Online banking security

Quick Tip:

When changing your username please do not use your Social Security Number in any part of your new username. To edit your username, go to My Profile.

Online Banking Security: Everyday, everywhere!

Your online security has always been a top priority. The Bank of Fincastle offers Enhanced Login Security Services to further help protect you from identity theft. Enhanced Login Security, is a free and easy way to help prevent fraud.

Enhanced Login Security

This superior security technology protects your accounts from unauthorized access. It identifies you as the true "owner" of your accounts by recognizing not only your password but your computer as well. If we don't recognize your computer — you've logged in from a public computer or one you haven't used before — we'll prompt you for a onetime verification code (that you will receive by phone, text or email) as an additional line of defense to prevent unauthorized access. With Enhanced Login Security, you'll be protected from whatever you're using, whether you're at home or on the go.

Enhanced Login Security will:

  • Defend against identity theft and fraud
  • Provide security from any computer, wherever you are
  • Make it easy for you to bank online anytime, anywhere

Just one more way to ensure online fraud prevention, everyday and everywhere!


How We Protect You

Keeping your online financial and personal information secure and confidential remains one of our top priorities.

We ensure your privacy and security by offering technology and services designed by the brightest minds in the online banking industry.

  • Encryption: The privacy of communications between you (your browser) and our servers is ensured by encryption. Encryption scrambles messages exchanged between your browser and our online banking server.
  • Password Complexity: It is important to verify that only authorized persons log into online banking. This is achieved by verifying your password. When you submit your password, it is compared with the password we have stored in our secure data center.

We allow you to enter your password incorrectly a limited number of times; too many incorrect passwords will result in the locking of your online banking account until you call us to reinitialize the account. We monitor and record "bad-login" attempts to detect any suspicious activity (i.e. someone trying to guess your password.)

You play a crucial role in preventing others from logging on to your account. Never use easy-to-guess passwords. Examples:

  • Birth dates
  • First names
  • Pet names
  • Addresses
  • Phone numbers
  • Social security numbers

Never reveal your password to another person. You should periodically change your password in the My Profile section of Internet Banking.

Secure Architecture

The computers storing your actual account information are not linked directly to the Internet.

  • Transactions initiated through the Internet are received by online banking Web servers.
  • These servers route your transaction through firewall servers.
  • Firewall servers act as a traffic cop between segments of our online banking network used to store information and the public Internet.
  • This configuration isolates the publicly accessible Web servers from data stored on our online banking servers and ensures only authorized requests are processed.

Various access control mechanisms, including intrusion detection and anti-virus, monitor for and protect our systems from potential malicious activity. Additionally, our online banking servers are fault-tolerant, and provide for uninterruptible access, even in the event of various types of failures.


Validating your Identity Screen

Should you logon to your computer and see a screen with the following message, "Please validate your identity. Sorry, we don't recognize the computer you are using," you are seeing this message because you are using Enhanced Login Security for extra online security protection, and we don't recognize this computer as one you have added.

In order to gain access to the system, please validate your identity with the call, text or email option. This will give you a onetime verification code to enter in to the computer. Be sure to add your cell phone number as an additional option in case you log in somewhere other than your home phone. If this computer is one you use frequently, avoid this page in the future by adding extra security protection to your computer. This can be done by clicking "Yes, Enroll This Computer." You can add, edit or delete phone numbers you have by going to the "My Profile" link once you are logged in to your online banking.


Questions & Answers

What is Multifactor Authentication?

Multifactor Authentication is superior security technology that protects your accounts from unauthorized access by strengthening the security of your online banking session. When you login to your internet banking session you can have peace of mind. Powered by the best-of-breed technology, Multifactor Authentication protects against online fraud by providing an additional authentication factor beyond your username and password used today.

Multifactor Authentication will:

  • Defend against identity theft and fraud
  • Provide added security from any computer, wherever you are
  • Make easy for you with one-time sign-up and convenient

When will I know that Multifactor Authentication/Enhanced Login Security is set for my accounts?

Soon you will be prompted to sign up when you login to your online banking session. Sign up once at your computer, set up your phone numbers or email capability, and you're all set.

How will it affect my online banking experience?

One you set up your account, the next time you login it will be business as usual. The rest of your online banking experience will remain exactly the same.

Can I access my account from other computers at my home, my office, or on the road?

Multifactor Authentication identifies you as the true owner of your accounts by recognizing not only your password but your computer as well. If we don’t recognize your computer you’ve logged in from a public computer or one you haven’t used before, for example, we’ll ask you to choose from the options on the screen (call, text or email) for a onetime verification code as an additional line of defense to prevent unauthorized access. With Enhanced Login Security, you’ll be protected from whatever computer you’re using, whether you’re at home or on the go.

For more information on Multifactor Authentication/Enhanced Login Security please contact a branch representative today.


Heartbleed Bug

04/11/2014: The Bank of Fincastle confirmed with our service provider that both our website and internet banking services are not affected by the bug and our customers will not be adversely impacted.  Our service provider is monitoring the situation and taking the appropriate steps to ensure that our systems are secure.  Our customers’ information is not at risk.

According to In April 2014 came the announcement that a bug in software used by millions of web servers may have exposed many web sites' users to spying and eavesdropping, including the interception of their passwords and other account information The bug, dubbed "heartbleed," resides in a software library called OpenSSL that is used in servers, operating systems, email, and instant messaging systems. Ironically, this software is supposed to protect sensitive data as it travels back and forth.

