Security

Image of a zebra
Image of a zebra

At Investec we take security very seriously. Risk management is a fundamental part of our business, and looking after our client’s online security is no different. We combine expertise from the security, risk and fraud disciplines to balance client experience with best-of-breed technology and procedural controls. Threats to our client’s data are very real and we endeavour to adapt our security architecture to manage associated risks against the backdrop of an ever evolving threat landscape.

You will see changes to our online and client-related controls as we work to proactively balance security and usability, while managing risk. We encourage clients to provide feedback so we can protect our most vital assets collaboratively.

  • Our security

    Investec Online although very convenient for clients, poses certain security challenges since we cannot physically see the client on the other end.

    Our security includes key controls to address the following:

    • Identification: Singling out a particular client through the anonymity of the Web
    • Authentication: Verifying this client is who they say they are
    • Authorisation:  Providing access to required services coupled with levels of authentication
    • Privacy:  Non-disclosure of sensitive information during the communications

    Credential management, data and transaction encryption, logging and pro-active monitoring are just some of the controls in use.

    Coupled with these are a suite of controls aimed at detecting and responding to potential fraudulent activity, notifying both you the client and us that something may be wrong.

    Username and password 

    Your username is the first piece of information that identifies you to Investec. Your passwords is the second piece of information that protects your account, and should only be known by you, so keep it safe and secure. Our systems provide the ability, and encourage our users, to create complex passwords that are difficult to guess and time consuming to crack by attackers.

    2nd factor authentication

    Passwords can be guessed or disclosed so it is necessary to boost the strength of the client identification process as we open access to more risky activities online. Two-factor authentication (2FA) refers to something you have, like your phone, to provide another level of authentication so we don’t rely on your password alone (something you know) to authenticate you on our systems. This makes it far more difficult for your online identity to become compromised.

    SMS One Time Password

    SMS notifications are enabled to alert you to activity on your online account. If you receive an SMS from us indicating activity in your account and it is not you, contact us immediately.

    We send notifications to your cell phone indicating you have logged in to the tablet application. This notification will activate at minimum every hour. If you receive one of these notifications and did not login, it may be an alert that someone has obtained your credentials or compromised one of your registered devices so please contact us immediately.

    An important fraud detection control is to alert you when changes are made to your account. As with the current online banking, SMS notifications are sent to confirm the riskier transactions of payments and beneficiary administration.

    Mobile Authentication Messages

    Much like OTP, the mobile authorization message security facility makes use of your mobile phone as the 2nd factor in your authentication. What makes this different to OTP is that this message is fully out-of-band, meaning it is not part of the communications between your browser and Investec at the time of request. This makes it more difficult for well-known man-in-the-middle malicious activities.

    For clients making use of the mobile device applications, mobile authorisation messages are used to confirm payments or changes to beneficiaries on the clients account.

  • Mobile security

    Mobile security looks to make use of your physical device, in conjunction with credentials, to secure your access to our online services. Mobile devices increase security in one aspect as they are typically devices only used by you, and so if secured correctly they mitigate the risk of phishing as they do not rely on the client to enter the address to our site.

    However these devices are more prone to being lost or stolen, and the network with which you connect to our online services cannot always be trusted. Due to the fact that the device is typically always with you, but also limited in keyboard size and functionality, our security mechanisms need to be provide a balance between security and usability.

    For security reasons, we recommend that you use a passcode or PIN to lock your device if you are using the Investec App. See FAQs for specific instructions on how to set a PIN lock on your device.

    Tablet app security

    The App is based on the same certification level as that of our online banking channel. The use of a USSD message/ one time password for the first time in a session ensures safer transaction activity or card PIN request. Our tablet application uses the same security credentials as Investec Online. You will not need to register your tablet app on Investec Online


    Phone app security

    Mobile device enrolment

    Mobile device enrolment takes place through a secure channel and turns your phone into a trusted physical device, which in conjunction with a pin provides two-factor authentication. If you ever lose your device you can call our call centre or disable the authorised device yourself via Online Banking, meaning it can no longer be used to access our online services.


    Device pin


    The device pin is used to unlock the mobile application on your device and the underlying security mechanisms. This pin is requested each time the mobile application is launched on your mobile device.

  • What can you do?

    Here are six tips to help you stay safe online:

    1. Ensure that you use a good antivirus on your personal computer or mobile device.
    2. Ensure that all the software on your computer is always up-to-date and that all the security updates are installed
    3. When using public Wi-Fi, ensure that the connection is encrypted.
    4. Select passwords that are not easily guessable as simple words or based on information that can be obtained about you such as your school’s name.Using a sentence that is easy to remember such as “this is my secure password” is much harder to guess or crack than a normal password like “Password123”
    5. Never save your passwords in your browser.When you receive a warning on your computer that a certificate is untrusted when browsing to a website, don’t ignore the warning, especially when accessing online banking services
    6. If you are using a Windows computer, or any computer for that matter, your user that your use to browse the Internet should not be part of any system privileged user group. This will go a long way in protecting your computer against malware infections.

