Security Tips and Notices

Security Tips and Notices

Safeguarding your internet banking access

At OCBC, we have implemented measures to safeguard your account information. However, to ensure that your online security and account information are not compromised, we recommend that you adopt the following OCBC Internet Banking security guidelines:

1. Before entering your User ID/User name, Password, Organisation ID, you should always ensure that the website you are visiting belongs to OCBC Bank. This can be verified by the URL displayed in your browser as well as the Bank’s name in its digital certificate. This precaution will ensure that you are not revealing your credentials to a website other than OCBC Bank.

2. To ensure that you enjoy the highest level of security possible, all browsers and application software should be upgraded to support SSL 256-bit encryption or a higher encryption standard with the most updated security features available.

3. It is important to protect yourself against any forms of online theft of your User ID/User name, Password and Organisation ID. Each valid User ID/User name , Password and Organisation ID identifies you uniquely as one of our valued customers. Only authorised users are allowed to log in to our secured Internet Banking website(s).

Important tips on how you can safeguard and protect your account information.

(a) Password should be 8 to 12 characters.

    I.   It must contain at least 2 letters and 2 numerals
   II.  Characters cannot be repeated more than twice
   III. First two characters must be different from your User ID
   IV.  Password and Organisation ID cannot be identical
   V.   Password cannot be identical to the previous 10 passwords that you have used
   VI.  Use both upper and lowercases or mix letters with numbers     
   VII. Example of a password: velocity01#
         Password is case sensitive, for example Velocity01# is a different password from velocity01#

(b) Passwords should not be based on user-id, personal telephone number, birthday or any other personal/organisation information.

(c) Passwords must be kept confidential and not be divulged to anyone.

(d) Passwords must be memorised and not be recorded anywhere.

(e) Passwords must be changed regularly or when there is any suspicion that it has been compromised or impaired.

(f) The same Passwords should not be used for different websites, applications or services, particularly when they relate to different entities.

(g) Please do not select the browser option for storing or retaining user name and password.

(h) Please check the authenticity of the bank's website by comparing the URL and observing the bank's name in its digital certificate or by observing the indicators provided by an extended validation certificate.

(i) Please check that the bank's website address changes from http:// to https:// and a security icon that looks like a lock or key appears when authentication and encryption is expected.

(j) Please do not allow anyone to keep, use or tamper with your 2FA (Two Factor Authentication) security token. Do not leave your security device unattended. Keep it under lock and key when you are not using it

(k) Please do not reveal the OTP (One Time Password) generated by the 2FA token to anyone.

(l)  Please do not divulge the serial number of your 2FA token to anyone.

(m) Please check your bank account balance and transactions frequently and report any discrepancy. OCBC Internet Banking will display your last login date and time, whenever you logon, to help you monitor this.

(n) Please inform the bank immediately on the loss of mobile phones or change in mobile phone numbers.

4. Please install anti-virus, anti-spyware and firewall software in your personal/company computers and mobile devices, particularly when you are linked via broadband connections, digital subscriber lines or cable modems.

5. Please update the operating systems, anti-virus and firewall products with security patches or newer versions on a regular basis.

6. Please remove file and printer sharing in your computers, especially when you have internet access via cable modems, broadband connections or similar set-ups.

7. Make regular backup of critical data.

8. Consider the use of encryption technology to protect highly sensitive data.

9. Log off the online session and turn off the computer when not in use.

10. Do not install software or run programs of unknown origin.

11. Delete junk or chain emails.

12. Do not open email attachments from strangers.

13. Do not disclose personal, financial or credit card information to little known or suspect websites.

14. Do not use a computer or device which cannot be trusted.

15. Do not use public or internet cafe computers to access online banking or perform financial transactions.

16. You are advised not to access Velocity@ocbc using unauthorised operating system or programs, as it poses potential risk of malicious software infection.

