Identity theft and online fraud are becoming some of the fastest-growing crimes in the world and in Bosnia and Herzegovina.
At Privredna banka Sarajevo d.d. we take the protection of your data very seriously. We believe that the protection of your personal data is the obligation of each of our employees, and the Bank, in accordance with its annual plan, conducts training of all its employees and invests significant financial, technical and human resources in the implementation of state-of-the-art solutions that achieve adequate protection of the data of our valued clients. As the number of reported frauds and attacks increases day by day, we also encourage our clients to take the necessary steps to protect themselves and their data.
Below we give you some brief information and ways to protect yourself.
Phishing (a play on the English word "fishing") is a type of scam in which attackers try to "catch" the victim by falsely impersonating someone and using various "baits". Phishing can be used to steal money or to cause other damage to a person (breaking into the victim's e-mail account, identity theft, etc.). The sender leads the victim to disclose personal information (usually financial) by entering it at the internet address specified in the e-mail. That address (link) has a name very similar to the real address. The techniques used by unauthorized users for this purpose are very sophisticated, which is why phishing attacks claim a significant number of victims. The number of phishing attacks and their sophistication grow every day, and the number of messages sent counts in the millions.
What does a phishing message look like?
• The message may look like a notice from a bank, online store, etc., but the victim is pushed to click on the link that is the "hook" with which the perpetrator of the internet crime extracts the requested data from the victim.
• The victim then enters personal information on the page behind the link (the message often states that the user needs to confirm or change their data).
• When the user enters information on the fake page, the information reaches the owner of the fake site.
• The fake website looks (almost) identical to the real one, but the URL in its address bar is different.
Social engineering is a type of attack aimed at persuading users to comply with the attacker's demands. It is primarily a way of collecting data that an attacker would not be able to obtain legally. In doing so, the attack is directed at the weakest link of the entire chain: the human factor.
The most common methods of fraud are:
• Misrepresentation – the most common method of attack, a procedure in which the attacker poses as another person;
• Persuasion – the procedure in which the attacker talks the victim into performing the actions the attacker wants;
• Creating an appropriate situation – the attacker creates a "breeding ground" for the attack by exploiting the victim's weaknesses: bonding with the victim to get information, exploiting the victim's unwillingness or negligence to provoke a wrong move, and the like;
• Moral responsibility – the victim tries to help the attacker because they feel it is their moral obligation; the victims are not even aware that in this way they are giving useful information to the attacker;
• Desire to help – exploiting the victim's desire to help others. It is often the case that the attacker convinces the victim that he will do the same when the victim needs help;
• Exploiting old connections and corruption – the attacker builds a relationship sufficient to gain trust, or bribes the user, who then gives him the desired information.
How the attack is carried out:
• Telephone engineering – one of the most common and easiest ways to perform social engineering; the attacker calls one of the employees and easily gains their trust with his communication skills;
• Searching waste – one way of collecting information is to search through discarded waste, from which a lot of information useful for carrying out attacks can be learned;
• Using the Internet – there are numerous ways of collecting information via the Internet, the most common being the sending of false messages that encourage the user to disclose very important and secret information;
• Peering (shoulder surfing) – a type of social engineering in which the attacker tries to read the victim's movements in order to obtain the desired data (e.g. observing hand movements while a password is typed when logging into the system);
• Forensic analysis – an attacker can obtain useful information by examining carelessly discarded data storage media.
Spoofing in a broader sense means that you appear to have received an electronic message from a person you know and trust. In fact, the message comes from someone who has somehow stolen the virtual identity of the person you know. Through such false representation, a malicious attacker tries to extract your confidential information.
There are three types of spoofing on the Internet:
Email spoofing – By altering the header of an e-mail, the attacker makes you receive a message that resembles, or is identical to, an e-mail coming from a bank or another institution. A typical example of this is spam. More than 80% of electronic mail on the Internet is spam. The most common messages you receive in such e-mails claim that your password has expired or that for security reasons you need to change the password for your bank account.
IP spoofing (internet protocol spoofing) – Everything you do on the Internet arrives or is sent in packets, and each packet carries the address of its sender. The idea of internet criminals is to create packets with a fake source address. This type is used in attacks on the network infrastructure, where attempts are made to fool the recipient's computer operating system and its authentication systems so that the attackers take control of computers and the local area network.
URL spoofing – This is an attempt to display the Uniform Resource Locator (URL), i.e. the address of a fake website, as the URL of a real page. Security vulnerabilities in internet browsers are most often used for this method. You most often get fake web addresses in e-mails, and you go to them by recklessly clicking on the links in the e-mail.
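The point above (and the "fake website with a different URL" bullet earlier) is that what a link shows and where it really goes are two different things. The following Python script is an added example written for this page, not the Bank's own code or tooling: it takes a list of links as (visible text, real href) pairs, as they would appear in an HTML e-mail, and flags the classic mismatches. The trusted domain `example-bank.ba` and all sample links are constructed placeholders, and "registrable domain" is simplified to the last two hostname labels (a real implementation would use the public suffix list).

```python
"""Flag links whose real target does not match what the reader sees (constructed example)."""
from urllib.parse import urlsplit

# Domains the institution legitimately uses. Placeholder: not the bank's real domain.
TRUSTED_DOMAINS = {"example-bank.ba"}

# Constructed sample anchors from a suspicious e-mail: (visible text, actual href).
SAMPLE_LINKS = [
    ("https://www.example-bank.ba/login", "https://www.example-bank.ba/login"),
    ("https://www.example-bank.ba/login", "http://example-bank.ba.verify-login.example/login"),
    ("example-bank.ba", "https://examp1e-bank.ba/login"),
    ("https://www.example-bank.ba", "https://www.ex\u0430mple-bank.ba/"),  # Cyrillic 'a' look-alike
    ("Confirm your details", "https://www.example-bank.ba/profile"),
]


def hostname_of(text):
    """Hostname of a URL; bare hostnames such as 'example-bank.ba' are accepted too."""
    if "://" not in text:
        text = "https://" + text
    return urlsplit(text).hostname or ""


def registrable_domain(host):
    """Last two labels of a hostname (simplification; real code uses the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def looks_like_address(text):
    """True when the visible link text itself looks like a URL or hostname."""
    return "://" in text or ("." in text and " " not in text.strip())


def link_warnings(visible, href):
    """Return the list of reasons a link is suspicious; an empty list means nothing was flagged."""
    warnings = []
    host = hostname_of(href)
    domain = registrable_domain(host)
    if not host.isascii():
        warnings.append("hostname contains non-ASCII characters (possible homoglyph)")
    if domain not in TRUSTED_DOMAINS:
        warnings.append("target domain %r is not a trusted domain" % domain)
        # A trusted name used as a subdomain of some other registrable domain.
        if any(host.startswith(t + ".") or ("." + t + ".") in host for t in TRUSTED_DOMAINS):
            warnings.append("trusted name used as a subdomain of %r" % domain)
    if looks_like_address(visible) and registrable_domain(hostname_of(visible)) != domain:
        warnings.append("displayed address %r differs from real target %r" % (hostname_of(visible), host))
    return warnings


def scan_links(links):
    """Map each flagged href to its warnings; links that raised none are left out."""
    report = {}
    for visible, href in links:
        warnings = link_warnings(visible, href)
        if warnings:
            report[href] = warnings
    return report


if __name__ == "__main__":
    for href, reasons in scan_links(SAMPLE_LINKS).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The fifth sample link ("Confirm your details") is deliberately not flagged: non-address link text pointing at a trusted domain is normal. The check only catches the cases the text describes, a look-alike name, a trusted name buried inside a longer hostname, and displayed text that does not match the real target; it says nothing about whether the trusted site itself is safe.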
Dear clients,
At a time when the use of payment cards has become a necessity, and misuse of them happens every day, we would like to send you some useful tips for carefree use of payment cards at ATMs and POS devices, as well as for secure payment via the Internet.
Each user of the information system has a username and password to access the computer (operating system), as well as a user code, name and password for accessing individual applications. The basic rules that guarantee a greater degree of security and reduce the likelihood of a password being broken include the following:
A short password is the easiest to crack, so the minimum password length is 10 characters, though it is recommended to use even longer passwords.
Passwords must not be simple and must contain at least one uppercase letter, one special character (from the character set !"#$%&()"*+,-/:;<=>?_) and one digit.
Also, one should not use the names of close people, pets and dates, because such passwords are easily detected through social engineering.
An example of a complex password is h0bo3n!Ca. Meaningless and hard to remember at first sight, this password is derived from the word hobotnica (octopus). The starting point is a term that we remember easily, to which we then apply a character substitution scheme of our own.
Frequent password change reduces the likelihood of a password being discovered, so password expiration must be enforced by the information system, at a minimum every 60 days.
It is also recommended to impose a system ban on reusing at least the 6 last passwords, and the old and new passwords must differ in at least three characters.
It is recommended to enforce a lockout policy after 5 failed attempts. It is also recommended that the lockout be indefinite, that is, that there is no automatic unlocking (users must contact the administrator).
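The rules above (minimum length 10, uppercase letter, special character and digit, a ban on the last 6 passwords, a difference of at least three characters, lockout after 5 failed attempts with no automatic unlock) are usually enforced by the system rather than left to the user. The following Python module is an added example written for this page, not the Bank's own code, showing how those rules fit together in one small account model. The special-character set is the one quoted in the policy, written with straight quotes; the usernames and passwords in the demo are constructed. The history check can only compare hashes, so the "three characters" rule is applied between the current password (which the user supplies at change time) and the new one.

```python
"""Password-policy checker modelled on the rules above (constructed example, not the Bank's code)."""
import hashlib
from collections import deque

SPECIALS = set('!"#$%&()"*+,-/:;<=>?_')   # special-character set quoted in the policy
MIN_LENGTH = 10          # minimum password length
HISTORY_SIZE = 6         # the last N passwords may not be reused
MIN_DIFF_CHARS = 3       # new password must differ from the current one in at least 3 characters
MAX_FAILED_ATTEMPTS = 5  # lock the account after this many failed logins


def complexity_errors(password):
    """Return the policy rules the password violates (an empty list means it is compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    return errors


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _digest(password):
    # Demo only: a real system stores a slow, salted password hash (bcrypt/argon2), never bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    """Account state enforcing the history, minimum-difference and lockout rules."""

    def __init__(self, username, initial_password):
        self.username = username
        self.current_digest = _digest(initial_password)
        self.history = deque([self.current_digest], maxlen=HISTORY_SIZE)
        self.failed_attempts = 0
        self.locked = False

    def login(self, password):
        """True on success; a locked account never accepts a password, not even the right one."""
        if self.locked:
            return False
        if _digest(password) == self.current_digest:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True  # no automatic unlock: only unlock_by_admin() clears this
        return False

    def unlock_by_admin(self):
        """The administrator is the only path out of a lockout."""
        self.locked = False
        self.failed_attempts = 0

    def change_password(self, current, new):
        """Return the reasons the change is refused; an empty list means it was applied."""
        if self.locked or _digest(current) != self.current_digest:
            return ["current password rejected"]
        reasons = complexity_errors(new)
        if _digest(new) in self.history:
            reasons.append("matches one of the last %d passwords" % HISTORY_SIZE)
        if edit_distance(current, new) < MIN_DIFF_CHARS:
            reasons.append("differs from the current password in fewer than %d characters" % MIN_DIFF_CHARS)
        if not reasons:
            self.current_digest = _digest(new)
            self.history.append(self.current_digest)
        return reasons


if __name__ == "__main__":
    acct = Account("demo-user", "H0bo3n!ca1")          # constructed credentials
    print(acct.change_password("H0bo3n!ca1", "H0bo3n!ca2"))  # refused: differs in only one character
    print(acct.change_password("H0bo3n!ca1", "Zx9$lozinka!"))  # [] : accepted
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.login("wrong-guess")
    print(acct.locked, acct.login("Zx9$lozinka!"))       # True False : locked until an administrator unlocks
```

Note that `complexity_errors` applied to the page's own sample password reports only its length (nine characters); the rest of the rules it satisfies. The edit-distance check is deliberately stricter than a position-by-position comparison, so that appending a single character to an old password is refused as well.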
Users are responsible for their password and are in no case allowed to disclose it, even to system administrators or Bank officials. Users may not disclose their password to third parties, as in that case they will be held responsible for changes and/or errors made in the system under their account during their absence.
Passwords are not left on pieces of paper stuck to the screen or left on desks, in unlocked drawers and the like. The user is responsible for the confidentiality of their password and must find a way to keep it hidden.
If the user forgets the password, the system administrator will allow him to enter a new one.
Due to the numerous vulnerabilities arising from inadequate use of passwords, in addition to the above recommended system-imposed policies, all users should additionally adhere to the following recommendations when managing passwords: