Security
Scotiabank is committed to providing customers with a secure and protected banking and brokerage
environment. Learn about what we do and how you can protect yourself.
Our Online Security Commitment
Steps that Scotiabank takes to make sure your online experience with us is a safe one.
Keeping your financial and personal information secure is one of our most important responsibilities.
Before You Sign-On
The steps we take to ensure a secure online banking and brokerage environment.
There are several steps that we have taken to ensure a secure environment before you can sign-on to
Scotia OnLine®. In addition to providing a protected environment, we require you to have the following to
sign-on to Scotia OnLine:
•
•
•
a ScotiaCardTM, which is your unique identifier when dealing with us,
a password, selected by you;
a supported 128-bit browser.
There are also three additional features of our sign-on page that you should be aware of: our Alerts
System, Express Sign-on feature, and Safe Computing Practices.
Alerts System
We may communicate important information to you directly on the Scotia OnLine Sign-on page.
Urgent, time sensitive information will be denoted by a red exclamation mark within a circle. Other
important messages that are not considered urgent will be conveyed by a blue "i" within the circle. When
you see these symbols, please be sure to read the notice and follow any recommended instructions.
Express Sign-on Feature
This handy feature allows you to securely save your ScotiaCard number on your computer so that you do
not need to have your ScotiaCard with you or enter this information each time you want to sign-on. If you
use this feature, your card number is stored in encrypted and masked formats so that it cannot be read by
others. This feature will not save your password.
If you are using a public access computer or a shared computer with other individuals, it is recommended
that you do not use the Express Sign-on feature.
For more information, please see our Express Sign-on page.
While You Are Signed On
Within Scotia OnLine Financial Services®, we take additional steps to keep your information secure.
Scotia OnLine® is a protected environment that meets the highest Internet security standards. When you
are signed onto Scotia OnLine, we take the following additional steps to protect your information:
128-bit SSL - Industry standard encryption ensures that your information passes between your personal
computer and the Bank's computers securely, preventing others from being able to read or tamper with
your account activity.
•
Timeouts - If you're away from Scotia OnLine for more than 10 minutes, an interruption to
the Scotia OnLine session will occur. (A time-out extension option is available for Scotia OnLine
Brokerage customers.) You will then be required to sign back into Scotia OnLine with your
password.
•
Reference Numbers - After every transaction, we provide a reference number. This will help
you and us in any inquiries you may have.
Optional Features
•
•
Masked Account Numbers - You may have your account numbers partially masked by
asterixes. Therefore, "Shoulder Surfers" will not see your entire account number either on
screen or on any print outs.
Brokerage Trading Access Code - A secondary password may be set up to complete any
brokerage transactions. The feature provides an added layer of security to your online
brokerage session.
Some Applications do not require you to log on to Scotia OnLine
There are some applications on our public site that may be completed without signing on to Scotia OnLine.
The minimum requirement for these applications is a supported 128-bit browser.
We're here to answer your questions, anytime.
Please call 1-800-4-SCOTIA (1-800-472-6842)
or in the Toronto area, 416-701-7200.
Your Security Responsibility
Steps you should take to ensure your information remains secure.
While we take strong measures to ensure the security and confidentiality of your information, it is
extremely important that you also recognize and do your part.
Safe Computing Practices
Updated December 5, 2005
The things that you should do to protect your information online.
It is important that you take steps to protect your information on your personal computer. Scotia OnLine®
Financial Services is a protected environment which meets the highest Internet security standards. While
we take strong measures to ensure the security of your financial transactions and the confidentiality of
your information, it is extremely important that you also take precautions to ensure that your information
remains safe and secure. We advise customers to read about these topics and follow the recommended
safe computing practices:
1. Protect Your Privacy:
•
•
•
•
•
•
•
Use caution before answering online and email requests for your personal information.
Scotiabank will never present you with unexpected webpages or send you
unsolicited emails asking for your confidential information, such as your password,
PIN, Access Code, credit card, account number, etc. We will never ask you to validate
or restore your account access through unsolicited email.
Do not respond to unsolicited emails or websites that request personal information. Report any
suspicious requests to Scotiabank immediately at
1-800-4SCOTIA (1-800-472-6842).
Protect your Scotia OnLine Password.
Your Scotia OnLine password is confidential and must never be shared with any outside person
or company, including:
Account aggregation services that consolidate and display all of your
financial information in one place.
