Avoiding Card Skimmers

Summer is a popular time for vacations and traveling.  While we are usually focused on relaxing and finding something fun to do, it’s easy to let our guard down and get scammed.

Unfortunately, card readers are a common target for scam artists. Often they will place a skimmer on a gas pump, but it can also be on an ATM.

The Federal Trade Commission describes skimmers as illegal card readers attached to payment terminals, like gas pumps, that grab data off a credit or debit card’s magnetic stripe without your knowledge. Criminals sell the stolen data or use it to buy things online. You won’t know your information has been stolen until you get your statement or an overdraft notice.

While skimmers are nothing new, advancements in technology have made them smaller and harder to find. Many times they’re even hidden inside a gas pump.

Here are tips to help you avoid a skimmer when you gas up:

  • Make sure the gas pump panel is closed and doesn’t show signs of tampering. Many stations now put security seals over the cabinet panel. This is part of a voluntary program by the industry to thwart gas pump tampering. If the pump panel is opened, the label will read “void,” which means the machine has been tampered with.

Photo credit: National Association of Convenience Stores (NACS) and Conexxus

  • Take a good look at the card reader itself. Does it look different than other readers at the station? For example, the card reader on the left has a skimmer attached; the reader on the right doesn’t.

Photo credit: Royal Canadian Mounted Police in Kamloops, Canada

  • Here’s an example of a skimmer and transmitter on an ATM.  In this case the skimmer slid over the regular card reader and looked just like the real ATM reader.


  • Try to wiggle the card reader before you insert your card. If it moves, report it to the attendant or bank. Then use a different pump or ATM.
  • If you use a debit card at the pump, run it as a credit card instead of entering a PIN. That way, the PIN is never exposed. If that’s not an option, cover your hand when entering your PIN. Scammers sometimes use tiny pinhole cameras, situated above the keypad area, to record PIN entries.
  • Review your bank and credit card accounts regularly to spot unauthorized charges.
  • If you’re really concerned about skimmers, you can pay inside rather than at the pump. Another option is to use a gas pump near the front of the store. Thieves may target gas pumps that are harder for the attendant to see.


If your credit card has been compromised, report it to your bank or card issuer. Federal law limits your liability if your credit, ATM, or debit card is lost or stolen, but your liability may depend on how quickly you report the loss or theft.

How To Protect Yourself After a Data Breach

Sonic Drive-In disclosed this week that they had been breached. An unknown number of stores exposed millions of credit and debit card accounts to hackers. Equifax announced yesterday that an additional 2.5 million people’s information was exposed in its breach last month. This takes their total to 145 million people affected. As these breaches become a regular occurrence, and with so much potential for fraud and identity theft, you may be asking how to protect yourself after a data breach. We’ve compiled a comprehensive list of things you can do to protect your credit, your identity, and your peace of mind when it’s likely your information has been exposed.

Tips For Protecting Yourself

The link below takes you to our tips page:



The Equifax Breach

What You Need To Know About The Equifax Breach

In an effort to keep our customers informed, and in case you haven’t already heard: Equifax, a very large credit monitoring bureau, suffered a very large, very severe breach of customer information that affects 143 million people. You probably recognize the name from whenever you hear people talk about pulling your credit report from the “big three” credit bureaus. However, there are actually 4 credit bureaus: Equifax, Experian, Innovis and Trans Union.

So what happened?
At the end of July 2017, Equifax realized they had a massive breach of consumer information. A criminal was able to use a point of weakness in one of their web-based applications to steal personal and confidential information for 143 million people (nearly half of the population of the United States). The criminals were able to access social security numbers, birth dates, addresses, and some driver’s licenses for the affected individuals.
Equifax has set up a web site (https://equifaxsecurity2017.com) dedicated to the breach. There’s more detailed information on the breach itself, and there’s also a tool where you can go to check and see if your information was included in the compromise. You simply enter your last name and the last 6 digits of your social security number. Equifax will then tell you whether your information was potentially involved in the breach.
They are offering a free one-year enrollment in their credit monitoring service, Trusted ID, but enrolling means you must waive your right to class-action and personal lawsuits against Equifax.
Update: Sept. 9, 2017, 12:22pm
Since we published this post, Equifax has updated their breach alert page to include the following response regarding their unclear legalese for using their free monitoring service.
“In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident.”

Original Story
You might want to consider other options, as credit monitoring is slightly different than identity theft protection. There are other identity theft monitoring companies that you can pay to monitor your identity without forfeiting your right to a lawsuit. One of the more well-known companies, and one that we recommend, is LifeLock.
Credit Freeze:
You also have the option to do a Credit Freeze. A Credit Freeze will prevent anyone from accessing your credit report. So, if a scammer tries to open a new line of credit using your personal information, when the lender tries to pull your credit report, it’ll say that it’s blocked and to contact the credit bureau. This prevents the institution from being able to lend money to the person who’s using your stolen information.
To place a credit freeze, you’ll need to contact each of the 4 credit bureaus. You will also likely have to pay a small fee to freeze and unfreeze your credit reports. Each of these bureaus will give you a 6-digit number (PIN) you can use to call and unfreeze or “thaw” your reports. You should “hide” this PIN somewhere that you won’t lose it – because if you do, you’ll be stuck frozen.
If you need to open an account while your credit reports are frozen, you’ll have to contact the credit bureau ahead of time (either on the phone or online) and “thaw” your account for a little while. You can set the “thaw” either for a period of time or for a particular creditor. You can also choose to remove the freeze, if you determine you don’t want the protection any longer. You will need that PIN you set for the bureaus to thaw or unfreeze your reports.
You also have the option to temporarily thaw your accounts. For example, if you know you’re going to be looking for a car over the next week, call the three bureaus and thaw your report for the next week. Or, if you are applying for a credit card, call and unfreeze your report for that company, and then turn the freeze back on.
Using credit freezes is a little more trouble and a bit of an inconvenience in your life, but it’s better than the alternative – cleaning up your credit after your identity has been stolen.
Who do I talk to about a Credit Freeze?
You’ll need to contact each of the 4 credit bureaus. Here are the links to each of their sites: Equifax, Experian, Innovis and Trans Union.
Please be aware that a lot of phishing sites and scams will likely come out of a situation like this. Make sure that any site you visit for these bureaus is legitimate before entering any of your information. If you receive an unsolicited email from one of these companies, please delete it immediately and do not click on any links. Now is the time to be on high alert for phishing emails and sites, not just from scammers posing as credit bureaus but in general as well. Scammers use these types of situations to take advantage of people who are vulnerable.
Fraud Alert:
A less-impactful alternative to a credit freeze is a fraud alert.  A fraud alert requires potential creditors to contact you and obtain your permission before opening new lines of credit in your name. You are allowed by law to file a fraud alert (also called a “security alert”) with one of the credit bureaus (Equifax, Experian or Trans Union) every 90 days.  Whichever one you file with, they are required by law to alert the other two big bureaus as well. The fourth bureau, Innovis, follows the same rules as the big three, but you will have to file a fraud alert with them as well.
Fraud alerts last 90 days, and you can renew them as often as you like (a recurring calendar entry can help with this task); consumers who can demonstrate that they are victims or are likely to be victims of identity theft can also apply for a long-term fraud alert that lasts up to 7 years (a police report and other documentation may be required).
Free Credit Reports:
You are entitled by law to a free credit report from each of the “big three” once a year.  This means you can check your credit 3 times a year (once every 4 months with each of those bureaus).  The site where you may obtain this free copy is annualcreditreport.com, or by phone at 877-322-8228. Everywhere else will try to sell you a report, or offer a “free” report if you agree to sign up for some kind of subscription service — usually credit monitoring.  There are lots of look-alike sites out there (like freecreditreport.com) that are not the real, government-mandated service, so watch out.
Your free credit report will show all your lines of credit and other debt obligations, along with lots of data.  However, it won’t show your FICO score.  If that’s what you’re looking for, go to your bank or credit card company.  It usually costs money to get your FICO score.
What about my bank accounts?
We don’t anticipate that your bank accounts will be affected by this particular breach since no account or debit card numbers were compromised. However, we do recommend that you check your checking/savings and credit card accounts at least weekly to ensure there is no fraudulent activity. This is just best practice, even when there isn’t a breach of this magnitude. Another easy practice is to set up text or email alerts on your account. Those are free at The Callaway Bank and help you keep an instant pulse on your account activity. (Your wireless carrier may charge for the text messages, so check with them.)
If you suspect fraudulent activity on any of your Callaway Bank accounts, please contact our Customer Care Team at 800.446.2265 immediately.
There is a lot being reported about this breach, and we encourage you to seek additional information to protect yourself. A great resource regarding this breach, and all things cyber security related, is https://krebsonsecurity.com/.

Is a Joint Bank Account Right for You?

The American Bankers Association Foundation and AARP have produced an infographic to help people understand the risks of joint bank accounts.
Often people will use joint accounts specifically to help seniors manage their finances by giving caregivers access to funds.  While having a jointly owned account can have benefits, there are other ways to allow people to assist with your account while not opening yourself up to financial harm.



Home Depot Data Breach And Your Card

On Monday, September 8th, 2014 The Home Depot® acknowledged that they had a nationwide breach of credit and debit cards used in their U.S. and Canada retail stores going back to April 1, 2014.  They stated that it did not include purchases through their website.  This breach is estimated to affect 60 million cards, which is bigger than Target’s breach of 40 million cards from November 2013.  These security breaches are unfortunate, and a tremendous pain for everyone involved.  However, it is important to remember that if you experience any fraud resulting from this or any other security breach, you are not liable for the loss, and you will be reimbursed the funds.  Contrary to a lot of misinformation going around, this zero liability standard applies to debit and credit card holders.
In the case of this breach at The Home Depot, they are offering 12 months of free identity protection services, including credit monitoring to any person who used a payment card at a Home Depot store in 2014, from April on. For more information about taking advantage of their offer, please visit https://homedepot.allclearid.com/ or call 800.HOME.DEPOT.
Information Specific to Callaway Bank Customers:
Because fraud at any level is not new, our systems constantly monitor cards for suspicious activity.  For instance, if you just bought groceries in Columbia, MO and 10 minutes later your card is used in LA to buy a TV, that will kick out an alert.
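The kind of check described above is often called an "impossible travel" rule. The sketch below is an added illustration, not the bank's monitoring system: the `Txn` record, the 900 km/h threshold, the card labels and the sample transactions are all assumptions constructed for the example, and it only applies to in-person purchases where a location is known.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly the cruising speed of an airliner

@dataclass
class Txn:
    card: str        # card label (constructed)
    when: datetime   # time of the purchase
    place: str       # human-readable location
    lat: float       # merchant latitude in degrees
    lon: float       # merchant longitude in degrees

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive purchases on the same card that would require
    travelling faster than max_kmh between the two locations."""
    alerts, last_seen = [], {}
    for t in sorted(txns, key=lambda x: x.when):
        prev = last_seen.get(t.card)
        last_seen[t.card] = t
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
        hours = (t.when - prev.when).total_seconds() / 3600
        if hours > 0:
            speed = km / hours
        else:
            # Same timestamp: only suspicious if the places really differ.
            speed = float("inf") if km > 1 else 0.0
        if speed > max_kmh:
            alerts.append((t.card, prev.place, t.place, round(km), speed))
    return alerts

# Constructed sample data mirroring the scenario in the text.
T0 = datetime(2014, 9, 8, 12, 0)
SAMPLE_TXNS = [
    Txn("card-A", T0, "Columbia, MO", 38.9517, -92.3341),
    Txn("card-A", T0 + timedelta(minutes=10), "Los Angeles, CA", 34.0522, -118.2437),
    Txn("card-B", T0, "Columbia, MO", 38.9517, -92.3341),
    Txn("card-B", T0 + timedelta(minutes=45), "Fulton, MO", 38.8467, -91.9479),
]

if __name__ == "__main__":
    for card, src, dst, km, speed in impossible_travel(SAMPLE_TXNS):
        print(f"{card}: {src} -> {dst}, {km} km at {speed:,.0f} km/h")
```

Only card-A is flagged: the Columbia-to-Fulton drive on card-B is well within normal travel speed.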
Regarding this breach with Home Depot we are analyzing card transactions to identify any cardholders who may be at risk.  If we identify any cards that we believe are at risk, we will contact the cardholder to discuss a replacement card.
However, you are the best person to spot suspicious activity with your account. Below are some tips to help you protect your account at all times:

  • Routinely review monthly checking account statements to identify any unauthorized purchases.
  • Monitor your account activity online through telebanking (888.642.6060), online banking, or our Mobile App.
  • Changing your debit card PIN number helps prevent some types of fraudulent activity. PINs can be changed at any of our ATMs.
  • Setting up eAlerts on your checking account helps you better monitor your account activity by emailing or texting you when certain things happen with your account, such as a low balance level.

If unauthorized charges are found or if you have any questions or concerns, please contact our Customer Care Team immediately by phone or live online chat.
Fulton Area: 573.642.3322  |  Columbia Area: 573.447.1771  |  Toll Free: 800.446.2265
More information about protecting yourself from identity theft can be found here.

How Much is Your Email Account Worth?

Were you aware that your email account is worth real dollars on the hacker market? This might explain why we continue to see more and more people, even in Columbia or Millersburg, MO, with their Gmail and other accounts hijacked. According to Krebs On Security, a person’s email account is seen as a valuable resource to cyber crooks because they can do so much with it. You might be thinking, “Why would anyone want access to my email account? It’s not my checking account.” You would be surprised what a resource the average person’s email account is.
The biggest reason your ordinary, everyday email account is so valuable is that it is often the key to all of your other online accounts. When signing up for anything such as iTunes, Amazon, credit cards, or online banking, you provide your email as a contact point. If someone then tries to take over that other account, they simply request a new password to be emailed and BAM, now they have that account too. That gets really scary when it’s your bank account or credit card, but even with access to your Amazon account they could easily order a couple of 52" flat panel TVs and then sell them for cash.
Another way we see crooks using hijacked accounts is that they monitor who you do business with, and then send people a request posing as you.
“Hi Bill, would you please wire $3500 to a friend of mine in California?  His name is xxxxx, and the account number is xxxxxx ….”
Fortunately for our customers, we will not send a wire based on an email request, but that doesn’t mean it couldn’t happen at another well-meaning business. The important thing is not to give someone the opportunity to hack into your account.
Another new trend with a hijacked account is holding it hostage.  They gain access and change passwords to lock you out.  Then they demand payment for you to get control back.  While it’s not at gun point, when a cyber-crook contacts you and says that he’s deleting your account unless you pay x-amount of dollars, it sort of feels like gun point.
Here are some suggestions to help prevent an account takeover:
>> Use only one password for one account.  Don’t ever use the same password for multiple accounts, especially your email account.  
A study from 2010 found that the average user visits 25 password protected sites but uses only 6 passwords, and 33% of people use the same password on every site. 1
>> Use a password with at least 8 characters and with a mix of numbers and special characters.
A professional hacker can crack a 6-character, lowercase-only password in 10 minutes. Make it 8 characters, but still only lowercase letters, and it extends the time by a few minutes. Instead, just adding a mix of uppercase, numbers, and symbols makes it much harder and slower to crack! And don’t think that abcd1234 will throw them off. That is one of the most common passwords used, and common names found in the dictionary are all tested first.

>> Be mindful of “shoulder surfers.”
Be aware of your surroundings and mindful if someone is nearby who could look over your shoulder when you key in your password.  That cute guy at the coffee shop may be smiling at you because he knows how to access your account.
>> Be wary of emails from strangers, especially if they come bearing gifts.
Your mama’s advice about not talking to strangers applies here as well. If you get an email from someone you don’t know, do not click on any of the links and certainly don’t open any attachments. They almost always will load some kind of malware or virus that can give a crook access to your computer or send them all of your keystrokes. Emails now often come with a promise of a gift card to your favorite store if you take a survey or visit their website. You’re better off just deleting those.

>> If you suspect your account has been hacked, stop using your computer.
If your account has been hacked, your computer may be hacked as well. If a cyber-crook has access to your computer, changing your Gmail account password won’t help. They’ll know the new password also. Hire a computer pro to check your machine for viruses and malware, and remove them. Having antivirus software that is up to date can help prevent this. However, if you clicked on a nefarious link (see previous paragraph), it will then bypass your security software. In the meantime, find a computer or device that you don’t normally use (preferably not a public computer). You can access your account with it to change your password.


We hope this will help you realize that your computer security is not something to take lightly. While we can’t help you with fixing your computer, we can help you if you feel your checking or savings accounts may be in jeopardy. Please contact your Personal Banker or our Customer Care Team if you have a concern that someone may have access to your bank accounts or online banking. We can walk you through the process and help you determine if your bank accounts are at risk. If they are, we’ll help you get new accounts set up and the old ones closed.
By the way, a hacked iTunes account goes for around $8.  Some Gmail accounts are worth upwards of $30 on a black market.  How much would you pay to keep it from happening?  That’s the real question.
1 http://www.pcworld.com/article/188763/too_many_people_reuse_logins_study_finds.html

Scam Alert!

Scammers are at it again! They are calling people in the Central Missouri area stating their debit card has been stolen and to follow the prompts for more information. These robo calls have appeared in the area several times before. Fortunately, people have learned to become leery of the automated calls, but it is advisable to always be on guard. Be assured, The Callaway Bank does not use automated “robo” calls for any reason. If you have received one of these calls and mistakenly provided your card number, contact our Customer Care Team immediately for assistance.

"Heartbleed" Bug in the news

The “Heartbleed” security bug has received great attention in the news over the past few days, and rightly so. The security flaw means that people could have their usernames, passwords, and other sensitive data stolen when they access websites without current security patches.
Please know that with regard to our own systems, we have tested and received high marks for compliance, and therefore are not exposed to the “Heartbleed” bug.
As part of our everyday security practices, The Callaway Bank monitors and routinely investigates known vulnerabilities. We maintain open communications with our technology vendors and service providers, and as a matter of regular procedure we annually test and review our systems to ensure they are up to date.
For more information regarding the “Heartbleed” bug check out the following articles:

What? More Phishing Attempts.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes money indirectly) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware, and the links in the emails will often direct users to a fake website that looks like a real credit card website, bill paying website, etc. The user inputs their user name and password, and that information is captured by the crooks, who then use it to access the online accounts.
What to look for:

  • Who is the email really from? The name in the from field will not necessarily reflect who is the actual sender.
  • Be cautious of links.  A general rule of thumb is if you weren’t expecting an email don’t open it and DO NOT click on any links or open any attachments.
  • Check that the URL is valid.  Don’t click on the link, but instead manually type in the URL in your browser.  Most times the link presented and where it goes are two different things.
  • Look at the email greeting.  It should raise suspicion if it is addressed generically like dear customer or to whom it may concern.  Most companies that you do business with will address you by name.
  • Previous history with company.  Be suspicious if you have not worked with this company before.

What to do when you suspect a phishing email:

  • Do not open it. Delete it, and then delete it from your deleted items as well.
  • DO NOT forward the email. You will only put our system at further risk by forwarding potentially dangerous emails on.
  • DO NOT ever give out your password. There is never a reason for a supervisor, manager, IT person, people/customers you work with or companies you do business with to ask for your password(s). It is unnecessary, and if anyone asks for any of your passwords, don’t give them out. The request itself is suspect.

Most important points:
Do not forward the email.  This is the most important.  Don’t potentially spread the virus.
Do not click on the links or open attachments.
Do not ever give out your password.  Not to anybody at any time for any reason.