Security principles and guidelines

• Guidelines for using the Internet Banking

  • Always protect your login information (login number and password).
  • Keep in mind that passwords should not be disclosed to anybody, not even family members or colleagues at work.
  • Use more complicated passwords. We recommend to add a special character to your current alphanumeric combination. 
  • Disable the “save the password” option in your computer’s settings, especially if your computer is also used by other persons.
  • Only use internet banking on computers and networks that you trust.
  • Always make sure that you are entering the right website. Our internet banking is only available at: https://www.equabanking.cz/
  • Never enter your personal data, access details, logins, passwords,
    PINs or telephone numbers anywhere based on an email you received. The bank will never ask for these personal data in electronic communication.
  • The access to internet banking is protected by means of an automatically generated login number, password and SMS code. You can enable login authentication with biometric or mobile application passcode.
  • Connection to our internet banking and other websites is secured by the SSL (HTTPS) protocol. You can recognize the authenticity of our website by seeing a green symbol of a padlock and the name “Equa bank a.s.” in the address bar. Detailed information including pictures can be found below in Chapter “How to find out whether you are visiting a secure website?”.
  • Keep the operating system and the web browser used on your computer updated.
  • You cannot keep your computer secure without having an up-to-date antivirus and firewall installed on your computer.
  • If you receive spam e-mail containing a link to Equa bank a.s. website, do not respond to the email and do not click on the link – instead, contact our Customer Service. By reporting fraudulent e-mails you are helping protect the bank and other customers as well.

• Most common methods of obtaining sensitive data and how to protect your data

  1. PHISHING

  Phishing is a fraudulent technique that hackers use to install harmful programs (malware) on your computer or mobile phone or to extract sensitive data (passwords, credit card numbers, bank account numbers, birth numbers, etc.) from you. Most often, fraudulent e-mails ask you to click on a link or open an attachment. These messages may be written in English or Czech. These days many of the Czech messages are very well written, i.e. the text is of a high standard. Taking advantage of the vulnerability of computers, hackers can launch a web camera or microphone remotely or become the administrator of your PC, just by having you click on a link that has a virus.

  Most common methods of spreading fraudulent messages (phishing)

  • Electronic mail (e-mail),
  • Text messages (sms),
  • Social media (e.g. Facebook, twitter, instagram, youtube),
  • Instant messaging (e.g. Whatsapp, telegram, skype, facebook messenger, imessage and others).

  What are practical examples of the most aggressive fraudulent messages?

  • A link to a fake page (e.g. of a bank) that looks similar to the real page and where the user is asked to enter personal data, sign in data, login and password.
  • Payment card fraud is an ongoing trend.
  • An e-mail that says you have to quickly open the attached invoice or you will be at risk of default.
    • A hacker forges the e-mail sender’s name, impersonating a high-level executive in a company.
    • The hacker sends the spoofed e-mail with the attached invoice to the accounting department and states that the invoice has to be paid quickly and secretly.
    • These techniques are also sometimes called spear phishing or CEO fraud.
  • Fake requests to change your password to Internet services or internal corporate systems.
  • A message stating that someone has misused your credit card information and you must send your card number in a reply to the e-mail so that the bank can block your card.
  • Your mailbox is full or your phone data is used up – click here immediately or you will no longer be able to use your e-mail or phone.
  • Your computer has a virus. Click here right away and we will get rid of the virus before it’s too late.
  • A suspiciously good offer (e.g. electronics offered for a low price), a lottery win, inheritance transfer, etc., through which the hacker extracts personal data and sign in data from the user.

  What are practical examples of the most aggressive fraudulent messages?

  Who sent you the message?

  • An unknown sender with whom you have never been in contact before (which means the sender should be verified, e.g. by phone).
  • You know the sender but the nature of the e-mail is markedly different than your normal communication – someone asks you for something unusual, quickly and ideally in secret.
  • The domain of the sender is suspicious (e.g. equbank.cz, equafinance.com, etc.) 
  • Always check the entire e-mail address, not just the sender’s name. An example of an e-mail in an inbox:
  • SECURITY EQUA BANK, a.s. @helpdeskonline24.com>
  • The sender’s name is SECURITY EQUA BANK, a.s. But the domain of the sender’s e-mail address is suspicious.
  • TIP: Do you read e-mails on your phone? Be careful – not everything shows up on a phone’s small screen. Some mobile phones only show the name of the e-mail sender, for example. It’s very easy to spoof an e-mail sender’s name. When you get a suspicious looking e-mail, always click on the sender’s name to show the full e-mail address.

  Content of message

  • The sender asks you to click on a link or open an attachment in order to avoid negative impacts or obtain something valuable.
  • The text contains grammatical errors or typos (but that is not always a sure sign of a fraudulent message – these days many e-mails are written in very good Czech).
  • The sender asks you to carry out unexpected, illogical or suspicious activities.
  • The sender sends you a compromising or interesting photo of someone you know or yourself. The e-mail may have an attachment with a very blurry preview of the photo to make you curious enough to click on it and enlarge it. 

  Attachments

  • The message contains an attachment that is illogical, unrelated to the text of the message and completely unexpected.
  • The attachment extension is potentially dangerous (.exe, .bat, .js, as well as .xlsm, .docm, .zip) 
  • The attachment extension appears to be safe – regular users often do not anticipate any danger here. The attachment may be an image or video file (.bmp, .jpg, .jpeg, .mpg, .avi).

