Security Advice Centre

December 2012

Security Procedures to Protect Confidential Information

The following information is provided to let our commercial customers know how we protect your information and the steps that you and your company can take to minimize the risk of fraud.

Additional Authentication is Available

We offer two-factor authentication as an option to help safeguard transactions and administrative functions. With two-factor authentication you are issued a PIN (which you may choose) and a Digipass token device that randomly generates a new number every few seconds. This greatly reduces risk, because an unauthorized user would have to fraudulently acquire both the PIN and the token.

Protection of Your Token Device and PIN

PINs are 6 numeric digits and repeating any digit more than once is not recommended. It is also recommended that birthdays, marriage dates or dates of any significance to the user should not be used as PINs as these can be easily determined.

You should not allow anyone to keep, use or tamper with your security token. Also, you should not reveal the one-time password (OTP) generated by the token or the serial number of the token to anyone.

Effective Use of a PIN

Here are suggested tips for the effective use of PINs:

  1. PINs should not be based on user-id, personal telephone number, birthday or other personal information
  2. PINs must be kept confidential and not be divulged to anyone
  3. PINs must be memorised and not recorded anywhere
  4. PINs should be changed regularly
  5. The same PIN should not be used for different websites, applications or services, particularly when they relate to different entities

Auto Logoff

Our system automatically logs you out after a period of inactivity. The system provides alerts prior to logout. However, whenever you walk away from your computer, it is recommended that you log off your MaxTrad session.

Password Expiration and Lockout

Our system prompts you to change your password at least every 30 days. Please refer to the Additional Tactics section below for guidelines on creating new passwords.

In addition, the system allows three attempts to enter the correct authentication credentials. After the third failed attempt the user id is locked out, and a system administrator must reactivate it.

Use of Security Questions

Security or challenge questions are used for password retrieval/reset. If you forget your password, the website will ask you a question and, if you answer it correctly, you will be able to retrieve or reset the password.

128-bit Secure Socket Layer (SSL) Encryption

RBS utilizes state-of-the-art security technology to protect your data and transmissions over the internet. Any application or enrollment forms on the RBS web site use Secure Socket Layer (SSL) technology to transfer your information across the internet to and from us. This technology establishes an encrypted link between your browser and our web server, which ensures that all data passed between our servers and your browser remains private and unaltered.

SSL Server Certificate Warning

Security awareness is provided to internet banking customers so that they are made aware of, and shown how to react to, SSL server certificate warnings. Check the authenticity of a financial institution's website by comparing the URL with the financial institution's name in its digital certificate, or by observing the indicators provided by an extended validation certificate.

Always check that MaxTrad's website address changes from “http://...” to “https://...” at the beginning of the URL, and that a security icon that looks like a lock or key appears when authentication and encryption are expected. If you do not see “https://...”, close your browser session immediately and call the RBS help desk to report the incident.

Even if you see “https://...”, if a warning is shown that the SSL certificate does not belong to RBS, you should terminate the session immediately and contact the RBS help desk to report the incident.

Audit Logs

Our system provides you with access to audit logs so you can see what activity has taken place per user.

Dual Controls

We offer commercial customers dual controls on our systems to initiate and release or approve transactions, or to make administrative changes. We offer flexible tools for multi-level and group-level controls. This allows you to put controls in place so that one person alone cannot submit a transaction or make an administrative change to a user, such as adding or deleting a user or changing their entitlements.

Inside RBS

A fundamental element of safeguarding your confidential information is to provide protection against unauthorized access or use of this information. We maintain physical, electronic and procedural safeguards that comply with federal guidelines to guard your nonpublic personal information against unauthorized access or use. Our employees are subject to a corporate code of ethics and other policies that require maintaining the confidentiality of customer information.

RBS will continue to enhance and maintain prudent security standards and procedures to protect against unauthorized access or use of your nonpublic personal information and records. These security procedures also protect former customers and consumers who have applied for an account or service at RBS for as long as the information is retained.

When We Will Contact You

From time to time, RBS may contact you unsolicited via phone call or email to inform you of a system issue, to inform you about new products and services, or in an effort to continue to build the relationship. At no time will you receive a call or email from RBS asking you for your login credentials. If you receive a suspicious phone call or email asking for your authentication credentials, decline and contact RBS as you normally do for support.

How You Can Protect Your Information

Although RBS has taken reasonable and appropriate measures to ensure that your personal information is secure, we cannot guarantee that the nonpublic personal information you provide will not be intercepted by others and decrypted. We are not liable for a breach of security that occurs for reasons outside of our control.

As your banking partner, we offer the following educational tips to build your knowledge and awareness around security.  These are for educational purposes only and not meant to be used as a prescriptive solution with any warranties around eliminating fraud.

Create a Security Policy and Perform Regular Assessments

Here are high level suggested steps for a security policy.

  1. Identify and locate your assets - This pertains to both information and material goods. Assess the importance and value of these assets.
  2. Perform a Threat Risk Assessment - Categorize the likelihood of these assets being stolen and identify the resulting damage to the organization if such an occurrence comes to pass.
  3. Perform an informal site survey of your organization.
  4. Institute a standard for classifying all information - Is it confidential, private, unclassified, etc.? Include a means to identify which employees, or groups of employees, have access to this information.
  5. Ascertain who needs access to external resources and what resources need to be made available.
  6. Ascertain who needs access to your banking systems and services, and make sure the removal of access to those services is part of your HR exit process.
  7. Create a disaster recovery plan.
  8. Appoint someone to be responsible for security policy enforcement.
  9. Understand that the implementation of any security policy needs regular validation.
  10. Perform regular assessments - Make sure your policy is working the way you intend it to.

Check your statements

Financial crime can go undetected for long periods, simply because victims are not aware it has happened. It may be weeks or months before fraud is spotted.

It's therefore vital that you carefully check all bank statements when you receive them. Make sure that all entries you see are correct. If there are transactions that you don't recognize, please report the details immediately.

If you receive incomplete statements, or fail to receive a bank statement or any other expected financial information, immediately contact us.

If you are in the process of changing your address, make sure you arrange to have all your mail forwarded and inform all parties you deal with.

Additional Tactics to Protect Your Information

  1. Use strong passwords
    1. Use letters from a phrase or song lyric - for example the nursery rhyme 'The Grand Old Duke of York he had ten thousand men' would give you the phrase 'TGODoYhhttm'. The mix of upper case and lower case letters helps to make the password even more secure
    2. Use a mixture of characters - including upper and lower case letters, as well as numbers. Some sites will allow you to use symbols such as "/" "~" or "&" for even better security.
    3. Don't use your PIN - or reuse any other passwords
    4. Don't use family names or birthdays - this information is easy for attackers to find on the internet, especially if you use your own name or birthday
    5. Don't use dictionary words - attackers will often use dictionaries of commonly used passwords. So avoid passwords which contain 'real' words (such as 'hello' or 'password'), names, or words in foreign languages
    6. Don't misspell common words - attackers are likely to try these combinations as well, especially sequences which replace letters such as 'I' with '1' or 'e' with '3'
  2. Do not select the browser option for storing or retaining user names and passwords
  3. Utilize a firewall - A firewall is software which helps protect your computer from online attacks. Any computer you use to access the internet should have a firewall installed.
  4. Utilize Anti-virus and Anti-Spyware software and update the anti-virus and firewall products with security patches or newer versions on a regular basis.
  5. Don’t access sensitive systems on an open network
  6. Don’t let your family use your work PC for personal use
  7. Make regular backups of critical data.
  8. We recommend you log off the online session when you walk away from the computer and turn off the computer when not in use.
  9. Make sure your computer operating system is up to date and has the latest patches
  10. For additional security, we recommend you remove file and printer sharing in your computers, especially when you have internet access via cable modems, broadband connections or similar set-ups.
  11. Do not install software or run programs of unknown origin.
  12. Delete junk or chain emails and do not respond to them.
  13. Do not open email attachments from strangers.
  14. Do not disclose personal financial or credit card information to little-known or suspect websites.
  15. Do not use a computer or a device which cannot be trusted.
  16. Do not use public or internet cafe computers to access online banking or perform financial transactions.
  17. Consider the use of encryption technology to protect highly sensitive data.
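The PIN rules given earlier (six digits, no repeated digit, nothing based on a date, a telephone number or a user id) and the strong-password tips above can be turned into a policy check that an administrator or a self-service enrollment page can run before accepting a new credential. The following Python is an added example written for this page; it is not RBS or MaxTrad code. The word list, the symbol-substitution table and every input value are constructed for illustration, and the date check is a heuristic that only reads the six digits as two-digit day, month and year groups.

```python
"""PIN and password policy checks mirroring the guidance above.

Added example, not the bank's own code. The sample dictionary, the
substitution table and all inputs in the usage section are constructed
for illustration; a production check would also consult a full word
list and a breached-password corpus.
"""
import datetime
import itertools
import re

# Constructed word list standing in for a real dictionary plus a list of
# commonly used passwords (the page names 'hello' and 'password').
SAMPLE_DICTIONARY = {"hello", "password", "welcome", "bonjour", "london", "summer"}

# Substitutions attackers try when guessing "misspelled" words ('e' -> '3',
# 'i' -> '1', ...). Each symbol maps to the letters it commonly stands for,
# plus itself, so a genuine digit is still read as a digit.
LEET_MAP = {"1": "il1", "3": "e3", "0": "o0", "4": "a4", "@": "a@",
            "$": "s$", "5": "s5", "7": "t7", "!": "i!"}


def _reads_as_date(pin: str) -> bool:
    """True if six digits can be read as DDMMYY, MMDDYY or YYMMDD (heuristic)."""
    a, b, c = int(pin[0:2]), int(pin[2:4]), int(pin[4:6])
    for day, month, year in ((a, b, c), (b, a, c), (c, b, a)):
        try:
            datetime.date(2000 + year, month, day)  # 2000-2099 used as a stand-in century
            return True
        except ValueError:
            continue
    return False


def validate_pin(pin: str, user_id: str = "", phone: str = "") -> list[str]:
    """Return the PIN rules a candidate breaks (an empty list means acceptable)."""
    if not re.fullmatch(r"\d{6}", pin):
        return ["PIN must be exactly six numeric digits"]
    problems = []
    if len(set(pin)) != len(pin):
        problems.append("PIN repeats a digit")
    if _reads_as_date(pin):
        problems.append("PIN can be read as a date")
    if pin in re.sub(r"\D", "", phone):          # compare against digits only
        problems.append("PIN appears in the telephone number")
    if pin in user_id:
        problems.append("PIN appears in the user id")
    return problems


def _spelling_variants(text: str) -> set[str]:
    """Every reading of the text once common symbol substitutions are undone."""
    choices = [LEET_MAP.get(ch, ch) for ch in text.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def validate_password(password: str, pin: str = "", user_id: str = "",
                      personal: tuple[str, ...] = (),
                      previous: tuple[str, ...] = ()) -> list[str]:
    """Return the password tips a candidate fails (an empty list means acceptable)."""
    problems = []
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)):
        problems.append("use a mixture of upper case, lower case and digits")
    if pin and pin in password:
        problems.append("password must not contain the PIN")
    if password in previous:
        problems.append("password reuses a previous password")
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        problems.append("password contains the user id")
    for item in personal:                         # family names, birthdays, ...
        if item.lower() in lowered:
            problems.append(f"password contains personal information ({item})")
    for variant in _spelling_variants(password):  # catches 'h3llo' as well as 'hello'
        hit = next((w for w in SAMPLE_DICTIONARY if w in variant), None)
        if hit:
            problems.append(f"password contains a dictionary word ({hit})")
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs for a worked run; none are real credentials.
    print(validate_pin("250590"))
    print(validate_pin("193746", phone="+44 20 1937 4612"))
    print(validate_password("P@55w0rd1"))
    print(validate_password("TGODoYhhttm!42", pin="193746", user_id="jsmith",
                            personal=("smith", "250590"), previous=("Winter2011",)))
```

Each function returns the list of rules that were broken rather than a yes/no, so an enrollment page can show the user exactly which tip to apply. The de-substitution step deliberately keeps the original symbol as one of the readings, so a password that only happens to contain a digit is not penalised, while 'P@55w0rd1' is still recognised as 'password'.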

Contact Us

RBS encourages you to help us protect your information and to keep your information accurate. If you suspect someone has made unauthorized transactions on your RBS accounts, or if you believe that any information about you is not accurate, contact your usual RBS support contact.

If you send us email, we may retain the content of the email and your e-mail address in order to respond to questions or concerns that you may have. Since we cannot ensure our response back to you is secure, we will not include nonpublic information such as account numbers in the response.