Internet Banking Security

Logging in

A new and clearer way of presenting and entering the additional identifier (e.g. PESEL)

We have improved the graphic presentation and the method of entering the additional identifier in the login process. Your identifier (e.g. PESEL, personal identity card number, passport, REGON or NIP) will be presented in accordance with its actual number of digits to improve clarity and make logging in easier.

Define your own alias for MilleKod

You can define your own name for MilleKod after logging in and selecting the tab: My settings/Security settings. You can use it interchangeably with MilleKod because MilleKod always stays active. Remember that your personalised name for MilleKod must be made up of at least 8 and not more than 16 characters (digits or letters) and must not be easy for others to decipher.

Login to IVR is performed using the MilleKod number received in the agreement; it is not possible to use your own name for MilleKod there.

Set up captcha

After logging in, you can also define a captcha. Simply select the tab: My settings/Security settings. Once it has been defined, the captcha will be shown on your login screen after you enter MilleKod.

Use the virtual keyboard for logging

When logging in, you can use the virtual keyboard, which provides additional protection against keyloggers in electronic banking.

SMSP@sswords

SMSP@sswords are one-time codes sent to your mobile phone number.

SMSP@sswords are used for authentication of operations in the Internet Banking system for individuals.

What are the advantages of SMSP@sswords?

  • Security. An SMSP@ssword is unique for each operation. You can authorize only the operation for which it was generated. In addition, a higher security level is provided by requiring two separate devices to perform an operation.
  • No additional cost. The SMSP@ssword service will be fully free of charge. The Bank will pay for the SMS messages sent.
  • You do not have to remember additional passwords. The Bank will send an SMSP@ssword whenever you perform an operation that needs to be authorized.
  • You can activate SMSP@ssword at any moment.
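
The property described above (a code that authorises only the operation it was generated for), together with the limits this page states elsewhere (6-digit code, 15-minute validity, a 2-minute wait before a new code, blocking after three wrong entries), modelled as an added example. It is not the Bank's code: the class and function names, the HMAC construction and the sample transfer are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Figures stated on this page; everything else below is an assumption.
CODE_DIGITS = 6                # "6-digit password from the text message"
VALIDITY_SECONDS = 15 * 60     # code valid for 15 minutes from sending
MAX_WRONG_ENTRIES = 3          # three wrong entries may block (3D Secure section)
RESEND_WAIT_SECONDS = 2 * 60   # a new code can be generated after 2 minutes


def _tag(salt: bytes, operation: dict, code: str) -> bytes:
    """MAC over the operation details *and* the code, so the code only
    verifies together with the exact operation it was issued for."""
    message = json.dumps([operation, code], sort_keys=True).encode()
    return hmac.new(salt, message, hashlib.sha256).digest()


@dataclass
class _Pending:
    salt: bytes
    tag: bytes
    issued_at: float
    used: bool = False


class SmsCodeAuthoriser:
    """Hypothetical server-side model of an operation-bound one-time code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # operation id -> _Pending
        self._wrong = {}     # operation id -> wrong entries so far

    def issue(self, op_id: str, operation: dict) -> str:
        """Create a code for this operation; the caller would put it in the SMS
        next to the operation details so the customer can compare them."""
        now = self._clock()
        prev = self._pending.get(op_id)
        if prev and not prev.used and now - prev.issued_at < RESEND_WAIT_SECONDS:
            raise RuntimeError("a new code can be generated after 2 minutes")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[op_id] = _Pending(salt, _tag(salt, operation, code), now)
        return code

    def verify(self, op_id: str, operation: dict, code: str) -> str:
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no-code'."""
        if self._wrong.get(op_id, 0) >= MAX_WRONG_ENTRIES:
            return "locked"
        pending = self._pending.get(op_id)
        if pending is None or pending.used:
            return "no-code"
        if self._clock() - pending.issued_at > VALIDITY_SECONDS:
            return "expired"
        if hmac.compare_digest(pending.tag, _tag(pending.salt, operation, code)):
            pending.used = True            # one-time: a second use is refused
            return "ok"
        self._wrong[op_id] = self._wrong.get(op_id, 0) + 1
        return "locked" if self._wrong[op_id] >= MAX_WRONG_ENTRIES else "wrong"


def demo() -> dict:
    """Run constructed scenarios against a fake clock and return the outcomes."""
    now = [1_000_000.0]
    auth = SmsCodeAuthoriser(clock=lambda: now[0])
    transfer = {"beneficiary": "constructed-account-A", "amount": "150.00 PLN"}
    altered = dict(transfer, beneficiary="constructed-account-B")
    out = {}

    code = auth.issue("op-1", transfer)
    out["altered_operation"] = auth.verify("op-1", altered, code)
    out["genuine_operation"] = auth.verify("op-1", transfer, code)
    out["replay"] = auth.verify("op-1", transfer, code)

    code = auth.issue("op-2", transfer)
    now[0] += VALIDITY_SECONDS + 1
    out["after_15_min"] = auth.verify("op-2", transfer, code)

    auth.issue("op-3", transfer)
    try:
        auth.issue("op-3", transfer)
        out["resend_too_soon"] = False
    except RuntimeError:
        out["resend_too_soon"] = True
    now[0] += RESEND_WAIT_SECONDS
    code = auth.issue("op-3", transfer)
    wrong = "000000" if code != "000000" else "000001"
    out["three_wrong"] = [auth.verify("op-3", transfer, wrong) for _ in range(3)]
    out["after_lock"] = auth.verify("op-3", transfer, code)
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because the stored tag covers the operation details, a code entered against a changed beneficiary fails exactly like a wrong code, which is why comparing the SMS with the screen before typing it matters.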

Login - P@ssword 1

Every client receives a unique MilleKod used as a username in the login process. Every user also receives P@ssword1, which is used in the verification process. During the first login the system will force the user to change P@ssword1.

P@ssword1 is an individual code consisting of 8 digits, used for logging in to Millenet.

The client can change P@ssword1, and the system also reminds the user once in a while to change the password.

To increase the security level, after the third failed login attempt the system will block access to Millenet for that specific user.

Security certificates

The security of the Millenet system is guaranteed by encrypted transmission using 128-bit SSL protocol.

The https:// prefix at the beginning of the webpage address indicates that the encryption method is in use.

Millennium Bank uses a GeoTrust True BusinessID SSL certificate guaranteed by GeoTrust, a company specializing in encryption and data security. This protection method prevents any unauthorized access to the client's confidential data. In addition, the certificate ensures that the login page belongs to the institution mentioned in the certificate.

 

[Screenshots: the site certificate as displayed in Internet Explorer, Google Chrome and Mozilla Firefox]

Daily limit

The daily transaction limit (main limit) defines the amount limit for transactions executed on a specific day. The amounts of the incoming transfers and standing orders are included in the daily limit. These restrictions do not apply to transfers between your own accounts in Millennium Bank.

In the case of a joint account, each owner individually defines the amount of the daily transaction limit.

It is an additional protection for the customer. The amount of the daily limit can be changed individually by the customer (Profile -> Security settings, confirmed by SMSp@sswords) or when visiting a Bank branch. The user can check the used amount of the daily limit in the following Millenet section: Profile -> Security settings, field Daily limit usage.

The maximum amount of the daily limit is defined in the price list.

3D Secure

Bank Millennium brings to Customers the new 3D Secure service (Three Domain Secure). The service offers a new dimension of security for online payments made with debit and credit cards.
  • How to use it?

    How does 3D Secure work in Bank Millennium?

    3D Secure transactions are made with an additional security mechanism in the form of authorisation with single-use SMS P@sswords or authorisation in the mobile application.

    During card payments, e.g. at an online shop, the Bank may send a single-use secure SMS P@ssword to the mobile phone number you predefined, with a request to enter it on the dedicated and secured website, or send a PUSH message with a request to approve the transaction with your PIN code or by scanning your fingerprint (if your device supports this function).

    The financial data provided will then be sent to a secure authentication server. At this very first stage it will be possible to immediately verify whether the card has been stolen, lost or cancelled for other reasons.


    What do you need to make an Internet payment?

    To ensure the highest level of security of your online card transactions, it is necessary to activate the SMSP@ssword service. Detailed information about the activation process is available in the section Transaction confirmation.

    In order to use a more convenient way of accepting online card transactions, you have to activate Bank Millennium mobile application and change 3D Secure settings in the application settings (tab Settings > Transaction acceptance).

    The mobile phone number defined at the Bank is used in the Millenet system to confirm transfer orders, sign agreements and receive transaction notifications.

    You will learn how to activate SMS P@ssword service in the Access and login tab.


  • 3D Secure payments step-by-step

    How does 3D Secure work?

    When making payments, e.g. in an online shop, upon selection of the card payment method and entering the required data, transaction authorisation will follow for sites participating in MasterCard SecureCode or Verified by Visa. For sites not participating in MasterCard SecureCode or Verified by Visa, confirmation of payment will be processed as usual.

    To make a 3D Secure payment follow the instructions:

    1. Fill-in the form

    Please check that the payment information is correct:
    - Merchant name,
    - Date and time,
    - Card number,
    - Amount (final amount of card payment)

    At the same time, a text message will be sent to your mobile phone. Upon its receipt, read it carefully and check whether its details are consistent with those presented in the form. 

    If the data are correct, provide the one-time SMSP@ssword from the text message and confirm the transaction by selecting the "Accept" option.

    If the data shown are incorrect, cancel the transaction using the "Cancel" option.


    2. Finalizing the transaction

    After positive SMSP@ssword validation you will be informed that the transaction has been successfully completed.
    If any problem occurs in the payment process, the system will inform you by displaying an appropriate message. Remember that for security reasons entering an incorrect SMSP@ssword three times may block your card for 3D Secure online transactions.


    3. (optionally) Finalizing the transaction using the mobile application

    If you changed the authorization method to mobile application, after the transaction, instead of SMS Password, you will receive a PUSH message. At the same time, payment details will be shown on your desktop (as it is visible on the screen below). The PUSH message will open a confirmation screen in your app where you can authorize the transaction using your PIN code, Touch ID or Android Fingerprint ID.


  • Benefits

    • Maximum security – transactions are protected by two independent access channels: web browser and mobile phone. The card holder will be identified on the basis of the card number, expiry date and CVV2/CVC2 code, and additionally on the basis of a secure, single-use SMS P@ssword sent to the mobile phone number pre-defined at the Bank or authorisation in the mobile application.
    • No additional cost – 3D Secure provides the highest level of security without additional costs. The Bank does not charge for the service. All the text messages sent to the card holder and PUSH messages sent to devices with an active mobile application are free of charge.
    • Convenience – the payment form is automatically filled in with the data submitted by the shop; you only need to enter the 6-digit password from the text message, or enter your PIN code or scan your fingerprint in the mobile application on your device.

  • Who can use the service?

    3D Secure is available to Bank Millennium customers who meet the conditions below:

    • have an active Millennium prepaid, debit or credit card (Visa or MasterCard),
    • have access to the Millenet transactional system for individuals/business customers,
    • have activated the SMSP@ssword service,
    • (optionally) have the Bank Millennium mobile application.

Security rules

  • Login

    When you log into the system, never give your entire PESEL and phone number. Remember that Millenet requests only 2 digits from your identifier.

    Beware of the following situations:

    • upon failed login, Millenet will keep requesting you to enter the same two digits from your identifier, until they are entered correctly,
    • if you notice that the system asks you to enter more than 2 digits, immediately stop the login and contact the Bank.

    Please report such issues to us as a notification of suspected abuse, through the Millenet system or by calling 801 24 HELP (801 24 4357).


  • Phone security

    Do not give your phone number in part or in full when you log in!

    Beware of the following situations:

    • if you see that Millenet asks you about your phone number during login, immediately stop the login process and contact the Bank,
    • the Bank never requests your phone number when you log in, except when you print out password 2 for activation and change your contact phone number,
    • do not give access to your phone to people whom you do not trust and do not install any software or applications from unknown sources.

  • Software installation

    Do not install software from untrusted sources on your computer or mobile.

    The simplest way to get malicious software onto your system is to make you install it yourself. Be very careful with software downloaded from the Internet.

    • Do not launch programmes received by email
    • Do not open files with the .exe extension of unknown origin. Programmes with the .exe extension may often install additional spying software "in the background", or software that provides full on-line access to your computer
    • Remember that use of P2P software (for instance, Bearshare, KaZaA, eMule, DC++ etc.) exposes your computer to security risks
    • Do not install software on your mobile unless you know its origin

  • Certificate and Email

    Verify the certificate of the page.

    Verify the certificate of the page and never reply to e-mails in which you are asked to provide confidential data!

    The connection between your browser and our server is encrypted with 128-bit SSL protocol. A small locked padlock at the bottom of the browser window means that the connection is encrypted. When connecting to our transactional system, please check that the padlock looks as follows:

    [Screenshots: padlock icon in MS Internet Explorer 7.0, Opera 10 and Mozilla Firefox 3.0.0.x]

     

    Double-clicking the padlock shows the certificate of the page. The certificate should be issued to www.millenet.pl, as follows:

    [Screenshots: certificate details in MS Internet Explorer and Opera 10.0]

     

    Remember that Bank Millennium never asks you to provide confidential data by e-mail, so never reply to e-mails in which you are asked to provide your confidential data, for instance:

    • personal data,
    • mother's maiden name,
    • bank account number,
    • MilleKod,
    • passwords,
    • payment card numbers,
    • card validity dates,
    • CVV2 authorisation codes of payment cards (last 3 digits to the right of the signature field).

    Never open attachments in e-mails received from an unknown source. Very often such attachments contain viruses or spyware, which may be installed automatically on your computer.


  • System update

    Regularly update the system installed on your computer.

    Pay attention to the updates of your system that have an impact on its security.

    If you use Microsoft Windows, you should use the automatic Windows update option.

    Access to this option you can get by:

    You can also read about security on the Microsoft Windows pages:

    www.microsoft.com/security/protect/default.asp

    If you use another operating system, check the web site of its developer and, if possible, subscribe to its mailing list about system updates.


  • SMSP@ssword and P@ssword1

    Take care of the security of your passwords and compare the content of the SMSp@ssword message with the content of the internet page!

    • Never reveal your passwords to anybody
    • Change passwords at least once per month (in the Millenet system you can set a password change reminder every 7 to 60 days)
    • Never write down your passwords or send them via e-mail
    • If you think that somebody could know your password, change it as soon as possible
    • Use passwords that are different from each other and from MilleKod, and that are not easy to guess

    Remember: before confirming each operation (e.g. a transfer) by typing the SMSP@ssword, please compare the content of the SMS with the content of the internet page, to make sure that the proper operation is being confirmed.


  • Anti-virus software and personal firewall

    Use anti-virus software.

    Unfortunately, dangerous software may sometimes appear in your system: a virus, or software that allows someone to take control of your system remotely.

    A good, regularly updated anti-virus will help you fight such programs and prevent them from getting onto your PC. Even if you have such a dangerous program installed, the anti-virus will warn you when it is executed.

    You should never disable your anti-virus! 10 seconds without anti-virus is enough to install spy software on your computer.

    Examples of anti-virus scanners available online:

    • Mks_vir online scanner

    Examples of anti-virus software:

    • Avast Home Edition
    • Norton AntiVirus
    • Kaspersky Anti-Virus Personal
    • Mks_vir
    • Avast

     

    Use a personal firewall.

    A personal firewall is software that will warn you when somebody tries to connect remotely to your computer. You will also be warned when a program tries to send information to the network.

    Using a personal firewall requires a somewhat better understanding of the system installed on your PC, so that you know which programs can be allowed to connect to the network and which are to be blocked. It is worth investing in such knowledge to make attacks targeting your personal data more difficult.

    Examples of such programs are:

    • Sunbelt Personal Firewall
    • Comodo Free Firewall

  • Page address

    Pay attention to the address of the page that you are connecting to.

    The correct address of our transactional site begins with www.bankmillennium.pl


    If another address is presented in the address field in the web browser you should be very suspicious and you should not enter any data.


    If somebody tries to redirect the address www.bankmillennium.pl to another address, the following security alert should pop up:

    [Screenshots: security alert in MS Internet Explorer 7.0 and Mozilla Firefox 2.0.0.x]

     

    It is very important to read the browser's message carefully and to accept only a certificate with the correct data of the page.

    By clicking the View Certificate button you can see to whom the certificate has been issued.

     


  • Publicly available PCs

    Avoid using publicly available PCs for Millenet access.

    Do not enter confidential data (MilleKod, passwords) on a computer with public access, in particular in internet cafes and other public places. Software for data interception may be installed on it.


  • "Logout" option

    Always end your use of the Millenet system by selecting the "Logout" option.

    Always remember to end your work in the Millenet system by clicking the "Logout" button in order to terminate the session correctly. Do not use different browser windows with active Millenet sessions.


In this section you will find information on how to gain access to Millenet, log in to the transactional system, security issues etc.
  • How to obtain access to the Millenet system?

    A Client may get access to Electronic Banking Channels at any Bank Millennium branch, through the courier process or with a prepaid card. The Client receives MilleKod and P@ssword1, which allow him to log in to Millenet.


    MilleKod is a unique 8-digit system identifier for every Client in Millenet. It is possible to set a more friendly name for the MilleKod number. Your own name for MilleKod must consist of a minimum of 8 and a maximum of 16 numbers or characters and must be unique in the system.


    P@ssword1 is required at the first login to Millenet. Upon the first login the system will force the User to change P@ssword1 to a private one.


    The Client can also set the Daily transactions limit for the system. The Daily transactions limit constitutes the daily limit for transactions which may be ordered through the Millenet system.


  • What is the purpose of P@ssword1 and how to change or unblock it?

    P@ssword1 is used for logging into the Millenet system. The Bank's Client receives this password in a protected paper envelope, in an SMS message (during first login), in a Millenet message or in a return transfer in the online process. P@ssword1 should be used no later than 90 days from the date of issue. Additionally, in the case of delivery by SMS, the message is valid for 15 minutes from the time it was sent by the system. After this time, P@ssword1 will expire and it is necessary to contact the Bank in order to receive a new one.


    The Millenet system forces a change of P@ssword1 upon the Client's first login. At any time the Millenet User may change P@ssword1 in My settings > Password Manager.


    The system will block P@ssword1 after three failed attempts.

    • When the User recalls the correct P@ssword1, it may be unblocked at 801-24-HELP (0-801-24-4357).
    • If the User forgot P@ssword1, he should contact the Bank in order to receive a new envelope with P@ssword1.

  • What are SMSp@sswords?

    SMSp@sswords are one-time codes sent via SMS to a mobile phone.
    SMSp@sswords are used to confirm operations in the Millenet online banking system for individual and self-employed Customers.


  • Why is the Bank using SMSp@sswords for authorization?

    The one-time codes sent via SMS are an innovative, convenient and secure method of authorising bank transactions.
    In fact it brings only benefits:

    • you do not have to remember any numbers,
    • you do not have to carry any additional devices with you,
    • all you need to do a transaction is your mobile phone.

  • How to activate SMSp@sswords?

    To activate the service you need to define your mobile phone in the Bank system. New customers can activate the service during their first visit to a Bank branch while signing the agreement. Existing customers can do this using P@ssword2 downloaded from an ATM:

    • print P@ssword2 from a Millennium ATM using your credit or debit card of Bank Millennium,
    • when you have logged in Millenet the system will ask you to give the number of the mobile phone, to which SMSp@sswords will be sent,
    • after approval of the number you will get an SMS with the first SMSp@ssword, which you will have to enter in Millenet,
    • at the end of the activation the system will require you to give selected characters from the P@ssword2 printed out in the ATM.

  • How to use SMSp@sswords?

    Using SMSp@sswords is very simple and intuitive.

    • Before starting the transaction make sure that you have with you the mobile phone defined earlier in the system.
    • After approval of transaction details in Millenet, SMSp@ssword will be automatically sent to the pre-defined mobile phone.
    • Now it is only necessary to check if the data contained in the SMS message are consistent with the data on the computer screen and type-in the SMSp@ssword.
    • After the system has verified SMSp@ssword the transaction will be executed.

  • I do not have a mobile phone. How will I be able to perform transaction?

    A mobile phone is essential to use SMSp@sswords and confirm operations. It is also possible to define trusted beneficiaries; executing transfers to them will not require SMSp@sswords, so a mobile phone would not be necessary.

  • What is P@ssword2 necessary for?

    P@ssword2 is used only for activating or changing the mobile phone number for the SMSP@sswords service.


    You can print P@ssword2 at a Bank Millennium ATM using the option Electronic Banking Channels > P@ssword 2 printout.


    During the first logon to Millenet after the P@ssword2 printout, the system will give you the possibility to set or change the mobile phone number for SMSp@sswords.


  • Can I activate SMSp@sswords without generating P@ssword2 from an ATM with my debit card?

    Yes, activation is possible through telephone service:

    • call 801 24 HELP (0 801 24 4357) or +48 22 598 40 50 (for mobile and international calls),
    • choose option 3 (for English),
    • choose option 2,
    • enter your 8-digit MilleKod,
    • enter your 8-digit P@ssword1,
    • you will be connected to an operator shortly,
    • after verifying your information the operator will ask you to state the number of the mobile phone, to which SMSp@sswords will be delivered,
    • you will confirm the transaction by giving the consultant the activation SMSp@ssword sent to your mobile phone during the call.

  • What transactions will be confirmed with the SMSp@ssword?

    SMSp@ssword authorisation will be required for following transactions:

    • ordering a transfer from the Customer's account to accounts of other Customers,
    • defining, editing and deleting Standing Orders,
    • defining, editing and deleting Trusted Beneficiaries, granting Trusted status to a Beneficiary defined earlier,
    • change of settings in options: Personal Data, Security Settings,
    • defining and changing settings of the MilleSMS service,
    • top-up of Pre-paid mobile phones,
    • accepting the Bank's offer as regards credit products,
    • agreement constitution with the service supplier,
    • issuing supplementary cards to main credit cards,
    • Internet payment transfer confirmation.

  • Can I make transactions without giving the SMSp@ssword every time?

    This is possible for domestic transfers and top-ups of pre-paid phones. For this purpose you must give the transfer beneficiaries and defined phone numbers Trusted status. However defining and editing such trusted beneficiaries does require the SMSp@ssword.

  • How much do the SMSp@sswords cost?

    You do not pay anything for SMSp@sswords. Service activation is free-of-charge and the Bank will pay for the SMS messages sent with SMSp@sswords.

  • Can SMSp@sswords be sent by SMS to fixed-line phones?

    No, only a mobile phone may be defined in the system and only to such numbers may SMSp@sswords be sent.

  • What to do when I change the number of my mobile phone?

    If the phone number has changed, then the new number should be defined in the system to continue using SMSp@sswords. This can be done in one of 2 ways.

    Using P@ssword2 downloaded from an ATM:

    • print P@ssword2 from a Millennium ATM using your credit or debit card of Bank Millennium,
    • when you have logged in Millenet the system will ask you to give the number of the mobile phone, to which SMSp@sswords will be sent,
    • after approval of the number you will get an SMS with the first SMSp@ssword, which you will have to enter in Millenet,
    • at the end of the activation the system will require you to give selected characters from the P@ssword2 printed out in the ATM.

    Through telephone service:

    • call 801 24 HELP (801 24 4357) or +48 22 598 40 50 (for mobile and international calls) and ask for activation of SMSp@sswords,
    • the operator will forward you to the automatic service, where you will need to state the full MilleKod and P@ssword1,
    • after verifying P@ssword1 the operator will ask you to state the number of the mobile phone, to which SMSp@sswords will be delivered,
    • you will confirm the transaction by giving the consultant the activation SMSp@ssword sent to your mobile phone during the call.

  • What to do if my mobile phone is lost or stolen?

    Apart from blocking the number with the mobile network operator you need to block it in Millenet. After logging on to Millenet select the option MilleSMS > SMSp@sswords. Here select Delete this number.

    However please remember that to later define the mobile phone number you will need P@ssword2 printed out from an ATM, or will have to call the Bank's phone service.


  • What to do to get an SMSp@ssword?

    If SMSp@sswords were activated and the mobile phone number was defined, then during performance of every transaction, which requires the SMSp@ssword to be stated, it will be sent automatically by SMS to the mobile phone.

  • What to do if I lock the SMSp@ssword?

    Unlocking the SMSp@ssword is possible in one of 2 ways:

    Using P@ssword2 downloaded from an ATM:

    • print P@ssword2 from a Millennium ATM using your credit or debit card of Bank Millennium,
    • when you have logged in Millenet the system will ask you to give the number of the mobile phone, to which SMSp@sswords will be sent,
    • after approval of the number you will get an SMS with an activating SMSp@ssword, which you will have to enter in Millenet,
    • at the end of the activation the system will require you to give selected characters from the P@ssword2 printed out in the ATM.

    Through telephone service:

    • call 801 24 HELP (0 801 24 4357) or +48 22 598 40 50 (for mobile and international calls),
    • choose option 3 (for English),
    • choose option 2,
    • enter your 8-digit MilleKod,
    • enter your 8-digit P@ssword1,
    • you will be connected to an operator shortly,
    • after verifying your information the operator will ask you to state the number of the mobile phone, to which SMSp@sswords will be delivered,
    • you will confirm the transaction by giving the consultant the activation SMSp@ssword sent to your mobile phone during the call.

  • How long does the SMSp@ssword remain valid?

    The password sent in an SMS message remains valid for 15 minutes from the time it was sent by the Bank. This time is sufficient to receive the message and approve the transaction. If for some reason this period is exceeded you can generate the SMSp@ssword again without the need to cancel the pending transaction, by selecting Generate new SMSp@ssword.

  • What to do if the SMS with the SMSp@ssword is not delivered to the mobile phone?

    If the SMSp@ssword was not delivered to the mobile phone you can generate the SMSp@ssword again without the need to cancel the pending transaction. On the screen for typing the SMSp@sswords select the button Generate new SMSp@ssword.

    Generating a new SMSp@ssword is possible 2 minutes after this screen appears.


  • Can I use SMSp@sswords when abroad?

    Yes, just remember to activate roaming service from your mobile network operator. Additionally the Bank enables use of SMSp@sswords through mobile telephones working in networks of operators in the United Kingdom.

  • Can I give 2 phone numbers e.g. a separate one for the business account?

    No, for one MilleKod only one mobile phone number can be given.

    Note! Assigning the number to another user, e.g. a co-owner of the account, will result in deactivation of the number under the previous MilleKod.


  • What is the daily transactions limit? How to change it?

    The Daily Limit defines the amount limit for transactions executed on a specific day.

    The amounts of the incoming transfers and standing orders are included in the daily limit. These restrictions do not apply to transfers between your own accounts in Millennium Bank.

    The amount of the daily limit can be changed only in the Bank's branch.


  • Can you change the settings for idle periods in the Millenet system?

    After logging into Millenet, any longer idle period results in automatic logout from the system for security reasons.


    The idle time may be changed in the option My settings > Password Manager by setting the time in minutes (the maximum idle time in the system is 15 minutes).


  • What is the purpose of the "Password Reminder Frequency" option?

    The Password Reminder Frequency option, available in the My settings > Security settings tab, sets how often the system will remind the Millenet User to change the password for security reasons.
    An appropriate message will be displayed to the User immediately upon logging into the system and will require entering a new P@ssword1 or cancelling the change.


  • May I change the information displayed in the "My finances" tab?

    The Millenet User may select the information to be displayed in the My finances option in the tab My settings > Display options. Once the options of interest have been selected and the changes confirmed with the Save button, the new settings will be applied.

  • I have a few savings and checking accounts. May I choose which account will be displayed as the first one on the order screen?

    The User may choose the account that will be displayed first in the tab My settings > Display options, option Default account. After choosing the proper account and confirming the changes with the Save button, the new settings will be applied.

  • How to use Millenet system safely?

    When using the Millenet transaction system, the Bank's Client should check whether login and operation take place in a secure session (https protocol displayed in the website address and the "padlock" icon, which in Mozilla Firefox and Internet Explorer appears by the website address field) and whether the correct website address is displayed, starting with https://www.bankmillennium.pl/osobiste/...
    Please also follow the 10 security principles available at the Millenet address - 10 security rules and see the videos on security, courtesy of Microsoft, available on Microsoft's Security movies site.

     


  • I was logged out automatically. Why?

    After a certain period of time in which the user stays idle (which means that the user did not change the page being viewed), the system will automatically log the user out. The time after which the user is logged out can be changed in My settings > Security Settings > Idle time.
    In case of automatic logout, please check whether your operation was properly executed.