1. Secure the access to applications
1.1 User-id and password
The main method to protect an account is to use a combination of user-id and password. The strength of this protection will greatly depend on the complexity of the password.
SWIFT recommends that at least these criteria are met:
- At least 8 characters long
- Combines digits, special characters, uppercase and lowercase letters
- Only used for accessing swift.com
- Not trivial (e.g. dictionary words)
Changing your password regularly is another good practice – your administrator may mandate this.
Obviously the complexity of your password is nothing compared to the requirement to keep it secret. The best way to do that is to memorize it and not keeping any written copy.
1.2 2-step verification
2-step verification is a security measure that helps protect your account from unauthorised access if someone manages to obtain your password. An additional layer of security requires a verification code to be entered along with your username and password.
This code can be delivered to you by SMS, voice message, or e-mail. SMS and voice message are the preferred means of delivering the verification code. This is because your e-mail address is already linked to your swift.com account and an external means of providing the authentication code is favoured.
Note that the secure channel application on swift.com uses a one-time password to secure each transaction that involves sensitive data. Security officers accessing the application must use their personal secure code card to generate the required one-time passwords.
2. Visit only trusted websites
2.1 Check the URL
- Verify the URL of the web page before entering any personal data such as your e-mail address and password.
- SWIFT always uses a secure connection to ask for your e-mail address and password. The URLs used by SWIFT start with "www2.swift.com" or "login.swift.com".
2.2 Verify the certificate on HTTPS websites
In most browsers this is done by clicking on the lock symbol either at the top or the bottom of the browser window.
2.3 Use a login-seal
You have the ability to define a seal that will be displayed to you every time you access the swift.com login page. When you see this login-seal you are sure to be at the right place to enter your credentials. SWIFT recommends using it to improve security.
To learn how to set up a login-seal, please see this page.
3. Use a recent browser
Using a recent browser is the best way to avoid common attacks and keep your account safe. SWIFT strongly encourages you to update it regularly. A recent browser means that you will have access to the latest security standards provided by the vendor. You should also update all the plugins (e.g. Java, Flash) that are integrated within the browser.
4. Phishing & social engineering
4.1 What is phishing?
Phishing is an attempt to get hold of your data with malicious intent, in order to abuse your personal details, such as user-id and password. It is the most common way to do social engineering. In practice it often involves asking you to click on a link to a website that looks like an exact copy of the site of a trusted institution. Phishing can also be performed via phone call by people pretending to be a trusted party, such as the helpdesk.
4.2 How to recognize a phishing attempt?
Phishing attempts are targeted to get hold of your personal data. Be aware that SWIFT emails or calls will never ask you to give your credentials or any personal information. When a website asks you to enter your credentials, make sure that the URL starts with "login.swift.com" or "www2.swift.com". If you need to communicate personal information, use only a secure access to one of the applications on swift.com.