and the host processor but on our servers as well. Powerful on-demand processes encrypt the data before storage and decrypt it each time it is used. HLDDE works with our multilayered security controls to provide GWFCU and members with a highly secure Internet Banking system. We are constantly safeguarding our systems to protect your members.
Enhanced Security Features
Secure Sockets Layer (SSL) connectivity secures online banking for members and protects credit union communications within the Back Office management area.
VPN (Virtual Private Network) communications are established between our Internet Bank Provider and the credit union’s Web servers, databases, and core processing systems.
Encrypted login and password databases.
Digital certificate with 128-bit encryption and 1024-bit exchange.
XtraSecure Intrusion Detection
Our Internet Banking Provider monitors unusual activity on our Web site and controls bad password attempts, lockout rates, and intrusion attempt activity through our secure and flexible XtraSecure system. The XtraSecure security console allows credit union security personnel to monitor bad login attempts by hour of the day. Bad login attempts go hand-in-hand with the amount of traffic an Internet Banking Website receives throughout the day. Bad attempt rates become so stable that credit unions can introduce effective alarm mechanisms for values that exceed the norms for any period of the day. The ‘Alarm Rates’ feature allows credit unions to establish alarm thresholds by any period they choose. In addition to monitoring general bad login attempts, GWFCU also monitors bad login attempts per IP address. This information allows the credit union to narrow its focus to one offending PC or network and detect an automated attack against their Internet Banking system.
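An added example, not XtraSecure or GWFCU code: one way to implement hour-of-day alarm rates and per-IP bad-login counting over a login log. The log format, the threshold values, and all function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Assumed alarm rates (bad logins allowed per hour of day). A real deployment
# would derive these from its own observed norms for each period.
ALARM_RATES = {hour: 3 for hour in range(24)}
ALARM_RATES.update({hour: 6 for hour in range(9, 18)})  # busier daytime hours
PER_IP_LIMIT = 4  # assumed bad-login limit per source IP within one hour

# Constructed sample log, one event per line: "<ISO timestamp> <source IP> <result>"
SAMPLE_LOG = "\n".join(
    [f"2024-01-15T02:{m:02d}:00 203.0.113.7 FAIL" for m in range(1, 6)]
    + [f"2024-01-15T10:{m:02d}:00 198.51.100.{m} FAIL" for m in range(1, 5)]
    + ["2024-01-15T10:30:00 198.51.100.9 OK", "truncated line"]
)

def failed_logins(log):
    """Yield (hour_bucket, source_ip) for each well-formed failed login line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "FAIL":
            continue  # skip successes and malformed lines
        ts = datetime.fromisoformat(parts[0])
        yield ts.replace(minute=0, second=0), parts[1]

def hourly_alarms(log, rates=ALARM_RATES):
    """Return the hours whose bad-login count exceeds that hour's alarm rate."""
    per_hour = Counter(bucket for bucket, _ in failed_logins(log))
    return sorted(b.isoformat() for b, n in per_hour.items() if n > rates[b.hour])

def ip_alarms(log, limit=PER_IP_LIMIT):
    """Return source IPs with more than `limit` bad logins in any single hour."""
    per_ip_hour = Counter(failed_logins(log))
    return sorted({ip for (_, ip), n in per_ip_hour.items() if n > limit})

if __name__ == "__main__":
    print("Hours over alarm rate:", hourly_alarms(SAMPLE_LOG))
    print("Offending source IPs:", ip_alarms(SAMPLE_LOG))
```

Four failures spread across four addresses at 10:00 stay under the daytime rate, while five failures from one address at 02:00 trip both the hourly alarm and the per-IP alarm.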
Multi-Factor Authentication
Our secure login process for online banking requires each of the following:
Member Number.
Member-selected password, 8-character minimum (16-character maximum).
Graphical security code designed to prevent automated password resolution scripts.
The member must originate the login request from a previously used IP address.
If the member is originating from a new IP address, they are presented with one of three challenge/response questions created during Internet Banking sign-up.
Token Technologies
In addition to our software-based offering, our partnership with OHVA Technologies allows us to provide strong key fob and virtual token solutions as well. OHVA’s optional authentication solutions work right out of the box. Once the database has been configured, users activate their token or software keys themselves. OHVA’s solutions only need Java® software and do not use Web browser cookies. Plus, their authentication tools cost substantially less than other leading solutions, allowing credit unions to affordably provide widespread deployment among users.
Additional Security Information
GWFCU, along with our Internet Banking Provider, understands security at the controls level and the compliance level. In addition to the security technologies mentioned, a complete Security Compliance package is available to satisfy the NCUA-required vendor oversight program and FFIEC-recommended best practice security guidance. The compliance package includes documentation of our Security controls, our Internet Banking Provider's SAS 70 audit, external audits, and specific Security Policies related to Internet Banking.
Security Tips:
Memorize your User Name and Password.
Your online User Name and Password authenticate you when you begin a GWFCU home banking/bill payment session. You should memorize your Password and never write it down anywhere or reveal it to anyone.
Create a complex password that:
Is as long as possible (the longer the password, the better).
Includes upper and lower case letters and numerals.
Has at least four different characters (no repeats).
Looks like a sequence of random letters and numbers.
Is not obvious or easily obtainable information.
Change your password regularly.
You can easily change your password by going to the Change Your Password page under Preferences.
Remember to sign off.
You may not always be at your own computer when you bank online. Therefore, it is important to sign off when you are finished with your session.
Notify GWFCU immediately by phone if you notice any unusual account activity.
Always use your browser's built-in security features.
Make sure the computer(s) you use have current anti-virus software. Anti-virus software needs frequent updates to guard against new viruses.
Install a personal firewall to help prevent unauthorized access to your home computer.
Be suspicious of unsolicited email from a "business" that asks for your password, Social Security number, or highly sensitive information. Legitimate businesses typically do not ask for this type of information over the Internet. Contact the business directly to verify the authenticity of the email.
Do not reply to or click on any links in unsolicited emails, especially those asking for personal information.
Do not give out financial information online or on the phone unless you initiated the contact and know the party you are dealing with is legitimate.
Promptly and carefully review your account statements, such as bank statements, credit card statements, as well as mobile phone and home telephone bills for unauthorized charges or activity. Regularly check your statements and account activity online to spot questionable transactions.