MARCH 2007

Manly Warringah Credit Union has received advice of a significant increase in the number of reports of scams targeting online banking and electronic payment sites. To date there have been no attacks specifically against our Internet Banking Service NetTeller.

These scams are designed to fraudulently collect some or all of the following information:

• Online banking logins and passwords

• Full banking account details such as account name/id, full name of account holder and BSB number.

• Credit Card details such as cardholder name, card number and expiry date.

• Full account and password details of other forms of electronic payment or funds transfer (e.g. PayPal, Ebay)

Institutions targeted include banks, credit unions, online stores, online auction sites and alternative electronic funds transfer sites (e.g. PayPal).

DETAILS

Attackers are constructing mimic sites to lure customers of online banking and other forms of electronic funds transfer into accessing fake sites rather than the original.

They will often attempt to:

• Contact users by e-mail and request them to either reply to the e-mail with their account login details and passwords, or fill in a form that will send the results to a site under the attackers control.

• Contact the user by e-mail and request them to enter account/login details and password into a site that is not the real banking or electronic payments site of the organisation that is supposedly requesting this information.

This fake site may resemble the original very closely in both layout and function. The e-mail can also be in constructed as such to present links to the legitimate site that are in fact pointing to a fake address.

• Establish a website that resembles the original not only in just appearance and function but also has a very similar domain name e.g. where www.yourcreditunion.com.au is the real site and wwww.yourcreditunion-bank.com is the fake.

• Contact users in person and asking for their account login details and their password.

NetTeller users risk significant financial loss if their details are stolen in this manner.

MITIGATION

We urge all NetTeller users to take note of the following policies.

1. Protect your password and account details. Users should NEVER give out passwords or account details in response to unsolicited requests via e-mail or other forms.
   

2. Users should ONLY log into the appropriate financial institution's or other electronic payment website that has been verified as the legitimate site for that organisation.
   

3. Credit Unions and other electronic payment sites (online store and auction sites) never request account or credit card details and NEVER - under any circumstances - request passwords via email.
   

4. Credit Unions and other electronic payment sites take precautions to ensure you know you are connected to their legitimate website
   

5. Credit Unions and other electronic payment sites usually publish their correct website details in advertising brochures and other media
   

6. The majority of Credit Unions and other electronic payment sites verify the authenticity of their sites through the use of digital certificates
   

7. If the Credit Union or electronic payment site uses digital certificates, a small padlock icon will appear on the bottom of the users browser. Users can view the certificate of the site by clicking on the padlock icon. The details of the certificate should then appear in a browser window that allows users to verify the identity of, and the level of encryption being used by the site.

Manly Warringah Credit Union's NetTeller site is owned and run by The System Works Pty Ltd (TSW). This company hosts many Credit Union Internet Banking sites. TSW does all maintenance and all the upgrades of our website and NetTeller. When you click on the padlock in NetTeller, you will receive one of three certificates that TSW hold:

1. netteller.tsw.com.au
   

2. netteller2.tsw.com.au
   

3. netteller.com.au

If there are any issues or questions you would like to discuss, please contact us on 1300 13 1964 during business hours.

Yours Sincerely,

Peter Cole
Assistant General Manager

To further improve the security features of our Internet Banking, NetTeller, we are introducing NetTeller Pay Anyone from 1 August 2006.

Basically, NetTeller Pay Anyone requires you to register any internal or external accounts that you intend to transfer money to from your account. This registration process is done online.

Once the new feature is activated you will find additional options to the Transfers menu. These options are:

• Add Pay Anyone Internal Details – allows you to add internal accounts for use in internal transfers.
• Add Pay Anyone Inter-bank Details – allows you to add external account details for use in external transfers.
• List/Delete Pay Anyone Internal – allows you to display and remove registered internal accounts.
• Edit/Delete Pay Anyone Inter-bank BSBs – allows you to edit or delete external account records.

When selecting to transfer funds internally to another membership, you can choose to either transfer to all accounts in that membership, or only nominate selected accounts. So for example you could choose to only transfer to an S4 account of another membership if you want to.

Like everything else about the NetTeller banking service, the Pay Anyone password feature will be user friendly.

If you have any questions about this new feature or wish to register for this additional security feature, please feel free to contact our Member Service Centre on 1300 13 1964.