Secure online banking
Providing you with a safe online banking experience is of a paramount importance to us. Check what else you can do to safeguard your account.
World-class security standards, multi-level authorization features, 24/7 system monitoring by our expert security staff – providing you with the highest level of security when banking online is our top priority. However please beware that your online security depends also on you!
Enable firewalls
Enable firewalls that keep unwanted connections from accessing your data, install anti-virus protection software and ensure your operating system and Internet browser are up-to-date.
Beware of phishing e-mails
Do not reply to e-mails where you are asked to provide your personal data or passwords. Inform us immediately of all cases of this sort.
Do not disclose your confidential data
Do not disclose your card numbers, usernames or passwords to anybody. They should always be memorized and not recorded/written down anywhere. If you need to write them down, make this information encrypted, preventing others from accessing it.
Save passwords
Do not store your passwords in files stored on your computer.
Card number and PIN
Do not keep your PIN, E-PIN or CitiPhone PIN together with your card number.
Card information security
Do not reveal the information stated on your credit card such as its expiry date and the last 3 digits of the credit card number.
SMS authorization
When using SMS service, always make sure that the last digits of the beneficiary’s account number correspond to the account number stated in the activating SMS.
PIN security
Before you start using your PIN, E-PIN or CitiPhone PIN, make sure that nobody has accessed them before.
Strong passwords
Use strong passwords and PINS (e.g. never use your birthday date for your password) and change them regularly.
Suspicious links and attachments
Never open any suspicious links or attachments sent to you via e-mail, SMS or MMS.
Suspicion of loss or interception of the sign-in data
If you suspect or know that your sign-in data have been lost or intercepted, please contact the Bank immediately via Citi Phone (+48 22) 692 20 90
to block access to your account.
Lose a device
If you lose a device which you use for online banking, immediately contact the Bank using the CitiPhone at (+48) 22 692 20 90,
.
Before you log on to Citibank Online:
We protect our website with VeriSign Secure Site certificate that covers: www.online.citibank.pl, www.citibankonline.pl and www.citigold.pl. Extended Validation SSL certificates trigger the browser address bar in high-security browsers to change to a green color.
In case of any doubts as to the authenticity of the certificate, please check for the following:
- certificate issued for www.online.citibank.pl
- certificate issued by Symantec Class 3 EV SSL CA - G3
- certificate valid from October 29, 2015 through December 6, 2017
- owner: Citigroup Inc.
- fingerprint (SHA1) ee e4 43 5c 66 ed 7c c7 cb 67 bd 00 da 99 56 a3 e9 62 e9 1d
If the information provided on the certificate varies from this stated above, please contact Citibank Online (technical support) on (48 22) 692 20 90
Make sure your anti-virus protection software and firewall are active.
If you spot any unusual or suspicious activity, immediately inform us of this fact – (48 22) 692 20 90
Do not access electronic banking using unknown and improperly secured connections (e.g. public Wi-Fi networks).
When you log on to Citibank Online:
Remember that in order to log on to the system you will be asked to enter only your user name and password – if you are asked to provide other information on the logon screen, please contact us immediately on (48 22) 692 20 90.
When you get a new card, you will be asked to enter: your user name, card number and its expiry date, your date of birth and sms password (that will be sent to your phone number).
Make sure that nobody sees your user name or password when you are logging on to the system.
Do not bank online on public Wi-Fi networks (net cafe, library, etc.).
Never leave your computer unattended while you are logged in to Citibank Online.
When you have finished your online banking session, always remember to properly log out before you close the browser window.
Safety of your money
New “Confirm the transaction” service has been designed to help you keep your credit card, debit card and online transfers safe. It ensures quick, two-way communication with the Bank and is designed to monitor your transactions to detect any unauthorized use.
The “Confirm the transaction” service is already available for all Citi Handlowy customers. The service users will be immediately informed of any transactions identified as suspicious.
In reply to our SMS:
- enter 1 to confirm the transaction,
- enter 2 to question the transaction.
SMS will be sent from +48 607 521 371 and we will ask you for no additional information to be provided other than “1” or “2”. By replying to our SMS you can confirm whether the transaction we are asking you about was made by you. The cost of the return SMS according to the rates of your phone operator.
