Online Banking Security

How do I know the Internet is safe and that my account is secure?

Short answer
First and foremost, Community Resource Credit Union will stand behind you should any fraudulent activity occur on your account. Secondly, we believe we have sufficient safeguards in place to protect you and us from fraudulent activity via the Internet. These safeguards include state-of-the-art security controls, encryption of sensitive information, and account access via a PIN that you can change at any time. Please refer to the "technical answer" if more detailed information is desired.

Technical answer
Community Resource Credit Union's service provider for Home Banking and Bill Payment has developed a multi-tiered security program that provides protection for our Internet Home Banking and Bill Paying Service. This program is made up of software and hardware solutions and procedures. This program enables our members to conduct account access and Bill Pay via the Internet with an extremely high degree of security.

Data Source Security
At no time does anyone from the outside world have access to Community Resource Credit Union's database via the Internet. Any request for data must pass through two distinct validation and control centers, the Application Firewall and the WWW Home Banking Server. Each request and answer is logged at each stop through the firewall. Any suspicious activity is logged and causes an alarm.

Firewall Segmentation
Any incoming request from the Internet is first captured by the Application Firewall and validated. The Application Firewall stops all incoming traffic. The Application Firewall then makes a request to the WWW Home Banking Server, mimicking the request made by our members on the Internet, as long as that request is a valid secure HTML request. The WWW Home Banking Server will only take requests from the Firewall. The WWW Home Banking Server then makes a request to the Firewall speaking its own language on a secret port for a secret address. The Firewall again validates this request and talks to the credit union database on its secret port for its secret address. Provided the request has followed the above listed steps, the credit union database then receives the request for data. All ports and IP addresses used behind the Firewall are private and cannot be routed via the Internet. Therefore, no communication is ever possible between the Internet and the credit union's private database.

Real Time Security and Auditing
Through the use of blanketed network monitoring, the Application Firewall stands guard over the entire network, notifying the system administrator of any attempts at unauthorized access or hacking. Every transaction is audited and contains all network information. This allows the Application Firewall to act as an effective phone tap and tracing tool.

Data Transmission Protection
Secure Sockets Layer (SSL) protects all transmissions via the Internet between the user and the credit union. SSL utilizes authentication and encryption technology developed by RSA Data Security Inc. This method of cryptography (also known as Public Key Encryption) provides for:

  • Server Authentication (thwarting impostors)
  • Privacy using encryption (thwarting eavesdroppers)
  • Data Integrity (thwarting vandals)

Public key encryption is a technique that uses a pair of asymmetric keys for encryption and decryption. One is called the public key, and one is called the private key. The public key is made public by distributing it widely. The private key is never distributed and is always kept secret. When data is encrypted using the public key, it can only be decrypted using the private key. Conversely, when data is encrypted using the private key, it can only be decrypted using the public key. A message encrypted with 40-bit RC4 takes on average 64 MIPS-years to break. In other words, a 64-MIPS computer needs a year of dedicated processor time to break the message's encryption. The RC4 128-bit U.S. domestic version, which is the version used, provides exponentially greater protection. To provide additional protection, we change our private keys at irregular intervals. The server authentication uses RSA public key cryptography in conjunction with ISO X.509 digital certificates.

Account Setup Protection
Our members can access their accounts via the Internet Home Banking and Bill Paying Service only after they have specifically signed up for this service through the credit union. This process requires that the customer sign up for Home Banking and Bill Paying before they are allowed to use the service. Only credit union personnel can perform this setup process. The customer will receive confirmation of this setup in the mail along with their PIN. Only after receiving this PIN will our member be able to access the service.

Account and PIN Validation Protection
To access the Internet Home Banking and Bill Paying Service, a customer must enter a correct account number and PIN. This PIN is initially generated by the credit union. The member has the option of changing the PIN whenever desired via the Internet Home Banking and Bill Paying Service.

Account and PIN Retry Protection
As stated before, to gain access to the Internet Home Banking and Bill Paying Service, a member must give a correct account number and PIN. These fields are hidden on the computer screen when the member enters them. (When a member types in these fields, only asterisks (*) appear.) If a hacker tries to arbitrarily guess at an account number and PIN by writing a program that tries all possible combinations or by just manually typing in combinations, this action will be detected immediately by the Application Firewall, and he will be denied access to the entire system by his IP address or range of IP addresses. We can then trace him back to his source.
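The retry protection described above amounts to counting failed logins per source address and per address range inside a time window. The following sketch is an added example, not the credit union's or its service provider's code; the thresholds, the 60-second window, the /24 range size, the event format and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample login events: (epoch_seconds, source_ip, account, success).
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # One source cycling through accounts: 6 failures in 6 seconds.
    [(10 + i, "203.0.113.7", f"acct-{i}", False) for i in range(6)]
    # Guessing spread across 12 hosts of one /24, one failure each.
    + [(100 + i, f"198.51.100.{10 + i}", "acct-9", False) for i in range(12)]
    # A member who mistypes the PIN twice and then logs in.
    + [(200, "192.0.2.44", "acct-3", False), (205, "192.0.2.44", "acct-3", False),
       (210, "192.0.2.44", "acct-3", True)]
    # Five failures, but two minutes apart: never inside one window.
    + [(120 * i, "192.0.2.80", "acct-5", False) for i in range(5)]
)

def detect_guessing(events, ip_limit=5, net_limit=12, window=60, prefix=24):
    """Return (blocked_ips, blocked_networks) as sets of strings.

    A source is blocked once it accumulates `ip_limit` failed logins within
    `window` seconds; a whole /`prefix` range is blocked at `net_limit`.
    Failures are counted per source, not per account, so rotating account
    numbers does not reset the counter. All limits are assumed values.
    """
    recent = defaultdict(deque)          # key -> timestamps of recent failures
    blocked_ips, blocked_nets = set(), set()
    for ts, ip, _account, success in sorted(events):
        if success:
            continue
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        for key, limit, blocked in ((ip, ip_limit, blocked_ips),
                                    (net, net_limit, blocked_nets)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:    # drop failures older than the window
                q.popleft()
            if len(q) >= limit:
                blocked.add(key)
    return blocked_ips, blocked_nets

if __name__ == "__main__":
    ips, nets = detect_guessing(SAMPLE_EVENTS)
    print("block IPs:", sorted(ips))
    print("block ranges:", sorted(nets))
```

The member who mistypes twice and the slow, widely spaced failures stay below both limits, which shows the trade-off any such threshold makes between locking out legitimate users and missing low-rate guessing.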

How do I know I am connected to Community Resource Credit Union's web site?
Home Banking is done on a secure server, and data is encrypted between that server and your computer. You can tell your browser is connected to a secure server by the presence of a symbol on your computer screen. You will only see this symbol when you connect with the Home Banking secure server. You will not see the symbol at our public web site. The symbol is a "padlock" if you are using Microsoft Explorer as your browser and a "key" if you are using Netscape's browser. You may double-click on this symbol to view information about the server to which you are connected.

When you see this information, you can be assured you are correctly connected to Community Resource Credit Union's Home Banking service.

Why must I enable Cookies to use home banking?
When you log on to Home Banking, a temporary session ID is written to your browser's memory. While not technically a Cookie (which is stored on your hard drive), the cookie feature in the browser must be enabled to accept this temporary session ID. This temporary session ID is encrypted when sent to the browser and remains encrypted in the browser's memory. It disappears when you exit Home Banking or when you exit your browser program. This ID allows continuous authentication to occur between your PC and the Home Banking secure server. This prevents someone else from intercepting your PC's communication with the server and "spoofing" the server into thinking it is talking with you. The use of this session ID is yet another layer of security, complementing the use of your PIN and SSL encryption to provide the most secure environment possible for your financial transactions.