
Security

  1. Tips for your online security

Read the basic safety tips carefully

Security in remote banking services.
When surfing the Internet and/or receiving e-mails, it is advisable not to enter your Passport, ID card, remote banking access codes, PIN numbers for transactions, or other sensitive data (such as debit and credit card numbers and passwords), in the following cases:

  • On pages that you have accessed via e-mail.
  • In the e-mails you send. It is advisable not to do so, even if someone has requested you to do so on behalf of the Bank.
  • If you doubt the authenticity of the website you are on.

We inform you that the BancSabadell d’Andorra group will never ask you for confidential data, such as passwords or secret numbers, either by e-mail or through forms.

Do not keep your access code (PIN) in a place close to your personal remote banking key card, and avoid making it visible to third parties.

To strengthen your computer’s security

  • Apply and automate regular security updates for your computer’s operating system and applications.
  • Use anti-virus software with a firewall and anti-spyware software and keep them permanently up to date.
  • Use only trusted software, internet sites and services.
  • We recommend that you refrain from running programs that arrive by e-mail, even if their origin appears to be known, when you are not absolutely sure of their origin.

For further information, you can contact our call centre at 735 666, or consult the recommendations and security information available on the Banco Sabadell Group websites.

  2. System security

At the BancSabadell d’Andorra group, we have incorporated the most up-to-date security technology and some complementary measures.

SSL PROTOCOL, SECURE SERVER

This technology allows data entered on the screen and travelling through the network to be encrypted according to an algorithm, with variable keys for each connection. These keys are really the essential element of what constitutes the security of a “secure server”.

The BancSabadell d’Andorra group's site is hosted on a secure server and has these keys embedded in its certificates. These certificates include additional security mechanisms for fraud prevention, informing you about the security level of the page visited. The latest versions of browsers, such as Internet Explorer version 7 or higher, or Firefox from version 3 onwards, support these types of certificates, indicating the authenticity of the website visited.

By clicking on this area, you can get additional details about the certificate used.

If, on the other hand, the address bar is coloured red, do not trust this page, as it could be fraudulent.

If you use versions of browsers that do not support this functionality, the address bar will not be coloured.

ACCESS CODE CONTROLS

The access code you enter at BancSabadell d’Andorra must pass a series of controls: a maximum number of mistakes per day, or accumulated over several days, will cause the access code to be automatically cancelled.

In this case, to reactivate it, you must request it in writing or in person at your BancSabadell d’Andorra branch.
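
A sketch of how such controls can be enforced on the server side, as an added example that is not the Bank's own code. The class name, the thresholds (3 failures per day, 5 within 7 days) and the choice not to erase past failures on a successful login are assumptions, since the page publishes no values.

```python
import hashlib
import hmac
from collections import deque
from datetime import datetime, timedelta

# Assumed values: the page says limits exist but does not publish them.
MAX_FAILURES_PER_DAY = 3
MAX_FAILURES_IN_WINDOW = 5
WINDOW = timedelta(days=7)


class AccessCodeGuard:
    """Failed-attempt tracking for one customer's access code (hypothetical)."""

    def __init__(self, code: str, salt: bytes = b"constructed-salt"):
        self._salt = salt
        self._digest = self._hash(code)
        self._failures = deque()      # timestamps of failures still inside WINDOW
        self.cancelled = False

    def _hash(self, code: str) -> bytes:
        # Keep only a salted, slow hash of the code, never the code itself.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def attempt(self, code: str, now: datetime) -> str:
        """Return 'ok', 'denied' or 'cancelled' for one login attempt."""
        if self.cancelled:
            return "cancelled"        # a cancelled code is refused even when correct
        while self._failures and now - self._failures[0] > WINDOW:
            self._failures.popleft()  # forget failures older than the window
        if hmac.compare_digest(self._hash(code), self._digest):
            return "ok"               # assumption: success does not erase past failures
        self._failures.append(now)
        today = sum(1 for t in self._failures if t.date() == now.date())
        if today >= MAX_FAILURES_PER_DAY or len(self._failures) >= MAX_FAILURES_IN_WINDOW:
            self.cancelled = True     # stays cancelled until the branch reactivates it
            return "cancelled"
        return "denied"

    def reactivate(self) -> None:
        """Branch-side step after a written or in-person request."""
        self._failures.clear()
        self.cancelled = False


def slow_guessing_demo() -> list:
    """Two wrong guesses a day stay under the daily limit but not the cumulative one."""
    guard = AccessCodeGuard("4821")   # constructed access code
    start = datetime(2024, 1, 1, 9, 0)
    results = []
    for day, guess in [(0, "0000"), (0, "1111"), (1, "2222"), (1, "3333"), (2, "4444")]:
        results.append(guard.attempt(guess, start + timedelta(days=day)))
    results.append(guard.attempt("4821", start + timedelta(days=2, hours=1)))
    return results


if __name__ == "__main__":
    print(slow_guessing_demo())
```

The cumulative limit is what stops guessing that is paced to stay under the daily limit, and the manual reactivation step keeps a cancelled code from becoming usable again simply by waiting.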

Transactions requiring higher security (transfers, purchase orders, etc.) usually require a second password. This second key corresponds to one of the keys on the ‘A Online key card. This key card is different and personalised for each client. Each such transaction usually requires a different random key. The key card is a crucial security element: you should keep it with you at all times and report its loss or theft immediately to the ‘A Online service at 735666.

When you connect to ‘A Online, you are shown the date and time of your previous connection. Verify that it matches the last time you actually connected. This feature allows you to check that only you know your security keys and that only you have access to the service.

TRANSACTION AMOUNT LIMITS

Some transactions also have a limit on the amount per transaction (and on the cumulative amount over a period). In some transactions, above a certain amount, the branch is immediately notified of the transaction and, if it observes anything out of the ordinary, carries out the checks it deems appropriate.

CONCLUSION

The three elements mentioned above (encryption of messages, control of access codes and limitation of amounts) provide a level of security that allows the ‘A Online system to be used with confidence.

RECOMMENDATIONS

So far, we have told you about the measures we have taken in our service, but there are also measures you should take on your PC, not so much to protect communication with the bank, but to protect your own computer and the information it contains. Your PC is the only element that the Bank cannot cover for you.

VIRUSES OR MALWARE. It is well known that your PC can be infected by a computer virus or malware via disks, floppy disks or simply by surfing the Internet.

You should install a virus scanner on your PC that runs every time you start up your computer. In addition, you should keep your anti-virus software version up to date.

You should be cautious when visiting unknown websites, especially if you are asked to download files and programmes. A virus or malware is nothing more than a programme dedicated to creating problems in stored information or even in the PC itself.

Avoid installing programs of unknown origins on your PC.

Back up your PC files on a regular basis. 

  3. Security measures

Glossary of terms

Below you will find a series of tips to help you preserve the confidentiality and security of your Internet browsing and the Remote Banking Services of the BancSabadell d’Andorra group:

  • Do not trust e-mail messages from unknown sites or containing inconsistent information.
  • Never give out your ID and password or other personal data when asked to do so through SMS, fax, e-mail, or through a link in an e-mail that does not have a secure address (https:).
  • Remember that your access code is personal and non-transferable. If possible, change it regularly.
  • Store your key card carefully and do not allow third parties to access it. These cards are the key that allows transactions to be carried out. Do not let third parties see or access your key card and do not make copies.
  • Use anti-virus and anti-spyware software and update it frequently, preferably automatically.
  • Upgrade your browser and operating system with the security improvements provided by the manufacturers, and always follow their instructions.
  • If you have a permanent connection (ADSL, cable or similar) it is advisable to install a personal firewall.
  • Take extra precautions when using public or shared computers.
  • If you detect or suspect security problems, contact BancSabadell d’Andorra immediately.
  • Security Policy
  • Applicable law and jurisdiction

You can contact the BancSabadell d’Andorra group for security reasons through different channels. If you use the electronic form, please select the option “Security” as the reason for your communication.

  • Do not trust e-mail messages sent by unknown sites or containing inconsistent information. E-mail messages from unknown addresses are likely to contain computer viruses or malware, especially when the subject line seen before opening contains inconsistent information: it may be written in unusual language or may be unrelated to the topics normally discussed with the sender. Bear in mind that even if the sender of the message is known, when the subject displayed is not consistent with the sender, the message could have been sent by a computer virus or malicious programme, from the sender’s own computer or from some other infected computer that knows the sender’s e-mail address.

Never provide your ID and password or other personal data when requested through SMS messages, fax, e-mail, or through a link contained therein that does not have a secure address (https:). The BancSabadell d’Andorra group does not usually request confidential or personal data such as passwords, account numbers, card numbers, etc. through SMS, fax, e-mail or forms. The BancSabadell d’Andorra group will only direct you to its websites via secure pages (https:), which will display a closed padlock on your browser. Check that your forename and surname and the last login date and time are correct when you log on to the Electronic Banking service.

Remember that your access code is personal and non-transferable. It is recommended to change it periodically to prevent access by third parties. Also, remember to memorise it and avoid writing it down. As an additional measure, you should refrain from choosing a number related to your personal data, and any other code that would be easily predictable by third parties (date of birth, telephone number, series of consecutive numbers, repetitions of the same digit, etc.). Nor should the codes or keys be written down on any physical medium, or be close to complementary identification elements (cards).

Store your key card carefully and do not allow third parties to access it. These cards are the key that allows transactions to be carried out.

Do not let third parties see or access your key card and do not make copies. Check whether the date and time of the last access you can see when you log in to the remote banking services actually matches the last time you used them. If you suspect that the date and time of the last access does not match an access made by you, please notify BancSabadell d’Andorra immediately.

Use anti-virus and anti-spyware software and update it frequently, preferably automatically. The proliferation of computer viruses is becoming increasingly common. Make sure you have good anti-virus software and, most importantly, keep your virus detection databases up to date. Having anti-virus software may do you little good if you do not have the latest detection databases for the latest viruses.

In addition, do not install software from unknown sources or browse sites that you do not trust. It is also desirable to have protection against spyware. You can use an anti-virus programme that also protects you against spyware or use a dedicated anti-spyware programme.

Upgrade your browser and operating system with the security improvements provided by the manufacturers, and always follow their instructions. Improvements and new versions of browsers and the operating system are released periodically and provide greater security when browsing and using the Internet. Read the product manufacturers’ recommendations and update your browser and operating system according to their instructions.

If you have a permanent connection (ADSL, cable or similar) it is advisable to install a personal firewall.

As long as your computer is connected to the Internet, it can communicate with any user on the network. To prevent unwanted access to the information on your computer, it is recommended that you install a personal firewall, especially if you use a permanent connection (ADSL, cable or similar).

Take extra precautions when using public or shared computers. Use public computers only for non-private matters. Remember that you may be observed by third parties or even by electronic surveillance means.

If you detect or suspect security problems, contact BancSabadell d’Andorra immediately. You can contact the Bank through different channels. If you use an online form, please select the option “SECURITY” as the reason for your communication.

Security Policy

BSA has incorporated the most advanced security technology to date, in addition to a series of complementary measures to guarantee the confidentiality of transactions. The user shall meet the following conditions:

  • In general: the User must have the devices and elements that at all times are specified as “system requirements” on the pages of the Portal and, for security reasons, must have the most modern browser versions. The User is expressly warned that he/she may not leave his/her computer when making transactions on the website.
  • The BancSabadell d’Andorra, S.A. group reserves the right to adopt all the security rules and measures it deems appropriate at any time in order to guarantee the proper use and confidentiality of the service. The User authorises the BancSabadell d’Andorra, S.A. group not to execute the requests or orders received when the identification is not correct or when there are reasonable doubts about the identity of the person issuing them.
  • The User irrevocably authorises the BancSabadell d’Andorra, S.A. group to record and file the communications and transactions that take place through the Portal.
  • It is well known that a PC can be infected by a computer virus via disks or simply by surfing the Internet. The User must install a virus scanner in his or her PC that runs every time he or she starts up the computer, and must keep it permanently updated, making frequent backup copies of the files contained in the User’s computer.
  • The BancSabadell d’Andorra, S.A. group does not guarantee or control the absence of viruses or other elements in the services provided by third parties through the Portal (files, e-mails, electronic documents, etc.), nor does it guarantee or accept responsibility for any alterations or defects that may occur in the User’s computer system due to any computer virus or harmful element that may have affected or been transmitted by third parties through the Portal. The User should be cautious when visiting unknown websites, especially if they encourage the User to download files and programmes from the network. A virus is nothing more than a programme dedicated to creating problems in stored information or even in the PC itself. The user shall avoid installing programs of unknown origins on their PC.
  • ‘A Online: Users who are also customers of the ‘A Online’ service must take the necessary measures to duly safeguard the personal identification elements of the service and immediately resort to the service suspension or blocking systems provided for this purpose. Furthermore, it is recommended not to type or use identification elements on computers in public places or locations that could facilitate the interception of communications or the viewing of passwords by third parties. Nor shall the secret number or access codes be written down on any document or object that the User keeps or carries on him/her or close to digital identification cards, and we also expressly warn against using key numbers related to personal data, as they could be easily deduced or predicted (date of birth, telephone number or similar).

Applicable law and jurisdiction

The general conditions are governed by Andorran law, and the parties shall submit any dispute that may arise in relation to the portal to the Courts and Tribunals corresponding to the domicile of the BancSabadell d’Andorra, S.A. group.

  4. Precautions

Computer viruses and malware

Viruses and malware are small programs that install themselves on the computer without the user’s knowledge and have malicious purposes, such as destroying or stealing information or causing malfunctions in the computer or in the network to which it is connected.

A virus, in addition to acting on the affected machine, spreads to other computers to which the machine may be connected using a variety of methods that have evolved over time. Years ago, viruses were mainly spread via floppy disks. With the advent of networks, the Internet and e-mail, viruses found their ideal means of propagation, although physical storage devices continue to be used. New viruses appear on the Internet every day, although not all of them are equally dangerous. To avoid infection, a number of precautions should be taken:

  • Browse only known and trusted websites, as some viruses and malware are hidden on websites of dubious trust.
  • Do not use files or programmes of unknown origin.
  • Do not open e-mails from unknown sources.
  • Be wary of emails from people you know that have an incoherent or unexpected title. Before opening these messages, contact the alleged sender and check that they have actually sent the message, as it could be a message sent by a virus.
  • Have a known anti-virus programme and keep its virus detection databases permanently updated. It is not enough to have the latest version of antivirus software. To be effective against the latest viruses, you will need to keep your databases up to date.
  • Do not directly open attachments inside e-mails. It is safer to save them on the computer first and open them from outside the e-mail programme. Experienced users should protect sensitive information by using encryption software.

Useful links on viruses

The following links are provided for information purposes only:

Alerts

http://www.alerta-antivirus.es

http://www.hispasec.com

http://www.virusprot.com

 

Manufacturers

http://www.trendmicro.es

http://www.mcafee.com (ENGLISH)

http://www.pandasoftware.es

http://www.symantec.com (ENGLISH)

http://www.avp-ec.com

http://www.norton.com (ENGLISH)

http://esp.sophos.com

 

Useful links on “Spyware”

http://lavasoft.de/spanish/default.shtml

http://microsoft.com/athome/security/spyware/software/default.mspx (ENGLISH)

http://ca.com/products/pestpatrol (ENGLISH)

http://www.webroot.com/es/index.php

 

Useful links on encryption

http://www.pgp.com/products/personal/index.html (ENGLISH)

http://www.pgpi.org (ENGLISH)

 

Attempted theft of access codes or other sensitive information (“Phishing”)

 One of the existing frauds on the Internet is the creation of fake websites and/or portals and the falsification of e-mails. Combined, these two techniques are used to fraudulently obtain access codes to third-party services and applications, or other sensitive information such as account and card numbers (including expiry date), in order to access your information or carry out transactions on your behalf. The way access codes are stolen using this technique is by creating an address and a website on the Internet with a name almost identical to that of the company or website they are trying to impersonate. The name differs in a few characters, often just one.

The fraudulent address shows a website that has been created to look identical or very similar to the real one. Victims of the scam receive e-mails allegedly sent by the real company (in this case, the e-mail address is completely imitated), inviting them to go to the fraudulent pages and asking for their ID, password or other access data, for some important reason. Once the information is entered on the fraudulent pages, it has been stolen, and it can be used on the real site to perform the functions or transactions that the stolen information allows. Some variants of the above technique consist of requesting the same information by SMS, fax or telephone.
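
One way a mail filter or help-desk tool could flag links whose hostname differs from the genuine one by only a few characters, as an added example that is not code from the Bank. The allowlist holds only the `www.bsandorra.com` address quoted on this page; the distance threshold, the confusable-character table, the function names and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

GENUINE_HOSTS = {"www.bsandorra.com"}   # address quoted on this page
MAX_DISTANCE = 2                        # assumed threshold for "almost identical"
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})  # assumed table


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance that also counts a swap of adjacent characters as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def _base(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def _fold(host: str) -> str:
    # Map look-alike characters onto the letters they imitate.
    return host.translate(_CONFUSABLES).replace("rn", "m")


def classify_link(url: str) -> tuple:
    """Return (verdict, reason); verdicts: genuine, insecure, lookalike, unknown, invalid."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")   # urlsplit lowercases the hostname
    if not host:
        return ("invalid", "no hostname in link")
    if parts.username is not None:
        return ("lookalike", "text before '@' is not the host; real host is " + host)
    if host in GENUINE_HOSTS:
        if parts.scheme == "https":
            return ("genuine", "exact hostname over https")
        return ("insecure", "genuine hostname but not an https address")
    for good in GENUINE_HOSTS:
        if _base(good) + "." in host:
            return ("lookalike", "genuine name used as a prefix of another domain")
        distance = edit_distance(_fold(_base(host)), _fold(_base(good)))
        if _base(host) != _base(good) and distance <= MAX_DISTANCE:
            return ("lookalike", f"{distance} edit(s) away from {good}")
    return ("unknown", "not on the allowlist")


# Constructed sample links, as they might appear in received e-mails.
SAMPLE_LINKS = [
    "https://www.bsandorra.com/login",
    "http://www.bsandorra.com/login",
    "https://www.bsandora.com/login",
    "https://www.bsand0rra.com/login",
    "https://www.bsandorra.com.account-check.example.net/login",
    "https://www.bsandorra.com@198.51.100.7/login",
    "https://www.example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link), link)
```

Only an exact hostname match over https is reported as genuine; everything else is either flagged or left as unknown for a person to review.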

How to prevent it

Follow the instructions above and the security information and communications provided by the BancSabadell d’Andorra group. Please contact the Bank if you have any questions. You can contact us through different channels. If you use the electronic form, please select the option “Security” as the reason for your communication.

Relevant links about attempts to steal access codes and confidential information (“Phishing”).

The following links are provided for information purposes only:

http://www.msn.es/security/phishing

http://es.wikipedia.org/wiki/Phishing

http://www.consumer.gov/idtheft (ENGLISH)

  5. Protections

The protections described below are complementary to each other, and none of them replaces the others.

Digital certificate

A digital certificate is a guarantee of the identity of a given server and associated sites providing a service in the electronic world (mainly the Internet).

The digital certificate is issued by a trusted company (Certification Service Provider), such as Verisign or the FNMT (Fábrica Nacional de Moneda y Timbre), which creates and assigns the certificate after thoroughly verifying the identity of the applicant.

The digital certificate contains the data corresponding to the address to be certified (e.g. www.bsandorra.com), the identity of the entity operating at the address, the expiry date of the certificate and other technical information.

The digital certificate is digitally signed by the Certification Service Provider.

The trustworthiness of a digital certificate will therefore be determined by the information contained in it and by the trustworthiness of the Certification Service Provider that has issued and signed it. Certification Service Providers publicly display the processes used to perform certification: these are the so-called Certification Policies and Practices. In this way, we can assess the trustworthiness of a given Certification Service Provider.

How to verify the website of an online service

A digital certificate can be displayed in different situations. The most common is for verifying that the pages of a given Internet service belong to whom they should belong to and not to an imposter who has copied them. In this way, we ensure that the personal and confidential information we provide will be received by the appropriate entity.

It is advisable never to provide confidential data to websites reached through a link contained in an e-mail. We recommend that you always access the pages of our websites via the Internet addresses provided by the Bank.

Steps to verify the pages of an Internet service (secure pages):

Check that the address (URL) of the pages begins with the prefix https and that your browser shows the icon with a locked padlock in the bottom right-hand side of your window (Internet Explorer, Netscape Navigator).

Click on the padlock (double-click in Internet Explorer and one click in Netscape Navigator) to view the digital certificate and verify the identity of the owner of the web page that will collect your information:

  • In Internet Explorer: Check the address (URL), the issuer of the certificate and its validity. Next, select the “Details” tab to be able to check the identity of the submitter of the web pages where you enter or display your information. In the upper window, select the “Subject” field. You can then view the corresponding information in the window below.
  • In Netscape Navigator: Click on the “View” button in the previous window. This action will bring up a window with information about the digital certificate: Check the address (URL) of the pages being visited, the issuer of the certificate and the validity of the certificate. 
  • In other browsers: The way the certificate is displayed in other browsers is similar.

Data encryption

In addition, by using secure pages (pages protected by a digital certificate), all information transmitted between your browser and the server hosting the pages is transmitted in encrypted form. In this way, information is protected against interception by third parties.

To achieve maximum encryption protection for communications with secure pages (a protection required for the use of financial services and any other sensitive information), it is necessary to use a browser that provides strong encryption (128-bit encryption).

Certification Policies and Practices

Through certification policies and practices, Certification Service Providers openly disclose to the public the mechanisms and steps (identity checks) they use to issue digital certificates to those who request them. In this way, anyone wishing to verify a certificate can rely to a greater or lesser extent on the certificates issued by the provider.

In practice, since policies and practices are lengthy documents, one trusts the certification service providers, depending on how well-known they are, with Verisign being the best known worldwide for the certification of portals and server service pages.

Certification Policies (CP).

The policies indicate what certification service providers do and the types of services and certificates they offer.

The following link shows the Certificate Policies (CP) of Verisign, a world leader in certification services https://www.verisign.com/repository/vtnCp.html (ENGLISH).

Certification Practices (CPS)

Certification practices detail how policies are ensured, i.e. what specific procedures and mechanisms are used for issuing digital certificates.

The following link shows the Certification Practice Statements (CPS) of Verisign, a world leader in certification services:

http://www.verisign.com/repository/CPS/ (ENGLISH).

Relevant links about digital certificates and Certification Service Providers:

  • Verisign (ENGLISH)
  • ACE
  • Thawte (ENGLISH)
  • Camerfirma

Personal Firewall

 A personal firewall is a programme that blocks unauthorised access from the Internet to your computer and also blocks uncontrolled access (caused by a new virus, programme or malicious code) from your computer to the Internet.

Today, firewalls can be found in separate programs or integrated within other security programs (such as an antivirus) or in the operating systems themselves (such as Windows XP).

It is called a personal firewall to distinguish it from perimeter firewalls, which usually perform this function for the protection of an entire group of networked computers against connections from unknown networks (usually the Internet or third-party networks).

By using a personal firewall, you can control connections to and from the Internet or other networks for all programmes on your computer. When the firewall is installed, all connections are forbidden, and you should explicitly authorise only those connections that are usual for your computer usage. When the firewall warns of an attempt to initiate a connection that has not been expressly authorised, you will have to indicate whether to authorise it or not, depending on whether the connection is related to your current computer use; if it is not, the connection was caused by an external agent (attempted access from the Internet, virus or similar). A personal firewall is a programme designed for users who are new to the Internet.

It is also advisable to periodically update your firewall version, according to the recommendations of the firewall manufacturer.

Relevant links about firewalls.

The following links are provided for information purposes only:

http://www.pcactual.com/Actualidad/Reportajes/Seguretat/Virus/20030130012/6

http://www.zonealarm.com

http://www.symantec.com/region/mx/product/consumer/NPF/

http://www.protegirse.com/outpost/

 

  6. Best practices

Browser and operating system security updates

To prevent security problems arising from vulnerabilities that are occasionally discovered in the software you use, it is a good idea to visit the security websites of the manufacturers of the programmes you use, especially for your browser and the operating system itself.

Browser.

The browser, as the main tool for accessing the Internet, is the main programme that needs to be kept up to date with the latest security recommendations.

Use strong encryption (128-bit encryption) for communications with secure pages (https).

Regularly visit your browser manufacturer’s websites and update your browser according to the security recommendations that appear.

Relevant links about new versions and security updates for the browser.

The following links are provided for information purposes only:

http://windowsupdate.microsoft.com

http://www.microsoft.com/downloads/search.aspx?langid=18&displaylang=es

http://wp.netscape.com/es/es/index.html

http://wp.netscape.com/security/index.html (ENGLISH)

http://www.netscape.com/download (ENGLISH)

Operating system.

Some operating systems, such as Windows with its Windows Update functionality, have utilities to check for operating system updates, including security updates. Make use of such utilities or periodically visit your operating system manufacturer’s websites and update according to security recommendations.

Relevant links about security updates for the operating system.

The following links are provided for information purposes only:

http://windowsupdate.microsoft.com

http://www.microsoft.com/spain/technet/seguretat/default.asp

http://www.microsoft.com/security/ (ENGLISH)

 

Use of strong encryption (128-bit encryption) when communicating with secure pages

Strong encryption (implemented through the use of 128-bit encryption keys) is achieved through the combined use of server-specific software that displays secure pages and the use of browsers capable of using encryption.

Due to its strength, its use is usually only authorised for the servers of financial institutions and other companies with similar security requirements. Browsers, on the other hand, are free to use it. Therefore, the remote banking services of financial institutions are usually capable of using strong encryption.

The use of strong encryption in communications with these services depends on the browser having a strong encryption capability.

Check that you are using a version of your browser with strong encryption capability (128 bit). If this is not the case, upgrade to a version that allows it.

 

How do I know if a server supports strong (128-bit) encryption?

Normally, a server using strong encryption will advertise this on its pages, usually in a specific security section. If this is not the case, you will need to have a browser with strong encryption to identify the type of encryption used by a particular server.

How do I know if I am using strong (128-bit) encrypted communications?

 To find out if we are exchanging information using strong encryption, we must first check that the padlock in the bottom right-hand corner of the browser window is locked. Once this is done:

  • In Internet Explorer: Hover the mouse over the padlock until the full encryption key appears, which must be 128 bits.
  • In Netscape Navigator: click once on the locked padlock. A window will open indicating the type of encryption, which should be 128-bit (high-grade encryption).

If you have a strong-encryption-enabled browser, you can still communicate securely with servers that do not have strong encryption. In this case, the highest type of encryption supported by the server will automatically be used for communication, and a value of less than 128 (usually 40 or 56 bits) will be displayed as the encryption key size.

How do I upgrade my browser to use strong (128-bit) encryption?

Visit the download and update pages of your preferred browser manufacturer and check for 128-bit versions or updates for your browser. Please note that you will only be able to communicate via strong encryption with servers that have this feature.

Relevant links about 128-bit encryption

The following links are provided for information purposes only:

http://www.microsoft.com/windows/ie_intl/es/download/128bit/intro.asp

http://www.aola.com/netscape/download/

Backup copies

To be able to recover the information that was on the computer before a problem occurred, we must make backup copies and always keep them up to date. An important aspect of successful backup recovery is the storage location of the copies. The copies shall be kept in a separate location from the equipment containing the original data so that, in the event of an incident, the copies are not also lost. This is especially important in the case of a laptop computer, for which it is not advisable to keep its backup in the same case or bag.

Backup copies are created on removable media, which can be removed from the computer that contains the original data. These removable media can be floppy disks, recordable CDs or DVDs, tape drives, ZIP drives, USB (Universal Serial Bus) devices such as external disks, persistent storage devices, etc.

Relevant links about backups

The following links are provided for information purposes only:

http://www.conozcasuhardware.com/quees/almacen4.htm#backups

http://www.iomega-europe.com/eu/en/products/products_en.aspx (ENGLISH)

http://www.pricingcentral.com/best/backup_utility_software.html (ENGLISH)
