Recommendations on data security
Recommendations on data security for Clients of CJSC ICB “EVROPEYSKIY” who use the “Internet Bank” (iBank2) systems.
The “Internet Bank” systems are designed to prepare, transmit over communication channels and store financial documents kept in electronic form (electronic documents).
The security of electronic document interchange is provided by encrypting the documents and applying an electronic digital signature (EDS), which is the legal equivalent of a handwritten signature.
Electronic documents are encrypted and signed with a secret EDS key stored on a specially designated diskette (the key diskette). Access to the secret key is protected by a password known only to the owner of the key diskette. Without access to both the secret key and the password it is impossible to sign an electronic document.
Following the recommendations below is a necessary security condition for settling accounts through the “Internet Bank” systems.
To use the cryptographic protection “AGAVA-C 5.0”, certified by the FSS of the RF (certificate of conformity No. СФ/114-0805), in the “Internet Bank” system, download the ibank2agava.dll library and copy it to:
- for Windows 2000/2003: the folder C:\WINNT\SYSTEM32
- for Windows 95/98/XP: the folder C:\WINDOWS\SYSTEM32
To prevent unauthorized persons from accessing your key diskettes, observe the following security requirements:
- Keep key diskettes and access passwords in a place inaccessible to others (a personal safe is best).
- Keep the access password separately from the key diskette: never write the password on the key diskette label.
- When you finish or interrupt work in the System (even for a few minutes), remove the key diskette from the disk drive (reader) and return it to its secure place.
- Use the key diskette only for signing electronic documents.
- Do not copy the key diskette and do not hand it to anyone, even for a short time.
- If the person who signs electronic documents changes (e.g. is dismissed), immediately inform the Electronic Banking Department (tel.: (4012) 57-39-58 or 57-39-82) and generate new keys.
- If you lose a key diskette, or suspect that it may have been in the possession of unauthorized persons even for a short time, immediately inform the Electronic Banking Department (tel.: (4012) 57-39-58 or 57-39-82).
When choosing an access password for the electronic digital signature key, it is recommended to follow these rules:
- Choose your password yourself and never tell it to anyone.
- Try to memorize your password. If you nevertheless write it down on paper, keep the paper in a place inaccessible to unauthorized persons.
- A password must contain at least 6 (six) different symbols.
- Change the password without fail if it becomes known to an unauthorized person.
- We do not recommend using as your password:
  - a sequence consisting only of digits (including dates, phone numbers, vehicle registration numbers, etc.);
  - a sequence of repeated letters and digits;
  - symbols that are adjacent on the keyboard or in the alphabet;
  - first names and surnames;
  - taxpayer identification numbers or other Client requisites.
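As an added example (not part of the Bank's recommendations or of the iBank2 software), the following Python code checks a candidate password against the rules listed above and reports which rules it violates. The reading of "6 different symbols" as at least six distinct characters, the four-symbol threshold for keyboard/alphabet runs, the lowercase Latin keyboard rows and the sample name and taxpayer number are assumptions of the example, not values from this page.

```python
# Keyboard rows and the Latin alphabet used to detect "symbols in a row"
# (assumed layout: a standard Latin QWERTY keyboard)
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MIN_DISTINCT = 6      # "not less than 6 (six) different symbols"
SEQUENCE_RUN = 4      # assumed threshold: 4 adjacent keyboard/alphabet symbols

# Labels returned by check_password for each violated rule
TOO_FEW_DISTINCT = "fewer than 6 different symbols"
DIGITS_ONLY = "consists only of digits"
REPEATED_PATTERN = "sequence of repeated symbols"
KEYBOARD_SEQUENCE = "symbols in a row on the keyboard or in the alphabet"
CLIENT_REQUISITE = "contains a name or other Client requisite"


def _is_repeated_pattern(password):
    """True when the password is one short unit repeated ('aaaaaa', 'ab12ab12')."""
    n = len(password)
    for unit_len in range(1, n // 2 + 1):
        if n % unit_len == 0 and password[:unit_len] * (n // unit_len) == password:
            return True
    return False


def _has_sequence_run(password, run=SEQUENCE_RUN):
    """True when `run` or more adjacent keyboard/alphabet symbols appear in
    order, forwards or backwards (e.g. 'qwer', '4321', 'abcd')."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS + (ALPHABET,):
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def check_password(password, client_requisites=()):
    """Return the list of rules the password violates (empty list = acceptable).

    client_requisites: names, surnames, taxpayer numbers and similar values of
    the Client that must not appear inside the password (case-insensitive)."""
    problems = []
    if len(set(password)) < MIN_DISTINCT:
        problems.append(TOO_FEW_DISTINCT)
    if password.isdigit():
        problems.append(DIGITS_ONLY)
    if _is_repeated_pattern(password):
        problems.append(REPEATED_PATTERN)
    if _has_sequence_run(password):
        problems.append(KEYBOARD_SEQUENCE)
    lowered = password.lower()
    for requisite in client_requisites:
        if requisite and requisite.lower() in lowered:
            problems.append(CLIENT_REQUISITE)
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: "Ivanov" and the taxpayer number are made up
    requisites = ("Ivanov", "7701234567")
    for candidate in ("J@s5L%x$", "123456", "ababab", "Ivanov2019", "qwerty78"):
        result = check_password(candidate, requisites)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The check is deliberately a deny-list of the weak patterns the page names rather than an entropy estimate; it is meant to be run on the Client's side before a new key password is accepted, with the Client's own requisites supplied as the deny-list.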
Ensure the security of the computer used to work in the System:
- Only authorized persons shall have access to the computer.
- All security patches recommended by the vendor of the computer's operating system shall be installed.
- Antivirus software with a regularly updated database shall be installed.
- Programs received from untrusted sources shall not be run on the computer (the greatest threat comes from programs received via e-mail or downloaded from the Internet).
- It is advisable to install a personal firewall.
Users of the “Internet Banking” module of the “iBank2” System are recommended to observe Internet security measures when connected to the Internet.
According to the Bank of Russia, attackers create web sites in the Russian segment of the Internet that imitate the web sites of some Russian credit organizations, and this trend may continue. To counter it, the Bank of Russia has published on its web site a constantly updated list of addresses (domain names) of the official web sites of credit organizations.
To connect to the System securely:
- Type the address https://ibank.icbe.ru (or the IP address 194.165.61.3) into the browser address bar, or select it from the browser's list of previously visited sites.
- Do not enter the System or other credit organizations' web sites through links received in e-mails or found on web sites you visit on the Internet.
- Once on the System's main page, check that the connection certificate matches the picture below (point the mouse at the lock icon in the browser's status bar and click the left mouse button):
Information about secure System use
Since most Clients operate their accounts using modern banking technologies, “Evropeyskiy” Bank informs you of the necessary security measures when using electronic banking systems.
Although attempts to illegally obtain personal information from users of remote banking systems have recently become more frequent in the Russian banking system, there has not been a single case of embezzlement of Clients' funds through this system at CJSC ICB “EVROPEYSKIY”.
Our specialists have examined all situations currently considered possible. The analysis shows that funds may be embezzled from bank accounts by:
- Authorized persons of corporate Clients who have access to the organization's secret EDS keys. As a rule, these are dismissed directors, accountants and their deputies, as well as shareholders of the organization.
- In-house IT specialists of corporate Clients who have technical access to the data carriers (diskettes, flash cards, hard disks, etc.) holding the Client's secret EDS keys used to operate the electronic banking system.
- External IT specialists called in to service the corporate Client's computers involved in operating the electronic banking system. As a rule, these are outside specialists who carry out preventive maintenance, set up the Internet connection, set up or update accounting or legal-information programs, and set up, update or install other software.
- Attackers who infect corporate Clients' computers with malicious programs over the Internet. Exploiting vulnerabilities in system and application software (operating systems, web browsers, e-mail clients, etc.), attackers have infected corporate Clients' computers with Trojan programs and then remotely stolen the Client's secret EDS keys and passwords.
- Attackers who send e-mail messages in which, under some pretext (technical re-equipment of the organization, updating or revising the credit organization's database, etc.), they ask the Client to type confidential information into on-screen form fields while imitating interaction with the credit organization (for example, through a duplicate of its web site). At the same time, the duplicate web site may deliver malicious programs to the Client's computer in the form of viruses or “bookmarks” (implants) that perform hidden functions in the background in order to gain unauthorized access to private information.
In all discovered cases the attackers obtained, one way or another, access to the corporate Client's secret EDS keys and passwords and sent payment orders bearing the Client's valid EDS to the bank. In most cases such payment orders, although their EDS verified successfully, were suspicious and entirely unusual for that Client, and were rejected by bank managers at the stage of deciding whether to execute the documents.
“EVROPEYSKIY” Bank takes the following measures to prevent such situations:
- The “iBank2” System is operated over a secured connection.
- Every time a Client opens the “iBank2” System page, the authenticity of the security certificate is checked.
- A Client is identified every time an EDS key is registered.
- All of a Client's EDS keys are changed once a year.
- On a Client's telephone call and/or on suspicion of unauthorized access, all electronic settlements of that Client are blocked.
- In addition, a Client may further protect themselves by following our security Recommendations: observe the rules of information security and the access procedure for the operating computer and the secret EDS keys, use licensed software, and use and constantly update personal security tools (firewalls, antivirus software).
- The Bank also offers every Client an IP-filter service: a mechanism that restricts the Client's access to specific IP addresses/subnets.
- The Bank offers the additional SMS-Banking service, which promptly notifies the Client by SMS about logins to the System, movement of funds, balances, etc.
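As an added example of how an IP-filter service of the kind described above can be evaluated (this is not the Bank's or iBank2's own implementation), the following Python code holds a per-Client allow-list of addresses and subnets and decides whether a login from a given source address is permitted. The opt-in semantics (a Client without an allow-list is not restricted), the client identifiers and the addresses, which are taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, are assumptions of the example.

```python
import ipaddress


def parse_allow_list(entries):
    """Turn a Client's IP-filter entries (single addresses or CIDR subnets)
    into network objects. A malformed entry raises ValueError rather than
    silently widening or narrowing the filter."""
    networks = []
    for entry in entries:
        # strict=False lets "192.0.2.5/24" mean the whole 192.0.2.0/24 subnet
        networks.append(ipaddress.ip_network(entry.strip(), strict=False))
    return networks


def is_source_allowed(source_ip, allowed_networks):
    """Default deny: the source address must fall inside at least one
    allowed network. An IPv6 source never matches an IPv4 network."""
    address = ipaddress.ip_address(source_ip)
    return any(address in network for network in allowed_networks)


def decide(client_id, source_ip, filters):
    """filters maps client_id -> list of allowed networks.

    A Client who has not subscribed to the IP-filter service (no entry in
    filters) is not restricted; a subscribed Client is allowed only from
    the listed networks (assumed opt-in semantics of this example)."""
    if client_id not in filters:
        return "allow"
    return "allow" if is_source_allowed(source_ip, filters[client_id]) else "deny"


def review_logins(login_attempts, filters):
    """Run decide() over constructed login records and return
    (client_id, source_ip, decision) tuples for review."""
    return [(a["client"], a["source_ip"], decide(a["client"], a["source_ip"], filters))
            for a in login_attempts]


if __name__ == "__main__":
    # Constructed sample data: client-A has enrolled in the IP filter with its
    # office address and its branch subnet; client-B has not enrolled.
    sample_filters = {"client-A": parse_allow_list(["203.0.113.10", "192.0.2.0/24"])}
    sample_logins = [
        {"client": "client-A", "source_ip": "203.0.113.10"},   # office address
        {"client": "client-A", "source_ip": "192.0.2.77"},     # inside branch subnet
        {"client": "client-A", "source_ip": "198.51.100.5"},   # unknown network
        {"client": "client-B", "source_ip": "198.51.100.5"},   # no filter enrolled
    ]
    for client, source, decision in review_logins(sample_logins, sample_filters):
        print(f"{client} from {source}: {decision}")
```

Denied attempts are the interesting output for an operator: a "deny" for an enrolled Client is exactly the kind of event that, per the measures listed above, should lead to blocking that Client's settlements and a telephone confirmation.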
Recommendations on information security when using ICQ:
- Download the ICQ program only from its official web site.
- For transactions, register a separate ICQ number and use it only for negotiating transactions.
- Use complex, unique passwords (such as J@s5L%x$) of at least 6 symbols. Do not save the password (do not tick the corresponding option in the program settings).
- For the security of electronic payments, do not use ICQ on the computer that is used to operate the Internet bank.
- Do not connect to the bank from computers in public places (Internet cafes, clubs, etc.).
- Do not insert links to Internet resources in messages. If a message contains such a link, never click it (it may lead to an infected web page or download a malicious program).
- Your computer shall be protected: configure the operating system appropriately, run antivirus software in monitoring (real-time) mode, install vendor updates for software and antivirus databases, and use a firewall.
We thank you for your attention and remind you that your security is in your hands.
If you have any questions, contact the Electronic Banking Department: tel.: 573-958, 573-982.