We are committed to protecting the security and confidentiality of your personal information by providing you with a safe and secure transaction environment.

We utilise a Two-Level Authentication process using a Security Device.

Besides the 1st level of authentication provided through the use of a User ID and Internet Banking PIN, a 2nd level One-Time Password (OTP) generated with your Security Device, is also required to access Personal Internet Banking.

This portable, hand-held electronic device is issued by the Bank to customers who have signed up for Personal Internet Banking.

With the added layer of security provided through the Security Device, we bring you added peace of mind by ensuring that your banking transactions can be performed round-the-clock, 7 days a week, in a safe and secure environment.

Read on to find out more about how we can help you deal with today's internet threats and challenges.

• Internet Threats
• What is phishing?
  • Basic phishing
  • Brand spoofing
  • Industry spoofing
  • Cyber-mugging
• How we can help you deal with today's internet threats and challenges?
  • One-Time Password (OTP): A solution to Internet threat
  • What is a Dynamic Security Password?
  • Industry’s strongest 128-bit SSL Encryption
• How to check if Personal Internet Banking is the intended site?
• Is the security provided by Secure Sockets Layer (SSL) safe enough for banking transactions to be carried out on the internet?
• How can customers be certain that Personal Internet Banking is safe and secure?
• Customer responsibility
  • How do I prevent my PC from getting infected with viruses and malicious programs?
  • Internet Banking PIN Management
  • Other Security Precautions and Practices while using Personal Internet Banking
• Reporting Incidents

Internet Threats

Personal Internet banking is fast becoming a popular platform for banking transactions.

However, the 'open' nature of the internet exposes financial institutions to internet security risks. More recently, there have been reported incidences of a new type of online fraud called phishing (pronounced as 'fishing').

Back to top

What is phishing?

Phishing means creating a replica of an existing web page to deceive consumers into submitting personal or confidential information. Phishing is a term coined by hackers who imitate legitimate companies in emails to entice people to share static passwords or credit card numbers. Other names for phishing are brand spoofing, carding, fake websites, and email scams.

While such fraud or scams have existed for years, digital information communication technologies have made this practice easier for nefarious users to spoof any number of things, including emails, websites, and even entire industries. More often than not, the targets of these scams are financial institutions. Thus, there is a growing need within the financial industry to address this problem by educating users on such risks.

Internet security threat comes in four forms:

Basic phishing

Basic phishing involves emails containing fraudulent forms, or links to fraudulent websites. For example, an email may contain a link to what appears to be a legitimate organisation. While the URL initially appears legitimate, it redirects the user to another location where a spoofed website resides.

Victims submit sensitive information through this website, or directly via emails, without realizing that it is instantaneously transmitted to criminals who intend to use the information for malicious purposes.

The email will usually include one of the following messages to trick you to act according to their instructions

• 'Your account is currently being updated as we are introducing a new security system. Follow the instructions below to re-activate your account'
• 'Your credit card is the subject of a police investigation for fraud. Please follow the instructions below'
• 'Our record shows that payment for your internet account is due. We are currently introducing a new e-payment service. Please follow the instructions below to activate your online payment'
• 'You are the lucky winner of our lucky draw. Please submit your credit card details so that we can verify your identity'.

The following are examples of the instructions you may be asked to follow, to deceive you into disclosing details such as your password

• 'Please provide a return email with your account details, password or credit card number. We will re-activate your account as soon as we receive your email'
• 'Please click on the hyperlink below to update your personal details'
• 'Please click on the attachment below. This will automatically generate an alert on our side. We will update your account and inform you'.

Please note that the Bank will NEVER send you any email asking you to divulge any confidential or personal information. You should discard such emails and report them to us.
 

Brand spoofing

Hackers will fake or spoof websites of legitimate and existing organisations to deceive customers into thinking they are interacting with the legitimate company.

This can involve receiving an email that contains a link to a website. Once you click on the link, you are redirected to a fraudulent website. You then unknowingly submit sensitive information such as your user identification number, password, credit card number, bank account information, and other forms of financial data.
 

Industry spoofing

Fake or spoofed organisations/ industries purportedly exist to mitigate risks, such as escrows^* and other third party mediators, that customers may trust.

^* Escrow services perform a 3rd party role between an online buyer and a seller. Such transaction usually involves monetary exchanges. Escrow services collect the payment from a buyer on behalf of an online seller, and aid in the delivery of the purchased item to the buyer.

In instances where this third party is illegitimate, you will see neither the purchased item nor will you recover the money paid to the escrow service. This form of industry spoofing can also be carried out through legitimate organisations.

