Protocols to Keep Your Money Safe
Online Banking Security Features
Touchstone Bank is always looking for the best way to protect our customers. You can read about the features we use below. The first time you access Touchstone Bank's Online Banking, you will be asked to choose a username, password, and three security questions.
Challenge Questions & Answers
You will need to choose three questions from a drop down menu and put in the answer that only you would know. You will need to remember the answers. The only times you will be asked one of these questions are when you are at a computer which has not been registered, or at a public computer. One of the three questions will be chosen randomly and you will have to answer the question before being able to login to your Touchstone Bank Online Banking.
Register a Computer
Choose to register only computers you use: for example, your home computer. Do not register public computers, such as at the library or at work. Once a computer is registered, when you login to Online Banking you will only have to put in your Access ID and password.
E-Banking Security Features
We offer secure E-Banking products for our business customers. When you sign up for our Merchant Capture (Remote Deposit Capture), online wire transfer, or ACH Origination, we assign you a token that you will use as your password. This token will give you a different series of numbers that you will use, along with a four digit pin number of your choice, you will use each time you login to your Business Online Banking.
Other Secure Banking Options
Have you considered Direct Deposit? This allows you to have you to have your paycheck or other payments owed to you to be deposited directly into your account without having to wait on a check or take a chance on your money being lost.
Most companies allow you to set automatic payments for your periodic or one-time expenses. This allows your payments to be drafted from your account automatically without having to write checks or use your debit card.
The privacy of communications between you (your browser) and our servers is ensured via encryption. Encryption scrambles messages exchanged between your browser and our online banking server.
How Encryption Works
When visiting Touchstone Bank's Online Banking sign-on page, your browser establishes a secure session with our server. The secure session is established using a protocol called Transport Layer Security (TLS) Encryption. This protocol requires the exchange of what is called public and private keys. Keys are random numbers chosen for that session and are only known between your browser and our server. Once keys are exchanged, your browser will use the numbers to scramble (encrypt) the messages sent between your browser and our server. Both sides require the keys because they need to descramble (decrypt) messages received. The TLS protocol assures privacy, but also ensures no other website can "impersonate" Touchstone Bank's website, nor alter information sent. To learn whether your browser is in secure mode, look for the secured lock symbol at the bottom of your browser window.
The numbers used as encryption keys are similar to combination locks. The strength of encryption is based on the number of possible combinations a lock can have. The more possible combinations, the less likely someone could guess the combination to decrypt the message.
For your protection, our servers require the browser to connect at 128-bit encryption (versus the less-secure 40-bit encryption). Users will be unable to access online banking functions if their browser does not support 128-bit encryption. This may require some end users to upgrade their browser to the stronger encryption level.
To determine if your browser supports 128-bit encryption:
- Click "Help" in the toolbar of your Internet browser.
- Click on "About [browser name]".
- A pop-up box or window will appear.
- For Internet Explorer: next to "Cipher strength" you should see "128-bit".
- For Netscape: you should see "This version supports high-grade (128-bit) security with RSA Public Key Cryptography".
If your browser does not support 128-bit encryption, you must upgrade to continue to access the website's secure pages.
It is important to verify that only authorized persons log into online banking. This is achieved by verifying your password. When you submit your password, it is compared with the password stored in our secure data center.
We allow you to enter your password incorrectly three times; (if you enter an incorrect password more than three times, your account will be locked and ou will have to contact us to unlock it.) We monitor and record "bad-login" attempts to detect any suspicious activity (i.e. someone trying to guess your password).
You play a crucial role in preventing others from logging into your account. Never use easy-to-guess passwords. Examples:
- Birth dates
- First names
- Pet names
- Phone numbers
- Social security numbers
Never reveal your password to another person. You should periodically change your password in the User Option screen of online banking.
The network architecture used to provide the online banking service was designed by the brightest minds in network technology. The architecture is too complex to explain here, but it is important to convey that the computers storing your actual account information are not linked directly to the Internet.
- Transactions initiated through the Internet are received by our online banking Web servers.
- These servers route your transaction through firewall servers.
- Firewall servers act as a traffic cop between segments of our online banking network used to store information, and the public Internet.
- This configuration isolates the publicly accessible Web servers from data stored on our online banking servers and ensures only authorized requests are processed.
Various access control mechanisms, including intrusion detection and anti-virus, monitor for and protect our systems from potential malicious activity. Additionally, our online banking servers are fault-tolerant, and provide for uninterrupted access, even in the event of various types of failures.
We provide a number of additional security features in online banking. For example, online banking will "timeout" after a specified period of inactivity. This prevents curious persons from continuing your online banking session if you left your PC unattended without logging out. You may set the timeout period in online banking's User Options screen. We recommend that you always sign off (log out) when you have completed banking online.
Real-World Warnings Keep You Safe Online
Original release date: August 25, 2010 | Last revised: March 09, 2017
Many of the warning phrases you probably heard from your parents and teachers are also applicable to using computers and the Internet.
Why are these warnings important?
Like the real world, technology and the Internet present dangers as well as benefits. Equipment fails, attackers may target you, and mistakes and poor judgment happen. Just as you take precautions to protect yourself in the real world, you need to take precautions to protect yourself online. For many users, computers and the Internet are unfamiliar and intimidating, so it is appropriate to approach them the same way we urge children to approach the real world.
What are some warnings to remember?
Don't trust candy from strangers – Finding something on the Internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable. It is also easy for attackers to "spoof" email addresses, so verify that an email is legitimate before opening an unexpected email attachment or responding to a request for personal information.
If it sounds too good to be true, it probably is – You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware.
Don't advertise that you are away from home – Some email accounts, especially within an organization, offer a feature (called an autoresponder) that allows you to create an "away" message if you are going to be away from your email for an extended period of time. The message is automatically sent to anyone who emails you while the autoresponder is enabled. While this is a helpful feature for letting your contacts know that you will not be able to respond right away, be careful how you phrase your message. You do not want to let potential attackers know that you are not home, or, worse, give specific details about your location and itinerary. Safer options include phrases such as "I will not have access to email between [date] and [date]." If possible, also restrict the recipients of the message to people within your organization or in your address book. If your away message replies to spam, it only confirms that your email account is active. This practice may increase the amount of spam you receive.
Lock up your valuables – If an attacker is able to access your personal data, he or she may be able to compromise or steal the information. Take steps to protect this information by following good security practices. (See the Tips index page for a list of relevant documents.) Some of the most basic precautions include locking your computer when you step away; using firewalls, anti-virus software, and strong passwords; installing appropriate software updates; and taking precautions when browsing or using email.
Have a backup plan – Since your information could be lost or compromised (due to an equipment malfunction, an error, or an attack), make regular backups of your information so that you still have clean, complete copies. Backups also help you identify what has been changed or lost. If your computer has been infected, it is important to remove the infection before resuming your work. Keep in mind that if you did not realize that your computer was infected, your backups may also be compromised.
Author: US-CERT Publications