Information security policy for the remote banking system
1. Introduction
Analysis of recent attempts to steal money from settlement accounts of corporate clients by making payments through electronic banking systems in the Russian Federation has shown that, in most cases, money from settlement accounts is stolen by:
-
responsible officers of the enterprise that have been granted access to the DS secret (private) key, particularly, current or former ones (directors, accountants, and their deputies);
-
staff IT specialists that have been granted access to DS secret (private) key media (floppy disks, flash disks, hard disks etc.), as well as to computers that have been used to operate the Internet-Bank system;
-
non-staff IT specialists on call which carry out routine maintenance and connect to the Internet, install and update accounting and information software and other software on computers used to operate the Internet-Bank system;
-
intruders by infecting the client's computers with viruses or taking control of the client's computers through vulnerabilities in the system software and applications (operating systems, Web browsers, email clients etc.) to remotely steal DS secret (private) keys and passwords.
In all revealed cases intruders have somehow got access to DS secret (private) keys and passwords and sent payment orders with the correct digital signature to the bank.
Therefore, the Bank hereby informs you that you need to strictly comply with the information security provisions herein contained.
2. General definitions
Information Security means the whole of organisational and technical measures designed to increase IT security. Hereinafter – IS.
Remote Banking System means the whole of remote client services such as: Internet-Bank, Bank-Client, Online Statement etc. Hereinafter – the RBS.
SW means software.
Malware means software of various kinds (including Trojans). Such software can record the sequence of keys pressed on the keyboard, some make screenshots on banks' websites, others download additional malicious codes to the computer in order for the hacker to get remote access etc. All kinds of such software make it possible for intruders to get confidential information and use it, particularly, to steal users' money.
DS means digital signature, i.e. information in electronic form attached to other information in electronic form (signed information) that is used to authenticate the signing person.
3. Important notes
It is essential to understand that:
-
the Bank has no access to the Client's DS secret keys and passwords used to enter the remote banking system (hereinafter – the RBS).
-
The Bank cannot generate the correct DS on an electronic payment order on the Client's behalf.
-
The Client being the sole owner of the DS secret (private) keys is solely responsible for the confidentiality of the secret (private) DS keys.
-
The Bank does not send by email or tell over the telephone the Client's DS secret (private) key or password.
-
The Bank does not request the Client's DS secret key, password, bank card number or PINs by email or over the telephone.
-
If the Client doubts the confidentiality of its DS secret (private) keys or suspects the compromise (copying) thereof, the Client should contact the Bank to block its DS keys.
4. IS measures
4.1. Corporate organisational measures
In order to reduce the risk of unauthorised access to the RBS, the enterprise should:
• make up a list of persons granted access to the RBS and the DS;
• set guidelines for DS media storage and use (Clause 4.4.2. of the document);
• make up a list of events leading to immediate replacement or withdrawal of DS keys (Clause 4.5. of the document).
It is also necessary to inform the employees of the increasing risk of the DS being stolen and used by unauthorised persons by accessing the Internet-Banking system from guest work stations in public places (for example: Internet cafés).
4.2. Internet security policy
-
You should eliminate the possibility of visiting suspicious websites, downloading and installing counterfeit SW on computers used to operate the Internet-Bank system.
-
You should not enter personal data into website registration forms as they are likely to be available to strangers. It also recommended that you should not post your photos in order not to disclose your appearance to strangers.
-
If you have received a message from an unknown address (including email messages, ICQ, Skype and other messages; social media messages), you should not open it. Such messages may contain viruses.
-
Unsolicited messages are called 'spam'. Do not reply if you have received such a message. If you reply, the sender will learn that your email is active and will continue to send you spam further on.
-
Please read service use terms thoroughly including information marked with (*) when you download any content.
-
Please be careful about pop-up windows and do not click unknown links and addresses.
-
Please do not send SMS to unblock Windows or extract files from an archive.
4.3. Access to and protection of computer
-
You should restrict access to the computer on which Internet-Bank is installed. Access to the computer should be restricted to authorised employees only. It is recommended that you should change the password to the operating system on which Internet-Bank is installed on a regular basis.
-
You should control the actions of IT specialists maintaining the computer.
-
Make sure that the computer on which the RBS is installed is not infected with viruses. It is necessary to install and activate antivirus software and ensure the ability of the antivirus software to automatically update virus databases and run a weekly antivirus scans. Please pay attention to the fact that viruses can store and transfer to third parties the information on your password and DS keys.
-
It is recommended that you should install and use a personal firewall on computers connected to the Internet in order to prevent unauthorised access to information stored on the computers.
-
You should use licensed software (particularly, antivirus software), firewalls and tools protecting from unauthorised access.
-
When dismissing an IT specialist who has maintained computers used to operate the Internet-Bank system, make sure that your computers are not infected with malware.
