Hub Security

Keeping customer information secure is very important to Virgin Money. When you use the Hub you can be confident that we employ the highest level of security to protect your accounts and personal information.

Recently there has been significant activity surrounding the theft of Customer Access Numbers (CAN) and Personal Access Codes (PAC) from customers of other financial institutions. Here are some ways to prevent this from happening to you:

  • About our online security
  • Using the Virgin Money Token
  • How to be sure you are dealing with us
  • Protecting your Personal Access Code
  • How to protect yourself
  • Security and industry related specialists
  • Hoax emails

You are responsible for reading and abiding by our Virgin Money Hub Account Terms and Conditions. For more information, please refer to our Terms and Conditions page.

If you have any other questions about the Hub, please contact our Customer Care Team on 13 81 51, or send us an email.

About our online security

Your online security is important to us. The Hub uses a robust solution to protect your information.  Some of the security measures we have implemented include:

  • All transactions through the Hub are encrypted using 128-bit SSL encryption. This protects your Personal Access Code and all sensitive information from being accessed by an unauthorised person. Large session keys are changed constantly.
  • Introduction of the Virgin Money Token for customers with a daily Pay Anyone limit of $10,000 or greater.  This works by generating a password that continually changes – this ensures maximum protection for your Hub transactions.
  • Authentication and sessions are managed from the Lender’s systems.
  • Personal Access Codes are required to be complex to minimise the chance of their being compromised.  If multiple 'guessing' attempts are detected, access to the Hub will automatically lock to prevent unauthorised access.
  • The computer network is protected by multiple firewalls of different types and all systems are regularly maintained, audited and scrutinised to actively prevent any unauthorised access from the Internet.  Host and network based intrusion detection systems are employed.
  • All Hub sessions have an automatic time out feature to protect your privacy.

Using the Virgin Money Token

Protecting the integrity of our customers’ financial information is our top priority. As such, we provide a superior level of online security by way of the Virgin Money Token.

The Virgin Money Token provides what is known as two-factor authentication.  Either a physical token or a soft token application on your smartphone, together with a remembered identifier (e.g. a Personal Access Code [PAC]), will be required to authenticate some online transactions.  This means that even if another person obtains your Customer Access Number (CAN), UserID (if applicable) and PAC, they will need the Virgin Money Token to be able to make a payment.

Not all transactions need a Virgin Money Token

A Virgin Money Token will not be required for the purposes of logging in to the Hub, rather it will be used to authenticate certain transactions where you are transferring funds to a non-Virgin Money account.  You will be able to check your account balances and move funds between your own accounts without being required to use your Virgin Money Token.

Not all value transactions* will require the use of the Virgin Money Token.  The Virgin Money Token is only required if you have selected a Daily Limits package with a Pay Anyone limit of $10,000 or more. 

The available limit packages are outlined in the table below:

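| Pay Anyone daily limit | Authentication method  | BPAY daily limit |
|------------------------|------------------------|------------------|
| $0                     | -                      | $0               |
| $2,500                 | -                      | $10,000          |
| $5,000                 | -                      | $20,000          |
| $10,500                | Token - Application #1 | $50,000          |
| $15,000                | Token - Application #1 | $100,000         |
| $25,000                | Token - Application #1 | $200,000         |
| $10,000,000            | Token - Application #2 | $10,000,000      |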

*Value transactions - any transaction where an amount greater than zero is transferred from a nominated account.

Note: Where you decrease your daily limit to a limit which does not require the use of the Virgin Money Token it will be necessary to authenticate the request by entering a One Time Password generated by 'Application #1' from your Virgin Money Token.

Using the Virgin Money Token

When completing transactions, the Hub may prompt you to initiate one of two types of security application using the Virgin Money Token:

  • Token Application #1 (One Time Password) – this issues a unique 8 digit authentication code which customers will enter into the Hub when prompted.
  • Token Application #2 (Transaction Signing) – customers will be required to enter information about their transaction into the Virgin Money Token.  This will be used by the Virgin Money Token to generate an authentication code uniquely tied to that transaction, which customers will then enter into the Hub when prompted.

How the Virgin Money Token works

The Virgin Money Token works by generating a passcode that continually changes.  Based on information registered with the Lender's central Token Management System when your Virgin Money Token is assigned to you, it is possible to match these passcodes with your Hub profile when you transact online. 

The Virgin Money Token can be used with any computer and no special software is required.
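
The two token applications and the server-side matching described above can be illustrated with the following added example, which is not Virgin Money's or the token vendor's code. The page does not state the token's algorithm, so the example assumes an RFC 6238 style time-based code for Application #1 and an HMAC over the payee and amount for Application #2; the seed, 30-second step, drift window and payee strings are hypothetical.

```python
import hashlib
import hmac
import struct

DIGITS = 8       # the page states Application #1 issues an 8 digit code
TIME_STEP = 30   # assumed seconds per code; not stated on the page


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC to DIGITS decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def one_time_password(seed: bytes, now: int) -> str:
    """Application #1 analogue: depends only on the seed and the time."""
    counter = struct.pack(">Q", now // TIME_STEP)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest())


def transaction_code(seed: bytes, now: int, payee: str, cents: int) -> str:
    """Application #2 analogue: payee and amount are mixed into the MAC."""
    msg = struct.pack(">Q", now // TIME_STEP) + f"{payee}|{cents}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


def _within_drift(compute, now: int, submitted: str, drift_steps: int) -> bool:
    """Recompute for neighbouring time steps and compare in constant time."""
    return any(
        hmac.compare_digest(compute(now + d * TIME_STEP), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )


def server_accepts_otp(seed, now, submitted, drift_steps=1) -> bool:
    """Server side: match the code against the seed registered for the user."""
    return _within_drift(lambda t: one_time_password(seed, t),
                         now, submitted, drift_steps)


def server_accepts_transaction(seed, now, payee, cents, submitted,
                               drift_steps=1) -> bool:
    """Server recomputes over the transaction it is about to execute."""
    return _within_drift(lambda t: transaction_code(seed, t, payee, cents),
                         now, submitted, drift_steps)


def demo() -> dict:
    seed = b"constructed-demo-seed"   # constructed value, not a real seed
    now = 1_700_000_000               # constructed timestamp
    code = transaction_code(seed, now, "payee-A", 1_500_000)
    return {
        "as_entered": server_accepts_transaction(seed, now, "payee-A", 1_500_000, code),
        "payee_altered": server_accepts_transaction(seed, now, "payee-B", 1_500_000, code),
        "amount_altered": server_accepts_transaction(seed, now, "payee-A", 9_900_000, code),
    }


if __name__ == "__main__":
    print(demo())
```

A plain one-time password is valid for whatever payment is submitted while it is fresh, whereas the transaction code only verifies for the payee and amount that were keyed into the token.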

How to be sure you are dealing with us

Please follow this advice to be sure you are always dealing with us:

  • always access the Hub by typing or into your web browser, never by following a link. 
  • always ignore any email or other communication to the contrary. 
  • we will never contact you with an invitation to visit our website or ask you to disclose your CAN and PAC. 

There have been cases where hackers have sent communications to customers that appear real, even carrying the logo of the financial institution but are actually forged. By doing this the hackers trick customers into disclosing their CAN and PAC details. 

To be certain you are dealing with Virgin Money double-click on the padlock displayed at the bottom of your browser window and a certificate (refer to the example below) will be displayed. When viewing our certificate always ensure that:

  • it has been 'issued to'
  • the 'issued by' section refers to Entrust Certification Authority
  • the date specified is within a valid date range

This shows that you are dealing with Virgin Money and that your CAN and PAC will be secure as they cross the Internet. If the certificate details differ from this, do not log in, as you may not be connecting directly to the Virgin Money website. If you encounter this problem, please contact us immediately. 

Extended Validation Certificates

Extended Validation SSL Certificates are an enhanced type of SSL Certificate which allows Internet users to clearly identify and prove the legitimacy of the secure websites they connect to.

When you log on to the Hub you may notice that the web address (URL) bar will turn green. This is to signify that our Hub is a genuine and secure site. If customers accidentally navigate to a known fraudulent website the web address bar will turn red.  This feature helps to prevent customers falling for phishing attacks.

If you encounter any problems please ensure you are using the latest browser with all updates applied and that your operating system also has the latest updates.

Hints on choosing a Personal Access Code (PAC)

Follow the steps below to create a Personal Access Code (PAC) that is both secure and easy to remember:

  • Pick a short phrase or line from a song you can remember easily (e.g. three blind mice).
  • Take the first letter of each word – 'three blind mice' becomes 'tbm'
  • Now choose a number you can easily remember.  Make sure it isn’t your age, birthday, street or telephone number or any other number that could easily be guessed by someone else.  For example, the date your first car was manufactured, let’s say 1976.
  • Combine the letters and numbers – 'tbm1976'
  • Now add a special character that you can remember, say for example, a ‘$’ sign.

Now the Personal Access Code you have created is 'tbm1976$', which is unlikely to ever be guessed by anyone.

Protecting your Personal Access Code (PAC)

There are things you can do to protect your Personal Access Code.

  • Your Personal Access Code is like a PIN.  It should always remain confidential. Never reveal this code to anyone. Also, you should never write your Personal Access Code down anywhere.
  • Avoid choosing Personal Access Codes that contain words that can be found in a dictionary of any kind – this will make it harder for anyone to guess your Personal Access Code.
  • Do not choose a Personal Access Code that is based on your date of birth or an alphabetical code that is a recognisable part of your name.
  • Change your Personal Access Code regularly – once a month is ideal.  After you’ve changed your Personal Access Code try to use it again on the same day. This will  help you remember the new code.
  • When you select a new Personal Access Code, don’t choose one that is similar to your old Personal Access Code.  For example, if you chose 'tbm1976$' for your first Personal Access Code, it would not be a good idea to simply add ‘one’ to the number – eg 'tbm1977$'.  It is best to start over and choose new letters, numbers and special characters.

How to protect yourself

You play an important role in protecting your online information. 

Online fraudsters attempt to take advantage of customers with poor security on their computers.  For example, software downloaded from the Internet or received via attachments to emails can contain malware that could compromise the security of your computer.  Even browsing certain websites could lead to a compromise of your computer's security.  Hoax emails have also circulated the Internet during recent times, enticing customers to disclose personal details at fake websites.

When you type your Customer Access Number (CAN), UserID (if applicable) and Personal Access Code (PAC) into the Hub log in screen, your computer 'encrypts' and sends this information to us via a secure connection.  If your own computer is not protected, it is possible that a hacker could gain control of it and watch everything you type or save on your hard disk, without it being encrypted.  It is critical that you take steps to protect yourself and your computer.

Below are steps you can personally take to help ensure you are protected online:

Possible malware infection signs

If your computer has been infected it may act in an unusual manner.  Below is a list of examples:

  • unusual icons appearing on your desktop or start menu
  • extra toolbars
  • programmes locking up frequently
  • your homepage may change
  • random and/or unusual dialling on your modem

These and other unusual occurrences may mean your online security has been compromised by something that’s been downloaded to your machine.   We recommend that you perform virus and spyware checking - and please do ensure your anti-virus and spyware software has been updated with the latest definitions - contact your computer vendor if you are unsure.

In some cases, however, the presence of malware may not be so obvious - e.g. keyboard loggers or other spyware programs which are designed to be unobtrusive or covert.

Anti-virus software

You can help protect your computer from viruses that could damage your computer or your programmes by installing anti-virus software.  To maximise your protection, check that your anti-virus software also includes functionality to detect all the latest threats such as worms and trojan horses.  Ask your vendor if you are unsure.

Ensure the anti-virus software is regularly updated – ideally weekly at a minimum, although daily updates are best.  In most cases these programs can be configured to automatically perform this task.  Regularly perform a full system scan on your computer - again most anti-virus programs provide a function which can run this type of scan automatically.  If you have not used your computer for more than a few days, it is a good idea to allow your anti-virus program to perform an update before you begin using your Internet browser. 

You may wish to consider one of the following online suppliers of anti-virus software.  There are numerous vendors in the market - this is purely a sample.  Please note: we do not receive commission from the sale of any of these products, nor do we make any recommendations, representations, guarantees or warranties about these products.

Anti-virus vendors 

  • F-secure
  • Symantec
  • McAfee
  • Trend Micro
  • Sophos

Free online virus scans 

  • F-secure
  • Trend Micro

Free Anti Virus Vendors 

  • AVG
  • Zone Labs
  • BitDefender

Personal firewall

Use a personal firewall software package.  These programs are designed to prevent hackers from accessing your computer whilst connected to the Internet.  In addition a firewall may also prevent an existing 'keystroke logger' program from sending your confidential information out of your computer to hackers. 

You may wish to consider one of the following online suppliers of firewall software.  There are numerous vendors in the market - this is purely a sample.  Please note: we do not receive commission from the sale of any of these products, nor do we make any recommendations, representations, guarantees or warranties about these products.

Firewall software vendors 

  • McAfee Personal Firewall
  • Norton Personal Firewall
  • ZoneLabs

Free Firewall Vendors 

  • Zone Labs

Anti-Spyware software

Spyware and keystroke loggers are general terms for unauthorised, hidden programs which may find their way onto your computer and track what you are doing on the Internet.  These programs watch everything you type, then send this information out over the Internet to the hacker without your consent or knowledge.  If you type your CAN, PAC or User ID (if applicable) whilst a 'keystroke logger' is planted on your computer, a hacker may then be able to use the Hub as if they were you, and access your accounts.  Some computer viruses can also carry 'keystroke logging' programs, designed to report CANs, PACs, User IDs and passwords back to hackers for later use.

You may wish to consider one of the following online suppliers of anti-spyware software.  There are numerous vendors in the market - this is purely a sample.  Please note: we do not receive commission from the sale of any of these products, nor do we make any recommendations, representations, guarantees or warranties about these products.

Spyware protection vendors 

  • Microsoft AntiSpyware
  • Spybot
  • Ad-Ware
  • MacScan

Latest browser and operating systems

Regularly visit your operating system's and browser's vendor website (refer to the links below) to ensure your computer’s operating system and Internet browser are up to date.  The majority of software vendors such as Microsoft post updates to their products to correct minor defects or security flaws that could potentially affect you. 

Please note: we do not receive commission from the sale of any of these products, nor do we make any recommendations, representations, guarantees or warranties about these products.

Internet browsers: 

  • Internet Explorer™
  • Firefox®
  • Safari™
  • Opera™
  • Google Chrome™

Operating systems: 

  • Windows   
  • Apple
  • Linux

Installing software or email attachments

Be extremely careful when installing software onto your computer.  We recommend only installing software from original installation CDs or from reputable sources. 

If you receive a program via email or Internet download, it is wise to think twice before opening or installing it.  Unless you explicitly trust the sender of the program (try contacting them by telephone to be sure) it could actually be a dangerous virus or a 'keystroke logger'. 

Remember many viruses spread via email by 'faking' the name of the sender to trick the recipient.  If you aren’t sure, contact the sender by telephone and ask for an explanation.  Do not click on any link in an email that asks you to respond with personal information, or requests you to pay bills or log onto a secure service.  Always delete your junk mail.

Important note: We will never send you an email asking you to reconfirm your security details or to divulge your passwords, CAN, PAC or User ID (if applicable) via email.  If you are ever in any doubt about the authenticity of any communications that are or seem to be from us please contact us immediately by telephone. 

Beware of online employment scams

In these types of scams, criminals post fake job advertisements on online recruitment websites or in newspapers.  The advertisements are from bogus overseas companies looking for people to act as distribution agents.  These agents are required to have an Australian bank account into which they receive funds on behalf of the company and then transfer them overseas, retaining 5-10% of the funds as their commission.

The bogus overseas company will then email the applicant.  This email typically contains a virus or trojan keyboard logger which, once opened, attempts to install itself onto the applicant's computer without their knowledge.  This software then captures the applicant's keystrokes, including online banking CAN and PAC details, and sends them back to the fraudster.  The fraudster is then able to log in to the customer’s accounts and transfer funds directly to their account, effectively making the victim an accessory to money laundering. 

Be cautious when using public or shared computers

If you access your accounts using a computer in an Internet café, a library or your workplace, try to ensure the computer has the latest anti-virus, firewall, anti-spyware and browser software installed.  

In addition you should take a few simple precautions to ensure that your Hub access is not compromised.  These precautions include: 

  • Make sure no-one watches you enter your CAN, User ID (if applicable) and PAC
  • Don't save your password on the computer
  • Close all browsers and open a single new browser for your Hub session.  Close the browser when you are finished using the computer
  • Regularly change your PAC.

If you're ever in any doubt about the security of a computer, we recommend you don't use it to access your secure information.

Computer access

Never leave your computer unattended when you are logged in, and make sure that you 'Log Off' when you’ve finished.  This will prevent an unauthorised person gaining access to your information.  Note: the Hub will automatically sign you out after 10 minutes of inactivity to protect your privacy. 

Security and industry related specialists

Like Virgin Money, many organisations are concerned about online security. Below is a sample of Australian and international organisations which provide useful information to help protect your information online:

  • Apple Product Security
  • AusCERT
  • Australian Bankers Association
  • Australian High Tech Crime Centre
  • Australian Securities and Investments Commission (Consumer and Investors Division)
  • Microsoft Australia Security
  • Stay Smart Online
  • ScamWatch

Fraud Warning - Hoax Email Alert

Hub customers are advised that hoax (spam) emails may be circulated that appear to be sent from Virgin Money or other legitimate businesses and that attempt to trick you into providing your personal information such as your Customer Access Number (CAN), Personal Access Code (PAC) and Virgin Money Token passcode.

Please follow this advice to be sure you are always dealing with us:

  • Always access the Hub by typing or into your web browser, never by following a link
  • Ignore any email or communication that advises you to act differently; for example, asking you to click on an embedded hyperlink to take you to the website instead
  • Stop and think when receiving an email or viewing a website that looks suspicious. If you are concerned about the site's authenticity, stop and ask for assistance by calling us on 13 81 51
  • All customers should keep their browser, operating system, anti-virus and firewall software up to date.

If you have, or even believe you have, inadvertently responded to and/or activated any link or attachment within the email, we request that you change your Personal Access Code immediately and contact our Customer Care Team on 13 81 51.