Stopping Robocalls from Rachel at Cardholder Services
Over 80% of the calls on our home phone are spam marketing calls of one type or another. Our home phone line gets frequent calls from “Rachel at Cardholder Services” with a social engineering scam to get your credit card number. Sometimes her name is Carmen or some other name. Of late, the caller ID information has been spoofed--a felony punishable by a $10,000 fine for each violation. Blocking unknown callers doesn't do any good, because most of the scam calls have caller ID information--though the caller ID is bogus. In some cases the scammers calling our number have spoofed United Parcel Service, while in others they spoofed a number a few digits off that is used by a residence a few blocks away, and occasionally our number itself. It had gotten to the point that my wife and I were starting to use our cell phones to call one another at home, so I started looking at some solutions, and ended up with a three-layer system that now catches most of the spam calls. The first layer is call blocking at our telco, the second is a service called NoMoRobo, and the third is a low-power computer running a program called Network Caller ID. The article that follows talks about how to implement this and other topics on telephone spam:
- Turning on Call Blocking at Telco
- Sign up with NoMoRoBo
- Political Robo Calls
- Using Call Tracing to Prepare to Turn over to Law Enforcement
- File a Complaint with FCC
- Alternatives for Blacklist Devices
- Installing Network Caller ID Package and Enabling Blacklist Hang-up
- Results from Installing NCID
Turning on Call Blocking at Telco
The first step was logging on to our telco and searching through the features on our account to find call blocking; our telco allows us to block up to ten specific numbers, or block anonymous calls, but not both. Since most of the calls were coming from spoofed numbers, I checked the box for blocking a specific list and started filling in the numbers off of our caller ID. This step cut the volume of scam calls from 10 per day to 2 per day. The remaining scam calls were mostly ones that were anonymous and did not spoof the caller ID.
For this call blocking, it is probably best to put in at least your own phone number, since this spoofing attack is not likely to be widespread enough to end up in one of the blacklists described below.
In the Google Voice interface, you can block individual phone numbers that have called your Google Voice number. This is an important step, as much of the “Google Listing” spam appears to use Google Voice directly as a way to avoid having Google Voice forward to your external phone numbers.
Change to a Telephone Provider that Supports NoMoRoBo and Other Call Blocking Features
If your telephone provider does not support NoMoRoBo or provide any other call blocking features, consider switching to a provider that does provide call blocking features. Strictly for cost reasons ($30/month) we switched to voip.ms, a voice over IP service (VOIP) that supports NoMoRoBo. Voip.ms also provides a lot of call blocking features that Verizon/Frontier did not offer; it is not as robust as the NCID solutions that I describe later, but it does allow 500 block numbers instead of the 10 or 20 that Verizon/Frontier allowed, and it has the capability to do “regular expressions” for evaluating the caller ID line. The cost will be about $5/month for our typical use, with about $85 in initial costs for hardware and setup.
To make this work on all of the phones in our house, I installed an Obi202 box (about $70 of the $85 total cost) to connect the VOIP line to our home phone wiring. Setting this up requires some technical skills. You should be comfortable configuring IP addresses and opening ports on a router before you attempt this.
There are three caveats to going to a VOIP service:
- They don’t claim to provide telco level reliability for 911 calls. You can set it up, but you should not go this route unless you have a backup approach for calling 911–a cell phone will do fine.
- Setting up your outbound caller ID takes some doing, and requires a one-time $10 charge.
- If you are on Frontier, when you port your number, they will close all of the services on your account including Internet and TV, and the customer service people do not know that two months in to the transfer from Verizon to Frontier. Getting Internet working again will require several calls.
All said, the transfer to VOIP has worked well, and it appears to do a better job of spam call blocking; I think voip.ms transfers calls to NoMoRoBo faster than Verizon/Frontier, as the hang-up occurs midway through the first ring most of the time, and I think it may actually hang up before the first ring in some cases.
Sign up with NoMoRoBo
The second step was easy and fairly effective. Because the robo-dialer scam problem has gotten so bad, some businesses have started to help address the problem. Nomorobo is one such service. I’m not sure how they make their money at this point, but I suspect that they will start offering subscriptions or will offer the service through telcos at some point. In any case, my wife signed us up and it works similarly to the Network Caller ID (NCID) system described below, but it is much easier to set up. The service is currently limited to phone lines that can ring simultaneously in two places–primarily VOIP. The phone rings once and then Nomorobo looks at the caller ID and hangs up if the number is on their list.
In practice, Nomorobo has hung up on some calls from numbers that were not in my NCID log yet, and in other cases, it hung up on phone calls that were legitimate; there is no way to white-list numbers that I can find. Fortunately, the NCID log is easy to use, so I could recognize the number and call it back.
Not all telcos support NoMoRoBo; in particular Google Voice and MagicJack do not at this writing. See the NoMoRoBo Supported Carriers list in the sign screen to check for yours.
Political Robo Calls
The legislation that requires legitimate telemarketers to honor the Do Not Call list exempts charities and political robocalls. Because NoMoRoBo is an opt-in service, NoMoRoBo has the option to block political robo calls, but you must check off an item in your profile to do so. In practice, it isn’t all that effective at blocking political robo calls, and may be the subject of some manipulation. In a recent primary, NoMoRoBo did not stop many (if any) of the robo calls from PACs on one side of the contest, but it did stop the second and subsequent in-person calls from a resident of my town who was a volunteer for the other candidate. As I maintained my NCID blacklist, it was reasonably effective at blocking the PAC robo calls, b
File a Complaint with FCC
The third step initially felt like a waste of time, but has turned out to be quite important; you should file a complaint on the FCC web site. This may not do anything in the short run, but will help in the longer term; the FTC has actually sponsored a contest for solutions on dealing with “Rachel Robocalls” and now publishes a list of phone numbers associated with complaints. The list is updated monthly, and is very useful; since I installed it on the Network Caller ID server described below, it has caught almost 100% of spam calls. There are Android apps that appear to use this list as well. Filing a complaint with the FCC is an important part of fighting robocalls.
Using Call Tracing to Prepare to Turn over to Law Enforcement
The next step took a little bit more research, and may cost me some money. After a scam call that used a spoofed caller ID (a felony), I pressed *57 which initiates a telephone company trace that is kept for 90 days and which the telco can turn over to law enforcement. Some sites indicate that telcos charge for this while our telco web site is silent about any extra charges for traces. It will take a while to find out whether or not this does anything, and whether or not there is enough information to pass on to law enforcement.
Alternatives for Blacklisting Devices
There are both commercial and open source software devices that will allow you to blacklist specific phone numbers or in some cases patterns. The commercial devices are easier to set up, but don’t necessarily allow you to specify patterns while the open source devices (Network Caller ID) are more flexible but are also more complex to set up. The next sections describe both some commercial devices and an open source device that I am using successfully.
I have not used these devices, but they have been recommended in other reviews, and the features described are ones that I have found to be useful in my NCID setup.
- Digitone Call Blocker Plus. This is a central device; you may have to go to it to add a number.
- Panasonic Home Monitoring telephones with Call Blocking. These are generally limited to 250 numbers; my block list is rapidly approaching that length. Phone systems have the advantage of allowing you to add block numbers from any handset.
Open Source Devices
Open source software is available for doing call blocking. These can be configured to run on a Raspberry Pi, an old laptop (especially if it has a modem) or any computer that is left running. The adventurous might even be able to get it running on an old router or Western Digital NAS device.
- Network Caller ID (NCID). I use this very successfully; instructions for configuring this on a Raspberry Pi are discussed below.
- Telemarketing (Junk) Call Blocker. I have not used this.
- Various Android applications
Network Caller ID (NCID)
Network Caller ID (NCID) is a great open source package for setting up sophisticated call blocking. The remainder of this article is dedicated to setting up NCID on a Raspberry Pi low-power server.
Installing Network Caller ID Package and Enabling Blacklist Hang-up
Network Caller ID (NCID) is much more technical than all of the previous solutions, but is by far the most flexible. For users that are comfortable with using the command line, this is pretty easy, but it will be difficult for users that don't regularly use command-line utilities. The open source program Network Caller ID (NCID) allows you to hook up a modem to a phone line and then automatically hang up calls that match rules in a blacklist file. This program will address anonymous calls and repeated spoofed calls simultaneously--something I can't do through the telco web site. Call blocking at my telco won't allow me to block numbers that have a leading 1, as in 1-xxx-xxx-xxxx where the caller ID spoofers put a 1 in front of the area code. NCID will allow me to blacklist these numbers.
NCID is available for Linux, Mac and Windows. To find installation instructions for your particular platform and/or distribution, search on ncid, ncid-client, ncid-mythtv, and ncid-pop. For the most recent versions of Ubuntu, this may be part of the standard repository. There is a binary available on the NCID web site for Cygwin, so it should be possible to run NCID on an old Windows laptop if you don't want to load a Linux distribution, though I have not tried this.
NCID has an app for Android that allows you to send caller ID and SMS text information from your cell phone to NCID and then to your computer display, allowing you to know when your cell phone rings when it isn't right next to your desk. I haven't configured this feature.
NCID won't completely block the call, but will automatically hang up after the first ring if the call matches one of the rules in your
Installing NCID on a Raspberry Pi Server
For my NCID installation, I used a TrendNet TFM-561U modem which was about $25 at a local computer store. I attached it to a Raspberry Pi low power server that I use for a few utility functions that aren’t computationally intensive. NCID wasn’t available in the standard Raspbian repositories. I was able to get useful instructions from the NCID web site, but these have subsequently been deleted.
The first step is to download the .deb packages for your architecture from Sourceforge and then use gdebi to install the .deb packages:
dpkg -i ncid_1.8-1_armhf.deb
dpkg -i ncid_gateway_1.8-1_armhf.deb
apt-get install -f
Originally, I ended up having to use the gdebi package to install NCID, but have successfully used dpkg. Gdebi attempts to do more resolution of package dependencies than dpkg, and has a reputation for doing a less brute-force job than apt.
To use NCID, you have to configure /etc/ncid/ncidd.conf to make a couple of changes to turn on blacklist call hangup and configure your modem:
- Uncomment the line for set ttyport = /dev/ttyACM0 to enable the TrendNet modem. Which line you uncomment or change will depend upon your platform, distribution and modem type.
- Uncomment the line for set hangup = 1 to cause NCID to hang up on calls that match a black list.
- I did not need to modify the init string for the modem, but one article reader had to add AT+VCID=1 to the modem initialization.
Configuring the NCID Blacklist
To start hanging up on anonymous and blacklisted numbers, I made the following changes to the
^UNKNOWN
^unknown
^Unknown
^No Caller ID
^OUT-OF-AREA
^UNAVAILABLE
^CONSUMER SVCS
^DMCR
^RING
^000
"OUT-OF-AREA" has blocked some legitimate calls from Google Voice numbers. I had to add these numbers to the
Make sure to include numbers both with and without the preceding 1 for long distance.
If you have problems with NCID hanging up on ALL calls, look in your ncidd.blacklist for something like
as this appears to cause it to hang up on all calls.
You should download and format the FTC complaint list as described in the related article Download and Format the FTC Robocall Complaint List for NCID. This list has caught almost 100% of robocalls since I installed it on my NCID server in early November, 2015.
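The blacklist problems described above (an entry that hangs up on every call, OUT-OF-AREA catching wanted callers, and numbers listed without the leading 1) can be checked before a list goes live. The following is an added example, not code from the article or from NCID: it assumes a simplified matching model in which each entry is a regular expression tested against the caller ID number and name, and all phone numbers in it are constructed placeholders.

```python
import re

# Simplified model (assumption, not NCID's own matcher): every blacklist entry
# is a regular expression, and a call is hung up when an entry matches either
# the caller ID number or the caller ID name.
def entry_hits(entry, number, name):
    pattern = re.compile(entry)
    return bool(pattern.search(number) or pattern.search(name))


def blocking_entries(blacklist, number, name):
    """Return the entries that would hang up on this call."""
    return [e for e in blacklist if entry_hits(e, number, name)]


def audit(blacklist, known_good, recent_calls):
    """Report blacklist entries that are too broad or too narrow.

    known_good   -- (number, name) pairs that must always ring through
    recent_calls -- (number, name) pairs from recent history, wanted or not
    """
    report = {"blocks_known_good": {}, "matches_everything": [], "missing_1_form": []}
    for number, name in known_good:
        hits = blocking_entries(blacklist, number, name)
        if hits:
            report["blocks_known_good"][(number, name)] = hits
    for entry in blacklist:
        # An entry that matches every recent call hangs up on all callers.
        if recent_calls and all(entry_hits(entry, n, nm) for n, nm in recent_calls):
            report["matches_everything"].append(entry)
        # A bare ten-digit entry misses the same caller sent as 1 + ten digits.
        bare = re.fullmatch(r"\^(\d{10})", entry)
        if bare and not blocking_entries(blacklist, "1" + bare.group(1), ""):
            report["missing_1_form"].append(entry)
    return report


# Entries in the style of the list above, plus constructed number entries
# (the 555-01xx numbers are placeholders, not real callers).
BLACKLIST = [
    "^UNKNOWN", "^OUT-OF-AREA", "^CONSUMER SVCS", "^000",
    "^2145550147",       # listed without the leading 1 only
    "^1?9725550123",     # one pattern covering both forms (regex model)
]
# Constructed calls that must ring: a VOIP caller whose name arrives as
# OUT-OF-AREA, and an ordinary local number.
KNOWN_GOOD = [("4695550188", "OUT-OF-AREA"), ("8175550111", "DENTAL OFFICE")]
RECENT_CALLS = KNOWN_GOOD + [("12145550147", "CONSUMER SVCS"), ("19725550123", "UNKNOWN")]

if __name__ == "__main__":
    for title, entries in (("current list", BLACKLIST), ("with a stray '^' entry", BLACKLIST + ["^"])):
        print(title)
        for check, result in audit(entries, KNOWN_GOOD, RECENT_CALLS).items():
            print(f"  {check}: {result}")
```

Any number reported under blocks_known_good is a candidate for the whitelist, and any entry under missing_1_form needs a second entry with the leading 1.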
Installing and Configuring NCID Clients
Although we now have caller ID on all of our phones, I wanted to have it display on my computer terminal. For this I downloaded and installed the NCIDPop package for Mac OS X. The first time it came up, it brought up a configuration dialog where I had to put in the IP address of the Raspberry Pi server that had the modem attached to it. NCIDPop also has a feature where it can use the say text-to-voice command to read the phone number to you. In some cases, this is annoying, but in others it is useful.
The NCID Android application can optionally transfer calls on your Android phone to the NCID server. This can be useful in keeping track of robo callers and adding them to the black list. There are a number of other features that I'm not using at this point.
It was nice to be able to put caller ID on all computers using only one modem.
Results from Installing NCID
After installing Network Caller ID, it took me a few days of adding rules for various marketing robo dialers. After five months, I probably spend about two minutes per day adding new spam phone numbers to the
At this point NCID is automatically hanging up on about 50% of all robo dialer calls and is allowing almost all legitimate calls through. NoMoRobo catches a few that NCID does not, and both miss about 10-20% of the spam calls. NCID hung up on two legitimate calls, and I can't figure out what rule caused the hangup. I have programmed it to hang up on all calls that come in without caller information including "OUT OF AREA"; this is a problem for Google Voice and other voice over IP (VOIP) telephone numbers and has blocked a small number of legitimate calls. You can avoid this for specific numbers by putting the number in the
Results from NCID and NoMoRoBo
As calls come in during the month, I add all spam calls that got past NCID into the NCID blacklist. The number of valid calls can be calculated by joining the NCID blacklist file with the NCID call log on the phone number as shown in Figure 1. The average numbers are annoying:
- About 2.9 calls per day are valid.
- About 0.098 spam calls per day are stopped by NCID based upon the local blacklist phone number (after November 1, 2015).
- About 0.15 spam calls per day are stopped by NCID based upon the FTC complaint list (after November 1, 2015).
- About 0 calls per day are spam calls that are either blocked by NoMoRoBo or get through to ring multiple times.
- After February 2015 83% of calls were valid, while 17% were spam calls.
It is important to note in Figure 1 that many of the calls labeled as “NoMoRoBo or Pass-through Spam” are stopped at one ring by NoMoRobo. Unfortunately, I don’t have a way to identify these; I may eventually look at the NCID code to see if there is a way to identify calls that only ring once, and use a different code in the
In early 2016, the phone line was ported from Verizon to a VOIP provider. This broke the NCID installation, but also caused NoMoRoBo to be more effective; the VOIP ring was delayed a few tenths of a second, allowing NoMoRoBo to block the call before the VOIP line rings and NCID blocks the call. The increased effectiveness of NoMoRoBo was a disincentive to fix NCID, and thus much of the data for 2016 is missing.
Because specific numbers were calling frequently, it became worthwhile to block a small set of numbers in the VOIP provider’s filter. The dramatic drop in call volume on October 24, 2018 is due to this block list. The logging capability in NCID was extremely useful in coming up with the list to block.
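The join of the blacklist with the call log described above can be sketched as follows. This is an added example, not the author's analysis code: the log line layout, the CID and HUP labels, the category names and every phone number are assumptions or constructed samples, and as the article notes, calls cut off by another service after one ring cannot be told apart from spam that rang through.

```python
import re
from collections import Counter

# Constructed log lines. The "*FIELD*value*" layout and the CID (rang through)
# and HUP (NCID hung up) labels are assumptions about the NCID call log.
SAMPLE_LOG = """\
CID: *DATE*11022015*TIME*0915*LINE*POTS*NMBR*8175550111*MESG*NONE*NAME*DENTAL OFFICE*
HUP: *DATE*11022015*TIME*1130*LINE*POTS*NMBR*12145550147*MESG*NONE*NAME*CARDHOLDER SVCS*
CID: *DATE*11022015*TIME*1702*LINE*POTS*NMBR*9725550123*MESG*NONE*NAME*UNKNOWN NAME*
HUP: *DATE*11032015*TIME*1010*LINE*POTS*NMBR*4695550166*MESG*NONE*NAME*SOLAR OFFER*
CID: *DATE*11032015*TIME*1845*LINE*POTS*NMBR*8175550111*MESG*NONE*NAME*DENTAL OFFICE*
this line is damaged and must be skipped
"""
LOCAL_BLACKLIST = {"2145550147", "9725550123"}  # constructed; the second was added after it rang
FTC_LIST = {"4695550166"}                        # constructed stand-in for the complaint list


def normalize(number):
    """Reduce a caller ID number to ten digits so 1-xxx and xxx forms join."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        return digits[1:]
    return digits


def parse_line(line):
    """Return (label, fields) for a CID/HUP line, or None for anything else."""
    m = re.match(r"(CID|HUP): \*(.*)\*$", line.strip())
    if not m:
        return None
    parts = m.group(2).split("*")
    fields = dict(zip(parts[0::2], parts[1::2]))
    if "DATE" not in fields or "NMBR" not in fields:
        return None
    return m.group(1), fields


def classify(label, fields, local, ftc):
    number = normalize(fields["NMBR"])
    if label == "HUP":
        if number in local:
            return "stopped_local"
        return "stopped_ftc" if number in ftc else "stopped_other"
    # The call rang. If its number is on a list now, it was spam that got past
    # NCID (or that another service cut off after one ring).
    return "passthrough_spam" if number in local or number in ftc else "valid"


def summarize(log_text, local, ftc):
    """Join the log to the lists on phone number; return totals and per-day counts."""
    totals, per_day = Counter(), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        label, fields = parsed
        category = classify(label, fields, local, ftc)
        totals[category] += 1
        per_day.setdefault(fields["DATE"], Counter())[category] += 1
    return totals, per_day


if __name__ == "__main__":
    totals, per_day = summarize(SAMPLE_LOG, LOCAL_BLACKLIST, FTC_LIST)
    calls = sum(totals.values())
    for category, count in sorted(totals.items()):
        print(f"{category:17} {count}  ({100 * count / calls:.0f}%)")
    for day, counts in sorted(per_day.items()):
        print(day, dict(counts))
```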
For additional information, you may be interested in other articles on NCID and stopping phone spam:
- Current Month Phone Spam Call Blocking Effectiveness shows the effectiveness of the various call blocking methods on our residential land line.
- Stopping Rachel from Cardholder Services covers multiple ways to address phone spam, including setting up an NCID server.
- Download and Format the FTC Robocall Complaint List for NCID shows how to download and format the FTC complaint list to give you a list of spammers before they call you.
- Using NCID on Two Phone Lines shows how to add a second modem to your NCID configuration.
- Written by Bruce Moore
Toastmasters Leadership Institute (TLI)--Vice President of Education Training
On July 25, 2014, I delivered the training module for the Vice President of Education section of the District 50 Vista Division TLI. The slides for that presentation are in the PDF TLI_VP_Education_2014_07_25.pdf.
This presentation covers the following topics:
- The Distinguished Club Program (DCP)
- The DCP points for which the VP Education is responsible
- How to log into Toastmasters international and process an award
- The requirements for each award, developing a success plan
- The Successful Club and Better Speaker speech series
The slides were prepared using LaTeX and Beamer, two tools that are widely used in graduate programs in Computer Science, Mathematics and related disciplines, but which are rarely used elsewhere. If you are interested in the source for this presentation, send me an email and I will send you the source.
- Written by Bruce Moore
Creating a Website for Your Small Business or Organization
Creating a website for a small business is quite manageable for moderately technical business owners, but many will want to contract out many or all of the set-up tasks. The article that follows provides instructions on how to set up a site; you can use this to develop your site or as the template for a statement of work with your website development firm.
The article discusses the following steps:
- Choosing a Domain Name
- Purchasing Your Domain Name and Choosing a Web Hosting Provider
- Defining Requirements and Choosing a Content Management System (CMS)
- Choosing a Web Hosting Provider and Plan
- Installing Plugins
- Creating Content
- Setting Up Domain Name Services (DNS)
- Obtaining a Secure Sockets Layer (SSL) Certificate
- Installing an SSL Certificate
- Setting up Search Engine Optimization
- Installing a Favicon
- Installing Apple-specific Icons
Choosing a Domain Name
Selecting a domain name can be one of the most time consuming steps in the process; most of the good short domain names in the .org namespaces are already taken. In many cases, the choice of a domain name is inextricably tied to the name of the company. There are many web sites that allow you to search for available domain names, but some of them will register an available domain name while you are searching, and will then charge you to purchase it, so first do a search on the reputation of the various web sites available for choosing a domain name.
Purchasing Your Domain Name and Choosing a Web Hosting Provider
Once you have decided upon a domain name, you must purchase it from a domain name registrar. Most registrars also offer web hosting services and most web hosting firms will handle the domain registration for you. Using the same firm as the registrar and hosting firm offers convenience, but if you have problems with the hosting aspect of the relationship, it may be more difficult to move your site to another hosting firm.
Although it is cheaper to sign up for a one year contract, for a first site, it is better to go month-to-month so that you can change hosting firms easily in the event that you encounter support problems with the vendor.
Talk to friends that host web services and find out what their experience has been with their domain name registrar. If you want to see what registrar is used for a site that you respect, Domain Tools will do a basic lookup of domain registration information.
There are dozens of registrars/hosting firms. I spoke to a number of colleagues who manage various commercial and organizational web sites and came up with the following list. There are many hosting firms and prices vary widely, so shop around and look for promotions.
- Network Solutions provides one-stop-shopping for registrar and hosting.
- GoDaddy provides one stop shopping for registrar and hosting.
- iPage is a smaller and less expensive provider with somewhat less extensive services than Network Solutions and GoDaddy.
- Firehost is oriented to high security environments and is relatively expensive.
- Host Gator is a large hosting firm similar to iPage.
- Verio is a large hosting firm similar to Go Daddy and Network Solutions.
- Zyon is a small and less expensive hosting firm similar to iPage.
- Sprocket Networks is a medium sized firm that is oriented to unusual and highly customized needs.
If you are setting up a web site for a volunteer organization that is part of an "umbrella" organization, you may be able to get hosting services through the umbrella organization. Toastmasters International clubs can host sites on Freetoast Host free of charge, although the club will have to purchase a domain name separately if the club does not want to use the default club number domain (e.g. 2364.toastmastersclubs.org) provided by Freetoast.
Defining Requirements and Choosing a Content Management System (CMS)
The vast majority of small websites and most large web sites are built upon a content management system (CMS). Although there are many, the most popular are Wordpress, Joomla, and Drupal, in order of decreasing popularity and increasing capability and complexity. All three are open source, are written in PHP and use cascading style sheets (CSS).
Before choosing a CMS, make a list of your major requirements and look for plugins for each CMS to accomplish the goals for your site. Table 1 provides a template that you might use as a starting place for gathering requirements for your web site and choosing the content management system.
Wordpress is the CMS used by the wordpress.com blog hosting site. It was developed primarily as a blog hosting CMS, but has a number of e-commerce plugins that allow it to be used in more business oriented environments.
Joomla has a reputation as being somewhat more complex than Wordpress but for having a wider variety of plug-ins to allow a more complex web site. That may or may not be true at this point.
This site was implemented in Joomla.
Drupal has a reputation as being somewhat more complex and somewhat more capable than Wordpress and Joomla. It may have the most robust version control capability. It is oriented to larger web sites with custom development projects.
|Easy implementation of SSL (HTTPS)||Builtin||Builtin|
|Structured Data/microdata||Several extensions||Some capability built in 3.3. Several extensions|
|Google Author structured data||Several extensions||Several extensions.|
|Multiple domains with different look and feel on one web site||Builtin, but non-trivial configuration.||Several extensions.|
|Language support and translations|
|Version control||Several extensions||Several extensions. Not a strong point.|
||Several extensions||Password and Google, and Google two-factor built in. Several extensions|
||Several extensions||Users and groups built in. Different menus based upon logged in user. Several extensions.|
|Web application firewall||NinjaFirewall||Akeeba Admin Tools|
|Backup and Recovery||Google "wordpress backup" for instructions and extensions.||Akeeba Backup|
|Photo albums||Several extensions||Several extensions|
|Mapping||Several extensions||Several extensions|
||Several extensions||Several extensions|
|Suitability for mobile browsers||Extensive capabilities.||Some capability built in. Several extensions.|
|Template or theme with attractive design for your needs||Many developers. Google/Bing "wordpress themes"||Many developers. Google/Bing "joomla templates"||Many developers. Google/Bing "drupal templates themes"|
||Several extensions||Several extensions|
|Shopping cart||Several extensions||Several extensions|
|Reservations||Several extensions||Several extensions|
|Sports Scoring||Several extensions||Several extensions|
Choosing a Web Hosting Provider and Plan
Many small businesses purchase the domain name from the same firm that hosts their web site. It makes sense to see what promotions for either web hosting or domain name rental are running at any particular time. Most hosting firms use one of the major CMS offerings by default. It will be easier if the hosting firm that you use offers the CMS that you plan to use. There are three major types of hosting plans from least expensive to most expensive:
- Web server only (about $10/month)
- Virtual private server (VPS, about $30/month)
- Physical server (about $50/month)
Unless you have unusual software needs or high traffic, the domain only service is probably sufficient in all ways but may present some problems for email. A hosting service may operate a hundred domains on a single server; if one of those domains is used for spam, the spam email blacklisting services will blacklist the IP address–not the domain, and email from your domain will be blocked as well as the spam originating domain. This can present a problem even for forwarding email; a volunteer group where I’m an officer has forwarding addresses for officers that won’t forward to Verizon email accounts because the server where our domain is hosted has been blacklisted for another domain that is hosted there.
VPS and physical servers can encounter some email blocking problems as well. Many email systems do reverse domain name service (rDNS) on email, expecting something like mail.domain.com. If the rDNS returns cpanel.domain.com the email that you send may be blocked. In this case you can probably get it unblocked with an email to the receiver’s email administration.
For VPS and physical server installations, most services will offer Web Hosting Manager/Cpanel for an additional fee. These provide a web-based administration interface that simplifies many administration tasks and are well worth it.
Once you have the credentials to log in to your web hosting account and the CMS is installed it is time to install plugins to provide the capabilities that you identified in the Defining Requirements and Choosing a Content Management System (CMS) section.
Because this site was developed with Joomla, the discussion about plugins that follows is done in Joomla, but the general approach will apply to all three CMS offerings. Generally speaking, each of the tools will offer these basic capabilities.
Templates and Themes
The template determines how the site looks, menu placement and provides some capabilities. It is possible to change the template or theme after building the site, but it is best to start out with a template that you like.
Although administrator tools are not required, the free and low-cost administrative and backup tools from Akeeba are well worth the money. The most important functions are the
- Web application firewall which traps a number of different types of attacks
- Generator for .htaccess
- Secure file permissions
Structured data tells search engines like Google and Bing how to identify things like your business hours, location and name. In some cases this is built into the CMS, and in other cases it requires a plugin.
Caching and Performance
If you need reservations, sports scoring or other capabilities, install the plug-ins for those capabilities as well.
All of the previous steps sound long and complicated, but implementing these steps is relatively quick. While the write-up for this step is short, it is by far the most time-consuming part of the site development process. You will need to write articles about the people in your company, directions, maps, and appropriate subject matter. You should create graphics or photos as appropriate.
In all cases, make sure to give each article a good description and good keyword values. The search engines will probably use the description as the synopsis for the page in search results, so spend some time writing good descriptions. Similarly, make sure to provide a good description of each image in the alt tag for the image, as the search engines will use this to index the image.
Setting Up Domain Name Services (DNS)
When you are ready for your site to go live, it is time to set up the domain name services (DNS). If you purchased domain registration and web hosting from the same firm, this is probably already done, and you can skip to the next step. If you used different firms, you will need to log on to your account at the domain registrar's web site and enter the name of the domain name server at your hosting firm. If you are parking additional domains on your web site, you will need to log on to the Web Hosting Manager software at your web site or have technical support do this for you. In WHM, use the DNS Functions->Park a Domain dialog as shown in Figure 1.
Obtaining a Secure Sockets Layer (SSL) Certificate
Although most web sites still run un-encrypted HTTP, most large firms are forcing all of their traffic to use the encrypted HTTPS protocol--Google is probably the most conspicuous firm to do this. You should go to the trouble to do this, as it makes it much harder for criminals to implement a man-in-the-middle attack on your customers. If you expect mobile users and especially users who will access your site using public Wifi, you really, really should go to the trouble to implement HTTPS. There are Certificate Authorities (CA) that will issue a free low-verification certificate that is sufficient for the needs of volunteer organizations.
SSL certificates are used for both encryption to secure communications and trust to verify that you are looking at the website of the real business and not an imposter. Originally, certificates were issued as Class 1 and Class 2, but that has been superseded by Domain Validation (old Class 1), Organizational Validation (old Class 2), and Extended Validation (more rigorous than old Class 2).
If you are running a web site that does not do transactions, a Domain Validation certificate is probably sufficient for your needs.
If you are doing E-commerce or allowing logins, you should get an Organizational or Extended Validation certificate. In these certificates, the CA will check driver's licenses, passports, company incorporation documents, banking records and other items to verify that you are who you say you are and that you are not a cybercriminal. Make sure that the addresses and phone numbers on your domain registration match the incorporation and driver's license/passport documents; you pay for the application for the certificate, not for the issuance of a certificate. If your documents are not in order, they won't give you the certificate and you may have to pay for a new verification of documents.
The certificate authorities offer a variety of features and packages, so if you have multiple domain names, multiple servers and multiple applications like web, email, and a web application server, it makes sense to carefully analyze your requirements and shop around. Some Extended Validation certificates may have free features that justify the cost even though you might not otherwise want to pay for an EV certificate. Table 2 below gives a summary of the validation levels and some of the common features that are included in the different offerings from certificate authorities. Generally speaking, certificates in the upper left corner of the table are the least expensive, and certificates get more expensive as you move down and to the right in the table; certificates in the lower right of the table are the most expensive.
|Validation||Single Domain||Multiple Domain||Multiple Domain Wildcard||Unified Communications|
| ||Only valid for one domain name, i.e. www.domain.com. If used to secure both website and email as handled in a typical web hosting package, will have to point email to "www.domain.com" instead of "mail.email.com" and set up appropriate aliases in configuration.||Would allow same certificate for www.domain.com and mail.domain.com. All domains must be known and listed at time of issuance.||Would allow same certificate for www.domain.com and mail.domain.com. Could add a domain after issuance of certificate. Will not support multiple levels like mail.division.domain.com.||Would allow same certificate for www.domain.com, mail.domain.com, and in addition multiple levels like mail.division.domain.com.|
|Domain Validation (Old Class 1). Low cost or free. Verification limited to determining if applicant is the webmaster for the domain. Appropriate for small business and organization web sites that don't do transactions. Gives lock icon shown in Figure 2.||Commonly offered. Inexpensive choice for organizations that don't do transactions. StartSSL offers free one year certificate.||Technically possible, but not commonly offered.||Technically possible, but not commonly offered.||Technically possible, but not commonly offered.|
|Organizational Validation (Old Class 2). Moderate cost, significant documentation required. Appropriate for small businesses that do transactions, but lower value and volume. Gives lock icon shown in Figure 2.||Commonly issued.||Commonly issued. May be a free feature with some certificate authorities.||Commonly issued. Usually an additional cost.||Not commonly offered.|
|Extended Validation (more rigorous than Old Class 2). High cost. Extensive documentation required. Appropriate for businesses that do transactions of high value or high volume. Gives lock and green bar icon shown in Figure 3.||Commonly a free feature of Extended Validation certificate.||Commonly a free feature of Extended Validation certificate.||Sometimes a free feature of Extended Validation certificate.||Usually used by enterprises that are using Microsoft Exchange for email.|
There are numerous Certificate Authorities. Table 3 below is not a complete list, but includes some of the major CAs.
|Certificate Authority||Web Address||Comments|
|StartSSL||https://www.startssl.com/||Offers free 1-year Class 1 Certificate. This is good for encryption and is reasonable for a web site that does not do the payment transactions. They also offer Class 2 Extended Validation Certificates.|
|Comodo||http://www.comodo.com/||Offers free 90-day certificate; paid after 90 days.|
|Go Daddy||http://www.godaddy.com/ssl/ssl-certificates.aspx||Go Daddy offers one stop shopping for domain registration, web hosting and SSL certificates.|
|Symantec (Thawte, Verisign, Geotrust)||http://www.symantec.com/verisign/ssl-certificates||Offers features necessary for large institutions, but not necessarily useful for small businesses.|
Installing an SSL Certificate
The following tutorial is for using Web Host Manager assuming that you are not using the certificate vendor associated with your hosting company. For other environments the procedure will be different.
- Generate a certificate signing request (CSR) via SSL/TLS->Generate a Certificate Signing Request as shown in Figure 4.
You will need a CSR for your web domain and potentially for email and FTP servers.
- Optionally, mail.yourdomain.com
- Optionally, imap.yourdomain.com
- Optionally, ftp.yourdomain.com
Setting up Search Engine Optimization
The final step in creating your web site is to register with the various search engines and work on the search engine optimization (SEO) for your web site. SEO is a complex topic by itself, and is discussed in a different article. See Search Engine Optimization and Analysis for Small Banks and Small Businesses.
Unfortunately, even these samples are intimidating for someone who isn't an attorney.
- GeneratePrivacyPolicy.com is fairly comprehensive, but doesn't have check boxes for Google Analytics compatibility.
- (sic) iubenda is geared to Google Analytics, but it is accessed through a link to their site (it resides on their server) and contains their logo in the policy. It costs $27 per year if you want to remove the iubenda logo from the policy.
Installing a Favicon
A “favicon” is the little icon that appears on the left side of each tab in Firefox, Chrome, Internet Explorer and until recently, Safari browsers (I'm sure Apple is getting a firestorm of criticism for this change in Mavericks). A favicon makes it much easier for users to identify which tab they want to select. Favicons must be square, so when you get a graphic designer to do a logo, make sure that the designer provides at least one version that is square. To create the favicon file, the easiest thing to do is to use one of many web sites that will convert an image file to a favicon-format file. Google “favicon convert image” and you will find a number of sites that will do the conversion. Favicon.htmlkit.com is one example of many. If you have graphics editing software, that software may have built-in capabilities as well.
If you don’t have the funds for a logo designed by a graphic artist and don’t have any skills in this area, there are some inexpensive apps that will help you to create a basic but useful favicon. Art Text 2 Lite is a free app for OS X that will generate a simple icon with letters and background–see the Intentional Genealogist web site for an example of the output from this tool.
Once you have the favicon.ico file, you will need to upload it to a particular location on your web server. For Joomla this is
yourtemplate is the directory for all of the active template on your site. If you use multiple templates, you will need to install the favicon in each template.
To test this, you should bring up your web site in a browser that you don't normally use--it can take a while for the browser cache to expire and for the default favicon for your CMS to be replaced by the custom favicon.
Installing Apple-specific Icons
Apple iOS devices allow users to add a web site to the home screen of an iPhone or iPad–making this feature work well requires some specialized files and HTML markup on your web site. The article Configuring Web Applications in the Apple iOS Developer Library gives a description of what iOS devices look for when a user adds a web site to the home screen on the user’s iPhone or iPad. Some websites indicate that some Android devices take advantage of this support as well. Mathias Bynens' somewhat dated article Everything you always wanted to know about touch icons gives a good description of how this works.
Since iPhones and iPads come in a variety of resolutions, you will need to make several versions of this icon. The easiest way to do this is to use the convert command from the ImageMagick package to generate the various files from your square icon file. For Windows, ImageMagick is available in the Cygwin set of Linux/Unix utilities. On OS X, it is available through MacPorts, a port of a number of utilities that do not come in OS X.
convert "$1" -background white -alpha off -resize 60x60! touch-icon-iphone.png
convert "$1" -background white -alpha off -resize 76x76! touch-icon-ipad.png
convert "$1" -background white -alpha off -resize 120x120! touch-icon-iphone-retina.png
convert "$1" -background white -alpha off -resize 152x152! touch-icon-ipad-retina.png
convert "$1" -background white -alpha off -resize 60x60! apple-touch-icon.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-precomposed.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-76x76.png
convert "$1" -background white -alpha off -resize 120x120! apple-touch-icon-120x120.png
convert "$1" -background white -alpha off -resize 144x144! apple-touch-icon-144x144.png
convert "$1" -background white -alpha off -resize 152x152! apple-touch-icon-152x152.png
convert "$1" -background white -alpha off -resize 180x180! apple-touch-icon-180x180.png
convert "$1" -background white -alpha off -resize 57x57! apple-touch-icon-57x57-precomposed.png
convert "$1" -background white -alpha off -resize 76x76! apple-touch-icon-76x76-precomposed.png
convert "$1" -background white -alpha off -resize 120x120! apple-touch-icon-120x120-precomposed.png
convert "$1" -background white -alpha off -resize 152x152! apple-touch-icon-152x152-precomposed.png
convert "$1" -background white -alpha off -resize 180x180! apple-touch-icon-180x180-precomposed.png
The script above will run on Linux, OS X, or under Cygwin on Windows. The -background white -alpha off parameters deal with the transparent background of a PNG file. Apple converts a transparent background to black, which may not work well for your particular icon. You can substitute whatever color you wish. The exclamation mark after the size forces the image to a square output file, so if your logo is not square, it will look a little strange. The above resolutions and file name conventions are perhaps overkill, but these are all of the ones that I’ve found in web searches and in the 404 errors on my web site; hopefully these will cover all current and older devices.
Once you have generated all of the icons you will need to upload them to your web site in the location(s) referenced in the link statements in your web pages, or to the root directory of your web site, which is much more likely for a personal or small business web site. You probably will not be able to use the graphical user interface for your CMS to upload files to the root directory of the site (not the root directory of the server), so the scp secure copy file program will be the easiest way to do this:
Once you’ve set this up, monitor the 404 redirect portion of your CMS to see if there are any 404 errors for any of the touch icon files, and address the problem as necessary.
- Written by Bruce Moore
Preparing for a Fair Lending Examination Statistical Analysis
At the Independent Bankers Association of Texas (IBAT) Lending Compliance Summit in April, 2014 and at the Southwest Graduate School of Banking (SWGSB) Alumni program in May, there was much discussion about the regulatory focus on Fair Lending in general and the statistical analysis that is being done to identify disparate treatment. The article that follows is the first in a series of three that discuss how banks can prepare for an examination and minimize the likelihood of problems, how a bank might proceed with an in-house study to identify and fix any disparate treatment problems and finally, some statistical examples to help explain several questions that came up at the IBAT and SWGSB gatherings. For additional reading, you may wish to look at How a Bank Can Get in Trouble with Fair Lending Statistical Analysis and Doing Your Own Fair Lending Statistical Analysis.
The discussion of preparing for a disparate treatment statistical analysis is divided into the following sections:
- Fix Data Quality Problems
- Include Calculated Items from Credit Report
- Perform Analysis of Indirect Loans by Dealer/Originator
- Estimate Negative Equity for Indirect Loans
Fix Data Quality Problems
When I worked in IBM’s Global Business Intelligence Systems datamining group, we had a saying:
There are customers that know they have a data quality problem, and there are customers that don’t know that they have a data quality problem.
A dataset can be pristine and balance to the penny from an accounting perspective, and yet be a nightmare from the viewpoint of performing any statistical analysis. If a regulatory statistical analyst receives a poorly prepared dataset, the analyst will spend so much time cleaning up data that little time will be available to distinguish between unusual datapoints that can be discarded as mistakes and others that contain important information and must be included.
The FDIC Compliance Manual -- January 2014 describes risk factors for discrimination to be used in planning an examination on page IV-1.6:
C2. Prohibited basis monitoring information required by applicable laws and regulations is nonexistent or incomplete.
C3. Data and/or recordkeeping problems compromised reliability of previous examination reviews.
Don’t send a poorly prepared dataset for statistical analysis. As a banker, you are much better off if the analyst has more time and spends more time looking for data elements to explain racial/ethnic/gender patterns in your dataset. If the analyst spends hours cleaning up a poorly prepared dataset, expect to have examination problems.
All of these data quality analysis steps can be performed in Excel, though the corrections should be done on the source system so that you don’t have to repeat the clean-up process every year. Most IT personnel would probably choose to use a programming or scripting language that allows regular expressions and other features that make data manipulation easier.
Catch up on Returned Mail Address Clean-up
All returned mail identifies an address problem--either an old address, an incorrect one, or one that is entered so badly that even the U.S. Post Office can’t figure out what it is--and I am amazed at what the Post Office can deliver correctly. Before you do a data pull for any type of statistical analysis, make absolutely sure that you are caught up on fixing returned mail.
The statement mailing firm that you use probably does address standardization as part of the service that they provide, but the standardized addresses probably don't make it back to your core system. Investigate ways to get the standardized addresses into your core system.
If you don’t use address standardization software to identify and correct spelling, format and abbreviation problems in addresses, at least do a pull and get a count of addresses by city and state. Sort the list by the cities with only one account--these are probably misspellings. If you don’t have address standardization software, you will be amazed at how many ways people can spell "Dallas" and "Houston." The Post Office correctly delivers a lot of mail that is badly misspelled. Make sure that all of the state abbreviations are valid.
If you don't have standardization software, you can use a geocoder to attempt to find the latitude and longitude of the address; if the geocoder can't figure out the latitude and longitude, it is either a Post Office Box, a Military address, or an invalid address. The next article in this series, Doing Your Own Fair Lending Statistical Analysis, has a significant discussion about geocoders and geocoding.
Verify Date Formats and Content
Most core systems do a very good job of preventing bogus dates from being entered, but you should check to make sure--especially for ancillary systems and datasets provided from third party vendors. At a minimum, check the following:
- Verify that all dates are valid dates. For example, 2/30/2014 is clearly an invalid date, but could get into a poorly designed software system, or be part of an incorrectly generated data extract from a third party system.
- Verify that all dates are in the right order. For example, the loan payoff date should always be after the loan opening date. There are a variety of other date relationships that should be maintained, but which sometimes aren’t.
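The two date checks above, as an added Python example that is not part of the original article. The field names, the month/day/year format and the sample rows are assumptions constructed for illustration.

```python
from datetime import datetime

DATE_FORMAT = "%m/%d/%Y"  # assumption: the extract uses month/day/four-digit year

# Constructed sample rows (not real loan data); field names are hypothetical.
SAMPLE_LOANS = [
    {"loan_id": "L-1001", "open_date": "1/15/2013", "payoff_date": "1/15/2014"},
    {"loan_id": "L-1002", "open_date": "2/30/2014", "payoff_date": "3/15/2014"},
    {"loan_id": "L-1003", "open_date": "6/01/2014", "payoff_date": "5/01/2014"},
    {"loan_id": "L-1004", "open_date": "2014-06-01", "payoff_date": ""},
]

DATE_FIELDS = ("open_date", "payoff_date")
OPTIONAL_FIELDS = {"payoff_date"}  # blank is allowed while a loan is still open
# (earlier field, later field) pairs that must be in chronological order.
ORDER_RULES = [("open_date", "payoff_date")]


def parse_date(text):
    """Return a date, or None if text is not a real calendar date in DATE_FORMAT."""
    try:
        return datetime.strptime(text.strip(), DATE_FORMAT).date()
    except ValueError:
        # Raised for impossible dates (2/30/2014) and for the wrong layout.
        return None


def check_dates(rows):
    """Return (loan_id, field, message) for every invalid or out-of-order date."""
    findings = []
    for row in rows:
        parsed = {}
        for field in DATE_FIELDS:
            raw = row.get(field, "").strip()
            if not raw and field in OPTIONAL_FIELDS:
                continue
            value = parse_date(raw)
            if value is None:
                findings.append((row["loan_id"], field, f"invalid date {raw!r}"))
            else:
                parsed[field] = value
        # Order is only checked when both dates of a pair parsed cleanly.
        for earlier, later in ORDER_RULES:
            first, second = parsed.get(earlier), parsed.get(later)
            if first and second and second < first:
                findings.append(
                    (row["loan_id"], later, f"{later} {second} is before {earlier} {first}")
                )
    return findings


if __name__ == "__main__":
    for finding in check_dates(SAMPLE_LOANS):
        print(*finding, sep=" | ")
```

Add further pairs to `ORDER_RULES` for the other date relationships your core system is supposed to maintain.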
Include and Standardize Indirect Dealer/Originator Names
If you do indirect lending, make sure to include the name of the dealer or originator of the indirect loans, and that the loan type and originator are coded correctly and consistently.
Verify Interest Rates Against Rate Sheet
Take an extract of your historical rate sheets, merge the rate sheet with your loan data by time of loan origination, calculate the difference between the loan rate and the rate sheet rate for the time period of the loan, and then rank by the absolute value of the difference. Look at the extreme values--these are probably mistakes. Investigate the reason for the largest differences and add a code or comment to explain why these particular loans have unusual deviations from the rate sheet. If they are mistakes, work with the borrower to correct the loan.
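The rate sheet comparison described above, as an added Python example that is not part of the original article. The loan types, rates and dates are constructed, and the layout of the rate sheet history (one rate per loan type per effective date) is an assumption.

```python
from bisect import bisect_right
from datetime import date
from decimal import Decimal

# Constructed rate sheet history: (effective date, loan type, sheet rate in percent).
RATE_SHEETS = [
    (date(2014, 1, 1), "AUTO", Decimal("4.250")),
    (date(2014, 4, 1), "AUTO", Decimal("4.000")),
    (date(2014, 1, 1), "HELOC", Decimal("5.500")),
]

# Constructed loans: (loan id, loan type, origination date, note rate in percent).
LOANS = [
    ("L-2001", "AUTO", date(2014, 2, 10), Decimal("4.250")),
    ("L-2002", "AUTO", date(2014, 4, 15), Decimal("4.125")),
    ("L-2003", "AUTO", date(2014, 5, 2), Decimal("40.00")),
    ("L-2004", "HELOC", date(2014, 3, 3), Decimal("4.750")),
    ("L-2005", "AUTO", date(2013, 12, 20), Decimal("4.500")),
]


def build_index(rate_sheets):
    """Group sheet rates by loan type, each group sorted by effective date."""
    index = {}
    for effective, loan_type, rate in sorted(rate_sheets):
        dates, rates = index.setdefault(loan_type, ([], []))
        dates.append(effective)
        rates.append(rate)
    return index


def sheet_rate(index, loan_type, originated):
    """Rate sheet value in force on the origination date, or None if no sheet covers it."""
    if loan_type not in index:
        return None
    dates, rates = index[loan_type]
    pos = bisect_right(dates, originated)  # number of sheets effective on or before the date
    return rates[pos - 1] if pos else None


def rank_deviations(loans, rate_sheets):
    """Return ([(loan_id, note rate minus sheet rate)], [unmatched loan ids]).

    The first list is sorted by absolute deviation, largest first. Decimal is
    used so that no digits are lost to floating point rounding.
    """
    index = build_index(rate_sheets)
    ranked, unmatched = [], []
    for loan_id, loan_type, originated, note_rate in loans:
        expected = sheet_rate(index, loan_type, originated)
        if expected is None:
            unmatched.append(loan_id)
        else:
            ranked.append((loan_id, note_rate - expected))
    ranked.sort(key=lambda item: abs(item[1]), reverse=True)
    return ranked, unmatched


if __name__ == "__main__":
    ranked, unmatched = rank_deviations(LOANS, RATE_SHEETS)
    for loan_id, deviation in ranked:
        print(f"{loan_id}  {deviation:+}")
    print("no rate sheet found for:", unmatched)
```

Loans that match no rate sheet are reported separately rather than dropped, since a missing sheet is itself a data quality finding.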
Code Collection and Other Loan Modifications Correctly
Make sure that all loan modifications and rework of loans that were messed up somewhere along the line are coded in a way that they can be easily identified and understood. It should be easy for an analyst to figure out that a goofed up loan entry that was corrected and re-issued under another number can be legitimately excluded as an outlier.
Handle Significant Digits Properly When Exporting--Don’t Truncate or Round
In the core systems, numbers can be stored in a variety of ways--some quantities are stored as floating point, some as decimal, some as integers, and occasionally as characters. Each of these data types works differently for rounding and in some cases may just truncate everything to the right of the decimal point. If you extract using a data type that truncates or take a number with 5 decimal places and round it to 2 decimal places, you can introduce some unusual patterns in your dataset.
Always export in the data type that is used to store an element, and always export the number of digits that are stored without rounding wherever possible.
Include Calculated Items from Credit Report
Perhaps the biggest problem that you may encounter in a Fair Lending statistical analysis will be loan decisions that are based upon information that is present on a text-based credit report. If you calculate loan to value, debt to equity, or medical bill charge-offs to total charge-offs from a credit report, but don’t include that in the extract, you will almost certainly have problems during an examination. If these ratios have a strong statistical relationship with race/ethnicity/gender (likely, since income has a strong relationship), race/ethnicity/gender will show as statistically significant, and you will have to spend a lot of time and money providing a corrected extract plus the aggravation of dealing with examiners over Fair Lending disparate treatment issues.
If you include the additional credit worthiness-related variables that you used in the underwriting process, race/ethnicity/gender will probably not show up as statistically significant, and your Fair Lending examination will probably go as smoothly as Fair Lending examinations can go.
If your origination system does not calculate all of the ratios that you use, pressure the vendor to add the additional ratios so that it is easy to extract them. This isn’t so much to make Fair Lending examinations easier, as it is to make fraud and abuse analysis easier for you to do. You should use the Fair Lending dataset for a fraud and abuse analysis; you will probably quickly recover the cost of preparing the data set and will start using your fraud and abuse dataset as the one you submit for Fair Lending analysis.
Perform Analysis of Indirect Loans by Dealer/Originator
If you have an indirect auto loan program, this is an area where race/ethnic/gender discrimination may be occurring without your knowledge or control. It is also an area where there is significant opportunity for fraud and abuse by an auto dealer, or specific employees at an auto dealer. The analysis that you do for indirect lending should be at least quarterly, as salespeople move from one dealership to another frequently--a dealer that has demonstrated exemplary performance for years can go south quickly when a new sales person comes onto the floor.
The discussion that follows is really oriented toward dealer-level fraud and abuse problems rather than Fair Lending, but if a dealer or an employee at a dealer is willing to commit fraud or abuse, discrimination based upon race/ethnicity/gender would not be a far stretch and vice versa. To get to this point, you will have put in a fair amount of work; you should reap the benefit of that labor, and a simple fraud and abuse analysis is the way to do it. For regulatory purposes, this analysis may or may not constitute a review of Fair Lending practices that would require you to correct any problems found; that is a question for your attorney.
Look at Fraud and Abuse Metrics
For a simple fraud and abuse analysis that can be done in Excel, calculate and rank dealers by the following quantities:
- First payment defaults
- Defaults immediately after end of recourse period
- Defaults and delinquency by age
For a dealer that ranks at the top of each list, investigate individual loans that have defaulted or are delinquent. It is likely that this work will be financially rewarding to the bank.
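The dealer ranking described above, as an added Python example that is not part of the original article. It covers the first two metrics only; the dealer names and loans are constructed, and ranking by rate per loan and treating "immediately after" as within 60 days are assumptions.

```python
from collections import defaultdict
from datetime import date

POST_RECOURSE_WINDOW_DAYS = 60  # assumption: "immediately after" = within 60 days
END = date(2014, 6, 30)         # constructed recourse end date shared by all sample loans

# Constructed loans: (dealer, payments made before default, default date, recourse end).
# Performing loans carry None for the two default fields.
LOANS = [
    ("Dealer A", None, None, END),
    ("Dealer A", None, None, END),
    ("Dealer A", None, None, END),
    ("Dealer A", 3, date(2014, 5, 10), END),   # default inside the recourse period
    ("Dealer B", 0, date(2014, 2, 1), END),    # first payment default
    ("Dealer B", 0, date(2014, 2, 15), END),   # first payment default
    ("Dealer B", 6, date(2014, 7, 20), END),   # 20 days after recourse ended
    ("Dealer B", 6, date(2014, 8, 5), END),    # 36 days after recourse ended
    ("Dealer C", 0, date(2014, 3, 1), END),
    ("Dealer C", 7, date(2014, 7, 10), END),
    ("Dealer C", None, None, END),
    ("Dealer C", None, None, END),
    ("Dealer C", None, None, END),
]

METRICS = ("first_payment_defaults", "post_recourse_defaults")


def dealer_metrics(loans, window_days=POST_RECOURSE_WINDOW_DAYS):
    """Count loans, first payment defaults and post-recourse defaults per dealer."""
    stats = defaultdict(lambda: {"loans": 0, METRICS[0]: 0, METRICS[1]: 0})
    for dealer, payments_made, default_date, recourse_end in loans:
        entry = stats[dealer]
        entry["loans"] += 1
        if default_date is None:
            continue
        if payments_made == 0:
            entry["first_payment_defaults"] += 1
        days_after = (default_date - recourse_end).days
        if 0 < days_after <= window_days:
            entry["post_recourse_defaults"] += 1
    return dict(stats)


def rank_dealers(stats, metric):
    """Dealers ordered by metric per loan, highest first; ties broken by name."""
    return sorted(stats, key=lambda d: (-stats[d][metric] / stats[d]["loans"], d))


def top_of_every_list(stats, metrics=METRICS, top_n=1):
    """Dealers that appear in the top_n of every ranking: the ones to investigate first."""
    tops = [set(rank_dealers(stats, metric)[:top_n]) for metric in metrics]
    return sorted(set.intersection(*tops))


if __name__ == "__main__":
    stats = dealer_metrics(LOANS)
    for metric in METRICS:
        print(metric, rank_dealers(stats, metric))
    print("investigate first:", top_of_every_list(stats))
```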
Rank by Dealer Participation Fee
Rank the loans by dealer participation for each dealer, and for all dealers. For the highest participations, are there any patterns? A high dealer participation could be an indicator for negative equity rolled into a deal for benign reasons, it could be negative equity rolled into a deal in anticipation of bankruptcy, it could be good negotiating on the part of the dealer, or it could be the result of discrimination based upon race/ethnicity/gender.
Estimate Negative Equity for Indirect Loans
If you have an indirect lending program, negative equity rolled into a deal is a strong predictor of a lot of interesting behavior. Estimating negative equity is painful if not impossible, as vehicles rarely sell for the Manufacturer’s Suggested Retail Price (MSRP) and there really isn’t a good way to capture the "value" of the vehicle. If you do capture MSRP and Kelley Blue Book (KBB) or a similar metric, it is worth calculating the difference between the purchase price and the MSRP/KBB as a proxy for negative equity.
Try to figure out a way to estimate the negative equity rolled into a loan. The dealer knows this exactly, but most lending systems don’t really have a way to record it. If high dealer participations are due to negative equity, you have a credit risk problem to monitor; if high dealer participations are not due to negative equity rolled into a deal, you absolutely have a customer satisfaction problem (the painfully high loan rate that gives the dealer the room to roll in negative equity or overcharge has your name on it each month--not the auto dealer’s name) and you may have a Fair Lending problem.
Although this article is about preparing for a Fair Lending examination statistical analysis, there is little in the steps to this point that is directly related to Fair Lending--most of this preparation is related to general data quality and to simple fraud and abuse analysis. Everything in this article can be done using Excel, though there are other tools that your IS staff may have that are better suited to the task.
- Written by Bruce Moore
Search Engine Optimization and Analysis for Small Banks and Small Businesses
To prepare for a sales call on a bank in a small Texas town, I plugged the bank’s name into Google--I got a list of many banks, but the one I wanted didn’t appear on the first page, or the second. I couldn’t find anything on this bank until my third Google query. Clearly, this bank had not done the basics of search engine optimization (SEO). Most Texas banks rank at the top of the page for a name query on Google, Bing or both. Unfortunately, some Texas banks cannot be found when searching for them by name on Google and Bing, let alone by “bank city.”
This article is for executives at these banks, for business owners whose business doesn’t show up on a name search in Google and for loan officers trying to help a borrower improve a business’s marketing. The steps outlined in this article would be useful in formulating the tasks in a Statement of Work for the development or maintenance of a web site.
For professionals and businesses that have blogs on other web sites, there is a short discussion of Google Author Tools to help in getting information on your off-website blog postings.
Search engine optimization is one of those things that is easy to do--if you know how to do it. There are thirteen basic steps:
- Register your domain with Google Webmaster Tools
- Register your alternate or old redirected domain(s) with Google Webmaster Tools
- Install a site map on your site
- Register the site map with Google Webmaster Tools
- Set up the robots.txt file on your web site
- Repeat the preceding steps with Bing Webmaster Tools
- Review Google and Bing webmaster tools periodically to identify any errors and to see if the search engines have identified malware on your site (indicating that it has been compromised)
- Make sure that metadata is filled in
- Improve your site with structured data
- Set up Google Author structured data for off-site blogs
- Set up Google Places and Bing Places for Business
- Register with Google Analytics or another analytics provider
- Install Analytics code
Register Your Domain
Purchasing your domain name from Go Daddy, Network Solutions or one of the many web hosting firms does not register the domain name with the various search engine providers--a search engine provider won’t start to scan your website until you register the domain name with them. Registration must be done by someone who has the system authorities to put a small randomly named HTML file into the root web page of the server. The search engine uses this file to prove that the person registering the site is actually the site owner. Once the site is registered, the search engine will start to scan and index it over a period of several days. The sections that follow discuss things that you should do to control what gets scanned and how to improve your web site to appear higher in search results.
When you register your domain, note that http://yourbank.com, http://www.yourbank.com, and https://www.yourbank.com are all different web sites as far as the search engines are concerned. Decide which one you want the search engine to use in presenting results and identify it as your canonical domain name during the registration process. If you force all traffic to https (a good idea), register only your https domain and make sure to redirect all http traffic on your web site to https.
Register Your Old or Alternate Domains
About ten percent of Texas banks have changed domain names and redirect to a new domain name. Make sure to keep both the new and old domain names registered with each search engine, and make sure to modify the settings on the old domain’s search engine registration so that the search engine knows to point old index references to the new domain name.
Make sure to update the domain name that is used for regulatory reports, as it will be used by third party bank analysis web sites. About 5% of Texas banks have obvious typos in the domain names that are present in the FFIEC database, and another 5% have old and unused domains listed with FFIEC. Part of the algorithm for search rank is based upon other sites linking to your site; if the link is based upon the web site that is listed in FFIEC data, it will point to the wrong location and you won’t get any benefit from the third party link.
Create a Site Map and Register it with Google Webmaster Tools
You’ve probably seen a “site map” link on many web pages and wondered why on earth people put this page out there. It isn’t for humans--it’s for the robots that scan and index your web site. Make sure to generate sitemaps for both text and images, especially if you have relevant graphs or photos of your buildings. Include information about how frequently each page is updated, as this will influence how frequently the search engines scan your site.
For instance, the page with your interest rates should probably show an update frequency of daily or weekly, while the page with your loan application probably would show a monthly or longer update frequency. Figure 1 below shows an example of an automatically generated site map that tells the search engine what URLs are present, the date of last modification, the expected change frequency, and the priority of each page.
Figure 2 below shows an example of the image sitemap for a web site. Notice that this does not include a listing of the logos and stock images for the web site--just the important images for the site. On a bank web site, this might include photos of branches but omit stock photos of office settings.
Once you’ve created the site maps, register them with Google Webmaster Tools. This will tell the search engine robots how often to scan each of the pages on your web site.
Set up the robots.txt File on Your Web Site
The root directory of each web site should contain a robots.txt file--try https://www.google.com/robots.txt. This tells well-behaved robots what parts of your web site to scan and index, and what parts not to scan. At the bottom of the robots.txt file, you should have URLs for your site maps--this tells robots for search engines with whom you haven’t registered where to find your site maps and how frequently to scan and index your site.
It doesn’t make sense for a robot to try to scan and index the Internet banking part of your web site, so that should probably be disallowed. Note: The robots.txt file does not provide security--badly behaved robots can still access any part of your site that is public.
Figure 3 below shows an example of a portion of the Bank of America robots.txt file where the bank has excluded search engine scanning and indexing for a number of login-based portions of the web site and for the mobile version of the web site--they don't want desktop users to stumble upon a version of a page that was designed for a cell phone. If you look at the bottom of the robots.txt file (not shown in the figure) you will find the reference to the sitemap and a comment about the Borneo content management system (CMS) that Bank of America apparently uses and which automatically generated the robots.txt file. The CMS software commonly used by small businesses (Joomla, Wordpress or Drupal) generally does not generate the robots.txt file.
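A way to check a robots.txt file before publishing it, as an added Python example that is not part of the original article or any bank's real file. The yourbank.com paths and both robots.txt texts are constructed; the parser is Python's standard `urllib.robotparser`, which applies the first matching rule in file order.

```python
from urllib.robotparser import RobotFileParser

SITE = "https://www.yourbank.com"

# Constructed robots.txt: login and mobile areas excluded, sitemaps listed last.
GOOD_ROBOTS = """\
User-agent: *
Disallow: /onlinebanking/
Disallow: /mobile/
Allow: /

Sitemap: https://www.yourbank.com/sitemap.xml
Sitemap: https://www.yourbank.com/sitemap-images.xml
"""

# Constructed broken variant: a misspelled directive is silently ignored by
# parsers, and the Sitemap lines are missing.
BROKEN_ROBOTS = """\
User-agent: *
Disalow: /onlinebanking/
Disallow: /mobile/
"""

MUST_BLOCK = ["/onlinebanking/login", "/mobile/index.html"]
MUST_ALLOW = ["/", "/rates.html", "/branches/main-street.html"]


def audit_robots(robots_txt, site=SITE, must_block=MUST_BLOCK,
                 must_allow=MUST_ALLOW, agent="ExampleBot"):
    """Return a list of problems a well-behaved robot would run into.

    This checks indexing intent only. robots.txt is advisory, so every path in
    must_block still needs real access control (a login) on the server.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    problems = []
    for path in must_block:
        if parser.can_fetch(agent, site + path):
            problems.append(f"{path} is crawlable but should be disallowed")
    for path in must_allow:
        if not parser.can_fetch(agent, site + path):
            problems.append(f"{path} is disallowed but should be indexed")
    if not parser.site_maps():
        problems.append("no Sitemap line for search engines you have not registered with")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_ROBOTS), ("broken", BROKEN_ROBOTS)):
        print(name, audit_robots(text) or "no problems")
```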
Repeat the Preceding Steps with Bing Webmaster Tools
Once you’ve completed the steps to register your web site with Google Webmaster Tools, you will have covered the basic set-up for about 75-90% of web searches in the United States. To get most of the remaining searches, register with Bing Webmaster Tools. The process and mechanics are very similar, but getting the site map and robots.txt file set up for Bing is a slightly more tedious and error prone process.
Review Web Master Tools Reports
Once you have your site registered with the various search engines, someone should be assigned to review at least the Google webmaster tools each day, starting with the “Security Issues” section. If your site has been compromised, you will hopefully have found it before the Google robot does; if the Google or Bing robots do find malware on your site, you have an “all hands on deck” level problem.
Don’t be Target and discover the malware weeks after the compromise. Figures 4 and 5 below show the malware reports for Google and Bing webmaster tools respectively.
Both Google and Bing webmaster tools provide information on the number of times your web site’s pages were listed in a search, the average rank and the number of times users clicked on the link for the page. They both also list the keywords used in searches.
Make Sure that Metadata is Filled in
Once you have the basics set up, it is time to turn to the content of your website itself. Use the various webmaster tools to tell you what metadata is missing from your site. At the very least, each page should have a keywords tag and, for images, the alt tag (this gives a description of the image). Use relevant words—don’t stuff in words that are unrelated to your site, as this will actually hurt your search ranking.
As your site is scanned by the robots, the webmaster tools will start to list the terms that the search engines are using to index the site; if there are concepts and terms that aren’t listed, look at the content of the actual pages and improve the copy to make sure that relevant terms are included in the text of the articles and product descriptions on your site.
The description tag may be used for the synopsis of the web page that Google presents. For example, the search query “loan fee amortization” will probably show the entries in Figure 6 somewhere in the search results. The second item references an article on this web site. The full description tag reads:
This page describes the procedure for calculating the fee amortization and effective yield for loans that involve up-front fees. This is also sometimes called level yield.
Improve your Site with Structured Data
Once you have the content on your site set up and the basic metadata in place, you can start to enhance how your site is displayed by the search engines. To do this, start to set up structured data which is sometimes referred to as microdata. If you Google “bank of the west” you will (probably) see a well organized search result for a Bank of the West web page as the first result, as shown in Figure 7. You may get a California bank or a Texas bank, depending upon what Google thinks you want. In either case the display is probably due to a good implementation of structured data on this web site.
Your structured data should include implementations for the bank, branch locations, hours, key people listed on your web site, products and promotional offers.
- Structured data for an organization.
- Structured data for an address.
- Structured data for hours of operation.
- Structured data for a person.
- Structured data for a product.
- Structured data for an offer.
There are three ways to mark up pages--microdata (recommended by Google), microformats and RDFa. A discussion of the differences is beyond the scope of this article. For small business web sites, the format will probably be determined by the plugin that you select with the exception of the About, Contact and People pages on the site which will probably be coded by hand. For more examples, use the search terms rich snippets, microdata, and structured data.
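As an added illustration (not code from the original article or from any plugin), the Python sketch below scans a page's microdata and reports which recommended properties are missing. The sample HTML, the schema.org type names and the list of required properties are assumptions chosen for the example.

```python
from html.parser import HTMLParser

# Constructed sample page for a hypothetical bank; name and address are made up.
SAMPLE_HTML = """
<div itemscope itemtype="https://schema.org/BankOrCreditUnion">
  <h1 itemprop="name">Example Community Bank</h1>
  <div itemprop="address" itemscope itemtype="https://schema.org/PostalAddress">
    <span itemprop="streetAddress">100 Main St</span>
    <span itemprop="addressLocality">Grapevine</span>,
    <span itemprop="addressRegion">TX</span>
  </div>
  <time itemprop="openingHours" datetime="Mo-Fr 09:00-17:00">Mon-Fri 9-5</time>
</div>
"""
# Hypothetical checklist: properties we want each item type to carry.
REQUIRED = {
    "BankOrCreditUnion": ["name", "address", "openingHours", "telephone"],
    "PostalAddress": ["streetAddress", "addressLocality", "addressRegion",
                      "postalCode"],
}
VOID_TAGS = {"meta", "link", "img", "br", "hr", "input"}


class MicrodataScanner(HTMLParser):
    """Collects, for each item type, the itemprop names found inside it."""

    def __init__(self):
        super().__init__()
        self.stack = []   # per open tag: item type it opened, or None
        self.items = {}   # item type -> set of itemprop names

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # An itemprop belongs to the nearest enclosing item, even when the
        # same tag also opens a new nested item (e.g. the address block).
        scope = next((t for t in reversed(self.stack) if t), None)
        if scope and a.get("itemprop"):
            self.items[scope].update(a["itemprop"].split())
        opened = None
        if "itemscope" in a:
            opened = (a.get("itemtype") or "untyped").rsplit("/", 1)[-1]
            self.items.setdefault(opened, set())
        if tag not in VOID_TAGS:
            self.stack.append(opened)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()


def scan(html):
    scanner = MicrodataScanner()
    scanner.feed(html)
    return scanner.items


def missing_markup(html, required):
    found = scan(html)
    gaps = {t: sorted(set(p) - found.get(t, set())) for t, p in required.items()}
    return {t: g for t, g in gaps.items() if g}
```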
Set up Google Author Structured Data for Off-site Blogs
Small business owners and professionals who maintain blogs on other web sites should consider setting up Google authorship links. This will alter the search results display to give the name of the author and potentially a photo of the author. Through Google Webmaster Tools, you can get some basic impression and click-through statistics on blog entries where you might otherwise have no meaningful information. To set this up, follow these steps:
- Create a Google+ profile
- Add the sites where you blog in the “Contributor to” section of your profile
- Somewhere in each external blog post, add
<a href="https://plus.google.com/u/0/xxxx?rel=author">A link to your Google+ profile</a>
where xxxx... is your Google+ profile ID.
- On your website, install the necessary plug-in to your Joomla, Wordpress or Drupal web site to automatically generate the Google+ link for the author
Once you have this set up, you can use the author stats in Google Webmaster Tools to keep track of the number of times your external blog appears in a Google search, its average position in search results and the number of times people click through to the blog entry. This will help you gauge the effectiveness of your marketing efforts on external web sites, but it will not give you information on the search terms used.
To understand how Google uses authorship in display, Figure 8 below provides an example from the query “loan fee amortization” and the resulting article on this web site. Note the author prefix and the name of the author. In some cases Google will display the photo from the Google+ profile. Note also that in this case, the display synopsis is taken directly from the description metadata tag.
Set up Google Places and Bing Places for Business
Once your web site is in order, you should begin to look at locality improvements to search and set up Google Places and Bing’s counterpart, Places for Business. This will help for queries like “bank grapevine texas.”
Sign up for Google Analytics or Another Analytics Provider
Once you have the basics of your search engine optimization done, you should sign up with an Analytics provider like Google Analytics, which is free. The steps to authenticate ownership of the site are similar to the steps for setting up Google Webmaster Tools. Once the webmaster has enrolled your site, have one or more people in your marketing department set up to use the web analytics tool to understand how your web site is used.
The web analytics tool should inform your product development and product bundling—the order in which people view the articles on my web site has absolutely influenced my product development plans. How to use web analytics is beyond the scope of this article.
Install Analytics Code
The steps in this article provide the basic search engine optimization steps that will get your bank or business listed at or near the top—when someone is looking for your organization by name. The steps in this article should be viewed as a starting point for search engine optimization.
- Written by Bruce Moore