DBS iBanking Security Guidelines
DBS Bank takes every step to ensure security standards. It is the endeavor of the Bank to prevent unauthorized access to your information. The Bank does not contact you by Email, SMS or Phone calls seeking details on your account, your card or your Personal Identification Numbers.
If you receive any such request or feel suspicious about any Email, SMS or Phone call, do not respond. Please report all such incidents to our customer service line, or email us.
In addition, we continually assess new technology for protecting information. The result is a "distributed security" network, one that ensures protection throughout the banking process, on your computer, during the transmission of information, and in the bank's own computer systems.
Rather than relying on a single security measure, distributed security uses many lines of defense to protect your account information, including encryption, firewalls, timed log off, virus protection, a secure login process and One Time Password (OTP). Whether you're registering for iBanking, transferring money or paying your bills, you can depend on your accounts and your account information being safe.
DBS Bank takes numerous steps to keep your accounts and personal information secure, but you also play a role in maintaining the security of your banking information.
Please be sure your browser complies with industry security standards, such as Secure Sockets Layer (SSL). In addition, we recommend the following to maintain the security of your Internet Banking Service:
DBS Bank uses Secure Sockets Layer (SSL) encryption for customer online transactions, and each session uses a unique master key to encrypt messages. Encryption is a communications process that scrambles private information to prevent unauthorized access as information is being transmitted between your browser and DBS Bank. Once you sign off, the master key used for that session becomes useless, since it is only good for one session.
Before you are able to log in to Internet Banking, you must be using an Internet browser that supports 128-bit encryption, the highest level of security available.
DBS Bank's computer system does not connect directly to the Internet, as every system that interacts with the Internet is at risk of attack from hackers. To protect our systems that interact with the Internet, we use firewall technology to prevent unauthorized access. A firewall is a system that blocks unauthorized interactive access from individuals or other networks.
We recommend Internet Banking users complete online transactions and log off before visiting other sites or turning off their PCs. We also suggest they do not visit other sites when logged on to the Internet Banking Service.
In addition, you may not always be at your own computer when you bank online. Therefore, it's important to sign off when you're finished banking. If you forget to do so, DBS Bank automatically signs you off after 10 minutes of inactivity.
From time to time we at DBS Bank will provide information on security related news items that we feel you should be aware of. These security updates will be presented on this page.
A phishing attack is an online fraud technique which involves sending official-looking email messages with return addresses, links and branding that all appear to come from legitimate banks, retailers, credit card companies, etc. Such emails typically contain a hyperlink to a spoof website and mislead account holders to enter customer names and security details on the pretence that security details must be updated or changed. Once you give them your information it can be used on legitimate sites to take your money.
Vishing is an adaptation of phishing attacks that uses telephone or VoIP (Voice over IP) tools. You may receive an email or SMS asking you to call a free phone number to confirm your details, or you may receive a phone call with a recorded message asking you to input your account details. Once you have done this, the attacker is free to use your personal information to attack your account.
To protect yourself, use only the published official call centre numbers of your financial services company and be cautious in giving out your personal information over the telephone. Remember, DBS Bank will never ask you for your password over the phone.
You may already have heard of 'advance fee fraud', where emails offering large sums of money are sent to thousands of email addresses, but a modest 'fee' is required in order to cover legal fees, open an account or pay customs charges. Sometimes the money offered is the result of a lottery for which you have never bought a ticket. Sometimes the money is held in an account overseas but the account owner cannot access it, and they promise a percentage of the money in return for your help. In both cases various fees have to be paid.
Do not respond to these emails. They are part of a fraud and you will not receive any of the promised money.
Online thieves often direct you to fraudulent Web sites via email and pop-up windows and try to collect your personal information. One way to detect a phony Web site is to consider how you arrived there. Generally, you may have been directed by a link in a fake email requesting your account information. However, if you type, or cut and paste, the URL into a new Web browser window and it does not take you to a legitimate Web site, or you get an error message, it was probably just a cover for a fake Web site.
Date: 14 April 2014 Alert Level: Green Criticality: Low
Description: A vulnerability known as the Heartbleed bug has been discovered in OpenSSL implementations of SSL and TLS, which are used to encrypt communications between computers and web servers. This vulnerability allows attackers to obtain secret information such as credentials from web servers.
DBS iBanking does not use OpenSSL and is not vulnerable to Heartbleed. We have multiple layers of security in place to protect our customers such as 2FA for online banking transactions. Protect yourself and your iBanking account with the following key pointers.
* Use different usernames and passwords for your online banking accounts from other non-banking related accounts.
* Change your passwords regularly.
* Do not reveal your iBanking username, password or token PIN to anyone.
* Call us immediately at 1800 209 4555 if you notice unknown transactions appearing on your account.
* Always protect your computer by using anti-virus software and keep it updated with the latest anti-virus signatures.