In order to use the “Confirm the transaction” service, please make sure we have your up-to-date contact details. You can verify your contact details after you have logged on to Citibank Online.
During transactions or operations, such as a transfer to a new payee, or card linkage to a currency account, the Customer receives a text message. The message contains, among others, the title of the operation, the date and time of the operation, and a 6-digit verification code which the customer should use to confirm the transaction. For Citibank Online transactions, the code should be entered in a separate pop-up window.
Before you confirm the transaction, please make sure that you have ordered it and check the transaction details.
For selected operations, the text message also contains four last digits of the number of the bank account to which a transfer is to be made. In such a case, they should be verified against the last digits of the account in Citibank Online or Citi Mobile and, above all, against the original number of the bank account (specified on an invoice or another document).
For security reasons, each one-time activation code has a very short validity in order to prevent any unauthorized use.
3D secure is an additional security used by VISA and MasterCard in the case of payments made with payment cards online.
When paying with their card online, in the shops which have implemented the 3D Secure service, the client receives from the Bank a free text message containing an 8-digit code. The transaction may be executed only when the client enters the 8-digit code received in the message.
Each 3D Secure code has strictly specified, short validity – in order to additionally limit the possibility of operations by an unauthorised person.
Citi Handlowy is the only financial institution in Poland to receive both certifications – ISO 27001 Information Security and BS 25999 Business Continuity Management. Our security procedures have been assessed to meet the highest international standards.
ISO 27001 standard certifies that the information security procedures applied by the bank meet the world-class best practices. Certification covers all branches and all business activity of the bank.
BS 25999 Business Continuity Management certification issued by BSI Management Systems Polska Sp. z o.o. accredited by UKAS (United Kingdom Accreditation Service). Certification covers Citi Handlowy, its subsidiaries and Citi companies operating in Poland. BS 25999 is the world's first British standard for business continuity management (BCM) been developed to help minimize the risk of disruptions in business operations.
-
ISO 27001 Certificate
No IS 545351 -
BS 25999 Certificate
No BCMS 545376
All data from customer identification to ending your online session is secured by the 3.0 SSL (Secure Socket Layer) Protocol that uses advanced cryptographic technology with a 128-bit encryption.
Our site is secured by VeriSign Class 3 Extended Validation SSL SGC CA certificate. This is a code signing certificate guarantying that all confidential transactions made using Citibank Online are SSL encrypted. Every time before you log on to Citibank Online, please check if the certificate has not expired and who issued the certificate.
Our sites are securely protected by an SSL certificate from VeriSign that covers the following addresses: www.online.citibank.pl, www.citibankonline.pl oraz www.citigold.pl. SSL certificates with Extended Validation enable the most visible security indicator: the green address bar in high-security browsers, assuring users that your site is secure and your identity has been authenticated to the industry’s highest standards.
If you have any doubts about the certificate, please check if the certificate information corresponds to the following:
- certificate issued for www.online.citibank.pl
- certificate issued by Symantec Class 3 EV SSL CA - G3
- certificate valid from October 29, 2015 through December 6, 2017
- owner: Citigroup Inc.
- fingerprint (SHA1) ee e4 43 5c 66 ed 7c c7 cb 67 bd 00 da 99 56 a3 e9 62 e9 1d
In order to log on to Citibank Online, you will be asked to enter your user name and password that you set up during registration process. You are the only person who knows your access codes.
Do not disclose your online banking password or username to anybody.
Regularly check your online banking logon password.
As a security measure, your online banking session will automatically "time out" after 8 minutes of inactivity. This security feature is intended to prevent third parties from unauthorized access to your accounts.
Daily sum of transaction performed in Citibank Online cannot exceed the limit set by the account holder.
- Remember to regularly check whether the account numbers of your defined payees have not changed.
- Before you confirm a transaction, always check whether the account number to which you transfer the funds is the same as the number of the payee stated in the SMS that you received.
- Check the account and transaction history on your each debit card against any suspicious activity. You can stay on top of all your transactions if you activate the Citi Alerts Premium service.
- When banking online, never use the copy/paste button to enter the payee’s account number – always enter the number by yourself and double check it.
- Search your transaction history against any operations that have not been made by yourself. Pay special attention to the transactions made with your debit or credit card. If you find any irregularity, please inform us immediately.
- Never let any unauthorized persons to access the computer that you use to do your online banking.
