Security principles and guidelines

• Guidelines for using the Internet Banking

  • Always protect your login information (login number and password).
  • Keep in mind that passwords should not be disclosed to anybody, not even family members or colleagues at work.
  • Use more complicated passwords. We recommend to add a special character to your current alphanumeric combination. 
  • Disable the “save the password” option in your computer’s settings, especially if your computer is also used by other persons.
  • Only use internet banking on computers and networks that you trust.
  • Always make sure that you are entering the right website. Our internet banking is only available at: https://www.equabanking.cz/
  • Never enter your personal data, access details, logins, passwords,
    PINs or telephone numbers anywhere based on an email you received. The bank will never ask for these personal data in electronic communication.
  • The access to internet banking is protected by means of an automatically generated login number, password and SMS code. You can enable login authentication with biometric or mobile application passcode.
  • Connection to our internet banking and other websites is secured by the SSL (HTTPS) protocol. You can recognize the authenticity of our website by seeing a green symbol of a padlock and the name “Equa bank a.s.” in the address bar. Detailed information including pictures can be found below in Chapter “How to find out whether you are visiting a secure website?”.
  • Keep the operating system and the web browser used on your computer updated.
  • You cannot keep your computer secure without having an up-to-date antivirus and firewall installed on your computer.
  • If you receive spam e-mail containing a link to Equa bank a.s. website, do not respond to the email and do not click on the link – instead, contact our Customer Service. By reporting fraudulent e-mails you are helping protect the bank and other customers as well.

• Most common methods of obtaining sensitive data and how to protect your data

  1. PHISHING

  
  

  Phishing is a fraudulent technique that hackers use to install harmful programs (malware) on your computer or mobile phone or to extract sensitive data (passwords, credit card numbers, bank account numbers, birth numbers, etc.) from you. Most often, fraudulent e-mails ask you to click on a link or open an attachment. These messages may be written in English or Czech. These days many of the Czech messages are very well written, i.e. the text is of a high standard. Taking advantage of the vulnerability of computers, hackers can launch a web camera or microphone remotely or become the administrator of your PC, just by having you click on a link that has a virus.

  Most common methods of spreading fraudulent messages (phishing)

  • Electronic mail (e-mail),
  • Text messages (sms),
  • Social media (e.g. Facebook, twitter, instagram, youtube),
  • Instant messaging (e.g. Whatsapp, telegram, skype, facebook messenger, imessage and others).

  What are practical examples of the most aggressive fraudulent messages?

  • A link to a fake page (e.g. of a bank) that looks similar to the real page and where the user is asked to enter personal data, sign in data, login and password.
  • Payment card fraud is an ongoing trend.
  • An e-mail that says you have to quickly open the attached invoice or you will be at risk of default.
    • A hacker forges the e-mail sender’s name, impersonating a high-level executive in a company.
    • The hacker sends the spoofed e-mail with the attached invoice to the accounting department and states that the invoice has to be paid quickly and secretly.
    • These techniques are also sometimes called spear phishing or CEO fraud.
  • Fake requests to change your password to Internet services or internal corporate systems.
  • A message stating that someone has misused your credit card information and you must send your card number in a reply to the e-mail so that the bank can block your card.
  • Your mailbox is full or your phone data is used up – click here immediately or you will no longer be able to use your e-mail or phone.
  • Your computer has a virus. Click here right away and we will get rid of the virus before it’s too late.
  • A suspiciously good offer (e.g. electronics offered for a low price), a lottery win, inheritance transfer, etc., through which the hacker extracts personal data and sign in data from the user.

  What are practical examples of the most aggressive fraudulent messages?

  Who sent you the message?

  • An unknown sender with whom you have never been in contact before (which means the sender should be verified, e.g. by phone).
  • You know the sender but the nature of the e-mail is markedly different than your normal communication – someone asks you for something unusual, quickly and ideally in secret.
  • The domain of the sender is suspicious (e.g. equbank.cz, equafinance.com, etc.) 
  • Always check the entire e-mail address, not just the sender’s name. An example of an e-mail in an inbox:
  • SECURITY EQUA BANK, a.s. @helpdeskonline24.com>
  • The sender’s name is SECURITY EQUA BANK, a.s. But the domain of the sender’s e-mail address is suspicious.
  • TIP: Do you read e-mails on your phone? Be careful – not everything shows up on a phone’s small screen. Some mobile phones only show the name of the e-mail sender, for example. It’s very easy to spoof an e-mail sender’s name. When you get a suspicious looking e-mail, always click on the sender’s name to show the full e-mail address.

