Internet Banking Security

Your security is our priority

Our internet banking system is protected by a range of advanced and reliable security measures, for which we received the Złoty Bankier award in the category "Security – best practices" three times in a row: for 2016, 2017 and 2018.

As of 14 September 2019 (PSD2 directive) we have introduced changes that guarantee additional security when accessing the account and increase the security of performed operations.

Discover the ways we make your daily banking and your data secure:

  • comprehensive protection during login process (individual login, password change reminders, security image etc.)
  • single-use SMS codes (SMS P@sswords) to authorize transactions
  • adjustable transaction limits
  • 3D secure - additional safety feature for online card payments
  • encrypted Internet connection and security certificates
  • SMS notifications (MilleSMS) to stay updated on transactions
  • 24/7 care line and tech support

Secure login

See what we do to give you secure access to internet banking.

How is your identity confirmed?

During login process you will be requested to provide the following data:

  • MilleKod - an 8-digit login stated in your account agreement. You can set your own, friendly name for MilleKod and use it interchangeably with the 8-digit code. To define your own name for MilleKod, log in to Millenet and go to Settings > Security settings.
  • Temporary P@ssword is defined by you during account application (4 digits) or received in a secure envelope in the Bank branch (8 digits).
  • P@ssword 1 - individual password you provide each time you log in to Millenet and TeleMillennium care line. You set it during the first login and can change it anytime in Millenet. Additionally, from time to time, the system will remind you to change the password.
  • Identifier - an additional login security measure. It consists of your PESEL, ID card or passport number, or, if you have a business bank account, of your NIP or REGON. Since you need to provide only 2 random digits of the selected identifier to log in, you minimize the risk of others intercepting the entire identifier.
  • SMS P@ssword is a 6-digit password sent in a text message to your phone number defined in the Bank system.

Remember: for security reasons, your access to Millenet internet banking system will be blocked after 5 consecutive failed attempts.

How to increase your safety while logging in even more?

Use password strength meter

The password strength meter will help you set an appropriate password. The more complicated combination of digits you choose, the more secure your password will be. You can change P@ssword 1 in Millenet in Settings > Security settings.

Define the security image

Once you log in to Millenet, you can set a security image in your Security settings. It will be visible every time on the login page - after entering MilleKod. If there is no picture displayed or it does not match, do not continue with the login and call our care line immediately.

Use on-screen virtual keyboard

For increased safety, you can use the on-screen keyboard while entering your P@ssword 1 or the selected digits of your identifier. It's a perfect protection from keyloggers, i.e. software that records user behaviour and the keys struck on a keyboard.

Checksum

  • What is a document checksum?

    Documents in Information about changes section in Millenet have their own, unique checksum (cryptographic hash function SHA 256, SHA being short for Secure Hash Algorithm). Any changes to the document will result in the change of the checksum.

  • Why do I get text messages from the Bank with parts of the checksum?

    In order to let you check the integrity and authenticity of the documents in Information about changes section, we send text messages with first four and last four characters of the checksum. This way you can be sure to always be in possession of uncorrupted and unchanged documents.

  • How to verify checksum of a document?

    You can check the checksum of any document (SHA 256 function) in the following ways:

     

    Method 1 – Windows:

    1. Run Windows PowerShell from Applications.
    2. In the command line type "Get-FileHash -Path z:\desktop\file.jpg -Algorithm SHA256".
    3. Change the file path from "z:\desktop\file.jpg" to the path of the file whose checksum you want to verify.
    4. Press Enter.
    5. PowerShell will compute the SHA-256 checksum of the file and display it.
    6. Compare the checksum from the SMS with the checksum from Windows PowerShell. If they are the same, the document downloaded from Millenet is original and has never been changed.

     

    Method 2 – Windows:

    1. Download document from Information about changes section in Millenet.
    2. Hover your mouse over the document icon and click the right mouse button.
    3. Choose options: CRC SHA and SHA-256 from the displayed menu.
    4. A new window will show checksum calculated by the function SHA-256.
    5. Compare the checksum from the SMS with the checksum from the window above. If they are the same, the document downloaded from Millenet is original and has never been changed.

     

    Method 3:

    1. Open a website that allows you to verify the checksum (using the SHA-256 function) of a given document.
    2. Send the downloaded document to the website from the point above.
    3. This website will show checksum calculated by the function SHA-256.
    4. Compare the checksum from the SMS with the checksum from the website. If they are the same, the document downloaded from Millenet is original and has never been changed.

     

    Method 4 – Mac OS:

    1. Run Terminal from Spotlight, Launchpad or Programs > Tools.
    2. Type "shasum -a 256" and, after a space, the path of the file whose checksum you want to verify.
    3. The shasum command will compute the SHA-256 checksum of the file and display it.
    4. Compare the checksum from the SMS with the checksum from the Terminal. If they are the same, the document downloaded from Millenet is original and has never been changed.

     

    Method 5 – Linux:

    1. Run the Terminal.
    2. Change to the directory containing the file whose checksum you want to verify, e.g. "cd download_directory".
    3. Then type "sha256sum foto.jpg", where "foto.jpg" is the name of the file whose checksum you want to verify.
    4. Press Enter.
    5. The sha256sum command will compute the SHA-256 checksum of the file and display it.
    6. Compare the checksum from the SMS with the checksum from the Terminal. If they are the same, the document downloaded from Millenet is original and has never been changed.
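
Methods 4 and 5 as one script, given here as an added example that is not part of the original page: it computes the SHA-256 checksum with sha256sum or shasum -a 256 and compares its first four and last four characters with the values from the SMS. The function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded document against the SMS checksum
# characters. Function names and sample values are constructed.
# Usage: verify_sms_checksum <file> <first four chars> <last four chars>

# Print the SHA-256 hex digest of a file with whichever tool is installed
# (sha256sum on Linux, shasum -a 256 on macOS). Reading from stdin keeps
# unusual file names from being parsed as options or escaped in the output.
sha256_of() {
    local file="$1" out
    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        out=$(sha256sum < "$file") || return 2
    elif command -v shasum >/dev/null 2>&1; then
        out=$(shasum -a 256 < "$file") || return 2
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
    printf '%s\n' "${out%% *}"   # output is "<digest>  -"; keep the digest
}

# Return 0 if the digest starts and ends with the SMS characters,
# 1 if it does not, 2 on bad input or I/O error.
verify_sms_checksum() {
    local file="$1" sms_first sms_last digest first last
    # The SMS may show the characters in upper case; compare in lower case.
    sms_first=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    sms_last=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    # Each part must be exactly four hexadecimal characters.
    case "$sms_first$sms_last" in
        *[!0123456789abcdef]*) echo "not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#sms_first}" -eq 4 ] && [ "${#sms_last}" -eq 4 ] || {
        echo "expected 4 + 4 characters" >&2; return 2; }
    digest=$(sha256_of "$file") || return 2
    [ "${#digest}" -eq 64 ] || return 2
    first=$(printf '%s' "$digest" | cut -c1-4)
    last=$(printf '%s' "$digest" | cut -c61-64)
    # Show the full digest: the SMS covers only 8 of its 64 characters.
    echo "SHA-256: $digest"
    if [ "$first" = "$sms_first" ] && [ "$last" = "$sms_last" ]; then
        echo "MATCH: checksum starts with $first and ends with $last"
        return 0
    fi
    echo "MISMATCH: file has $first...$last, SMS says $sms_first...$sms_last"
    return 1
}

# Constructed demo: a temporary file containing "abc", whose SHA-256 digest
# starts with ba78 and ends with 15ad.
demo() {
    local tmp rc=0
    tmp=$(mktemp) || return 2
    printf 'abc' > "$tmp"
    verify_sms_checksum "$tmp" BA78 15AD || rc=$?
    printf 'abd' > "$tmp"            # one changed byte
    verify_sms_checksum "$tmp" BA78 15AD || true
    rm -f "$tmp"
    return "$rc"
}
demo
```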

Documents in the Information about changes section in Millenet are signed by Bank Millennium with an electronic certificate. The signature includes an embedded timestamp.

SMS P@sswords

SMS P@sswords are free-of-charge, single-use codes sent to your mobile phone number. You will receive them every time you log in to Millenet, activate the app, check transaction history older than 90 days, make a transfer, set a standing order or conclude an agreement online (order a new debit card, buy car insurance etc.). Just type in the 6-digit code you receive in the designated field in Millenet and confirm the operation.

Mobile Authorization in the mobile app is an alternative to SMS P@sswords. Instead of waiting for the SMS to be delivered, you can simply log in to the mobile app and with one click confirm the operation performed in Millenet.

Below you will find more information on Mobile Authorization.

Remember: for security reasons, your SMS P@sswords will be blocked after 3 consecutive failed attempts to provide correct SMS P@ssword.

 

  • How to unlock SMS P@sswords or change mobile number to which they are sent?

    Unlocking the SMS P@sswords and changing the default mobile number is possible in one of 2 ways:

    Through care line:

    • call 801 24 HELP (801 24 4357) or +48 22 598 40 50 (for mobile and international calls),
    • choose option 3 (for English),
    • choose option 2,
    • enter your 8-digit MilleKod,
    • enter your 8-digit P@ssword 1,
    • you will be connected with an operator shortly.

    After verifying your information the operator will ask you to state the mobile number to which SMS P@sswords will be delivered. You will confirm the transaction by giving the consultant the activation SMS P@ssword sent to your mobile phone during the call.

    Using P@ssword 2 downloaded from an ATM:

    • print P@ssword 2 from a Millennium ATM using your credit or debit card of Bank Millennium,
    • after you log in to Millenet, the system will ask you for the mobile phone number to which SMS P@sswords will be sent,
    • after approval of the number you will get an SMS with an activating SMS P@ssword, which you will have to enter in Millenet,
    • at the end of the activation the system will require you to give selected characters from the P@ssword 2 printed out in the ATM.

  • How long does the SMS P@ssword remain valid?

    A password sent by SMS is valid for 5 minutes. A new password can be generated after 2 minutes by clicking on Generate new SMS P@ssword, without the need to cancel the transaction being performed.


  • What to do if the SMS with the SMS P@ssword is not delivered?

    If the SMS P@ssword was not delivered to the mobile phone you can generate the SMS P@ssword again without the need to cancel the pending transaction. On the screen for typing the SMS P@sswords select the button Generate new SMS P@ssword.


  • Can I use SMS P@sswords when abroad?

    Yes, just remember to activate the roaming service with your mobile network operator. Additionally, the Bank enables use of SMS P@sswords on mobile phones working in the networks of operators in the United Kingdom and most European Union countries.


  • Can I make transactions without giving the SMS P@ssword every time?

    This is possible for domestic transfers and top-ups of prepaid phones. For this purpose you must give the transfer beneficiaries and defined phone numbers Trusted status. However defining and editing such trusted beneficiaries does require the SMS P@ssword.


Mobile Authorisation

Mobile Authorization is an alternative to SMS P@sswords used to confirm operations in Millenet. In order to use Mobile Authorization you need to have an active Bank Millennium mobile app where operations will be confirmed.

  • How does Mobile Authorization work?

    1. In order to confirm operation performed in Millenet, log in to the mobile app.
    2. Once you log in, a screen will be automatically displayed showing all operation details.
    3. Select "Confirm" and you are all set! Operation is confirmed and you will see the confirmation both in Millenet and mobile app.

  • How to activate Mobile Authorization?

    You can activate Mobile Authorization conveniently in the mobile app. Go to Settings, select Mobile Authorization and follow the instructions.


Transaction limits

Additional protection of your money is provided by Millenet transaction limit, i.e. so-called Main Limit (daily limit).

It determines the total amount of transactions you can make in one day. The amounts of standing orders as well as transfers rejected due to incorrect data are included in the daily limit. These restrictions do not apply to internal transfers between your own accounts in Bank Millennium.

The amount of the daily limit can easily be changed in Millenet in Security settings, at a branch or by calling TeleMillennium. The new limit becomes applicable immediately.

In case of joint account each holder can define the amount of daily transaction limit individually.

3D Secure card payments

3D Secure is an additional protection for your online card payments. Usually, when paying with a card in online stores, you need to provide data such as name and surname, card number and card expiry date. When paying in stores that support 3D Secure, after providing these details you additionally confirm the transaction with a single-use SMS P@ssword or Mobile Authorisation in the mobile app.

  • 3D Secure service is free of charge
  • available for all Bank Millennium prepaid, debit and credit cards
  • no software installation or service activation is required

Which online stores support 3D Secure?

Stores that participate in the MasterCard SecureCode or Verified by Visa programmes. You'll easily recognize them by their distinctive logo. In stores that do not support 3D Secure you can pay in the traditional way, by providing card details in the online form.

How does 3D Secure work?

  • 1. Fill-in the form

    Please check if payment information is correct:

    • Merchant name,
    • Date and time,
    • Card number,
    • Amount (final amount of card payment)

    At the same time, a text message will be sent to your mobile phone. Upon its receipt, read it carefully and check whether its details are consistent with those presented in the form.

    If the details are correct, enter the single-use SMS P@ssword from the SMS message or confirm the transaction by means of Mobile Authorisation in the app.

    If the data shown are incorrect, cancel the transaction using the "Cancel" option.


  • 2. Finalizing the transaction

    After a successful verification of the SMS P@ssword entered by you, or a correctly carried out Mobile Authorization, you will be informed by the store that the transaction has been performed.

    In case any problem occurs in the payment process, the system will inform you by displaying an appropriate message. Remember that for security reasons entering an incorrect SMS P@ssword three times may block your card for 3D Secure online transactions.


  • 3. (optionally) Finalizing the transaction using the mobile application

    If you changed the authorization method to mobile application, after the transaction, instead of SMS Password, you will receive a PUSH message. At the same time, payment details will be shown on your desktop (as it is visible on the screen below). The PUSH message will open a confirmation screen in your app where you can authorize the transaction using your PIN code, Touch ID or Android Fingerprint ID.


Encrypted connection and SSL protocol

The security of the Millenet system is guaranteed by encrypted transmission between your computer and the Bank server. The transmission is protected by 128-bit SSL protocol. The information about the encryption is visible in the prefix https:// at the beginning of the website address.

Millennium Bank uses GeoTrust True BusinessID SSL certificate guaranteed by GeoTrust, a renowned company specializing in encrypting and data security. This protection method prevents any unauthorized access to your confidential data. What is more, the certificate ensures that the login page belongs to the institution mentioned in the certificate, i.e. to Bank Millennium.

How to check certificate?

In most browsers, on the left or right side of the address bar you'll see a padlock icon. The padlock should be locked. Click on it to display the security certificate and make sure that your connection is safe and that the website is administered by Bank Millennium.

PDF documents security certificates

Each PDF document downloaded from Millenet is signed with a Bank Millennium security certificate. Therefore, you can easily verify whether anybody has interfered with its content after signing.

Bank Millennium uses 4 certificates to sign PDF documents. All of them have the same parameter "O" (Organisation), Bank Millennium S.A., together with other information which creates a unique digital signature.

How to verify the authenticity of a certificate?

Download a PDF document from Millenet and open it in Adobe Acrobat Reader (the following instructions apply to Adobe Acrobat Reader DC). You can download the free Adobe Acrobat Reader DC software from Adobe.com.

Follow the instructions:

1. Select Signature Panel in the upper right corner of the document, then right-click on the certificate's name Rev 1: Signed by... and choose Show Signatures Properties...
2. In this dialog box click on Show signer's Certificate.
3. In the Details tab you can check the document's certificate. Compare this data with the 4 certificates which Bank Millennium uses to sign PDF documents. You can find them below.
4. The document's certificate must match one of the four certificates below on all of the following data at the same time: Subject, Issuer, Serial number, SHA1 digest.

Certificates used by Bank Millennium:

  • Potwierdzenie integralnosci

    Issuer: Certum Digital Identification CA SHA2

    Certificate data (Adobe Reader terminology):

    Subject:
    CN = Potwierdzenie integralnosci
    L = Warszawa
    OU = DBC
    O = Bank Millennium S.A.
    C = PL
    email = wydruki@bankmillennium.pl

    Serial number = 50e7f7474e89f7d708ebf3a48aacaebf

    SHA1 digest = 99e88efb4245472d484a7e185669cd75ad16e2d4

    Issuer: CN = Certum Digital Identification CA SHA2


  • Bank Millennium S.A.

    Issuer: Certum Digital Identification CA SHA2

    Certificate data (Adobe Reader terminology):

    Subject:
    CN = Bank Millennium S.A.
    S = mazowieckie
    L = Warszawa
    OU = DBC
    O = Bank Millennium S.A.
    C = PL
    email = wydruki@bankmillennium.pl

    Serial number = 4b6d6af35efc020596fcf1b23b9cbd87

    SHA1 digest = eec003e3a7ed453c5f0d00c69ad77365e9380cc5

    Issuer: CN = Certum Digital Identification CA SHA2


  • Bank Millennium S.A. (OU Bank Millennium S.A.)

    Issuer: Entrust Class 3 Client CA - SHA256

    Certificate data (Adobe Reader terminology):

    Subject:
    CN = Bank Millennium S.A.
    OU = Bank Millennium S.A.
    O = Bank Millennium S.A.
    L = Warszawa
    C = PL
    email = wydruki@bankmillennium.pl

    Serial number = 00a49cf0a1a21f11430000000055650b72

    SHA1 digest = 729874d43763ef7939693ba4359c843d5ae96a9a

    Issuer: CN = Entrust Class 3 Client CA - SHA256


  • Bank Millennium S.A. (OU Potwierdzenie integralnosci)

    Issuer: Entrust Class 3 Client CA - SHA256

    Certificate data (Adobe Reader terminology):

    Subject:
    CN = Bank Millennium S.A.
    OU = Potwierdzenie integralnosci
    O = Bank Millennium S.A.
    L = Warszawa
    C = PL
    email = Potwierdzenie_integralnosci@bankmillennium.pl

    Serial number = 0097043ce1b76289740000000055651069

    SHA1 digest = 06d487530239a5a7c0932ff9be24da95de1b5754

    Issuer: CN = Entrust Class 3 Client CA - SHA256


Safety rules

Read 10 friendly tips for safe online banking:

  • 1. Never enter all digits of your identifier when you log in to Millenet

    • Millenet requests only 2 characters from your identifier, e.g. 2 digits from your PESEL
    • Upon failed login, Millenet will keep requesting you to enter the same two characters from your identifier, until they are entered correctly
    • If you notice that the system asks you to enter more than 2 characters, immediately stop the login and contact the Bank

  • 2. Never enter your phone number when you log in to Millenet

    • The Bank never requests your phone number when you log in, except when you print out P@ssword 2 for activation and change your contact phone number
    • Do not give third parties access to your phone

  • 3. Do not install software from untrusted sources on your computer or mobile

    • Do not launch programmes received by email
    • Do not open files with the .exe extension of unknown origin. Programmes with the .exe extension may often install additional spying software "in the background", or software that provides full on-line access to your computer
    • Do not use P2P software (peer-to-peer)

  • 4. Check website certificates and address

    • The connection between your browser and our server is encrypted with 128-bit SSL protocol. A small locked padlock at the bottom of the browser means that the connection is encrypted
    • Always check if the Bank website address begins with https://

  • 5. Do not reveal personal details by e-mail

    • Bank Millennium will never ask you to provide by e-mail confidential data such as date of birth, Mother's maiden name, PESEL number, MilleKod, passwords, payment cards numbers, card validity dates, or CVV authorisation codes
    • Never open attachments in e-mails received from an unknown source. Very often such attachments contain viruses or spyware, which may be installed automatically on your computer.

  • 6. Regularly update your computer system

    Install the updates of your system that have an impact on its security. If, for instance, you use Microsoft Windows, you can take advantage of the automatic Windows update option.


  • 7. Never reveal your P@ssword and remember to change it from time to time

    • Change passwords at least once per month (in Millenet system you can set password change reminder every 7 to 60 days)
    • Never write down your passwords or send them via e-mail
    • Use passwords that are hard to guess, that vary from each other, from your phone number and from MilleKod

    Don't forget: Always verify details of the operation given in an SMS P@ssword or displayed on the Mobile Authorization screen to be sure that you are confirming the right operation. In the case of Mobile Authorization the screen with operational details presents more details on the performed operation.


  • 8. Use anti-virus software and personal firewall

    • You should never disable your anti-virus! When the anti-virus software is disabled, spy software may be installed on your computer
    • Use personal firewall software, i.e. software that will warn you each time somebody tries to connect remotely to your computer or send information from your computer outside

  • 9. Use only trusted devices

    Do not enter confidential data (identifier, MilleKod, P@ssword 1) on computers, tablets and smartphones you do not trust or which are shared by many users, especially devices in internet cafes and other public places. Such devices may contain software that intercepts data.


  • 10. Always use "log out" option

    Always remember to end your work in Millenet system by clicking on "Log out" button in order to terminate session correctly. Do not use different browsers windows with active Millenet sessions.


Make sure your data and money are safe

Beware of phishing attempts

Pay special attention if:

  • you receive an e-mail from an address that looks like the Bank's, asking you to update, verify or confirm information and to log in via a website given in the e-mail
    (fraudsters may ask for the complete PESEL number or for further digits of the ID multiple times)
  • you receive a message on Facebook asking you to transfer a certain amount on your friend's behalf
    (fraudsters may ask for all the details needed for login under the pretext of a small loan, paying for a courier etc.)
  • the website on which you begin a payment looks different from the Millenet login page or is available under a different link than usual
    (fraudsters may also ask for all the details needed for login as well as for the complete PESEL number)

Protect yourself from viruses and false software

  • install anti-virus software on each device that you use for accessing electronic banking
  • always use only the most recent, certified version of the anti-virus software
  • do not install apps from uncertain sources, e.g. outside Google Play or AppStore
  • pay attention to the app's appearance and grammar correctness of texts
  • do not provide other data than usual, especially complete PESEL number
  • always thoroughly check the content of the SMS containing the SMS P@ssword or the operation details if you confirm a transaction in Millenet by means of Mobile Authorisation in the app.

If you think your data might have been taken over, contact the Bank immediately or change login data on another device you own. Do not access electronic banking from devices accessed by many people, especially in the public places. They may contain data intercepting software.