- Regularly change your passwords.
- Immediately change your personal data such as your PINs, Citibank Online password or username if you suspect someone could have accessed them.
For safety reasons, any change in your personal data, such as postal address, e-mail address, mobile phone number, date of birth, or your mother’s maiden name, will be confirmed via SMS or e-mail. This communication will also warn you in case someone else would have tried to make changes in your personal data. We would like to remind you that you can also update your e-mail address and postal address via Citibank Online.
Safety of your computer
Antivirus software, having an updated information on malware programs is the first line of defense against the threats related to Internet usage. Antivirus software vendors offer protection solutions based on daily anti-malware database updates.
Antivirus protection software offer also such functionalities as:
- Preventing users from visiting dangerous websites and downloading dangerous files
- Protection solutions against privacy violation and identity theft
- E-commerce and online banking protection
- Permanent digital files deletion, containing personal and confidential information
- Spam avoidance (phishing threat)
- Incorporated firewall
Update your anti-virus software regularly. This way you can protect your computer against viruses and Trojans to a significant extent. If possible, activate automatic virus database updates and regular computer scans.
Remember to update the operating system on your computer, tablet or phone (if you use Windows, activate automatic updates). This will allow you to avoid any security holes in the system through which unauthorized people or programs may access your device.
You should also update the web browsers and mobile applications for online banking.
Make sure that the software you use comes from a legal and reliable source. If you use mobile applications, make sure that they are downloaded from official application stores (App Store, Google Play).
Firewalls protect against unwanted Internet connections - both outgoing and incoming. It is also a useful tool supporting the protection of your privacy against persons who might steal confidential data.
Windows operating systems are provided with in-built firewalls. If you are using other systems or if you simply want to use more extensive protection mechanism, we recommend the:
Loss of the phone to which one-time activation codes are sent.
If you lose the phone to which the Bank sends one-time activation codes, contact the Bank immediately
at (+48 22) 692 20 90 in order to block the account or change the User Name and Password used to log into online banking. In specific cases, a change of the contact telephone number and a visit to a branch of the Bank may be necessary.
If you don’t have the possibility of contacting the Bank, make sure that you change the User Name and Password using Citibank Online (after logging in, go to Products and Services -> My Citibank Online and then Change User Name and Change Password). Remember to change this type of data on a trusted and well-secured device.
Loss of the device which you use to access online banking.
If you lose the device which you use to access online banking, where your online banking encryption data could be stored, contact the Bank immediately at (+48 22) 692 20 90 in order to block the account or change the User Name and Password used to log into online banking. In specific cases, a change of the contact telephone number and a visit to a branch of the Bank may be necessary.
If you don’t have the possibility of contacting the Bank, make sure that you change the User Name and Password using Citibank Online (after logging in, go to Products and Services -> My Citibank Online and then Change User Name and Change Password). Remember to change this type of data on a trusted and well-secured device.
A new wave of phishing attacks that target online banking users has been reported in Poland.
Cyber criminals claiming to be from a legitimate source such as a government institution (e.g. Ministry of Finance, Ministry of Digital Affairs or Tax Authorities) may contact you via email in an attempt to get you to open an attachment that contains malware. For example, the scammers pretending to be from the Ministry of Finance send you an email with the attachment to inform you that you have not reported your income. Opening the attachment results in your computer being infected with GozNym or ISFB malware that is known for attacking online banking users.
Scammers may try to trick you using different methods that are designed to gain your trust and make you less vigilant. They often play on your emotions such as fear to push you to act impulsively (e.g. threat of financial penalty, criminal responsibility, financial or data loss, etc.).
Here are a few useful tips that you should follow to ensure that your online banking experience is safe:- Never fully trust that an email or text message is from whoever it says in the From field.
- Always double-check the sender’s email address, links and other information contained in the email either on the official site of the institution the email is coming from or by calling such institution.
- Spot phishing e-mails by looking for spelling mistakes or grammatical errors.
- Do not open any attachments or click any links from unknown or untrusted sources.
- Be suspicious of any email asking you to click a link that takes you to a page where you are asked to provide your personal details, usernames or credit card numbers.
- Always verify the details contained in the text message that appears to be sent from your bank (one-time authorization codes or information on potential fraud).
