Security principles and guidelines

• Guidelines for using the Internet Banking

  • Always protect your login information (login number and password).
  • Keep in mind that passwords should not be disclosed to anybody, not even family members or colleagues at work.
  • Disable the “save the password” option in your computer’s settings, especially if your computer is also used by other persons.
  • Only use internet banking on computers and networks that you trust.
  • Always make sure that you are entering the right website. Our internet banking is only available at:https://www.equabanking.cz/
  • Never enter your personal data, access details, logins, passwords,
    PINs or telephone numbers anywhere based on an email you received. The bank will never ask for these personal data in electronic communication.
  • The access to internet banking is protected by means of an automatically generated user name and password. In addition, you can enable login authentication via SMS. We recommend that you enable this option.
  • Connection to our internet banking and other websites is secured by the SSL (HTTPS) protocol. You can recognize the authenticity of our website by seeing a green symbol of a padlock and the name “Equa bank, a.s. [CZ]” in the address bar. Detailed information including pictures can be found below in Chapter “How to find out whether you are visiting a secure website?”.
  • Keep the operating system and the web browser used on your computer updated.
  • You cannot keep your computer secure without having an up-to-date antivirus and firewall installed on your computer.
  • If you receive spam e-mail containing a link to Equa bank a.s. website,¨do not respond to the email and do not click on the link – instead, contact our Customer Service. By reporting fraudulent e-mails you are helping protect the bank and other customers as well.

• Most common methods of obtaining sensitive data and how to protect your data

  Phishing

  Phishing refers to a method of obtaining sensitive data (passwords, credit card numbers, etc.) on the Internet. It consists in sending email messages, usually written in bad Czech or in English, which look like an official request from the bank or from a similar institution. The addressees are asked to enter their personal data on a linked website. Such a website may, for example, imitate the internet banking login window, where the user enters his or her login name and password. By doing this, the user divulges these details to the attackers, who are then able to use them and freely dispose of the account.

  Pharming

  A more insidious form of Phishing, which helps the attackers to obtain sensitive data. The attacker redirects the client to a fake website (e.g. IBS) and thus tricks the user into divulging his or her login details. Such websites are usually unrecognisable from the real website of the bank. Not even experienced users can reliably spot the difference (in contrast to phishing, a similar method).

  Most common tricks used in fraudulent e-mails:

  • Imitating the bank.
  • A link to a fake website which is very similar to the original website and where the user is prompted to enter his or her personal data, access details, logins and passwords.
  • Request for a quick response, where the e-mail is applying pressure on the user, threatening e.g. that his or her account will be blocked if (s)he does not login to the account by the end of the day. 

  How to protect yourself against Phishing and Pharming

  1. Never click on links in emails which require you to enter personal data, access details, logins or passwords.
  2. Never login into the internet banking using internet addresses given in an email.
  3. When entering the internet banking website, always enter the service’s internet address (URL) in the address bar of your browser in a newly opened tab.
  4. Keep your operating system and antivirus updated and use the latest version of your web browser.
  5. Do not use publicly accessible computers to enter personal data or to manage your account.
  6. Verify secure communication (the SSL certificate) in case it is offered.

  Social Engineering

  Social engineering, in the context of information security, refers to psychological manipulation of people into believing the attacker is a different person with the goal of making them perform certain actions or divulge confidential information. These methods involve the attacker trying to persuade the victim to divulge an important information. For example, a password may be disclosed to somebody who calls the victim on the phone, posing as the system administrator.

  Aside from standard mail, social engineering attacks are most commonly performed using telephone or the Internet (email, chat, Facebook). Experienced social engineers may carry out “face to face” attacks. If the attacker knows his victim personally, he may guess the victim’s password on the basis of the information he gathered about the person. Typically, he tries details such as place of birth, nickname, the name of a village where the victim has a summer house, name of the victim’s dog, etc.

  Social engineers take advantage of people’s common traits, such as their trust in other people, occasional laziness, inability to spot minor differences, the willingness to help others, and fear of getting into trouble. If the attacker has a vested interest in the success of the attack, he may dedicate a longer period of time to building confidence.

  How to defend yourself against Social Engineering

  1. Always protect your login information (login / user name and password).
  2. Do not succumb to pressure to divulge passwords or other sensitive date over the phone. 

  In case the attacker poses as a figure of authority, ask for further details.

  1. Regularly change your passwords and make sure they are sufficiently strong.

• Skimming and guidelines for safe use of payment card

  Skimming refers to a way of obtaining data from the magnetic strip of a card using a reader device, without the user being aware of this. The data are subsequently used to produce a counterfeit card. The reader device, i.e. the scanner, is placed directly on the payment terminal. It consists of a part which reads data from the payment card and a part enabling it to obtain the PIN. Both have to be obtained for the attackers to be able to produce a counterfeit and freely use it. You can encounter skimming not only at ATMs, but also during payment in bars, restaurants, at petrol stations, etc.

  How to protect yourself:

  1. Never leave your card unattended
  2. Keep your PIN secret and do not write it down
  3. Before withdrawing money from an ATM, check the ATM for modifications (e.g. the keypad is covered by a plastic sheet, it is strangely sunk into the board, an unauthorised reader is installed as depicted in the picture, etc.)
  4. While entering PIN on the keypad, cover the number keys with your other hand (in order to prevent others from seeing the numbers you are entering)
  5. Remain vigilant while withdrawing money from an ATM (e.g. watch out for strange persons nearby, unusual lighting on the ATM, etc.)
  6. When paying in a shop, always think about how trustworthy the merchant is. Check the correctness of the details, the date and time and the amount on the receipt after payment. If you have doubts, do not pay by card.
  7. Never make online payments on a computer you do not trust or on a public computer.
  8. Regularly check your account through the internet banking and the account statements. This could help you find out about possible discrepancies early. (You can enable notifications of movements on your account.)
  9. If you lose your card, inform your bank without delay. This will prevent it from being misused. Immediately block the payment card in your internet banking or on the Customer Service phone number: +420 222 010 222.

  
  

  
  

  How does it work?

   The fraudulent reader device is placed over the original device

   

   The device scans the card data while the camera records your PIN number being entered

  

   The device is then connected to a PC to which your card data are downloaded

  

• How to find out whether you are visiting a secure website?

  The internet is full of hackers and fraudsters who want to obtain sensitive data, login details and payment card information by means of creating fake websites, by intercepting communications, or otherwise. You can defend yourself against them by using the SSL certificate, which makes sure the communications are encrypted. The certificate also serves to positively identify specific servers.

  How to verify the website’s security

  If the URL address of a website starts with https://, this means the communication between the browser and the server is secure (encrypted).

  Secure communication
  

  Symbol indicating an invalid certificate​

  The security and validity of a certificate may be verified in the browser by clicking on the lock symbol in the address bar, where you can find more details about the certificate. 

  

  Secure communication

  The certificate details contain information on the owner, the certification authority, and technical information on the connection with the server and the name of the server ( www.equabanking.cz). 

  This is what the address bar in your browser should look like during login into the internet banking: 

  
  

• Guidelines for secure use of the Mobile Banking

  In addition to the guidelines for protection of your login details in the internet banking, please observe the following advice 
  while using the mobile banking:

  • Never disclose your authentication details. Change your password regularly.
  • Use more complicated passwords.
  • Equa Mobile Banking can be downloaded only from the APPstore (in iOS devices)
    or from the Google Play interface (in Android devices).
  • The bank does not send emails linking to downloads from places other than the Appstore and Google Play.
  • Make sure antivirus protection is installed on your mobile device.