How does 3D Secure work in Bank Millennium?

3D Secure transactions are made with an additional security mechanism in the form of authorisation with single-use SMS P@sswords or authorisation in the mobile application.

During card payments, e.g. at an online shop, the Bank may send to the mobile phone number predefined by you a single-use secure SMS P@ssword with request to enter it on the dedicated and secured website or send PUSH message with request to approve the transaction with PIN code or to scan the fingerprint (if your device supports this function).

Provided financial data will then be sent to a secure authentication server. On this very first stage it will be possible to immediately verify if the card was not stolen, lost or cancelled for other reasons.

What do you need to make an Internet payment?

To ensure the highest level of security of your online card transactions, it is necessary to activate the SMSP@ssword service. Detailed information about activation process are available in section Transaction confirmation.

In order to use a more convenient way of accepting online card transactions, you have to activate Bank Millennium mobile application and change 3D Secure settings in the application settings (tab Settings > Transaction acceptance).

The mobile phone number defined at the Bank is used in the Millenet system to confirm transfer orders, sign agreements and to receive transactions notifications.

You will learn how to activate SMS P@ssword service in the Access and login tab.

How does 3D Secure work?

When making payments, e.g. in an online shop, upon selection of the card payment method and entering the required data, transaction authorisation will follow (for sites participating in the MasterCard SecureCode or Verified by Visa. For sites not participating in the MasterCard SecureCode or Verified by Visa confirmation of payment will be processed as usual).

To make a 3D Secure payment follow the instructions:

1. Fill-in the form

Please check if payment information  are correct:
- Merchant name,
- Date and time,
- Card number,
- Amount (final amount of card payment)

At the same time, a text message will be sent to your mobile phone. Upon its receipt, read it carefully and check whether its details are consistent with those presented in the form. 

If the data are correct, provide the one-time SMSP@ssword from the text message and confirm the transaction by selecting the "Accept" option.

If the data shown are incorrect, cancel  the transaction using the „Cancel" option.

2. Finalizing the transaction

After positive SMSP@ssword  validation you will be informed that the transaction has been successfully completed.
In case any problem occurs in the payment process, the system will inform you  by displaying an appropriate message. Remember that for security reasons entering an incorrect SMSP@ssword three times may block your card for 3D Secure online transactions.

3. (optionally) Finalizing the transaction using the mobile application

If you changed the authorization method to mobile application, after the transaction, instead of SMS Password, you will receive a PUSH message. At the same time, payment details will be shown on your desktop (as it is visible on the screen below). The PUSH message will open a confirmation screen in your app where you can authorize the transaction using your PIN code, Touch ID or Android Fingerprint ID.

• Maximum security – transactions protected by two independent access channels: web browser and mobile phone. Card holder will be identified on grounds of card number, expiry date, CVV2/CVC2 code and additionally on the basis of a secure, single-use SMS P@ssword sent to the mobile phone number pre-defined at the Bank or authorisation in the mobile application.
• No additional cost – 3D Secure provides the highest level of security without additional costs . The Bank does not charge for the service. All the text messages sent to the card holder and PUSH messages sent to the devices with active mobile application are free of charge.
• Convenience – the payment form is automatically filled in with the data submitted by the shop, you should only enter 6-digit password from the text message or PIN code/scan your fingerprint in the mobile application of your device.

3D Secure is available to Bank Millennium customers who meet  the conditions below:

• Has an active Millennium prepaid, debit or credit card (Visa or MasterCard),
• Has access to the Millenet transactional system for individuals/business customers,
• Has activated the SMSP@ssword service,
• (optionally) has Bank Millennium mobile application.

When you log into the system, never give your entire PESEL and phone number. Remember that Millenet requests only 2 digits from your identifier.

Beware of the following situations:

• upon failed login, Millenet will keep requesting you to enter the same two digits from your identifier, until they are entered correctly,
• if you notice that the system asks you to enter more than 2 digits, immediately stop the login and contact the Bank.

We ask kindly to report us such issues notification of suspected abuse, through Millenet system or to number 801 24 HELP (801 24 4357).

Do not give your phone number in part or in full when you log in!

Beware of the following situations:

• if you see that Millenet asks you about your phone number during login, immediately stop the login process and contact the Bank,
• the Bank never requests your phone number when you log in, except when you print out password 2 for activation and change your contact phone number,
• do not give access to your phone to people whom you do not trust and do not install any software or applications from unknown sources.

Do not install software from untrusted sources on your computer or mobile.