  Links

  • After you move the cursor onto the link, a link to a different domain shows up in the context window – see picture.
  • 
  • The message contains only the link and nothing else.
  • The link goes to a spurious URL, e.g. http://equabank.suspiciousdomain.cz/bezny-ucet instead of http://equabank.cz/bezny-ucet

  Techniques hackers use to get you to click on a fake e-mail:

  • Gaining your trust. 
  • Creating a problem.
  • Emphasizing that time is short – so that you don’t spend much time thinking about it and just open the attachment or click.
  • Offering a reward or compensation.
  • Arousing your curiousity.

  What can you do if you get an e-mail you suspect may be fraudulent?

  • Don’t click on the link or attachment.
  • If you get an e-mail that you think may be fraudulent or you suspect someone has hacked your Internet banking account, please contact the Equa bank client hotline +420 222 010 222 without undue delay.

  How to protect yourself against Phishing

  1. Never respond to links attached to an e-mail that ask you to enter personal data, sign in data, login or passwords.
  2. Never sign in to Internet banking from an Internet address listed in an e-mail.
  3. When accessing an Internet banking site, always write out the Internet address of the service into the URL field in the browser on a newly opened Internet page.
  4. Update your computer operating system, antivirus program and Internet browser version.
  5. Do not use publicly accessible computers when entering personal data or accessing your account online.
  6. Authenticate using secure communication (SSL certificate).

  
  

  2. SOCIAL ENGINEERING

  Social engineering, in the context of information security, refers to psychological manipulation of people into believing the attacker is a different person with the goal of making them perform certain actions or divulge confidential information. These methods involve the attacker trying to persuade the victim to divulge an important information. For example, a password may be disclosed to somebody who calls the victim on the phone, posing as the system administrator.

  Aside from standard mail, social engineering attacks are most commonly performed using telephone or the Internet (email, chat, Facebook). Experienced social engineers may carry out “face to face” attacks. If the attacker knows his victim personally, he may guess the victim’s password on the basis of the information he gathered about the person. Typically, he tries details such as place of birth, nickname, the name of a village where the victim has a summer house, name of the victim’s dog, etc.

  Social engineers take advantage of people’s common traits, such as their trust in other people, occasional laziness, inability to spot minor differences, the willingness to help others, and fear of getting into trouble. If the attacker has a vested interest in the success of the attack, he may dedicate a longer period of time to building confidence.

  How to defend yourself against Social Engineering

  1. Always protect your login information (login / user name and password).
  2. Do not succumb to pressure to divulge passwords or other sensitive date over the phone. 

  In case the attacker poses as a figure of authority, ask for further details.

  1. Regularly change your passwords and make sure they are sufficiently strong.

• Skimming and guidelines for safe use of payment card

  Skimming refers to a way of obtaining data from the magnetic strip of a card using a reader device, without the user being aware of this. The data are subsequently used to produce a counterfeit card. The reader device, i.e. the scanner, is placed directly on the payment terminal. It consists of a part which reads data from the payment card and a part enabling it to obtain the PIN. Both have to be obtained for the attackers to be able to produce a counterfeit and freely use it. You can encounter skimming not only at ATMs, but also during payment in bars, restaurants, at petrol stations, etc.

  How to protect yourself:

  1. Never leave your card unattended
  2. Keep your PIN secret and do not write it down
  3. Before withdrawing money from an ATM, check the ATM for modifications (e.g. the keypad is covered by a plastic sheet, it is strangely sunk into the board, an unauthorised reader is installed as depicted in the picture, etc.)
  4. While entering PIN on the keypad, cover the number keys with your other hand (in order to prevent others from seeing the numbers you are entering)
  5. Remain vigilant while withdrawing money from an ATM (e.g. watch out for strange persons nearby, unusual lighting on the ATM, etc.)
  6. When paying in a shop, always think about how trustworthy the merchant is. Check the correctness of the details, the date and time and the amount on the receipt after payment. If you have doubts, do not pay by card.
  7. Never make online payments on a computer you do not trust or on a public computer.
  8. Regularly check your account through the internet banking and the account statements. This could help you find out about possible discrepancies early. (You can enable notifications of movements on your account.)
  9. If you lose your card, inform your bank without delay. This will prevent it from being misused. Immediately block the payment card in your internet banking or on the Customer Service phone number: +420 222 010 222.

  
  

  
  

  How does it work?

   The fraudulent reader device is placed over the original device

   

   The device scans the card data while the camera records your PIN number being entered

  

   The device is then connected to a PC to which your card data are downloaded

  

• How to find out whether you are visiting a secure website?

  The internet is full of hackers and fraudsters who want to obtain sensitive data, login details and payment card information by means of creating fake websites, by intercepting communications, or otherwise. You can defend yourself against them by using the SSL certificate, which makes sure the communications are encrypted. The certificate also serves to positively identify specific servers.

  How to verify the website’s security

  If the URL address of a website starts with https://, this means the communication between the browser and the server is secure (encrypted).

  Secure communication
  

  Symbol indicating an invalid certificate​

  The security and validity of a certificate may be verified in the browser by clicking on the lock symbol in the address bar, where you can find more details about the certificate. 

  

  Secure communication

  The certificate details contain information on the owner, the certification authority, and technical information on the connection with the server and the name of the server ( www.equabanking.cz). 

  This is what the address bar in your browser should look like during login into the internet banking: 

  
  

• Guidelines for secure use of the mobile app

  In addition to the guidelines for protection of your login details in the internet banking, please observe the following advice while using the mobile application:

  • Never disclose your authentication details. Change your password regularly.
  • Use more complicated passwords. We recommend to add a special character to your current alphanumeric combination. 
  • Equa Mobile Application can be downloaded only from the App Store (in iOS devices)
    or from the Google Play interface (in Android devices).
  • The bank does not send emails linking to downloads from places other than the App Store and Google Play.
  • Make sure antivirus protection is installed on your mobile device.