Security recommendations

BBVA takes all measures to ensure secure online banking transactions by means of a Secure Password system.

Your access password for BBVA Net is a private password that must be kept safe. They are stored in our internal systems using non-reversible encryption, so that nobody at BBVA can find out what they are.

BBVA will never request your BBVA Net credentials or any other personal or banking details by email or SMS. If you receive a message of this type, please do not provide any information through these channels.

Web browsers offer the option of saving usernames and passwords of websites that require these. BBVA recommends that you never save your passwords to our Remote Banking service in a computer or a tablet. These devices can be the target of cyber attacks and your passwords may be exposed.

• Use complex passwords that are difficult to guess, containing upper and lower case letters and interspersed numbers and symbols.
• The passwords are secret, do not share them with anyone and change them periodically.
  
• Don't write your password in post-its or notebooks; memorize it or use specialist password managers.
• In shared computers or computers connected to public Wi-Fi networks, do not enter your login passwords or personal details, such as your address, phone number, etc.
• If you receive an SMS to confirm a transaction that you have not made, please contact BBVA Belgium to report that a transaction is being made without your consent.

• Avoid using personal data that can be easily found out for your secret number, such as your birth date or your registration number, and do not share it with anyone.
• When you make an online purchase, make sure the website starts with https (and not http), includes a closed padlock on the navigation bar and displays in a visible place information about the company,, its shipping and returns policy and its policy of cookies.
  
• Be wary of online stores with offers that seem too good to be true (-70%, -80%). Also, look out for spelling mistakes or low quality images.

Some of the most common computer viruses and threats to cybersecurity are:

• Phishing. Phishing is a cybercrime in which a target is contacted by email by someone posing as a legitimate institution to trick individuals into providing sensitive data such as personal or banking information. The recipient of the email is asked to click on a link in the email and, once in the false page, enter the requested information.
• Ransomware. Ransomware typically spreads through phishing emails with links that install infected programs or download infected files. This virus prevents users from accessing their system or personal files and demands ransom payment in order to regain access.
• Trojans. Once inside your computer, a Trojan horse downloads malware to your computer and can enable cyber-criminals to spy on you and steal your sensitive data.

• Operating systems and applications must always be updated.
• It is important to install a firewall and an antivirus and keep them updated.
• Be wary of urgent emails informing you that your account has been suspended and you must reactivate it, or an error has occurred on starting the session or emails requesting you to confirm or update information on your account, and other such requests. These mails are frauds. Remember that BBVA never sends emails or SMSs asking for your confidential personal or financial information.
• Don’t download files on your computer with .exe, .bat, .rar, .zip or .ini extensions if you don’t trust the sender.
• Don’t connect any external device to your devices from an unknown sender, such as flash drives or hard drives.
• Only download applications from official stores, such as Play Store and Apple Store. You should also check the permissions you give to each of these.
• In shared computers or computers connected to public Wi-Fi networks, do not use pages that require you to enter your username and password and do not provide personal details.
  

The service

1. User administration:

BBVA Net Cash is a multi-user application. It has multiple user profiles that the company can allocate to its staff according to its operational structure.

A specific administrator profile specifies and administers the company users of BBVA Net Cash. There may be one or various administrators with different degrees of delegation (without powers or with joint and several or joint powers). Every user is allocated a profile that is defined with the most possible detail.

To authorize transactions, the options are:

• No powers: not able to authorize transactions.
• Authorized rep.: may be joint and several or joint.
• Auditor: can block even signed-off orders until authorization is obtained.

This structure allows a group of users as restrictive as the company wishes, in order to guarantee at all times that:

• They each access only the services and accounts determined by the administrator.
• Only the consultations and transactions authorized by the administrator can be made.
• They may or may not have powers to authorize transactions.
• There is a monetary limit according to transaction and account, as defined by the administrator.
• Only the administrator may see, in addition to their own profile, the list of users in their organization, their profiles, access to services and their allocated powers.

2. Monitoring of activities:

Users can monitor the entity's transactions in BBVA Net Cash through:

• The “Statistics” unit (signatures and files: Statistics): view transactions in a given period.
• “Audit orders” (Signatures and files: Signature and follow-up of files): monitoring of the operations of each user of the entity.
• “Audit users” (Administration: Audit): shows the actions of each administrator within a group of users.