Software that records your password so that you don't need to enter it the
next time you access a website.
Services that collect your card number and password, or any other
confidential information, to perform transactions on your behalf or to collect
payment from you.
Any other agreements you may make or services you accept which include
your consent to having your Internet activity monitored.
In divulging your password, you contravene the terms of your ScotiaCard
Cardholder Agreement and you will be fully liable for any unauthorized
access to your accounts and all associated losses arising from these
disclosures.
Pick a password that is difficult to guess by using a combination of letters and numbers
(nothing obvious). In fact, if you're still using a numeric password, please change it now.
Memorize your Scotia OnLine password and keep it secret. If you suspect your password has
been compromised, please change your password immediately or call 1-800-4SCOTIA (1-800472-6842).
For special numeric-only codes, which are different from your sign-on password (such as your
Access Code), select a code that is easy to remember but do NOT select your birth date,
•
•
•
•
•
•
•
•
•
•
telephone number, license plate, address or other easy-to-guess combinations. If you have
numbers in your sign-on password, don't use them in your Access Code. Memorize your Access
Code, do not write it down and NEVER tell anyone what it is.
Never send confidential information (such as account numbers of any type, ScotiaCard,
password, Access Code, etc.) via email.
Avoid using software that records your passwords so that you don't need to enter them the
next time you access a website from the same computer. This type of software could give
other users of your computer access to your accounts.
Note: Scotia OnLine's Express Sign-on Feature is safe to use, as it does not record your
password.
Avoid accidentally agreeing to have your Internet activity monitored by other parties by
carefully reading the terms of any software you download and free services you accept online
before you download them.
Always type in the website address or use your bookmarks to access Scotia OnLine:
www.scotiaonline.scotiabank.com
Do not leave your computer unattended while logged on to Scotia OnLine.
Always log off when you're finished your Scotia OnLine session.
Clear your browser's cache after each Scotia OnLine session. Each time you access the
Internet, your browser automatically saves a copy of the web pages you've visited. Diligently
clearing your browser's cache after each session is an important step in safeguarding your
account information.
Keep your ScotiaCard in sight at all times during transactions and never lend your card to
anyone.
Review your account statements and/or online account transaction details promptly and report
any discrepancies immediately. With Scotia OnLine, you can review your up-to-date account
transactions and therefore identify any discrepencies immediately. Contact numbers can be
found on your statements.
Report lost or stolen ScotiaCards to 1-800-4SCOTIA
(1-800-472-6842) immediately.
2. Use Anti-Virus Software:
Whenever you use your personal computer and the Internet, there is a potential risk of contracting a
computer virus or the possibility of infiltration by intrusion software commonly known as "Trojan Horses".
Computer viruses can modify programs, delete files and erase the contents of hard drives. "Trojan Horses"
can have similar effects and may be able to capture keystrokes, including passwords or other secret
information. Spyware and other deceptive software can also conduct certain activities on your computer
without your knowledge or consent.
The potential consequences of any of these threats could include damage to your personal computer,
compromise of your secret information and the inability to use Scotia OnLine.
For these reasons, we advise our customers to follow these practices:
•
•
•
•
Install and frequently update a proven anti-virus product, such as McAfee
VirusScan1 or Norton AntiVirus1. Most popular anti-virus products include some spyware
scanning capabilities.
Only accept or download software from a source that you believe to be trusted.
Never accept files or attachments when accessing websites, newsgroups and chat rooms
unless you are very sure of their authenticity.
Ensure you are using a legally licensed operating system.
Warning about 'free' services and software offering faster web surfing and email virus
scanning: We strongly advise you to carefully read the terms of any free services you accept or software
you download online before you accept them. They are known to sometimes include your consent to
having all of your Internet browsing activity, including secure transactions monitored. In consenting to
such terms, you may allow the service provider to collect highly personal information such as your bank
account and credit card numbers and passwords. Your Scotia OnLine password is confidential and must
never be shared with any outside person or company. In divulging your password, you contravene the
terms of your ScotiaCard Cardholder Agreement and you will be fully liable for any unauthorized access to
your accounts and all associated losses arising from these disclosures.
Find out more about spyware and deceptive software:
•
How to Protect Your Computer from Spyware and Adware
3. Protect Your Internet Connection:
There are additional vulnerabilities associated with having a computer directly connected to the Internet
for an extended period of time. This applies to all users but it is extremely important for users with cable
modem or digital subscriber line (DSL) Internet access. These methods of connection do not require
'dialing' into the Internet and thus are sometimes described as 'always on' connections. Unfortunately, as
long as the computer remains 'on' and connected to the Internet, malicious parties have a continuous
window of opportunity for attacks on the user's personal computer.
