Safe use of bgk24 system
In recent years the Internet has become one of the major sources of threats. This is partly due to its general availability and to the shift of many everyday activities and economic transactions online, e.g. payments made via online banking. Infection of ICT infrastructure with malware, and attempted fraud, may significantly affect the way a company operates. To use the Internet and online banking safely, it is necessary to be aware of the potential threats and to take every measure to protect against them.
The systems offered by BGK meet the highest security requirements. At the same time, one must not forget that the weak link may be the human factor and any ICT environment beyond the Bank's control. Each Internet User is individually responsible for the security of their own ICT equipment, and this has a direct impact on the security of their account in the BGK system. No technical security measure can help if the Users of an ICT system do not observe basic security rules. Consistent observance of those rules allows potential Internet-borne threats to be avoided.
BGK offers online banking services to institutional clients, including public administration institutions and bodies, local governments, enterprises and banks. As such clients you should follow, with the support of your own internal or external IT departments, restrictive security rules at the level required of professional entities.
ICT safety principles
General ICT security rules observed by an institutional client should include, among others:
- Regular cybersecurity training, awareness campaigns and activities to inform employees about current threats related to ICT devices, including threats related to using the Internet and operating mobile devices, etc.
- Regular activities to familiarise all BGK System Users, their supervisors and your management staff with current communications regarding safety, published at the bank’s website.
- Using the same level of security for company mobile devices (e.g. smartphones, tablets, laptops) as is applied to desktop computers, including security software to detect and remove malware and spyware as well as secure the confidentiality of data and protect against their theft.
- Entrusting ICT equipment configuration, including networks and network devices, only to IT specialists.
- Ensuring compliance with industry standards, norms and best practices concerning ICT and information security.
- Conducting regular ICT infrastructure security audits.
- Having a procedure in place for ICT security incidents, e.g. an ICT system breach, suspected malware infection, suspected theft of authentication data to the BGK system, etc.
Basic rules for the safe use of BGK systems applicable to You and BGK systems users authorized by You
- Sign in to the BGK system only from work/company computers.
- Do not leave an account logged on to the BGK system unsupervised.
- After finishing your work, remember to always log out pursuant to the procedure in force at the bank.
- If the BGK system uses an ID card, remove it from the reader immediately after you have finished approving payment orders.
- Secure authentication tools (certificate, token) against unauthorised access.
- Never make login details for the BGK system available to anyone.
- Always use legal software from a trusted source. This applies to the operating system, web browser and any other software used in the ICT system, including mobile devices.
- Use and regularly update anti-virus software from a reputable vendor, security solutions that protect against malware (e.g. spyware, adware), and a firewall. Regularly scan each ICT device with the anti-virus software.
- Regularly update all your software, including the operating system and web browser, by installing latest patches published at the websites of relevant software developers.
- Choose your web browser consciously and keep its security settings configured on an ongoing basis. Use the latest available browser version. Regularly delete the temporary files held in the browser cache to ensure proper operation, and disable all unnecessary plug-ins.
- Before installing any additional software related directly to the BGK system, call the BGK Helpdesk for advice.
- If you suspect that your computer has been infected, immediately notify your IT department. Typical symptoms of infection are significantly slower system operation, changes to the web browser and problems running some programs; note, however, that banking malware is designed to stay unnoticed, so the absence of symptoms is not proof that a machine is clean.
- Do not open the website to log in to BGK system from links (e.g. received by e-mail, SMS). Enter the website address manually or sign in via www.bgk.pl.
- Do not copy-and-paste bank account numbers - enter them manually and verify them carefully.
- Do not trust senders of unusual e-mail messages (stating the need to take urgent action, settle a financial obligation, open a password-secured attachment, etc.). Fraudsters are able to draft the message in such a way as to make it seem that it was sent by a trusted person or institution. If you have any suspicions, verify whether it was sent by the actual sender via an independent channel other than the phone number provided in that message.
- Do not open messages (and attachments) received by electronic mail from unknown senders.
- Do not open links/hyperlinks directly from the received e-mail, instant messenger, SMS, etc. Never run computer programmes in this way. Pay attention to the authenticity of communications received by e-mail, as they may contain links to a fake BGK system website; logging in to such a website provides the fraudster access to your login and password.
- Never write down your access login and passwords on paper and never save them in text files – you are putting them at risk of being intercepted.
- Do not use the same password in different systems/services. Passwords used at work must be unique in every system/application, and different from any other password - including those used privately.
- Do not connect to the BGK system via networks other than work/company network, including wireless networks (e.g. accessible at hotels, airports, networks of other counterparties, etc.).
- It is essential to define the IP addresses from which logins are permitted, so as to prevent logging in to the BGK system from any other address (applicable to bgk24).
- Never send any personal data, passwords, logins, credit card numbers, etc. via e-mail or text message.
- Remember that the Bank does not verify the accuracy of your authentication data by e-mail or text messages on a mobile phone, therefore never respond to such e-mails and text messages.
- The Bank will never ask you to provide authentication data: a password, a PIN code or a single-use code.
- When using multiple websites at the same time, always check whether any of the open tabs has been replaced with a different website. Failing to notice that a tab has been swapped for a fraudster's site may lead to unintentionally logging in to a fake BGK system website and give the fraudster access to your login details.
- Before sending/authorising a transfer, make sure that the entered account number of the recipient was not substituted by malware. Check the account number against the source document.
- Monitor the account and operations history on an on-going basis.
- Regularly check to make sure that account numbers assigned to defined counterparties were not substituted.
- Immediately report any suspicious and unusual behaviour of the BGK system, suspected computer infection and unauthorised change of data in the BGK system (transfers, counterparties) to the Bank.
Recommended internet browser settings
Check whether your browser settings comply with the guidelines below.
MS Internet Explorer:
- Browser cache - In the Tools menu select: Internet options / Advanced / in the Security section select: "Do not save encrypted pages to disk".
- TLS protocol handling - In the Tools menu select: Internet options / Advanced / in the Security section select: "Use TLS 1.0", "Use TLS 1.1", "Use TLS 1.2".
- Temporary internet files (cache) - In the Tools menu select: Internet options / General / Browsing history / Delete, and select: "Delete files". In the Tools menu select: Internet options / General / Browsing history / Settings, and select: "Check for newer versions of stored pages: every time I visit the webpage".
- Anti-phishing protection - In the Tools menu select: Phishing Filter (SmartScreen Filter in newer versions) and select: "Turn on automatic website checking".
Mozilla Firefox:
- Browser cache - In the menu select: Options / Advanced / Network, and under "Cached Web Content" select: "Clear now". You can also limit the size of the cache or disable it altogether.
- TLS protocol handling - In the menu select: Options / Advanced / Encryption, and select "Use TLS 1.0".
- Temporary internet files (cache) - In the menu select: "Clear recent history", tick "Cookies" and "Cache" and click "Clear now". You can also choose the time range to clear.
- Anti-phishing protection - In the menu select: Options / Security, and select: "Block reported attack sites" and "Block reported web forgeries".
Google Chrome:
- Browser cache - In the menu select: Settings / Show advanced settings / in the Privacy section choose "Content settings..." and select: "Allow local data to be set".
- TLS protocol handling - In the menu select: Settings / Show advanced settings / in the HTTPS/SSL section select "Check for server certificate revocation".
- Temporary internet files (cache) - In the menu select: Tools / "Clear browsing data". In the window that opens you can choose the types of data and the time range to delete.
- Anti-phishing protection - In the menu select: Settings / Show advanced settings / in the Privacy section select "Enable phishing and malware protection".
Opera:
- Browser cache - In the menu select: Settings, and on the Privacy and security tab, in the Cookies section, select "Allow local data to be set".
- TLS protocol handling - In the menu select: Settings / Preferences / Advanced, on the Security tab open Security protocols and select: "Enable TLS 1", "Enable TLS 1.1" and "Enable TLS 1.2".
- Temporary internet files (cache) - In the menu select: Settings / Delete private data, expand the Detailed options list and select "Delete entire cache".
- Anti-phishing protection - In the menu select: Settings / Preferences / Advanced, and on the Security tab select: "Enable fraud and malware protection".
Safari:
- Browser cache - In the menu select: Preferences / Security; in the "Accept cookies" section you choose whether and when Safari accepts cookies from the pages you open.
- TLS protocol handling - In the menu select: Preferences / Advanced / Proxies: Change Settings. This opens the system Internet Options; on the Advanced tab select: "Use TLS 1.0", "Use TLS 1.1", "Use TLS 1.2".
- Temporary Internet files (cache) - In the menu select: Preferences / Security / Show Cookies. You can delete selected or all cookies.
- Anti-phishing protection - In the menu select: Preferences / Security and tick "Warn when visiting a fraudulent website".
Minimum browser versions required for correct support of BGK systems:
- MS Internet Explorer 7;
- Mozilla Firefox 3;
- Opera 11;
- Chrome 12;
- Safari 4.
These are compatibility minimums, not recommendations: always use a current, vendor-supported browser version, as required by the rules above, and enable TLS 1.0 and 1.1 only if the BGK system you use still requires them, since both protocol versions are deprecated. If your browser version differs and the instructions above do not apply, follow the instructions published on the respective vendors' websites.
Information and security warnings published at www.bgk.pl/bezpieczenstwo must be monitored on an on-going basis.
Reporting security problems and cooperation with the Bank
Users of the respective BGK system should report security problems and suspicious events in the following ways:
- by telephone:
- by sending an e-mail to the following address:
- by reporting information about the incident via a contact form available at www.bgk.pl.
In any situation that raises concern, in particular when anti-virus software has detected malware or there is a suspicion that login details (login and password) may have been leaked, contact the bank immediately. If access has to be blocked for Users whose login details have been leaked, those Users regain access only after a request to grant them access again is filed.
If malware is detected, if the bank informs you of suspicious transactions, or if anything else about the IT system or the BGK system raises doubts, an analysis must be carried out immediately, covering:
- the order history: verify all transfers currently visible in the online banking system, both those already executed and those awaiting acceptance, for modification by malware or an unauthorised person, in particular the correctness of the beneficiary's bank account number;
- the details of defined counterparties, in particular whether their account numbers have been modified by malware or an unauthorised person.
If an unauthorised entry, modification or deletion of a transfer order, or a modification of a counterparty, is detected, notify the bank immediately, do not allow the suspicious order to be signed/authorised, and do not use the modified counterparty details in new transfer orders. If an unauthorised transfer order, or an unauthorised modification of one, is detected after the transfer has already been accepted and sent, inform the bank immediately and report the suspected offence to law enforcement authorities.
If an attack on the ICT system or an attempt to manipulate the BGK system is suspected, the ICT devices that may have been targeted must be disconnected from the network. Do not delete data from the infected computer and do not run a scan or clean-up on it: such actions destroy evidence and may make it difficult or impossible for law enforcement authorities to investigate the incident. An in-depth analysis of the ICT system's security should then be carried out by specialised IT personnel.
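The two checks above, together with the routine check of defined counterparties' account numbers in the basic rules, can be made systematic instead of manual. The script below is an added example written for this page, not code from BGK or from the bgk24 system. It compares an exported list of defined counterparties against a trusted baseline snapshot taken earlier, flags every account number that has changed and every counterparty that is new or missing, and additionally validates each account number's IBAN mod-97 checksum. The baseline, the export and the account numbers are constructed for the example (the IBANs are the published sample Polish and UK IBANs plus a checksum-corrected variant, not real accounts), and no particular column layout of a real bgk24 export is assumed.

```python
"""Reconcile exported counterparty accounts against a trusted baseline.

Added example for this page; not BGK code. All sample data is constructed.
"""
import re

# Constructed sample data. The IBANs are the published sample Polish and UK
# IBANs and a checksum-corrected variant of the Polish one; none is a real
# customer account.
BASELINE = {
    "Firma ABC sp. z o.o.":  "PL61 1090 1014 0000 0712 1981 2874",
    "Overseas Supplier Ltd": "GB82 WEST 1234 5698 7654 32",
}

# Today's export: the first account has been silently swapped for another
# checksum-valid account, and a newly added counterparty has a mistyped number.
CURRENT_EXPORT = {
    "Firma ABC sp. z o.o.":  "PL34 1090 1014 0000 0712 1981 2875",
    "Overseas Supplier Ltd": "GB82 WEST 1234 5698 7654 32",
    "Nowy Kontrahent":       "PL61 1090 1014 0000 0712 1981 2875",
}


def normalise(iban: str) -> str:
    """Strip whitespace and upper-case, so formatting differences never mask a change."""
    return re.sub(r"\s+", "", iban).upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting integer mod 97 must be 1."""
    s = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def reconcile(baseline: dict, current: dict) -> list:
    """Return findings as (severity, counterparty, detail) tuples.

    ALERT  - an existing counterparty's account number differs from the baseline
    REVIEW - a counterparty is new, or has disappeared, since the baseline
    WARN   - an account number fails the IBAN checksum (most likely a typo)
    """
    findings = []
    for name, acct in current.items():
        acct_n = normalise(acct)
        if name not in baseline:
            findings.append(("REVIEW", name,
                             f"new counterparty {acct_n}; confirm via independent channel"))
        elif normalise(baseline[name]) != acct_n:
            findings.append(("ALERT", name,
                             f"account changed {normalise(baseline[name])} -> {acct_n}"))
        if not iban_valid(acct_n):
            findings.append(("WARN", name, f"IBAN checksum failure for {acct_n}"))
    for name in sorted(baseline.keys() - current.keys()):
        findings.append(("REVIEW", name, "counterparty missing from export"))
    return findings


if __name__ == "__main__":
    for severity, name, detail in reconcile(BASELINE, CURRENT_EXPORT):
        print(f"{severity:6} {name}: {detail}")
```

The checksum is a typo detector, not a fraud detector: an account substituted by malware or a fraudster will normally be a real, checksum-valid account, so only the comparison against the baseline catches it. Keep the baseline where malware on the workstation cannot modify it (for example on a separate, read-only medium), and confirm every ALERT and REVIEW finding with the counterparty via an independent channel, as described above.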
Bank Gospodarstwa Krajowego is not liable for the actions of a User of a computer used to log in to the BGK system as well as for the consequences of interference in the computer system or the Internet connection by third parties.
The above rules should be treated as basic security guidelines, whereas the threats described below are only examples which the bank indicates for informational purposes – they do not exhaust this extensive area.
Most common threats
It is crucial to realise that each of us is currently exposed to cyber threats. It is also important to realise that criminals do not necessarily have to employ complicated schemes and that what makes most thefts possible is the human factor and failure to observe basic security rules.
Criminals operate in various ways and reports of their activities are regularly published in the media. Fraud attempts targeted at online banking clients are ultimately aimed at executing payments or withdrawals from the account for the benefit of the criminals (e.g. to an account in another bank).
Criminals most commonly use social engineering, understood as a set of methods intended to induce a specific action, e.g. to obtain information. This technique relies on interpersonal skills and the ability to manipulate people, which, combined with IT knowledge, gives a wide spectrum of ways to gain knowledge about Users, their ICT systems, operating methods and the data they hold.
At present, the attack methods in use are often a combination of several known methods, including those described below, of phishing for confidential data (e.g. login, password, single-use authorisation code in the electronic banking system) or of manipulation (e.g. fake invoices, impersonating superiors) which, in consequence, enable the attacker to break into the system or divert funds. Several of the many forms of fraud in use are described below.
Phishing
A form of fraud in which a criminal impersonates another person or institution to obtain specific information (e.g. login details, card details) or to persuade the victim to perform specific actions. It is a type of attack based on social engineering. It may be carried out by luring the potential victim to a fake website, or to a fake electronic-banking login page whose address or appearance is confusingly similar to the genuine one. Phishing may also consist in an attempt to persuade someone to divulge confidential login details or to authorise a transaction via e-mail or by phone.
It is important to always enter the address of the BGK system login website manually or log in via www.bgk.pl (“Login zone” tab). Login shortcuts saved in the web browser or clicking on links received in e-mails, instant messages, text messages, etc. are susceptible to manipulation and used by criminals.
When sending fake e-mails, criminals use various methods based on social engineering to elicit trust, interest or fear, for example:
- sender is a publicly known entity providing mass services (postal operator, energy provider, phone operator, etc.),
- message pertains to a particularly attractive but time-limited offer,
- message informs about an outstanding invoice,
- pertains to an allegedly sent message that was not delivered to the addressee,
- pertains to the need to provide login details to the electronic banking system due to a malfunction of this system, so as to “verify them for security reasons” or “reinforce security measures used in the logon process”, etc. However, it is necessary to remember that the bank never sends such messages!
When using ICT devices, it is also important to develop a critical approach to any unexpected correspondence (e-mails, text messages, phone calls from unknown numbers, etc.) that raises suspicions or requires its recipient to take urgent action. Never open attachments and click on links included in such messages; never download and launch software from the Internet on your own (this task should be left to IT personnel); never provide login information or any other sensitive data by phone.
Malware
By clicking on unverified links, opening e-mail attachments, launching software downloaded from the Internet or visiting suspicious websites, you are putting yourself at significant risk of infecting your computer with malware (a computer virus). Against some threats even reputable, correctly configured anti-virus software will not prevent a virus from being installed in the ICT system. Infection is also possible when the operating system or any other program in use has not been updated: known vulnerabilities in outdated software remain exploitable until the corresponding patch is installed, which is why using the latest software versions is so important.
There are many types of malware, but it is important to realise the consequences of its operation after it has successfully infected the system:
- it may send data saved or entered on the computer device, enabling the execution of payments in electronic banking, to criminals,
- it may substitute the beneficiary’s bank account when using the “copy – paste” method to enter that number in the transfer order,
- it may infect other files upon their launch or creation,
- it may replicate in the infected system,
- it may delete or damage data,
- it may encrypt the contents of a computer device (e.g. to demand ransom in exchange for providing a password to decrypt the device),
- it may slow down the operation of a computer device.
Recently, many infections result in the installation of ransomware (cryptolocker-type malware). The data on an infected computer is encrypted, and decrypting it requires a key known only to the criminals responsible. In exchange for that key the criminals demand a ransom, most often in a cryptocurrency (e.g. bitcoin). Examples of ransomware/cryptolocker malware include Cerber, Locky, CryptXXX, CrypMIC, PCrypt, Petya, Mischa and Crypt0L0cker. Such an infection may make it impossible to use the computers and, if there is no up-to-date backup of the system and data, may result in the loss of data; since ransomware may also encrypt any backup it can reach, backups should be kept disconnected from the environment they protect.
Fake invoices / impersonating superiors
Criminals can easily craft an e-mail or text message so that it appears to come from the genuine address or phone number of the recipient's superior. Before carrying out unusual instructions received in such electronic messages, always verify, in person or via another independent channel, that they are genuine. It may be useful to learn more about this by searching for "fake CEO fraud" (also known as business e-mail compromise).
Any new payment (e.g. the first invoice from a given counterparty) and any change to a counterparty's bank account number must be confirmed via an independent channel. Make sure that this confirmation is not a reply to the address from which the message announcing the new account number was sent, nor a call to the phone number given in that message: if the message came from a fraudster, both the sender's address and the phone number it contains may be fake.