Registration and Security guidelines for swift.com
This page contains information and recommendations from SWIFT about the secure access to our website.
How to become a swift.com user?
How do I register on swift.com?
You can find detailed instructions about how to register in the swift.com Registration User Guide.
How are applications on swift.com protected?
Broadly speaking we can distinguish two types of Swift.com content: public content and applications.
The public content is accessible to everybody and includes information that SWIFT wants to distribute to a wide audience.
The applications are used to exchange information between SWIFT and a specific target audience that is authorised to access this information. These applications may contain information that should not be disclosed to unauthorised persons. The exchange of this information is protected by encryption of the data transport and by authentication of the individual who gets access to the applications.
Secure access to applications on swift.com
- Applications on swift.com with confidential data are secured by 128-bit Secure Socket Layer technology which encrypts all data exchange between your browser and swift.com, and require login with user-ID and password to verify the identity of the user.
- Make sure your browser supports 128-bit encryption and use strong passwords to protect your identity credentials. All modern browsers (for example Internet Explorer 11 and Firefox 40 or higher) do so and by default support strong encryption.
User-ID and password
- To access applications that use confidential data, you must register on swift.com with a User-ID and a password.
- SWIFT enforces using strong passwords.
- A password is only accepted if it is at least 8 characters in length. It must contain at least one uppercase, one lowercase character, and one non-alphanumeric character such as + - ( ) ! =
Change your password periodically.
- You should change your password periodically. When you register on swift.com you can choose the expiration time of your password.
- You can set the password expiration time to 3 months, 6 months, one year or two years.
- When your password has expired, you need to use the “Forgot your password” link on the login screen to specify a new password.
Additional one-time password for secure channel
- The secure channel application on swift.com uses a one-time password to secure each transaction that involves sensitive data. The persons who have access to this secure channel application must use their personal secure code card to generate the required one-time passwords.
2-step verification is a security measure that helps protect your account from unauthorised access if someone manages to obtain your password. An additional layer of security requires a verification code to be entered along with your username and password.
This code can be delivered to you by SMS, voice mail, or e-mail. SMS and voice mail are the preferred means of delivering the verification code. This is because your e-mail address is already linked to your swift.com account and an external means of providing the authentication code is favoured.
Please set up 2-step verification as soon as possible as at any time it can be made mandatory by swift, or by your administrator.
What can you do to protect yourself against phishing?
What is phishing?
- ‘Phishing’ stands for an attempt to get hold of your data with malicious intent, in order to know and abuse your personal details, such as user-ID and password. In practice it often involves asking you to use a link to a website that is an exact copy the site of a trusted institution.
- Recent statistics gathered by the Anti-Phishing Workgroup (APWG) show the continuous importance of this security threat on the Internet.
Verify the URL of the pages you use.
- Verify the URL of the web page before entering any personal data such as your e-mail address and password.
- SWIFT always uses a secure connection to ask for your e-mail address and password. The URL used by SWIFT starts with https://www2.swift.com/ or https://login.swift.com/.
Verify the certificate of the secure website.
- In most browsers this is done by clicking on the lock symbol either at the top or the bottom of the browser window. Certificates from SWIFT are issued by Akamai Technologies.
Use a recent browser.
- Upgrade your browser to a recent version that includes anti-phishing features, for instance Internet Explorer 11 and Firefox 40 or higher.
Use a login-seal to protect the login page on swift.com
- A login-seal is a private image or text that you can upload to swift.com, and that is displayed on the login page.
If you see this login seal on the login page, you are sure that it comes from swift.com and is not a phishing attack. Even without being registered on swift.com, you can setup a login-seal.
- To setup a login-seal click on the Customer Login button on the swift.com home page. This will display the login screen where you will see the link to setup a login-seal.
- The maximum size of an image that I can upload as login-seal is 5 Mb.
- SWIFT will set a cookie on your PC with a reference number to the login-seal to be displayed.
- Only swift.com knows which login-seal corresponds to this reference number, so only swift.com will be able to display the correct image or text that you have defined.
- Anybody who uses your PC will see the login seal. Therefore, do not use confidential data as your login-seal.
What if you do NOT see the login-seal?
- You may be looking at a page that is a phishing attempt if you did setup a login-seal from this PC before. Therefore you should NOT login with this page and instead contact your local SWIFT support center.
You may report the phishing attempt to firstname.lastname@example.org.
- You are using a PC that is different from the PC on which you have setup the login-seal. In this case, you need to setup a login-seal also on this PC.
- You have deleted all cookies on your PC. In this case, you need to setup a login-seal again.
- You are using a different type of browser on the same PC. In this case, you need to setup a login-seal again with this type of browser.
- You are using a different user-account on the same PC. If you may use different accounts of windows on the PC, your login-seal cookie may not be found by the browser. In this case, you need to setup a login-seal also with this user-account.
How do I recognise a phishing e-mail?
- Phishing e-mails are sent to get hold of your personal data.
- SWIFT emails will never ask you to reply to an email with any personal information or data.
- When you need to communicate personal information, use only a secure access to one of the applications on swift.com.
- How to trust the e-mail you receive for a password reset?
- When you receive an e-mail with a URL to the password reset screen on swift.com, you should verify the URL. SWIFT always uses a secure connection to ask for a new password. The URL used by SWIFT starts with https://www2.swift.com/ or https://login.swift.com/.