Internet Banking Security - Client Awareness

1. Introduction

In line with BNP Paribas' policies on internet security, Connexis® Cash maintains the highest security standards to avoid fraudulent actions and exposure of confidential data.

Despite these measures, the risk related to internet banking cannot be completely excluded. This document proposes a number of recommendations to make our clients aware of these risks and rogue practices and to protect them against them.

2. Internet Banking Risks

2.1 Malware

Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware is a general term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, key-loggers, spyware and other malicious programs.

Fraudsters mostly use phishing or social engineering techniques to install malware on your computer.

2.2 Social Engineering

Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.

The fraudster attempts - by posing as a trustworthy counterparty - to piece together enough information to infiltrate an organization's infrastructure.

Important Information: A few clients have reported illegitimate calls from people pretending to be from BNP Paribas and soliciting client credentials.

2.3 Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the fraudster sends an e-mail that appears to be legitimate requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems genuine - with company logos and content - and requests personal data, which is then used to commit identity theft and/or commit fraudulent actions.

Important Information: Recently a number of suspected malware fraud cases were detected. It is believed that computer users, when logging on to their internet banking account, were lured into entering their logon credentials (e.g. logon ID, password, and the one-time password (OTP) generated by the security device) into a fake web page.

3. Connexis Cash Security Practices

3.1 Access Management

Access to Connexis Cash is secured via industry-compliant strong two-factor authentication, generating one-time passwords that are valid for a limited time period. Transactional activity is further protected via a challenge/response mechanism.

The security tokens are provided by VASCO, a world leader in authentication and e-signature solutions. Moreover, the tokens are locked after a number of failed attempts.

The connectivity with the Connexis Cash platform is secured via the HTTPS protocol using 256-bit encryption. Connexis Cash only uses encrypted cookies.
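As an added illustration of the three controls described above (time-limited OTP, challenge/response on transactions, token lockout), the following Python models the server-side checks; it is not VASCO's algorithm nor Connexis Cash's code, and the user, token secret, time-step length, lockout threshold and IBAN are constructed sample values.

```python
import hashlib
import hmac
import struct

# Simplified server-side model, added for illustration only: not VASCO's algorithm nor
# Connexis Cash's code. The per-user token secret below is a constructed sample value.
TOKEN_SECRETS = {"alice": b"sample-secret-for-alice-token"}
OTP_STEP_SECONDS = 30    # an OTP is tied to a 30-second time step (assumed value)
MAX_FAILED_ATTEMPTS = 3  # token is locked after this many consecutive failures (assumed)
failed_attempts = {}
locked_tokens = set()

def _code(secret: bytes, message: bytes) -> str:
    """6-digit code derived from an HMAC, standing in for the token's function."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def generate_otp(user: str, now: int) -> str:
    """Logon OTP the token would display at Unix time `now`."""
    return _code(TOKEN_SECRETS[user], struct.pack(">Q", now // OTP_STEP_SECONDS))

def sign_transaction(user: str, beneficiary_iban: str, amount_cents: int) -> str:
    """Response the token computes for a challenge bound to the payment details, so a
    beneficiary or amount swapped by malware no longer matches the signed response."""
    challenge = f"{beneficiary_iban}|{amount_cents}".encode()
    return _code(TOKEN_SECRETS[user], challenge)

def _record(user: str, ok: bool) -> bool:
    """Reset the failure counter on success; lock the token after too many failures."""
    failed_attempts[user] = 0 if ok else failed_attempts.get(user, 0) + 1
    if failed_attempts[user] >= MAX_FAILED_ATTEMPTS:
        locked_tokens.add(user)
    return ok

def verify_otp(user: str, otp: str, now: int) -> bool:
    """Accept the current or the previous time step only; a locked token always fails."""
    if user in locked_tokens:
        return False
    step = now // OTP_STEP_SECONDS
    candidates = [_code(TOKEN_SECRETS[user], struct.pack(">Q", s)) for s in (step, step - 1)]
    return _record(user, any(hmac.compare_digest(otp, c) for c in candidates))

def verify_transaction(user: str, response: str, beneficiary_iban: str, amount_cents: int) -> bool:
    """Check the challenge/response against the transaction the server is about to execute."""
    if user in locked_tokens:
        return False
    expected = sign_transaction(user, beneficiary_iban, amount_cents)
    return _record(user, hmac.compare_digest(response, expected))
```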

3.2 Workflow Management

The workflow management capabilities of Connexis Cash enable clients to benefit from extensive segregation-of-duties capabilities, thereby replicating and enforcing your internal control framework while also limiting the actions that can be undertaken by a single user.

BNP Paribas recommends respecting the 4-eyes principle for all key services, such as entitlements management, payment authorization, and beneficiary management.

3.3 Security Management

In order to uphold the security level of Connexis Cash at all times, several structural measures have been implemented:

  • Annual penetration testing by an external, specialized security firm; a different firm is used every year to ensure the broadest coverage possible
  • Monthly external scans of the perimeter of the Connexis Cash infrastructure
  • Proactive secure coding and subsequent code auditing to ensure only secure code is brought into production
  • Frequent organizational audits and technology monitoring

3.4 Certifications

As part of its commitment to quality, BNP Paribas has sought certification for the key processes related to the operation and development of the Connexis Cash platform:

  • ISO 9001 certified - standard for quality management
  • ISO 20000 certified - standard for IT service management
  • ISO 27001 certified - standard for information security management

4. Client Recommendations

In order to avoid fraudulent actions and exposure of confidential data, BNP Paribas recommends that its clients take into account a number of guidelines related to workflow management and the protection of their infrastructure, summarized in the following 10 recommendations.

RECO 1 - Implement 4-eyes Principle

Respect the 4-eyes principle for all key services, such as entitlements management, payment authorization, and beneficiary management.
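The following Python is an added illustration of maker/checker (4-eyes) enforcement for the three key services named in 3.2 and RECO 1; the users, entitlement labels and the Workflow class are constructed for this example and are not the Connexis Cash workflow engine. It also shows the edge case that matters in practice: entitlement changes go through the same workflow, so an administrator cannot grant and approve a right alone.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of maker/checker (4-eyes) enforcement for the three key services named in
# 3.2 and RECO 1. Users, entitlement labels and the Workflow class are constructed for this
# example; this is not the Connexis Cash workflow engine.
FOUR_EYES_SERVICES = ("entitlements", "payment", "beneficiary")

@dataclass
class Request:
    service: str                    # one of FOUR_EYES_SERVICES
    initiator: str                  # the "maker"
    payload: dict
    approver: Optional[str] = None  # the "checker", set only by a successful approve()

class Workflow:
    def __init__(self, entitlements: dict):
        # entitlements[user] = {"make:payment", "check:payment", ...}
        self.entitlements = {u: set(r) for u, r in entitlements.items()}

    def _entitled(self, user: str, right: str) -> bool:
        return right in self.entitlements.get(user, set())

    def create(self, service: str, user: str, payload: dict) -> Optional[Request]:
        """Maker step: returns None when the user may not initiate this service."""
        if service not in FOUR_EYES_SERVICES or not self._entitled(user, f"make:{service}"):
            return None
        return Request(service, user, payload)

    def approve(self, request: Request, user: str) -> bool:
        """Checker step: a different, entitled user must approve. Self-approval is refused
        even when the initiator also holds the check entitlement (segregation is per
        request, not per role), and a request cannot be approved twice."""
        if not self._entitled(user, f"check:{request.service}"):
            return False
        if user == request.initiator or request.approver is not None:
            return False
        request.approver = user
        if request.service == "entitlements":  # grants take effect only after the second pair of eyes
            self.entitlements.setdefault(request.payload["user"], set()).add(request.payload["grant"])
        return True

def is_executable(request: Optional[Request]) -> bool:
    """Only a request seen by two different pairs of eyes may be executed."""
    return request is not None and request.approver is not None and request.approver != request.initiator
```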

RECO 2 - Review User Access

IT administrators must review user access at least once a year.

RECO 3 - Use Up-to-date Software Versions

Software includes operating systems (e.g. Microsoft Windows), browsers (e.g. Internet Explorer, Firefox, Chrome) and other critical software (e.g. Java, Flash, antivirus, firewall and anti-spyware).

RECO 4 - Keep Personal Information Private

Tokens and passwords are personal and can never be disclosed to anyone.

RECO 5 - Protect Your Workstation Against Hacking And Malware

Protect your computer from hackers, viruses and malicious programs by performing antivirus and anti-spyware scans on a regular basis. If your antivirus or anti-spyware program detects a suspicious file, immediately delete that file and close the website that downloaded it. If the computer has been compromised, do not hesitate to change all your passwords.

RECO 6 - Do Not Leave Your Workstation Unattended

Do not leave workstations unattended when logged in, and always remember to log off when e-banking transactions have been completed.

RECO 7 - Only Visit Trusted Websites

Only visit trusted websites and do not download any files or programs from unknown or suspicious websites. Always be careful when opening an unknown file, a strange e-mail or a new program or when clicking certain links.

RECO 8 - Do Not Respond To Suspicious Emails From BNP PARIBAS

Always verify that the e-mail sender is trustworthy before opening any attachment, and do not respond to or click on any links provided in e-mail messages that appear to be sent by BNPP and ask you to enter personal data, bank account / card numbers or Internet Banking codes.

RECO 9 - Do Not Act On Suspicious Calls From BNP PARIBAS

If someone calls you, pretending to work for or act on behalf of BNP Paribas, and asks you to provide personal data and/or to initiate or authorize transactions, refrain from taking any action at all and contact your L1 Support entry point (see RECO 10).

RECO 10 - In Case Of Doubt, Contact BNP PARIBAS

In case of doubt, immediately abort any transaction and contact BNP Paribas, especially when the signing procedure differs from the usual one. It is advised to check whether all ongoing transactions are legitimate. Please contact your L1 Support entry point in case of doubt.

Disclaimer

This document has been prepared by BNP PARIBAS for informational purposes only. Although the information in this document has been obtained from sources which BNP PARIBAS believes to be reliable, we do not represent or warrant its accuracy, and such information may be incomplete or condensed. This document does not constitute a prospectus or solicitation. All estimates and opinions included in this document constitute our judgment as of the date of the document and may be subject to change without notice. Changes to assumptions may have a material impact on any recommendations made herein.

It may not be reproduced (in whole or in part) to any other person without the prior written permission of BNP PARIBAS.

© 2013 BNP PARIBAS. All rights reserved.