Online Security

Citibank is committed to providing a safe and secure online banking experience. Check out the various initiatives that Citibank has adopted to safeguard your online banking sessions. Also explore how you can remain safe by adopting simple safety measures.

Unique Internet Password (IPIN)

  • Your security is governed by your Unique Secure IPIN (Internet Password)
  • To select your IPIN online, you will have to verify your personal information and generate an Online Authorisation Code (OAC) that will be sent to your Mobile phone/E-mail address. You will then have to reconfirm the details and select your IPIN

When creating a Password, make sure…

The IPIN is a combination of a minimum of eight characters consisting of both letters and numerals. We strongly recommend that you change your IPIN at regular intervals, using your own combination, so that nobody but yourself knows what your password is.

Make sure the password is complex enough that nobody can guess it.

Citibank Online Security Measures

Protecting you and providing a secure environment is a top priority for Citibank. Some of the measures are:

Secured login

  • All information passed on between Citibank and your personal computer is "scrambled" and "reassembled" using 128-bit encryption, the highest level of encryption commercially available
  • You can access your account by using only the Citibank-issued Card number and PIN/password. You have to enter the Internet Password (IPIN) every time you login to Citibank Online

Automatic time out

  • Once logged into Citibank Online, if there is no activity for 5 minutes, your secured Citibank Online session will be automatically terminated to help protect against unauthorised access

Automatic lock out

  • If the Internet Password (IPIN) has been entered incorrectly six consecutive times, Citibank will lock any further online access to the accounts
  • If you have been locked out of your accounts due to incorrect PIN/password entry, contact your local Citibank Customer Service Officer

Digital Certificate from VeriSign

  • Digital Certificates provide you the evidence of the server's authenticity which safeguards users from trusting unauthorised sites and allows the session to be encrypted
  • This is provided by a third party, the Certification Authority, which in this case is VeriSign
  • You will see a 'closed lock' icon at the bottom of the Internet Banking screen
  • Clicking on the lock will allow you to see the VeriSign Certificate authenticating the site
  • While we have gone to extraordinary lengths to make sure your online transactions are secure, you could also do a few things to ensure the security of your transactions

What you can do?

General Security

Some of the most effective things you can do to protect yourself are simple to do. Here are some steps you should take:

  • Keep your Internet Password (IPIN) confidential
  • Use a secure password, which cannot be easily guessed. Do not use commonly used passwords like your vehicle registration number, birthdays, etc.
  • Log off from Citibank Online after you complete your transactions every time. Do not just close your browser
  • Avoid accessing Citibank Online from a public/shared computer
  • Login regularly to monitor your transactions
  • Never fill an E-mail with input fields that ask you for sensitive data such as User ID, Passwords, PINs, ATM and Account Number Information
  • Look for the padlock symbol on the bottom bar of the browser to ensure that the site is running in secure mode before you enter sensitive information
  • Please bookmark/add to your favourites the following URL to access information and transact on your account with Citibank www.citibank.com/india

Browser Security

Although Internet browsers have built-in security, small Internet files are downloaded to your computer whenever you are online. Some of the files may pose a security risk. Enhance your security by taking some of the following actions:

  • Clear your browser's cache and history after each session so that your account information is removed, especially if you are using a shared computer
  • Use an Internet browser that supports 128-bit encryption
  • If you use Internet Explorer, configure the browser not to remember passwords (disable AutoComplete)

To disable the "AutoComplete" function

  1. Launch your Internet Explorer and click on "Tools" >> "Internet Options" >> "Content".
  2. Under "Personal Information", click on "AutoComplete".
  3. Uncheck "User names and passwords on forms" and click on "Clear Passwords".
  4. Click "OK".

Navigate Safely

Navigate the Internet safely to reduce the likelihood of online fraud. Avoid fraudulent websites.

To ensure that you are going to an authentic Citibank site, type in the entire Citibank website address into your browser instead of clicking on the link directly. For this, you would have to type in "http://www.citibank.com/india" into the browser address field.

Beware of pop-up windows that ask for your account number and PIN (Personal Identification Number). Citibank Login pages are always on a web page and never in a pop-up window.

If you suspect a website is fraudulent, leave the site. Do not follow any of the instructions it may present to you.

Citibank will ask you to fill any account details only on either www.citibank.com/india or any Citibank URL starting with www.online.citibank.co.in.

E-mail Security and Phishing

Online Identity Fraud, also known as "Phishing", occurs when fraudsters pose as trusted organisations and send out thousands of fraudulent E-mails to random E-mail addresses.

How can you tell the difference between a genuine Citibank E-mail and a fraudulent one?

  • Citigroup frequently communicates with its clients via E-mail. The majority of these communications are to provide you with information and updates about our services
  • All E-mails from Citibank carry the last 4-digits of your Card/account number at the top of the E-mail. This is intended to assure you that these mails have indeed originated from Citibank
  • Citibank will never send you an E-mail requesting confidential account information. Delete such E-mails even if they appear to have come from Citibank
  • Fraudulent E-mails usually contain a link to a look-alike website to mislead you into entering sensitive financial information such as your account number and Internet Password (IPIN). This will enable the fraudsters to capture your account information to access your bank accounts. Citibank will ask you to fill any account details only on either www.citibank.com/india or any Citibank URL starting with www.online.citibank.co.in
  • If the link from an E-mail goes to a login page or a pop-up window, do not enter your account number and PIN. Always type in the entire website address www.citibank.com/india to access Citibank Online
  • Citibank will never send you urgent or time-sensitive E-mails that ask you to provide, update or confirm sensitive data like your Citibank Card number or Internet Password (IPIN), APIN, TPIN or expiration date, etc.
  • Check the sender E-mail address to verify that it is from a valid E-mail account. Never open E-mail attachments from sources that you cannot trust
  • Always scan E-mail attachments for viruses before opening them. If you are unsure about the source of an attachment, delete it
  • Be alert for scam E-mails. These are designed to trick you into downloading a virus or jumping to a fraudulent website and disclosing sensitive information

What you should do in case of E-mail or phishing threats:

If you suspect you have been sent a fraudulent E-mail, contact your local CitiPhone Officer immediately or send a secure mail once you have signed on to Internet Banking.

Virtual Keyboard Login

One more security feature from Citibank, designed to protect your account or Card information and password from falling into the wrong hands.

With the new Citibank Online Virtual Keyboard login screen, all you need to do is use your mouse instead of your keyboard to enter your password information. The Virtual Keyboard is dynamic and the position of the characters changes every time. This is for added security.

The VIRTUAL KEYBOARD protects you from malicious 'Spyware' and 'Trojan Programs' designed to capture your keystrokes and thus reveal your secret password. The VIRTUAL KEYBOARD eliminates this risk and makes your Citibank Login that much safer and provides for a secure online banking experience.

How to use the Virtual Keyboard login screen to log on to Internet Banking?

  • Use your mouse to enter your Card number and password
  • Press the relevant keys on the login screen keypad

Fraudulent E-mails

Recently, E-mail users have been targeted by a global Internet scam. Intended to collect critical personal and financial information, the scam begins with a fraudulent E-mail that appears to be from a legitimate bank.

How do I tell the difference between a genuine Citibank E-mail and a fraudulent one?

  • As a provider of online banking services, Citigroup does frequently communicate with its clients via E-mail. The majority of these communications are to provide you with information and updates about our services
  • If we request information from you, we'll always direct you back to a Citibank site using links. These are for your convenience - you can also reach our site using your bookmarks (You can add any of the Citibank URLs to your list of favourites or bookmark them) www.citibank.com/india
  • If you use a link in an E-mail from us, you can make sure that you are on a Citibank page by comparing it against the known URL you use to access your online banking application

Please bookmark/add to your favourites the following URL to access information and transact on your account with Citibank www.citibank.com/india.

We at Citibank want your online experience to be enjoyable and worry-free. That's why Citibank Online uses 128-bit Secure Sockets Layer (SSL) encryption and other security procedures to give you a secure Internet banking experience.

You can tell that you're dealing with Citibank because:

  • Citibank will never send you an E-mail asking for your passwords, Credit Card numbers or other sensitive information
  • If we request information from you, we'll always direct you back to a Citibank site using links
  • If you use a link in an E-mail from us, you can make sure that you are on a Citibank page by comparing it against the known URL you use to access your online banking application

Important security tips:

  • Don't provide any personal information
  • Review the URL provided to ensure it leads to a valid website
  • Review the sender E-mail address to verify that it is from a valid E-mail account
  • Act quickly if you suspect fraud
  • Use a strong password
  • Change your Citibank Online Password often
  • Leave suspicious sites
  • Be alert for scam E-mails
  • Open E-mails only when you know the sender
  • Be careful before clicking on a link contained in an E-mail or other message
  • Do not send sensitive personal or financial information unless it is encrypted on a secure website
  • Make sure your home computer has the most current anti-virus software. Install a personal firewall to help prevent unauthorised access to your home computer
  • Monitor your transactions

Do's and Don'ts

What Citibank will do?

  • Citibank will ask you to only enter your Citibank Card number and IPIN when you sign on to Citibank Online (www.citibank.com/india, www.online.citibank.co.in)
  • Citibank will send you E-mails with text links and banner links to information or promotions about Citibank products. Such promotions might invite customers to register their name and contact details (such as phone numbers or E-mail address on E-mail)
  • Citibank will send you E-mails with text links and banner links for your convenience and you can always type in Citibank URLs directly into your Internet browser. Such links take you only to the two websites named above
  • Citibank will ask you to fill any account details only on either www.citibank.com/india or any Citibank URL starting with www.online.citibank.co.in

What you should do?

  • All forms should be filled only on the Citibank website starting with www.online.citibank.co.in
  • Review the URL provided in the E-mail to ensure it leads to a valid website. All genuine Citibank URLs will begin with www.online.citibank.co.in
  • Open E-mails only when you know the sender. Be especially careful about opening an E-mail with an attachment. Even a friend may accidentally send an E-mail with a virus
  • Check the sender E-mail address to verify that it is from a valid E-mail account
  • Type the entire Citibank website address into your browser to sign on to the Citibank Online (Internet Banking) page
  • Keep your operating system and browser up-to-date. Software updates often include security enhancements that you can usually download free from the particular software provider
  • Leave suspicious sites
  • Be alert for scam E-mails
  • Open E-mails only when you know the sender
  • Be careful before clicking on a link contained in an E-mail or other message
  • Do not send sensitive personal or financial information unless it is encrypted on a secure website
  • Make sure your home computer has the most current anti-virus software. Install a personal firewall to help prevent unauthorised access to your home computer
  • Monitor your transactions

What Citibank will not do?

  • Citibank will never send you urgent or time-sensitive E-mails that ask you to provide, update or confirm sensitive data like your Citibank Card number or IPIN, APIN, TPIN or expiration date, etc.
  • Citibank will never send you an E-mail with any input fields asking for personal, account or other sensitive information

What you should not do?

  • Never fill an E-mail with input fields that ask you for sensitive data such as User ID, Passwords, PINs, ATM and account number information
  • Never fill in a form that you have accessed via an E-mail link with sensitive data such as User ID, Password, PINs, ATM and account number information unless you are on the secure Citibank website
  • Don't click on links in unsolicited E-mails, especially those asking for personal information. Even if you don't supply it, just clicking can enable thieves to access your computer, record your keystrokes and capture passwords you use to sign on to various websites
  • Do not open or follow instructions on any E-mail asking you to verify information. Citibank will never send any E-mail asking you to verify any sensitive information

Act quickly if you suspect fraud

If you believe someone is trying to commit fraud by pretending to be Citibank or another Citigroup business, please contact us immediately at indiaservice@citigroup.com.

General Security Tips to avoid Online Fraud

  • Be alert for scam E-mails (phishing, hoax or spoof). These are designed to trick you into downloading a virus or jumping to a fraudulent website and disclosing sensitive information
  • Be very suspicious of any E-mail from a business or person that asks for your passwords, account or Credit Card information over the phone or via the web, unless you've initiated the transaction. Or of anyone who sends you personal information and asks you to update or confirm it
  • Use a secure password, which cannot be easily guessed. Do not use commonly used passwords like your vehicle registration number, birthdays, etc.
  • Leave suspicious sites. If you suspect that a website is not what it purports to be, leave the site immediately. Do not follow any of the instructions it presents
  • Do not send sensitive personal or financial information unless it is encrypted on a secure website. Regular E-mails are not encrypted and are more like sending a post card. Look for the padlock symbol on the bottom bar of the browser to ensure that the site is running in secure mode before you enter sensitive information
  • Make sure your home computer has the most current anti-virus software. Install a personal firewall to help prevent unauthorised access to your home computer. This is especially important if you connect to the Internet via a cable modem or a digital subscriber line (DSL) modem

If you are required to enter personal information to perform a transaction, it is always done on a site secured with SSL technology. You can identify a secure site when you see a padlock icon at the bottom of your screen. Most importantly, if you click on the padlock, a security certificate will pop up.

Phony Websites

Phony websites are just what they say. They are fraudulent websites created to look identical to those of a legitimate bank or trusted company. Phony websites, also known as 'spoofed websites' use an organisation's website graphics and logos, but are actually set up in an attempt to steal sensitive personal and financial information. Every online customer must be aware of and vigilant against phony websites. Unfortunately, they are becoming more common and much more sophisticated.

Once you're at one of these spoofed sites you might unwittingly enter even more personal information that will be transmitted directly to the person who created the site who might then use this information to purchase goods, apply for a new Credit Card, or steal your identity.

How can you be tricked?

Phony websites and fraudulent E-mails can look genuine for the following reasons:

  • They appear to be the official site of a well-known and respected institution
  • They have the names of real people
  • They have the right logos and branding
  • They use links to pages on the real website and have official-looking fine print
  • They use genuine pages copied to a new fake address
  • They lure customers through "spam" E-mail

What kind of mails?

Fake security and maintenance upgrades

  • "Your account has been randomly selected for maintenance and placed on 'Limited Access' status, please enter your account details to re-activate your service"
  • "Please provide your account details to re-activate your account following the introduction of a new security system which will help you avoid fraudulent transactions and keep your investment safe"

False bills and charges

  • "Your domain name registration is due for renewal, please enter the following information exactly as it appears on your Credit Card statement. This will be compared to the information your bank has on file for your Card to verify your payment"
  • "You have won a free gift (or prize), simply complete your Credit Card details for postage and handling costs and we'll send it out to you"

Tips to avoid Phony Websites:

  • Avoid clicking on links provided in a suspicious looking E-mail
  • Save or "bookmark" frequently visited and trusted websites to your list of favourites, then access those sites through your saved links
  • Inspect a URL carefully for the presence of an "@" symbol, for example billing@citibank.com. This is a common sign of fraudulent websites. Even if the URL contains the phrase "Citibank", this does not ensure that the website is Citibank's
  • Be very suspicious of websites that display an IP Address, or numerical address (e.g., 192.134.2.1), in your web browser's address bar instead of a domain name (e.g., citibank.com/india)
  • Safely access your accounts online by opening up a new web browser each time
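
The URL tips above can be checked mechanically. The following is an added example, not Citibank's own code: it parses a link and compares the actual host against the two addresses this page names, and it also shows why a plain "begins with" string test is not enough. The function names, the "/india" path rule and the sample links are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this page names as genuine. Treating "/india" as a required path
# prefix on www.citibank.com is this example's assumption.
TRUSTED_HOSTS = {
    "www.citibank.com": "/india",
    "www.online.citibank.co.in": "/",
}


def naive_prefix_check(url):
    """Literal reading of 'begins with': a plain string-prefix test."""
    bare = url.split("://", 1)[-1]
    return any(bare.startswith(host) for host in TRUSTED_HOSTS)


def check_link(url):
    """Return a list of findings; an empty list means no tip was violated."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")

    # Tip: an "@" in the address. Everything before it is only a user name;
    # the browser connects to the host that follows it.
    if parts.username is not None:
        findings.append("at-sign-in-address")

    # Tip: a numerical address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass

    # Compare the parsed host exactly, never by substring or prefix.
    prefix = TRUSTED_HOSTS.get(host)
    path = parts.path or "/"
    if prefix is None:
        findings.append("untrusted-host")
    elif prefix != "/" and path != prefix and not path.startswith(prefix + "/"):
        findings.append("unexpected-path")
    return findings


# Constructed sample links; example.net is a reserved documentation domain
# and 192.134.2.1 is the numerical address used in the tip above.
SAMPLES = [
    "www.citibank.com/india",
    "https://www.online.citibank.co.in/login",
    "http://www.citibank.com@192.134.2.1/india",
    "http://www.online.citibank.co.in.example.net/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_link(link) or "ok", "naive:", naive_prefix_check(link))
```

The last two samples pass the naive prefix test even though the browser would connect to a different host, which is why the comparison has to be made on the parsed host name.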

Phishing

'Phishing' is a form of social engineering attack that exploits the means to mask an identity on the web. Victims are encouraged to visit phony websites that spoof those of legitimate organisations, often through a spam E-mail.

Lured to a phishing site, users are asked to enter some sort of exploitable personal information, such as a PIN, password or bank account number.

The majority of active web users have encountered some sort of phishing lure and more are being trolled past their noses every day.

So far, the lures are not very attractive and very few surfers have been caught. But the phishers are becoming more prevalent and more skilful and real people are starting to lose real money.

How does phishing work?

Phishing works by the malicious user sending millions of bogus E-mails that appear to come from popular websites or from sites that you trust, like your bank or Credit Card company. The E-mails and the websites they often send you to, look official enough that they deceive many people into believing that they're legitimate. Believing that these E-mails are legitimate, unsuspecting people too often respond to the E-mail's requests for their Credit Card numbers, passwords, account information, or other personal information.

Tips to help protect yourself from phishing

  • Never respond to requests for personal information via E-mail. If in doubt, call the institution that claims to have sent you the E-mail
  • Visit websites by typing the URL into your address bar
  • Check to make sure the website is using encryption
  • Routinely review your Credit Card and bank statements
  • Report suspected abuses of your personal information to the proper authorities

Security Tips

  • Change your Citibank Online Password often
  • Do not send sensitive personal or financial information unless it is encrypted on a secure website
  • Act quickly if you suspect fraud