Raising awareness of clients about the security of information and information systems

Identity theft and online fraud are becoming some of the fastest growing crimes in the world and in Bosnia and Herzegovina.

At Privredna banka Sarajevo d.d. we take the protection of your data very seriously. We believe that the protection of your personal data is the obligation of each of our employees, and the Bank, in accordance with its annual plan, conducts regular training of all its employees and invests significant financial, technical and human resources in the implementation of state-of-the-art solutions that provide adequate protection of our valued clients' data. As the number of reported frauds and attacks increases day by day, we also encourage our clients to take the necessary steps to protect themselves and their data.

Below we give you some brief information and ways to protect yourself.

  1. No employee of Privredna banka Sarajevo will contact you by phone or e-mail to request confidential or personal information, such as account numbers, your unique identification number, the number of your identity card or other identification document, etc. If you decide to contact Privredna banka Sarajevo by e-mail, please do not send confidential information via regular e-mail, which is neither encrypted nor protected. If you need to send confidential or personal information, contact the Bank to find out the safe way to do so.
  2. Use antivirus protection on your computers and smartphones.  This is the first and most important step you need to take to protect your computers and the data stored on them from malicious attackers, viruses and other malicious code.  There are a large number of antivirus software providers on the market, some of which are paid for and others are free.  If you use the free option, make sure the software is released by a trusted manufacturer and research the company and their product before installing it on your devices.
  3. Use only licensed, verified software for operating systems and other applications on your computers, and update them regularly according to manufacturer's recommendations.
  4. Do not open e-mails from suspicious senders and/or with suspicious attachments. Special caution should be exercised before opening and/or downloading attachments or clicking on links that came with e-mail, even if they are from a known sender. If you are not completely convinced of the harmlessness of the attachment or link, and you cannot contact the sender to confirm, it is necessary to delete the message.  Never go to pages where you use confidential information through the links you received in the email, but only by typing the address in your internet browser.
  5. Destroy all confidential information in electronic or paper form in an adequate way if you no longer need it (portable media for storing data, paper documents and bank statements, old computers and the like).
  6. Establish adequate systems and controls in your business to reduce the risks associated with electronic fraud, especially if you receive documentation that serves as the basis for a payment by e-mail: using various techniques, attackers can easily modify the details of the money transfer specified in the e-mail, leading you to make the payment to the attacker's bank account instead of your business partner's. Clients are advised to establish control and verification of the validity of the account to which funds are transferred.
  7. Use diverse and high-quality passwords. This applies in particular to important pages that contain account information, card numbers and other personal data. Change passwords frequently and don't use the same passwords for different logins/accounts. Do not store or display passwords in a readable format outside an adequately secured environment. Don't share your passwords with other employees or family members. Do not use proper names, names of children or pets in your passwords and avoid using ordinary and standardized words. When choosing a password, use a combination of numbers, special characters, and uppercase and lowercase letters. Passwords should be changed if the slightest suspicion arises that their confidentiality or integrity has been violated.
  8. Do not use public computers or open wireless networks (Wi-Fi) to send confidential information or sensitive transactions via electronic banking.  If you access the Internet through public, unprotected networks, you should be aware that malicious attackers can easily access your devices and access your confidential information.
  9. It is very important to be sure in every phone conversation who you are talking to and not to disclose information if you are not able to identify the person on the other side.  The bank will never ask you to disclose confidential information over the phone.
  10. Regularly review your transactions and the statements provided by the Bank. Report any perceived irregularity or suspicion to the Bank immediately, so that together we can prevent malicious attackers in time from obtaining your confidential information and using it for criminal purposes. Attempted theft is a crime. To report an incident or for more information, please contact us by phone 033 278 520 or info@pbs.ba.

Phishing

Phishing (from the English word fishing) is a type of scam in which attackers try to "catch" the victim by falsely impersonating someone and using various "baits". Phishing can be used to steal money or to cause other damage to a person (breaking into the victim's e-mail account, identity theft, etc.). The sender leads the victim to disclose personal information (usually financial) by entering it at the Internet address specified in the e-mail. The address (link) given in the message has a name very similar to the real address. The techniques used by unauthorized users for this purpose are very sophisticated, which results in a significant number of victims of phishing attacks. The number of phishing attacks and their sophistication grow every day, and the number of messages sent is in the millions.

What does a phishing message look like?
• The message may look like a notice from a bank, online store, etc., and urges the victim to click on a link; that link is the "hook" with which the perpetrator of the Internet crime extracts the requested data from the victim.
• The victim then enters personal information on the page the link leads to (the message often states that the user needs to confirm or change their data).
• When the user enters information on the fake page, it reaches the owner of the fake site.
• The fake website looks (almost) identical to the real one, but the URL in its address bar is different.

Social engineering

Social engineering is a type of attack aimed at persuading users to meet the attacker's demands. This is primarily a way of collecting data that an attacker would not be able to reach legally. In doing so, the attack is directed at the weakest link of the entire chain – the human factor.

The most common methods of fraud are:
Misrepresentation – the most common method of attack: the attacker poses as another person;
Persuasion – the attacker persuades or convinces the victim to perform the actions the attacker wants;
Creating a suitable situation – the attacker creates a "breeding ground" for the attack by exploiting the victim's weaknesses: bonding with the victim to obtain information, exploiting the victim's carelessness or negligence to provoke a wrong move, and the like;
Moral responsibility – the victim tries to help the attacker because they feel it is their moral obligation; victims are often not even aware that in this way they are handing useful information to the attacker;
Desire to help – exploiting the victim's desire to help others; the attacker often convinces the victim that he would do the same when the victim needs help;
Exploiting old connections and corruption – the attacker builds a relationship sufficient to gain trust, or bribes the user, who then hands over the desired information.

How to carry out the attack:
Telephone engineering – one of the most common and easiest ways to perform social engineering; the attacker calls one of the employees and, with good communication skills, easily gains their trust;
Searching through waste – rummaging through discarded material, from which a great deal of information useful for carrying out attacks can be learned;
Using the Internet – there are numerous ways of collecting information via the Internet, the most common being fake messages that encourage the user to disclose very important and secret information;
Peeping (shoulder surfing) – the attacker watches the victim's movements in order to obtain the desired data (e.g., observing hand movements while a password is typed at login);
Forensic analysis – an attacker can obtain useful information by examining carelessly discarded data storage media.

Spoofing

Spoofing in the broad sense means that you receive an electronic message that appears to come from a person you know and trust, when in fact it comes from someone who has somehow stolen that person's virtual identity. With this typical false representation, a malicious attacker tries to extract your confidential information.
There are three types of spoofing on the Internet:
Email spoofing – By changing the header of an e-mail, the attacker produces a message that resembles or is identical to one coming from a bank or other institution. A typical example of this is spam. More than 80% of electronic mail on the Internet is spam. The most common messages you receive in such e-mails claim that your password has expired or that for security reasons you need to change the password for your bank account.
IP spoofing (Internet Protocol spoofing) – Everything you do on the Internet arrives or is sent in packets, and each packet carries the address of its sender. The idea of Internet criminals is to create packets with a fake source address. This type is used in attacks on network infrastructure, where attempts are made to fool the recipient's operating system and its authentication systems so that the attackers take control of computers and the local area network.
URL spoofing – This is an attempt to display the Universal Resource Locator (URL), i.e. the address of a fake website, as the URL of a real page. This method most often exploits security vulnerabilities in Internet browsers. You most often receive fake web addresses in e-mails and reach them by recklessly clicking on links in the e-mail.
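The phishing and URL-spoofing descriptions above both come down to one check: does the link really lead where its text suggests? The following is an added example (not software from Privredna banka Sarajevo) showing how a mail filter or a cautious user could classify every link in a message body. It assumes that pbs.ba (the contact address on this page) is the only trusted domain, the look-alike heuristic (flattened-name comparison with a similarity threshold) is this example's own, and the sample message and its hosts are constructed.

```python
"""Classify the links in an e-mail body against the Bank's real domain.

Added example, not software from Privredna banka Sarajevo. Assumption: the
only trusted domain is pbs.ba (taken from the contact address on this page);
a real deployment would list every domain the institution actually uses.
"""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"pbs.ba"}   # assumption, see module docstring


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(text):
    """Host name of a URL; bare names such as 'www.pbs.ba' get a scheme first."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").rstrip(".")


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_link(href, text):
    """'trusted'   - the link really goes to the Bank's domain
    'mismatch'  - the visible text shows the Bank's domain but the link goes elsewhere
    'lookalike' - the host imitates the Bank's name (pbs-ba.com, pbs.ba.example, ...)
    'external'  - an ordinary third-party link"""
    host = host_of(href)
    if is_trusted(host):
        return "trusted"
    if "." in text and is_trusted(host_of(text)):
        return "mismatch"
    flat_host = re.sub(r"[^a-z0-9]", "", host)
    for d in TRUSTED_DOMAINS:
        flat_d = re.sub(r"[^a-z0-9]", "", d)
        similarity = difflib.SequenceMatcher(None, flat_host, flat_d).ratio()
        if flat_d in flat_host or similarity > 0.8:
            return "lookalike"
    return "external"


def check_email(html):
    """Return [(href, verdict), ...] for every link in the message body."""
    return [(href, classify_link(href, text)) for href, text in extract_links(html)]


# Constructed sample message imitating the "your password has expired" lure;
# every host and address below is made up for this example.
SAMPLE_EMAIL = """
<p>Your password has expired. <a href="http://pbs-ba.com/reset">Change it now</a></p>
<p>Or log in at <a href="http://198.51.100.7/login">www.pbs.ba</a></p>
<p>Statements are available in <a href="https://ebank.pbs.ba/statements">e-banking</a>.</p>
<p>See also <a href="https://example.com">example.com</a>.</p>
"""

if __name__ == "__main__":
    for href, verdict in check_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {href}")
```

Only the `trusted` verdict is a positive result; a `mismatch` (text shows the Bank's name, link goes elsewhere) and a `lookalike` host are exactly the two tricks described above, and even an `external` link deserves the rule from point 4 of the list: reach any page where you use confidential information by typing its address yourself.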

Preventing payment card misuse

Dear clients,

At a time when the use of payment cards has become a necessity and their misuse happens every day, we would like to offer some useful tips for the safe use of payment cards both at ATMs and POS devices, as well as for secure payment via the Internet.

  1. For each individual card, a unique PIN (Personal Identification Number) is assigned, which must be memorised, and the notice on which it is printed must be destroyed. The PIN should never be written on the card or any other document, stored on a mobile device or the like. It is therefore necessary to take all measures needed to keep the card and PIN safe and inaccessible to third parties.
  2. When entering the PIN, it is necessary to cover the keyboard with a free hand in order to prevent third parties from coming into possession of it.
  3. When using the card on POS devices, do not let the card out of your sight, because at these points of sale cards are most often forged by copying data from the magnetic stripe. Otherwise you do so at your own risk.
  4. For each transaction, request a transaction receipt and keep it with your records; do not throw it away until you have torn it into small pieces.
  5. If you want to use an ATM and notice that a person nearby is behaving suspiciously, or that suspicious accessories have been installed on the ATM, choose another ATM for your transaction. It is advisable to notify the bank if you have noticed that something suspicious has been installed on the ATM.
  6. When paying online, avoid:
    – unverified websites,
    – use of computers accessible to third parties,
    – using computers that do not have antivirus software installed,
    – use of public, unprotected wi-fi networks.
  7. So, buy/pay on well-known and verified websites (the website on which you make a payment starts with "https") and always print the complete available supporting documentation!
  8. Never give the card to someone to photocopy it or to copy data from it, and do not send it scanned by e-mail, because it contains the full number of your card and on the back of the card there is a CVV /CVC number /code (Card Verification Value/Code). CVV/CVC is a three-digit number in a white square with the help of which payment via the Internet is made, i.e. when the card is not physically available and where it is not possible to require a PIN.
  9. In the event that the card is lost, misplaced, stolen or you have a suspicion of card misuse and that any unauthorized person has learned the PIN or card number, it is necessary to block the card without delay by calling +387 (0)33 652 888. Blocking the card prevents its continued use. The same applies in the event that the ATM kept the card for an unknown reason.

BASIC PASSWORD POLICY

Each user of the information system has a username and password to access the computer (operating system), as well as a user code, name and password for accessing individual applications.  The basic rules, which guarantee a greater degree of security and reduce the likelihood of breaking a password, include the following:

1. Minimum password length

A short password is the easiest to crack, and therefore the minimum password length is 10 characters, but it is recommended to use even longer passwords.

2. Password complexity

Passwords must not be simple and must contain at least one uppercase letter, one special character (from the character set !"#$%&()*+,-/:;<=>?_) and one digit.

Also, one should not use the names of close people, pets and dates, because such passwords are easily detected through social engineering.

An example of a complex password is h0bo3n!Ca. At first sight meaningless and difficult to remember, this password is derived from the word hobotnica (octopus). The starting point is a term that we remember easily; we then apply a substitution rule of our own to replace some of its characters.

3. Password duration

Frequent password change reduces the likelihood of its discovery, so the information system must, at a minimum, enforce password expiration every 60 days.

The system should also prevent the reuse of at least the last 6 passwords, and the old and new password must differ in at least three characters.

4. Password lock

It is recommended to enforce a password lock policy after 5 failed attempts. Also, it is recommended that the password lock is unlimited, that is, there is no automatic unlocking (users must contact the administrator).
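Rules 1 to 4 above are all parameters a system enforces at password change and at login. The following added example (not the Bank's own software) implements them as a small account model: the numbers are taken from the policy text, the reading of "differ in at least three characters" as a positional comparison including any length difference is this example's own interpretation, and PBKDF2 hashing of the stored history is a choice of the example. The account's password history is kept as salted hashes, so the three-character rule is checked only against the current password, which the user supplies at change time anyway.

```python
"""Password policy checks (added example, not the Bank's own software).

Parameters follow the policy text: 10-character minimum, uppercase + digit +
special character, 60-day expiry, last 6 passwords blocked, at least 3
characters different from the previous password, lock after 5 failed
attempts with no automatic unlock.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 10
SPECIAL_CHARS = set('!"#$%&()*+,-/:;<=>?_')   # the set given in the policy
MAX_AGE_DAYS = 60
HISTORY_DEPTH = 6
MIN_DIFFERENT_CHARS = 3
MAX_FAILED_ATTEMPTS = 5


def complexity_problems(password):
    """Return the list of complexity rules the password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def differs_enough(new, old, min_diff=MIN_DIFFERENT_CHARS):
    """Interpretation (assumption of this example): positions that differ,
    plus any difference in length, must reach min_diff."""
    diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
    return diff >= min_diff


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Per-user state: hashed password history, change date, failed-attempt counter."""

    def __init__(self, password, today):
        self.history = []          # list of (salt, digest), newest last
        self.changed_on = today
        self.failed = 0
        self.locked = False
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last 6

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def in_history(self, password):
        return any(self._matches(password, e) for e in self.history)

    def expired(self, today):
        return today - self.changed_on >= timedelta(days=MAX_AGE_DAYS)

    def change_password(self, current, new, today):
        """Return the reasons the change is rejected; an empty list means accepted."""
        reasons = complexity_problems(new)
        if not self._matches(current, self.history[-1]):
            reasons.append("current password incorrect")
        if self.in_history(new):
            reasons.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if not differs_enough(new, current):
            reasons.append(f"fewer than {MIN_DIFFERENT_CHARS} characters changed")
        if not reasons:
            self._store(new)
            self.changed_on = today
        return reasons

    def login(self, password):
        """True on success; after 5 failures the account stays locked until admin_unlock()."""
        if self.locked:
            return False
        if self._matches(password, self.history[-1]):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def admin_unlock(self):
        """Only an administrator clears the lock, as rule 4 requires."""
        self.failed = 0
        self.locked = False
```

Running `complexity_problems("h0bo3n!Ca")` on the policy's own example password is instructive: it satisfies every complexity rule but is nine characters long, so the checker reports only the length rule; appending one more character makes it acceptable.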

5. Password confidentiality

Users are responsible for their password and may in no case disclose it, not even to system administrators or Bank officials. Users may not disclose their password to third parties, since in that case they will be held responsible for any changes and/or errors that occur in the system under their user account while they are absent.

6. Password retention

Passwords must not be left on pieces of paper stuck to the screen or left on desks, in unlocked drawers and the like. The user is responsible for the confidentiality of their password and must keep it out of sight.

If the user forgets the password, the system administrator will allow him to enter a new one.

Due to the numerous vulnerabilities arising from inadequate use of passwords, in addition to the above recommended system-imposed policies, all users should additionally adhere to the following recommendations when managing passwords:

  • All passwords must be confidential;
  • Passwords shall not be stored or displayed in a legible form outside an adequately secured environment;
  • Passwords must not be shared by multiple users to ensure verifiability;
  • Use different passwords for different systems;
  • Do not use proper names, names of children or pets in your passwords and avoid using ordinary and standardized words;
  • Passwords should be changed if the slightest suspicion arises that their confidentiality or integrity has been compromised;
  • At the first use, it is necessary to change the initial and standard passwords, as well as other passwords provided by IT equipment manufacturers and suppliers or service providers, which access the Bank's resources;
  • If employees notice irregularities in the application of the password policy or believe that there has been an abuse of access rights, they are obliged to immediately report this security incident to the IS Security Officer;
  • When leaving the workplace, you are obliged to lock or shut down your computer;