If you believe you may have fallen victim to a phishing scam, please call or visit us immediately.
Please be advised that criminals have intensified attacks on users of electronic banking in Poland.
Internet users may have received recently e-mail messages from senders passing off as various institutions (e.g. companies supplying electricity or courier and postal service firms). These messages contain malicious software or links to such software. The user is asked to click on the link attached to the message to check the status of the shipment or invoice. After clicking on, the link the user is transferred to a website that infects his or her computer with a virus.
To verify whether an e-mail message may be phishing, you must pay attention to such elements as:
- Do you expect such correspondence? Does the company that contacted you publish on its website warning about false correspondence?
- Sender address (in the case of phishing, after expanding it shows a different domain or country than the domain of a real company that the criminals pass off as).
- Grammar and logic errors in the message (e.g. date instead of address).
If you receive this type of message, do not click on the attached links or open the attached documents. If you expect this type of e-mail messages (e.g. you have a contract with the energy supplier), we suggest that you find on your own the proper website instead of using links sent in e-mails.
Please be informed that a GozNym malware, attacking computers of electronic banking system users, has been spotted.
How GozNym malware works?
Computers get infected in case user opens an attachment from an infected email. Activated malware checks what banking platforms is used by the user. Next, when user attempts to log in to his electronic banking platform gets redirected to a fake transactional service and the genuine banks electronic banking platform gets blocked.
How to prevent malware installation?
Do not open suspicious links and attachments sent via email.
Do not reply to any emails in which you are asked to provide your personal data or access codes.
Install and make work an anti-virus protection software, that has an updated malware database.
For more information on electronic banking safety features please visit following tabs: Basic Security Tips and Additional Security.
Please be informed that a new digital banking attack scenario has been developed by hackers in Poland.
According to the information provided by The Polish Bank Association hackers send SMS messages informing that smartphone system update is required otherwise it won’t be possible to use some features of the device. In the SMS sender field it appears either an unknown phone number or ANDROID tag. Massage contains also a link to a fake website to download the update. Device get infected with the malware Trojan when user unlocks option of installing applications from untrusted sources, and installs an application that requires access to sending and receiving SMS messages or even calling premium numbers (high connection charges).
Installation of this malware allows hackers to take control over the device and at any attempt to logon to online banking platform it will inform about the need of an additional one-time authorization code verification send to user’s device by the Bank via an SMS. It’s an attempt of stealing user’s codes and log on data, which once accessed by hackers will allow them to perform unauthorized transactions or change account settings.
Therefore, to avoid this malware software, users should beware of any suspicious requests to provide their one-time authorization codes and shall not click on any suspicious links in messages send by unknown senders. Information regarding operational system update is never being sent via an SMS. Any mobile application should be installed only from a trusted platform such as Google Play or AppStore. To improve device safety the option allowing app installation from untrusted sources should be switched off.
A new type of malware attacks has been spotted recently targeting the Polish online banking users.
The malware used by hackers displays a pop-up box after you have logged on to your online banking system. The box states that you may additionally insure the transactions you make online and asks you to add a new account number to your list of predefined payees.
Please be kindly informed that we do not offer such insurance! You should cease the transaction and notify us immediately of any such attempt since your computer may be infected with malware.
It is important that you carefully check all the details and the account numbers that you add to your list of predefined payees. Please be reminded that all the transaction details are stated in the SMS One-time Authorization Code that contains:
name of the bank
transaction details (e.g. name, the last four digits of the account to be added)
transaction date
code.
For enhanced security of your computer, please scan your computer regularly against any attacks using antivirus software.
A new type of malware has been spotted that may attack the online banking users.
The malware allows hackers to steal your user name and password as you enter them during the logon process. Once you have logged on to the system, you will be asked to install antivirus software on your mobile phone. To trick a user attackers may use a malware which looks identical to the original online security software of known and popular antivirus software vendors (for example Trusteer Rapport, McAfee, Kaspersky etc.).
First, the user is asked to select the operating system and then to enter the phone number that he/she uses to confirm the banking transactions. Later, the user receives the SMS containing the link to the fake software. Once the fake software has been downloaded and activated on your computer, the hackers will be able to fully control your device, stealing all your confidential data, including one-time SMS authorization codes.
Remember, Bank is never sending links to any antivirus software. We recommend installing antivirus software for your mobile device downloaded from official application stores (App Store, Google Play) only.