-
When dismissing an employee granted access to passwords and DS keys, you should change the passwords, block the DS operated by such an employee and get a new DS.
4.4. RBS operation policy
4.4.1. Passwords
-
To enter a password, please use the Secure Login function. If you use this function, an on-screen keyboard appears – and you should enter the password by clicking on-screen letters and numbers instead of pressing keys on the keyboard that eliminates virus software ability to intercept the password.
-
Please change the password after you first enter the Internet-Bank system following the secure password policy:
-
Do not use obvious passwords that are easily guessed such as your spouse's, child's, pet's name, telephone number, vehicle registration number, postal code etc. to protect data.
-
Do not tell your password to anyone. If a representative of any company contacts you (for example, on the telephone) and asks you to tell your password, do not disclose your personal data as you do not know for sure who you are speaking to.
-
Do not write your username and password down on paper or in files on your working computer. If you need to store access parameters on paper media, store passwords in sealed envelopes or a safe together with DS keys. Never store passwords on paper media on the desk, under the keyboard etc.;
-
Do not allow browsers to remember your username and password.
-
Do not enter your username and password to the Internet-Bank system on computers located in public places (for example, Internet cafés);
-
Change passwords on a regular basis;
-
Do not use the same username and password for different systems;
-
When you change the password, do not use previous or similar passwords (for example, password1, password2, password3 etc.)
-
If you have received an email message from an online store or a website with registration confirmation that contains a new password, you should visit the relevant site and change the password as soon as possible;
-
Never store your password for RBS BS-Client in file on the local disk or any other easily accessible place. Ensure that only authorised employees can obtain the password to enter the system. If you suspect that anyone has got information about the password, you should change the password or block it by calling the Bank: (495) 694-0098 or (495) 650-90-03. You can also block your password by filing the relevant application with the Bank's office.
4.4.2. Digital signature keys
You should be very careful about the storage of Client-Bank system keys. The key is used to certify a document on behalf of the owner and transfer it to the Bank for execution. In order to increase security, it is recommended that:
-
You should never store the keys on the hard disk of your computer! Use ONLY removable media: flash disks and eToken not accessible by third parties to store files with DS secret (private) keys.
-
Use a E-Token PRO device for the secure storage of DS private keys (security is ensured by a protected data repository accessible only by the E-Token PRO owner who knows the key PIN).
-
Do not hand DS keys over to IT specialists in order for them to check the Internet-Bank system performance, Bank interaction settings etc. If it is necessary, only the DS key owner should connect the medium to the computer, make sure that the key password is entered into the interface of the client-end portion of the RBS and enter the password after making sure it is not overseen.
-
Log out the Internet-Bank system and disconnect the DS medium when leaving your computer even for a few minutes.
4.4.3. Connection control (for Internet-Bank)
-
Ensure that your connection is secure. In such a case, the address bar of your browser starts with https://, and there is a closed padlock icon in the address bar and in the right bottom corner of Internet Explorer.
-
Make sure that you establish a connection with Internet-Bank site at https://bk.gibank.ru/
Caution!
If you detect any suspicious websites with the domain name and appearance similar to those of the Bank’s website, please inform the Bank of such sites.
-
Monitor logins to the system by checking last login time and IP address displayed on the main page.
-
Check the status of your accounts and account statements movement.
-
Do not enter confidential data if the data entry screen differs from standard screens of the Client-Bank system (other text boxes, fonts etc.) or is displayed in an unusual way (the system operating procedure is disturbed). Please inform the Bank immediately of such problems: (495) 694-0098 or (495) 650-90-03. You can also block the RBS system access by filing the relevant application with the Bank's office.
-
Always choose the 'Log Out' menu item after you have finished work in the RBS.
4.5. Call the Bank immediately in the following cases:
NOTE!
You can call the Bank on numbers: (495) 694-0098 or (495) 650-90-03. You can also block the DS key and/or the RBS system access by filing the relevant application with the Bank's office.
Please call the Bank immediately if:
-
You suspect that the password or secret keys have been compromised or you have revealed any other suspicious activity in the RBS.
-
You need to change secret keys in case of dismissal/voluntary termination of authorised employees or IT specialists who have had access to such secret keys.
-
If you suspect that DS secret (private) keys have been compromised (copied) or the operating environment has been compromised (the computer is infected with malware). If you see any suspicious activity on your computer where Internet-Bank is installed (spontaneous cursor movements, opening/closing of windows, typing etc.), turn off the computer immediately and notify the Bank of a suspected attempt of unauthorised system access.
Final provisions
5.1. This Policy comes into force on the date of its approval by the Chairman of the Bank's Management Board and remains in effect until cancelled.
5.2. This Policy is subject to change and amendment in accordance with the Bank-established procedure.
Download: Information Security Policy for the Remote Banking System