@captn3m0
Created July 1, 2025 07:24
HDFC Secure NetBanking Usage Guidelines
  • Avoid accessing NetBanking from shared computer networks such as cyber cafes or public Wi-Fi networks like hotels/airports, etc.
  • Do not click on links in the emails or sites other than www.hdfcbank.com to access your NetBanking webpage.
  • Don’t write your passwords anywhere or share your computer with unknown sources.
  • Do not disclose your passwords, OTPs, Debit Card Number, CVV etc to anyone (including Bank Staff).
  • Don’t respond to emails that request personal information.
  • Do not choose passwords that are easy to guess like your date of birth, spouse’s name etc.
  • Never download an attachment if it is not from a trusted source.
  • Don’t leave your account unattended after logging in.
  • Keep your Customer ID and IPIN confidential and do not disclose it to anybody, including Bank staff.
  • Always visit the HDFC Bank's NetBanking site through HDFC Bank's home page by typing the bank's website address (www.hdfcbank.com) on to the browser's address bar. Check the URL as https://netbanking.hdfcbank.com to verify the Bank’s NetBanking page and the PAD Lock symbol at the top left of the browser.
  • Disable the "Auto Complete" feature on your browser.
  • Use a virtual keyboard feature while logging into your NetBanking account.
  • Always type in your confidential account information. Do not copy paste it.
  • Monitor your transactions regularly. Use HDFC Bank's "InstaAlerts" service and bring any fraudulent transaction to the notice of the bank.
  • Always logout when you exit NetBanking. Do not directly close the browser.
  • Change your IPIN as soon as you receive it by logging into your NetBanking account. Memorize your IPIN, do not write it down anywhere.
  • Ensure your computer has a firewall and the latest version of anti-virus software installed.
  • Keep changing your IPIN regularly.
  • On the bank’s website, check for a valid SSL security certificate (https). The “S” added to http represents a secure website.
  • Check your account statements periodically to ensure that all entries are correctly captured. In case of any discrepancy, inform the Bank immediately.
captn3m0 commented Jul 1, 2025

The state of financial cybersecurity awareness in India:

  1. "public wifi networks" are safe, and should not be clubbed with "cyber cafes"

  2. HDFC regularly sends links using hdfcbk.io, which is an official but unacknowledged domain

  3. "Don’t respond to emails that request personal information." is debunked by the HDFC team regularly asking for KYC documents over WhatsApp

  4. "Never download an attachment if it is not from a trusted source." is blaming the victim.

  5. "Check the URL as https://netbanking.hdfcbank.com/" is actually a message that pops up on the new website, which is now.hdfcbank.com

  6. Auto-complete disabling is a bad idea

  7. Virtual Keyboard is security theater

  8. "Type in your confidential account information" does not define confidential account information, and why it is considered confidential

  9. "bring any fraudulent transaction to the notice of the bank." The "how" needs to be defined

  10. "Keep changing your IPIN regularly." utterly pointless security theater

  11. "check for a valid SSL security certificate" Your browser will give you a warning. Teach people to use that warning instead of checking the padlock.

"Don’t leave your account unattended after logging in." is actually good, but is lost in the sea of useless information