3. User credentials:

BBVA Net Cash has a two-step security process, which essentially consists of a token to validate on the group of users and sign off transactions. The system will ask you to enter a six-digit (single use) security code generated by the device. The token can be physical or installed on your cell phone (by downloading the BBVA Net Cash app).

• Although the passwords do not expire, we recommend that you change them every month.
• The password must be 8 alphanumeric characters, to make it harder to crack.
• Passwords are stored through irreversible encryption in specialist user and identity management systems, so that they cannot be obtained or determined.

The password must be changed upon the first access: to prevent user impersonation, when you first connect to BBVA Net Cash you must change your password.

Block user:

• Failure to correctly enter the user credentials or activation code five consecutive times will block the user on BBVA Net Cash, and will require BBVA to generate a new activation code.
• If the password is entered incorrectly three times, the user will be blocked.
• If the security code generated by the security device is incorrectly entered five times consecutively, the user will be blocked from BBVA Net Cash.
• The user administrator has autonomy to block users from their entity, so if an employee leaves, their access is immediately revoked.

4. Identification and authentication:

Traceability of transactions: accesses and completed transactions are recorded in automated transaction records that collect the completed transaction, the date and time thereof and the user that executed it, to determine the validity of the recorded transactions.

Information on the last connection:

• When the user logs in for the first time, BBVA Net Cash will inform them.
• On successive accesses, BBVA Net Cash will show the user the date and time of their last connection.

Cookies active only while you are logged in: cookies located in the user's operating system, which are necessary to safely browse any website, are active only while the user is connected to BBVA Net Cash and are deleted when the user logs off.

Automatic timeout: as an additional security measure, after 10 minutes of inactivity in BBVA Net Cash, the user's session is ended and they are logged off the system.

5. Compliance with national and international rules:

In all its services, BBVA complies with the rules and regulations of the countries in which it operates. BBVA's commitment to those regulations is contained in the Code of Conduct, which is mandatory for all employees.

Technology

1. Confidentiality and integrity

Of all user credentials:

• All user passwords are encrypted and stored on specialist user and identity management systems, making it impossible to obtain or guess them.
• BBVA's operational procedures do not require anyone at the bank to have customers' passwords, meaning that no one knows them or will ask for them.

of communications:

• BBVA transaction and remote banking services communications are encrypted using SSL protocol to secure the confidentiality and integrity of online communications.
• The certificates used by BBVA to provide this service are generated by Verisign Inc.
• In addition, sensitive communications in BBVA's internal networks are appropriately protected according to the operative environment and protocol used.

Of information:

• The information stored in systems and internal databases is protected by various security systems, and access is permitted only to authorized employees.
• BBVA has an automated management system of information access privileges that guarantees controlled access that is restricted to authorized personnel.

2. Physical security of Data Processing Centers

BBVA's Data Processing Centers are equipped with broad physical security measures to protect data processing systems, including but not limited to the following:

• CPD Tier IV Gold on operational sustainability.
• Individual monitoring of entry to the site and different technical rooms, with hazard detection systems.
• 24/7 physical surveillance guards and closed-circuit television on the perimeter and inside the facilities.
• Specific detection and protection systems for intruders, fire, flood, power cuts and other disasters.

By having two fully operational Data Processing Centers, BBVA guarantees information safeguarding and recovery should it ever be necessary.

3. Security architecture:

In order to ensure maximum security in the design of its systems, BBVA has established specific security architecture especially for systems offering online services to its customers.

Specifically, and to minimize online exposure, it maintains exposure only to the presentation layer (performing user authentication functions, authorization of access to web applications and secure monitoring of sessions) through reverse proxy.

4. Specific protection systems:

Continually updated firewalls and antivirus and anti-intruder systems:

• BBVA separates is networks and systems using multiple levels of firewalls.
• In addition, BBVA's internal systems are permanently protected by anti-malware and intruder detection systems.
• Both types of systems are managed 24/7 and are permanently updated, to offer permanent protection from new threats.
• All monitoring, alert and security response systems to potential fraud are monitored and overseen by a team of specialists working 24/7/365 in the Data Processing Center.

Activity log of all components: BBVA has logs in all remote banking systems and applications for all critical components, which provide support to phishing detection services and forensic analysis of suspicious or reported fraudulent activities or transactions.

