The use of the "Internet banking" system is becoming safer. Information security is being improved to take account of the constantly changing infrastructure and the development of information technology.
Secure use of Internet banking is based on modern technologies:
To protect against attacks aimed at impersonating the Bank's web servers and modifying content during transmission, the Secure Sockets Layer (SSL) protocol is used together with a public key certificate issued by one of the reputable Internet key certification centers (Certificate Authority) – Company.
To securely access the system, two-factor user authentication is used. This technology is based on two factors: possession of a valid personal (secret) cryptographic key stored in a file container or on a token, and knowledge of the password (PIN code) for access to this key.
To ensure the confidentiality of the data exchanged between the user and the Bank via Internet banking, the data is encrypted. This excludes the possibility of interception and unauthorized reading of payment and other information.
To ensure authenticity (confirmation of authorship), non-repudiation of authorship and integrity of electronic payment documents that are generated by clients and sent to the Bank, a digital signature mechanism is applied. The validity of the digital signature is checked before any document processing operation. The cryptographic protection tools integrated into the Internet banking system for creating and verifying electronic digital signatures are certified in accordance with the requirements of the legislation of Ukraine.
To ensure reliable storage and use of personal keys, it is recommended to use the hardware signature-creation devices (tokens) provided by the Bank. A hardware signature-creation device (token) is a means of cryptographic protection of information whose technical implementation keeps the personal key in protected memory and performs cryptographic operations in such a way that the personal key cannot be copied or located outside the protected memory of the device.
If you access "Internet banking" from a static IP address or range of addresses, we recommend that you contact the Bank to restrict the list of IP addresses and/or IP subnets from which the "Internet banking" system can be accessed. In this case, all connection attempts to the "Internet banking" system from IP addresses and/or IP subnets other than those specified will be blocked.
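The address restriction described above amounts to a deny-by-default allowlist check on the source address of each connection. The following is an added example, not the Bank's own code; the allowlist entries, the log format and the function names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist (documentation address ranges), standing in for the
# addresses and subnets a client would register with the Bank.
ALLOWED = ["203.0.113.10", "198.51.100.0/24"]

def parse_allowlist(entries):
    """Parse addresses/subnets; strict=True rejects typos such as 198.51.100.5/24."""
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]

def is_allowed(source_ip, networks):
    """Deny by default: unparsable or unlisted source addresses are blocked."""
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False
    # An IPv4 client behind a dual-stack listener can appear as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)

def review_connections(log_lines, networks):
    """Return (timestamp, source, decision) for each 'timestamp source' line."""
    decisions = []
    for line in log_lines:
        ts, _, source = line.partition(" ")
        verdict = "ALLOW" if is_allowed(source, networks) else "BLOCK"
        decisions.append((ts, source, verdict))
    return decisions

# Constructed connection attempts, not real log data.
SAMPLE_LOG = [
    "2024-01-15T09:00:01Z 203.0.113.10",
    "2024-01-15T09:02:17Z 198.51.100.77",
    "2024-01-15T09:05:40Z ::ffff:198.51.100.77",
    "2024-01-15T23:41:03Z 192.0.2.55",
    "2024-01-15T23:41:09Z 203.0.113.1000",
]

if __name__ == "__main__":
    nets = parse_allowlist(ALLOWED)
    for ts, source, verdict in review_connections(SAMPLE_LOG, nets):
        print(ts, source, verdict)
```

The restriction is only useful while the registered addresses really are static; if the office address changes, legitimate connections are blocked until the list held by the Bank is updated.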
To minimize the risk of fraud on customer accounts by third parties in the event of loss or compromise of one of the EDS (electronic digital signature) keys, it is recommended to use the group signature mechanism. In this case, only those payment documents will be considered that contain a complete group of signatures matching the signatures in the card with specimen signatures.
Follow these tips to reduce the risk of fraudulent transactions on accounts accessed via Internet banking, and to protect the private key and access to it:
Every day, review all messages and the electronic payment documents accepted and rejected by the Bank, and immediately inform the Bank of any unauthorized crediting (transfer) of funds!
Configure antivirus and anti-spyware software to monitor all events and periodically scan the data stored on the hard disk of the personal computer from which you access Internet banking. Install on the workstation:
Regularly and promptly update the system software of the computer from which you access Internet banking, especially the operating system, web browser and Java machine. It is recommended to enable automatic software updates.
Do not install software from untrusted sources (public software libraries, programs in e-mail messages and the like) on workstations that are used to work with the "Internet banking" system. It is not recommended to access untrusted (unknown) Internet resources from such a computer.
While accessing the "Internet banking" system, it is not recommended to work under an operating system user account that has elevated privileges, for example "Administrator".
While connecting to the website of the "Internet banking" system (http://ibank.aval.ua), make sure that the web server of the "Internet banking" system is correctly authenticated over SSL. Avoid connecting to the website via banner links or links received by e-mail. It is better to type the web address of the site yourself and add it to your browser's bookmarks. When you access the website, pay attention to the browser's address field. Because the "Internet banking" website has an authentic and valid security certificate from a global Internet certification center, on entering the site the address shown in the browser's address field should begin with https:// instead of http:// (the browser window may display a message that pages are about to be viewed over a secure connection). The certificate of the website can be viewed in the browser. To do this, click the "lock" in the status field before the website address. The screen will display information about the security certificate of the website ibank.aval.ua. The closed lock sign that appears when securely connecting to the system is proof that the website is authentic.
Do not access Internet banking via links received by mail, or from uncontrolled and unreliable computers located in Internet cafes, hotels, offices and other organizations.
Sometimes attackers launch attacks on user workstations to capture user authentication data (the personal EDS key and the password to access it) for further illegal use. The main methods of obtaining key information:
When run by the client, the offered program performs its standard actions but also copies keys and passwords and then sends this information to the attackers. To prevent such situations, remember that the Bank never, under any circumstances, sends e-mails with requests to send a key or password or to go to a specified address, and never distributes computer programs by e-mail. Responsibility for the safekeeping of keys and passwords rests with the user. If you receive such letters, programs or any such e-mails, immediately inform the Bank by letter or by phone, using the contacts listed on the Bank's website. Delete suspicious e-mails without opening them, especially letters from unknown senders with attached files that have the extensions *.exe, *.pif, *.vbs and other files.
If the workstation from which you access the "Internet banking" system is configured by a third-party specialist, ensure that their actions are supervised.
The private key and the password to access it are critical data from the point of view of safe operation in the "Internet banking" system. The private key is generated by the user, its owner, under the user's personal control. The Bank under no circumstances has access to the private keys of users. To ensure safe storage and use of personal keys, use the hardware signature-creation device (token) provided by the Bank. If the user chooses to store the key in a file container, personal keys must be kept exclusively on removable storage media (floppy disk, USB drive). Even temporary storage of EDS keys on a computer's hard disk is not allowed.
A key information medium that contains a valid key (removable storage medium, token) must be under the personal control of the user, so that other persons cannot access it. Under no circumstances is it permitted to hand over the key information medium (token) and/or disclose the password to third persons, including Bank employees.
A key information medium that contains a valid key (removable storage medium, token) must be used only while working in the "Internet banking" system. Do not leave the key information medium (token) connected to the personal computer if work in the system is suspended or not being carried out, if the personal computer is used to perform other functions, or after working hours.
The access password (PIN code) for private keys must not be stored in cleartext (for example, written on paper) or used for other systems and services. Personal responsibility for the safekeeping of the access password (PIN code) and for preventing the use of the key information medium by another person rests solely with the user.
Change the password for access to the key periodically (at least once a month). The password must contain digits, uppercase and lowercase letters, and special characters. When selecting a password, do not use combinations that are easily guessed, such as names, birth dates, telephone numbers and the like.
If users are dismissed or transferred to positions that do not involve work in the "Internet banking" system, you should immediately contact the Bank to block their keys.
In the case of compromise or suspicion of compromise of the key (loss or damage of the key information medium, disclosure of the password, or other events and/or actions that have led or may lead to unauthorized use of the key), you need to urgently contact the Bank to block the compromised key, by e-mail or by phone, being sure to state the blocking word.