Security

Security login procedure for mobile devices

You should remember to properly protect any mobile devices you may use to connect with our online banking service. Smartphones and tablets have their own operating systems which, like PCs and notebooks, should also be properly protected by anti-virus software.

Mobile Access – Security Mechanisms in CitiDirect®

  CitiDirect Mobile

  • The sites https://m.citidirect.com and https://m.citidirectbe.com are protected by a Symantec Class 3 EV SSL CA – G3 security certificate.
  • Connection with the mobile banking service is protected by the TLS secure protocol, which ensures the confidentiality and integrity of transmitted data with the use of advanced encryption methods.
  • In CitiDirect Mobile, authentication is based on a "Challenge/Response" scheme and utilizes a SafeWord card, which generates dynamic one-time passwords and is secured with a PIN code.
  • In order to make access difficult for a third party, CitiDirect Mobile has a functionality which ends an inactive session after 5 minutes.
  • After a User logs in to CitiDirect Mobile, the system displays a message about the last unsuccessful login attempts.
  • While using CitiDirect Mobile a User may only operate within the limits of entitlements you specify (up to 9 transaction authorization levels can be defined) just like in the main version of the system.
  • CitiDirect Mobile does not require storing any User data on the mobile device or in the browser cache.
  • CitiDirect Mobile operates fully on the side of the server and as such leaves no data that could identify the Client on the mobile device. As a result, the Client’s data will not be visible even if your mobile device is lost or stolen. In addition, even if an unauthorized person opens the CitiDirect Mobile site, the authentication process, which uses a SafeWord card, will significantly limit their access to applications for malicious purposes.

All information, from Client identification through the end of session in CitiDirect, is secured with the TLS (Transport Layer Security) protocol, which ensures confidentiality of transmitted data with the use of advanced encryption methods.

TLS also protects data integrity. One of its elements is the Message Authentication Code (MAC), which verifies that no unauthorized data modification occurred during transmission.

  CitiDirect BE Tablet

  • The CitiDirect BE Tablet application is protected by a security certificate issued by Symantec Class 3 EV SSL CA – G3.
  • Connection to the tablet banking service is protected by the TLS secure protocol, which ensures the confidentiality and integrity of transmitted data with the use of advanced encryption methods.
  • In the CitiDirect BE Tablet application, authentication is based on a "Challenge/Response" scheme and utilizes a SafeWord card, which generates dynamic one-time passwords and is secured with a PIN code.
  • While using CitiDirect BE Tablet a User may only operate within the limits of entitlements you specify (up to 9 transaction authorization levels can be defined) just like in the main version of the system.
  • In order to make access difficult for a third party, the application has a functionality which ends an inactive session after 5 minutes.
  • The CitiDirect BE Tablet application does not require storing any User data on the mobile device.
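
The "Challenge/Response" login described for CitiDirect Mobile and CitiDirect BE Tablet, shown as an added illustration that is not Citi's or SafeWord's code: a generic HMAC-based sketch (the page does not state the card's actual algorithm) in which a PIN-gated token answers a random challenge and the server rejects replayed or expired challenges. All names, the PIN, the 8-digit code format and the 120-second validity are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # assumed validity of a challenge, in seconds


def one_time_code(secret: bytes, challenge: str) -> str:
    """8-digit code derived from the shared secret and the challenge."""
    digest = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def token_response(secret: bytes, card_pin: str, entered_pin: str, challenge: str) -> str:
    """Hypothetical token: answers a challenge only after the PIN matches."""
    if not hmac.compare_digest(card_pin, entered_pin):
        raise PermissionError("wrong PIN, token stays locked")
    return one_time_code(secret, challenge)


class Server:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}  # challenge -> expiry timestamp

    def issue_challenge(self, now=None) -> str:
        now = time.time() if now is None else now
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[challenge] = now + CHALLENGE_TTL
        return challenge

    def verify(self, challenge: str, response: str, now=None) -> bool:
        now = time.time() if now is None else now
        expiry = self.pending.pop(challenge, None)  # single use: gone after one attempt
        if expiry is None or now > expiry:
            return False  # unknown, already used, or expired challenge
        return hmac.compare_digest(one_time_code(self.secret, challenge), response)


def demo():
    secret = secrets.token_bytes(32)  # constructed shared secret
    server = Server(secret)
    c1 = server.issue_challenge(now=0)
    r1 = token_response(secret, "4821", "4821", c1)  # constructed PIN
    accepted = server.verify(c1, r1, now=10)
    replayed = server.verify(c1, r1, now=20)  # same pair sent again
    c2 = server.issue_challenge(now=30)
    r2 = token_response(secret, "4821", "4821", c2)
    expired = server.verify(c2, r2, now=30 + CHALLENGE_TTL + 1)
    return accepted, replayed, expired
```

Because each response is bound to one server-chosen challenge that is discarded after a single attempt, a code observed during one login cannot be reused for the next.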

Mobile Access – Primary Security Rules

When using CitiDirect on a mobile device you should adhere to the following security rules:

  • Do not search for the CitiDirect Mobile login address using the search function of your web browser. You should enter that address directly in the web browser and pin it as a shortcut on the screen of the device (smartphone/tablet/computer) you use to log in for mobile access.
  • Avoid using the online banking service via public Wi-Fi networks.
  • Before you log in check if there is a padlock icon in the top left corner of the screen.
  • Remember that a web browser is all you need to use CitiDirect Mobile – you do not have to install any additional software.
  • If you want to use the mobile banking service for tablets, download the CitiDirect BE Tablet application from an authorized AppStore, GooglePlay or Windows Store site.
  • Do not install any software from untrusted sources and block this possibility on your device.
  • Before you install any application check the list of functionalities it will be allowed to access on your device. Do not install it if you have any doubts.
  • Do not allow any installed application to have "device administrator" entitlements, unless it is required.
  • Keep the system software from your device's original manufacturer up to date.
  • Make sure you have an anti-virus program installed.
  • Never leave your mobile device unattended.
  • Protect your devices by setting a screen lock and a password.
  • Protect your SafeWord card and PIN code. If you are to connect with the mobile banking service from a public place, make sure nobody can intercept the PIN code for your SafeWord card.
  • Do not disclose your SafeWord card or PIN code to another person and never write down your PIN code.
  • Immediately change the PIN code of your SafeWord card if you suspect it has been compromised.
  • If your SafeWord card is lost you should immediately contact CitiService (call (22) 690 19 81 or 801 24 84 24 or send a message to: citiservice.polska@citi.com) to block access to the online banking service.
  • If you notice any unusual activity on your account, receive a phone call from someone you suspect of impersonating our employee, or observe any event which may threaten data security, please immediately call CitiService at (22) 690 19 81 or 801 24 84 24 or send a message to: citiservice.polska@citi.com.