Security Center

How Scotiaconnect protects your accounts, your data, and every transaction — the full security architecture explained.

Security Measures — Scotiaconnect employs six independent security layers: transport encryption, multi-factor authentication, real-time fraud detection, automatic session control, hardware-secured data storage, and quarterly third-party penetration testing. No single point of failure can compromise client accounts.

Encryption Standards

Every connection to Scotiaconnect — whether you access the platform through a web browser, the mobile app, or a third-party integration — is encrypted using TLS 1.3 with 256-bit AES-GCM ciphers. The handshake rejects any attempt to downgrade to older protocols. Session keys rotate every 60 minutes during active use. Data at rest — account balances, transaction histories, personal identification information — is encrypted using AES-256 with hardware security modules managing key material. Scotiaconnect encryption practices align with NIST SP 800-57 recommendations and FTC data security guidance for financial institutions.

TLS certificates are issued through a globally trusted certificate authority and renewed on a 90-day rotation cycle with automated deployment. Certificate transparency logs are monitored continuously for anomalous issuance. The Scotiaconnect public-facing infrastructure achieves an A+ rating on SSL Labs on every quarterly scan.

Multi-Factor Authentication

Scotiaconnect mandates multi-factor authentication for every account — MFA cannot be disabled by the user. The standard configuration requires two independent factors: a knowledge factor (password or PIN) plus a possession or inherence factor. Possession factors include time-based one-time passcodes generated by an authenticator app and one-time passcodes sent by SMS to the registered phone number. Inherence factors include fingerprint scanning and facial recognition on devices that support biometric authentication through their native OS security frameworks.

Enterprise and business clients can configure additional MFA policies through the Scotiaconnect admin console. Supported options include hardware security keys (FIDO2/WebAuthn), IP-range whitelisting that restricts login to known office networks, and role-based step-up authentication — requiring re-verification before high-value transactions like wires exceeding $25,000. Scotiaconnect logs every authentication event — success, failure, and challenge — with timestamps and device metadata visible in the client's security dashboard.

Fraud Detection & Prevention

Scotiaconnect runs real-time behavioral analytics on every transaction, login attempt, and account modification. The detection engine analyzes multiple signals simultaneously: device fingerprint, geolocation consistency, login time patterns, transaction amount relative to account history, payee novelty, and typing cadence during authentication. When the engine flags suspicious activity, it triggers one of three graduated responses depending on risk score.

Low-risk anomalies generate an informational push notification to the account holder. Medium-risk events — a login from an unrecognized device in a new city — require step-up verification before proceeding. High-risk signals — a wire to a first-time recipient from a new IP address at an unusual hour — place an immediate hold on the transaction and initiate a verification call or in-app challenge. The Scotiaconnect fraud team reviews high-risk holds within 30 minutes during business hours and within 90 minutes outside business hours.

Scotiaconnect personal accounts carry zero-liability protection for verified unauthorized transactions reported within 60 days. Business accounts are protected under the same framework with additional coverage options available through the business checking premium tier.

Account Safety Settings

Every Scotiaconnect account includes a configurable security panel accessible from the online banking dashboard. Clients control device authorization — view and revoke sessions on specific phones, tablets, or computers. Transaction alerts can be tuned per category: deposits, withdrawals above a threshold, wire transfers, failed login attempts, and profile changes. Card controls let you lock and unlock debit and credit cards instantly, set spending limits by merchant category, and restrict international or online transactions without freezing the entire account.

Automatic session timeout terminates idle web sessions after 15 minutes. Mobile app sessions require re-authentication after 5 minutes of background inactivity. Failed login attempts trigger escalating lockouts: three failures cause a 5-minute cooldown, five failures enforce a 30-minute lock, and ten failures require a call to Scotiaconnect support at +1-416-555-0172 to restore access. These thresholds are not configurable — they are fixed as part of the security baseline.
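The escalating lockout described above can be modelled as a small state machine. The sketch below is an added example, not Scotiaconnect code: the names `LockoutState`, `record_attempt` and `restore_by_support` are hypothetical, and it assumes that attempts made during a lock are refused without being counted and that a successful login resets the failure count.

```python
from dataclasses import dataclass

# Thresholds from the text: failure count -> lock duration in seconds.
COOLDOWN_AT, COOLDOWN_SECS = 3, 5 * 60
LOCK_AT, LOCK_SECS = 5, 30 * 60
SUPPORT_AT = 10  # no timer: only support can restore access


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0      # epoch seconds; 0.0 means no timed lock
    support_required: bool = False


def is_locked(state: LockoutState, now: float) -> bool:
    return state.support_required or now < state.locked_until


def record_attempt(state: LockoutState, password_ok: bool, now: float) -> str:
    """Apply one login attempt and return the outcome."""
    if is_locked(state, now):
        # Assumption: attempts during a lock are refused before the password
        # is checked and are not counted toward the next tier.
        return "refused"
    if password_ok:
        state.failures = 0         # Assumption: a successful login resets the count.
        return "ok"
    state.failures += 1
    if state.failures >= SUPPORT_AT:
        state.support_required = True
        return "support_required"
    if state.failures == LOCK_AT:
        state.locked_until = now + LOCK_SECS
        return "locked_30m"
    if state.failures == COOLDOWN_AT:
        state.locked_until = now + COOLDOWN_SECS
        return "cooldown_5m"
    return "denied"


def restore_by_support(state: LockoutState) -> None:
    """Hypothetical hook for the support desk after identity verification."""
    state.failures, state.locked_until, state.support_required = 0, 0.0, False
```

Refusing attempts before the password check during a lock means a correct guess made inside the cooldown window gains nothing, which is what makes the timed tiers effective against online guessing.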

Infrastructure & Resilience

Scotiaconnect operates across geographically distributed data centers with real-time failover. If one facility experiences an outage, traffic shifts to the secondary site within 90 seconds with no data loss. Database clusters use synchronous replication — every write commits to at least two physically separate locations before the transaction confirms. Backups run continuously with point-in-time recovery windows of 15 minutes or less.

Distributed denial-of-service protection scrubs inbound traffic through multiple carrier-grade mitigation providers before requests reach Scotiaconnect application servers. Web application firewalls block OWASP Top 10 attack patterns — SQL injection, cross-site scripting, broken access control — at the edge. The security operations center monitors the platform 24/7 with automated alerting and an on-call incident response team.

Security Features Comparison

Security Feature | Personal Accounts | Business Accounts | Enterprise Tier
TLS 1.3 Encryption | Included | Included | Included
Multi-Factor Authentication | Mandatory | Mandatory | Mandatory + hardware key
Real-Time Fraud Monitoring | Included | Included | Included + custom rules
Automatic Session Timeout | 15 min web / 5 min mobile | 15 min web / 5 min mobile | Configurable duration
Biometric Login | Supported | Supported | Supported
Zero-Liability Fraud Protection | 60-day coverage | 60-day coverage | Extended coverage
IP-Range Whitelisting | Not available | Available | Included
Step-Up Authentication | Not available | Available | Included
Card Lock/Unlock | Included | Included | Included
Quarterly Penetration Testing | Platform-wide | Platform-wide | Platform-wide
Dedicated Security Advisor | Not available | Not available | Included

What You Can Do Right Now

Enable biometric login on your mobile device through the Scotiaconnect app settings. Review your authorized device list and revoke any sessions you do not recognize. Set transaction alerts for withdrawals above a threshold that makes sense for your spending patterns. Verify that your contact phone number and email are current — Scotiaconnect uses these for MFA codes and fraud verification calls. Choose a unique password that you do not reuse across other services; the Scotiaconnect password policy enforces a 12-character minimum with complexity requirements.

Business account administrators should review user permissions quarterly — remove former employees immediately, verify that each active user's access level matches their current role, and enable IP-range restrictions if your organization operates from known office networks. Scotiaconnect business clients can schedule a security review with a platform specialist through the support hub.

Frequently Asked Questions

What encryption standard does Scotiaconnect use?

Scotiaconnect uses TLS 1.3 with 256-bit AES-GCM ciphers for all data in transit. Data at rest is encrypted using AES-256. Every Scotiaconnect session — web, mobile, and API — negotiates encryption before any account information is exchanged. The platform rejects connections attempting to downgrade to older TLS versions. Certificates are rotated every 90 days through automated deployment.

How does Scotiaconnect multi-factor authentication work?

Scotiaconnect MFA requires two independent verification factors: something you know (password or PIN) plus something you have (device-bound one-time code via authenticator app or SMS) or something you are (biometric — fingerprint or face recognition on supported devices). MFA is mandatory for all Scotiaconnect accounts and cannot be disabled. Business clients can add hardware security keys and IP-range restrictions through the admin console.

Does Scotiaconnect offer fraud monitoring?

Yes. Scotiaconnect runs real-time fraud detection on every transaction, deposit, and login attempt. Machine-learning models analyze behavior patterns — login location, device fingerprint, transaction amount, payee history, and time-of-day normalcy. Suspicious activity triggers graduated responses: informational alerts for low risk, step-up verification for medium risk, and immediate transaction holds with verification calls for high-risk signals.

What should I do if I suspect fraud on my Scotiaconnect account?

Lock your Scotiaconnect card immediately through the mobile app or online banking dashboard, then call Scotiaconnect support at +1-416-555-0172. The fraud team can freeze the account, reverse unauthorized transactions filed within 60 days, and issue a new card number. Scotiaconnect provides zero-liability protection for verified fraud on personal accounts. Do not delete suspicious emails or messages — the fraud team may need them for investigation.

How often does Scotiaconnect undergo security audits?

Scotiaconnect undergoes independent third-party penetration testing quarterly. External security firms test the web platform, mobile apps, API endpoints, and internal infrastructure against OWASP Top 10 vulnerabilities, CWE Top 25 weaknesses, and financial-sector threat models. Audit summaries are published in the annual Scotiaconnect transparency report. The platform achieves consistent A+ ratings on SSL Labs security scans.

What Scotiaconnect Clients Say

Our institution handles sensitive student data and financial aid disbursements. Scotiaconnect's security architecture — mandatory MFA, quarterly audits, real-time fraud alerts — gave our compliance office confidence during the vendor review. Implementation was smoother than any banking transition we have done.
— Cynthia L. Mwangi, Academic Dean, Sherbrooke

Bank with confidence — Scotiaconnect has you covered

Every account includes multi-layered security at no extra cost. Open an account and see the security dashboard for yourself.


Scotiaconnect Security Resources

Clients looking to strengthen account protection should review the Scotiaconnect security settings guide for step-by-step configuration. The Scotiaconnect fraud alerts page explains how to customize real-time notification thresholds. For mobile safety, check Scotiaconnect mobile security to enable biometric lock on your device. The Scotiaconnect password guide covers creating and managing strong credentials. Learn how Scotiaconnect device management lets you review and revoke authorized sessions.

Business administrators should consult Scotiaconnect business security for multi-user access control configuration. The Scotiaconnect compliance standards document details regulatory alignment with OSFI and FINTRAC. Review Scotiaconnect data encryption for technical specifics on cipher suites and key management. Check Scotiaconnect incident response to understand breach notification timelines. The Scotiaconnect transparency report publishes annual security statistics. For phishing protection tips, visit Scotiaconnect phishing awareness. The Scotiaconnect risk assessment tool helps business clients evaluate their exposure.