We are committed to protecting the security and confidentiality of your personal information by providing you with a safe and secure transaction environment.
We utilise a Two-Level Authentication process using a Security Device.
Besides the 1st level of authentication provided through the use of a User ID and Internet Banking PIN, a 2nd level One-Time Password (OTP) generated with your Security Device, is also required to access Personal Internet Banking.
This portable, hand-held electronic device is issued by the Bank to customers who have signed up for Personal Internet Banking.
With the added layer of security provided through the Security Device, we bring you added peace of mind by ensuring that your banking transactions can be performed round-the-clock, 7 days a week, in a safe and secure environment.
Read on to find out more about how we can help you deal with today's internet threats and challenges.
- Internet Threats
- What is phishing?
- How we can help you deal with today's internet threats and challenges?
- How to check if Personal Internet Banking is the intended site?
- Is the security provided by Secure Sockets Layer (SSL) safe enough for banking transactions to be carried out on the internet?
- How can customers be certain that Personal Internet Banking is safe and secure?
- What is Malware?
- Customer responsibility
- Reporting Incidents
Personal Internet banking is fast becoming a popular platform for banking transactions.
However, the 'open' nature of the internet exposes financial institutions to internet security risks. More recently, there have been reported incidents of a new type of online fraud called phishing (pronounced as 'fishing').
Phishing means creating a replica of an existing web page to deceive consumers into submitting personal or confidential information. Phishing is a term coined by hackers who imitate legitimate companies in emails to entice people to share static passwords or credit card numbers. Other names for phishing are brand spoofing, carding, fake websites, and email scams.
While such fraud or scams have existed for years, digital information communication technologies have made this practice easier for nefarious users to spoof any number of things, including emails, websites, and even entire industries. More often than not, the targets of these scams are financial institutions. Thus, there is a growing need within the financial industry to address this problem by educating users on such risks.
Internet security threats come in four forms:
Basic phishing involves emails containing fraudulent forms, or links to fraudulent websites. For example, an email may contain a link to what appears to be a legitimate organisation. While the URL initially appears legitimate, it redirects the user to another location where a spoofed website resides.
Victims submit sensitive information through this website, or directly via emails, without realizing that it is instantaneously transmitted to criminals who intend to use the information for malicious purposes.
The email will usually include one of the following messages to trick you into acting on its instructions:
- 'Your account is currently being updated as we are introducing a new security system. Follow the instructions below to re-activate your account'
- 'Your credit card is the subject of a police investigation for fraud. Please follow the instructions below'
- 'Our record shows that payment for your internet account is due. We are currently introducing a new e-payment service. Please follow the instructions below to activate your online payment'
- 'You are the lucky winner of our lucky draw. Please submit your credit card details so that we can verify your identity'.
The following are examples of the instructions you may be asked to follow, to deceive you into disclosing details such as your password
- 'Please provide a return email with your account details, password or credit card number. We will re-activate your account as soon as we receive your email'
- 'Please click on the hyperlink below to update your personal details'
- 'Please click on the attachment below. This will automatically generate an alert on our side. We will update your account and inform you'.
Please note that the Bank will NEVER send you any email asking you to divulge any confidential or personal information. You should discard such emails and report them to us.
Hackers will fake or spoof websites of legitimate and existing organisations to deceive customers into thinking they are interacting with the legitimate company.
This can involve receiving an email that contains a link to a website. Once you click on the link, you are redirected to a fraudulent website. You then unknowingly submit sensitive information such as your user identification number, password, credit card number, bank account information, and other forms of financial data.
Fake or spoofed organisations or industries pose as services that purportedly exist to mitigate risks, such as escrows* and other third-party mediators that customers may trust.
* Escrow services perform a third-party role between an online buyer and a seller. Such transactions usually involve monetary exchanges. Escrow services collect the payment from a buyer on behalf of an online seller, and aid in the delivery of the purchased item to the buyer.
In instances where this third party is illegitimate, you will see neither the purchased item nor will you recover the money paid to the escrow service. This form of industry spoofing can also be carried out through legitimate organisations.
There have been several instances where illegitimate users claim to be sellers on certain websites, posting falsified auction items, keeping the customers’ payments, but never delivering the goods.
Some emails appear legitimate, but when opened, install Trojans and Keystroke sniffers onto customers’ computers so that sensitive information can be stolen. Some even allow computers to be remotely controlled. Criminals can also take money through Salami slicing. These are cases where undetectably small increments of money are taken out of an account over a period of time.
Please contact our 24-Hour Customer Service at 1800 269 2269 or +(65) 6269 2269 (from overseas) to report such incidents immediately.
"Security within everyone’s reach"
As part of our commitment to create a safe and secure transaction environment, we have introduced the Security Device, which is used to generate a One-Time Password (OTP) needed to access your Personal Internet Banking facility. Each Security Device generates a series of passwords unique to an individual’s Personal Internet Banking account. Each One-Time Password is valid for 60 seconds.
As the Security Device is needed to validate and authenticate the user for each online transaction, you can be assured of a safe and secure transaction environment.
Phishing normally occurs when a User ID and Internet Banking PIN are revealed. With the Two-Level Authentication via a second One-Time Password, which changes every 60 seconds, phishing can be prevented.
So, thanks to the Two-Level Authentication process, you can now manage your Personal Internet Banking transactions with complete peace of mind.
"Ultra-portable, highly secure authentication for peace of mind"
All logins and online banking transactions will require a 2nd level of authentication using a One-Time Password from the Security Device, which is displayed on the screen at the push of a button.
This portable, hand-held electronic device will be given to you free of charge when you sign up for Personal Internet Banking.
The Security Device is required for login and transactions. Each Security Device generates a series of passwords unique to that particular user. The Security Device is used to validate and authenticate the user, therefore providing a safe and secure transaction environment.
What’s more, the Security Device can be kept close at hand as it is small and portable. You can choose to:
- Carry it on a key chain
- Carry in a pocket or purse
- Attach it to your handphone
- Wear it around the neck along with your access card.
The 128-bit Secure Socket Layer (SSL) encryption is the de facto cryptographic standard that we use for securing data communication between the browser and our website. Digital certificate technology is used to ensure transaction privacy, message integrity and server-side authentication. This also serves as an assurance that the website runs legitimately under the care of the Bank.
SSL is the industry-standard method developed by Netscape Communications Corporation for protecting web communications. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the "session key" generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. Any software with encryption features having key lengths over 40-bit is considered strong encryption by the U.S. Government.
Most browsers support 40-bit SSL sessions, and the latest browsers enable users to encrypt transactions in 128-bit sessions. 128-bit encrypted messages are 309,485,009,821,345,068,724,781,056 times harder to break than 40-bit messages. Thus, it would take the same technology used to crack the RSA 40-bit message 1 trillion x 1 trillion years to crack a 128-bit message*.
* Quoted from VeriSign – www.verisign.com
Always login to Personal Internet Banking by entering the official bank URL (www.anz.com.sg) directly into the browser address field.
Is the security provided by Secure Sockets Layer (SSL) safe enough for banking transactions to be carried out on the internet?
Banks in Singapore generally adopt the Secure Sockets Layer 128-bit encryption standard, an international standard which is considered secure and adequate for encrypting data transmitted over the internet. This standard is also widely used by other financial centres in the world. We will continue to track and apply best practices in encryption standards.
Security issues are of paramount concern to banks in Singapore, whether the consumer uses the traditional channel or the internet. Regardless of the technology or medium, both banks and customers have a responsibility to ensure that transactions are carried out in a safe and secure manner. Customers have to protect their confidential data, such as passwords and login information. Otherwise, they will put themselves at unnecessary risk.
Malware is designed to steal user information by altering the look and feel of banks' websites.
"SpyEye" malware will steal login credentials such as User ID, Internet Banking PIN and One-Time Password (OTP) from the user. It can also disable anti-virus protection and take over control of your computer.
Typically, your computer could get the malware if you have visited an infected website or you have opened an infected email. In addition, social networking sites are also increasingly being used to transmit such malware.
You may experience the following if you access your Personal Internet Banking from an infected computer:
- Multiple prompts for login information even after you have entered your login credentials such as the User ID, Internet Banking PIN and One-Time Password (OTP)
- Errors while loading the login page for Personal Internet Banking
- Your computer seems to hang for a short period of time
- You see unfamiliar banking processes and messages such as "Security Device validation", or "We are checking your security settings … Please wait ...."
- You receive email messages or SMS for online transactions that you did not perform or for account numbers that you do not know.
If your computer has been infected with this malware, this is a possible message that you will see after you have logged in to Personal Internet Banking.
"We are checking your security settings. Please wait 1-10 minutes. Please be patient don't close and reload the page while we are checking the information."
You are advised not to proceed with any transactions until your computer or device has been checked and disinfected.
If you encounter a message similar to the above, your computer is likely to be infected with the "SpyEye" malware. You are advised to close your browser immediately and inform the Bank through our 24-Hour Customer Service at 1800 269 2269 or +65 6269 2269 (if overseas). You are also advised to refrain from using this computer for Personal Internet Banking service until it has been checked and cleared of the malware.
- Check that your anti-virus software is always up to date and install reputable anti-spyware software. Run your anti-virus software and scan your entire database files regularly.
- Do not download software from unknown and unsecure websites.
- Ensure that the One-Time Password (OTP) from your Personal Internet Banking Security Device and any SMS messages reflect your actual requests for any online Personal Internet Banking transaction requests.
- Always check your account and transaction history details such as your last login date/time and your account balances and statements regularly to identify any unusual transactions.
- For your security, do not click on links from emails, install any programs from other doubtful origins or perform any online transactions on computers that you suspect are compromised.
- Always access our Personal Internet Banking service by typing in the correct URL (http://www.anz.com.sg).
Note: ANZ is not the source of this malware and our Personal Internet Banking remains secure. ANZ does not ask for your Personal Internet Banking Password or One-Time Password (OTP) in an email or over the phone.
Customer education is critical to the mitigation of the phishing threat. Online users should be aware of how to spot fraudulent emails and websites. A URL can be redirected so that it initially appears legitimate in order to deceive the customer. For example, when a customer submits information on a website, a seemingly legitimate URL can redirect the customer to a different address, which is actually a spoofed website or a criminal email address.
Customers should note that they can often spot grammatical errors on illegitimate sites, as they often originate in foreign countries. They should also delete suspicious emails. Customers should be aware that emails can launch harmful Trojan horses or worms onto customers' computer systems. Though not a complete panacea, customers can have some level of protection against threats by proactively securing their own computers with technological measures such as anti-virus software and intrusion detection software.
What is a Trojan horse?
If you recall ancient Greek history, you'll remember that the original Trojan horse allowed an army to sneak right through a highly fortified gate. Amazingly, the attacking army hid inside a giant wooden horse offered as a gift to the unsuspecting victims.
In a similar way, today's Trojan horses try to sneak past computer security fortifications, such as firewalls, by employing similar trickery. By looking like normal software, Trojan horse programs dupe a user into installing them in the first place. Blending in with the "normal" programs running on the computer, the Trojan horse camouflages itself to appear to belong to the system, so users unthinkingly continue their activity, unaware of its presence. Once it gains control of the system, a Trojan horse can cause severe damage, such as ruining the file allocation table on your hard disk. A Trojan horse may be widely redistributed as part of a computer virus.
What is a Keystroke sniffer?
A Keystroke sniffer is a software program that takes images and screen shots of everything one does on one’s computer, from a mouse click to details like a password entry.
What is Salami Slicing?
It involves stealing money in small amounts each time, through many bank accounts. This technique works on the fact that most people will not notice or complain about a small discrepancy in their accounts. For example, a hacker may charge two dollars to each account on a particular scheduled date. With 100,000 accounts each amounting to $2, the total amount of money can be substantial.
We recommend that you do the following
- Equip your personal computer with the latest virus detection software and anti-spyware so as to protect yourself against any virus attacks and other malicious attacks
- Install a personal firewall to protect against hackers, virus attacks or Trojan horses
- Update the anti-virus, anti-spyware and firewall products with security patches or newer versions on a regular basis
- Avoid downloading any files from websites or people you are not familiar with
- Avoid using programs that allow you to automatically receive or preview files
- Avoid opening email attachments from strangers or unintended senders
- Delete all junk and chain emails.
Protect and secure your User ID and Internet Banking PIN (for ATM, Phone Banking, Personal Internet Banking). You can protect your User ID and Internet Banking PIN and other security information in these ways
- Do not allow anyone to use your Security Device or know your Internet Banking PIN or any other sensitive information
- Memorise your Internet Banking PIN and other security information and destroy the notification immediately. You should not write down or keep a record of your User ID together with your Internet Banking PIN
- Do not leave your Security Device lying around
- Do not use easy to remember dates or numbers, like your identity card number or birth dates, as your User ID or Internet Banking PIN.
- Change your Internet Banking PIN periodically
- Avoid having the same password for different websites, applications or services
- Do not store your User ID/ Internet Banking PIN in the Internet Explorer Browser – Auto Complete Function
- Never reveal your Internet Banking PIN to anyone. The Bank will never request your Personal Internet Banking, Phone Banking or ATM PIN for any reason
- Do not choose the option to save your User ID or Internet Banking PIN in your internet browser.
- Disable file and printer sharing in your computer while online, especially if you are connected to the Internet via a cable modem, broadband connection or similar set-ups
- Avoid installing or running software applications from unknown sources
- Do not enter or disclose your personal data to unfamiliar web sites
- Avoid accessing online banking or performing financial transactions from public terminals, computers or devices which cannot be trusted e.g. Internet Cafés
- Never leave your computer unattended. Ensure your computer is properly logged-off from any online session or shut down while it is not in use
- Check the balance of your bank account(s) as well as transaction records frequently and report any discrepancy
- Backup any important data regularly
- Consider using additional encryption technology to protect highly sensitive data.
Inform us immediately by calling our 24-hour customer service at 1800 269 2269 or +(65) 6269 2269 (from overseas) if
- Security Device is lost or has been stolen
- You suspect someone else has access to your Internet Banking PIN or any other confidential information
- You find any unusual transaction records in your Personal Internet Banking.
In order to expedite our investigations, we may need you to furnish us with your details and a description of the incident. We will provide you with an interim update of our investigations while we work towards a final resolution. As the nature of each incident varies, the incident could be further escalated to other departments, such as the technical support team or application team, and thus the time required to fully resolve the issue will be on a case-by-case basis.
To enhance your online security, the new generation Security Device is required for Transaction signing when performing certain online transactions.
Transaction signing provides you with an additional level of security as you will need to input information specific to the transaction into the new generation Security Device to generate a 6-digit dynamic One-Time Password (OTP). This One-Time Password (OTP) will then allow the transaction to proceed.
You will require the use of the new generation Security Device from mid-November 2012 for these Online Banking Transactions below:
- Addition of new third party payees for Bill Payment and Funds Transfer.
- Performing third party Funds Transfer for amounts above the defined threshold.
- Updating your personal particulars.
Frequently asked questions on Security Device and Transaction signing
1. What is this new generation Security Device?
This new generation Security Device enables you to generate a One-Time Password (OTP) during online transactions, which works similarly to the previous device.
In addition, this Security Device comes with a multi-button interface with enhanced security feature called Transaction signing which uses transaction-specific information to generate a secure One-Time Password (OTP). This feature will allow us to progressively provide more secure transaction services in the near future and transaction signing authentication capabilities to provide greater peace of mind.
This enhanced security feature is intended for certain online transactions such as setting up of new third party payees and ad-hoc transfers of funds. It is also intended to thwart man-in-the-middle security threats. With this new security feature, more banking transactions can be performed through self-service channels.
2. I am an existing ANZ Personal Internet Banking customer, when will I receive my new device?
ANZ will be issuing the new generation Security Device to existing ANZ Personal Internet Banking customers in phases between September and October 2012.
This new Security Device will be issued to all new ANZ Personal Internet Banking customers from September 2012.
3. Will I still be able to use my current device once I have received the new generation Security Device?
You can continue to use your current device until the end of December 2012. You are strongly encouraged to activate and start using the new Security Device upon receipt.
You will be required to activate the new Security Device online after you have received it. The activation can be done on ANZ Singapore. Once your new Security Device is activated, your old device will be deactivated.
4. How will I know that a new generation Security Device was sent to me?
If you are already issued with the new Security Device, you will be prompted to activate your new device.
5. Why are there so many buttons on this device, when I need to use only one?
The remaining buttons enable ANZ to provide you with new and improved features – for your greater online security. These new additional security features will be offered to you in the near future.
6. The new generation Security Device is much larger than the previous version. Can I request the previous version of the device instead of this one?
As part of our commitment to provide more secure Personal Internet Banking services to you, the Bank will be replacing the old device with the new generation Security Device from September 2012 onwards.
7. What is the lifespan and durability of this new Security Device?
The lifespan of this device depends on the battery life, which is estimated to be between 5 and 7 years. Frequency of usage will also affect the battery life.
The device is water-resistant but not waterproof. Please keep it dry and do not submerge your new Security Device in water.
8. What happens if the One-Time Password (OTP) generated by the Security Device is not accepted when I attempt to log in to my account?
This new Security Device is a sensitive electronic device that can be affected by many factors including temperature fluctuations, humidity and undue stress. This may lead the device to be temporarily de-synchronised, causing the OTP generated to be rejected by our system.
Should this happen, simply press the OTP button again to generate the next One-Time Password (OTP), which can then be used to re-attempt your login.
If you encounter errors while logging in with a correct One-Time Password (OTP) generated from your Security Device, please contact our 24-hour customer service hotline at 1800 269 2269 or +65 6269 2269 (if overseas) to re-synchronise your device.
9. Is there a replacement fee for the device if I lose it?
The first new generation Security Device issued to you is complimentary. The replacement fee is SGD20 nett if you require a replacement.
10. How do I get a replacement for my lost or damaged new generation Security Device?
If you lose or damage your Security Device, please complete and return the duly signed 24-Hour Banking Services Form for ANZ Personal Internet Banking:
- via post
- or visit any ANZ branch.
11. What is Transaction signing?
Transaction Signing provides you with an additional level of security for your online transactions. You will need to key in information specific to the transaction into the new Security Device to generate a 6-digit One-Time Password (OTP). This OTP will then allow the transaction to proceed.
This feature will allow us to progressively provide more secure transaction services in the near future. The Transaction Signing authentication capabilities will give you greater peace of mind when transacting online.
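The following is an added example, not ANZ's or the device vendor's code, showing why an OTP computed over transaction-specific input is rejected when the payee that reaches the bank differs from the one keyed into the device, while a plain login OTP carries no such binding. It assumes HMAC-SHA256 with RFC 4226 style truncation, a constructed shared key, and that the digits keyed into the device identify the payee; the page specifies only the 60-second validity and the 6-digit length.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # from the page: each OTP is valid for 60 seconds
DIGITS = 6         # from the page: transaction signing yields a 6-digit OTP
DEMO_KEY = b"constructed-demo-device-key"  # constructed value, not a real secret


def _truncate(mac: bytes) -> str:
    """Reduce an HMAC to DIGITS decimal digits (RFC 4226 dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _step(now: int) -> bytes:
    """Encode the 60-second time step that contains `now` (clamped at zero)."""
    return struct.pack(">Q", max(now, 0) // STEP_SECONDS)


def login_otp(key: bytes, now: int) -> str:
    """Plain OTP: depends only on the shared key and the current time step."""
    return _truncate(hmac.new(key, b"login" + _step(now), hashlib.sha256).digest())


def signing_otp(key: bytes, now: int, payee_digits: str) -> str:
    """Transaction-signing OTP: also covers the digits keyed into the device."""
    msg = b"sign" + _step(now) + payee_digits.encode("ascii")
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def _matches(code: str, candidates) -> bool:
    """Compare against every candidate using a constant-time comparison."""
    ok = False
    for expected in candidates:
        ok |= hmac.compare_digest(expected, code)
    return ok


def verify_login(key: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Bank side: accept the current step plus a small clock-drift window."""
    steps = range(-drift_steps, drift_steps + 1)
    return _matches(code, [login_otp(key, now + d * STEP_SECONDS) for d in steps])


def verify_signing(key: bytes, code: str, now: int, payee_digits: str,
                   drift_steps: int = 1) -> bool:
    """Bank side: recompute over the payee the bank actually received."""
    steps = range(-drift_steps, drift_steps + 1)
    return _matches(
        code, [signing_otp(key, now + d * STEP_SECONDS, payee_digits) for d in steps]
    )


def demo() -> dict:
    now = 1_700_000_000                          # constructed timestamp
    intended, altered = "12345678", "99990000"   # constructed payee digits
    code = signing_otp(DEMO_KEY, now, intended)  # customer keys in the intended payee
    return {
        "accepted_for_intended_payee": verify_signing(DEMO_KEY, code, now, intended),
        # The request reaching the bank names a different payee: the code fails.
        "accepted_for_altered_payee": verify_signing(DEMO_KEY, code, now, altered),
        "accepted_one_step_late": verify_signing(DEMO_KEY, code, now + 60, intended),
        "accepted_five_steps_late": verify_signing(DEMO_KEY, code, now + 300, intended),
        # A login OTP verifies regardless of what transaction follows it.
        "login_otp_accepted": verify_login(DEMO_KEY, login_otp(DEMO_KEY, now), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A production verifier would also reject any code that has already been accepted once and limit the number of failed attempts per device.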
12. I have requested a new generation Security Device but have not received it. What should I do?
If you have not received your new Security Device for more than 2 weeks, please call our 24-hour customer service hotline at 1800 269 2269 or +65 6269 2269 (overseas) for assistance.
Personal Internet Banking customers will receive their new Security Device at their primary account mailing address.
- For Singapore registered addresses, you will receive your new Security Device within 5 business days from the date of issuance.
- For overseas addresses, you will receive your new Security Device within 14 business days from the date of issuance.
13. What should I do if I have entered an incorrect Transaction Reference Number into my Security Device during the Transaction Signing process?
You can press the ‘OTP’ button to backspace and delete your last entry. If you would like to clear your previous entry, press and hold the ‘OTP’ button.
14. What should I do if I have tried multiple times with the One-Time Password (OTP) and the input on ANZ Personal Internet Banking is not accepted?
- Please ensure that the OTP you have entered matches the OTP on your Security Device.
- Please follow the on-screen instructions and repeat the process to generate a new OTP.
If the One-Time Password (OTP) is still not accepted, please call our 24-hour Customer Service Hotline at 1800 269 2269 or +65 6269 2269 (if overseas) for assistance.
15. Will I still be able to use my current device for ANZ Personal Internet Banking?
You can continue to use your current device for logging on to ANZ Personal Internet Banking to perform transactions that do not require Transaction Signing.