There have been several instances where illegitimate users claim to be sellers on certain website, posting falsified auction items, keeping the customers’ payments, but never delivering the goods.
 

Cyber-mugging

Some emails appear legitimate, but when opened, install Trojans and Keystroke sniffers onto customers’ computers so that sensitive information can be stolen. Some even allow computers to be remotely controlled. Criminals can also take money through Salami slicing. These are cases where undetectably small increments of money are taken out of an account over a period of time.

Please contact our 24-Hour Customer Service at 1800 269 2269 or +(65) 6269 2269 (from overseas) to report such incidents immediately.

Back to top

How we can help you deal with today's internet threats and challenges?

One-Time Password (OTP): A solution to Internet threat

"Security within everyone’s reach"
As part of our commitment to create a safe and secure transaction environment, we have introduced the Security Device, which is used to generate a One-Time Password (OTP) needed to access your Personal Internet Banking facility. Each Security Device generates a series of passwords unique to an individual’s Personal Internet Banking account. Each One-Time Password is valid for 60 seconds every time.

As the Security Device is needed to validate and authenticate the user for each online transaction, you can be assured of a safe and secure transaction environment.

Phishing normally occurs when a User ID and Internet Banking PIN is revealed. With the Two-Level Authentication via a second One-Time Password, which changes every 60 seconds, phishing can be prevented.

So, thanks to Two-Level Authentication process, you can now manage your Personal Internet Banking transactions with complete peace of mind.

Back to top

What is a One-Time Password (OTP)?

"Ultra-portable, highly secure authentication for peace of mind"
All logins and online banking transactions will require a 2nd level of authentication with a Security Device which is displayed on the screen with a push of the button.

This portable, hand-held electronic device will be given to you free of charge when you sign up for Personal Internet Banking.

The Security Device is required for login and transactions. Each Security Device generates a series of passwords unique to that particular user. The Security Device is used to validate and authenticate the user, therefore providing a safe and secure transaction environment.

What’s more, the Security Device device can be kept close at hand as it is small and portable. You can choose to

• Carry it on a key chain
• Carry in a pocket or purse
• Attach it to your handphone
• Wear it around the neck along with your access card.

Back to top

Industry’s strongest 128-bit SSL Encryption

The 128-bit Secure Socket Layer (SSL) encryption is the de facto cryptographic standard that we use for securing data communication between the browser and our website. Digital certificate technology is used to ensure transaction privacy, message integrity and server-side authentication. This also serves as an assurance that the website runs legitimately under the care of the Bank.

SSL is the industry-standard method developed by Netscape Communications Corporation for protecting web communications. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the "session key" generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. Any software with encryption features having key lengths over 40-bit is considered strong encryption by the U.S. Government.
    
Most browsers support 40-bit SSL sessions, and the latest browsers enable users to encrypt transactions in 128-bit sessions. 128-bit encrypted messages are 309,485,009,821,345,068,724,781,056 times harder to break than 40-bit messages. Thus, it would take the same technology used to crack the RSA 40-bit message 1 trillion x 1 trillion years to crack a 128-bit message^*.

^* Quoted from VeriSign – www.verisign.com

Back to top

How to check if the Personal Internet Banking is the intended site?

Always login to Personal Internet Banking by entering the official bank URL (www.anz.com.sg) directly into the browser address field.

Back to top

Is the security provided by Secure Sockets Layer (SSL) safe enough for banking transactions to be carried out on the internet?

Banks in Singapore generally adopt the Secure Sockets Layer 128-bit encryption standard, an international standard which is considered secure and adequate for encrypting data transmitted over the internet. This standard is also widely used by other financial centres in the world. We will continue to track and apply best practices in encryption standards.

Back to top

How can customers be certain that Personal Internet Banking is safe and secure?

Security issues are of paramount concern to banks in Singapore, whether the consumer uses the traditional channel or the internet. Regardless of the technology or medium, both banks and customers have a responsibility to ensure that transactions are carried out in a safe and secure manner. Customers have to protect their confidential data, such as the password, login information or passwords. Otherwise, they will put themselves at unnecessary risk.

Back to top

Customer responsibility

Customer education is critical to the mitigation of the phishing threat. Online users should be aware of how to spot fraudulent emails and websites. URLs can be redirected so that it initially appears legitimate in order to deceive the customer. For example, when a customer submits information on a website, a seemingly legitimate URL can redirect the customer to a different address, which is actually a spoofed website or a criminal email address.

