When you log in to online banking, enter only the characters requested by the system. Within one login attempt you will always be asked for the same set of characters: for example, if you make a mistake and the system asks you to re-enter the password, the requested characters will be the same as in the first attempt.
Always make sure that the address of the login page (where you enter the user identifier and then the password) begins with “https”.
Moje ING: https://login.ingbank.pl/mojeing/app/#login
Cybercriminals want to obtain your login and password! For example, they display a fake login screen for the online banking system. On such a screen, they may ask you for your password twice, each time requesting a different set of characters.
In the example above, you can see a password field that asks you for a different set of characters each time. Added together, they make up the full password. It is then received by cybercriminals, who gain access to your online banking.
Beware of false security certificates
If you receive a request to download software, e.g. on your mobile, contact the bank. It is a fraud attempt!
Installing the certificate infects your phone. During installation, cybercriminals ask for your consent, e.g. to view and send text messages. This is how they get access to the authorisation codes sent by the bank in text messages, which ultimately means access to your money.
Do not download applications from untrusted sources
Always download our mobile application from an authorised source (App Store, Google Play).
Beware of mobile applications from unauthorised stores.
Application download links can be found on websites designed, e.g., for watching videos. Such applications may steal your login data and authorisation messages.
How does it happen? When you log in to the bank on your mobile, the application displays a fake login screen. This is how criminals obtain your login and password. The application then redirects incoming calls and text messages to the criminal’s telephone number.
- How is the user identified when logging into the system?
In the Moje ING system the user is verified via the User Identifier and a masked access password to the system.
- Does a masked password protect the password against being seen by unauthorised persons?
A masked password is a really good security measure; however, special precautions should be taken when logging into the system in public places. In practice, a masked password does not protect the typed characters against being seen, but it prevents unauthorised persons from seeing the full password.
- Is it possible for the same fields of the access password to be drawn again?
The number of possible mask draws depends on the password length. Repetition of an identical password mask is random. The likelihood of the same mask occurring decreases as the password length increases. However, there is still a chance that an identical mask will be repeated even if the password consists of 30 characters. If the password consists of 10 characters, an identical mask may occur quite often, statistically after fewer than 300 attempts.
Moreover, if you fail to provide the correct access password, the mask will remain the same at subsequent login attempts until you enter the correct password.
- What does the security of the system look like (algorithms, transmission encryption, etc.)?
You receive access to the system after providing the User Identifier and access password (in a masked form). Communication between your computer and the Bank’s server is encrypted with the 128-bit SSL protocol. It guarantees fully secure data encryption, protects data against changes made from the outside and authenticates the computers that communicate with each other. Thanks to certificates issued by VeriSign, you can be sure that you have established a fully secure connection with the Bank’s server.
At the moment, instructions in Moje ING are authorised with authorisation codes. This method enables instructions made via Moje ING to be authorised with a one-time authorisation code that is sent to the mobile phone number (of a Polish or foreign mobile operator) identified during service activation and/or to the HaloŚląski Customer Number. If the Bank concludes that an instruction requires authorisation, a code will be sent to you in the form of a text message or you will receive a code via the HaloŚląski telephone service (automatic service).
The register of recent operations lets you check whether there were any attempts by unauthorised persons to log into the system. Another safeguard is blocking access to the system if, at the fifth attempt, a correct identifier is provided but the password is incorrect. To increase your security, we introduced time parameters that govern the user’s active session time. The web server closes the session automatically if the Moje ING system is not used. This means that if you do not perform any operation for a longer time despite being logged in, the web server will close your active session after some time and you will be asked to log in again.
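The mask behaviour and the five-attempt block described above, shown as an added example (not the Bank's code): the mask stays fixed across failed attempts, so retrying cannot be used to obtain a different set of positions, and a new mask is drawn only after a correct login. `MaskIssuer`, `mask_count` and the mask size of 5 are assumptions, as is resetting the failure counter on success; checking the entered characters is left to the caller.

```python
import math
import secrets

MASK_SIZE = 5       # assumption: the page does not say how many characters are requested
MAX_FAILURES = 5    # from the page: access is blocked at the fifth failed attempt


def mask_count(password_length, mask_size=MASK_SIZE):
    """Number of distinct masks (sets of positions) that can be drawn."""
    return math.comb(password_length, mask_size)


class MaskIssuer:
    """Hypothetical server-side helper that decides which positions to request."""

    def __init__(self, password_length):
        self.password_length = password_length
        self.mask = None       # mask currently presented to the user
        self.failures = 0      # consecutive failures (assumed to reset on success)
        self.locked = False

    def _draw(self):
        # Draw MASK_SIZE distinct 1-based positions using the OS CSPRNG.
        rng = secrets.SystemRandom()
        positions = rng.sample(range(1, self.password_length + 1), MASK_SIZE)
        return tuple(sorted(positions))

    def challenge(self):
        """Return the positions to request; unchanged until a login succeeds."""
        if self.locked:
            raise PermissionError("access blocked")
        if self.mask is None:
            self.mask = self._draw()
        return self.mask

    def record(self, success):
        """Record the outcome of checking the characters the user entered."""
        if success:
            self.mask = None       # a fresh mask is drawn only after a correct login
            self.failures = 0
        else:
            self.failures += 1     # the mask is deliberately left unchanged
            if self.failures >= MAX_FAILURES:
                self.locked = True
```

With these assumed values a 10-character password has 252 possible masks and a 30-character password has 142506.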
Remember that you can also contribute to secure management of funds in your bank account. In order to do so, follow the recommendations below:
- use your access password to the system in a secure way,
- check the date of the last login to the system,
- check the register of recent operations,
- use the Log Out function once you have finished using Moje ING,
- remember to close all browser windows after logging out of Moje ING and before you leave the computer,
- regularly install patches published by the provider of the operating system and software,
- install anti-virus software and update virus signatures,
- install a personal firewall that will reject all non-standard connections from/to your computer,
- take precautions when downloading files from the internet and opening attachments to e-mails received or downloaded from untrusted sources,
- do not use electronic banking in public places (e.g. internet cafés); such computers may have dangerous software installed to capture your data,
- do not respond to e-mails that ask you to disclose or verify your personal data or confidential information such as login, access password to the Moje ING system, one-time password or account number. ING Bank Śląski never sends such e-mails. If you receive such an e-mail, you should ignore it and notify the Bank about it.
- Does the Bank require additional computer security measures from me?
Yes. The Bank requires additional security measures, as it does not control your computer environment or your access to different internet services. You have to make sure that your computer is secure.
- Does the Bank make information on the secure use of internet banking available?
Yes. The Bank publishes all information on that subject on its website and expects its customers to follow it. Information on that subject can be found on that website.
- Is it possible that unauthorised persons see data that is being sent?
No. SSL technologies used for data encryption provide full confidentiality of the sent content. Unauthorised persons are not able to manage the account or see its content.
- How do I know that I have established an encrypted connection?
Data transmission in the Moje ING system uses the https protocol.
It is a variant of the http protocol created to exchange information that requires special protection due to its nature (e.g. financial information). A characteristic feature of https is that the whole transmission is encrypted with special encryption keys, which makes it practically impossible for unauthorised persons to capture data.
All financial services on the internet, such as banking services or payments in online stores, are provided using this protocol. When you use services based on the https protocol, a virtual encrypted channel connecting you with the service server is created for the duration of the connection. You can securely submit data via this channel without a risk that the data will leak.
As soon as the encrypted connection is established, your browser will display the https protocol instead of http in the address bar. Additionally, a small lock will be displayed on the status bar (at the bottom of the browser window). You can click it and read the description of the server’s certificate.
- How can I check if unauthorised persons tried to log into the Moje ING system?
You can check it in the Register of recent operations. It contains, inter alia, information on the IP addresses from which successful or unsuccessful logins to the system were made. An IP address is a unique number assigned to each computer with access to the internet. Additionally, the computer’s IP address is displayed on the “Homepage” screen alongside information on recent logins.
The presentation of IP addresses lets you verify the places from which you logged into the Moje ING system. An IP address is assigned by your internet service provider. Depending on the agreement with your provider, you use either a fixed IP address or a dynamically assigned one. In the second case, each time the computer connects to the internet, it is assigned an IP address from the addresses at the disposal of the internet service provider.
To learn what IP address was assigned to your computer, you have to run the relevant system command. On the basis of the currently assigned IP, the range of addresses that can be assigned to you is determined. These addresses can be determined on certain websites (e.g. www.ripe.net). If you log into the Moje ING system from the same place each time, then the IP in the history of logins has to be within the addresses offered by the internet provider for this location.
- Is the Bank responsible for the customer losses?
The Bank is responsible only for actual and proven losses of customers resulting from incorrect or delayed execution by the Bank of instructions made via the Moje ING system.
- What is the duration of a user’s session in the Moje ING system?
The duration of a user’s session starts at the moment of logging into the ING BankOnLine and lasts:
- 15 minutes – if the user is inactive (if the user wishes to continue using the Moje ING system after this time, the system will ask for the access password again),
- 30 minutes – if the user continues to use the Moje ING system (after this time, the user will be asked to enter the access password again).
- What if I lose my mobile or have it stolen?
To remove the device from the list of trusted devices, log into Moje ING, select “Details and settings” from the top menu and then select “Security”. Moreover, you can change your PIN to the mobile application in the “Security” and “Mobile Application” sections. You can also reset the PIN to the mobile application in the “Mobile Application” section.
Our consultants can support you if needed. Call our special infoline for the internet banking customers:
(32) 357 00 10 or 801 601 607 (the costs of calls in accordance with the operator’s tariff)
Do you have any doubts?
If you have encountered any of the above situations or you suspect that your computer or mobile has been infected, contact us immediately:
+48 32 357 00 69 (landline and mobile phones)
After reporting the issue to the bank, you may also try to remove the malicious software on your own.
Find out how to set a secure and easy-to-remember password.
Check how our mobile transaction authorisation works.
ING Bank Śląski Security Advisories
Check out current information on threats in online banking on our site.
Check out current information on threats in online banking on the CERT Polska site.
Polish Bank Association
Check out current information on threats in online banking on the Polish Bank Association site.