Secure banking

• You shouldn’t confirm transactions or logins to Internet Bank or app, which are not initiated by you under no circumstances.
• You shouldn’t ever disclose your personal data or data used for login to Internet Bank and app to other persons, including family members, friends or bank employees, unless you are calling to the bank.
• Do not write down, send by e-mail, SMS, etc. or otherwise save any confidential codes and passwords to unlock the screen of your computer or mobile phone. Create complex passwords, that are difficult to guess, memorise them and change them regularly. When creating PIN codes, be sure to make PIN codes in random number combination. Do not use combinations, such as 1111, 1234, dates of birth other personal details etc.
• Remember that your User ID number is as important as your personal code, thus pay a great deal of attention to its security.
• Keep in mind that after login you will have access to many services including external ones which do not require additional authentication.

We will also automatically block access to Internet Bank if incorrect login data (User ID or code from the PIN code generator) is entered 5 times in a row.

You can unblock it by calling us at 6132222 / 6310310 (from 8:00 to 20:00 on working days, and from 9:00 to 16:00 on Saturdays). In case of a repeated block, you will have to visit the bank’s branch. You should book a visit in advance. Have you discovered any unauthorised transactions on your account performed prior to the blocking of Internet Bank access? Review your account statement and submit the information to us.

The login session is terminated when no activity happens for 5 minutes. You will be asked to re-enter your login details. Time limits are used for security reasons, to prevent Internet Bank access if a user forgets to log off from his/her account after finishing using the Internet Bank.

Once you finish Internet Bank session, log off (by clicking 'Logoff') and close the browser.

When accessing Internet Bank via a laptop or stationary computer, follow these safety measures:

• Install antivirus software and configure it to automatic update of the virus definitions database (at least one auto-update per day).
• Install the local firewall. It should be configured so that it prevents connections from the Internet to your computer.
• Use the latest browser and operating system available.
• Turn on automatic updates for all software. If it cannot be updated automatically, regularly check on its ESTest software.
• Set your browser to block pop-ups.

• Make sure you are using antivirus software that automatically updates the threat library at least once a day.
• Use a firewall that prevents logging in to your computer remotely.
• Make sure your Operating System and browser are up-to-date.
• Turn on automatic updates for your software. If automatic updates are not possible you should check for updates on a regular basis.
• Set your browser to block pop-ups.
• More information on the ways to secure your device and to safely use other Internet services is available on the following websites:

https://www.ria.ee/en.html

• Download applications only from trusted sources such as the App Store, Google Play or Windows Phone Apps – Microsoft store.
• Do not allow other persons to use your phone or tablet were Swedbank App is installed.
• Do not reveal the screen lock codes to other persons and do not allow to unlock your phone with other persons’ biometric data.
• Use antivirus software.
• Always adhere to the requirements or security alerts of the manufacturer of your phone device.

What are safe browsers?

We encourage you to update your browser and operating system version as soon as update is released. These updates can be set up automatically for better security and experience in our digital channels. We officially support these browser versions:

• Google Chrome 85 and later;
• Microsoft Edge 85 and later;
• Mozilla Firefox 80 and later;
• Safari 14 and later.

What else should you know about security?

• Do not share your personal authentication means. If you want to give your family members or your employees rights to manage funds on your accounts, please, request the Bank to grant them respective rights. They will be able to use company’s accounts on behalf of their own and by using their own personal authentication means. You can revoke these rights at any time. It is also possible to order a supplementary card linked to your account for a family member to use. Sharing the same authentication mean between the employees or family members is strictly forbidden.
• Remember, that security of all your data (User ID, PIN codes, mobile phone number provided to the bank, personal number, etc.) is the key for protecting an access to your money.
• If you’re using a public computer, avoid entering personal information as there might be malware that records your details.
• Do not keep User ID number together with authentication means and their confidential codes.
• Never send authentication data by email.
• Never disclose your login information, unless you are initiating the call with the bank. No one has the right to request you to provide your personal number and authentication mean by phone. If you receive a call from a person stating he is an employee of the bank, end the conversation immediately.
• Your Smart-ID or PIN code generator PINs should not coincide with any part of your phone number or the sequence of numbers.
• Always compare control number and read “see what you sign” if available.
• By entering PIN2 of Smart-ID you are usually confirming a payment or an agreement. Be extra careful when doing it.
• You will get an SMS when new Smart ID account is created. Contact bank immediately if it wasn’t you who created Smart ID.

