

Press release: Warning to payment service users to protect their personalised security credentials of payment instruments

23.12.2021

The NBR is the national competent authority responsible for overseeing that payment service providers comply with the operational and security requirements applicable to payment services. The NBR monitors developments in this field on a permanent basis.

In the recent period, given the broader use of modern means of payment amid the rapid digitalisation of the economy and the growth of online commerce, inter alia as a result of health restrictions and the current epidemiological context, the evolution of fraud via electronic card-based payment instruments, internet banking or mobile banking has become increasingly concerning.

An important part of these frauds is based on social engineering (phishing), with payment service users being manipulated by attackers and tricked, under various false pretences, into revealing the security credentials of their payment instruments (card data, PIN codes, activation codes for internet/mobile banking applications, static or dynamic passwords, card registration codes in electronic wallet applications). These are subsequently used to access the customers’ accounts and to take funds from them illegally.

The NBR warns payment service users to protect their personalised security credentials of payment instruments, as this is also a legal obligation. These credentials are confidential and are never requested by the issuer of the payment instrument or by any other authority via e-mail, SMS or web page. Sharing this information may allow potential attackers to access the accounts and initiate fraudulent payment operations.

The NBR recommends that all payment service users pay close attention to the following:

  1. when accessing available online banking applications, they should make sure they have connected to the banks’ official web pages that use secured https:// connections, and check whether the web page name in the address bar reflects beyond doubt the name of the bank;
  2. they should carefully read the SMS alert messages received from the bank, especially those sending passwords, access or authentication codes, in order to understand the nature of the operation they are about to initiate/authorise.

If they suspect they are victims of such scams, payment service users must contact the institution that issued the payment instrument as soon as possible, in order to receive specific technical assistance to limit the losses as much as possible, and must notify the criminal investigation bodies about the incident.