17. If you notice any unusual/unauthorised transactions, please change your Password and notify us immediately. It is important that you inform us immediately by calling our Customer Service Hotline at 1300-88 7000.

18. Your usage of Velocity@ocbc is subject at all times to the Accounts and Services and Transaction Banking Services Terms and Conditions. You should therefore read carefully and adhere to the recommended security practices. The Bank is not responsible for any loss or damage in connection to the use of Velocity@ocbc services unless such loss is attributable to our negligence or wilful default.

19. As a user of Velocity@ocbc, you have the right to (1) suspend your Internet Banking Access immediately should you suspect any unusual activity and/or unauthorised access, (2) terminate this service, (3) request for a new set of Velocity@ocbc password and (4) obtain information from the Bank regarding your online transactions.

WARNING: All claims will be investigated and if found to be false, will be rejected. If payment had been made on the claim, it must be refunded to the Bank. All expenses incurred in the investigation and in recovering the payment will be borne by the maker of the false claim. Police report will be lodged against all false claims.

Security policy

We are committed to protecting the security and confidentiality of your personal/organisation information so as to provide you with a safe and secure online environment. Our website uses commercially proven security hardware and software products. These security products include routers, firewalls, intrusion detection systems and secure operating system to safeguard your interest.

Industry standard Secure Socket Layer (SSL) communication protocol is the de facto cryptographic standard that we use for securing data communication between the browser and our website. Digital certificate technology is used to ensure transaction privacy, message integrity and server-side authentication. This also serves as an assurance that the website runs legitimately under the care of OCBC Bank.

All connections must pass through at least one router and one firewall to gain access to the server. The firewall checks for the appropriate source address and restricts unauthorised access to the appropriate server.

Additional technical security features include DigiCert digital certificates, 256-bit encryption, one-way hashing of all user passwords and automatic logoff after 15 minutes.

OCBC's Business Internet Banking – Velocity@ocbc is regularly reviewed and audited by external and internal auditors to ensure that your interest is safeguarded.

Apart from the security measures put in place by the Bank, you play an equally important role in ensuring your online security and account information is not compromised.

You should adopt the following recommended practices in protecting the security of your system:

(a) Do not share your User ID/user name or password with anyone.

(b) Do not display your account information in a manner that is visible to others and your PC should   never be left unattended. For your protection, Velocity@ocbc will automatically terminate your session if there is no activity for a period of time.

(c) Always use the recommended browser. All browsers and application software should be upgraded to support SSL 256-bit encryption.

(d) Always check that our website address changes from http:// to https:// and a security icon, usually in the form of a lock or key, appears when authentication and encryption is expected.

Security tips

Learn more of safeguarding your online banking transactions by simply clicking one of the following:

Security tips on email and other online threats

Security tips on website security certificate warnings


Enquiries and Complaints

If you should encounter any problems or have any enquiries relating to the usage of Velocity@ocbc, specifically on matters concerning but not confined to payments or any transactions initiated through Velocity@ocbc, or suspected fraudulent transactions, kindly contact us at 1300-88-7000 (within Malaysia)/ (603) 8317 5200 (outside Malaysia) from Monday to Friday, 9am to 6pm (excluding public holidays), or send us an email to We will endeavour to reply to your emails within 24 hours on receipt, with the exception of weekends or public holidays which we will respond at the start of the next business day.

Dispute Resolution

We will promptly attend to any claim or dispute which you may have in respect of or arising out of Velocity@ocbc Service.

Contact us via our official channels by:

• approaching the Bank’s branch staff; or
• calling the Bank’s Customer Servicec Hotline 1300-88-7000 (within Malaysia)/ (603) 8317 5200 (outside Malaysia) from Monday to Friday, 9am to 6pm (excluding public holidays); or
• e-mail to; or
• writing to the Bank

Kindly provide the bank with details of your specific complaint/ dispute and any supporting documents to help expedite the investigation.

