Greater security for your online banking transactions
Performing banking transactions on the Internet gives the consumer a whole series of advantages:
- maximum convenience (24/7),
- minimum constraints,
- rapid execution times,
- no charges,
- electronic archiving of your transactions.
For some years now, credit institutions have allowed their clients to effect online banking transactions in a simplified and optimised manner.
46% of all businesses in the financial services sector indicated that they provided e-banking and/or e-insurance services to their clients in 2009.
Luxembourg is one of the European countries in which Internet purchasing by residents is the most highly developed. 36% of all Luxembourg residents made a purchase or placed an order online in 2009.
E-banking enables clients:
Although the use of e-banking is relatively simple and accessible from any work station regardless of your operating system, compliance with various criteria relating to the security of your transactions is imperative.
Credit institutions obviously take many measures to protect your personal data, but your bank has no way of verifying the arrangements that you have made to effect transactions securely from your computer.
You may therefore be potentially exposed to certain risks which your bank cannot itself supervise.
To guard against any possible risk linked to the type of transaction, CASES and the ABBL wish to make a number of recommendations concerning vigilance to optimise the management of your online bank accounts.
We are therefore proposing a number of simple rules to follow and giving you the benefit of a series of information bulletins drawn up by CASES.
Specific rules for e-banking / e-commerce security formulated by CASES:
Computers do not recognize the identity of their users automatically. Users thus need to identify themselves, via a password, for example.
Unfortunately, this identification is often not taken seriously enough. Most people see it as a necessary evil. As a result, identification by the user frequently ends up being the weak link in information security. Nevertheless, identification is often the only protection that users have against the fraudulent use of their online identity.
Below you will find various identification factors developed by CASES as well as an overview of certain risks that users face.
CASES fact sheet: Authentication (only available in French)
One of the best known methods of deception is to send an e-mail that looks exactly like one from a trustworthy organisation asking you to enter personal information (passwords, credit card number etc.). Sometimes the recipient is also asked to click on a link that leads to a web site that looks confusingly similar to the official site. The scammer has only one purpose in mind - he wants to use your confidential data to access and misuse your accounts. The best protection, therefore, is to learn to detect scam e-mails.
CASES fact sheet: E-mails (only available in French)
Test: "spot the malicious e-mails" (only available in French)
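The tell-tale sign described above is a link whose visible text names the bank while its real destination is somewhere else, or a look-alike domain. The following Python script is an added example (not CASES or ABBL material) that pulls the links out of an HTML e-mail body and flags exactly those mismatches; the message body, the domains in it and the `TRUSTED_DOMAINS` set are constructed placeholders.

```python
"""Flag scam-e-mail links: visible text that names one domain while the
href points at another, punycode look-alike hosts, and plain-http links.
Added example, not from CASES; all domains below are made up."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a suspicious e-mail (every domain is a placeholder).
SAMPLE_HTML = """
<p>Dear customer, please confirm your details:</p>
<a href="http://secure-login.example-bank.com.evil.example/verify">https://www.example-bank.com/login</a>
<a href="http://xn--exmple-bank-xyz.example">www.example-bank.com</a>
<a href="https://www.example-bank.com/contact">Contact us</a>
"""

# What the user knows their bank really uses (constructed placeholder).
TRUSTED_DOMAINS = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified registrable domain: the last two labels. This ignores
    multi-part public suffixes such as co.uk; enough for the illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host named by a URL or bare hostname in the link text, or None."""
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def analyse_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons this link looks like phishing (empty = clean)."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (look-alike) domain")
    shown = host_of(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append(f"text says {shown} but link goes to {host}")
    if registrable_domain(host) not in trusted:
        findings.append(f"destination {host} is not a known bank domain")
    return findings


def analyse_email(html, trusted=TRUSTED_DOMAINS):
    """Every link in the body with its findings: [(href, text, findings), ...]."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, analyse_link(href, text, trusted))
            for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in analyse_email(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for f in findings:
            print("   !", f)
```

The first two sample links are flagged (domain mismatch, plain http, punycode), the third is clean. Hovering over a link in a mail client shows the same href this script inspects.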
Make sure that a web page is secure
On commercial or banking websites, you sometimes make use of payment services or consult accounts online. For your own protection, you must make sure that these pages are secure. First of all, type in the address of the site yourself or make sure that it is absolutely identical to the site that you wish to visit. Then check that all of the five following conditions are fully met.
1. https appears at the start of the page address
2. A padlock is present at the bottom and/or top of the secure page
3. The padlock is closed
If the padlock is open or struck through, the site may not be the one which it purports to be. You cannot therefore be certain that the connection is secure and it is better to avoid entering personal data.
4. The closed padlock is linked to a recognized security certificate (or SSL certificate)
To check this, double click on the closed padlock.
A window then opens. Now click on “Display” and the certificate will appear.

5. The security certificate linked to the closed padlock is valid
To satisfy this condition, you must verify the information contained in the security certificate. The name of the holder, issuer and certificate expiry date all appear on the certificate. Knowing that even a person with malicious intent can purchase a certificate, check all the information appearing on it before trusting the connection.

In the above example, we see under [2] that the certificate was issued by a public key infrastructure called LuxTrust to a service for *.cases.lu [1]. The star means that the certificate is used for several Internet sites belonging to cases.lu. The validity of the certificate can be checked at [3].
Certificates are issued by certification authorities (CA, or AC in French) such as LuxTrust, VeriSign and Cybertrust.
Once all these five conditions have been met, you have an assurance that the connection is secure.
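Steps 4 and 5 ask you to read the holder, issuer and expiry date off the certificate and to check that a wildcard such as `*.cases.lu` really covers the site you are on. The Python below is an added example (not CASES or ABBL code) that performs those same checks programmatically on a certificate in the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate, its issuer name and its dates are constructed for illustration, and `fetch_peer_cert()` is only there to show where a live certificate would come from.

```python
"""Check a server certificate the way steps 4 and 5 describe: who it was
issued to, who issued it, whether it is still valid, and whether a wildcard
name such as *.cases.lu actually covers the host you are visiting.
Added example, not CASES/ABBL code. SAMPLE_CERT is constructed in the shape
returned by ssl.SSLSocket.getpeercert(); issuer and dates are illustrative."""
import socket
import ssl
import time

# Constructed sample in getpeercert() format (values are placeholders).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.cases.lu"),),),
    "issuer": ((("countryName", "LU"),),
               (("organizationName", "Example CA (placeholder)"),),
               (("commonName", "Example CA Root (placeholder)"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "*.cases.lu"), ("DNS", "cases.lu")),
}


def hostname_matches(pattern, hostname):
    """RFC 6125 style wildcard matching: '*' is allowed only as the whole
    leftmost label and stands for exactly one label, so *.cases.lu covers
    www.cases.lu but neither cases.lu nor a.b.cases.lu."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate claims: SAN DNS entries, CN only as fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def issuer_org(cert):
    """Organisation name of the issuing CA (what step 5 calls the issuer)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_certificate(cert, hostname, now=None, trusted_issuers=None):
    """Step-5 checks as a dict: name match, validity window and, if a list
    of recognised CAs is given, whether the issuer is one of them."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = cert_names(cert)
    result = {
        "names": names,
        "issuer": issuer_org(cert),
        "name_matches": any(hostname_matches(n, hostname) for n in names),
        "in_validity_period": not_before <= now <= not_after,
    }
    if trusted_issuers is not None:
        result["issuer_recognised"] = result["issuer"] in trusted_issuers
    result["ok"] = (result["name_matches"] and result["in_validity_period"]
                    and result.get("issuer_recognised", True))
    return result


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch a live certificate (needs network). The default context already
    verifies the chain and hostname and raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    mid_2025 = ssl.cert_time_to_seconds("Jul  1 12:00:00 2025 GMT")
    print(check_certificate(SAMPLE_CERT, "www.cases.lu", now=mid_2025))
    print(check_certificate(SAMPLE_CERT, "a.b.cases.lu", now=mid_2025))
```

Note that the browser already performs the chain and hostname checks; reading the issuer yourself, as step 5 says, is what catches a technically valid certificate bought by someone else for a look-alike name.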
HTTPS - HyperText Transfer Protocol Secure
HTTPS is a network protocol used for secure web browsing. It allows websites that need a degree of security in their communication with users to be authenticated and the exchanges to be encrypted. For this purpose, HTTPS uses asymmetric cryptography for authentication and symmetric cryptography to encrypt the exchanges.
Before entering a password or performing an e-commerce or e-banking transaction, always make sure that you are on an HTTPS and not on an HTTP site. This is not at all complicated.
If anything strikes you as strange during an e-Banking or e-Commerce session or if you notice a security risk, please inform your bank.
Examples of unusual processes:
• the session is interrupted,
• the session takes longer than usual and, for example, a download message is displayed.
If you see anything unusual or believe that your session is not secure, you can bar your e-Banking account yourself, provided that your bank offers this service.
Depending on the bank, there is a tab in the application named “Security” or “Options” on which you can carry out the barring process.
Only you may know your access data such as your user name or password. Never disclose these to a third party. Never write your access data down. If you do not follow this rule, at least keep the data separate and, above all, away from your desk or computer.
If a person discovers your password, the greatest risk is that this person will misuse your identity. Therefore choose as random a password as possible and follow the recommendations below:
- It should consist of numbers, upper and lower case letters and symbols
- It should contain at least 8 characters (the more the better)
- It should not be a word that can be found in a dictionary
- You should change your passwords frequently, and no less than twice a year. The more important the application or system is for you, the more frequently you should change your password.
- It should be random
- It should not relate to personal information
- You should define a different password for every application and system
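The rules above are easy to check mechanically, and the "as random as possible" rule is best met by letting the operating system's random generator choose the password. The following Python is an added example (not CASES code) that tests a candidate password against those rules and generates one that satisfies them with the `secrets` module; the small word list and the personal-information list are constructed stand-ins for a real dictionary file and the user's own data.

```python
"""Check a password against the CASES rules (length, character classes,
no dictionary word, no personal information) and generate a random one.
Added example, not CASES code; word and personal-info lists are constructed."""
import math
import secrets
import string

# Constructed stand-ins: a real check uses a full dictionary and the user's data.
DICTIONARY_WORDS = {"password", "welcome", "luxembourg", "banking", "summer"}
PERSONAL_INFO = {"marie", "1985", "fido"}  # names, birth years, pets, ...

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(pw, dictionary=DICTIONARY_WORDS, personal=PERSONAL_INFO):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("missing one of: lower case, upper case, digit, symbol")
    # 'Password1!' is still the dictionary word 'password' once the
    # digits and symbols bolted onto either end are stripped off.
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in dictionary:
        problems.append("dictionary word with digits/symbols added")
    if any(item in pw.lower() for item in personal):
        problems.append("contains personal information")
    return problems


def entropy_bits(pw):
    """Guessing work in bits IF the password was drawn uniformly at random
    from the character classes it uses. A dictionary word with a suffix
    is far weaker than this figure suggests, which is why check_password
    rejects it regardless of this number."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """Random password from the OS CSPRNG, redrawn until every class is present."""
    if length < 8:
        raise ValueError("CASES rules require at least 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw, dictionary=set(), personal=set()):
            return pw


if __name__ == "__main__":
    for candidate in ["Password1!", "Marie1985!x", "xK9#vQ2$mLp7@Wz"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}"
              f" ({entropy_bits(candidate):.0f} bits if random)")
    print("generated:", generate_password(16))
```

A generated 16-character password of this kind is not memorable, which is why the "different password for every application" rule is in practice met with a password manager rather than by memory.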
CASES fact sheet: Passwords (only available in French)
Even a computer must be immunised to remain healthy and armed against worms and viruses. You must install an anti-virus program to surf the Internet safely and you must update it regularly. You can also use anti-virus services provided by your ISP.
CASES fact sheet: Anti-virus (only available in French)
The firewall is one of the most important counter-measures to protect your information system against deliberate attacks by malevolent persons or worms.
Here are the three most important measures:
• An up to date anti-virus system
• An up to date operating system (patches)
• A correctly configured firewall.
A firewall is a physical (hardware) or logical (software) device which provides protection for personal computers. It can also be used as an interface between one or more corporate networks to monitor and possibly block data circulation by analysing the information which is contained in the data flows (network partitioning).
It therefore enables attacks or suspect connections, whether from viruses, worms or Trojans, to be blocked and traced. At the same time, a firewall often serves to prevent the uncontrolled leakage of information to the outside world. Install a firewall and configure it correctly: this protects you both from such attacks and suspect connections and from leakage of your personal and confidential information.
CASES fact sheet: The firewall (only available in French)
Make your e-banking / e-commerce transactions secure by installing an anti-spyware program which scans your computer at regular intervals to detect the possible presence of malicious software.
Spyware is software used to secretly monitor users' activity, either on its own or as part of a program that is ostensibly intended for another purpose. Spyware is programmed to glean personal information from users, to spy on their activities and to transfer the collected data to the program's designer or a third party in order to feed a database. The recipients of the data can then profile users' web surfing habits or online shopping activities.
Spyware generally gets on a system via Internet browsing or by downloading freeware or adware.
Many virus scanners also include anti-spyware. But this protection is not always sufficient. In order to ensure that one hasn’t inadvertently installed spyware, it is recommended to periodically run an anti-spyware program, especially after having installed dubious software.
CASES fact sheet: Spyware (only available in French)
To beat the cyber criminals who look for and find flaws in operating systems every day, you must keep your browser up to date and apply the appropriate patches. Like your anti-virus, your system needs maintenance. Performing the necessary updates will protect you against risks such as worms, viruses and Trojans.
CASES fact sheet: Security patches (only available in French)
Social engineering is a hacking technique which consists in exploiting the credulity of a user to obtain confidential information from him/her about a target information system. The attacker's main aim is to obtain information which gives him valid access to the information system that he wishes to penetrate.
Be careful if you are asked to provide information!
Do not disclose your user name or password to anyone. No serious entity will ask you for this information (even over the telephone). This also holds even when the request seems credible and carries apparent identification features of the entity it claims to come from, for example a plausible sender address, an Internet site that looks like the official site, etc.
If in doubt do not answer and put the question to the appropriate authority so as to ascertain whether the request is serious or not.
Determine whether the supplier is serious
When making online purchases, make sure to deal only with serious suppliers. Only enter your bank card number on web pages which use a secure protocol. These can be recognised by the small padlock which appears on the lower edge of the browser or by the protocol indicated in the URL (HTTPS instead of HTTP).
Always disconnect from Internet sites
You are advised to use the disconnection menus whenever you quit web applications such as web mails or a connection to an e-banking site.
If you do not log out, traces of the session may still be accessible to an attacker, who can then exploit your login details for malicious purposes.
Keep track of your bank accounts
Several weeks can elapse between the theft of login details, their use and the user's detection of the damage. It is therefore important to keep a careful watch on movements of money on your bank accounts to make sure that no abnormal transaction has taken place and to be able to file a complaint if necessary. You should consult and validate the transactions performed on your bank account at least once a month.
CASES fact sheet: Human error (only available in French)
On 11 April 2012 the Governing Council of the European Central Bank (ECB) endorsed for public consultation the "Recommendations for the Security of internet payments", in the context of the work undertaken by the European Forum on the Security of Retail Payments. Its purpose is to facilitate common knowledge and understanding of issues related to the security of electronic retail payment services and instruments.
In E-banking operations, transactions and personal data are secured at 3 levels:
- operational (the E-banking software),
- at the Internet level (secure connection) and
- at the level of the bank's Internet servers.
But security also requires vigilance on the part of the user, who must make sure to secure his or her computer and any device used to connect online (mobile phone, smartphone, tablet, etc.) and so adopt the appropriate security measures.
On 18 July 2011, François Biltgen, Minister for Communications and the Media, together with representatives of Cases, the Centre de communications du gouvernement (CCG), the Centre des technologies de l'information de l'État (CTIE) and the Haut-commissariat à la protection nationale (HCPN), presented the government's measures to strengthen the fight against cyberattacks.
• Phishing by e-mail: an illegal process consisting in extorting funds or stealing login credentials for various online services by abusing the credulity of the victims.
• Trojan horse: a program installed by a hacker, residing on a victim's computer, generally without the user's knowledge. Often hidden inside another program. It is the point of entry for many hackers onto a target system.
• Defacement: a defacement is a form of cybercrime of the cybervandalism, or even cyberterrorism, kind, directed against a corresponding website
• Physical theft: a thief takes possession of another person's property by force or without the latter's knowledge. A theft may involve any of the components making up the IT estate. These thefts may be committed on the company's premises or during the transport of computer equipment.
• Cybercrime: the Internet has opened up new prospects for citizens and businesses. However, this object of technological innovation has also led to the emergence of a new form of crime, commonly referred to as "cybercrime".
All CASES fact sheets (legal aspects - technologies - risks, vulnerabilities and impacts - threats - countermeasures)