This page is automatically translated from Romanian into English.

    BT Responsible Disclosure Policy

    Introduction

    This document contains a set of guidelines for the process of responsible disclosure, which ISO/IEC 29147 defines as a process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability. Additionally, it represents the commitment of Banca Transilvania to ensure the continuous improvement of security practices in order to safeguard our clients' information. This policy is intended to give security researchers guidelines on the assets and types of research that are considered in scope and on the vulnerability reporting process.

    Provided that the security researcher complies with the following set of terms, Banca Transilvania will acknowledge that the vulnerability identification has been conducted in good faith and will not pursue any legal action.

    Guidelines

    • Any testing or research must be performed against permitted systems without affecting the functionality of our services.
    • In accordance with the principle of responsible disclosure, the security researcher should establish communication with the designated point of contact and report any vulnerability that has been discovered.
    • If a vulnerability has been discovered, please refer to the Reporting a vulnerability section in order to find details on how to contact us.
    • Please allow our team a reasonable amount of time to respond to your report.
    • Once a vulnerability has been identified, the researcher should cease any activity that could lead to a compromise or could affect the integrity of Banca Transilvania's services and systems.
    • After a vulnerability has been confirmed, we make a commitment towards fixing the issue within 60 days.

    Scope

    The following assets are covered by this policy:

    • All services within AS34184 and AS34358.

    In-Scope Vulnerabilities

    The following vulnerabilities fall under the scope of this policy:

    • Server Security Misconfiguration - Using Default Credentials, CAPTCHA Implementation Vulnerability, Unsafe File Upload, No Rate Limiting on Form, Misconfigured DNS that leads to High Impact Subdomain Takeover, etc.
    • Broken Authentication and Session Management - Authentication Bypass, Account Takeover, Second Factor Authentication (2FA) Bypass, etc.
    • Sensitive Data Exposure - Disclosure of Secrets for Publicly Accessible Assets, like hardcoded passwords, sensitive data over an unencrypted connection, etc.
    • Server-Side Injection - LFI, RFI, RCE, SQLi, XXE, etc.
    • Cross-Site Scripting - Stored, Reflected, DOM.
    • Denial of Service.

    Out-of-Scope Testing Methods and Vulnerabilities

    The following testing methods (i.e. types of research) and vulnerabilities do not fall under the scope of this policy:

    • Physical testing against Banca Transilvania's Facilities / Property.
    • Phishing (either of an employee or a client/user of Banca Transilvania's services).
    • Email spoofing.
    • Email authentication best practices policies/configurations (DKIM, SPF records, etc.).
    • DDoS.
    • Lack of security headers (Strict-Transport-Security, X-Frame-Options, X-Webkit-CSP etc.).
    • Flaws affecting the users of out-of-date browsers and plugins.
    • A Man-in-the-Middle (MITM) attack proof of concept.
    • Self XSS.
    • Banner grabbing.
    • HTTP trace/options methods enabled.
    • CSRF with minimal impact (login, logout, etc.).
    • Open redirects (POST or header based).
    • Clickjacking or other similar attack methods.
    • Disposable email addresses allowed during registration.
    • Lack of obfuscation.
    • Header injection without a demonstrable impact.
    • Lack of Secure and HTTPOnly cookie flags (critical systems may still be in scope).
    • Static content served over HTTP.
    • Weak password policies.
    • Username and account enumeration.

    Reporting a Vulnerability

    If you have discovered a vulnerability or you have any questions, please contact us at the following email address: cybersec@btrl.ro.

    In order to ensure confidentiality and integrity, please use PGP key 0x6F077A29C359A429 for encrypting the communication. You can find our security.txt file at the following address:

    Security file
    Download

    Confidentiality Obligations

    Confidential information could include, but is not limited to: customer-related information, financial or personally identifiable information, information related to the vulnerable assets.

    The security researcher agrees that they will not disclose any of the above to a third party without Banca Transilvania's agreement. Therefore, any potential vulnerability reports should be treated as confidential information.
