BankFinancial is committed to protecting your personal financial information from fraud and providing you with complete online security and privacy. We comply with all laws relating to the privacy and security of customer personal and financial information and we maintain electronic security safeguards that comply with federal regulations and security standards.
 
Fraudulent "FDIC" Emails
The Federal Deposit Insurance Corporation (FDIC) has received numerous reports of fraudulent emails that have the appearance of being from the FDIC. The emails appear to be sent from various "@fdic.gov" email addresses, such as "protection", "admin" or "service". They have various subject lines such as "Update for your banking account", "ACH and Wire transfers disabled", and "Banking security update". The fraudulent messages state that ACH and Wire transactions have been temporarily suspended for the Customer's security. The email instructs the recipient to download and install updates and provides a link.
 
These emails and links are fraudulent and were not sent by the FDIC. Do not click on the link or respond to the emails, and do not install any related files or software updates. It is possible that these fraudulent emails may be modified over time with other subject lines, sender names, and narratives. The FDIC does not directly contact bank customers, nor does the FDIC request bank customers to install software upgrades.
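
A mail-gateway check for the spoofed "@fdic.gov" messages described above, added here as an example (it is not FDIC or BankFinancial code). It assumes the receiving gateway evaluates DMARC and stamps an Authentication-Results header with the authserv-id `mx.example.net`; that name, the `sample` helper and all sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines quoted in the FDIC notice; wording may change, so this is a weak signal.
KNOWN_SUBJECTS = {
    "update for your banking account",
    "ach and wire transfers disabled",
    "banking security update",
}
TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id stamped by our own gateway

def dmarc_passed(msg, authserv=TRUSTED_AUTHSERV):
    """True only if our gateway recorded dmarc=pass; headers from other hosts are ignored."""
    for value in msg.get_all("Authentication-Results") or []:
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() == authserv and re.search(r"\bdmarc=pass\b", results, re.I):
            return True
    return False

def classify(raw, authserv=TRUSTED_AUTHSERV):
    """Return 'quarantine', 'review' or 'deliver' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = " ".join(msg.get("Subject", "").split()).lower()
    claims_fdic = domain == "fdic.gov" or domain.endswith(".fdic.gov")
    if claims_fdic and not dmarc_passed(msg, authserv):
        return "quarantine"  # claims an fdic.gov sender but was not authenticated
    if subject in KNOWN_SUBJECTS:
        return "review"      # known lure wording, whatever the sender
    return "deliver"

def sample(sender, subject, auth_results):
    return (f"From: {sender}\nSubject: {subject}\n"
            f"Authentication-Results: {auth_results}\n\nPlease install the update.\n")

SAMPLES = [  # constructed messages, not real mail
    sample('"FDIC" <protection@fdic.gov>', "ACH and Wire transfers disabled",
           "mx.example.net; spf=fail; dmarc=fail header.from=fdic.gov"),
    sample("admin@fdic.gov", "Important notice",  # new subject, pass claimed by another host
           "relay.invalid; dmarc=pass header.from=fdic.gov"),
    sample("service@alerts.example", "Banking security update",
           "mx.example.net; dmarc=pass header.from=alerts.example"),
    sample("news@shop.example", "Your receipt",
           "mx.example.net; dmarc=pass header.from=shop.example"),
]

if __name__ == "__main__":
    print([classify(raw) for raw in SAMPLES])
```

Because subject lines and sender names change over time, the sender-authentication result carries the decision; the subject list only routes look-alike messages for review.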
 
Email Phishing
Phishing is an Internet and email scam designed to elicit personal and confidential information for fraudulent purposes. Such email messages often are mass-mailed or "spammed" to thousands of potential victims. This is typically how it works:
  1. You receive an email from what appears to be a legitimate organization such as a bank, credit card company or a retail merchant with whom you may already have established a business relationship.
  2. The email often includes a warning regarding a so-called "problem" related to your account and asks you to validate or update your personal or financial information in order to maintain your account.
  3. The information requested includes account numbers, passwords, PINs, Social Security numbers or other personal identifying information.
  4. The email is formatted to include the company's logos and branding and directs you to a link to a "spoofed" website disguised to appear like the company's site.
  5. Once you provide your personal or financial information at the site or by responding to the email, the perpetrators quickly use the information in a variety of identity theft crimes, including accessing your financial accounts or creating credit card accounts in your name.
For more information on phishing and other identity theft scams, visit the Federal Trade Commission (FTC) website.
 
Fraudulent Text Messages and Voice Mails - Smishing & Vishing
Similar to email phishing, "smishing" targets your mobile phone through text messages and "vishing" targets voice mail systems. If you receive a text message or voice mail asking you for information about yourself, your account, or your card information, contact BankFinancial immediately at 1.800.894.6900. Do not respond to the text message or voice mail, do not call a number they have provided you, and do not share any information with them.
 
For more information on smishing and vishing, visit the Federal Bureau of Investigation's website.
 
Online Security, Everyday, Everywhere
Your online security has always been a top priority. That's why Enhanced Login Security is so important. This security service is free, easy, and most importantly, gives you extra protection from fraud and identity theft. Enhanced Login Security identifies you as the true "owner" of your accounts. Not only will your password be recognized, your computer will be recognized as well. If we don't recognize your computer - you've logged in from a public computer or one you haven't used before - you will be prompted to answer challenge questions as an additional line of defense against unauthorized access to your accounts. Enhanced Login is just one more way to prevent fraud, protect against identity theft, and strengthen your online security as a whole. 
 
Reporting your BankFinancial ATM or Debit Card Lost or Stolen
  • Online
    • Log into Online Banking and click on "Cancel Cards Request"
    • Select the card you would like to cancel and follow the prompts
    • Select why you want to cancel your card. You may select the box to order a new card.
  • Call the Customer Service Center
    • During regular business hours (Monday - Friday, 8am - 8pm and Saturday, 8am - 3pm CST), call 1.800.894.6900 to speak to a representative
  • By phone, when the Customer Service Center is closed
    • Call Bank-by-Phone at 1.800.244.2265
    • Select "6" for "ATM or Debit Card Activation or Deactivation"
    • Select "1" for "Card Deactivation"
    • You will then need to call the Customer Service Center at 1.800.894.6900 during normal business hours (Monday - Friday, 8am - 8pm and Saturday, 8am - 3pm CST) and speak to a representative to order a new card
  • By phone, 24/7, Fidelity Customer Service Center
    • Call 1.866.537.2830

Customer Identification Program
In accordance with the U.S. Patriot Act, all financial institutions are required by law to obtain the following information for each individual or entity opening any new account:
  • Legal Name
  • Address of Permanent Residence or Principal Place of Business
  • Social Security Number or Taxpayer Identification Number
  • Date of Birth (for individuals)
We may also ask to see your driver's license or other identification documents. Thank you for your cooperation in providing this required information.
 
Protect Your Confidential Information
BankFinancial does not solicit confidential or sensitive Customer information - including your account number, Social Security number, Personal Identification Number (PIN) or password - via email. Beware if someone emails you claiming to represent BankFinancial and asking for your account number or personal identification information. BankFinancial associates will not ask for such information via email. Use of Social Security information has become an increasingly transparent security device. Your Social Security number should not be used as your user identification or password. Unauthorized individuals can use your Social Security number to access other information to which they are not entitled. BankFinancial continues to take steps to protect against this and other security threats. As you experience these increased security measures, we ask for your patience. Please understand that they are for your own protection.
 
PIN Reversals - Misinformation Could Lead to Personal Safety Issues
The Internet can often quickly spread "urban myth" stories, but few stories gain such rapid appeal with so many potentially negative impacts on cardholder safety and confidence as the misleading stories circulating the Internet regarding PIN reversal to signal duress. PIN reversal technology is a concept based upon the possibility that a cardholder could reverse his or her PIN at an ATM to draw attention to a dangerous situation like a kidnapping or a robbery. Critics say that it is unlikely that anyone under duress could successfully employ this technique without compromising personal safety. Financial institutions within the United States have not deployed this technique despite several well-circulated email chain letters that have misstated this. PIN reversal is not a valid security option at an ATM.
 
Protect Yourself from Cyber Attacks
Recently, there have been a number of cyber attacks targeted at financial institutions. These attacks are designed to exploit potential vulnerabilities in financial institution servers and Customer web browsers in an effort to gain login identification and password information. BankFinancial strongly urges you to take the following precautions to protect yourself from cyber attacks and keep your personal financial information private and secure.
  1. Never use information that is easily accessible - such as your Social Security number, birthday or home address - as your Personal Identification Number (PIN) or password.
  2. Keep the PIN you use to log into Online Banking a secret. Change it often to make certain nobody will guess it, and never allow anyone else to use it.
  3. Never leave your computer without exiting from Online Banking. In the Online Banking module, under User Options you will find a selection to change your timeout. This feature will automatically close your Online Banking session after a specific period of inactivity. You are in control of the length of time between your last command and when the session will close. If the session ends before you are done, all you have to do is log back in.
  4. Use extreme caution when opening email attachments from any site and following URLs. If you have not received email from a site before, even a trusted one, be very careful opening attachments or following other links.
  5. Do not provide any personal financial information via email, and never respond to unsolicited emails asking for personal and financial information. Be cautious with the type of information you send via email. Do not include personal information such as your Social Security number or provide financial information such as account numbers, account balances, or charge card numbers.
  6. Periodically check your credit report for unauthorized activity. Three major credit report agencies are Equifax, Experian and TransUnion. You can obtain a free credit report online.
  7. Use the latest version of Netscape Navigator or Microsoft Internet Explorer and keep up to date on the latest security patches.
  8. Apply vendor-supplied software patches in a timely manner. Regularly visit the Microsoft web site for the most current patches to the operating system.
  9. Install anti-virus software and keep it up to date. Configure your computer to run it on a regular basis. Regularly visit the anti-virus software vendor's site for the most current updates and apply them.
  10. Disable features/services that are not explicitly required. "Active content," delivered by items such as JavaScript or Java and ActiveX controls, can provide increased functionality and embellishments on web pages, but it is also a way for attackers to download or execute malicious code on a user's computer. You can prevent "active content" from running on most browsers. However, realize that added security may limit functionality and break features of some sites you visit. Before clicking on an unfamiliar site or a site you do not trust, take the precaution of disabling "active content."
If you suspect fraudulent activity related to your BankFinancial accounts, contact us immediately at 1.800.894.6900.
 
Electronic Security Safeguards
BankFinancial uses various methods to ensure our Online Banking is secure:
  1. Secure Socket Layer (SSL) - SSL is an encryption tool. Whenever you see a little picture of a lock on your browser, it means that you are communicating in a secure mode with us. Any personal information you send us is encrypted so that it cannot be read if it is intercepted. Likewise, information we send back to you when the lock is visible is encrypted so your confidential information stays confidential.
  2. Site Certificate - We have registered www.bankfinancial.com with Verisign and received a Site Certificate. This certificate will check to ensure that all content you receive from our site originated from our site. This prevents others from sending back information to you, acting as if they were BankFinancial.

SQL Injection
A Russian crime ring recently compiled the largest known collection of stolen Internet credentials, including 1.2 billion unique user name and password combinations. The impacted websites range from small operations to Fortune 500 companies in both the U.S. and internationally. The Russian crime ring relied on a botnet of infected users. This botnet tested websites visited by infected users for vulnerability to a well-known hacking technique known as SQL injection. If the website proved vulnerable, criminals returned later to extract the full contents of the database.

The list of the impacted companies is not yet publicly available. However, BankFinancial's Online Banking uses stored procedures, a technique that significantly decreases the likelihood of a SQL injection attack. Our production site is also continuously scanned for SQL injection flaws. Additionally, we use static analysis and dynamic analysis tools to test for SQL injection during our development cycle. Penetration testing, including SQL injection, is also done regularly by third party partners.
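
A minimal static check of the kind the paragraph above refers to, added here as an example (it is not BankFinancial's tooling). It assumes the code under review is Python using a DB-API cursor; the reviewed functions and the procedure name `dbo.GetAccountsByOwner` are constructed. It flags `execute()` calls whose SQL text is assembled at run time and passes calls that use a fixed statement or stored-procedure call with bound parameters.

```python
import ast

SQL_METHODS = {"execute", "executemany"}

def is_literal(node):
    """A string constant, or a '+' chain made only of string constants."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_literal(node.left) and is_literal(node.right)
    return False

def is_dynamic(node):
    """True when the SQL text is assembled from non-literal parts."""
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not is_literal(node)
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"

def find_dynamic_sql(source):
    """Return line numbers of execute() calls whose SQL text is built at run time."""
    tree = ast.parse(source)
    built = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign) and is_dynamic(n.value)
             for t in n.targets if isinstance(t, ast.Name)}
    hits = []
    for n in ast.walk(tree):
        if (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                and n.func.attr in SQL_METHODS and n.args):
            arg = n.args[0]
            if is_dynamic(arg) or (isinstance(arg, ast.Name) and arg.id in built):
                hits.append(n.lineno)
    return sorted(hits)

# Constructed code under review; dbo.GetAccountsByOwner is a hypothetical procedure.
SAMPLE = '''\
def concat(cur, name):
    sql = "SELECT * FROM accounts WHERE owner = '" + name + "'"
    cur.execute(sql)
def fstring(cur, name):
    cur.execute(f"SELECT * FROM accounts WHERE owner = '{name}'")
def bound(cur, name):
    cur.execute("SELECT * FROM accounts WHERE owner = ?", (name,))
def stored_proc(cur, name):
    cur.execute("EXEC dbo.GetAccountsByOwner @owner = ?", (name,))
'''

if __name__ == "__main__":
    print(find_dynamic_sql(SAMPLE))
```

The check only sees how the statement text is built in the calling code: a stored procedure that concatenates its arguments into dynamic SQL internally would need a separate review of the procedure body.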