Regular service review, applying the latest attack techniques: systems supporting remote banking services are regularly reviewed using vulnerability analysis tools.

Internal and external audit: BBVA systems and processes are subject to regular security audits by the independent audit department and by specific external auditors and financial or compliance audit firms.

Protection of your user credentials

• Use complex passwords that are difficult to guess, containing upper and lower case letters and interspersed numbers.
• Do not share your password with anyone. Passwords are secret and only the owner must know them.
• Don't write down your passwords on post-its or notebooks; memorize it or use specialist password managers. You can find free such programs at www.osi.es.
• Deactivate the option to save the password on your web browser. It is safer to enter it every time you log in.
• Change your passwords regularly. If you suspect that someone has been able to ascertain your password, you must change it as soon as possible.
• Do not use the same password for multiple services (email, evernote, other banks, etc.).
• Your physical security device is personal and non-transferable.
• If you receive a message asking for your password, do not provide any information and immediately contact BBVA Net cash's customer service department.

Protecting your computer

• Keep your operating system and the version of your web browser up to date with the corresponding patches, to protect it from possible gaps or errors.
• Configure your computer and all your programs with the highest levels of security.
• Install a firewall or firewalls and keep them activated and up to date.
• Install anti-malware programs and keep them activated and up to date. Check documents you receive before opening them with your antivirus.
• Regularly back up your files.
• Avoid downloads from unknown websites, as they may contain viruses or spyware.
• Do not connect any external device to your device of doubtful origin, such as memory sticks, hard disks and cell phones.
• Regularly clean cookies and temporary files from your computer.
• Download programs and applications only from official sites.
• Set an unlock pattern on your cell phones and tablets, so they cannot be accessed by a third party.

Secure internet access and browsing practices

• When using shared computers or connecting to public Wi-Fi networks, do not visit websites that require you to use your username and password. Likewise, do not enter personal details such as address, telephone number, etc.
• Avoid connecting to pages with private content from public computers.
• If you have to enter your credentials, check that the server address (URL) starts with https, which means that you are accessing a secure server.
• A closed padlock (rather than an open one for a non-secure server) on the right or on the left of the address (URL) is another sign that the server is secure.
• Check the security certificates of the page by clicking on the padlock icon that appears when entering a secure site, or the certificate from the navigation bar, and check that it has not expired and that the domain certificate is in force. The detailed information shows the issuer (Verisign), the validity period and for whom it has issued the certificate (BBVA).
• Do not choose the “autocomplete passwords” option on your web browser. If it is activated, the passwords that you enter on the website are stored on the computer and, when you enter your username, the password field is automatically filled in. Checking this option on a shared computer could mean that someone else uses your passwords.
• Check the date and time of the last login.
• To securely end your BBVA Net Cash session, click “Sign out” in the top right corner.

Computer viruses are programs whose sole purpose is to install themselves on a user's computer without their permission or knowledge. There are several types of virus, but they usually all have this in common: they propagate and spread in the same computer and through the network.

It is easy to unknowingly contribute to spreading of viruses, by forwarding emails with infected attached files. All users must work togetherand the Internet to prevent it from spreading.

There are several types of virus, including:

Phishing:

The sending of an email that impersonates a very well-known organization and asks the user for information (address, bank details, passwords, etc.). For the user to give the information, they are often asked to click a link in the email and, once they are on the fake website, enter the requested information.

It basically works as follows:

1. Spam is sent out informing BBVA Net Cash users that they need to confirm their login details.

2. The message includes a link to a page from which to confirm their information. Sometimes, the link starts a download of malware.

3. The user clicks on the link that takes them to a “similar" page to the authentic BBVA Net Cash page, and they confidently enter their information.

4. As the page is false and controlled by the fraudsters, they are the ones who actually receive the user's information, and thus have access to the user's account.

Although BBVA will never ask you for your BBVA Net Cash log in by email, here are some tricks to help you to catch this kind of attack:

- Sometimes, the logo is distorted or stretched. They usually also include spelling mistakes or odd expressions.

- They address you as "dear customer” or “dear user” rather than your actual name.

- They warn you that your online banking account/service will be closed unless you reconfirm your login details immediately.