"Heartbleed" allows hackers to easily trick servers running OpenSSL into revealing decryption keys stored on their memory. With those keys, the ill-intentioned can eavesdrop on encrypted communications, directly steal sensitive information, and impersonate users and services.

OpenSSL is employed in the widely used Apache and Nginx server software. 
Statistics from net monitoring firm Netcraft suggest that about 500,000 of the web's secure servers are running versions of the vulnerable software. (The bug gained its "heartbleed" moniker due to its occurring in the heartbeat extension for OpenSSL.) 

The bug was discovered by researchers working for Google and security firm Codenomican. In a blog entry about their findings, the researchers said the "serious vulnerability" allowed anyone to read chunks of memory in servers running the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users. 

The bug has been present in versions of OpenSSL that have been available for over two years. The latest version of OpenSSL released on 7 April 2014 is no longer vulnerable to the bug. However, protecting a server from this vulnerability may not be merely a matter of installing the updated version of OpenSSL: if attackers had exploited the weakness at an earlier date, they could have already stolen the encryption keys, passwords, or other credentials required to access accounts on that server. 

Full protection might require web site operators' updating to the safer version of OpenSSL as well as getting new security certificates and generating new encryption keys. To help operators check their systems, security researchers have produced tools that will determine if servers are running vulnerable versions of OpenSSL. 

Unfortunately, as security experts have noted, there is not much that individual Internet users can do to protect themselves against the Heartbleed vulnerability, as resolution of the issue depends upon the operators of web sites making changes to their systems: Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until exploitable websites upgrade their software.


TAS Phishing Scam

The Internal Revenue Service has learned of a new phishing scam in which taxpayers receive emails purporting to be from the Taxpayer Advocate Service (and bearing the IRS logo). The email contains a bogus case number and says:

“Your reported 2013 income is flagged for review due to a document processing error. Your case has been forwarded to the Taxpayer Advocate Service for resolution assistance. To avoid delays in processing your 2013 filing contact the Taxpayer Advocate service for resolution assistance.”

The email contains a link where the recipient can find contact information for the “advocate” assigned to their case that solicits personal information such as the recipient’s legal name and contact information. There’s also a link to review “your reported income” that again solicits this kind of personal information.

DO NOT click on the link and forward the email to the IRS’s designated address for such emails – You can find instructions for forwarding the messages on

If you believe you may have fallen victim to this type of scam and wish to report it, please file a complaint with the Internet Crime Complaint Center (IC3)


'Ransomware' Locks Computers, Demands Payment

There is a new “drive-by” virus on the Internet, and it often carries a fake message—and fine—purportedly from the FBI.
“We’re getting inundated with complaints,” said Donna Gregory of the Internet Crime Complaint Center (IC3), referring to the virus known as Reveton ransomware, which is designed to extort money from its victims.
Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.
The bogus message goes on to say that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service.
“Some people have actually paid the so-called fine,” said the IC3’s Gregory, who oversees a team of cyber crime subject matter experts. (The IC3 was established in 2000 as a partnership between the FBI and the National White Collar Crime Center. It gives victims an easy way to report cyber crimes and provides law enforcement and regulatory agencies with a central referral system for complaints.)

Podcast: Reveton Ransomware

“While browsing the Internet a window popped up with no way to close it,” one Reveton victim recently wrote to the IC3. “The window was labeled FBI and said I was in violation of one of the following: illegal use of downloaded media, under-age porn viewing, or computer-use negligence. It listed fines and penalties for each and directed me to pay $200 via a MoneyPak order. Instructions were given on how to load the card and make the payment. The page said if the demands were not met, criminal charges would be filed and my computer would remain locked on that screen.”
The Reveton virus, used by hackers in conjunction with Citadel malware—a software delivery platform that can disseminate various kinds of computer viruses—first came to the attention of the FBI in 2011. The IC3 issued a warning on its website in May 2012. Since that time, the virus has become more widespread in the United States and internationally. Some variants of Reveton can even turn on computer webcams and display the victim’s picture on the frozen screen.
“We are getting dozens of complaints every day,” Gregory said, noting that there is no easy fix if your computer becomes infected. “Unlike other viruses,” she explained, “Reveton freezes your computer and stops it in its tracks. And the average user will not be able to easily remove the malware.”
The IC3 suggests the following if you become a victim of the Reveton virus:

  • Do not pay any money or provide any personal information.
  • Contact a computer professional to remove Reveton and Citadel from your computer.
  • Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
  • File a complaint and look for updates about the Reveton virus on the IC3 website.

What Is 'Phishing'?

Most likely you've seen them: e-mail messages asking you to verify personal information over the Internet.

The scam, popularly called 'phishing,' involves the use of replicas of existing Web pages to try and deceive you into entering personal, financial, or password data. Often suspects use urgency or scare tactics, such as threats to close accounts.

We here at The Bank of Fincastle will never ask you via e-mail to verify account information. We will never use e-mail to threaten account closure. Please know this, as one defense against phishing. Other safeguards to help protect you from phishing scams:

  • Be suspicious of any e-mail messages that claim to be from us that use an urgent or scare-tactic alone.
  • Do not respond to e-mail messages asking you to verify personal information.
  • Delete suspicious e-mail messages without opening them. If you do open a suspicious e-mail message, do not open any attachments or click any links.
  • Install and regularly update virus protection software.
  • Keep your computer operating system and Web browser current.

If you see a suspicious looking e-mail message claiming to be from The Bank of Fincastle please let us know. We continually monitor such reports and act on them promptly. Additionally, also consider contacting the FBI's Internet Fraud Complaint Center at