The simplest way to install malicious software on your system is to make you install it yourself.Be very careful with software downloaded from the Internet.

• Do not launch programmes received by email
• Do not open files with .exe extension of unknown origin. Often times, programmes with .exe extension, may install "in the background" additional spying software or software that provides full on-line access to your computer
• Remember that use of P2P software (for instance, Bearshare, KaZaA, eMule, DC++ etc.) exposes your computer to security risks
• Do not install software on your mobile unless you know its origin

Verify the certificate of the page.

Verify the certificate of the page and never reply to e-mails in which you are asked to provide confidential data!

The connection between your browser and our server is encrypted with 128-bit SSL protocol. Small locked padlock on the bottom of the browser means that the connection is encrypted. Please check if while connecting to our transactional system the padlock looks as following:

Opera 10:

Mozilla Firefox 3.0.0.x: 

By double clicking on the padlock we can see the certificate of the page. The certificates should be issued to www.millenet.pl as follows:

MS Internet Explorer:

Opera 10.0:

Remember, that Bank Millennium never asks to provide confidential data by e-mail, so never reply to e-mails in which you are asked to provide your confidential data as for instance:

• personal data,
• Mother's maiden name,
• banking account number,
• MilleKod,
• passwords,
• payment cards numbers,
• card validity dates,authorisation codes CVV2 of payment cards (last 3 digits on the right of signature fields).

When receiving emails with attachments from unknown source never open them. Very often such attachments contain viruses or spyware software and may be installed automatically on your computer.

Regularly update system installed on your computer.

You shall be interested with the updates of your system that have impact on its security.

If you use Microsoft Windows, you should use automatic Windows update option.

Access to this option you can get by:

• Choosing option Windows update from your Windows Start menu.
• Or typing to your browser address: http://windowsupdate.microsoft.com.

You can also read about security on the Microsoft Windows pages:

www.microsoft.com/security/protect/default.asp

If you use another operating system then you shall check web site of its developer and if possible you shall subscribe to the mailing list about system updates.

Take care about your passwords security and compare content of SMSp@assword with content of internet page!

• Never reveal your passwords to anybody
• Change passwords at least once per month (in Millenet system you can set password change reminder every 7 to 60 days)
• Never write down your passwords nor send it via e-mail
• If you think that somebody could know your password - change it as soon as possible
• Use passwords different from each other and from Millekod being not easy to guess

Remember: before confirming each operation (eg. transfer), with typed SMSP@ssword, please compare content of SMS with content of internet page, in order to make sure, that proper operation is being confirmed.

 Use anti-virus software.

Unfortunately sometimes it can happen that dangerous software may appear in your system - virus or software that allows to remotely take control of your system.

Good anti-virus, regularly updated, will help you to fight against such programs and to prevent them to come on your PC. Even if you have such a dangerous program installed, anti-virus will warn you while it would be executed.

You should never disable anti-virus! 10 seconds without antivirus is enough to install spy software on your computer.

Examples of anti-virus scanners avaiable online:

• Skaner internetowy Mks vir

Examples of anti-virus software:

• Avast Home Edition
• Norton AntiVirus
• Kaspersky Anti-Virus Personal
• Mks_vir
• Avast

Use personal firewall system.

Personal firewall is a software that will warn you when somebody will try to connect remotely to your computer. You will be also warned if some about the sending of information to the network.

Using personal firewall requires little bit better understanding of the system installed on your PC in order to know which programs can be allowed to connect to the network and which are to be blocked. It is worth to invest in such knowledge to make the attacks targetting to your personal data more difficult.

Examples of such programs are:

• Sunbelt Personal Firewall
• Comodo Free Firewall

Pay attention to the address of the page that you are connecting to.

The correct address of our transactional site begins with www.bankmillennium.pl

If another address is presented in the address field in the web browser you should be very suspicious and you should not enter any data.

If somebody would try to re-direct address www.bankmillennium.pl to another address, the following security alert should pop up:

Mozilla Firefox 2.0.0.x:

It is very important to read carefully the communicate of the browser and to accept only certificate with correct data of the page.

By clicking on the button View Certificate you can see to whom the certificate has been issued.

Avoid using publicly available PCs for Millenet access.

Do not enter confidential data (Millekod, passwords) from the computer with public access, in particular from internet cafes and other public places. There can be installed a software for data interception.

Always end your usage of Millenet system by selecting "Logout" option.

Always remember to end your work in Millenet system by clicking on "Logout" button in order to terminate session correctly. Do not use different browsers windows with active Millenet sessions.