    Some tips on privacy:

    • Limit the amount of personal information you leave on social networking sites, and ensure that these sites are limited to only those you want to view your details to do so.
    • Never divulge your PIN or password to ANYONE - we will never ask for these.
    • Never hand your card to anyone.Always check your statements and report any transactions you don’t recognise to our 24/7 call centre.
    • If any transactions on your account are highlighted to our monitoring systems we may need to contact you to validate these. Ensure that when your details change that Investec is informed.
    • Multiple 3rd party companies have facilities where your credit rating can be monitored for a nominal fee. Its good practice to regularly check your credit rating for any financial criminal activity that may have taken place with your personal details.
    • Identity theft occurs in the hundreds of thousands each year. Ensure your valuable documents such as passports, Identity Books / cards and drivers licenses are securely stored when not in use.
    • Never throw any printed statements or papers containing personal information away unless you have shredded them. We recommend that cross-cut shredders are used – the smaller the pieces the better.
    • Never respond to unsolicited text messages or emails, however legitimate they may appear.We will never ask you to provide us with your credentials via an email.
    • Never send personal information or credit card details in an email.
    • Always look for the padlock next to the web address in your browser. We use a VeriSign Class 3 Extended Validation secure certificate.
    • If accessing your accounts in a public place, or using a public computer, be vigilant in who is looking over your shoulder.
  • What we are doing?

    As an international financial services organisation the security of our clients’ money and personal information is paramount. We apply multiple levels of security based on industry standards and leverage various leading security technologies and practices. Fraudsters are getting better and more advanced every day, and as such our security evolves to combat them. We have some of the industry’s leading security personnel constantly working on our mechanisms and practices ensuring we are protected. We also work with other financial institutions to collaboratively address fraud across the industry.

    Some of the controls we deploy are generally good practice such as encryption and auditing. All online systems are subjected to security assessments through development and in production on a regular basis. We follow a risk-based approach to security, meaning the more sensitive assets such as client information are behind more layers of security. The same applies to our online services; the more risky the activity, the more security is involved. You will experience differences in the authentication and authorisation mechanisms across devices. This is normal and due to the capabilities, risk and services associated with each channel.

  • Online fraud

    Criminals are in it for the money and there are many ways for them to make money online:

    • Steal your passwords and bank details with viruses, fake emails and fake websites
    • Ask you to provide security details
    •  Send spam with bogus offers and products
    • Take over your computer and use it to attack other people's computers
    • Use viruses to display unwanted adverts on your PC

    Keyboard logging

    Although keyboard logging is a real threat the software has evolved to the point where it can capture screen shots and mouse clicks as well as key strokes. So it can easily capture your pin even through the use of a scrambled pin pad.

    Therefore the previous 5 digit pin which can be more easily brute-forced or guessed has been replaced with a stronger password much harder for an attacker to guess. With the use of a password, it would be cumbersome to enter it via an on-screen keyboard, hence the removal of the pin pad.

    Phishing

    Fraud continuously evolves and adapts to the security that is implemented to combat it; as a result what was effective in the past may not be the solution for the future and as such we have removed the Passphrase from our online banking. The passphrase does not provide the same protection against phishing attacks as it used to.

    The following steps mitigate the risk:

    • Make sure you are visiting the real Investec site by looking the address bar and ensuring you are visiting https://login.secure.investec.com.
    • In most modern browsers the address bar will be green if the website is legitimate so that is something to look out for as well:
    • We have recently launched our iPad app that allows you full transactional capability. Since the iPad application does not rely on the client to enter the address, it is immune to phishing attacks and is by far the best solution to the phishing problem.
    • We are in the process of developing a smart phone application that will allow you to authenticate your login to online banking without the use of an OTP. This is called “full out-of-band” authentication and will be released soon. So even if an attacker has managed to steal your credentials via a phishing site, you will still need to authenticate the transaction via the application, which will alert you when something suspicious is happening and prevent the transaction from going through.

    Spyware

    “Spyware’ are programs or files that often arrive hidden as part of a bigger, ‘legitimate’ program or file.

    A good up-to-date local anti-virus in most cases will catch and remove these programs, but there are always the unfortunate few who get caught before the antivirus is updated.

    You can often tell when your machine has been compromised, if you see pop up advertising, your device settings have been changed and it won’t let you change them back, your web browsers suddenly have new ‘features’ you didn’t install yourself and lastly, your machine seems to be much slower than normal.

    Social engineering

    Social engineering is the act of manipulating people into divulging confidential information without them even aware of it at the very least, or mistakenly thinking they are talking to a legitimate representative. This information is then used in a bigger, more complex fraud in most cases.

    If you ever receive a call from any authority, insist on calling them back. Never use the number provided unless you can independently verify it is correct.

    Always be aware of how much personal information your provide strangers, however legitimate or nice they may seem and be wary of providing credit card details over the phone