Security Mechanisms in CitiDirect®
CitiDirect has the following 6-level security system:
User Identification and Verification
Access to CitiDirect is granted to Users who log into the system with their SafeWord card or Mobile Token (token).
CitiDirect Mobile Token is a login credential that enables users to log in to both CitiDirect® desktop and mobile. CitiDirect Mobile Token enables users to easily and quickly – in just a few minutes – confirm their identity and gain secure access to CitiDirect from their computer or mobile application. Combined with CitiDirect biometric authentication (fingerprints or face recognition), it offers a convenient way to log in to CitiDirect.
Each SafeWord card generates dynamic, one-time passwords, which significantly reduce the risk of unauthorized access to CitiDirect, for example as a result of password theft or cracking. In addition, the SafeWord card is protected with a 4-digit PIN code, known only to its holder. Card holders may change their PIN codes at any time.
User Entitlement Levels
User entitlements are controlled via their access profiles, which determine a specific level of access to functionalities in CitiDirect. Access profiles assigned to Users define: access to particular accounts and transaction types, operations allowed under transactions with a predefined limit, authorization schemes and limits, etc.
Multi-level Transaction Authorization
Even the best designed internal processes can prove insufficient, for example when a single person has full control over transactions in the system. That is why we recommend authorization schemes that require the transactions to be accepted by at least one additional User.
The Bank offers as many as 9 authorization levels. If a higher authorization level is required when making payments in CitiDirect, the security level can be significantly improved.
We recommend that our Clients define at least 1 transaction authorization level.
The Bank also offers other risk-mitigating functionalities, such as blocking manual submission of payment orders by Users, requiring authorization of created payment templates, or defining payment limits. To configure such additional security mechanisms, please contact your Relationship Manager.
Encrypted Session and Digital Security Certificate
All information, from Client identification through the end of session in CitiDirect, is secured with the TLS (Transport Layer Security) protocol, which ensures confidentiality of transmitted data with the use of advanced encryption methods.
TLS also protects data integrity. One of its elements is the Message Authentication Code (MAC), which verifies that no unauthorized modification of data occurred during transmission.
Our electronic banking system https://portal.citidirect.com is secured with a Symantec Class 3 EV SSL CA – G3 digital certificate. This is the digital signature of a site which confirms that the User is in a service owned by Citi Handlowy. The certificate ensures that all confidential transactions executed via CitiDirect are encrypted.
Before you log in to the service, check if the certificate is valid and verify its issuer.
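The certificate check described above can also be scripted. The following Python is an added example, not code from Citi or CitiDirect: the function names are hypothetical, the sample certificate is constructed, and the expected issuer name is the one quoted on this page (an en dash and a hyphen are treated as equal).

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.citidirect.com"),),),
    "issuer": ((("commonName", "Symantec Class 3 EV SSL CA - G3"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "portal.citidirect.com"),),
}

def fetch_peer_cert(host, port=443, timeout=10):
    """Connect with chain and hostname verification on; return the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _attr(name, key):
    """First value of one attribute (e.g. commonName) in a getpeercert() name tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _norm(text):
    """Lower-case, collapse spaces, and treat an en dash like a hyphen."""
    return " ".join((text or "").replace("\u2013", "-").split()).lower()

def _covers(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_certificate(cert, host, expected_issuer_cn, now=None):
    """Return a list of problems; an empty list means every check passed."""
    ts = (now or datetime.now(timezone.utc)).timestamp()
    problems = []
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    issuer_cn = _attr(cert.get("issuer", ()), "commonName")
    if _norm(issuer_cn) != _norm(expected_issuer_cn):
        problems.append(f"unexpected issuer: {issuer_cn!r}")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_covers(p, host) for p in sans):
        problems.append(f"hostname {host} not covered by certificate")
    return problems
```

`fetch_peer_cert("portal.citidirect.com")` needs network access; the default context already rejects an untrusted chain or a hostname mismatch before the dictionary is returned, so `check_certificate` adds the issuer comparison on top of that.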
Automatic Session Expiration
Every session will be automatically ended after 20 minutes of inactivity to prevent a third party from accessing the accounts if the User forgets to log out.
Blocking Users
In order to ensure the security of your funds, the User will be automatically blocked after 5 unsuccessful attempts to log in and/or after 12 months since:
- the last login date – concerns Users who have logged into the system or
- the date of creating the user in the system – concerns Users who have never logged into the system.
In order to maintain access to the CitiDirect system, we advise logging into the system at least once every 3 months. A blocked SafeWord card should be replaced with a new one if a User intends to use the CitiDirect system in the future. This intention should be expressed in a separate application.
If a SafeWord card is lost or damaged, the User should immediately contact CitiService (call (22) 690 19 81) to block access to CitiDirect.