Information security guidelines for customers
1. Online transactions – Internet bank and online card payments
1.1 Internet bank
- When entering the bank, make sure that you are prompted for the PIN1 code, not the PIN2 code!
- If possible, avoid conducting bank operations using devices that are not yours (public computers, internet kiosks, a friend’s device). If this is not possible, you must be particularly vigilant and not leave the computer unattended while you are logged in to the internet bank. Once you have completed your business, make sure that you are logged out of the internet bank and have closed the browser window.
- Avoid using the internet bank over unsecured Wi-Fi networks. Instead, set up a personal hotspot through your smartphone, if this is possible.
- Set reasonable limits on cash withdrawals, transfers and card transactions.
- Both in the internet bank settings and when signing the agreement at the bank, choose the lowest necessary limit on automated payments.
- Examine your credit card statement regularly. It is also recommended to pay attention to smaller amounts.
- Do not use the internet bank if you get an error message from the browser regarding security, the connection or certificates.
- If you use links in an email or text message to enter the internet bank, be sure to verify that the link indeed leads to the bank’s website. Banks’ URLs are usually in the form https://www.bankname.ee.
- If you have given other people the right to use online banking on your behalf, check these authorizations from time to time to see whether they are still current.
- Make sure that the invoice you are paying is legitimate and correct. Make sure that you are paying the correct recipient for the goods or service. It is also worth noting the country code in the IBAN – if possible, compare the IBAN to the IBAN used previously for payments to that service provider.
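Checking that a link really leads to the bank is harder than it looks, because a link can contain the bank’s name without going to the bank. The Python below is an added example, not part of these guidelines; bankname.ee is a placeholder domain and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Placeholder bank domain for the example; substitute your bank's real one.
BANK_DOMAIN = "bankname.ee"

def link_goes_to_bank(link: str, bank_domain: str = BANK_DOMAIN) -> bool:
    """Return True only if the link leads to the bank's own website.

    Deliberately strict: https only, the host must be the bank's domain or
    a subdomain of it, and the host must be plain ASCII so that look-alike
    characters from other alphabets cannot pass.
    """
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # drops any user@ prefix and :port, lowercases
    if not host:
        return False
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False
    host = host.rstrip(".")
    return host == bank_domain or host.endswith("." + bank_domain)

# Constructed sample links with the expected verdict for each.
SAMPLE_LINKS = {
    "https://www.bankname.ee/login": True,
    "https://m.bankname.ee/": True,
    "http://www.bankname.ee/login": False,                # not https
    "https://www.bankname.ee.evil.example/login": False,  # bank name is only a prefix
    "https://www.bankname.ee@evil.example/login": False,  # real host is after the @
    "https://www.bankname-ee.example/login": False,       # hyphen instead of a dot
    "https://www.b\u0430nkname.ee/login": False,          # Cyrillic 'a' look-alike
}

def check_all(links=SAMPLE_LINKS) -> dict:
    """Verdict for every sample link, keyed by link."""
    return {link: link_goes_to_bank(link) for link in links}

if __name__ == "__main__":
    for link, verdict in check_all().items():
        print(f"{'OK  ' if verdict else 'WARN'} {link}")
```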
1.2 Card payments online
- When making online payments to Estonian e-stores and service providers, use the provided bank link rather than entering credit card details. If you are purchasing from other countries, prefer a trusted payment intermediary (such as PayPal) – this provides an additional guarantee when you are buying from unknown e-service providers or online retailers.
- When making online purchases, prefer well-known service providers and e-stores. Forgo deep discounts advertised by unfamiliar e-stores – if anything seems too good to be true, it probably is.
- If possible, do not enter card data on unfamiliar e-store sites.
- If possible, avoid making online purchases using devices that are not yours (public computers, internet kiosks, a friend’s device). If this cannot be avoided, you must be especially vigilant and not leave the computer unattended while you are logged in to the internet bank. Once you have completed your business, make sure that you are logged out of the internet bank and have closed the browser window.
- Under no circumstances should an online store ask for the codes you use to log in to your home bank. Never enter bank login codes on any other service provider’s website or online store!
- Be careful when making purchases on “Black Friday” and “Cyber Monday”. On these days in particular, deep discount offers from unfamiliar merchants may distract your attention and you may fall victim to a scam.
- Never post pictures of your own payment card or someone else’s on the internet or social media.
2. Bank card transactions – card payments and ATMs
2.1 Card payments in store and at service providers
- Never let the card leave your sight. When paying in a store, make sure the seller does not take your card to a back room or another location where you lose sight of it.
- When making a card payment, ensure that no one can see the PIN code you are entering. If necessary, use your other hand to shield the keypad while you are entering the PIN code.
- Before making a contactless payment, make sure the amount to be paid is correct.
- Never store the PIN code for a bank card in your wallet, and most definitely not on the card itself.
- Notify the bank immediately of lost or stolen cards. Some banking apps allow you to temporarily close your card and re-open it once you have found it. If you close the card right away, that will significantly reduce the chance of anyone conducting unauthorized operations with the funds in your bank account.
- When travelling, make sure that you have a backup payment option besides your everyday card.
- If you are paying by card, take a good look at the payment terminal first. Be circumspect if there is any unusual hardware attached to the terminal – it could be used to attempt to skim your card data.
- If your card has a contactless function, set limits on contactless payments. If you do not wish to make contactless payments, disable this function.
2.2 Cash withdrawal
- Your PIN code is personal and confidential. Do not share it with anyone
else and do not keep it in your wallet with the card.
- When withdrawing cash, ensure that no one can see the PIN code you are
entering. If necessary, use your other hand to shield the keypad while you are
entering the PIN code.
- Keep an eye on activity on your bank account! Regularly check your
account statement in the online bank to make sure that no one has withdrawn
money without your knowledge.
- Make sure that you return the bank card to your wallet after you are
done with your transactions at the ATM.
- If you notice anything unusual about the ATM, such as traces of adhesive
by the card slot or the keypad has an unusual shape, do not insert the card and
contact the bank immediately.
- Notify the bank immediately of lost or stolen cards. Some banking apps
allow you to temporarily block your card yourself and reactivate it once you
have found the card. If you close the card right away, that will significantly
reduce the chance of anyone conducting unauthorized operations with funds on
your bank account.
3. Smartphone and security
- If possible, configure your telephone so that you can delete its contents remotely if it is lost.
- Download apps only from an official app store secured by the telephone manufacturer.
- Set a PIN code or passcode on your phone. Adjust the settings so that the PIN code is not visible on the screen while you are entering it.
- Do not choose your own birthday, that of a family member or any other easily guessed number as your PIN code.
- If you used the mobile app to access the bank and the phone was lost or stolen, notify the bank.
- If you do not need Wi-Fi, Bluetooth or NFC at a given time, turn them off. Besides increasing security, this also saves battery life.
- Update your phone’s operating system and software regularly and always install the latest updates.
- Consider replacing the phone if the manufacturer has discontinued security updates for your device. If your phone has an obsolete operating system and security features, it may become impossible to access bank services at some point anyway.
4. Secure authentication
- Never enter Mobile ID and Smart ID PIN codes anywhere but the relevant app
on your phone! Legitimate service providers and bank websites will never ask
for Mobile ID or Smart ID PIN codes.
- When using Mobile-ID and Smart-ID always make sure that the control code
displayed on your phone screen before confirmation matches the code displayed
on the internet or mobile bank page.
- When using Mobile-ID and Smart-ID, always make sure what you are confirming:
the name of the service and a brief description of the transaction are
displayed on the screen. If you are not certain whether the operation is
correct, do not enter the PIN code.
- If you did not initiate a transaction but receive a Mobile-ID or Smart-ID
prompt, never enter the PIN code. It is likely attempted fraud or an erroneous username
entered by another user.
- The Smart-ID self-service website has an
option for viewing and if necessary closing your active Smart-ID agreements. It
is a good idea to check your Smart-ID agreements from time to time. If you
discover anything suspicious there, you should be sure to turn to the
Certification Centre or police.
- If your ID card has been lost or stolen, or you
suspect that it is, call the ID card help line 1777 right away. First suspend
the certificates – this will prevent anyone from using your card
electronically. Close the card permanently if you are sure that the card is
lost.
- If you use Mobile-ID, and your phone is lost or
stolen, likewise call the ID card help line 1777 right away. First suspend the
certificates – this will prevent anyone from using your Mobile-ID. Close Mobile-ID
permanently if you are sure that the phone is lost.
- Do not choose your own birthday, that of a family member or any other
easily guessed number as the PIN code for your ID card or Mobile-ID.
- Do not keep the ID card and its PIN codes in the same
drawer or wallet.
- Do not keep Mobile-ID or Smart-ID PIN codes in your phone in an
easy-to-find place such as under Contacts.
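The control-code comparison described above works because the code on the phone is derived from the exact hash the app is being asked to sign, so a code that differs from the one on the bank page means the phone received something other than the displayed transaction. The Python below is an added illustration, not part of these guidelines or of the Smart-ID or Mobile-ID apps; it assumes the Smart-ID documented derivation (last two bytes of SHA-256 over the hash to be signed, as a big-endian integer mod 10000) and uses constructed transaction texts with placeholder IBANs.

```python
import hashlib

def verification_code(hash_to_sign: bytes) -> str:
    """Four-digit control code for a hash that is about to be signed.

    Assumed rule (Smart-ID documentation): take the last two bytes of
    SHA-256 over the hash, read them as a big-endian integer, reduce
    modulo 10000 and zero-pad to four digits.
    """
    digest = hashlib.sha256(hash_to_sign).digest()
    return f"{int.from_bytes(digest[-2:], 'big') % 10000:04d}"

def transaction_hash(payload: bytes) -> bytes:
    """Hash of the transaction content sent to the phone for signing
    (simplified: real services hash a structured document, not plain text)."""
    return hashlib.sha256(payload).digest()

def codes_match(page_code: str, phone_code: str) -> bool:
    """The check the customer performs: bank page code vs phone app code."""
    return page_code.strip() == phone_code.strip()

def simulate(page_payload: bytes, phone_payload: bytes):
    """Return (code shown on the bank page, code shown on the phone, match).

    The bank page derives its code from the transaction it displays; the
    phone derives its code from the hash it actually received. They agree
    only when both are computed over the same hash.
    """
    page_code = verification_code(transaction_hash(page_payload))
    phone_code = verification_code(transaction_hash(phone_payload))
    return page_code, phone_code, codes_match(page_code, phone_code)

# Constructed sample transactions (placeholder IBANs, not real accounts).
INTENDED = b"Pay 12.50 EUR to EE00PLACEHOLDER0001 ref 1234"
ALTERED = b"Pay 1250.00 EUR to EE00PLACEHOLDER0002 ref 1234"

if __name__ == "__main__":
    page, phone, ok = simulate(INTENDED, INTENDED)
    print(f"same transaction:    page={page} phone={phone} match={ok}")
    page, phone, ok = simulate(INTENDED, ALTERED)
    # Almost always False; a 4-digit code can coincide by chance (1 in 10000).
    print(f"altered transaction: page={page} phone={phone} match={ok}")
```

Because the code has only four digits, two different transactions can produce the same code by chance, so a matching code is necessary but the service name and transaction description shown on the phone must still be checked, as the guideline says.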
5. Communication with the bank
- Do not automatically trust emails which purport to be from the bank and which ask you to click a link or enter passwords to log in to the bank. If you have any suspicion at all about the email, call bank customer support.
- When communicating with the bank, encrypt any sensitive documents and ask that the bank employee likewise encrypt documents with sensitive content, so that you can open them using your digital identity. You will find information on how to do this on the ID card website https://www.id.ee/index.php?id=36034. In this way you ensure the secure transmission of data, and even if an email meant for you goes to the wrong recipient, that person will be unable to access the attached encrypted data.
- Do not disclose your passwords, PIN codes or complete bank card data when talking to the bank on the phone. Be particularly mindful of this when talking to the bank in a public place.
6. Device security
- Make sure that your devices connected to the internet (computers, smartphones, tablets, vacuum cleaners, security cameras etc.) are always running the latest software. Do not disregard reminders to download new software and do not postpone updates that the device prompts you to install.
- If possible, use antivirus software (especially on Windows computers). If you are already using such software, make sure it is updated automatically. Antivirus programs generally install updates several times a day!
- Set up separate user accounts without admin privileges for everyday use. Carry out your everyday tasks (web surfing, email, documents) under ordinary user accounts – this reduces the risk that someone will hack into your devices and misuse your data. If there are less experienced computer users in your household (children and the elderly in particular), it is particularly important that they follow this rule!
- If you install software on your computer, check its origin: download commercial software only from the manufacturer’s official website. When using freeware, trust only programs with open source code. Avoid middlemen whose association with the manufacturer is unclear.