If you believe you have been a victim of a malware attack, please contact Citibank Online at (48 22) 692 20 90
A new type of malware called Dyre has been spotted that may attack the online banking users.
There are a number of ways your computer can get infected with the malware, including, for example, opening e-mail attachments that direct you to an unwanted site (phishing e-mails). Once the virus has been installed on your computer, the hacker will be able to steal your username and password as you enter them during the logon process.
While logging on to the online banking system, you may be informed that it will take longer than usual to complete the logon process. During this time the hackers will use your user name and password to make changes and transactions in the system.
Therefore, beware of emails from unknown senders that contain suspicious attachments or links. If you have received a phishing email, please do not open it - just delete it immediately. Additionally, we recommend you use an antivirus program to make sure your computer is safe.
If you believe you have been a victim of a malware attack, please contact Citibank Online at (48 22) 692 20 90
CERT Polska has spotted a new wave of malware, mainly Tinba, attacks targeting the Polish online banking users.
In the new attack scenario, the malware used by hackers changes the number of the account which you are currently transferring money into. The change occurs upon you confirm the funds transfer and takes place without any outward signs visible to the user.
It is therefore important that you carefully check the account number and the funds transfer amount with the confirmation SMS details.
A new wave of malware attacks has been spotted recently targeting the Polish online banking users.
In the new attack scenario, the malware used by hackers displays a pop-up box after you have logged on to your online banking system. The box states that you may additionally insure the transactions you make online and asks you to add a new account number to your list of predefined payees.
Please be kindly informed that we do not offer such insurance and you should notify us immediately of any such attempt. It is important that you carefully check all the account numbers added to your list of predefined payees!
Please remember not to install any anti-virus protection software or certificate to use Citibank Online on your computer or smartphone.
The only way to safely do your mobile banking is to download our Citi Mobile app from App Store, Google Play or BlackBerry App World.
Users of mobile banking are targeted by ZITMO, malicious software that poses a threat to funds deposited into bank accounts. The victims are urged to install the malicious software or “e-certificate” which enables hackers to access the accounts.
For more information on the fake anti-virus protection software and e-certificate, please visit CERT’s site.
If visiting our websites you spot any information urging users to install the certificate, please:
- report the fake site by filling out the form,
- contact Citibank Online support services on (48 22) 692 20 90
We will take appropriate action to block the fake website and eliminate the source from which the scam e-mails are sent.
For information on malware removing, please visit CERT’s site.
The Bank has noticed a new attack scenario carried out by VMZeus malware. In this scenario, the customer is asked to allegedly confirm their contact number using a single-pass code. In reality, this number is substituted in the system for a number controlled by criminals.
We recommend paying particular attention to any operations related with changing the contact telephone number in online banking. Substitution of the telephone number may lead to a situation in which the criminal obtains all information necessary to carry out an unauthorised transaction and transfer financial resources.
Any suspicious situations should be reported by:
- filling out this form
- sending us printed pages via facsimile (+48 22) 692 98 03 or
- submitting print-outs of pages to any Bank Branch.
New malware known as Android.BankBot.34.origin has been observed on the Internet. It can obtain users’ private data from infected devices and, as a consequence, steal funds from online and mobile accounts associated with these devices.
The following actions can facilitate installation of this type of software:
- enabling the option to install applications from untrusted sources in the operating system,
- permitting programme installation by confirming authorisation,
- adding a programme as “device administrator” in a separate dialog box.
At the same time, we recommend:
- not installing on your mobile devices applications from suspicious sources which disable the function allowing for omission of Google Play while downloading software,
- paying particular attention, while installing an application, to the list of functionalities to which a given application will refer.
The Polish Bank Association would like to inform you about a new type of malware known as Banapter. It threatens Customers who use online banking via popular Internet browsers: Firefox, Internet Explorer or Opera.
Criminals use spam e-mail to infect Customers’ computers. These e-mails reach random recipients, but many of them are also received by customers of Polish banks.
Fraudsters send fake e-mails urging you to provide confidential information. Such e-mails usually contain attachments and/or request for confidential personal details. They may also contain a link to a fake Citibank Online site which looks almost identical to the proper one.
