http://www.aval.ua/
The Closest Big Bank
Hotline for antifraud measures
044 230 99 59
0 044 124 96 61 808
0 800 509 99 00
antifraud.unit@aval.ua

Phone of Centralized support service of Internet-banking system

0 800 505 770 (internal calls in Ukraine are free of charge)

Information security of Internet-Banking

The use of the Internet Banking system is becoming more and more secure: it is being upgraded to meet the requirements of the rapidly changing environment and of IT development.

Secure use of Internet Banking is ensured owing to:

Internet Banking server authentication

To protect against attacks aimed at replacing the Web server or modifying its content during transfer, the SSL (Secure Sockets Layer) protocol is used together with a public key certificate, which is issued to the bank by the certificate authority VeriSign.

Internet Banking user authentication

Two-factor user authentication technology is used to organize secure access to the said system. This technology is based on two factors: the availability of the user's personal valid cryptographic key, which is stored in the file container or on a token, and knowledge of the password (PIN-code) for access to this key.

Confidentiality of transferred data

To ensure confidentiality of the data exchanged by the users and the bank via Internet-banking channels, the data is encrypted. Therefore, the possibility of capturing and reading payment and other information is excluded.

Payment document authorization

To ensure authenticity (confirmation of authorship), non-repudiation and integrity of electronic payment documents, which are generated by customers and submitted to the bank, an electronic digital signature mechanism is applied. The bank verifies the validity of the digital signature on the payment document during every transaction involving that document.

Means of cryptographic protection of information integrated in the Internet-Banking system are certified according to the law of Ukraine.

Recommendations regarding secure work in the Internet Banking system

To ensure secure work in the Internet-Banking system, follow the recommendations from IT security specialists below, which further mitigate the risk of fraudulent transactions with accounts accessed via Internet Banking channels.

1. Install licensed antivirus software on the workstation from which the Internet Banking system is accessed. Keep the software version up to date and update the virus databases regularly and promptly. We recommend that antivirus software supplied by Russian companies should be used, for example, Kaspersky antivirus, Dr. Web antivirus.

2. Install the following on the workstation from which the Internet Banking system is accessed:

- licensed antispyware;

- personal software firewall*.

* A number of software suites are available in the market, combining the functions of antivirus, firewall, antispyware and other software intended for workstation protection.

The firewall should be set up to restrict incoming and outgoing network traffic as much as possible. In particular, it is recommended to allow access only to the resources of the Internet-Banking system and to the minimum of other necessary resources, for example, those needed to update virus signature databases, antispyware, operating systems and other software.

Antivirus and antispyware software should be set up to monitor all events and to periodically scan the data stored on the hard disk of the PC from which the Internet Banking system is accessed.

3. Update the system software of the workstation used to access the Internet-Banking system regularly and promptly, in particular the operating system, the web browser and the Java virtual machine. It is recommended that automatic software update functionality is enabled.

4. We do not recommend installing software from unverified sources (public software libraries, attachments in electronic messages etc.) on the workstations used to access the Internet-Banking system. Accessing unreliable (unfamiliar) internet resources from such a computer is not recommended.

5. When accessing the Internet Banking system, users are strongly recommended not to work in the operating system under the login of a user with extended rights, such as Administrator.

6. When connecting to the web site of the Internet Banking system (https://ibank.aval.ua/), make sure that the web server of the Internet-Banking system is correctly authenticated over the SSL protocol. Avoid connecting to the system web site through banner links or links received via email. It is recommended that you type the web site address yourself and add it to your browser favorites. When accessing the web server, pay attention to the browser address field. As the web site of the Internet Banking system has an authentic and valid security certificate from the global Internet certification centre, the address shown in the browser address field at login should begin with https://, not http:// (a notification may appear in the browser window stating that pages are now being viewed over a secure connection).

The web site certificate can be viewed in the browser. To do this, click the lock icon in the status field (the location of this icon differs from browser to browser). The security certificate of the ibank.aval.ua web site will appear on the screen.

The closed lock icon displayed during a secure connection to the system proves that the web site is authentic.
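The address checks from item 6, written out as an added example (not part of the bank's page or software): it flags a link whose scheme, host or port differs from https://ibank.aval.ua/. The sample links are constructed, and the check complements the browser's certificate validation rather than replacing it.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "ibank.aval.ua"  # Internet Banking host named in item 6


def check_banking_url(url):
    """Return the reasons a link does not match the expected address ([] = match)."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""   # lower-cased by urlsplit
        port = parts.port             # raises ValueError on a malformed port
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("text before '@' is not the host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        problems.append("non-ASCII or punycode host (possible lookalike)")
    if host.rstrip(".") != EXPECTED_HOST:
        problems.append(f"host is {host!r}, not {EXPECTED_HOST!r}")
    if port not in (None, 443):
        problems.append(f"unexpected port {port}")
    return problems


# Constructed sample links; the non-bank hosts are illustrative placeholders.
SAMPLES = [
    "https://ibank.aval.ua/",
    "http://ibank.aval.ua/",
    "https://ibank.aval.ua.login.example/",
    "https://ibank.aval.ua@203.0.113.7/",
    "https://ib\u0430nk.aval.ua/",  # Cyrillic letter in place of Latin 'a'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        shown = sample.encode("unicode_escape").decode()
        print(shown, "->", check_banking_url(sample) or "matches expected address")
```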

7. It is not recommended to access the Internet-Banking system via links received by email, or from uncontrolled and unreliable workstations located in Internet cafes, hotels, offices or other organizations.

8. In order to obtain Internet banking system user authentication data (EDS personal key and a respective access password) for its further illegal use, offenders never attack users' workstations.

The key methods for obtaining key information are:

- Mailing forged emails to users with links to the web site masked as the site of the bank;

- Spreading malware (that is, a software virus) via emails or web sites to obtain user authentication data;

- Unauthorized remote PC administration through remote access.

When the customer takes the proposed actions or standard actions, the virus copies the keys and passwords and transfers this information to offenders.

In order to prevent such situations, one should know that the bank never, under any circumstances, sends emails asking you to provide the key or password or to visit a given web address, and does not distribute software via email. The user is responsible for keeping keys and passwords.

If you receive such letters, attachments or any such notifications via email, please inform the bank by letter or phone. The details are specified on the web site of the bank. It is recommended that you delete suspicious emails without opening them, especially letters from unknown senders with attached files having the extensions *.exe, *.pif, *.vbs, or other executable files.

9. If the workstation used to access Internet Banking system is configured by a third-party expert, we recommend that control over the actions of such expert should be ensured.

10. Recommendations regarding security in handling authentication data (the personal key and the password for access to it):

- The personal key and its password are the most critical elements of Internet-Banking system security. The personal key is generated at the initiative of the user (its owner) and under the user's personal control. The Bank never, under any circumstances, has access to users' personal keys. To ensure reliable storage and use of personal keys, it is recommended that you use the signature generation hardware (tokens) supplied by the bank. The signature generation hardware (token) is a means of cryptographic protection of information whose technical implementation keeps the personal key in protected memory and executes cryptographic operations in such a way that the personal key cannot be copied or located outside the protected memory of the hardware.

- If the user chooses to keep the keys in a file container, personal keys should be kept exclusively on a mobile medium (a floppy disk, a CD, a USB drive). It is prohibited to keep EDS keys on the hard disk of workstations (computers), even temporarily.

- The key information medium containing a valid key (mobile information medium, token) must be under continuous control of the user, preventing access to it by third parties. The transfer of the key information medium (token) and/or disclosure of the password to third parties, including the employees of the bank, shall not be allowed in any circumstances;

- The key information medium containing a valid key (mobile information medium, token) must be used only while working in the Internet-Banking system. Do not leave the key information medium (token) connected to the PC when work in the system is stopped or not being carried out, or when the PC is used to perform other functions, including during non-working hours;

- Personal keys access password (PIN-code) must not be kept openly (for example, written on paper) and used for other systems and services. The user shall be solely responsible for keeping the access password (PIN-code) and prevention of the key information use by third parties;

- Change the key access password from time to time (at least once a month). The password must consist of digits, upper- and lower-case letters, as well as special symbols. When choosing your password, do not use combinations which are easy to guess, for example, names, birthdates, phone numbers etc.;

- In case of the dismissal of users or their transfer to positions not requiring them to use Internet Banking system, the bank should be immediately contacted to block their keys;

- In case that the key is compromised or suspected to be compromised (loss or damage of the key information medium, disclosure of the password or other events and/or actions, which have resulted/may result in unauthorized use of the key), the bank should be immediately contacted to block the compromised key via phone, mentioning the blocking word, or via an official letter.

11. In case that Internet Banking is accessed from a static IP address or a range of addresses, we recommend that you should contact the bank to restrict the list of IP addresses and/or IP-subnetworks, from which Internet-banking can be accessed. In such case, all attempts to get connected to Internet banking system from all IP addresses and/or subnetworks, except the defined ones, will be blocked.
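How a restriction like the one in item 11 evaluates connections, as an added example (not the bank's implementation): sources outside the listed addresses and subnets are denied by default. The addresses, the log format and the `src=` field are constructed for illustration.

```python
import ipaddress
import re


def build_allowlist(entries):
    """Parse addresses/subnets; strict=True rejects typos such as 203.0.113.5/28."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def is_allowed(client_ip, allowlist):
    """True only if client_ip parses and falls inside a listed address or subnet."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable source address: deny by default
    # An IPv4 client seen through a dual-stack listener appears as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowlist)


def blocked_attempts(log_lines, allowlist):
    """Return the log lines whose source address would be blocked."""
    blocked = []
    for line in log_lines:
        match = re.search(r"\bsrc=(\S+)", line)
        if match is None or not is_allowed(match.group(1), allowlist):
            blocked.append(line)
    return blocked


# Constructed allowlist (documentation address ranges) and constructed log lines.
ALLOWLIST = build_allowlist(["198.51.100.25", "203.0.113.0/28"])
LOG = [
    "2012-02-20 09:14:03 login user=acct01 src=203.0.113.14",
    "2012-02-20 09:15:40 login user=acct01 src=203.0.113.16",
    "2012-02-20 09:17:12 login user=acct01 src=::ffff:198.51.100.25",
    "2012-02-20 23:48:55 login user=acct01 src=192.0.2.77",
]

if __name__ == "__main__":
    for entry in blocked_attempts(LOG, ALLOWLIST):
        print("BLOCKED", entry)
```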

12. Analyze daily all notices on payment documents accepted and rejected by the Bank, as well as electronic payment documents, and immediately inform the Bank about all cases of unauthorized transfer of funds.

We wish you successful work!

Client-Bank System developer - "BIFIT" company
2002-2012 Raiffeisen Bank Aval