We will immediately investigate any claim/dispute brought to our attention and will attempt to revert to you within fourteen (14) working days from the date of receipt of notification, or inform you of any further action you can take which will include going to a third party (for complaints requiring investigations conducted by a third party, this may take more than 14 days). Soon thereafter, we will consult you in good faith with a view to reaching a quick and amicable resolution of the matter, satisfactory to both parties.

Alternatively, if you wish to seek the views of the authorities on our handling of a complaint, you can approach the Ombudsman for Financial Services at the following address.

Ombudsman for Financial Services
Level 14, Main Block
Menara Takaful Malaysia
No. 4, Jalan Sultan Sulaiman
50000 Kuala Lumpur

Advisory on Phishing Scam

Although phishing is now widely known, it is not the only online scam that exists. To counter this problem, it is strongly encouraged that you exercise caution, and prudence to protect yourself from such scams. Knowing how some of these work, will equip you with the knowledge to recognize the tell-tale signs of a scam and safeguard yourself against online fraud.

It is important that you regularly read and understand the information and security warning posted in the OCBC's website.

1. Customers are reminded that the bank will not make unsolicited requests for customer sensitive information through e-mail or on phone unless it is the customers who initiated the contact; and making clear that under no circumstances would the institution ask customers to reveal their PINs.

2. Customers are advised to personally enter the domain name of the bank in their browsers when logging onto the bank’s website; customers should not accept links or redirections from other websites or media for the purpose of logging onto the bank’s website.

3. Customers are advised to look for the SSL encrypted connection, indicated as https:// or a padlock, as well as check the institution's name in the website server digital certificate.

4. Customers are advised to be always on the alert for phony websites and suspicious emails (which may contain malicious software) purporting to be from the bank, they should report these immediately by contacting the bank.

How Malicious Software, commonly known as "Malware" Works

• Hackers send phishing (please refer to the next section for more details) emails that may appear to originate from trusted companies. The email may appear to be an invoice or an accounting document. The malicious software could be hidden in the attachments in the email.

• If the attachment is opened/downloaded by the user, the malicious software will be downloaded onto the computer.

• Hackers may also entice victims into clicking on malicious links in the phishing emails to download the malicious software onto their computers.

• Once the malicious software is downloaded, it automatically installs.

• Installed malicious software then searches for files or activity related to online banking, extracting usernames, passwords and two factor authentication to conduct fraudulent money transfers:

• you may receive multiple prompts to login even when you have already entered your login information

• you may be asked to enter all your login information on one page, instead of two. e.g. the fraudulent website will ask for your Organisation ID, User ID, Password and One-Time-Password or Security Code all on a single page. On the legitimate Velocity@ocbc website, the login process is done over two pages:

    • First page: Organisation ID, User ID, Password
    • Second page: One-Time-Password or Security Code

• you may be prompted to enter the One-Time-Password or Security Code from your hardware token even if you did not perform any online transactions from your account.

Other known names of malware include Spyware and Adware. Click here for more information.

What is Phishing?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organisation. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organisations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:

• natural disasters (e.g. Hurricane Katrina, Indonesian tsunami)
• epidemics and health scares (e.g. H1N1)
• economic concerns (e.g., IRS scams)
• major political elections
• holidays

Please stay vigilant and learn how to protect yourself.

Advisory on Phone Scam

Beware of phone calls tricking you to reveal or log in to websites with your banking login credentials to transfer funds. (15 July 2016)

Please stay vigilant and learn how to protect yourself.

Advisory on Business Email Compromise Scam Alert

Beware of email purporting to be from your supplier of senior executive tricking you to transfer payment to a fraudulent bank account (21 July 2016).

Please stay vigilent and learn how to protect yourself

Advisory on Trickbot

Beware of phishing emails sent to your office email. Financial malware resides in these email andd intercepts communications between your browsere and the Bank's website and inject fake screens or pop-ups to lure you into divulging your login credentials to gain unauthorised access to your bank account. Learn how to protect yourself.