If you receive a scam e-mail claiming to be from Citi Handlowy or Citigroup, we kindly ask you to:
- report the fake e-mail by filling out the form,
- contact Citibank Online support services on (48 22) 692 20 90
In case of reporting any fraudulent activity, the bank in cooperation with local law enforcement officials will take appropriate action to block the fake website and eliminate the source from which the scam e-mails are sent.
If you think you may have provided confidential information in response to such fake e-mail, you are asked to immediately contact CitiPhone on (801 32 2484 or 48 22 692 2484).
Malware such as trojans/keyloggers can be secretly installed on your PC. This software enables hackers to see the text you type on your computer or scan your computer in search of credit card or bank account information, as well as spy your Internet habits and behavior.
Malware may be served as hidden codes within a website, email or email attachment’s code. Therefore it is essential that you regularly update your anti-virus software and firewalls installed on your computer.
If your anti-virus software detects and removes a trojan horse, please remember to immediately change your Citibank Online user name and password.
The Internet users were informed some time ago of the security gap in popular Internet Explorer web browser. The gap can let an attacker to take control of a computer if the user clicks on a link to a malicious website. Therefore you should immediately update your Internet Explorer browser using Microsoft website.
News
When banking on your smartphone or tablet it is worth making an effort to secure the device you are using.
Smartphones and tablets are like computers. They have an operating system (e.g. Android or iOS), a memory to store data and applications. The security features and OS settings of our mobile devices that have been implemented or configured by their manufacturers to protect both installed applications and stored data. To keep our data safe, the operating system restricts access to applications from the level of other programs – applications only operate in their dedicated space, which means that one application cannot use resources used by other applications.
Sometimes users decide to modify the settings of the operating system using a practice called rooting (Android) or jailbreaking (iOS). As a result, the device operates in administrator mode, which makes it significantly easier for a third party to intercept the control of the mobile device as certain security features are disabled.
Rooting and jailbreaking pose a great threat also to the security of the mobile banking application as certain limitations are turned off and other applications can gain full access to all the resources of the device and interfere in the space dedicated to the banking application. Users are not prohibited from switching to such mode, however for a person without sufficient programming expertise and lacking the necessary knowledge of the operating system installed on the device the risk that the device will be infected with malicious software and, as a result, the control of the device is taken over by a third party is considerably higher.
In order to improve the security of its mobile banking service, Citi Handlowy has recently implemented in the Citi Mobile® application a mechanism which detects rooting / jailbreaking activities on a device. If such activities are detected, the user will see a threat warning before logging in to Citi Mobile®. Such message may also appear when Citi Mobile is trying to start in administrator mode even if the user did not intentionally make any of the above changes in the operating system. This situation can be caused by a virus installed on the device.
This message will appear only once and the user has to decide if he or she is aware of the risk and whether he or she wants to continue or to stop using Citi Mobile® on that device.
If such a threat message is displayed, we recommend not to use the mobile banking service on that device. If you have any doubts or if you suspect that a virus may be involved, please contact the Bank for advice what to do next.
Archive
Recently there have been many phishing incidents reported targeting online banking users. The incidents aim to obtain sensitive information such as your bank account usernames, passwords or your card credentials. Criminals are sending scam emails claiming that you have been locked out of your account due to, e.g. unauthorized use of your bank account. They try to trick you into clicking a link that will take you to a phishing site controlled by the fraudster, enabling them to steal security details that can be used to access the victim’s bank account online. If you ever receive such email, please contact us immediately.
Please remember that Citi Handlowy will never ask you for the following via an email or text message:
- to provide sensitive information such as your logon details, one-off text message authorization codes, your card credentials, PINs or your mobile phone details (such as your phone number, brand or device model)
- to install/update your software or security certificates on your computer/phone.
We advise you to carefully read any text messages received from the bank and verify the text message information against the details of the transaction that you are making using online banking or mobile apps. This refers to both, one-time text message authorization codes where you should carefully verify the transaction details, as well as information messages. Should you have any doubts, please contact us immediately.
In order to ensure peace of mind for our clients, we are continually improving our online banking security measures. Recently, we have implemented a new security tool that will ensure your information is kept as secure as possible online: in the event of a failed logon attempt, you will be automatically informed of this fact via a text message. If you are not sure if the logon attempt was made by you, please start your antivirus software scan and change your username and password.