When shopping online, be prudent with your personal and financial data. Properly assess the threats, which you may encounter on the internet. We recommend to ensure protection of personal devices and always follow these safety tips:

• Shop in reliable shops only. It is always safe to buy goods and services in well-known Estonian and foreign e-shops with a good reputation. Take a critical approach to unknown sellers and try to find out more information about their activity. Study public internet feedback about a specific online shop. Find out whether the website presents detailed contact data of its administrator (address, phone, email, etc.), and make sure it does not contain various errors in their links (additional words or letters, strange symbols), popup windows, advertisings, a great number of links instead of informative content.
• Be cautious about discounts. You have found a high-quality product offered at a particularly low price? Before making a payment order, be sure that the company that offers the product really exists and is trustworthy. Be careful about advertisements in social networks. They may lead you to a fake online shop.
• Safe shopping by card. When shopping in foreign e-shops, the most common way of payment is by card. In this case you will have to indicate the details of your payment card. If an online shop participates in international security programmes, special logos such as “MasterCard SecureCode”, and “Verified by Visa” for Visa cards are used in this shop. You may be redirected to Internet Bank to confirm payment transaction by logging in. Learn more about “Safe online shopping” programme here. Before making payment in online shop, please evaluate safety of such online shop and study public internet feedback about its activity.
• Safe payment via electronic banking system. When shopping in Estonian online shops, usually you will be redirected to Swedbank Internet Bank account. You will recognise it from the Swedbank logo and Internet Bank address: https://www.swedbank.ee/banklink confirms that payment is made directly through the bank system. After you enter your login details, the website will automatically display the generated payment form.
• Third party providers. As of 14/09/2019, when you shop online, you might be offered to use payment initiation service, offered by payment institution (PISP), other than the bank, to pay for goods or services. If you choose to initiate payment from your account, kept with the bank, you might be asked to fill in the payment order form in the PISP’s environment, and give your consent to transfer data, necessary for performance of payment transaction, and later to confirm payment order with the Swedbank Internet Bank authentication mean. If you have noticed any transaction in the account statement, not authorised by you, inform us immediately by calling 6132222 (for business clients) or 6310310 (for private clients).

It is important for us at Swedbank that our customers can feel safe and secure when managing their monetary affairs with our electronic channels. Therefore, we seek to ensure the highest security level in IT systems. Despite this, an error may slip by. If you have found a security flaw, we would like to hear more about it to be able to correct the problem as soon as possible.

How do you report?

Send an email to us in your local language at responsible-disclosure@swedbank.com. Optionally, you can use our public PGP key to protect the information you send over. Make sure to have included the following information:

• Detailed description of the vulnerability containing such info as URL and type of vulnerability;
• The necessary information that we need in order to reproduce the problem;
• If applicable, a screenshot of the vulnerability you have found;
• Contact information, name and surname, email, phone number, and your public PGP key (if you have one).

This personal data submitted by you will be processed by Swedbank in order to inform you about the analysis of IT security flaws noticed by you and their correction, and, if necessary, to contact you regarding the revision of the information submitted by you. More information about Swedbank’s data processing procedure is available here.

What can you report?

You can report security flaws that you have found in any of our services. Examples of security flaws are cross-site scripting, flaws in encryption or flaws with security implications in logic controls. The reporting service is not designated for other logical errors, errors in texts, questions about our services, questions about the security of our services or similar.

What can you expect from Swedbank?

We will confirm that we have received your description, continuously keep you updated while we process the issue, and inform you when the issue is fixed. Claims for compensation as a condition for sending in a vulnerability are not accepted.

What is required from you?

It is important for both us and our clients that you follow good practice, i.e. that:

• You do not use the vulnerability to access or attempt to access information that does not belong to you;
• You do not use the vulnerability to remove or modify information;
• You do not affect the availability of our services;
• You give us an opportunity to fix the reported vulnerability before going public with it.

Can you file a report anonymously?

Yes, but then we cannot respond back and keep you updated on the status.

PGP key

Use this PGP key if you want to send us an encrypted e-mail. But using it is not required.

Key ID: 0x0AD6CCAF

Control code: 2D14 4030 6D4B 68C3 F286 3AC6 333B E8E4 0AD6 CCAF