  Content of message

  • The sender asks you to click on a link or open an attachment in order to avoid negative impacts or obtain something valuable.
  • The text contains grammatical errors or typos (but that is not always a sure sign of a fraudulent message – these days many e-mails are written in very good Czech).
  • The sender asks you to carry out unexpected, illogical or suspicious activities.
  • The sender sends you a compromising or interesting photo of someone you know or yourself. The e-mail may have an attachment with a very blurry preview of the photo to make you curious enough to click on it and enlarge it. 

  Attachments

  • The message contains an attachment that is illogical, unrelated to the text of the message and completely unexpected.
  • The attachment extension is potentially dangerous (.exe, .bat, .js, as well as .xlsm, .docm, .zip) 
  • The attachment extension appears to be safe – regular users often do not anticipate any danger here. The attachment may be an image or video file (.bmp, .jpg, .jpeg, .mpg, .avi).

  Links

  • After you move the cursor onto the link, a link to a different domain shows up in the context window – see picture.
  • 
  • The message contains only the link and nothing else.
  • The link goes to a spurious URL, e.g. http://equabank.suspiciousdomain.cz/bezny-ucet instead of http://equabank.cz/bezny-ucet

  Techniques hackers use to get you to click on a fake e-mail:

  • Gaining your trust. 
  • Creating a problem.
  • Emphasizing that time is short – so that you don’t spend much time thinking about it and just open the attachment or click.
  • Offering a reward or compensation.
  • Arousing your curiousity.

  What can you do if you get an e-mail you suspect may be fraudulent?

  • Don’t click on the link or attachment.
  • If you get an e-mail that you think may be fraudulent or you suspect someone has hacked your Internet banking account, please contact the Equa bank client hotline +420 222 010 222 without undue delay.

  How to protect yourself against Phishing

  1. Never respond to links attached to an e-mail that ask you to enter personal data, sign in data, login or passwords.
  2. Never sign in to Internet banking from an Internet address listed in an e-mail.
  3. When accessing an Internet banking site, always write out the Internet address of the service into the URL field in the browser on a newly opened Internet page.
  4. Update your computer operating system, antivirus program and Internet browser version.
  5. Do not use publicly accessible computers when entering personal data or accessing your account online.
  6. Authenticate using secure communication (SSL certificate).

  
  

  2. VISHING – FRAUDULENT PHONE CALLS 

  
  

  Vishing (voice phishing) is a strategy used by frauds to acquire sensitive data or to make a call recipient take action – e.g. send money, share sensitive data, click on a link, or download a file, which the caller has meanwhile sent to his/her victim.

  Lately, there has been a significant increase in the amount of fraudulent phone calls targeting bank customers, which may end up in a theft of funds from the account of the call recipient.

  These are the most frequent methods of deceiving a user of Internet Banking (of any bank) with the use of Vishing:

  • Coaxing sensitive data, such as login data for electronic banking and SMS codes sent by a bank;
  • Coaxing data on a payment card – a card number, CVV code, name of card holder, card validity;
  • Transferring funds to another account, e.g. for the customer to “protect” them from a theft.

  We never request such data and transactions from customers by telephone or e-mail and never will.

  How can it happen that a deceived person voluntarily provides such data to an entirely unknown person?

  • Frauds making phone calls usually act in a professional, trustworthy, and convincing manner.
  • Besides his/her voice one may often hear a background noise, reminding of a large call centre, making an impression of a bank employee, indeed, – whether the caller pretends to be a call centre operator, a staff member of security department or a banker.
  • The telephone number, from which the attacker calls, pretends to be the number of a customer centre of a bank, so the incoming call makes the impression of being a call from the real customer centre of your bank.
  • The fraud creates an unpleasant and unlikely situation for the call recipient, e.g. by informing him/her that security of his/her bank account has been compromised, that his/her funds have been stolen (or threaten to be stolen), or that somebody has concluded a loan with the bank with the use of the identity of the call recipient.
  • Some attackers make phone calls even at night to create more stress for the call recipient and to make the situation more urgent. In the case of fraud, quick action is often a must – the victim does not have much time to think about what he/she is doing and what he/she is communicating to the attacker.

  How to protect oneself against Vishing:

  • Never provide data on your payment card, the Internet Banking, your passwords/PIN codes, your login data, or SMS codes sent by the bank by telephone.
  • Should you feel unsure about the authenticity of the call, hang up, and return a call to the bank.

  The telephone number of our Customer Centre is 222 010 222. When it is you dialling the number, you make sure that it is really you calling Equa bank a.s.

  • Should somebody tell you that your account has been attacked and that you must save your money in that account, neither send it to an unknown account nor arrange a loan, because you are put up to it by the attacker.

  What I need to do if I gave the calling fraud some sensitive data or if I made a payment to an unknown account based on his/her call:

  • Contact your bank – the telephone number of the Customer Centre of Equa bank is 222 010 222.
  • After a discussion with the Customer Centre, the incident may need to be reported to the Police of the CR.

