PRIVACY POLICY NOTICE
Protecting your privacy is important to American National Bank and our employees.
We want you to understand what nonpublic personal information about you we collect
and how we use it. This policy applies only to our customers who have products or
services used primarily for personal, family or household purposes.
What Information We Collect
Nonpublic personal information is information about you that is not available
to the public that we obtain while providing a financial product or service to you.
We may collect nonpublic personal information about you from the following
sources:
- Information we receive from you on applications or other
forms, such as your name, address, telephone number, social security number, assets
and income;
- Information about your transactions with us, our affiliates
or others, such as your account balance and payment history; and
- Information we receive from a consumer-reporting agency,
such as your creditworthiness and your payment history.
What Information We May Disclose
We do not disclose any nonpublic personal information about our customers or
former customers to anyone, except as permitted by law. Under our policy we may
disclose your information only as follows:
- We may disclose information about our experiences or transactions with you or your
account (such as your account balance and your payment history with us) to companies
related to us by common control or ownership (“affiliates”).
- We may disclose nonpublic personal information about you to certain nonaffiliated
third parties. For example, we may disclose nonpublic personal information about
you to these third parties to assist us in originating or servicing your loan or
account with us; in response to subpoenas, garnishments or similar processes; and to consumer
reporting agencies.
- We may disclose the information we collect to companies that perform marketing services
on our behalf or to other financial institutions with whom we have a joint marketing
arrangement (in order to offer you a credit card product, for example).
We will continue to follow our privacy policies and practices as in effect from
time to time regarding the nonpublic personal information that we may have on file
even if you no longer do business with us.
Our Confidentiality and Security Procedures
We restrict access to your personal and account information to those of our
employees who need to know that information to provide products or services to you.
We maintain physical, electronic, and procedural safeguards that comply with federal
standards to guard your nonpublic personal information. We regularly assess our
security standards.
Internet Scammers casting about for people’s financial information have new ways to lure unsuspecting victims.
Phishing - According to the Federal Trade Commission (FTC), the emails pretend to be from businesses the potential victims deal with – for example, their Internet service provider (ISP), online payment service or bank. The fraudsters tell recipients that they need to "update" or "validate" their billing information to keep their accounts active, and direct them to a "look-alike" Web site of the requestor. Unknowingly, consumers submit their financial information – not to the businesses – but to the scammers, who use it to order goods and services and obtain credit.
Pharming – also referred to as brand spoofing or carding, is a variation of “phishing,” the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting. By spamming large groups of people, the “phisher” counts on the e-mail being read by a large percentage of people who actually will list personal information at the spoofed (known as pharming) website.
Vishing – (Voice phISHING) also called “VOIP Phishing”, is the voice counterpart to “phishing”. Instead of being directed by email to a website, an email message asks the user to make a telephone call. The call triggers a voice response system that asks for the user’s credit card number, or other confidential information. The initial bait can also be a telephone call with a recording that instructs the user to phone an 800 number.
Smishing – is a form of criminal activity using social engineering techniques similar to phishing. The name is derived from “SMS phISHING”. SMS (Short Message Service) is the technology used for text messages on cell phones. Similarly to phishing, smishing uses cell phone text messages to deliver the “bait” to get you to divulge your personal information. The “hook” (the method used to actually “capture” your information) in the text message may be a web site URL; however, it has become more common to see a phone number that connects to an automated voice response system. The smishing message usually contains something that wants your “immediate attention”; some examples include “Your card has been deactivated for security reasons. If you would like to re-activate your card, please call 800 XXX_XXXX and enter the requested information.” If a customer calls the 800 number, it will normally ask for the customer’s full Credit or Debit Card number, their PIN number and possibly their Social Security and/or Account number. At that point, the fraudsters have all the information they need to make fraudulent purchases on your card or create a counterfeit card and withdraw your entire account balance.
Cookie – A message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
The main purpose of cookies is to identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser, which stores it for later use. The next time you go to the Web site, your browser will send the cookie to the Web server. The server can use this information to present you with a custom Web page. So, for example, instead of seeing a generic welcome page you may see a welcome page with your name on it.
Cookies do not act maliciously on computer systems. They are merely text files that can be deleted at any time; they are neither plug-ins nor programs. Cookies cannot be used to spread viruses and they cannot access your hard drive. This does not mean that cookies are not relevant to a user’s privacy and anonymity on the Internet. Cookies cannot read your hard drive to find out information about you; however, any personal information that you give to a Web site, including credit card information, will most likely be stored in a cookie unless you have turned off the cookie feature in your browser. In only this way are cookies a threat to privacy. The cookie will only contain information that you freely provide to a Web site.
Cookies have six parameters that can be passed to them:
- The name of the cookie.
- The value of the cookie.
- The expiration date of the cookie - this determines how long the cookie will remain active in your browser.
- The path the cookie is valid for - this sets the URL path the cookie is valid in. Web pages outside of that path cannot use the cookie.
- The domain the cookie is valid for - this takes the path parameter one step further. This makes the cookie accessible to pages on any of the servers when a site uses multiple servers in a domain.
- The need for a secure connection - this indicates that the cookie can only be used under a secure server condition, such as a site using Secure Sockets Layer (SSL).
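The six parameters above, worked through as an added example (not code from the Bank or from any browser): it splits one Set-Cookie header into those parameters and then decides, from expiration, secure connection, domain and path, whether a browser would send the cookie back with a given request. The header, the bank.example domain and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample header; bank.example is a placeholder domain.
SAMPLE = ("session_pref=large-text; Expires=Wed, 01 Jan 2031 00:00:00 GMT; "
          "Path=/accounts; Domain=bank.example; Secure")

@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime]  # None = kept only for the browser session
    path: str
    domain: Optional[str]        # None = only the host that set the cookie
    secure: bool

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into the six parameters."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = Cookie(name.strip(), value.strip(), None, "/", None, False)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val)
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
    return cookie

def would_send(cookie: Cookie, set_by_host: str, url: str, now: datetime) -> bool:
    """Decide whether a browser returns the cookie with a request for url."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if cookie.expires is not None and now >= cookie.expires:
        return False                      # past its expiration date
    if cookie.secure and target.scheme != "https":
        return False                      # needs a secure connection
    if cookie.domain is None:
        if host != set_by_host.lower():
            return False                  # host-only cookie, different host
    elif host != cookie.domain and not host.endswith("." + cookie.domain):
        return False                      # outside the cookie's domain
    req_path = target.path or "/"
    prefix = cookie.path.rstrip("/")      # "/accounts" must not match "/accountsx"
    return req_path == cookie.path or req_path.startswith(prefix + "/")
```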
Both Netscape and Microsoft Internet Explorer (IE) can be set to reject cookies if the user prefers to use the Internet without enabling cookies to be stored. In Netscape, follow the Edit/Preferences/Advanced menu and in IE, follow the Tools/Internet Options/Security menu to set cookie preferences.
Insecurity of email – You should never send confidential customer information via unsecured email. Any emails containing confidential information should be sent in a secure manner, either via a secure mail program or password protected. Confidential customer information is considered to be, but not limited to: Account number; Social Security or Tax ID number; Loan #, Credit / Debit / ATM card number, PIN number, etc. The Bank will always send out confidential emails in a secure manner.
Relative to the potential of someone stealing your identity, please be advised that the Bank will never ask you for confidential information through email and/or phone. Please report any such request to the Bank immediately. For further information on Identity Theft and how to protect yourself, go to www.ftc.gov and select the consumer section.
If you have any questions or need additional information,
please contact us toll free at the phone number or address listed below or your local banking center.
American National Bank 3033 East 1st Avenue, Denver, CO 80206 1-866-433-0282
BankAtEase™
Security
There are three general categories of Internet security concern that are addressed
in this white paper. The first is Log-In protection, the requirement that each user
maintain a strictly private password and Log-In ID to which no one but the authorized
customer should ever have access. Second is transmission security, the need to keep
unauthorized agents from intercepting and/or deciphering the transmission of customers'
encrypted data while it travels between the customer's computer and the bank's server.
Third, and lastly, is information privacy and integrity, the ability to prevent
unauthorized agents from viewing and/or writing to customers' data while it is stored
on the bank's server.
"Customer" will be used to signify an authorized bank customer using software for
the benevolent purposes it was intended and "agent" will be used to signify a person
whose goal it is to exploit a software application for some negative end.
- Log-In Protection for the Customer
Every customer must privately maintain a combination of password and Log-In ID.
Because the customer is assigned the original password by the bank's technical representative,
BankAtEase™ forces the customer to change the password once
logged onto the system and before any transactions can be requested. This forces
the customer to establish an absolutely private password. Also, any subsequent changes
to the password (say a customer loses or forgets the password) which require back
office processing by a representative at the bank will force a change once the customer
uses the new password to log on.
Three (3) Strikes And You're Out
If an agent attempts unauthorized entry into a customer's account by trying to guess
a password, BankAtEase™ will disable or destroy the password
on the third incorrect attempt, thus invalidating the Log-In combination. The disabling
and/or destruction of the password keeps an unauthorized agent from running a 'crack'
program, an application that can run through millions of possible passwords eliminating
the invalid ones until it arrives at a match. To guard against unauthorized use
of your log-in ID and password, BankAtEase™ disables the password
indefinitely until you call the bank and request your log-in and password to be
reset. This will occur if you accidentally activate this security feature by unintentionally
mis-keying a password three times. You will need to call the bank to reestablish
the password for your account(s). For example, a common mistake made by customers
is having the caps-lock on while keying in a password. Since the password is case
sensitive and you cannot actually see the characters you are typing, it is easy
to think you are typing the password correctly when the caps-lock is engaged.
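The two log-in rules described above, the forced change of a bank-issued password and the lockout on the third incorrect attempt, sketched as an added example; this is not BankAtEase code, and the class and method names, the PBKDF2 storage and the clearing of the strike count after a good log-in are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_STRIKES = 3  # the text: disabled on the third incorrect attempt


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen record is costly to guess against.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    strikes: int = 0
    locked: bool = False
    must_change: bool = True  # a bank-issued password is only temporary


class LoginGuard:
    def __init__(self):
        self.accounts = {}

    def bank_reset(self, login_id: str, temp_password: str) -> None:
        """Back-office reset: new temporary password, lock and strikes cleared."""
        salt = os.urandom(16)
        self.accounts[login_id] = Account(salt, _hash(temp_password, salt))

    def _check(self, login_id: str, password: str):
        acct = self.accounts.get(login_id)
        if acct is None or acct.locked:
            return None  # a locked account rejects even the right password
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.strikes = 0  # assumption: a good log-in clears earlier misses
            return acct
        acct.strikes += 1
        acct.locked = acct.strikes >= MAX_STRIKES
        return None

    def log_in(self, login_id: str, password: str) -> str:
        acct = self._check(login_id, password)
        if acct is None:
            return "denied"
        return "change_required" if acct.must_change else "ok"

    def change_password(self, login_id: str, old: str, new: str) -> bool:
        acct = self._check(login_id, old)
        if acct is None or new == old:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.must_change = False
        return True
```

Because the lock is checked before the password, an automated guessing run gets at most three tries per account no matter how fast it runs, and a mis-keyed password with caps-lock on counts as a strike like any other.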
Suggestions for Passwords
Your password and logon ID provide security against unauthorized entry and access
to your accounts. Passwords should not be easy to guess; for example, children's
or pets' names, birth dates, addresses or other easily recognized identifications
for you should be avoided. Combining upper and lower cases within your password
as well as combined alpha and numeric characters is a good security precaution in
selecting a password (for example: sp3aKer is a good password for "speaker"). All
passwords should be a minimum of 6 characters.
- Transmission Security
Transmission security begins with the browser. A customer must be using a browser
that supports the Netscape-developed encryption technology known as Secure Sockets
Layer (SSL). Versions of Netscape 2.0 or beyond and Microsoft Internet Explorer
3.02 or beyond come equipped with SSL. SSL's specific function is to manipulate
data into an unreadable format as it leaves the customer's PC. The temporary scrambling
of data in transit is referred to as 'encryption'. In the unlikely case that an
agent should intercept the data in transit, the encryption makes the data unreadable
to a human and nearly impossible for a computer to crack. Furthermore, data in transit
is split up into packets that travel separately and are not reorganized until they
arrive at the bank's web server. So if the encryption code should be solved, the
agent is likely to only be in possession of individual packets that would be out
of context with the whole data.
As you would expect, the converse of encryption, decryption, must take place before
the data is rearranged back into a useful format. The relationship between which
computer encrypts data and which computer has the subsequent ability to decrypt
that data is determined by an extension of SSL known as public and private key pair
technology. This method consists of two keys, one public and the other private.
The public key is published from the bank's server upon request by the customer's
web browser (i.e. Netscape or MS Internet Explorer). The private key is held privately
at the bank's server. Once received by the customer's browser, the public key is
used to encrypt the data as it leaves for the bank's server. The encrypted data
can only be decrypted by the private key, based on the mutually exclusive, asymmetric
relationship that these two keys share. As Netscape puts it, "Data that is encrypted
with the public key can be decrypted only with the private key. Conversely, data
encrypted with the private key can be decrypted only with the public key. This asymmetry
is the property that makes public key cryptography so useful."
This answers the question that may have occurred to you:
"Encryption may make data unreadable to a human, but can another machine intercept
the data and unscramble it?" The co-dependency between the public and private key
pair ensures that the only computer capable of decrypting data is the one who provides
the means by which it is also encrypted. This raises another question: "How can
either party, the recipient of a public key and/or the holder of the private key
make any guarantee that either are who they say they are?" Indeed, if substitutions
of identity can be made, it makes no difference how well encrypted data travels.
To address this issue, BankAtEase™ employs VeriSign Digital ID
authentication technology.
The VeriSign Digital ID (all quotes in this section are taken from VeriSign's white
paper at https://www.VeriSign.com as of 11/13/97.)
The reasoning behind the public/private key pair is similar to that of a safety
deposit box that can only be opened by two separate keys that are owned by two different
people and must be used simultaneously to work the lock. With a safety deposit box,
it is relatively easy to make visual confirmation that the person holding the other
key is who you think they are and, indeed, someone with whom you want to be sharing
this mutual responsibility. The Internet is faceless, however, and a bank's server
is likely to get requests all day long from customers all around the world. How
does a bank bind the identity of the computer knocking on its server door with a
legitimate, authorized customer? And conversely, how does the browser of a legitimate
customer verify that it is communicating with its intended destination at the bank?
BankAtEase™ servers employ technology called the Digital ID
to address the issue of identification. The Digital ID, developed by VeriSign, provides
a standard of authentication against which claims of identity can be made and guaranteed.
VeriSign, in its white paper, writes that "Digital ID's are electronic credentials
that establish an individual's or entity's identity. A server secured with a Digital
ID ensures visitors of the site's authenticity and allows the session with the client
to be encrypted". It is essentially "third party evidence" that customers seeking
and receiving data are who the server understands them to be, and vice versa.
Here is a section taken from VeriSign's white paper that describes how it works
in conjunction with public/private key pair technology.
A Digital ID provides an electronic means of verifying that the individual or
organization with whom you are communicating is who they claim to be. The identity
of the Digital ID owner is bound to a pair of electronic keys that can be used to
encrypt and sign digital information, assuring that the keys actually belong to
the person or organization specified.
A CA (Certification Authority) such as VeriSign attests to an individual's or organization's
right to use the keys by digitally signing the Digital ID after verifying the identity
information it contains. The assurance provided by the Digital ID depends on the
trustworthiness of the CA that issued the Digital ID and the integrity and security
of the CA's practices and procedures.
When a connection is established between a client and a secure server, the client
software automatically verifies the server by checking the validity of the server's
Digital ID. The key pair associated with the server's Digital ID is then used to
encrypt and verify a session key that is passed between the client and server. This
session key is then used to encrypt the session. A different session key is used
for each client-server connection, and the session key automatically expires in
24 hours. Even if a session key is intercepted and decrypted (very unlikely), it
cannot be used to eavesdrop on subsequent sessions. SSL is the connection protocol
used for this authentication and encryption process.
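The key-pair asymmetry and the per-connection session key described in this section, as an added example that is not BankAtEase, Netscape or VeriSign code. It assumes textbook RSA on a constructed toy key pair and a hash-based keystream standing in for the real SSL ciphers, so it shows the arithmetic only and offers no protection for real data; all names are illustrative.

```python
import hashlib
import secrets

# Constructed toy key pair built from two Mersenne primes. Far too small and
# unpadded for real use; it only makes the relationship between the keys visible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                     # public key, published by the server
D = pow(E, -1, (P - 1) * (Q - 1))       # private key, never leaves the server


def public_op(x: int) -> int:
    return pow(x, E, N)


def private_op(x: int) -> int:
    return pow(x, D, N)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy session cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def client_send(message: bytes):
    """Browser side: fresh session key per connection, wrapped with the public key."""
    session_key = secrets.token_bytes(16)
    wrapped = public_op(int.from_bytes(session_key, "big"))
    return wrapped, keystream_xor(session_key, message)


def server_receive(wrapped: int, ciphertext: bytes) -> bytes:
    """Server side: only the private key recovers the session key."""
    session_key = private_op(wrapped).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """The converse direction: transformed with the private key ..."""
    return private_op(_digest(message))


def verify(message: bytes, signature: int) -> bool:
    """... and checked by anyone holding the public key."""
    return public_op(signature) == _digest(message)
```

The sign and verify pair is the same operation a CA performs on a Digital ID: it signs with its private key, and the client checks the result with the CA's public key.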
- Server Security and Information Privacy/Integrity
Having encrypted the data and verified that the sender and receiver can be
appropriately identified by each other, the web server and the information stored
on it are protected in the following ways. BankAtEase™ operates off a server that
is physically separate from the bank's mainframe and is protected by a firewall.
In addition, a router with a firewall is installed between the Internet and the
server. This router, loaded with a firewall, and an additional firewall are
configured to allow only HTTP traffic from the Internet.
We want to hear from you. Contact us at
info@anbbank.com