Before you can use the Service, you must obtain a User ID and Password. Our DBS Bank - iBanking permits you to set a User ID and Password of your choice. The Password is case sensitive and must be 6 to 12 characters in length. It must contain both alpha and numeric characters. Your Password enables us to identify and authenticate your use of the Service. Because your Password will permit entry into the Service and allow transfers to be made from / to your accounts, you agree to keep your Password confidential. Creating a good Password and keeping it a secret is essential to keeping your computer account secure. As you are responsible for what occurs with your User ID, it is strongly recommended that you follow these guidelines to prevent someone from obtaining your Password and abusing your account.
If you forget your User ID, you can visit www.dbsbank.in and select the "Retrieve your Internet Banking User ID" link.
If you forget your Password, you can visit www.dbsbank.in and select the "Reset your Internet Banking Password" link.
When you sign in to iBanking from the DBS Bank web site, your user name and password are sent over the Internet from your computer to our server using Secure Sockets Layer (SSL) technology. SSL encrypts your personal information before it leaves your computer, ensuring that no one else can read it.
Once you have signed in, you can check that your Internet Banking session is secure in two ways:
In addition, we suggest you do not keep sensitive information on any of your hard drives, and keep financial data on a removable diskette in a secure location.
Do not give or disclose any part of your User ID and Password to anyone. Bank employees will request your User ID when accessing your account profile, but should never ask for your Password.
Do not have your account information, including your computer screen, out in an open area accessible by others.
Do not send your User ID and Password or account information over any public or general e-mail system.
Do not release any personal information on the phone, in the mail, or over the Internet unless you initiate the contact or are certain you know whom you're dealing with.
Contact us immediately if there are charges on your account you don't recognize.
Do not leave your computer unattended while you are connected to the Internet Banking Service.
Be sure to log off of the Internet Banking Service when you have completed your session. If you forget to log off and there has been no activity for 10 minutes, DBS Bank will automatically end the session. After your service has "timed-out," you will need to log back on with your User ID and Password.
You authenticate your Internet Banking session by entering your unique User ID and Password, both of which are encrypted as they pass over the Internet and before they are stored on our system.
If you forget to log off or if your Internet Banking session is inactive for more than 10 minutes, DBS Bank does it for you by ending your current banking session. Once the account has been automatically terminated, no one will be able to access your secure information. You will need to log back in with your User ID and Password to access your Internet Banking Service.
From 30 November 2014, DBS iBanking will no longer be supported on selected web browsers.
Due to insecure elements of older versions of selected web browsers, we will be discontinuing support for DBS iBanking on those browsers. Examples are IE6 and below.
We recommend that you download and install the latest version of popular web browsers to ensure optimal customer experience with DBS iBanking. If your browser is up to date, and you are unable to access DBS iBanking, please contact us.
"POODLE" Vulnerability Information
Date: 16 October 2014 Threat Type: Security Vulnerability Alert Level: Amber Criticality: Low
Description: A vulnerability known as “POODLE” has been discovered in the SSL3 (Secure Sockets Layer v3) protocol used by old versions of web browsers such as Internet Explorer 6 on Microsoft XP. SSL is used to establish an encrypted link between a website and a web browser (such as Internet Explorer) to keep the customer’s credentials and transactions secure. With the “POODLE” vulnerability present in SSL3, an attacker may be able to take control of the customer’s SSL channel, which will then allow him to steal secret information such as account details.
How can you protect yourself from this?
At DBS, we are committed to developing web applications that provide an optimal customer experience with the latest modern browsers. DBS iBanking also has layered security controls such as 2FA and OTP that keep online banking transactions secure. For added security, we will also discontinue support for the now insecure SSL3 encryption protocol from 30 November 2014. This means that DBS iBanking, including selected features on the DBS website, will no longer be accessible by older version browsers such as Internet Explorer 6 on Windows XP.
Date: 4 March 2015
Threat Type: Security Vulnerability
Alert Level: Amber
Description: A vulnerability known as “FREAK” has been discovered in OpenSSL implementations of SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which are used to encrypt communications between a website and a web browser (such as Internet Explorer, Safari) to keep the customer’s credentials and transactions secure. The vulnerability is present on websites that use OpenSSL and accept a weak encryption key length of 512 bits. When exploited, an attacker can break this weak encryption key, which will allow him to steal secret information from web servers, such as the customer’s login credentials.
DBS/POSB iBanking and IDEAL do not use OpenSSL or RSA 512-bit encryption keys and are not vulnerable to “FREAK”. You are assured that we have multiple layers of security in place, such as 2FA, to protect your online banking transactions.
However, it has also been reported that “FREAK” affects Apple’s Safari browser and Google’s Android browsers and could enable an attacker to spy on communications of users of these browsers. Both Apple and Google have since announced that a patch/software update is underway, to help mitigate this risk.
How can you protect yourself from this?
You are reminded to remain cautious when banking online: