Security

Memo on ensuring the security of remote banking systems

The Bank attaches great importance to ensuring the security of access to Clients' funds. Please read the information below carefully and follow our recommendations.
Recently, banks have seen more frequent attempts to steal funds from the accounts of legal entities through remote banking systems.
Please pay attention! According to statistics, the most common theft attempts are carried out by:

  • employees of the organization, including dismissed ones, who have or have had access to electronic digital signature (EDS) key media (floppy disks, flash drives, hard/network drives, etc.), or to the computers from which the remote banking system (RBS) is operated;
  • IT specialists (staff or freelance) who provide, or have previously provided even once, IT services such as support, Internet connection, installation and updating of programs (accounting, legal, reference, etc.) on the computers from which the RBS is operated;
  • Internet fraudsters who infect computers with viruses and other malware (exploiting security gaps in the computers and in the organization's corporate network) and then steal the EDS keys and RBS access credentials over the Internet.

In all these cases the fraudsters, having obtained the EDS keys and the access credentials for the Client's RBS system, send the Bank payments to individuals and legal entities on the Client's behalf.

Once the Bank has issued you the RBS access credentials (login/password) and the electronic digital signature (EDS) keys, the confidentiality of these credentials depends entirely on how responsibly you use and store them, and on how well you protect the computers from which you work with the RBS system.
In order to reduce the risk of unauthorized access to the RBS system, we recommend that you implement the following organizational and technical measures:

  • 1. Ensure the security of media with EDS keys used in RBS systems:
    1.1. Store EDS keys only on external media (floppy disks, flash drives, USB eTokens), never on computer hard drives or network drives. Access to the key media should be strictly limited to the persons who have the right to sign documents and to an accountant working with the RBS system under a power of attorney (hereinafter "authorized persons").
    It is good practice to keep such media in a safe, in a sealed container. The integrity of the seal shall be checked daily, at the start of the working day, by the head of the organization or an authorized person. After work is completed, the key carrier shall be returned to the container and sealed by an authorized person.
    1.2. Do not use media with EDS keys for any other purposes (in particular, do not store any other information on them).
    1.3. Remove media with EDS keys from the computer each time their use is completed (i.e. the media should be connected to the computer only while documents are being signed). Even if work in the RBS system continues, remove the media immediately after signing.
    Avoid (even for a minimum time) the presence of media with EDS keys:
    - installed on your computer if you are not using them;
    - in open view (for example, on a desk) when they are out of your line of sight; if you need to leave your workplace, put the media with EDS keys in a protected place (for example, a safe).
    1.4. Do not hand EDS key carriers to anyone, including IT specialists, to check the operation of the system, configure interaction with the Bank, etc. If such checks are necessary, the owner of the EDS (an authorized person) must personally connect the media with the EDS keys to the computer.
  • 2. Ensure the security of access means (login/password) used in the RBS:
    2.1. Do not use simple passwords (123456, qwerty, etc.); use long combinations of upper- and lower-case letters and digits that do not form a sequence on the keyboard.
    2.2. Change the passwords used in the RBS regularly (at least once a month).
    2.3. Do not reuse the RBS password in any other system or service.
    2.4. Do not disclose the RBS login or password to anyone, including IT specialists, to check the operation of the system, configure interaction with the Bank, etc. If such checks are necessary, the owner of the credentials must personally enter his login and password in the RBS system. Do not write passwords down on paper or in text files on your computer, do not leave them in easily accessible places (such as on your desk), and do not share them with third parties. If a written record is unavoidable, keep all passwords on a single sheet in the safe, in the sealed container together with the key carrier.
    We recommend that you immediately change your password and regenerate the EDS keys (using the corresponding functions of the RBS system), or contact the Bank to be issued new access credentials and EDS keys, in the following cases:
    - when an employee who had (even potential) access to the EDS key carrier changes role or is dismissed;
    - if there is any suspicion of compromise (copying) of EDS keys and/or access means;
    - in case of detection of any malicious programs on the computer used to work in the RBS system.
  • 3. On the computer from which the RBS system is operated:
    3.1. Provide physical access to the computer only to authorized persons. It is recommended to use the following methods to protect physical access to the computer:
    - seal the computer's system unit (or attach a holographic sticker); the integrity of the seal (stickers) is regularly monitored by an authorized person;
    - set the BIOS password to turn on the computer and enter the BIOS settings;
    - set a password to start the Windows operating system using the syskey utility, which stores the local user password database in encrypted form (note: Microsoft removed syskey from Windows 10 version 1709 and later; on current systems use BitLocker full-disk encryption with a pre-boot PIN instead);
    - log in to Windows by pressing Ctrl-Alt-Del and entering the user's name and password;
    - avoid the use of "empty" or simple passwords (123456, qwerty, etc.) for all accounts authorized to log in to Windows, as well as periodically change passwords (the recommended frequency of password changes is 1 month);
    - disable the Guest account;
    - do not work under a Windows account with administrator rights; use an account with limited rights on the computer used to work with the RBS system. Use NTFS permissions: grant full control of the folder containing the RBS software modules (and all its subfolders and files) to the user who works with the RBS system, and deny access to this folder to all other users;
    - on the computer with the RBS system installed, stop and disable the Server service and the Remote Registry service. This makes it impossible to access the computer over the network, at the cost of some restrictions: you will not be able to create shared folders on this computer or share its local printer with other computers in your organization.
    Nevertheless, this measure is necessary, since (together with clauses 3.3 and 3.5) it ensures the network security of the computer used to work with the RBS system;
    - enable system auditing on the computer with the RBS system installed so that errors, user logons and program starts are logged; review the event log periodically and respond to anomalies;
    - supervise all actions of employees (including IT specialists and administrators) for the whole time they work on the computers used with the RBS system. The administrator (IT specialist) shall explain in detail to the authorized person what actions he is performing and for what purpose.
    3.2. Ensure timely (if possible, automatic, using Windows Update) downloading and installation of all the latest updates from Microsoft, as well as regular updates of other system and application software as new versions become available.
    3.3. Install and regularly update licensed antivirus software. The real-time antivirus monitor shall be on at all times from the moment the computer boots. Configure regular automatic scanning of the computer's RAM and hard drives for viruses.
    3.4. Use specialized security software: a personal firewall, anti-spyware software and other specialized IT security tools, which shall be updated regularly and configured correctly.
    When configuring the personal firewall, block all incoming and outgoing traffic that is not explicitly allowed, on all TCP and UDP ports, for all addresses on both the Internet and the organization's internal LAN (i.e. configure the firewall on the principle "everything that is not allowed is prohibited"); block the FTP and SMTP protocols; and allow access only to the resources that are actually needed (in particular, those used by the RBS system).
    If your organization has a competent system administrator, the firewall can be fine-tuned: specific ports and addresses can be opened so that the computer can interact properly with, for example, domain controllers, and the installation and execution of unauthorized programs can be prohibited (which also helps detect malware activity on the computer).
    Even if your organization already has a software or hardware firewall protecting the network perimeter, enabling the personal firewall on the computer itself (correctly configured and regularly updated) remains mandatory: it is your last line of defense.
    For more information on clauses 3.2 – 3.4, please visit the Microsoft website:
    http://www.microsoft.com/Rus/Security/Protect/Default.mspx
    http://www.microsoft.com/Rus/Protect/Computer/default.mspx
    3.5. On this computer it is recommended not to visit third-party websites (not related to the RBS system) or untrusted sites, not to work with e-mail (especially through public web mail services such as Mail.ru), and not to install or use unlicensed software or instant messaging programs (ICQ, QIP, etc.); it is forbidden to use Skype, to install games or any programs from pirated CDs, to watch videos or listen to music, to download and install any programs from the Internet, or to open and edit DOC, XLS and PDF files that have not been checked by the antivirus.
    Attention! The computer used to work with the RBS shall be maintained by a competent system administrator, who shall regularly perform the following work on it: checking that the antivirus software and firewall are running and up to date, a full antivirus scan of the computer, backing up the RBS software modules (to separate removable media stored in the safe in a sealed container), updating the antivirus and firewall, and installing the necessary operating system updates (patches and critical Windows security updates). During these operations the key carrier shall remain in the safe!
    3.6. To prevent money transfers made without the Client's consent, the Bank may, at the Client's request, monitor the IP addresses of the computers from which the RBS system is accessed on the Client's behalf, and restrict operations on the Client's Account to the established limits.
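The Windows hardening steps in clause 3.1 (disable Guest, no administrator rights for the RBS account, NTFS permissions on the RBS folder, Server and Remote Registry services off, logon and process auditing) and the default-deny personal firewall in clause 3.4 can be applied as one administrative script. The script below is an added example written for this page; it is not a script supplied by the Bank or by any RBS vendor. The account name RBSUSER, the folder C:\RBS, the Bank server address 203.0.113.10 (TCP 443) and the DNS resolver 192.0.2.53 are placeholders that must be replaced with the organization's own values. Run it from an elevated PowerShell prompt on Windows 10 or later, during scheduled maintenance, with the key carrier in the safe.

```powershell
# Added example, not the Bank's script: hardening an RBS workstation per clauses 3.1 and 3.4.
# Assumptions (replace with real values): local account RBSUSER operates the RBS client,
# the RBS software is in C:\RBS, the Bank's RBS server is 203.0.113.10:443, DNS resolver is 192.0.2.53.
#Requires -RunAsAdministrator

$RbsUser     = "RBSUSER"        # limited (non-administrator) account used for RBS work
$RbsPath     = "C:\RBS"         # folder with the RBS software modules
$BankServer  = "203.0.113.10"   # placeholder address of the Bank's RBS server
$BankPort    = 443
$DnsResolver = "192.0.2.53"     # placeholder internal DNS server

# 3.1: disable the Guest account and make sure the RBS account is not a local administrator.
Disable-LocalUser -Name "Guest"
if (Get-LocalGroupMember -Group "Administrators" -Member $RbsUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group "Administrators" -Member $RbsUser
}

# 3.1: NTFS permissions on the RBS folder. Inheritance is switched off and inherited entries
# dropped, then Full Control is granted only to the RBS account and to SYSTEM (antivirus and
# backup jobs run as SYSTEM). With no Allow entry, every other user is denied. An explicit
# Deny for BUILTIN\Users would also block RBSUSER, who is a member of that group, so it is
# deliberately not added.
$acl = Get-Acl -Path $RbsPath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($id in @($RbsUser, "NT AUTHORITY\SYSTEM")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, "FullControl", $inherit, $none, "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $RbsPath -AclObject $acl

# 3.1: no network access to this machine: stop and disable the Server service (LanmanServer,
# file and printer sharing) and the Remote Registry service. As the memo notes, this computer
# can then no longer offer shared folders or a shared printer.
foreach ($svc in @("LanmanServer", "RemoteRegistry")) {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}

# 3.1: audit logons (success and failure) and program starts. Subcategories are given by GUID
# so the command works on localized Windows builds: {0CCE9215-...} is "Logon",
# {0CCE922B-...} is "Process Creation". Results appear in the Security log as events
# 4624/4625 (logon success/failure) and 4688 (process creation).
auditpol /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable | Out-Null

# 3.4: personal firewall on the principle "everything not allowed is prohibited": block by
# default in both directions on every profile, then allow only what the RBS client needs.
# FTP and SMTP are covered by the default block and get no rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName "RBS: bank server" -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $BankServer -RemotePort $BankPort
New-NetFirewallRule -DisplayName "RBS: DNS" -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $DnsResolver -RemotePort 53
# Windows Update and antivirus signature updates (clauses 3.2 and 3.3) need their own allow
# rules for the update servers your organization uses; add them the same way.

# Quick verification of the service and firewall state after the script has run.
Get-Service -Name LanmanServer, RemoteRegistry | Select-Object Name, Status, StartType
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Two design points worth noting. First, the folder is protected by the absence of Allow entries rather than by an explicit Deny, because a Deny on BUILTIN\Users takes precedence over the Allow and would lock out the RBS account itself; administrators can still take ownership of the folder, which is why clause 3.1 also requires supervision of administrator actions. Second, a default outbound block cuts off everything the RBS client does not need, including the update channels required by clauses 3.2 and 3.3, so those allow rules must be added before the workstation is handed back to the authorized person, and any failure of the RBS client to connect afterwards should be checked against the firewall log before it is treated as one of the warning signs listed below.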

WE STRONGLY ASK YOU TO CONTACT THE BANK IMMEDIATELY IN CASE OF THE FOLLOWING SITUATIONS:

  • Your RBS system stops working for unknown ("unusual") reasons: for example, the Windows operating system does not start; you cannot log in to the RBS system because of an "authorization error" indicating a mistyped password even though you are typing it correctly, or the login is blocked; the RBS banking server cannot be reached; familiar programs behave unusually, etc.
  • Unauthorized access to your information by third parties has been detected (or is suspected): for example, a login from an atypical IP address or at an atypical time for you.
  • Unauthorized debit transactions have been detected in the statement.

Please note that contacting the Bank promptly allows prompt measures to be taken to prevent fraud and save your funds.