Information and guidelines for secure access to swift.com applications

1. Secure access to applications
1.1 User-id and password
The main method to protect an account is to use a combination of user-id and password. The strength of this protection will greatly depend on the complexity of the password.

SWIFT recommends that at least these criteria are met:

At least 8 characters long
Combines digits, special characters, uppercase and lowercase letters
Only used for accessing swift.com
Not trivial (e.g. dictionary words)
Changing your password regularly is another good practice – your administrator may mandate this.

Obviously the complexity of your password is nothing compared to the requirement to keep it secret. The best way to do that is to memorize it and not keep any written copy.

1.2 2-step verification
2-step verification is a security measure that helps protect your account from unauthorised access if someone manages to obtain your password. An additional layer of security requires a verification code to be entered along with your username and password.

This code can be delivered to you by SMS, voice message, or e-mail. SMS and voice message are the preferred means of delivering the verification code. This is because your e-mail address is already linked to your swift.com account and an external means of providing the authentication code is favoured.

Note that the secure channel application on swift.com uses a one-time password to secure each transaction that involves sensitive data. Security officers accessing the application must use their personal secure code card to generate the required one-time passwords.

2. Visit only trusted websites
2.1 Check the URL
Verify the URL of the web page before entering any personal data such as your e-mail address and password.
SWIFT always uses a secure connection to ask for your e-mail address and password. The URLs used by SWIFT start with "www2.swift.com" or "login.swift.com".

2.2 Verify the certificate on HTTPS websites
In most browsers this is done by clicking on the lock symbol either at the top or the bottom of the browser window.

2.3 Use a login-seal
You have the ability to define a seal that will be displayed to you every time you access the swift.com login page. When you see this login-seal you are sure to be at the right place to enter your credentials. SWIFT recommends using it to improve security.

4. Phishing & social engineering
4.1 What is phishing?
Phishing is an attempt to get hold of your data with malicious intent, in order to abuse your personal details, such as your user-id and password. It is the most common form of social engineering. In practice it often involves asking you to click on a link to a malicious website that looks like the site of a trusted institution. Phishing can also be performed via phone or chat by people pretending to be a trusted party, such as the helpdesk.

4.2 Secure mailing practices
The sender address and the embedded links in an e-mail can easily be spoofed. Therefore, mails from info@mailing.swift.com are digitally signed, and as the receiver you must verify the signature.

SWIFT will never ask you to change your credentials by email, unless you requested a change yourself.

4.3 How to prevent a phishing attempt?
Verify the signature.
If an e-mail contains embedded links, you must check that:

The URL (mouse-over the link to see the real URL) starts with one of the below:
https://login.swift.com/
https://www2.swift.com/
https://www.swift.com/
https://swift.emsecure.net/
After you click and are redirected, one of the above domains is still shown in your browser’s address bar,
It uses the secure HTTPS protocol, and
A valid certificate is assigned to SWIFT’s website.
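The link checks in 4.3 can be automated on the receiving side, for example in a mail-gateway filter or a user-reported-phish triage script. The following is an added example, not SWIFT's code: it parses each link and accepts it only if the scheme is HTTPS and the hostname is exactly one of the four hosts listed above, which catches look-alike hosts and user-info tricks that a plain "starts with" string test can miss. The sample links are constructed for the self-check.

```python
from urllib.parse import urlsplit

# Hostnames listed in section 4.3 of the guidance above.
TRUSTED_HOSTS = {
    "login.swift.com",
    "www2.swift.com",
    "www.swift.com",
    "swift.emsecure.net",
}


def is_trusted_link(url: str) -> bool:
    """Return True only if the link uses HTTPS and points exactly at a listed host.

    The URL is parsed so that scheme, user-info, host and port are each
    checked on their own instead of relying on a string-prefix comparison.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # Legitimate SWIFT links never carry "user:password@" before the host.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased, without port
    if host is None or port not in (None, 443):
        return False
    return host in TRUSTED_HOSTS


# Constructed sample links (hypothetical look-alikes, not real sites).
SAMPLE_LINKS = [
    ("https://login.swift.com/", True),
    ("https://www2.swift.com/myprofile", True),
    ("https://swift.emsecure.net/track", True),
    ("http://www.swift.com/", False),                  # not HTTPS
    ("https://login.swift.com.example.net/", False),   # look-alike host
    ("https://login.swift.com@example.net/", False),   # user-info trick
    ("https://login.swift.com:8443/", False),          # unexpected port
]


def check_samples():
    """Return (url, passed) pairs: passed is True when the verdict matches expectation."""
    return [(url, is_trusted_link(url) == expected) for url, expected in SAMPLE_LINKS]
```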

4.4 Email signature & certificate

SWIFT uses different systems for sending e-mail, with different signatures and certificates.

From: 
operations@mailing.swift.com
security.notification@swift.com
cs.deployment@swift.com
interface.changes@swift.com
SWIFTFunds@swift.com
shareholding@swift.com
swiftref.ssi@swift.com
