The security of customers’ data is important, and Swift is committed to providing the safest and most reliable way of delivering its services. This section gives guidelines and recommendations for securely accessing services and applications on www.swift.com, aligned with the controls of Swift’s Customer Security Programme (CSP).
1. TLS encryption support
Transport Layer Security (TLS) is the protocol used on the internet today to encrypt the connection between your browser and the server it talks to.
Swift, like standards bodies such as the Payment Card Industry Security Standards Council (PCI SSC) and the National Institute of Standards and Technology (NIST), recommends TLS 1.2 or later, which is supported by all major browsers and Swift products. Earlier protocol versions (SSL 3.0, TLS 1.0 and TLS 1.1) are deprecated and should be disabled.
This is in line with Swift’s Customer Security Programme (CSP) control 2.2, which requires that all software (including operating systems) and hardware (including network devices) be within the vendor’s actively supported product lifecycle window.
If you are using an outdated web browser, or your browser is not configured to use TLS 1.2, Swift recommends upgrading to the latest version of Microsoft Edge or changing your browser settings to enable TLS 1.2 (and disable TLS 1.0 and 1.1).
This applies to browser-based services such as Swift Web Access, Swift Certificate Centre, Alliance Lite2 and Sanctions Screening.
2. Application access control
The swift.com login uses your e-mail address as the username and is protected by two factors: a password and a time-based one-time code.
2.1 Email address and password
Users are identified by their e-mail address and authenticated first with a password. The strength of this protection depends largely on the complexity of the password.
Swift recommends that at least these criteria are met:
- At least 12 characters long
- Combines digits, special characters, uppercase and lowercase letters
- Only used for accessing swift.com services and applications
- Not trivial: no dictionary words or predictable patterns (a long passphrase of several unrelated words is a good alternative)
Changing your password regularly is another good practice; your administrator may mandate it. Complexity counts for little, however, if the password is not kept secret: never share it and never keep a written copy. For recommendations on strengthening your password management, please see the Registration User Guide.
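The criteria above can be checked mechanically, but the character-class rules alone do not capture “not trivial”: a password such as Password2024! satisfies the length and character-class rules and is still a guessable dictionary word with the usual decoration. The following is an added example (not Swift’s own policy code) that applies the listed rules and then strips decoration and common leetspeak substitutions before looking the core up in a word list; the word list is a constructed stand-in for a real dictionary or breached-password set.

```python
import re
import string
from typing import List

# Constructed, deliberately small word list standing in for a real
# dictionary (a production check would load a full wordlist or a
# breached-password set).
COMMON_WORDS = {
    "password", "welcome", "swift", "summer", "winter", "letmein",
    "qwerty", "admin", "banking", "secret",
}

# Common leetspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def check_password(pw: str) -> List[str]:
    """Return the list of criteria the password fails (empty = acceptable)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")

    # "Not trivial": strip the leading/trailing digits and punctuation that
    # people bolt on to a word (Password2024!, !Sw1ft99), undo leetspeak,
    # and look the remaining core up.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    core = core.translate(LEET)
    if core in COMMON_WORDS:
        problems.append(f"based on the common word '{core}'")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("four or more repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password2024!", "P@ssw0rd2024!", "Horse-Battery-Staple-42!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

A multi-word passphrase such as Horse-Battery-Staple-42! passes every rule, while P@ssw0rd2024! is rejected because its core normalises to “password”.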
2.2 Time-based code
The second step consists of providing a one-time code. There are two ways to obtain it: a Time-based One-Time Password (TOTP) generated by an authenticator app installed on your mobile device, or a two-step verification (2SV) code generated by Swift and sent to your device by e-mail, SMS or voice message.
Swift recommends generating the TOTP code directly with an authenticator app installed on your device. It is the most secure option: it is faster and more reliable than delivery over e-mail or the telephony network, and the code never leaves your device. You may use most authenticator applications that support standard TOTP with 8-digit codes. Please see the Registration User Guide for more information on compatible authenticator apps.
Note that the Secure Channel Service on swift.com uses an additional authentication step to secure each transaction that involves sensitive data. Security Officers accessing the service must use their personal secure code card to generate the required passwords.
3. Visit only trusted websites
- Verify the URL of the web page before entering any personal data such as your e-mail address and password.
- Swift always uses a secure (HTTPS) connection to ask for your credentials, and the pages on which it does so are served from "www2.swift.com" or "login.swift.com".
- Verify the certificate on HTTPS websites. In most browsers, click the lock symbol in the address bar to see to whom the certificate was issued and which certificate authority issued it.
4. Use a recent browser
Using a recent browser is the best way to avoid common attacks and keep your account safe. Swift strongly encourages you to update it regularly: a recent browser gives you the latest security features provided by the vendor. Legacy plugins such as Java and Flash are no longer supported by modern browsers and should be removed; keep any remaining extensions updated and uninstall those you do not need.
5. Preventing phishing and social engineering attacks
Phishing is an attempt to obtain your data, such as your user ID and password, with malicious intent. It is the most common form of social engineering. In practice, it often involves asking you to click on a link to a malicious website that imitates the site of a trusted institution. Phishing can also be performed by phone or chat by people pretending to be a trusted party, such as the helpdesk.
The sender address and embedded links in an e-mail can easily be spoofed. For this reason e-mails sent by Swift are generally digitally signed, and as the receiver you must verify the signature.
Swift will never ask you to change your credentials by e-mail, unless you requested a change yourself. To protect yourself against phishing attempts, verify the signature (see tip 5022540 for a step-by-step guide, available once you are registered).
In case our emails contain embedded links, you must check that:
- The URL (hover over the link to see its real destination) starts with one of the addresses below. The host name must be exactly one of these domains, not merely contain one of them:
- https://login.swift.com/
- https://www2.swift.com/
- https://www.swift.com/
- https://go.swift.com/
- https://go.sibos.com/
- https://info.em.swift.com/
- https://info.em.sibos.com
- https://swift-communities.force.com/
- https://*.mailing.swift.com
- After you click and are redirected, one of the above domains is still shown in your browser’s address bar,
- The connection uses HTTPS, and
- The site presents a valid certificate issued to Swift.
Swift uses several systems to send e-mail, each with its own signature and certificate. Messages come from the following addresses:
- noreply.security.notification@swift.com
- noreply.cs.deployment@swift.com
- noreply.interface.changes@swift.com
- noreply@portal.swift.com
- SwiftFunds@swift.com
- shareholding@swift.com
- swiftref.ssi@swift.com
- info@em.swift.com
- newsletter@em.swift.com
- operations@em.swift.com
- events@em.swift.com
- info@em.sibos.com
- newsletter@em.sibos.com
- swift.customer.consultation@swift.com
- *@mailing.swift.com
Each address has its own signature, but all Swift e-mails are signed with certificates issued by the Comodo/Sectigo Certificate Authority (CA). Your e-mail client must be set up to trust the root certificate of that CA and must have internet access in order to download the certificate revocation list (CRL) published by Comodo/Sectigo and/or to perform online certificate status checks (OCSP); without that, the client cannot confirm that the signing certificate has not been revoked.
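The sender and link checks from sections 3 and 5 are mechanical enough to automate, for instance in a mail-gateway rule or a helpdesk triage script. The following added example (not Swift’s code) parses a raw message, compares the real sender address with the list above (honouring the *@mailing.swift.com wildcard), extracts every link from the HTML body and applies the URL rules: HTTPS only, and the host name must be one of the listed domains. It deliberately uses a URL parser rather than a string prefix test, because "https://login.swift.com.example/" and "https://login.swift.com@evil.example/" both start with "https://login.swift.com" and point somewhere else. The two messages at the end are constructed samples using reserved .example domains. It does not verify the S/MIME signature, which needs the CA chain in your e-mail client’s trust store.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit

# Link hosts from the page. An entry starting with "." matches any subdomain
# and stands in for the "*." wildcard (so "*.mailing.swift.com" becomes
# ".mailing.swift.com").
ALLOWED_LINK_HOSTS = {
    "login.swift.com", "www2.swift.com", "www.swift.com", "go.swift.com",
    "go.sibos.com", "info.em.swift.com", "info.em.sibos.com",
    "swift-communities.force.com", ".mailing.swift.com",
}
# Sender addresses from the page, lower-cased for comparison.
ALLOWED_SENDERS = {
    "noreply.security.notification@swift.com", "noreply.cs.deployment@swift.com",
    "noreply.interface.changes@swift.com", "noreply@portal.swift.com",
    "swiftfunds@swift.com", "shareholding@swift.com", "swiftref.ssi@swift.com",
    "info@em.swift.com", "newsletter@em.swift.com", "operations@em.swift.com",
    "events@em.swift.com", "info@em.sibos.com", "newsletter@em.sibos.com",
    "swift.customer.consultation@swift.com", "*@mailing.swift.com",
}


def host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or (h.startswith(".") and host.endswith(h))
               for h in ALLOWED_LINK_HOSTS)


def link_allowed(url: str) -> bool:
    """HTTPS and an exact host match. urlsplit().hostname drops user-info
    before '@' and treats 'login.swift.com.example' as one host name."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and bool(parts.hostname) \
        and host_allowed(parts.hostname)


def sender_allowed(header_value: str) -> bool:
    """Checks the real address, not the display name ("Swift Security")."""
    addr = email.utils.parseaddr(str(header_value))[1].lower()
    if addr in ALLOWED_SENDERS:
        return True
    local, _, domain = addr.rpartition("@")
    return bool(local) and f"*@{domain}" in ALLOWED_SENDERS


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs so the text the user sees can be
    compared with the real target, as the mouse-over advice describes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_message(raw: str) -> List[str]:
    """Return findings for a raw RFC 5322 message (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if not sender_allowed(msg["From"] or ""):
        findings.append(f"unexpected sender: {msg['From']}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for text, href in collector.links:
            if not link_allowed(href):
                findings.append(f"suspicious link: '{text}' -> {href}")
    return findings


# Constructed samples (not real Swift mail); .example is a reserved TLD.
SAMPLE_PHISH = """\
From: "Swift Security" <noreply.security.notification@swift.com.example>
To: user@bank.example
Subject: Action required: confirm your credentials
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today.
<a href="https://login.swift.com.example/reset">https://login.swift.com/</a></p></body></html>
"""
SAMPLE_CLEAN = """\
From: info@em.swift.com
To: user@bank.example
Subject: Newsletter
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.swift.com/news">Read more</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, "->", audit_message(raw) or "no findings")
```

The phishing sample is flagged twice: the display name says "Swift Security" but the address is on swift.com.example, and the link text shows https://login.swift.com/ while the href goes to a look-alike host. A plain `startswith("https://login.swift.com")` test would have accepted that href.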
Please refer to your IT/Helpdesk for the setup. If you still face issues after these steps, please contact Customer Support.