Customers should note that they can often spot grammatical errors on illegitimate sites, as they often originate in foreign countries. They should also delete suspicious emails. Customers should be aware that emails can launch harmful Trojan horses or worms onto customer computer systems. Though not a complete panacea, customers can have some level of protection against threats by proactively securing their own computers with technological measures such as anti-virus software and intrusion detection software.

Back to top

Trojan horses

What is a Trojan horse?

If you recall ancient Greek history, you'll remember that the original Trojan horse allowed an army to sneak right through a highly fortified gate. Amazingly, the attacking army hid inside a giant wooden horse offered as a gift to the unsuspecting victims.

In a similar way, today's Trojan horses try to sneak past computer security fortification, such as firewalls, by employing like-minded trickery. By looking like normal software, Trojan horse program are used to dupe a user into installing the Trojan horse at first. Blending in with the "normal" program running on the computer, the Trojan horse camouflages itself to appear to belong to the system, so users unthinkingly continue their activity, unaware of its presence. Once it gains control of the system, a Trojan horse can cause severe damage, such as ruining the file allocation table on your hard disk. A Trojan horse may be widely redistributed as part of a computer virus.
 

What is a Keystroke sniffer?

A Keystroke sniffer is a software program that takes images and screen shots of everything one does on one’s computer, from a mouse click to details like a password entry.
 

What is Salami Slicing?

It involves stealing money in small amounts each time, through many bank accounts. This technique works on the fact that most people will not notice or complain about a small discrepancy in their accounts. For example, a hacker may charge two dollars to each account on a particular scheduled date. With 100,000 accounts each amounting to $2, the total amount of money can be substantial.

Back to top

How do I prevent my PC from getting infected with viruses and malicious programs?

We recommend that you do the following

• Equip your personal computer with the latest virus detection software and anti-spyware so as to protect yourself against any virus attacks and other malicious attacks
• Install a personal firewall to protect against hackers, virus attacks or Trojan horses
• Update the anti-virus, anti-spyware and firewall products with security patches or newer versions on a regular basis
• Avoid downloading any files from websites or people you are not familiar with
• Avoid using programs that allow you to automatically receive or preview files
• Avoid opening email attachments from strangers or unintended senders
• Delete all junk and chain emails.

Back to top

Internet Banking PIN Management

Protect and secure your User ID and Internet Banking PIN (for ATM, Phone Banking, Personal Internet Banking). You can protect your User ID and Internet Banking PIN and other security information in these ways

• Do not allow anyone to use your Security Device or know your Internet Banking PIN or any other sensitive information
• Memorise your Internet Banking PIN and other security information and destroy the notification immediately. You should not write or keep a record of your User ID and together with your Internet Banking PIN
• Do not leave your Security Device lying around
• Do not use easy to remember dates or numbers, like your identity card number or birth dates, as your User ID or Internet Banking PIN.
• Change your Internet Banking PIN periodically
• Avoid having the same password for different websites, applications or services
• Do not store your User ID/ Internet Banking PIN in the Internet Explorer Browser – Auto Complete Function
• Never reveal your Internet Banking PIN to anyone. The Bank will never request for your Personal Internet Banking, Phone Banking or ATM PIN for any reason
• Do not choose option to save your User ID or Internet Banking PIN in your internet browser.

Back to top

Other Security Precautions and Practices while using Personal Internet Banking

• Disable file and printer sharing in your computer while online, especially if you are connected to the Internet via a cable modem, broadband connection or similar set-ups
• Avoid installing or running software application from unknown sources
• Do not enter or disclose your personal data to unfamiliar web sites
• Avoid accessing online banking or performing financial transactions from public terminals, computers or devices which cannot be trusted e.g. Internet Cafés
• Never leave your computer unattended. Ensure your computer is properly logged-off from any online session or shut down while it is not in use
• Check the balance of your bank account(s) as well as transaction records frequently and report any discrepancy
• Backup any important data regularly
• Consider using additional encryption technology to protect highly sensitive data.

Back to top

Reporting Incidents

Inform us immediately by calling our 24-hour customer service at 1800 269 2269 or +(65) 6269 2269 (from overseas) if
 

• Security Device is lost or has been stolen
• You suspect someone else has access to your Internet Banking PIN or any other confidential information
• You find out any unusual transaction records in your Personal Internet Banking.

In order to expedite our investigations, we may need you to furnish us your details and descriptions of the incident. We would provide you with an interim update of our investigations, while we are working towards getting a final resolution. As the nature of each incident varies, the incident could be further escalated to other department, such as technical support team or application team, and thus the time required to fully resolve the issue will be on a case-by-case basis.

Back to top

You need Adobe Reader to view PDF files. You can download Adobe Reader free of charge.