  
  

  
  

  3. SOCIAL ENGINEERING

  
  

  Information security understands sociotechnology as a method to manipulate people with the aim to make them believe the attacker to be somebody else and to manipulate them to give away information or to take certain steps. With the use of such methods, the attacker will try to convince the victim to give away a significant piece of information. For instance, a password of a computer user is given to somebody who introduces himself/herself as a system administrator on the phone. The techniques of social engineering include also Vishing.

  Do not yield to coercion to give away passwords or other sensitive data in person, by telephone or with the use of another electronic device. Should a person set himself/herself up as a higher authority, check him/her with an additional question.
  

  Aside from standard mail, social engineering attacks are most commonly performed using telephone or the Internet (email, chat, Facebook). Experienced social engineers may carry out “face to face” attacks. If the attacker knows his victim personally, he may guess the victim’s password on the basis of the information he gathered about the person. Typically, he tries details such as place of birth, nickname, the name of a village where the victim has a summer house, name of the victim’s dog, etc.

  Social engineers take advantage of people’s common traits, such as their trust in other people, occasional laziness, inability to spot minor differences, the willingness to help others, and fear of getting into trouble. If the attacker has a vested interest in the success of the attack, he may dedicate a longer period of time to building confidence.

  How to defend yourself against Social Engineering

  1. Always protect your login information (login / user name and password).
  2. Do not succumb to pressure to divulge passwords or other sensitive date over the phone. 

  In case the attacker poses as a figure of authority, ask for further details.

  1. Regularly change your passwords and make sure they are sufficiently strong.

• Skimming and guidelines for safe use of payment card

  Skimming refers to a way of obtaining data from the magnetic strip of a card using a reader device, without the user being aware of this. The data are subsequently used to produce a counterfeit card. The reader device, i.e. the scanner, is placed directly on the payment terminal. It consists of a part which reads data from the payment card and a part enabling it to obtain the PIN. Both have to be obtained for the attackers to be able to produce a counterfeit and freely use it. You can encounter skimming not only at ATMs, but also during payment in bars, restaurants, at petrol stations, etc.

  How to protect yourself:

  1. Never leave your card unattended
  2. Keep your PIN secret and do not write it down
  3. Before withdrawing money from an ATM, check the ATM for modifications (e.g. the keypad is covered by a plastic sheet, it is strangely sunk into the board, an unauthorised reader is installed as depicted in the picture, etc.)
  4. While entering PIN on the keypad, cover the number keys with your other hand (in order to prevent others from seeing the numbers you are entering)
  5. Remain vigilant while withdrawing money from an ATM (e.g. watch out for strange persons nearby, unusual lighting on the ATM, etc.)
  6. When paying in a shop, always think about how trustworthy the merchant is. Check the correctness of the details, the date and time and the amount on the receipt after payment. If you have doubts, do not pay by card.
  7. Never make online payments on a computer you do not trust or on a public computer.
  8. Regularly check your account through the internet banking and the account statements. This could help you find out about possible discrepancies early. (You can enable notifications of movements on your account.)
  9. If you lose your card, inform your bank without delay. This will prevent it from being misused. Immediately block the payment card in your internet banking or on the Customer Service phone number: +420 222 010 222.

  
  

  
  

  How does it work?

   The fraudulent reader device is placed over the original device

   

   The device scans the card data while the camera records your PIN number being entered

  

   The device is then connected to a PC to which your card data are downloaded

  

• How to find out whether you are visiting a secure website?

  The internet is full of hackers and fraudsters who want to obtain sensitive data, login details and payment card information by means of creating fake websites, by intercepting communications, or otherwise. You can defend yourself against them by using the SSL certificate, which makes sure the communications are encrypted. The certificate also serves to positively identify specific servers.

  How to verify the website’s security

  If the URL address of a website starts with https://, this means the communication between the browser and the server is secure (encrypted).

  Secure communication
  

  Symbol indicating an invalid certificate​

  The security and validity of a certificate may be verified in the browser by clicking on the lock symbol in the address bar, where you can find more details about the certificate. 

  

  Secure communication

  The certificate details contain information on the owner, the certification authority, and technical information on the connection with the server and the name of the server ( www.equabanking.cz). 

  This is what the address bar in your browser should look like during login into the internet banking: 

  
  

• Guidelines for secure use of the mobile app

  In addition to the guidelines for protection of your login details in the internet banking, please observe the following advice while using the mobile application:

  • Never disclose your authentication details. Change your password regularly.
  • Use more complicated passwords. We recommend to add a special character to your current alphanumeric combination. 
  • Equa Mobile Application can be downloaded only from the App Store (in iOS devices)
    or from the Google Play interface (in Android devices).
  • The bank does not send emails linking to downloads from places other than the App Store and Google Play.
  • Make sure antivirus protection is installed on your mobile device.