Precautions when using digital channels

The use of digital channels for the marketing of retail banking products and services changes the way bank customers access information. Before the conclusion of a contract or the acquisition of a banking product or service, customers must:

  • Read carefully all the information provided by the institution;

  • Clarify all doubts with the institution;

  • Evaluate in advance the conditions presented by the institution, carefully analysing the respective costs, remuneration and risks involved;

  • Ensure that all pre-contractual and contractual information is provided on a durable medium so as to be able to consult it later.

Bank customers should pay attention to and adopt the security procedures that are provided to them by their institution.

 

Precautions to be followed when carrying out banking operations through digital channels

In addition to the usual care associated with the product or banking service to be carried out, bank customers must:

  • Protect the equipment with a password that prevents it from being used by third parties;

  • Not allow the session of the site or applications with confidential information to start automatically;

  • Protect their equipment with antivirus and antispyware programs and keep these programs up-to-date;

  • Protect electronic communications, always keeping the firewall active;

  • Avoid using public equipment (shared computers and tablets) to perform banking operations or payments;

  • Protect wireless communications (WiFi) by adopting secure protocols and avoid using public hotspots;

  • Always check that the address of the institution’s website where they are entering their personal and confidential information begins with ‘https’. The ‘s’ stands for ‘security’, which ensures a secure connection to the institution’s online service. This system is part of the ‘digital certificate’ of the institution’s website, which can be consulted by clicking on the symbols of the closed padlock or the key that should appear in the lower right-hand corner (or upper right-hand corner, depending on the program used) of the internet browser;

  • Not click on the indicated links, not carry out the requested actions (such as running suggested programs) and not open the attachments if they open an email message whose content is suspicious, in particular because they do not know the origin of the message;

  • Not download email attachments without first running the antivirus;

  • Not open email messages of a dubious nature, and delete them immediately. It is important to pay attention to the type of language used (careless or dubious expressions), the language and the graphic presentation of the email messages received, as false messages often use less formal and less correct language;

  • Install only trusted applications obtained from official app stores. Not all applications are safe, and some may contain malicious software;

  • Check the data access permissions requested by applications and not download applications whose permission requirements seem excessive;

  • Not disclose passwords to third parties. Passwords are personal and non-transferable;

  • Not choose passwords that are too obvious (for example, 123456, ABCDEF, QWERTY) or associated with easily obtainable personal information (birthdays, children’s or spouses’ names, mobile phone numbers);

  • Not write passwords and other confidential information on paper, nor store this information in email messages or on the mobile phone;

  • Not send the IBAN, personal data (identification number, tax number, date of birth, full name, etc.), confidential codes and other sensitive elements via email or mobile phone messages;

  • Not enter confidential data and other information, such as the mobile phone number, on websites whose authenticity is not ensured;

  • Observe the security procedures communicated by the institution whenever they carry out banking operations through digital channels;

  • Contact their institution immediately if they detect unauthorised or unrecognised movements, keeping frequent and careful control of their accounts;

  • Notify the financial institution of any suspected fraud before proceeding with the banking operation.

 

Precautions to be observed in homebanking

Regardless of the equipment used (computer, tablet or smartphone), when using the homebanking service to perform financial operations, bank customers should also observe the following guidelines:

  • You must never access the institution’s homebanking service through an existing link in an email message, addresses recorded in ‘Favorites’ or ‘History’, or search engine results. Bank customers must always type the full web address (URL) into the browser, so as to avoid programs that allow the appropriation of confidential information and to avoid being redirected to a webpage that looks the same as the financial institution’s webpage but is false (‘mirror page’);

  • You must never disclose all of the coordinates of the homebanking security card (your financial institution will never ask for it);

  • You must avoid using the homebanking service in public equipment (shared computers or tablets);

  • After using the homebanking service, you must end the session and leave the institution’s webpage by clicking on the respective icons;

  • You must never use the same password for accessing your institution’s homebanking service that you use in connections that require less security (for example, passwords used in social networks);

  • You must regularly check the movements of your bank account (or payment account) and check the date and time of the last access to the homebanking service;

  • You must report to the institution, as soon as possible, the loss, theft or misappropriation of the security card or other security item used to carry out financial operations through the homebanking service.

 

Precautions to be observed in internet payments

Regardless of the equipment used (computer, tablet or smartphone), when making payments over the internet with a payment card, bank customers should also take the following precautions:

  • You must always enter the web address (URL) in the browser, rather than using an existing link in an email message, addresses recorded in ‘Favorites’ or ‘History’, or search engine results;

  • You should preferably use payment cards with increased security features, such as cards with a credit limit, a reduced validity period, and additional authentication procedures (procedures that allow strong customer authentication). Bank customers can also choose to create a virtual card (via ATM or homebanking), which allows them to carry out the same operations without ever disclosing the actual data of their payment card;

  • You should avoid making card payments over the internet on public equipment (shared computers and tablets);

  • You should always keep records of operations carried out with the card via the internet, including the information of the beneficiary entity and respective electronic address;

  • You should regularly check the movements of your bank accounts (or payment accounts) and verify the movements made with the card;

  • You must inform the payment service provider issuing the card, as soon as possible, of the loss, theft or misappropriation of the card, using the contacts made available by the card issuer or the contacts disclosed for that purpose on the Bank Customer’s Website.

 

Security procedures to be adopted by credit institutions

Institutions should have reliable, resilient and secure systems and adopt the best national and international security practices.

Institutions should:

  • Implement, monitor and regularly review a security policy for products and services provided through digital channels;

  • Inform customers in advance of the technological requirements and security measures to be adopted;

  • Promote awareness campaigns and dissemination of security procedures that should be adopted by customers when a specific security threat is identified;

  • Implement robust authentication procedures that allow a more secure verification of the bank customer’s identity, such as strong customer authentication mechanisms, in the case of payments;

  • Adopt appropriate technical or organisational measures to ensure the integrity and confidentiality of their customers’ personal data.

Strong customer authentication

Strong customer authentication is an authentication procedure, carried out at the request of the institution, in which customers use two or more of the following elements:

  • Something that only the customer knows – for example, a password, a code, a personal identification number (PIN);

  • Something that only the customer has – for example, an authentication device (token), a smart card, a mobile phone;

  • A characteristic that is inherent to the customer – for example, a biometric feature, namely a fingerprint.

These elements must be independent, i.e. the breach of one of them must not compromise the reliability of the other(s). In addition, at least one of these elements must be non-reusable and non-reproducible (with the exception of the characteristic inherent to the customer) and not susceptible to being stolen via the internet.

The use of these elements constitutes an authentication code. In cases where strong customer authentication is legally required, customers must use the authentication code to validate the payment transaction they intend to carry out.

For example, under this more robust authentication mechanism, when making a card purchase via the internet, in addition to indicating the details of their payment card, bank customers are required to enter a unique code that is sent via SMS. In this case, bank customers must have previously associated their mobile phone number with the card.