If you use a cable modem or DSL connection for Internet access, you can limit this security risk by
disconnecting from the Internet when your session is complete, or by turning off the cable or DSL modem.
However, if you want to continue to take advantage of the 'always on' feature of cable and DSL
connections or if you run extended dial-up sessions on the Internet, we recommend the following security
measures be taken:
• Disable File Sharing on Your Personal Computer
File sharing is a feature of Windows‡ that allows other computers to access your personal
computer, even from across the Internet. Microsoft‡ has provided instructions on how to
disable file sharing in Windows Help (Click Start, Help, then choose the 'Index' tab and type
"file sharing, disabling").
•
•
•
•
Our recommendation is to disable file sharing. However, if you choose to retain this option for
your particular environment, exercise due care and apply appropriate security measures.
Install a Personal Firewall
Install and frequently update a proven personal firewall product, such as Personal Firewall
Plus1 Zone Alarm1 or Black Ice1 , that can be configured to prevent unauthorized access to
your personal computer and keep it up-to-date.
Get Computer Security Updates
Ensure that you are using a legally licensed operating system. You may be able to improve
the security of your system by getting updates to help correct issues that may make your
computer vulnerable to virus or worm attacks. As such, you should diligently apply security
patches as they become available. Find out more:
o Windows users: Microsoft Security
o Macintosh users: Apple Product Security
o If you have a wireless network, there are additional measures that should be taken
to protect your Internet connection:
Use encryption - Enable the highest level of encryption available for your router; newer
wireless routers typically use Wi-Fi Protected Access (WPA), and older versions use Wired
Equivalent Privacy (WEP). This will encrypt all data transferred between your personal
computer and wireless router. In addition, devices without your encryption key cannot
connect to your wireless router.
Change your default password - All wireless routers are given a default administrator
password by their manufacturers, so make sure to change this password to prevent
unauthorized access to your wireless router.
•
•
Change SSID (Service Set Identifier) - The SSID is the name of your wireless network. In
order for a computer to connect to your wireless network, the SSID must be known. You
should change the manufacturer's default SSID name to a unique name that will not be easily
guessed, and has no direct connection to you or where you are located (e.g. don't use your
last name or street address).
Switch off SSID broadcasting - You can further secure your network by disabling SSID
broadcasting, which will hide your network from outsiders. It would be very difficult for an
outsider to access your network once you have changed your SSID and turned off
broadcasting, as they would have to start guessing the name of your network to access it.
4. Use Supported Browsers:
Encryption is the process of protecting information as it moves from one computer to another so that it is
unreadable to everyone except the receiver. The stronger the level of encryption used by your web
browser, the more difficult it is for unauthorized parties to break the encryption and decipher the message
in transit.
Scotia OnLine is fully tested before supporting new browser versions. When accessing Scotia OnLine, you
are required to use one of our recommended browsers with 128-bit encryption. Find out more about
supported browsers, how to check your encryption level and download the latest version by going to
http://www.scotiabank.com/cda/content/0,1608,CID4357_LIDen,00.html.
Related References:
There are a number of web sites that provide more information on Internet Security and Safe Computing.
The following references are a few you may want to review:
•
•
•
High-Speed Security Issues at Sympatico.ca
Surf Safe at Rogers.Home.com
Microsoft Security - Protect Your PC
Related Software Websites:
•
•
•
•
•
•
McAfee‡
Symantec‡
Zone Alarm
BlackICE
Microsoft Security
Apple Product Security
Related Topics:
Scotia OnLine Security: More about the safeguards in place for Scotia OnLine Financial Services.
Scotiabank Group Privacy Code: More about how Scotiabank is committed to keeping your personal
information confidential and secure.
While Scotiabank believes these safe computing practices and included links provide reasonable but not
absolute protection, the Bank makes no representation or warranty as to their intended use or fitness for
purpose.
1
Norton AntiVirus and Symantec are trademarks of Symantec Corporation
McAfee and McAfee VirsusScan are trademarks of Network Associates, Inc
Windows and Mircrosoft are trademarks of Microsoft Corporation.
Zone Alarm is a trademark of Zone Labs, Inc.
