Electronic banking security
Security of online banking transactions
With your security in mind, we present a practical guide containing basic information and rules worth keeping in mind. Following them will make your money even safer. It covers the use of payment cards, transactions in online stores, and access to your money through remote channels, the Internet and the phone. It is worth reading these rules, and worth remembering them.
General Rules
- Remember that no bank ever sends its customers questions about passwords or other confidential data, or requests to update them.
  Banks never include links to transactional pages in the messages they send. Letters, emails, or phone calls on such matters should be treated as attempts to obtain confidential information. Do not respond by providing your confidential data; contact your Bank immediately and report the incident.
- Check your Bank's website for the security measures used in its online service.
  Each time you log in, strictly follow the security rules published there. If you notice anything irregular, contact a Bank employee immediately.
- Your computer or mobile phone connected to the Internet must have antivirus software installed and kept up to date.
  The critical modules of the protective package, such as the antivirus monitor, mail scanner, and firewall, must also be enabled. A common mistake is disabling these modules to reduce system load.
- Make online payments only from "trusted computers".
  Do not make online payments from computers in public places, such as internet cafes or schools.
- Contact your Internet provider to make sure it uses secure channels for delivering the service.
  Pay particular attention to the quality and security of the internet services your provider delivers. If you have any doubts, you always have the right to ask the provider about the quality of the security it offers.
- Install only legal software on your computer.
  Programs of unknown origin, including those downloaded via Peer-to-Peer (P2P) applications, may have been prepared by hackers and contain viruses or other malicious software.
- It is advisable to scan your computer periodically, especially before accessing your bank's website and making any transactions.
  With the antivirus monitor enabled, most antivirus programs detect threats as well as their on-demand scanner does, so a separate scan is unnecessary. Some programs, however, have a monitor whose detection is weaker than the scanner's, which leaves a gap in the protection.
- Update your operating system and the applications essential to its operation, such as web browsers.
  Hackers constantly look for software vulnerabilities that are then exploited for internet crime. Producers of operating systems and applications publish patches to remove vulnerabilities in their products and prevent attacks through the discovered holes.
- Do not open messages or attachments from unknown sources.
  Such attachments often contain viruses or other software that allows your activities to be monitored.
- Avoid sites that encourage you to view very attractive content or contain very attractive offers.
  Websites with pornographic content can be particularly dangerous. Seemingly innocent sites offering "freeware" programs can also be very dangerous, as hackers often decompile these programs and add malicious code.
- After logging into the transactional system, do not leave the computer unattended; when you have finished, log out and close the browser.
- If unusual messages appear when logging in, or you are asked for personal data or see additional fields requesting authorization passwords, report the problem to your Bank immediately.
- Do not access your bank's website via links in emails you receive (phishing).
  Use the address the Bank gave you when you signed the agreement to open and maintain your account. It is also inadvisable to rely on the "Bookmarks" (Firefox) or "Favorites" (Internet Explorer) mechanisms, as there is malicious software that can modify the saved addresses.
- Never use search engines to find your Bank's login page.
  Links found there may lead to fake sites or to pages containing viruses.
- Before logging in, check whether the connection to the bank is secure.
  The address of your Bank's website should start with "https://", not "http://". A missing "s" in "http" means the connection is not encrypted: your data travels over the internet in plaintext, which exposes you to great danger.
- Check the validity of the certificate.
  Before entering your identifier or login and password, check whether the connection to the bank is encrypted. If you see a padlock symbol, double-click it to check whether the displayed certificate is valid and was issued for your Bank. If the certificate has expired, was not issued for your Bank, or cannot be verified, do not connect.
- Never share your identifier or password with third parties.
  The identifier is a confidential number assigned by the Bank; you cannot change it.
- Do not write down the passwords you use to log in, and remember to change them regularly.
  Ideally, change passwords once a month; if the system does not force you to, change them at least once every two months, using a combination of uppercase and lowercase letters and numbers.
- Check the date of the last successful and unsuccessful login to the system.
- Use the hotline provided by your bank.
  You always have the right to call your bank's hotline if you have doubts about the safety of banking transactions conducted over the internet.
- Regularly visit the "Safe Bank" Portal on the ZBP website, www.zbp.pl.
  If you want to know more about using electronic banking, including online banking, safely, visit this Portal regularly. There, security experts explain how to avoid the dangers lurking in the network.
- Exercise caution when giving out your card number.
  Do not give your card number to anyone who calls you, even if the caller claims there are problems with the computer and asks you to verify information. Companies do not normally call to ask for credit card numbers over the phone. Even if you initiate the call, do not give the card number over the phone unless you are sure the other party is trustworthy.
- Never respond to emails asking you to provide information about your card; report such situations to your bank.
  Likewise, never respond to emails inviting you to visit a website to verify your data, including card data. This type of fraud is called "phishing".
- Never provide card information on sites that are not secure,
  for instance sites with pornographic content or little-known companies offering branded goods at very low prices. Before entering your card number in a form on a site, make sure the data sent from the form is adequately protected: put simply, the address of the page with the form should start with https and the site should have the appropriate certificates (the browser shows this information, usually in the status bar at the bottom of the window).
- Do not write the PIN code on the card, and do not keep it with the card.
  In that case you not only act against the law: if your wallet or purse is stolen and your credit card is used, the bank is relieved of the obligation to cover the resulting damage.
- Protect your card number and the other confidential codes that enable transactions, such as the PIN, CVV2, or CVC2 (the last three digits of the number on the signature strip on the back of the card).
  Criminals can obtain them by capturing images of the card, for example with a mobile phone camera or a video camera, or in other ways.
- Make transactions at well-known, verified online stores. For smaller services, check their credibility, for example by calling the service and verifying its offer and its transaction and complaint terms.
  Make sure you are not on a website impersonating your bank's or the store's site (dishonest imitators use a similar name and appearance to confuse people and extort money). Read the online store's terms and conditions, especially the information about transaction security. Before making a transaction, make sure the transmission goes over a secure connection using the SSL/TLS protocol.
- The bank does not provide support through applications that use remote desktop connections. If someone offers you such a connection, hang up and contact the Bank.
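Two of the rules above, "check that the address starts with https and points at your Bank" and "check that the certificate is valid and issued for your Bank", can be written down as concrete checks. The following Python is an added illustration, not the Bank's or the guide's own code: BANK_DOMAIN, SAMPLE_CERT and SAMPLE_NOW are constructed sample values, and the certificate dictionary uses the layout Python's ssl module returns from getpeercert(). The URL check deliberately rejects the two common tricks of a lookalike host under another domain and a bank name placed before an @ sign.

```python
"""Two checks a customer can make before typing a login: the link is an
https link to the bank's own domain, and the certificate behind the padlock
names that host and is still within its validity dates.  Added illustration,
not the bank's code; BANK_DOMAIN and SAMPLE_CERT are constructed."""
import ssl
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed: the address printed on the account agreement.
BANK_DOMAIN = "bank.example"


def is_bank_login_url(url: str, bank_domain: str = BANK_DOMAIN) -> bool:
    """True only if the URL uses https and its host is the bank's domain or
    a subdomain of it.  'bank.example.evil.test' fails because it is not
    under bank.example; 'https://bank.example@evil.test/' fails because
    urlsplit treats the text before '@' as credentials, not as the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https" or not host:
        return False
    return host == bank_domain or host.endswith("." + bank_domain)


def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from the certificate; a leading '*.' covers
    exactly one label, as browsers apply it."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def certificate_ok(cert: dict, host: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Apply what the padlock dialog shows: issued for this host, and the
    current time lies between notBefore and notAfter.  `cert` uses the
    layout returned by ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        return False, "certificate was not issued for this host"
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate is not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate has expired"
    return True, "certificate valid for this host"


# Constructed sample certificate in getpeercert() layout.
SAMPLE_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}
# Fixed "now" (1 June 2025 UTC) so the demonstration is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 1 00:00:00 2025 GMT")
ONE_YEAR = 365 * 86400

if __name__ == "__main__":
    for url in ("https://login.bank.example/", "http://bank.example/",
                "https://bank.example.evil.test/", "https://bank.example@evil.test/"):
        print(f"{url:40} -> {'ok' if is_bank_login_url(url) else 'do not log in'}")
    for host, when in (("login.bank.example", SAMPLE_NOW), ("evil.test", SAMPLE_NOW),
                       ("bank.example", SAMPLE_NOW + 2 * ONE_YEAR)):
        print(host, certificate_ok(SAMPLE_CERT, host, when))
```

The host comparison is anchored on a dot so that a domain merely ending in the bank's name (notbank.example) is not accepted, and the wildcard match covers a single label only, which is how browsers treat `*.bank.example`.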
How banks ensure the security of their clients:
- Basic client identification: identifier + PIN, token, token + PIN
- Data transmission encryption protocol on the Internet – SSL
- Access based on certificates
- Codes sent via SMS
- One-time codes authorizing transactions
- Electronic signature, hash function, and its application
- Microprocessor cards with stored certificates
- Transaction limits
- Automatic session expiration after user inactivity
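The items "one-time codes authorizing transactions", "codes sent via SMS" and "hash function and its application" fit together: a code is derived with a keyed hash from the transaction details, sent to the customer together with those details, and accepted once. The Python below is an added toy model of that idea, not any bank's real scheme; the message format, the six-digit code length, the attempt limit and the secret are all assumptions. It shows why the customer should read the recipient and amount in the SMS before entering the code: a code issued for one transfer does not work for a transfer whose details were altered, and it cannot be replayed.

```python
"""Toy model of one-time transaction authorization codes built on a keyed
hash (HMAC-SHA256), showing why the code is bound to the transaction's
details.  Added illustration, not any bank's real scheme; the message
format, code length and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class TransactionAuthorizer:
    """Bank side of the exchange: issue a code for a pending transfer and
    later confirm it.  The customer reads the transfer details in the SMS
    and enters the code only if they match what was intended."""

    def __init__(self, customer_secret: bytes, digits: int = 6, max_attempts: int = 3):
        self._secret = customer_secret          # per customer, never sent
        self._digits = digits
        self._max_attempts = max_attempts
        self._counter = 0                       # makes each code one-time
        self._pending: Dict[int, Tuple[str, int]] = {}
        self._attempts: Dict[int, int] = {}

    def _code_for(self, op_id: int, recipient: str, amount_cents: int) -> str:
        """Keyed hash over operation id, recipient and amount, truncated
        to a fixed number of decimal digits the customer can type."""
        msg = f"{op_id}|{recipient}|{amount_cents}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        value = int.from_bytes(digest[:8], "big") % (10 ** self._digits)
        return f"{value:0{self._digits}d}"

    def issue(self, recipient: str, amount_cents: int) -> Tuple[int, str]:
        """Register a pending transfer and return its id and the SMS text."""
        self._counter += 1
        op_id = self._counter
        self._pending[op_id] = (recipient, amount_cents)
        self._attempts[op_id] = 0
        code = self._code_for(op_id, recipient, amount_cents)
        sms = (f"Transfer of {amount_cents / 100:.2f} to {recipient}. "
               f"Operation {op_id}, code: {code}")
        return op_id, sms

    def confirm(self, op_id: int, recipient: str, amount_cents: int, code: str) -> bool:
        """Accept the code only for the exact details it was issued for,
        and only once; lock the operation after repeated wrong codes."""
        if op_id not in self._pending:
            return False                        # unknown, used, or locked
        expected = self._code_for(op_id, recipient, amount_cents)
        if not hmac.compare_digest(expected, code):
            self._attempts[op_id] += 1
            if self._attempts[op_id] >= self._max_attempts:
                self._pending.pop(op_id)        # locked after repeated failures
            return False
        self._pending.pop(op_id)                # consumed: a replay is rejected
        return True


if __name__ == "__main__":
    bank = TransactionAuthorizer(secrets.token_bytes(32))
    op_id, sms = bank.issue("recipient-A", 25000)
    print("SMS to customer:", sms)
    code = sms.rsplit(" ", 1)[1]
    print("altered recipient:", bank.confirm(op_id, "recipient-B", 25000, code))
    print("as issued:        ", bank.confirm(op_id, "recipient-A", 25000, code))
    print("replayed:         ", bank.confirm(op_id, "recipient-A", 25000, code))
```

Because the bank recomputes the code from the details it actually receives, malware that changes the recipient in the browser after the customer has read the SMS produces a mismatch, and the transfer is refused. The constant-time comparison (`hmac.compare_digest`) is standard practice for checking any secret value.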
What data is attractive to hackers:
- all personal data
- passwords
- credit card numbers
- electronic documents containing bank data
Computer security on the Internet
1. What protects us
Firewall
A firewall is one way of protecting computers, networks, and servers against intruders. It can be either computer hardware running special software or software alone that blocks unauthorized access to our resources. A few years ago, firewall software was available and dedicated mainly to important servers and large networks; with the rapid pace of technological growth, however, a firewall is becoming essential software for any home computer connected to a LAN or the Internet. On such a home computer the firewall inspects all incoming and outgoing network traffic, restricting or denying access in both directions to unknown programs or users.
Antivirus Programs
This is software designed to detect, block, combat, and remove computer viruses and repair the damage they cause. If a launched application contains malicious software, the program takes appropriate action to remove the virus and only then allows the program to run. An important function of any antivirus is sufficiently frequent updating of the virus definitions it contains; this keeps it "up to date" in the world of viruses. Through updated definitions the program gathers information about the latest viruses and receives instructions that let it combat them and repair the damage. Reputable antivirus vendors update the virus definitions in their products daily.
Anti-spam Programs
This type of software aims to block unwanted electronic correspondence. The programs filter messages and use blacklists of addresses and domains used by spammers. Most such software lets us set custom rules, which we can modify and refine, e.g., keywords that occur in advertising material, thereby keeping messages containing those words in the subject line out of our mailbox. These programs are not foolproof, however, and can sometimes block correspondence that should be delivered.
IDS
This is an Intrusion Detection System, whose goal is to identify dangerous activity in the network. It looks for all forbidden or suspicious network activity that may pose a threat to the system.
It detects unsuccessful attack attempts and preparations for a full intrusion, such as port scanning or mapping the network in search of its critical servers, services, and applications. The IDS probes collect information; the management system processes the collected information and extracts attack signals from it.
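The port scanning the paragraph names is the classic pattern a network IDS flags: one source touching many different ports on one host in a short time. The Python below is an added illustration of that detection logic, not the code of any IDS product; the log format (one line per connection attempt) and the sample lines are constructed, and the 60-second window and ten-port threshold are assumptions a real deployment would tune.

```python
"""Toy network IDS check: flag a host that probes many distinct ports on one
destination within a short window, the port-scan pattern an IDS looks for.
Added illustration; the log format and the sample lines are constructed,
not from any real firewall or IDS."""
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed format: "<unix time> <src ip> -> <dst ip>:<port> <ACCEPT|DROP>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>ACCEPT|DROP)$"
)

# Constructed sample: 203.0.113.5 sweeps eleven ports on 192.0.2.10 within
# ten seconds, while 198.51.100.7 is an ordinary client using 443 and 80.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 203.0.113.5 -> 192.0.2.10:{p} DROP"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080])]
    + [f"{1000 + i} 198.51.100.7 -> 192.0.2.10:443 ACCEPT" for i in range(20)]
    + ["1030 198.51.100.7 -> 192.0.2.10:80 ACCEPT", "this line is malformed"]
)

Event = Tuple[int, str, str, int]   # (timestamp, src, dst, port)


def parse_log(text: str) -> List[Event]:
    """Turn log lines into (timestamp, src, dst, port) tuples; lines that
    do not match the format are skipped so one bad line cannot stop the
    detector."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def detect_port_scans(events: List[Event], window: int = 60,
                      threshold: int = 10) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for each src/dst pair whose number
    of distinct destination ports within some `window`-second span reaches
    `threshold`.  Repeated connections to the same port do not count, so
    a busy but legitimate client is not flagged."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), touches in by_pair.items():
        touches.sort()
        best, start = 0, 0
        for end in range(len(touches)):
            # slide the window start forward until it spans <= `window` seconds
            while touches[end][0] - touches[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in touches[start:end + 1]}))
        if best >= threshold:
            alerts.append((src, dst, best))
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"ALERT possible port scan: {src} touched {n} distinct ports on {dst}")
```

Counting distinct ports rather than connections is what separates the scanner from the ordinary client in the sample, which opens twenty connections to port 443 but is never flagged.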
2. Internet Threats
Viruses
A computer virus is a self-replicating piece of executable code embedded in, or attached to, another program. A virus cannot act alone; it needs a carrier in the form of a computer program. When that program is run, the virus's malicious code usually executes first, followed by the legitimate program.
After successful infection, further action depends on the specific type of virus and includes:
- Replicating only in the infected system.
- Infecting further files during their execution or creation.
- Deleting or damaging data in systems and files.
- Wasting system resources without causing damage.
By type, viruses can be divided into:
- disk viruses – infect the boot sectors of floppy disks and hard drives
- file viruses – infect executable files of a given operating system
- BIOS viruses – destroy the computer's BIOS (software responsible for proper configuration and start of the system)
- macro viruses – attack through non-executable files, e.g., Word or Excel documents; infection occurs via the macros contained in these documents
- mobile viruses – currently rare, but in the future will pose a significant threat due to the development of software for phones
Worms
A worm is a self-replicating computer program, similar to a computer virus. The main difference is that a virus needs a carrier, which it modifies by attaching its executable code to it, whereas a worm is self-sufficient in this respect and spreads across all networks connected to the infected computer. Besides its primary function of replicating, a worm may have other built-in functions, such as destroying the system, sending mail and thereby infecting further computers, or installing trojans. Today worms use every available means of spreading: LAN networks, the Internet, email, file-sharing networks, and mobile phones. For several years worms have wreaked havoc around the world: they spread trojans and spam, assist in carrying out DoS attacks, cause system outages, and overload internet links.
Spyware
Spyware is a category of malicious program covering any application that collects and sends information about its user's computer system without the user's consent. Besides violating privacy, spyware generates unnecessary and burdensome network traffic and, when it contains coding errors, can damage the operating system.
Spoofing
Spoofing is one of the more effective and frequently used methods of obtaining information without authorization. It consists of "masquerading" as another computer in the network. By sending packets with a forged source address, a hacker deceives the receiving computer, which misidentifies the sender and sends all packets straight to the attacker. In this way the hacker's computer can "pretend" to be, for example, a server, gaining access to all confidential data. Many software versions for this kind of action already exist; they can be installed both on the attacking computer and on access devices such as routers. An attack on a router is particularly dangerous because all the traffic passing through it can then be controlled by the hacker. Fortunately, most branded routers have protection against spoofing.
Sniffing
This technique was created for administrators and consists of "eavesdropping" on all packets circulating in the computer network. Analyzing such packets makes it easy to detect any irregularities in the network's operation; by monitoring network performance, the administrator identifies its weak and strong points, so sniffing as an administrative tool offers enormous diagnostic potential. Hackers have also noticed the advantages of sniffing: the ability to intercept all information exchanged over a network is a huge incentive. To analyze the "tracked" packets, hackers have created their own software that lets them capture important information such as passwords, credit card numbers, or personal data. Using an SSL-secured connection limits the threat posed by sniffing.
Stealware
Stealware (from the English "stealing software") is used to steal money from users. The stealing module tracks all the actions the user performs in the system. When the user wants to pay for a service online, the corresponding stealing module activates and redirects the payment to the appropriate account. There are currently not many stealware modules, but their number is growing rapidly.
Phishing
Phishing is the fraudulent acquisition of sensitive personal information, such as passwords or credit card details, by posing as a trustworthy party that urgently needs this information. It is a type of attack based on social engineering. Today cybercriminals use phishing techniques for financial gain; common targets are banks and online auction sites. A phisher usually sends spam to a large number of potential victims, directing them to a website that pretends to be a real online bank while actually intercepting the information the victims enter there. A typical scheme is a notice that the account has supposedly been deactivated and must be reactivated by providing all the confidential information. Imitating the online bank's website is also a frequent method: the user enters all the information required to log in, but the login never happens, and the data entered is acquired by the phisher.
Trojan horses
A Trojan horse is classed as a computer virus, although its operating principle differs significantly from that of a traditional virus. A Trojan horse neither replicates nor spreads on its own; the victim's computer is infected only when the user deliberately installs the carrier program. This carrier can be any program installed on the computer. During installation, the Trojan horse integrated into the program's code installs itself in the background, invisibly to the user. Very often these viruses are distributed by email as infected animations or images, though perhaps the most insidious Trojan horses are programs posing as antivirus tools. The aims of a Trojan horse attack vary; mainly it is to take control of the infected computer or gain access to the information stored on it.
Spam
Spam is unwanted correspondence sent electronically as email, usually in bulk. The essence of spam is sending a large number of commercial messages with identical content to unknown people; the content of the messages does not matter. Spam can be compared to leaflets left at our door or slipped into our mail. In most cases spam serves commercial purposes: in electronic correspondence it urges us to buy certain goods or lures us with a prize trip. Sometimes, however, spam is a tool for attacking us, trying to extract confidential information while impersonating a bank or another institution.
Adware
Adware is software made available free of charge in its full, functional version, whose author or producer earns money from advertisements commissioned by sponsors, most often displayed in the program's window. Examples of adware include Opera, Eudora, GetRight, Gozilla, and Gadu-Gadu. Adware status is usually the default option; the user can get rid of the annoying ad banners by purchasing a traditional license for the program. Such programs often contain hidden functions that monitor the user's activity; in that case we are dealing with spying on the user, and the program's status changes from adware to spyware.
Hybrid attack
A hybrid attack is a dictionary attack that also considers possible permutations and distortions of each word, e.g., rewriting passwords in cracker slang or adding digits or other non-alphanumeric characters to them.
Dictionary attack
A dictionary attack is an attempt to log in to a computer system without authorization and without knowing the access password. Instead of a password, successive words from a file, the dictionary, are tried. A dictionary file can contain up to several thousand words; the larger it is, the greater the probability of hitting the correct password. The primary defense against such attacks is frequent password changes. It is important that passwords are not simple words found in a dictionary, e.g., home, bike, etc. The system administrator should enforce password changes for users, e.g., once a month. It is a good idea to include both upper- and lowercase letters in passwords as well as non-standard characters such as %#@.
Peer-to-Peer (P2P) is a model of communication in a network, e.g., the internet, between users who all have equal rights. The most commonly encountered P2P model is the file-sharing program, in which each user acts as both a server, the source of the files being downloaded, and a client downloading files from other users. Data exchange in the P2P model always takes place without the intermediation of a central server. Moreover, the P2P structure is highly variable, depending on how many users are logged in at any given moment.