Internet Banking Security Information
We are committed to protecting the security and confidentiality of your personal
information by providing you with a safe and secure transaction environment.
We are the first bank in Singapore to introduce a Two-Level Authentication
process using a Dynamic Security Password (DSP). This helps to curb the various
internet threats and challenges that affect internet banking today.
Besides the 1st level of authentication provided through the use of a User ID
and Static Password, a 2nd level Dynamic Security Password (DSP) is also required
to access Internet Banking. The DSP is a dynamic one-time password generated via
a push of the button on the DSP device. This portable, hand-held electronic
device is issued by the Bank to customers who have signed up for Internet
Banking.
With the added layer of security provided through the DSP, we bring you added
peace of mind by ensuring that your banking transactions can be performed
round-the-clock, 7 days a week, in a safe and secure environment.
Read on to find out more about how we can help you deal with today's internet
threats and challenges.
Internet Threats
Internet banking is fast becoming a popular platform for banking transactions.
However, the "open" nature of the internet exposes financial institutions to
internet security risks. More recently, there have been reported incidents of a
new type of online fraud called phishing (pronounced “fishing”).
What is phishing?
Phishing means
creating a replica of an existing web page to deceive consumers into submitting
personal or confidential information. Phishing is a term coined by hackers who
imitate legitimate companies in emails to entice people to share static
passwords or credit card numbers. Other names for phishing are brand spoofing,
carding, fake websites, and email scams.
While such fraud or scams have existed for years, digital information and
communication technologies have made it easier for nefarious users to spoof any
number of things, including emails, websites, and even entire industries. More
often than not, the targets of these scams are financial institutions. Thus,
there is a growing need within the financial industry to address this problem by
educating users on such risks.
Internet security threats come in four forms:
- Basic phishing
Basic phishing involves emails containing
fraudulent forms, or links to fraudulent websites. For example, an email may
contain a link to what appears to be a legitimate organisation. While the URL
initially appears legitimate, it redirects the user to another location where
a spoofed website resides.
Victims submit sensitive information
through this website, or directly via emails, without realizing that it is
instantaneously transmitted to criminals who intend to use the information for
malicious purposes.
The email will usually include one of the following messages to trick you into
acting according to their instructions:
- “Your account is currently being updated as we are introducing a new
security system. Follow the instructions below to re-activate your account.”
- “Your credit card is the subject of a police investigation for fraud.
Please follow the instructions below.”
- “Our record shows that payment for your internet account is due. We are
currently introducing a new e-payment service. Please follow the
instructions below to activate your online payment.”
- “You are the lucky winner of our lucky draw. Please submit your credit
card details so that we can verify your identity.”
The following are examples of the instructions you may be asked to follow, to
deceive you into disclosing details such as your password:
- “Please provide a return email with your account details, password or
credit card number. We will re-activate your account as soon as we receive
your email.”
- “Please click on the hyperlink below to update your personal details.”
- “Please click on the attachment below. This will automatically generate
an alert on our side. We will update your account and inform you.”
Please note that the Bank will NEVER send you any email asking
you to divulge any confidential or personal information. You should discard
such emails and report them to us.
- Brand spoofing
Hackers will fake or spoof websites of legitimate
and existing organisations to deceive customers into thinking they are
interacting with the legitimate company.
This can involve receiving an
email that contains a link to a website. Once you click on the link, you are
redirected to a fraudulent website. You then unknowingly submit sensitive
information such as your user identification number, password, credit card
number, bank account information, and other forms of financial data.
- Industry spoofing
Fake or spoofed organisations/industries purportedly exist to mitigate risks,
such as escrows* and other third party mediators, that customers may trust.
*Escrow services perform a 3rd party role between an online buyer and a seller.
Such transactions usually involve monetary exchanges. Escrow services collect
the payment from a buyer on behalf of an online seller, and aid in the delivery
of the purchased item to the buyer.
In instances where this third party is illegitimate, you will neither see the
purchased item nor recover the money paid to the escrow service. This form of
industry spoofing can also be carried out through legitimate organisations.
There have been several instances where illegitimate users claim to be sellers
on certain websites, posting falsified auction items, keeping the customers’
payments, but never delivering the goods.
- Cyber-mugging
Some emails appear legitimate, but when opened, install Trojans and keystroke
sniffers onto customers’ computers so that sensitive information can be stolen.
Some even allow computers to be remotely controlled. Criminals can also take
money through salami slicing. These are cases where undetectably small
increments of money are taken out of an account over a period of time.
Please contact our
24-hour Phone Banking hotline at 1800 226 2676 or
(65) 6226 2676 (from overseas) to report such incidents
immediately.
How we can help you deal with today's internet threats and challenges
Dynamic Security Password (DSP): A solution to Internet threats
"Security within everyone’s reach"
As part of our commitment to create a safe and secure transaction environment,
we have introduced the Dynamic Security Password (DSP) device, which is used to
generate a dynamic password needed to access your Internet Banking facility.
Each DSP device generates a series of passwords unique to that user’s account.
Each one-time password is valid for 60 seconds.
As the DSP is needed to validate and authenticate the user for each online
transaction, you can be assured of a safe and secure transaction environment.
Phishing normally occurs when a static User ID and password are revealed. With
the DSP’s Two-Level Authentication via a second dynamic password, which changes
every 60 seconds, phishing can be prevented.
So, thanks to the Two-Level Authentication process, you can now manage your
Internet Banking transactions with complete peace of mind.
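
An added example, not the Bank's own code: a minimal server-side check for a time-based one-time password that is valid for one 60-second window and cannot be reused. The page does not say which algorithm the DSP device uses; this assumes an RFC 6238 style code (HMAC-SHA1, 6 digits), and DspVerifier and the test secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the page says each password is valid for 60 seconds
DIGITS = 6          # assumption: the page does not give the code length


def otp_for_counter(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one counter; RFC 6238 feeds it a time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class DspVerifier:
    """Hypothetical server-side check: one secret per device, no reuse."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1   # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        step = int(now) // STEP_SECONDS
        if step <= self.last_used_step:
            return False           # a code for this window was already used
        expected = otp_for_counter(self.secret, step)
        if not hmac.compare_digest(expected, code):
            return False           # wrong code, or code from another window
        self.last_used_step = step
        return True


def demo() -> list:
    secret = b"12345678901234567890"      # RFC 4226 test secret, not a real key
    server = DspVerifier(secret)
    code = otp_for_counter(secret, 0)     # what the device shows at t = 0..59 s
    return [
        code,
        server.verify(code, now=30),      # inside the 60 s window: accepted
        server.verify(code, now=45),      # same code again: rejected (one-time)
        server.verify(code, now=75),      # window has passed: rejected
    ]


if __name__ == "__main__":
    print(demo())
```
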
What is a Dynamic Security Password?
"Ultra-portable, highly secure authentication for peace of mind"
All login and online banking transactions will require a 2nd level of
authentication with a Dynamic Security Password (DSP), which is generated with a
push of the button on the DSP device.
This portable, hand-held electronic device will be given to you free of charge
when you sign up for Internet Banking.
The DSP is required for login and transactions. Each DSP device generates a
series of passwords unique to that particular user. The DSP is used to validate
and authenticate the user, therefore providing a safe and secure transaction
environment.
What’s more, the DSP device can be kept close at hand as it is small and
portable. You can choose to:
- Carry it on a key chain,
- Carry it in a pocket or purse,
- Attach it to your handphone; or
- Wear it around the neck along with your access card.
Industry’s strongest 128-bit SSL Encryption
The 128-bit Secure Sockets Layer (SSL) encryption is the de facto cryptographic
standard that we use for securing data communication between the browser and our
website. Digital certificate technology is used to ensure transaction privacy,
message integrity and server-side authentication. This also serves as an
assurance that the website runs legitimately under the care of the Bank.
SSL is the
industry-standard method developed by Netscape Communications Corporation for
protecting web communications. The SSL security protocol provides data
encryption, server authentication, message integrity, and optional client
authentication for a TCP/IP connection. SSL comes in two strengths, 40-bit and
128-bit, which refer to the length of the "session key" generated by every
encrypted transaction. The longer the key, the more difficult it is to break the
encryption code. Any software with encryption features having key lengths over
40-bit is considered strong encryption by the U.S. Government.
Most
browsers support 40-bit SSL sessions, and the latest browsers enable users to
encrypt transactions in 128-bit sessions. 128-bit encrypted messages are
309,485,009,821,345,068,724,781,056 times harder to break than 40-bit messages.
Thus, it would take the same technology used to crack the RSA 40-bit message 1
trillion x 1 trillion years to crack a 128-bit message.*
* Quoted from
VeriSign – http://www.verisign.com/
How to check if Internet Banking is the intended site?
Always log in to Internet Banking by entering the official bank URL
(www.rbs.com.sg) directly into the browser address field.
Is the security provided by Secure Sockets Layer (SSL) safe enough for banking
transactions to be carried out on the internet?
Banks in Singapore generally adopt the Secure Sockets Layer 128-bit encryption
standard, an international standard which is considered secure and adequate for
encrypting data transmitted over the internet. This standard is also widely used
by other financial centres in the world. We will continue to track and apply
best practices in encryption standards.
How can customers be certain that Internet Banking is safe and secure?
Security issues are of paramount concern to banks in Singapore, whether the
consumer uses the traditional channel or the internet. Regardless of the
technology or medium, both banks and customers have a responsibility to ensure
that transactions are carried out in a safe and secure manner. Customers have to
protect their confidential data, such as their login information or passwords.
Otherwise, they will put themselves at unnecessary risk.
Customer responsibility
Customer education is critical to the mitigation of the phishing threat. Online
users should be aware of how to spot fraudulent emails and websites. A URL can
be redirected so that it initially appears legitimate in order to deceive the
customer. For example, when a customer submits information on a website, a
seemingly legitimate URL can redirect the customer to a different address, which
is actually a spoofed website or a criminal email address.
Customers should note that they can often spot grammatical errors on
illegitimate sites, as they often originate in foreign countries. They should
also delete suspicious emails. Customers should be aware that emails can launch
harmful Trojan horses or worms onto customers’ computer systems. Though these
measures are not a complete panacea, customers can have some level of protection
against threats by proactively securing their own computers with technological
measures such as anti-virus software and intrusion detection software.
How do I prevent my PC from getting infected with viruses and malicious
programs?
We recommend that you do the following:
- Equip your personal computer with the latest virus detection software and
anti-spyware so as to protect yourself against any virus attacks and other
malicious attacks.
- Install a personal firewall to protect against hackers, virus attacks or
Trojan horses.
- Update the anti-virus, anti-spyware and firewall products with security
patches or newer versions on a regular basis.
- Avoid downloading any files from websites or people you are not familiar
with.
- Avoid using programs that allow you to automatically receive or preview
files.
- Avoid opening email attachments from strangers or unintended senders.
- Delete all junk and chain emails.
Password management
Protect and secure your password (for ATM, Phone Banking, Internet Banking). You
can protect your password and other security information in these ways:
- Do not allow anyone to use your Dynamic Security Password, or know your
Static Password or any other sensitive information.
- Memorise your Static Password and other security information and destroy
the notification immediately. You should not write or keep a record of your
User ID and Static Password together with your Dynamic Security Password
device.
- Do not leave your Dynamic Security Password device lying around.
- Do not use easy-to-remember dates or numbers, like your identity card
number or birth date, as your Static Password or any other password.
- Change your Static Password periodically.
- Avoid having the same password for different websites, applications or
services.
- Do not store your User ID/ Static Password in the Internet Explorer
Browser – Auto Complete Function.
- Never reveal your Static Password to anyone. The Bank will never request
your Internet Banking, Phone Banking or ATM Password for any reason.
- Do not choose the option to save your ID or Password in your internet browser.
Other Security Precautions and Practices while using Internet Banking
- Disable file and printer sharing in your computer while online, especially
if you are connected to the Internet via a cable modem, broadband connection
or similar set-ups.
- Avoid installing or running software applications from unknown sources.
- Do not enter or disclose your personal data to unfamiliar web sites.
- Avoid accessing online banking or performing financial transactions from
public terminals, computers or devices which cannot be trusted, e.g. Internet
cafés.
- Never leave your computer unattended. Ensure your computer is properly
logged off from any online session or shut down when it is not in use.
- Check the balance of your bank account(s) as well as transaction records
frequently and report any discrepancy.
- Backup any important data regularly.
- Consider using additional encryption technology to protect highly
sensitive data.
Reporting Incidents
Inform us
immediately by calling our 24-hour Phone Banking hotline at 1800 226 2676 or
(65) 6226 2676 (from overseas) if:
- Your Dynamic Security Password or Static Password is lost or has been
stolen.
- You suspect someone else has access to your Static Password or any other
confidential information.
- You find any unusual transaction records in your Internet Banking.
In order to expedite our investigations, we may need you to furnish us with your
details and a description of the incident. We will provide you with an interim
update of our investigations while we are working towards a final resolution.
As the nature of each incident varies, the incident could be further escalated
to other departments, such as the technical support team or application team,
and thus the time required to fully resolve the issue will be on a case-by-case
basis.