BlackICE is a trademark Internet Security Systems, Inc
General Security Practices
Additional information that will help safe-guard your personal and financial information.
You play a role in protecting the security of your personal information. In addition to following Safe
Computing Practices, here are some other best practices that can help you keep your information secure.
Do
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Stay informed and follow any new security practices that may emerge over time.
Protect your PIN and Passwords: (online, phone, ABM, direct payment, wireless). Keeping your
PIN and passwords secure is the key to keeping your money safe.
Memorize your PIN (Personal Identification Number) and TeleScotia and Scotia OnLine
passwords. Choose PIN/passwords that cannot be guessed by others and do not write them
down.
Be discriminating. Be sure who you're dealing with and don't give out your personal
information freely. Find out why it's needed and how it will be used, and then determine if it's
relevant to provide. Do not give out personal information on the phone, through the mail or
over the Internet unless you have initiated the contact or know with whom you are dealing.
Destroy old and expired bank and credit cards.
Shred documents that contain personal information (i.e., bank statements).
Destroy carbons and receipts that may contain account numbers and/or signatures.
Tear up or shred any pre-approved credit card offers to which you do not respond.
Protect your Social Insurance Number and those of your children and other family members by
not carrying them in you wallet. Keep a list of all your card numbers and ID in a safe place.
Minimize the identification information and number of cards that you carry. Do not carry your
Social Insurance card, passport or birth certificate unless needed that day.
Report lost or stolen cheques, credit or debit cards immediately.
Notify your bank or the police of suspicious activity.
Store cancelled cheques, chequebooks and account statements in a safe place.
Retrieve and review your mail promptly.
Review your credit report at least once every year. Make sure all information is up-to-date and
accurate.
Review your bank account and credit card statements promptly. Know when to expect them
and inquire with the bank/company if you do not receive them when expected (within a
reasonable amount of time).
Sign the back of any new cards (both credit and debit cards) as soon as you get them as well
as activate new credit cards immediately if the feature is offered.
If you use your VISA card online, register for Verified by VISA, a free service that provides an
extra layer of protection and guards against unauthorized use online.
Educate your children about sharing personal information.
Follow Safe Computing Practices.
Don't
•
•
•
•
•
Don't respond to unsolicited emails that request personal information such as your banking
card number, ABM PIN, online/telephone banking passwords, credit card numbers etc.
Do not leave your bank and credit cards unattended and do not let them out of your sight
when making a purchase.
Never leave cards unattended at work (the workplace is a common place for theft).
Don't email confidential information such as account numbers, date of birth, etc.
Do not leave personal information (bank statements) lying around.
Useful Links
•
•
•
•
Canadian Bankers Association
RCMP
Phone Busters
Consumers Measures Committee
Identity Theft
Learn about it and how to protect your identity.
Identity theft is the use of someone’s personal information without their knowledge or consent to commit
a crime such as fraud or theft. Identity theft can start whenever a criminal gets access to someone else’s
information, and it is one of the fastest-growing crimes in Canada.
Protect Yourself and Minimize the Risk
There are important steps you should take to protect your information.
•
•
•
Follow Safe Computing Practices to protect your information online.
Follow General Security Practices to protect your information in other ways.
Learn about how to identify and avoid Phishing Scams.
Know that Scotiabank will never present you with unexpected webpages or send you
unsolicited emails asking for your password, Personal Identification Number (PIN), credit card,
account numbers, etc.
Report any suspicious requests to Scotiabank immediately at 1-800-4-SCOTIA.
Do not respond to unsolicited emails or websites that request personal information.
What to Do If it Happens to You
If you believe that you are a victim of identity theft and you are a Scotiabank customer, please contact
your branch or call 1-800-4-SCOTIA (1-800-472-6842) immediately.
•
•
•
•
•
Contact each financial institution, credit card issuer or other company that provided the
identity thief with unauthorized credit, money, goods or services.
Contact both of Canada’s national credit reporting agencies, Trans Union Canada and Equifax
Canada. Ask each agency to send you a copy of your credit report, and discuss with them
whether you should have a fraud alert placed on your file.
Report the incident to your local police department.
Report the incident to PhoneBusters, a national anti-fraud call centre jointly operated by the
Ontario Provincial Police and the Royal Canadian Mounted Police, which has a mandate to
gather information and intelligence about identity theft, and will provide advice and assistance
to identity theft victims. You can call PhoneBusters toll-free at 1-888-495-8501.