- The tone of the email is threatening.

- The text refers to “security commitments” or “security threats” and requires immediate action.

- The URL is not https:// and the security padlock does not appear in the browser box. False links include this kind of icon within the window to deceive you.

Ransomware:

It is a lucrative kind of tech crime. They are usually disguised as “package delivery services” or any other credible excuse, and are spread by email with links that install infected programs or download infected files. This virus blocks access to your computer's files and demands a ransom which once paid is supposed to provide a password to unlock them.

Below is a series of tips to protect yourself from ransomware:

• Do not follow links or download files attached to emails that you think are suspicious.
• Use only legal software and keep it permanently updated.
• Install antivirus software and keep it up to date.
• Back up files regularly. If your system becomes affected by a virus, you will be able to recover the information without having to pay a ransom.

Trojans:

They enter a personal computer and conceal themselves in a program. They transform the computer's behavior so that everything that it does can be seen on the criminal's computer. To prevent your computer from being infected by a Trojan, follow the same instructions as above for ransomware:

• Do not follow links or download files attached to emails that you think are suspicious.
• Use only legal software and keep it permanently updated.
• Install antivirus software and keep it up to date.

Hoaxes:

These are emails containing false gossip for the sole purpose of circulating and propagating low quality information online.

In general, they are not too harmful and are easy to delete.

To prevent these attacks, follow our recommendations and inform us of any suspicious situation or communication:

As soon as you inform us, BBVA Net Cash's customer service will launch its anti-fraud protocol: a group of specialists will be allocated to your case.

If your suspicions are confirmed, you are advised to:

• Format your hard disk.
• Installing up-to-date anti-malware.
• Keep your software up to date.

In all confirmed cases, the login password of the affected user will be changed.

Protection of your user credentials

• Use complex passwords that are difficult to guess, containing upper and lower case letters and interspersed numbers.
• Do not share your password with anyone. Passwords are secret and only the owner must know them.
• Don't write down your passwords on post-its or notebooks; memorize it or use specialist password managers. You can find free such programs at www.osi.es.
• Deactivate the option to save the password on your web browser. It is safer to enter it every time you log in.
• Change your passwords regularly. If you suspect that someone has been able to ascertain your password, you must change it as soon as possible.
• Do not use the same password for multiple services (email, evernote, other banks, etc.).
• Your physical security device is personal and non-transferable.
• If you receive a message asking for your password, do not provide any information and immediately contact BBVA Net cash's customer service department.

Protecting your computer

• Keep your operating system and the version of your web browser up to date with the corresponding patches, to protect it from possible gaps or errors.
• Configure your computer and all your programs with the highest levels of security.
• Install a firewall or firewalls and keep them activated and up to date.
• Install anti-malware programs and keep them activated and up to date. Check documents you receive before opening them with your antivirus.
• Regularly back up your files.
• Avoid downloads from unknown websites, as they may contain viruses or spyware.
• Do not connect any external device to your device of doubtful origin, such as memory sticks, hard disks and cell phones.
• Regularly clean cookies and temporary files from your computer.
• Download programs and applications only from official sites.
• Set an unlock pattern on your cell phones and tablets, so they cannot be accessed by a third party.

Secure internet access and browsing practices

• When using shared computers or connecting to public Wi-Fi networks, do not visit websites that require you to use your username and password. Also, do not provide your personal details such as address, telephone number, etc.
• Avoid connecting to pages with private content from public computers.
• If you have to enter your credentials, check that the server address (URL) starts with https, which means that you are accessing a secure server.
• A closed padlock (rather than an open one for a non-secure server) on the right or on the left of the address (URL) is another sign that the server is secure.
• Check the security certificates of the page by clicking on the padlock icon that appears when entering a secure site, or the certificate from the navigation bar, and check that it has not expired and that the domain certificate is in force. The detailed information shows the issuer (Verisign), the validity period and for whom it has issued the certificate (BBVA).
• Do not choose the “autocomplete passwords” option on your web browser. If it is activated, the passwords that you enter on the website are stored on the computer and, when you enter your username, the password field is automatically filled in. Checking this option on a shared computer could mean that someone else uses your passwords.
• Check the date and time of the last login.
• To securely end your BBVA Net Cash session, click “Sign out” in the top right corner.