Security mechanisms in the Pl@net system

1 Can electronic banking be secure?
2 Authentication and authorization
3 Rules worth remembering
3.1 Can you trust the computer you use to log in?
3.2 Can anybody see?
3.3 Check the website address, check whether the SSL protocol is used
3.4 Check the server certificate
3.5 Do not share your logging password
3.6 Check logging dates
3.7 Check the image
3.8 Check what you sign
3.9 Log out from the service.
4 What security measures are applied?
4.1 Logging into the system
4.1.1 Masked passwords
4.1.2 Which authentication/authorization method to choose?
4.2 Transaction authorization
4.2.1 Authorization with an electronic signature
4.2.2 Authorization with SMS codes
5 Notifications

1 Can electronic banking be secure?

Yes, provided that the user keeps the computers used for Internet banking secure and observes the rules for the safe use of such services.

BGŻ Optima has made every effort to develop effective security mechanisms that, at the same time, do not make the service unduly cumbersome to use.

2 Authentication and authorization

To start using the Internet banking system you must log into it. This process is called authentication. Whenever an external operation is to be performed in the system, the system asks you to confirm it, i.e. to authorize the transaction. This is an additional safeguard against operations being executed by unauthorized persons. The authorization step can be compared to, for example, signing a transfer instruction in a branch.
The Internet banking system offers one authentication method, which determines the corresponding transaction authorization method:
  • Logon using a masked password and transaction authorisation with an SMS code.

3 Rules worth remembering

3.1 Can you trust the computer you use to log in?
No security system is fully effective if you cannot trust the computer you use to log into the bank. New threats have appeared along with the growth of the Internet that were unknown only a few years ago. Viruses, rootkits, Trojans, keyloggers, phishing, pharming, spoofing and other threats not listed here can render the security measures applied ineffective. Therefore, regardless of the operating system and web browser you use, take care to:
  • keep the operating system and web browser up to date,
  • install antivirus software with up-to-date virus definitions,
  • make sure the computer is secured as recommended by the manufacturer of the operating system you use.
If your computer behaves atypically, runs more slowly than usual, advertisement windows pop up or strange errors occur, it may mean that your computer has been infected. Do not ignore such symptoms.
Publicly available computers, for instance in Internet cafés, should be treated with particular caution. Such computers are often improperly secured, so using the electronic banking system from them may be risky.
Why is it so important? If malicious software is running on the computer or in the Wi-Fi network, it may track your connection with the bank, collect the passwords you enter, steal your files and even modify the data you enter.
3.2 Can anybody see?
Although the security mechanisms used by the Pl@net system make "looking over a shoulder" an ineffective method of attack, it is good practice to check whether anybody around you shows excessive interest in what you are doing on the computer.
When you log on using a masked password, the system asks only for selected characters of the password, which lowers, but does not eliminate, the risk of the password being cracked. Even so, logging into the system alone does not make it possible to carry out operations that require authorization with a code sent in an SMS message. One code authorises one operation only.
3.3 Check the website address, check whether the SSL protocol is used
Enter the electronic banking website by typing its full address or by using the service link on the bank's websites. Do not use links in electronic messages or on other websites unless you trust them entirely.
Always check that the address of the website you are on is https://planet.bgzoptima.pl
Also verify that the connection uses the SSL protocol; in that case the address starts with https://. Additionally, web browsers indicate that the connection is secure, e.g. by displaying a padlock icon on the status bar or by changing the colour of the address bar.

Why is it so important? One password-stealing technique is to set up a website that looks identical to the bank's website. To lure you to that website, you may receive e-mails asking you to log in at the address provided in order to verify your data. The address given in such e-mails can be very similar to the genuine one, so many people can easily be misled. Making a habit of checking the website address helps you avoid such fraud attempts.
If data are sent over an unencrypted connection (without the SSL protocol), they can be intercepted in transit over the Internet. This is why verifying that the SSL protocol is used is so essential.
3.4 Check the server certificate
Check whether you are actually connecting to the server of BNP Paribas Bank Polska S.A. You can do so by always verifying the certificate before logging into the system. To do so, click the certificate icon that appears after entering the BiznesPl@net address in the browser. Such an icon always appears when you access encrypted websites, i.e. those starting with https:// (e.g. a padlock symbol in the Internet Explorer browser). Make sure that:
  • the certificate has been issued for planet.bgzoptima.pl,
  • certificate validity has not ended,
  • the certificate has been issued by VeriSign.
VeriSign is recognised by web browsers as a trusted certification authority. Therefore, any message about problems with verifying the certificate should raise your concern. To verify the certificate, click the padlock icon that should appear after entering the Pl@net address in the browser. Such an icon always appears when you access encrypted websites, i.e. those starting with https://
In Internet Explorer 6 the yellow padlock icon appears at the bottom right, on the status bar (if the status bar is not visible, select the Status Bar option from the View menu), and in Internet Explorer 7, 8 and 9 to the right of the address field.


After clicking the padlock icon, a window with certificate information will appear.

In Mozilla Firefox 4.0 or 5.0, the site identity can be verified using the so-called site identity button. This button is located in the address bar, on its left side, next to the web address. When viewing a website, the site identity button is displayed in one of three colours: grey, blue or green. When the site identity button is green, this means that the site provides fully verified information about its owner's identity and the connection to it is encrypted.

After clicking on the site identity button, information on the site certificate is displayed.

Why is it so important? Issuing a certificate requires no specialist equipment or software; anybody can issue a certificate for any domain on their own. Combined with substitution of the website address, you may end up connecting to a server whose name is very similar or even identical to the name of the server you wanted to reach; the connection is encrypted, but it is not that server, it is a server set up by someone who wants to steal your money. Only verifying the certificate enables you to check whether the server is authentic.
3.5 Do not share your logging password
Individual customers:
If you log in using a masked password, you have to enter only some of the characters of your password. Remember that the bank never needs your entire password, except when you are changing it to a new one. The password (in its masked form) is used only for logging into the electronic banking system; it is required nowhere else, either inside or outside the system.
Why is it so important? It happens that fraudsters ask bank customers to enter their passwords for ostensible verification. In this way they obtain customer passwords, which could then be used to access the customers' accounts.
3.6 Check logging dates
After logging into the system, check the dates of the last logon attempts, both successful and unsuccessful. If the dates differ from what you remember, this should raise your concern. Contact the bank to clear up any doubts.
Why is it so important? If the last logon date differs from what you remember, it probably means that someone has accessed your account. In such a situation you should contact the bank to explain the situation. Unsuccessful logon attempts unrelated to your own actions may indicate that someone was trying to crack your password.
3.7 Check the image
One of the website's graphic features is an image that you can customize. If the image displayed is not the one you selected, it may mean that the website you are viewing is not the bank's genuine website. In such a case you should refrain from performing any operation until the doubts are resolved.

Why is it so important? The digital certificate allows you to verify that the connection has been established with the correct server. Certificate verification may be difficult, so, to make it easier, a customized image was added, which is easier to recognize. Remember, however, that checking the image must not replace verifying the server certificate.
3.8 Check what you sign
External operations carried out in the Internet banking service must be confirmed by you by appending an electronic signature or by entering a code sent by text message (SMS). Always check the data presented in the form for signing an instruction. If you use transaction authorisation with SMS codes, before signing any instruction make sure that the operation details contained in the authorisation SMS match the data you entered in the system.
3.9 Log out from the service.
When you finish using the electronic banking service, always log out from it by selecting the appropriate option. Although it is not necessary, you may also close all web browser windows; on public computers it is advisable to do so. Never leave a computer with an open session in the electronic banking system unattended.
Why is it so important? Logging into the service starts a so-called session. It ends when you select the logout option, close the web browser, or a given period of inactivity elapses. If the session is not closed, someone might use it to perform operations on your bank account.

4 What security measures are applied?

4.1 Logging into the system
In the user authentication process the system verifies whether the person logging in is the person they claim to be.
The Internet banking system has one method of authentication:

Individual customers:
  • Masked password
For a masked password the system displays a window in which you enter the missing characters at specified positions of the password. As a result, even if somebody spies on or intercepts a password, they will not be able to use it at the next logon, because the system will then ask for other characters of the password.

Then (Companies) the system displays a form with a field for entering a one-time SMS code delivered to a predefined telephone number.

Moreover, a separate SMS code is generated for each operation that requires authorisation.
4.1.1 Masked passwords
A masked password is a password of which you enter only the characters demanded by the system at logon. As a result, even if someone looks over your shoulder at the characters you enter, they will learn only a fragment of your password, not all of it. Remember, however, that if somebody spies on you for a longer time, or if spying software that records the characters entered is running on the computer you use to log in, your entire password will become known over time. This is why the password should be changed from time to time, in particular if it was used in a situation where somebody could have spied on it or the computer used was not a trusted one. The advantage of a masked password is that it does not require installing any additional components on the computer you use.
The Bank does not store the full form of your masked password. The only moment the password appears in the system in its full form is when it is changed. During this operation the system generates a fixed number of masks, which are later used for user authentication. For each of these masks a hash (digest) of the corresponding password fragment is saved in the database. As a result, when the user is later authenticated, the system can verify whether they entered the correct characters without having to store the password in plain form in the database.
Remember that choosing a masked password as the authentication method also means that SMS codes are used for authorizing orders.
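An added example (not the bank's own code) of the mask-and-hash scheme described above: at password change a fixed number of masks is drawn, a salted hash of each mask's fragment is stored, and a logon is verified against one mask without the full password ever being stored. The hash function (PBKDF2-HMAC-SHA256), the per-mask salt, the mask length and the mask count are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import os
import random

# Assumed parameters (the page gives none of these values).
MASK_LEN = 4         # characters demanded per logon
MASK_COUNT = 8       # masks generated when the password is changed
ITERATIONS = 100_000 # PBKDF2 work factor

def _digest(fragment: str, salt: bytes) -> bytes:
    """Salted slow hash of one password fragment (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", fragment.encode(), salt, ITERATIONS)

def set_password(password: str, mask_count: int = MASK_COUNT,
                 mask_len: int = MASK_LEN) -> list:
    """Run once at password change: the only time the full password is seen.
    Returns the stored record, one (positions, salt, digest) per mask; the
    password itself is never written anywhere."""
    if len(password) < mask_len:
        raise ValueError("password shorter than mask")
    record = []
    for _ in range(mask_count):
        positions = sorted(random.sample(range(len(password)), mask_len))
        fragment = "".join(password[i] for i in positions)
        salt = os.urandom(16)
        record.append((positions, salt, _digest(fragment, salt)))
    return record

def logon_challenge(record: list) -> int:
    """Pick which mask the user must answer at this logon (index into record).
    A different mask next time means a captured answer is not replayable."""
    return random.randrange(len(record))

def verify(record: list, mask_index: int, typed: dict) -> bool:
    """typed maps 1-based position -> character the user entered at it.
    Only the demanded positions are used; the full password is never needed."""
    positions, salt, stored = record[mask_index]
    try:
        fragment = "".join(typed[p + 1] for p in positions)
    except KeyError:
        return False  # user did not fill every demanded position
    return hmac.compare_digest(_digest(fragment, salt), stored)
```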
4.2 Transaction authorization
Transaction authorization confirms operations ordered by an authenticated user. It is an additional security measure that prevents anybody from withdrawing money from your account even if they learn your logon password.
4.2.1 Authorization with SMS codes
If you use SMS codes, a separate one-time password is used each time to confirm a transaction that requires authorisation. In typical implementations of this authorization method, a single-use code that is not tied to the transaction parameters is sent directly to the server together with the other operation parameters. In the Internet banking system, to increase security, the password is not sent to the server. Instead, an authorization code that binds the transaction parameters to the valid single-use password is sent. The authorization code is calculated with the HMAC algorithm. The server verifies whether the code sent is correct and, if it is, the transaction is executed.
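An added example (not the bank's code) of the authorization-code scheme described above: the client computes an HMAC over the transaction parameters keyed with the one-time SMS code, the SMS code itself never travels to the server, and the server recomputes the HMAC over the parameters it actually holds and retires the code after one use, so an altered amount or a replayed code fails. HMAC-SHA256, the 8-digit code format and the sorted "key=value" canonicalisation joined by "|" are assumptions; the page names only HMAC.

```python
import hmac
import hashlib
import secrets

# Assumptions: HMAC-SHA256 keyed with the SMS code; parameters canonicalised
# as sorted key=value pairs joined by '|'. The page specifies neither.

def canonical(params: dict) -> bytes:
    """Deterministic byte encoding of the transaction parameters."""
    return "|".join(f"{k}={params[k]}" for k in sorted(params)).encode()

def authorization_code(sms_code: str, params: dict) -> str:
    """Client side: only this value is sent; the SMS code stays with the user."""
    return hmac.new(sms_code.encode(), canonical(params), hashlib.sha256).hexdigest()

class AuthorizationServer:
    """Server side: remembers the one-time code issued per pending instruction
    and recomputes the HMAC over the parameters it received for it."""
    def __init__(self):
        self._pending = {}  # instruction id -> (sms_code, params)

    def issue_sms_code(self, instr_id: str, params: dict) -> str:
        code = f"{secrets.randbelow(10**8):08d}"  # 8-digit one-time code (assumed)
        self._pending[instr_id] = (code, dict(params))
        return code  # delivered to the customer's registered phone, with the details

    def verify(self, instr_id: str, submitted_code: str) -> bool:
        entry = self._pending.get(instr_id)
        if entry is None:
            return False  # unknown instruction, or its code was already used
        sms_code, params = entry
        expected = authorization_code(sms_code, params)
        ok = hmac.compare_digest(expected, submitted_code)
        if ok:
            del self._pending[instr_id]  # one code authorises exactly one operation
        return ok
```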

5 Notifications

It is possible to set notifications of security-related events in the Pl@net system:
  • Notifications about successful logging into the Pl@net system;
  • Notifications about unsuccessful attempt to log into the Pl@net system;
  • Notification about blocking the access to the system;
You may receive the selected notifications as a text message sent to the mobile phone number you defined in the system or as an e-mail sent to the e-mail address you indicated.
To set notifications, log into the system, select the "Other" tab, and then click "Notifications". You choose the notification method at your own discretion.

Please note! If you received a notification but did not log into the system at that time, please contact the BGŻ Optima Call Centre or any of our branches to clear up any doubts.

E-mail notifications are free, whereas for each text message notification we charge a fee as per the binding Table of Commissions and Fees.