If your government-issued documents were lost or stolen, report them to the responsible
ministry or department and request new documents.
Identity Theft Statement
The Identity Theft Statement is a form that you can use to notify financial institutions, credit card issuers
and other companies that you have become a victim of identity theft. It also allows you to provide
information that may be needed for an investigation of the incident.
Scotiabank and many other Canadian financial institutions accept the Identity Theft Statement. The
statement and instructions are available at the Consumer Measures Committee website
at www.cmcweb.ca.
Phishing Scams
This kind of identity theft scam attempts to persuade its victims to fill out a form with details of their bank
accounts, credit card numbers and other personal information. Learn how not to be a victim.
"Phishing" is the name given to the kind of identity theft that attempts to persuade its victims to fill out an
online form or respond to an email with details of their bank accounts, credit card numbers,
passwords and other personal information. People can be fooled into doing this when they believe that
they are reconfirming information needed by a reputable institution with which they are doing business.
January 26, 2006 Update:
Scotiabank will never send you unsolicited emails asking for confidential information, such as your
password, PIN, credit card and account numbers. We will never ask you to validate or restore your
account access through email.
There are fraudulent emails that appear to have been sent by Canadian banks including Scotiabank.
Please do not respond to emails asking you to verify confidential information by clicking on a link in the
email. The link leads to a modified webpage that looks like a Scotiabank webpage asking customers to
validate personal information such as their bank card number, password and PIN.
Report any suspicious requests to Scotiabank immediately at 1-800-4-SCOTIA.
Do not respond to emails or web sites requesting personal information.
Here are a few other practices that will assist you in avoiding these scams:
Recognition
•
•
•
•
•
•
•
Actions
Be suspicious of any email with urgent requests for personal financial information.
An unexpected web site, web page or email appearing to be from a legitimate company (such
as Scotiabank) may try to entice you to provide your personal information by claiming to verify
security information or account details, possibly to avoid interruption of a service.
Phishers typically include upsetting or exciting (but false) statements in their emails to get
people to react immediately (ie. threatening to discontinue access, or close an account).
They typically ask for information such as usernames, passwords, credit card numbers, social
security numbers, social insurance numbers, etc.
Phisher emails are typically NOT personalized, while valid messages generally are. In addition,
many phisher emails contain spelling and grammatical mistakes.
Ensure that you are on a legitimate web page, examine the name after "https://" or "http://"
and make sure that it is a recognized domain name. For example, the Scotia OnLine Sign-on
page always starts with "www.scotiaonline.scotiabank.com/". Exact spelling is important - any
slightest deviation from this would indicate a suspicious site.
To access Scotia OnLine, always type out the address "www.scotiaonline.scotiabank.com".
•
•
•
•
•
•
Don't use the links in an email to get to any web page, if you suspect the message might not
be authentic.
If you do have a relationship with the company mentioned in the email, call the company on
the telephone, or log onto the website directly by typing in the Web address in your browser.
Avoid filling out forms in email messages that ask for personal financial information.
You should only communicate information such as credit card numbers or account information
via a secure website.
If you are concerned that you may have received a fraudulent email or disclosed confidential
information regarding your Scotiabank account, please contact Scotiabank immediately at
1-800-4-SCOTIA (1-800-472-6842).
Please follow Safe Computing Practices to help protect your information.
Need to Report Online Fraud?
Find out who to contact and other steps you should take to report online fraud.
Online fraud is a type of fraud scheme that uses email and websites that appear to represent trusted
organizations, such as Scotiabank, requesting personal or financial information from you for the purpose
of committing fraud. Here's how you report online fraud.
Who Do I Contact
Call 1-800-4-SCOTIA (1-800-472-6842), press 3 then 1, immediately if you are a Scotiabank
customer and you believe that you have been a victim of online fraud, or you wish to report online fraud
claiming to originate from Scotiabank. You should also contact each financial institution, credit card issuer
or other company where you believe your personal information may have been compromised. Learn how
to spot online fraud, visit Phishing Scams.
Related Websites
Here are some organizations that can provide you with more information, including tips on how to avoid
becoming a victim of online fraud and how to report it.
•
•
•
•
•
•
Phonebusters
Reporting Economic Crime Online
Royal Canadian Mounted Police
Consumer Measures Committee
Canadian Council of Better Business Bureaus
Anti-phishing Working Group