Security

Basic information

Be warned - criminals impersonate bank employees

In recent days, criminals have been calling customers while impersonating bank employees. The call is displayed as coming from the real Alior Bank helpline number (e.g. +48 123707000, but criminals can set any number). During the conversation, they most often cite security reasons, such as the account having been hacked, and urge you to quickly provide your data or install software that is actually used to steal funds from the account.

We remind you that:
  • Alior Bank employees never ask you to install any additional software on computers or telephones;
  • Alior Bank employees never ask for a password to a bank account;
  • if you have a return password set, ask the caller who claims to be an Alior Bank employee for it each time (never give it to anyone) - if they do not know it, end the conversation and inform the bank about the incident;
  • if you do not have a return password, set one - to do this, call the hotline and ask to set a password invented by you, which a bank employee will have to give you every time you call and ask for it;
  • if the content of the conversation seems suspicious or unusual to you, and the caller requires you to act quickly (e.g. providing your data, installing software, providing BLIK codes or one-time codes), hang up and call the bank's hotline to confirm whether the call was genuine.

More information about the return password can be found here (PL). If you have any doubts about the conversation you had with a person claiming to be a bank employee, call the hotline at 19 502 or +48 123707000.

Guarantees of funds

Alior Bank is a Polish company and is subject to supervision by the Polish Financial Supervision Authority. Deposits held by customers at Alior Bank, and therefore also at Kantor Walutowy, are covered by the guarantees of the Bank Guarantee Fund. Pursuant to the Act, funds up to EUR 100,000 are returned in full (100%). This security section is a trusted channel of communication with Customers regarding the correct and safe use of electronic banking.

 

Basic safety rules

  • Always check whether you are on the correct login page for Kantor Walutowy (https://systemkantor.aliorbank.pl/login). When logging in, check that the browser does not display warnings related to the security certificate (open its details) and that the login page address has the HTTPS prefix, which indicates that the connection to the Kantor Walutowy website is encrypted. Carefully read the content of text messages with one-time codes.
  • Read the entire SMS carefully before confirming the operation. Kantor Walutowy will never ask you to confirm an operation that you did not order yourself.
  • Remember to regularly update the operating system and the software installed on it, in particular anti-virus software (including the virus signature database) and the web browser you use.
  • To log in to Kantor Walutowy, do not use untrusted devices (e.g. in an Internet cafe) or a computer where another user is logged in. Do not use public Wi-Fi networks for this purpose either.
  • Watch out for attacks aimed at persuading you to perform some action (e.g. clicking on a link, downloading software, providing your details) that are sent in e-mails, SMS / MMS messages, social networks, messengers or are transmitted over the phone.
  • Do not open attachments or follow links from suspicious emails (e.g. with errors, typos or incoherent grammar, from an unofficial address, or that you did not expect) and do not reply to them. Fake emails are the most common cause of computers being infected with dangerous malware.
  • Protect your important data properly (address, PESEL numbers, passwords, logins and other sensitive data). Do not share your data with untrusted entities. Protect your documents, and in the event of their loss or theft, register them immediately. Remember that if criminals take over your data, they may use it to steal your identity or your funds.
  • Pay attention to information about new threats - on the website of Kantor Walutowy we regularly inform you how to recognize them and how to avoid them (in the New threats section and through information banners on the login page).
  • Pay attention to the content on the Kantor Walutowy login page. If the login process looks different than usual (e.g. it takes much longer, new windows appear), contact the helpline (at 19 502) - it may mean that your computer is infected with malware.
  • In case of doubts regarding the authenticity of security messages received by e-mail or other channel, compare them with the information on the website of Kantor Walutowy in the Security section.

Secure login

Remember the rules for logging in to online banking securely:
  • Do not use internet search engines (e.g. Google) or enter "Alior Bank" in the address bar. If you want to log in to online banking, enter the following in the address bar of your browser: https://kantor.aliorbank.pl/
  • Do not click on links that are supposed to lead to the online banking login page; use the Login button on the website of Kantor Walutowy. If you install a mobile application, in particular a bank application, use the official "Google Play" or "App Store" stores.
  • Do not download or install applications from links that you receive in an email or SMS.

Remember that when logging in to the mobile application, you do not have to enter your login or password for online banking. To log in to the mobile application, all you need is a PIN or - if your phone allows this option - a fingerprint or FaceID.

Login

Log in securely!
When logging in to Kantor Walutowy, follow the rules below:
Never use links sent in e-mail correspondence or in messages sent via instant messengers to log in to Kantor Walutowy. Always use the "Login" button on the main page of Kantor Walutowy (https://systemkantor.aliorbank.pl/login) or enter the following address directly in the browser window: https://systemkantor.aliorbank.pl/login


When logging in to Kantor Walutowy, remember that Kantor Walutowy never asks you to enter the entire password to your account!

Check that the address on the login page starts with the prefix https, which denotes the protocol responsible for the security of the connection.

Check that there is a padlock symbol within the web browser window, which indicates that the session is encrypted with the SSL/TLS protocol, allowing for secure communication. Depending on your browser, the padlock may appear in the address bar or in the status bar at the bottom of the screen.

Click on the padlock to check whether the displayed certificate is valid and whether it has been issued for Alior Bank S.A. and verified/issued by DigiCert Inc.


If you notice that:
  • the padlock symbol is not displayed in the address bar of the browser,
  • the website's certificate is not issued for Alior Bank S.A. or is not confirmed by DigiCert Inc.,
  • browser warnings about the security of the certificate are displayed,
  • the Kantor Walutowy service requires you to authorize a transaction that you did not order yourself and you cannot cancel it in order to proceed, before or after logging in,
  • the website of Kantor Walutowy looks different or presents other messages than usual,
  • the login process to Kantor Walutowy looks different than usual (e.g. it takes much longer, new windows appear, requests to enter additional data, e.g. a full password instead of a masked one),
stop logging in to Kantor Walutowy and immediately contact the helpline (at the number 19 502) or any branch of the bank.

After entering the ID and clicking "Next", check that the security picture you chose is displayed. After making sure that the displayed image is correct, enter the correct password characters. If the image has not been displayed or is different from the one you set, stop the login process and contact the hotline (at 19 502). In the next step, you will be asked to confirm your login with an SMS code. If you don't want to enter the code every time you log in, you can add your browser to the trusted list.

In addition, remember the following rules:
  • do not use untrusted computers (e.g. in an Internet cafe) and public WiFi networks to log in to Kantor Walutowy,
  • do not log in to Kantor Walutowy from a computer where another user is already logged in,
  • remember not to share the identifier and password used to log in to Kantor Walutowy, and not to save them in files on your computer,
  • regularly change your access password ("Change password" option in "Settings"),
  • after finishing work at Kantor Walutowy, remember to log out using the "Logout" link. Never use the X (Close) button built into the browser window for this purpose.

Remember that you will never be asked to:
  • authorize/approve ANY operation in Kantor Walutowy that you did not order independently (voluntarily) - Kantor Walutowy never imposes the need to perform an operation that requires authorization,
  • provide the telephone number or the type of telephone/operating system you use, when logging in or after logging in to Kantor Walutowy,
  • verify your ID, password or payment card details via e-mail,
  • confirm a change of the account format when logging in to Kantor Walutowy,
  • add a trusted template with a foreign account in order to activate funds insurance or activate other services on the client's account,
  • enable the "Allow installation of applications from sources other than the Play Store" option on the phone.

Security on the Kantor

SMS codes
SMS codes are a convenient and safe way to authorize transactions at Kantor Walutowy. The codes are sent to the telephone number you indicated when completing the application or when signing the contract at the branch. In Kantor Walutowy, one code is used to authorize the one specific operation or group of transactions for which it was generated, which ensures maximum protection and security of funds. The SMS with the code contains information about the operation for which the code was generated, so always pay attention to the content of the SMS and compare it with the data of your transaction. In the Kantor Walutowy system, authorization is required for operations related to the outflow of funds from your account, i.e. domestic transfers and defining the recipient, and for operations related to security: logging in, activating a payment card, changing the card PIN, and changing the telephone number for SMS codes.


Masked password
When logging in to Kantor Walutowy, a masked password is used. Kantor Walutowy requires you to enter only selected characters from the password, which protects it against being intercepted by spyware. Even if someone sees the characters you enter, they will still be unable to log in to your account, because Kantor Walutowy requires different characters each time. When logging in, enter the corresponding characters from the password in the successive active fields, e.g. if your password is "Alior", and the first and fourth fields are active, then you should enter the letters "A" and "o".


Masking a trusted phone number
In order to increase the security of transactions carried out in Kantor Walutowy, masking of the trusted telephone number was introduced in the settings of notifications about events on accounts and cards and in the settings of SMS codes.


Safety picture
The image you choose is presented each time you log in to Kantor Walutowy (after entering the ID and before entering the password). Since you choose this image yourself, it makes it easier for you to recognize that the page you are logging in to is the real login page of Kantor Walutowy, and not a page substituted to intercept data. Remember to check, before entering your password, that the image you selected is displayed. If no image is displayed, or the image differs from the one you selected, stop logging in and contact our helpline (at 19 502) or a branch. To select or change a picture, go to Profile, "Settings", and then select the "Settings" tab. In the "Security image" line, click "Change" and select an image.

The image you choose will be presented each time you log in to Kantor Walutowy, after entering your ID.

Safety certificate
The connection between the Customer's computer and the Bank's server is encrypted with the TLS protocol, as evidenced by the prefix https:// at the beginning of the Internet address. Encryption ensures that your data is protected against possible interception by third parties.


The website certificate is confirmed for Alior Bank S.A. by DigiCert Inc. Thanks to this, you are guaranteed that the website you are logging in to belongs to the institution for which the certificate was issued.


Certificate verification consists of checking several basic details:
  • for whom the certificate is issued - it should read: "systemkantor.aliorbank.pl, Alior Bank SA",
  • who is the issuer of the certificate - it should be: "DigiCert Global CA G2",
  • whether the validity period of the certificate has expired,
  • what is the path / hierarchy of the certificate - it should be: "DigiCert Global Root G2 >> DigiCert Global CA G2 >> systemkantor.aliorbank.pl".
Remember to always check the certificate before logging in to Kantor Walutowy. If the data in any of these points is not correct, stop the login process and contact our helpline (at 19 502) or a branch.
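
The checks listed above can also be scripted. The following is an added example, not code from Alior Bank or from this page: it assumes the certificate is in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(), the function names are illustrative, and SAMPLE_CERT is constructed sample data rather than the bank's real certificate.

```python
import socket
import ssl
import time

# Values this page tells customers to expect for the login site.
EXPECTED_HOST = "systemkantor.aliorbank.pl"
EXPECTED_ORG = "Alior Bank SA"
EXPECTED_ISSUER_CN = "DigiCert Global CA G2"


def fetch_certificate(host=EXPECTED_HOST, port=443):
    """Fetch the leaf certificate. The default context already validates the
    chain against the system trust store and checks the host name; the root
    itself is not part of the returned dictionary."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def _org_key(org):
    # The page spells the holder both "Alior Bank S.A." and "Alior Bank SA".
    return org.replace(".", "").strip().lower()


def check_certificate(cert, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = time.time() if now is None else now
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = []
    if EXPECTED_HOST not in dns_names and subject.get("commonName") != EXPECTED_HOST:
        problems.append("not issued for " + EXPECTED_HOST)
    if _org_key(subject.get("organizationName", "")) != _org_key(EXPECTED_ORG):
        problems.append("holder is not " + EXPECTED_ORG)
    if issuer.get("commonName") != EXPECTED_ISSUER_CN:
        problems.append("issuer is not " + EXPECTED_ISSUER_CN)
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        problems.append("outside validity period")
    return problems


# Constructed sample in getpeercert() format (not the bank's real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "PL"),),
                (("organizationName", "Alior Bank SA"),),
                (("commonName", "systemkantor.aliorbank.pl"),)),
    "issuer": ((("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert Global CA G2"),)),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "systemkantor.aliorbank.pl"),),
}

if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
    print(check_certificate(SAMPLE_CERT, now=when))
```

For a live check, pass the result of fetch_certificate() to check_certificate(); a failed chain or host name validation raises ssl.SSLCertVerificationError before any field is compared.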

Notifications
For the safety of your funds, we recommend that you set up notifications, which you can receive as an SMS to your mobile phone or as an email to your email address. To set up notifications, go to Profile, "Settings", and then select the "Notification settings" tab. You will be able to choose which types of events you want to be notified about and how you want to receive the notifications.



Automatic logout
If Kantor Walutowy detects no activity on the logged-in account, you will be logged out automatically within 5 minutes.

Safe transactions

Authorization of transactions in Alior Bank's Kantor Walutowy is carried out using convenient and secure SMS codes.

Remember that the security of this method of authorization also depends on you. Therefore, follow the rules below:
  • Remember that Kantor Walutowy never asks you to confirm operations with an SMS code that you have not ordered yourself! Please read the entire text message carefully before confirming the transaction. Check whether you personally ordered such a transaction or operation and compare whether it is consistent with your instruction. In particular, when authorizing transfers or creating templates, verify that the transaction amount and the recipient's account number provided in the SMS message are consistent with the data entered by you.
  • Take care of the safety of your mobile phone - do not leave it in places where it may be exposed to theft or unauthorized access. In the event of the theft of the phone, immediately block the SIM card with the mobile operator, and notify the helpline (at 19 502) or an Alior Bank branch.

Watch out for attempts (by criminals or untrusted entities) to phish for the access data and authorization codes used to carry out transactions at Kantor Walutowy. Such data can be used, for example, to steal funds. An unauthorized transaction should be reported via the helpline (at the number 19 502) or at any branch of the Bank. The Bank's employee will inform you about the further procedure.

Examples of a fraudulent transaction include:
  • an attempt to extort a one-time SMS code,
  • an attempt to phish login details,
  • fake messages (phishing) sent via messengers, social media, SMS, e-mail and other channels,
  • any transaction that was not ordered by you,
  • any transaction containing data other than what you ordered.

Kantor Walutowy monitors transactions 24/7. If additional confirmation of an operation is required, Kantor tries to verify it with the Client through the contact center or through contact from an Alior Bank branch employee.

Risks related to the use of Kantor Walutowy
It should be remembered that electronic access to Kantor Walutowy involves risks - in particular in the event of non-compliance with the security rules set out by the Kantor.

Primarily, these risks include:
1. The risk of loss, or theft by unauthorized persons, of data or devices:
  • used to log into the system (e.g. ID/password or mobile application PIN),
  • used to confirm transactions (e.g. a mobile device with an installed application, a trusted telephone number).
2. The risk of social engineering attacks in which third parties, impersonating Kantor, persuade the client to approve an operation (e.g. with false information about the need to execute a transaction).
3. The risk of the Client unknowingly accepting unintended orders (e.g. without reading the description of the operation in the SMS message with the authorization code).
4. The risk of using Kantor Walutowy on devices that are remotely or physically controlled by third parties (e.g. by means of malicious software such as viruses).

The consequences of the occurrence of the above-mentioned risks may be:
  • access of third parties to the Customer's data visible in the systems of Kantor Walutowy,
  • the possibility of executing transactions by third parties on behalf of the Customer - including financial ones (e.g. making transfers),
  • the possibility of the Customer approving an unwanted transaction.
Taking care of the safety of our clients, we have prepared rules for safe use of Kantor Walutowy, the application of which minimizes the possibility of unauthorized access to your funds and data. Be sure to familiarize yourself with them.

If you have any questions/doubts regarding the security of Kantor Walutowy's services or want to report a security-related event, please contact the helpline (at 19 502) or any branch of Alior Bank.

Online card payments are even safer with 3D Secure

3D Secure:
  • secures online transactions with Mastercard® payment cards through additional transaction authorization with a one-time code;
  • is made available automatically for all Alior Bank cards, so you do not need to take any action to activate it;
  • is free - the bank sends the text messages with codes free of charge.
Online stores that have implemented the 3D Secure service place the following markings:



Mastercard SecureCode or Mastercard ID Check - for Mastercard cards, this marking confirms that payments in these stores can be secured with the 3D Secure service. In practice, some online stores, despite displaying the marking, may not require additional authorization with 3D Secure. Using the 3D Secure service is really simple. See for yourself:

Detailed information on using the 3D Secure service:
  • To pay by card online, you need to provide the standard details requested by the store, e.g. card number, card expiry date, CVV2/CVC2 code (three-digit number on the back of the card).
  • Then you may be redirected to a page where you must enter a six-digit code with which you authorize the transaction. You will receive it via SMS to the mobile number you have given us. This code confirms the correctness of the data, i.e. the card status and the identity of the paying person.

ATTENTION: When making a payment, the bank never asks for a payment card PIN and does not send an authorization code if it is not required by the online store. Only the telephone number correctly assigned to the payment card account enables the use of the 3D Secure service for a given card. If you do not remember which phone number you gave us, please visit the bank branch to verify it.