The BANCOMAT chip card for withdrawals and payments is a secure device. The security of the BANCOMAT card is certified by the Politecnico di Torino. The only possible fraud involves unauthorized use of the card due to non-receipt, loss, or theft.
The only way to prevent unauthorized use of the BANCOMAT card is to keep its PIN secret. PIN stands for Personal Identification Number, a personal identification code. This code is personally given by the Issuing Institution to the cardholder so that the BANCOMAT card can be used exclusively by them.
The cardholder is responsible for every withdrawal or payment transaction performed using the PIN.
Therefore, the PIN must be securely protected and must not be stored in any form together with the BANCOMAT card.
The cardholder is responsible for their PIN: every transaction made with the BANCOMAT card following PIN entry (i.e., with cardholder authentication) is considered to have been made by the cardholder.
The PIN is stored inside the BANCOMAT chip card in a secure memory area. This area is used exclusively by the card itself and is inaccessible from the outside. The security of the PIN is certified by the Politecnico di Torino. The PIN cannot be retrieved from the BANCOMAT card chip.
The limited number of PIN entry attempts (BANCOMAT allows only 3 attempts) makes it highly unlikely that the PIN will be guessed (a fraudster has only 3 attempts out of 10,000 possible combinations). By protecting our PIN, we protect our accounts.
The BANCOMAT card operates based on a cryptographic key (each card has its unique key). This key is stored inside the BANCOMAT chip card in a secure memory area.
This area is inaccessible from the outside. The security of the key is certified by the Politecnico di Torino. Therefore, the BANCOMAT chip card cannot be cloned.
The BANCOMAT app is designed and developed according to state-of-the-art security principles. This ensures that the BANCOMAT app is resistant to cyber-attacks. For installation, it also requires the smartphone to meet specific security criteria. Make sure to download the latest version of the app from official stores to guarantee maximum security.
The intrinsic security of the app must be accompanied by awareness of the tool’s capabilities, as well as the risks related to using consumer devices for managing bank accounts and payments.
The app alone cannot counter fraud attempts carried out through phishing or social engineering. These attacks focus not on the payment tool (smartphone or app) but on the person who holds the tool. Recognizing a phishing attempt is essential to avoid putting your accounts at risk.
Fraud attempts through phishing or social engineering always involve direct contact with the victim. This contact can occur through various channels: email (common phishing), phone (vishing or voice phishing), SMS (smishing or SMS phishing), or social media (social media phishing).
Common reasons for contact include:
In the event of a phishing attack on the BANCOMAT app, the attacker’s goal is always to obtain the information needed to activate the app on their own mobile device and perform payment transactions on behalf of the victim.
This information consists of:
The app activation is therefore based on two codes: one displayed in the user’s home/mobile banking and one received via SMS by the user.
If the app activation is completed successfully, it is possible to make payments and money transfers directly from the app.
Once the app is activated, confirmation of payment or money transfer operations is provided directly through authentication within the app.
1. Requests for home banking access codes. The fraudster could obtain the activation code for the BANCOMAT app.
2. Direct requests for the BANCOMAT app activation code.
The app activation is based on two codes: one displayed in the user’s home/mobile banking and one received via SMS by the user.
If the app activation is completed correctly, it is possible to make payments and transfer money directly from the app.
Neither the Bank nor BANCOMAT will ever ask a user for the activation code or verification code of the BANCOMAT app. These are personal codes and must be protected by the user just like the PIN code of the BANCOMAT card or the device codes of the bank account.
In case of suspected phishing, it is advisable to immediately end the communication and promptly inform your Bank of the incident through the communication channels provided by the Bank itself.