Online banking fraud is of enormous concern to individuals, businesses and financial institutions around the world – and South Africa is no exception. Systems are under constant threat of violation, and Standard Bank makes use of the latest international security measures to ensure our banking systems are robust and secure.
In most cases of fraud, user identity passwords are obtained via unscrupulous methods by criminals and then used to transact fraudulently on the victim's banking profile. There are a number of tools you can use to reduce your exposure. These include:
One of the standard security features on Business Online is controlled access through user IDs and passwords. Each operator on your profile has their own personalised password which they use when they access the system.
You can help to reduce your exposure to online threats by implementing sound password protection principles and communicating them to everyone in your organisation who has access to your profile.
Keep your password safe. Never write it down anywhere or tell anyone what it is, not even the bank.
Manually enter your password every time you log on. Do not select the automatic password option.
Make it difficult to decipher. Passwords should be at least 8 characters long and comprise a combination of numbers, letters and punctuation. You can use both upper and lower case to make your password more secure.
Avoid the obvious. Don't use names or numbers that are easily associated with you, like the names of your children or your birthday.
Make your banking password unique. Don't use the same password for all your online accounts.
Change your password regularly. Often a password is compromised without an operator even knowing. Frequent updates will help to minimise the risk of extended malicious usage.
2 Factor Authentication
2 Factor Authentication is a multi-level login procedure that requires a user to provide two passwords before being granted access to a Business Online banking profile. This additional security level helps to reduce the risk of fraud on your online banking portfolio.
The system makes use of two levels of security. The first of these is the self-generated user password. Users choose their own passwords, and may change them at any time.
The second level of security is known as a one-time password, which is generated by a small device called a token. Each registered Business Online user has their own token, which generates random passwords at regular intervals. Only the password provided by the token at the time of logging on will be valid for a particular Business Online session.
Please note the following:
- Tokens may only be registered to one operator. Operators may not lend their tokens to colleagues or borrow other operators' tokens.
- Tokens will be suspended if three incorrect one-time passwords are entered in a row. Suspended tokens can be resynchronised by calling the Business Online call centre on 0860 123 007.
- If an operator leaves their token at home, their one-time passwords can be sent to their registered cell phone number. (This service is only available for one day, or 10 sessions.)
- If a token is lost or stolen, a new token will be provided. A designated person will need to approve the replacement.
Segregation of duties
Online banking activities, particularly sensitive transactions such as making payments and adding or amending beneficiary details, should not be processed without the approval of more than one person in your organisation.
Business Online’s segregation of duties function allows you to separate these transactions into steps, with a separate person being responsible for authorising each of the steps before the transaction can be processed.
Segregation of duties:
- reduces error and improves online banking security
- allows for quality assurance on all transactions
- improves the checks and balances on your business accounts
- ensures a level of confidentiality of the financials of the business
The basic underlying principle of segregated duties is that no employee or group should be in a position both to perpetrate and conceal errors or fraud in their normal course of duties. The same would apply if their user credentials were compromised and used fraudulently.
Ideally, there should be at least three authorising parties to each transaction: the capturer, the releaser and the designated person.
The designated person ensures that valid and authorised accounts, creditors and debtors are loaded, and that only authorised operators gain access to the Business Online profile. The designated person should also ensure that appropriate limits and release levels are created and maintained.
Business Online's audit reports allow you to identify any irregular activity on beneficiary profiles and payment transactions.
We recommend that you review your audit details at least once at the end of each day.
It is important to remember that an interim audit report is not a confirmed payment. The report merely reflects an intention to pay while the required releasing function is still pending.
Final audit reports submitted as confirmation of payment should not be accepted without confirming that the credit is reflected in your account as an electronic payment and not as either a cash or cheque deposit.
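The end-of-day audit review, checked against the capturer, releaser and designated person roles described above, can be expressed as a short script. This is an added example, not Business Online code or its report format: the record fields, event names and operator IDs are constructed, and it assumes a policy in which only the designated person loads or amends beneficiaries.

```python
from dataclasses import dataclass

# Constructed record layout (assumption): not the Business Online audit format.
@dataclass(frozen=True)
class Event:
    kind: str              # "beneficiary_change", "capture" or "release"
    operator: str          # operator ID that performed the step
    ref: str               # beneficiary ID or payment reference
    beneficiary: str = ""  # set on "capture" events only

def review(events, designated_person):
    """Return (ref, reason) findings for segregation-of-duties breaches."""
    findings = []
    changed_by = {}        # beneficiary ID -> operator who last changed it
    captured = {}          # payment ref -> capture event
    for ev in events:
        if ev.kind == "beneficiary_change":
            changed_by[ev.ref] = ev.operator
            if ev.operator != designated_person:
                findings.append((ev.ref, "beneficiary changed by non-designated operator"))
        elif ev.kind == "capture":
            captured[ev.ref] = ev
            if changed_by.get(ev.beneficiary) == ev.operator:
                findings.append((ev.ref, "capturer also changed the beneficiary"))
        elif ev.kind == "release":
            cap = captured.get(ev.ref)
            if cap is None:
                findings.append((ev.ref, "release without a captured payment"))
            elif cap.operator == ev.operator:
                findings.append((ev.ref, "captured and released by the same operator"))
    # A capture with no release is only an intention to pay (interim report).
    released = {ev.ref for ev in events if ev.kind == "release"}
    findings += [(ref, "captured but not released (interim only)")
                 for ref in captured if ref not in released]
    return findings

# Constructed sample day: PAY-1 is clean, PAY-2 is handled end to end by one
# operator, PAY-3 is still awaiting release.
SAMPLE = [
    Event("beneficiary_change", "dp_naidoo", "BEN-1"),
    Event("capture", "op_a", "PAY-1", "BEN-1"),
    Event("release", "op_b", "PAY-1"),
    Event("beneficiary_change", "op_a", "BEN-2"),
    Event("capture", "op_a", "PAY-2", "BEN-2"),
    Event("release", "op_a", "PAY-2"),
    Event("capture", "op_b", "PAY-3", "BEN-1"),
]
```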
With online banking fraud and identity theft playing an ever-increasing role in our electronic banking landscape, it is more important than ever to know exactly who you are dealing with when making and receiving payments online.
With Standard Bank’s Account Verification Service (AVS), you can verify account information across all participating banks in South Africa before making payments or collecting funds.
AVS will verify the following information*:
- Account holder’s name
- ID/company registration number
- Bank account number
- Bank branch code
- Account status (open or closed)
- Length of time the account has been open
- The account type
- Whether the account accepts debits or credits
* Verification fields may differ from bank to bank.
Find out how AVS can help to improve your company’s cash flow management and reduce the risk of fraud associated with online banking by contacting your sales representative or by visiting our FAQs.
Security Lock out (Access Control)
Business Online's Security Lock out (Access Control) feature allows you to completely deny access to your online banking profile at certain times of the day and on certain days of the week. The Security Lock out feature is an optional add-on, available at no extra cost, that allows pre-defined lock-out periods to be set according to your specific business requirements.
This feature also allows you to impose an immediate lock-out of a user profile or specific operator should the need arise.
The facility provides additional control over your Business Online banking platform, giving you increased peace of mind – especially outside of normal business hours.
Some facts about Security Lock out (Access Control):
- It is an optional feature, available on request
- If you subscribe to this feature it is imperative that you carefully consider your business operational requirements when specifying the Business Online lock-out times for each day of the week
- The lock out times are specified per user profile
- All operators linked to the user profile will be denied access to Business Online during the lock-out time
- Subscribing for this feature does not affect any existing Business Online functionality or other security features
- Extensions to operating times can be arranged on an ad hoc basis, through the bank, should the need arise
- A warning message feature is available to alert operators when lock-out periods are about to commence
- If you do not subscribe, Business Online will continue to be available for 24 hours a day
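When planning lock-out times for each day of the week, it helps to model the schedule and test the awkward cases, such as a window that runs past midnight. The sketch below is an added example, not Business Online's implementation: the schedule layout, the 15-minute warning lead time and the function names are assumptions.

```python
from datetime import datetime, time, timedelta

NIGHT = (time(18, 0), time(6, 0))    # end <= start: runs into the next day
ALL_DAY = (time(0, 0), time(0, 0))   # start == end: the whole day

# Constructed schedule for one user profile: weekday (0 = Monday) -> windows.
SCHEDULE = {
    0: [(time(0, 0), time(6, 0)), NIGHT],
    1: [NIGHT], 2: [NIGHT], 3: [NIGHT], 4: [NIGHT],
    5: [ALL_DAY], 6: [ALL_DAY],
}

def locked(schedule, now, immediate=False):
    """True if the profile is inside a lock-out window at `now`."""
    if immediate:                    # ad hoc lock-out overrides the schedule
        return True
    t = now.time()
    for start, end in schedule.get(now.weekday(), []):
        if start < end:
            if start <= t < end:     # window within a single day
                return True
        elif t >= start:             # overnight window, first night portion
            return True
    # Morning tail of a window that started yesterday and wrapped past midnight.
    for start, end in schedule.get((now.weekday() - 1) % 7, []):
        if end <= start and t < end:
            return True
    return False

def access_state(schedule, now, warn=timedelta(minutes=15), immediate=False):
    """Return 'denied', 'warning' (lock-out starts within `warn`) or 'allowed'.

    Assumes every window is longer than the warning lead time.
    """
    if locked(schedule, now, immediate):
        return "denied"
    if locked(schedule, now + warn):
        return "warning"
    return "allowed"
```

Because the lock-out is specified per user profile, one result applies to every operator linked to that profile.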
Contact your Standard Bank representative for more information.
Physical access security policy
Control who can gain access to your premises, particularly to areas where your critical computers are located.
IT security policy
Make sure that your anti-virus, anti-spyware, and intrusion prevention systems are up to date, and ensure your employees keep their login details confidential and change their passwords regularly.