Online Banking Security Statement

The First Citizens National Bank (FCNB), Fiserv Inc., and Information Technology Inc. (ITI), require all of its divisions and companies to take proactive steps to ensure information security. This includes the provision of adequate security measures within software, networks, and computers to limit the possibility of unintended distribution of confidential information and the potential for fraud-related losses.

System Configuration and Security Updates – FCNB and Fiserv Inc. perform vulnerability tests to uncover security flaws and apply security updates as soon as possible.

Firewalls & Intrusion Detection - State of the art firewall technology provides a first line of defense in preventing unauthorized access to networks and systems housing confidential information. Networks and computer systems are monitored for unusual activity.

Authentication – The FCNB Online banking system utilizes widely accepted multifactor methods to properly identify the customer at log-in as follows:

An initial registration process assigns an image and then allows the customer to:

  1. Register the computer being used for future reference
  2. Select a pass phrase associated with the image to later identify the web site
  3. Select an Access ID which can be letters and numbers, is case sensitive, and must be at least 6 characters long.
  4. Select a strong password. (Passwords must be 7-17 characters using at least one upper case letter, one lower case letter, and one number.)
  5. Input answers to several challenge questions (such as, “What is your pet’s name?”).

At the log-in screen, the customer enters the access code which prompts the display of the private image and associated pass phrase indicating a valid web site. If the system recognizes the computer being used as previously registered, entry of the password completes the process. 

If the computer is not recognized as registered, the additional challenge questions must be answered to complete the identification of the customer before the password is entered. 

These authentication methods prevent the following types of security incidents:

Password Guessing and Theft: Even if someone acquires the customer’s account access ID and password, they cannot access your account unless they are using a registered computer or have additional private information.

Phishing: This term describes the use of an email that directs one to a bogus web site to trick a person into thinking they are entering confidential information into a valid site. People are often led to a bogus web site through an e-mail that impersonates an organization they know. The First Citizens Bank does not ask for confidential information through e-mails and the new web sites can be verified through the displayed picture and pass phrase that only the Bank’s security system knows about. Access ID and password alone will not allow entry into Online banking.

Pharming: This term describes the case where a hacker somehow takes control of the bank’s website address or otherwise replaces the site with one that collects confidential information for them. Again, if the security image (picture) is not displayed as expected, the customer should not proceed. (Note that only Online banking and cash management sites have this feature at present.)

Data Encryption - Included in this system is the capacity to allow only secure connections by end users. Utilizing Secure Socket Layer (SSL) technology, all transmissions of web pages and data between the financial institution and its customer are completely encrypted and are unreadable to any person or group trying to "intercept" the transmission. SSL encryption is the industry standard and is commonly used in Internet applications that require security and privacy for sensitive data.

Account Number Masking and Account Aliases - For security reasons, complete account number(s) never appear on the computer screen. When the account number needs to be displayed it appears as

Regardless of the efforts, the “open” nature of the Internet makes it impossible to guarantee absolute confidentiality in all circumstances. The Bank’s security features alone cannot prevent all types of attacks to your computer or all methods of information theft. Every personal computer should have firewall software that is properly configured as well as anti-virus and anti-spy ware software that is updated on a regular basis. Unusual activity on the computer or severe performance problems should be checked out by a professional technician. Operating system updates should be installed when available. Unusual observations on web sites should be reported immediately.

The First Citizens National Bank continues to monitor and review the security procedures that it has in place to protect customer information. These measures are updated as practices change and new technology becomes available.

Home Computer Security Guidelines

While reputable companies that you deal with are working hard on their computers, networks and web sites to protect your data and identity, your own computer at home may be the most vulnerable link in the chain. The following are suggestions from multiple sources including Microsoft. Some of them will cost time and money, but the alternative costs are much greater. Security is sometimes a tradeoff with convenience, but you should try to make sure you aren’t trading security for convenience you never need or use.

  1. Establish a source of professional help and budget some funds to use that help for setup and when “weird” things are happening to your computer. Be wary of weekend computer geeks. They may get it to work, but not set it up in the most secure way. Ask your professional if he has any certifications from Microsoft or other well known companies, especially regarding security.
  2. Keep your computer software up-to-date, especially the operating system including the web browser (usually Microsoft Windows with Internet Explorer). Microsoft is constantly developing fixes to security holes in their latest software. Hackers are constantly trying to find the holes and use them to steal from you. Microsoft will not necessarily fix security problems in older operating systems (e.g., Windows98). As of January 2007, you should be using Windows XP Service Pack 2 with at least Internet Explorer version 6. You should be using the feature whereby you get automatic notification and downloads from Microsoft (through the Internet) of security fixes. When you are asked to install these fixes, do not delay.
  3. Use firewall software and make sure it is configured to block any types of communication to or from your computer that are not needed for normal day-to-day operation. Most firewall software will ask you if a blocked communication can be allowed temporarily. It is better to take the time to be asked for clearance and know what’s going on, than to just allow all types and manner of communication. The firewall can also be used to shut down communications to the internet when not needed. Microsoft now provides firewall capability within Windows, but some other software may be easier to use. The software will normally guide you in the configuration of the firewall, but it may ask you questions that only a professional can help you with.
  4. Secure your internet browser software to block certain types of features that you do not need all the time. Hackers often use the most sophisticated features of the internet for an attack, but you may not need these features and can frustrate them by turning them off. Microsoft continues to refine their Internet Explorer to help you configure it for your needs.
  5. Install anti-virus and anti-spyware software and keep it up-to-date. Too many mistakenly believe that anti-virus software will block anything harmful. In fact, it will only block certain types of attacks after they are known and the software has been updated with an antidote. Spyware is becoming more of a threat and only some anti-virus software includes anti-spyware features. You could accidentally ask for Spyware to be loaded onto your computer. Many of today’s attacks are initially stopped by an up-to-date operating system, with a well configured firewall and browser. However, anti-virus software is still very important along with anti-spyware.
  6. Choose your web sites wisely and be cautious of free downloads. If a web site asks you to enter confidential information, make sure you are dealing with a reputable company in the way they normally operate. Very few, if any, financial institutions will ask you to enter account information, passwords, or social security numbers without a secondary type of notification in the mail that it is required. If in doubt, get off the site and call the institution. Spyware often comes along with free downloads. Even if the download appears to be from a known reputable company, read the fine print of the license agreement which may admit that you are agreeing to be spied upon.
  7. Watch out for phishing. Phishing can take the form of fraudulent e-mail that asks you to enter confidential information into a web site. It can also take the form of a telephone call asking for information. Microsoft and other companies are now offering some web site filtering that can detect some fraudulent web sites. This is a developing area that all computer users should track.
  8. Consider shutting down the internet connection when not in use. Hackers cannot attack without the internet connection. Most dial-up users hang up when the connection is not needed, but it is too convenient for broad-band (such as DSL or Cable) users to leave the connection live all the time. The connection can be broken in a number of ways including shutting down the computer and using the firewall to “block all.’ Disconnecting wiring may cause an error to be reported to your provider.
  9. Read and ask questions about security. Follow the recommendations of any reputable companies that provide you web sites. Read their statements on security and privacy asking questions until you are comfortable. Technology changes rapidly and you may need to react quickly to a new type of threat. You don’t want to find out about a potential security problem the day after it affects you.