The world’s leading software company specializing in Internet Security

Building a secure banking environment

DIGIPASS BY VASCO

Secure online banking

Online banking

Banks worldwide are increasingly offering services over the Internet: customers are transferring money from one account to another, checking their account status or investing in stock from their PCs at home and in the office. With mobile telephones in everybody’s pockets, banks are starting to offer mobile banking services, allowing customers to handle their banking accounts from their mobile while being on the road.

With all this money being transferred online, online fraudsters try to intercept financial transactions and turn them to their benefit. Banks and customers worldwide have lost millions of dollars through online fraud.

Online threats

Internet fraud is still on the rise and fraud schemes are becoming ever more sophisticated. Phishing attacks, Trojan horses, key loggers and man-in-the-middle attacks have resulted in banks looking for more sophisticated security solutions to protect themselves and their customers online.

Regulatory compliance

Financial institutions are looking for compliance with the new sets of rules for online banking security as defined by their local regulatory bodies. VASCO’s authentication system not only helps financial institutions to reduce fraud but also helps banks to meet legal and regulatory constraints. VASCO’s solutions also promote the legal enforceability of electronic agreements and transactions with banking customers.

Two factor authentication

Two factor authentication uses two components to authenticate a user: something you know and something you have. Traditional authentication schemes use username and password to authenticate users. This provides minimal security, because many user passwords are very easy to guess, are written down or can be intercepted online.

User authentication with one-time password

With VASCO DIGIPASS, static passwords are replaced by the use of OTPs. A one-time password (OTP) is generated by a hardware or software DIGIPASS. It is only valid for a limited period; the password is unique and cannot be reused. By adding DIGIPASS authentication to e-banking applications, the bank is able to identify the user when he requests access to the e-banking application.

Secure online transactions with e-signature

E-signature offers the best protection against man-in-the-middle attacks. E-signatures allow the bank to verify whether a transaction was initiated by the genuine end-user and was not altered in transit. This ensures that the right amount is being transferred by the right person to the right account and prevents the fraudster from submitting transactions or modifying existing transactions.

What you see is what you sign

As fraud schemes evolve, VASCO continuously looks at developing new defense mechanisms. A recent evolution is the use of the ‘What You See Is What You Sign’ (WYSIWYS) principle. WYSIWYS ensures that transaction data are shown on the authenticator’s screen for confirmation prior to transaction signature. DIGIPASS devices that support WYSIWYS have large screens that show the full contents of the transaction. This allows the user to verify that the content is correct before signing it.
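The one-time password and e-signature properties described above (limited validity, no reuse, a code bound to the account and amount the user confirmed), as an added example that is not from the brochure. It uses a generic HMAC-SHA256 construction with OATH-style truncation, not VASCO's proprietary DIGIPASS algorithm; every name, the key, the time step and the transaction values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds one code stays valid (assumed value)
DIGITS = 8   # length of the displayed code (assumed value)


def _truncate(mac: bytes) -> str:
    """Dynamic truncation in the style of OATH HOTP (RFC 4226)."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def otp(key: bytes, now: int) -> str:
    """Login code: depends only on the shared key and the current time step."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha256).digest())


def sign_transaction(key: bytes, now: int, account: str, amount: str) -> str:
    """E-signature: the code also covers the fields the user confirmed."""
    msg = struct.pack(">Q", now // STEP)
    for field in (account, amount):
        data = field.encode()
        msg += struct.pack(">H", len(data)) + data  # length prefix: no field ambiguity
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class Verifier:
    """Server side: recompute the code; reject stale, altered or reused ones."""

    def __init__(self, key: bytes, drift_steps: int = 1):
        self.key = key
        self.drift = drift_steps   # tolerated clock drift, in time steps
        self.last_step = -1        # highest time step already accepted

    def _check(self, code: str, now: int, make) -> bool:
        for delta in range(-self.drift, self.drift + 1):
            t = now + delta * STEP
            if t // STEP <= self.last_step:
                continue           # step already used: a replayed code is refused
            if hmac.compare_digest(make(t), code):
                self.last_step = t // STEP
                return True
        return False

    def verify_otp(self, code: str, now: int) -> bool:
        return self._check(code, now, lambda t: otp(self.key, t))

    def verify_transaction(self, code, now, account, amount) -> bool:
        return self._check(
            code, now, lambda t: sign_transaction(self.key, t, account, amount))


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample secret
    now = 1_700_000_000                      # constructed timestamp
    server = Verifier(key)
    sig = sign_transaction(key, now, "ACCT-A", "250.00")
    print(server.verify_transaction(sig, now, "ACCT-B", "250.00"))  # altered payee
    print(server.verify_transaction(sig, now, "ACCT-A", "250.00"))  # genuine
    print(server.verify_transaction(sig, now, "ACCT-A", "250.00"))  # replay
```

Tracking only the last accepted time step also refuses a second genuine code issued within the same step, which is a simplification of this sketch.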

Securing all channels

Retail banking

Retail banks offer a wide variety of personal banking services to individuals, including account checking, saving plans, bill payment, debit and credit cards, loans and mortgages. Today most of these banking services are increasingly offered online. Account holders are able to access their banking services via the Internet. As the use of the online banking channels grew, online fraud schemes surfaced. Banking customers who have been hacked not only lose their assets, they also lose trust in the online banking channels and the bank’s reputation.

VASCO’s strong authentication solutions not only help banks in securing their online channels, they help the bank in reinstating customers’ trust in the online banking system. VASCO offers a variety of strong authentication solutions for the consumer electronic banking market, including hardware based authenticators, smart card based solutions, software and mobile authentication.

Mobile banking

Today’s world is increasingly mobile; as a result mobile banking is a logical step in offering banking services using the concept of “bank-away-from-bank”. The adoption of mobile banking is driven by the “new” anywhere and any time generation. Mobile banking is introduced for various obvious reasons like cost savings, time saving, accuracy, quality of service, elimination of geographical barriers or to enlarge the customer base in countries where mobile phones are more popular than PCs.

The challenges faced in m-banking are similar to those in e-banking. The platform has changed, but fraud schemes are quite similar. Today, the most common m-banking channels are: telephone banking, IVR, SMS based solutions, client/server based applications (downloadable or pre-loaded), WAP, STK (SIM toolkit) banking and mPKI.

VASCO offers cost-effective and user-friendly solutions to secure all mobile banking channels. VASCO’s DIGIPASS API brings one-time password and e-signature functionality to end-users through their mobile phones and PDA devices, without the need for any additional hardware.

Corporate banking

Corporate banking environments were the first to see the benefits of two-factor authentication, such as increased productivity, when migrating their banking transactions online. Going online opened the door to new specific attacks such as spear phishing, targeting corporate e-banking customers.

With spear phishing, e-mails are sent to employees, for instance those working in finance and executing high value transactions, who based on the e-mail can ask the bank to initiate a transfer of funds. Corporate e-banking is attractive to fraudsters not only because there is more money involved but also because the banking systems are less likely to detect fraud attempts on these accounts.

VASCO’s strong authentication solutions can provide solutions with a higher level of security (WYSIWYS, non repudiation, e-signature) matching the higher risk faced by the average corporate transaction. VASCO offers a variety of strong authentication solutions for the corporate banking market such as PKI authenticators, connected readers and other hardware based authenticators.

Mobile payments

Mobile payments are an emerging and rapidly-growing alternative payment method. Rather than pay by cash, check, or credit card, customers can opt to use their mobile phone to buy goods and services. Because of their quick transaction speed and convenience, mobile payments are gaining popularity as a method of paying for items, such as music, videos, ringtones, online game subscriptions, wallpapers, transportation fare (bus, subway, or train), parking meters, books, magazines and tickets.

Mobile payments secured by two factor authentication provide a secure alternative to credit cards. Since the payment is made using a mobile phone, no credit card information is stored by the merchant, eliminating the opportunity for hackers or employees to compromise card information. Since one-time passwords are used, the transaction can be verified to have originated from the exact phone registered for a specific user.

VASCO’s DIGIPASS solution seamlessly integrates with existing mobile payment applications via direct integration of the DIGIPASS API, VASCO’s development kit. It offers customers an easy, convenient and secure payment alternative.

Leveraging EMV card investment

EMV cards are deployed to increase the security of credit card transactions thanks to the use of chips and encryption algorithms. EMV cards can be leveraged for the deployment of two-factor authentication without the cost of issuing any additional personalized authenticators.

The Chip Authentication Program (CAP), a MasterCard initiative which received Visa support, offers two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed.

VASCO’s CAP-based solutions are suitable for mass deployment in retail banking. The banking customer’s regular debit and/or credit card can be used to generate one-time passwords and e-signatures offering strong authentication. Each of these authentication mechanisms can also secure multiple applications - from e-banking to e-commerce.

VASCO can also enhance EMV CAP solutions with unique authenticators (optical reader, one button) or add-on features like VASCO strong authentication. These enhancements make the deployment of EMV card based strong authentication even more secure and convenient for banks and their customers.

Preventing ATM fraud

Since the automatic teller machine (ATM) has been introduced to withdraw cash, theft has been at play. Thieves used to watch over your shoulder to memorize your PIN and then tried to steal your debit/credit card. Nowadays more complex mechanisms such as skimming and ghost ATMs are being used.

Strong authentication can be added to protect ATMs without too much hassle: the existing ATM infrastructure does not need to be adapted, banks can postpone expensive chip and PIN migration, and the conversion to OTP validation instead of PIN validation can be executed quite rapidly and inexpensively for banks that already use strong authentication for their online channels.

Banks can leverage their investments made in strong authentication in multiple ways. Either they can link multiple applications, such as the e-banking channels, phone banking and ATM operations to a single authentication device. Or they can decide to have a dedicated authenticator for ATM security.

Customer references

Mizuho Bank deploys DIGIPASS to secure Mizuho Direct

Mizuho Bank in Japan is active in retail banking with approximately 500 branches, 25 million retail customers and over 11,000 ATM machines. Mizuho Bank provides online banking services to retail customers and SMBs through Mizuho Direct. The number of users has steadily increased, reaching over 8 million in November 2009.

Mizuho Bank wanted to provide a secure authentication solution for its retail customers online. The solution had to provide a high level of security to protect financial and critical transactions, offer great flexibility and at the same time remain user-friendly. DIGIPASS GO 6 provides retail customers with a flexible solution to access their online banking accounts at their own convenience 24/7.

HSBC Bank Brazil: full integration between its electronic channels with m-banking and DIGIPASS for Mobile

HSBC Bank Brazil is a subsidiary of HSBC Holdings Plc., one of the biggest financial organizations in the world. HSBC Bank Brazil wanted to enhance its multi-channel approach by offering secure m-banking services to its retail customers.

To secure HSBC m-banking, the application had to be small, generic and fit for any mobile device. Furthermore, the application needed to be chip, device and telecom provider independent. DIGIPASS for Mobile conveniently provides secure access to m-banking services any time and anywhere. The technology has been tested with hundreds of phones from various manufacturers and is non-reliant on third parties, overcoming provider dependency and network limitations.

Caixa Galicia secures customers’ online banking accounts with patented DIGIPASS technology

Caixa Galicia was founded in 1978 and is currently the sixth largest savings bank in Spain. Caixa Galicia looked at implementing a two-factor authentication method to prevent phishing scams and other fraud schemes enabling retail and corporate customers to remotely access their online banking account 24/7. Caixa Galicia has two different online banking services: Caixa Activa and Caixa Gestión. The savings bank wanted one solution suited for both applications without having to invest in additional infrastructure.

VASCO’s DIGIPASS technology together with the authentication software VACMAN allowed Caixa Galicia to secure access to their online banking applications for both their retail and corporate customer base without needing to invest in additional infrastructure and hardware. Because the use of DIGIPASS is self-explanatory it was readily accepted.

Bradesco: Pioneer in the use of DIGIPASS for Mobile in Brazil

Banco Bradesco was founded in 1943 as a commercial bank under the name “Banco Brasileiro de Descontos S.A.” Its initial strategy consisted of attracting small retailers, government workers and modest land owners as a customer base. After eight years Bradesco became the largest private sector bank in Brazil. In the early 1990s Bradesco branches started to operate online. Internet banking was embraced by millions of customers. Bradesco sought a security solution that was easy to implement and did not interfere with the customers’ existing systems and routines. At the same time the solution had to meet the different needs of both corporate and retail customers. Different DIGIPASS solutions were chosen for corporate and retail banking customers. To protect their online financial transactions corporate clients use DIGIPASS GO3 while retail clients use DIGIPASS for Mobile.

Reliance Money deploys DIGIPASS GO3 to secure its online trading platform

Reliance Money is a comprehensive financial services and solution provider. Its endeavor is to change the way India transacts in financial markets and avails financial services. Reliance Money wanted to provide a convenient and secure authentication solution for its online trading platform to corporate and retail customers. Scalability of the solution and adequate support were decisive factors. The solution needed to provide a high level of security to protect financial and critical transactions, offer great flexibility and at the same time remain user-friendly to ensure user acceptance by Reliance Money’s multi-million customer base. DIGIPASS GO3 provides both corporate and retail customers with a user-friendly and scalable solution to access their online trading accounts 24/7 at their own convenience.

Server side technology

IDENTIKEY

IDENTIKEY is VASCO’s comprehensive and scalable authentication server for e-banking, network and application security offering OTP, e-signature and EMV CAP capability. IDENTIKEY is based on VASCO’s core VACMAN technology. It verifies authentication requests from individuals trying to access banking applications and centrally administers user authentication policies. IDENTIKEY can be linked to any web-based banking application via SOAP. In addition to protecting e-banking applications, IDENTIKEY Server offers various extensions to secure employee remote access. Home workers, remote branch offices, and traveling staff can use the same DIGIPASS technology to safely connect via VPN to the banking network and its applications.

VACMAN

VACMAN is VASCO’s core authentication platform already integrated by a vast number of leading banks and financial institutions worldwide. It combines all authentication applications, including OTP, challenge-response and e-signature on a single platform. VACMAN is used for the authentication of millions of end-users. It can seamlessly be integrated into existing e-banking applications in a time and cost-effective way. Furthermore, VACMAN is highly scalable: additional users or applications can easily be added.

[Figure: Standard RADIUS setup with authentication server. Labels: RADIUS client, RADIUS server, IDENTIKEY, VACMAN]

Client side technology

One button devices

The DIGIPASS GO family combines ultra-portability with user convenience. The OTP is generated at the push of the button.

Key features:

• Intuitive use
• Ultra-portable
• Time and event based authentication
• DES/3DES/AES/OATH
• Long life battery

PIN-pad devices

A range of small and user-friendly PIN-protected authentication devices.

Key features:

• Offers response only OTP, e-signature and challenge/response functionality
• PIN protection and PIN unlocking
• Simple and intuitive in use
• Time/event and challenge/response based
• Long life battery

Card Readers

A wide range of connected and unconnected card readers

Key features:

• No need to install drivers in unconnected mode
• Smart card based OTP, e-signature, PKI functionality
• Straightforward deployment
• Ease-of-use
• Leverage EMV or PKI cards deployment
• No personalization required

DIGIPASS family

VASCO’s DIGIPASS family offers a wide range of end-user authentication devices which all make use of VASCO’s VACMAN core technology. Customers can choose from a wide range of authenticators (OTP, challenge-response, e-signature or PKI devices), both software and hardware-based, which best fit their needs. All DIGIPASS devices are fully customizable: available with the customer’s logo and corporate colors.

Software DIGIPASS

Software-based DIGIPASS solutions leverage mobile phones or web-browsers for authentication purposes.

Key features:

• OTP and e-signature capability
• No hardware deployment
• Time and event based authentication
• PIN-protected
• Transparent, user-friendly and ultra-portable

PKI-based solutions

VASCO’s PKI-offering consists of DIGIPASS CertiID, a client-based software suite, and a range of DIGIPASS PKI devices, the DIGIPASS Key range. DIGIPASS CertiID provides an answer to the growing need for digital signature solutions for high risk transactions and document signing. The DIGIPASS Key range consists of smart card based solutions and USB devices.

VASCO Services

VASCO Consulting Services

VASCO Consulting Services have been designed to complement our offering of strong authentication solutions with quality services that help customers to make the most of their authentication investments.

Whether customers are looking for information about current security challenges and threats in e-banking, e-commerce or network security, whether advice is needed prior to an implementation or during the implementation, VASCO can offer its expertise.

By sharing expertise, proven methodology and best practices, VASCO can help its customers in decreasing time to market of their authentication project.

More detailed information on our consulting offer is available on: www.vasco.com/consulting

VASCO Professional Services

The implementation of two-factor authentication has many facets: VASCO Professional Services have been designed to assist customers in the deployment of their authentication project. By sharing expertise we help our customers to minimize the challenges and maximize the results by providing them peace of mind throughout the deployment of the project.

The roll-out of a two-factor authentication project is not only about IT-security, it involves the input from other departments. As a result it requires a structured approach and careful thought about project management, fulfillment, marketing, IT security, deployment, helpdesk support and many others.

Our experts will:

• Manage the authentication project
• Help customers with technology choices
• Provide advice on marketing strategy
• Integrate the application
• Manage the fulfillment and stock
• Organize helpdesk support

They will use VASCO’s proven 4-step methodology, taking the customer from a generic security enhancement objective through to a tailored deployment fitting the bank’s and financial institution’s specific security needs.

Fulfillment Services

VASCO’s Fulfillment services have been designed to assist the customer in lowering the supply-chain burden of authentication projects. Fulfillment services allow banks or financial institutions to focus on their core business activities while VASCO takes care of the personalization and provisioning of the authentication devices.

• Branding and customization: every DIGIPASS can be branded reflecting corporate colors and logos in order to enhance brand recognition for end-users.
• Customized packaging: VASCO offers a wide range of packaging services, ranging from non-personalized individual or bulk packaging to fully customized and branded packaging.
• Refurbishment: tailor made service offering to prolong DIGIPASS life-cycle and reduce the ecological footprint of authentication investments.
• Distribution and storage: VASCO can offer supply chain services, delivering orders anywhere in the world, to a central location, branch offices or to end-users. We can also store customer’s stock in secure and adapted warehouses.
• Provisioning: security parameters, whether on software or hardware authenticators, can be personalized according to the requirements of security departments. Secrets are stored onto DIGIPASS hardware using an approved and audited process. Advanced encryption methods are used to communicate initial PINs and to unlock codes by security departments.

VASCO’s Security Experts Academy & e-Learning platform (SEAL)

New types of online attacks emerge almost every day; therefore it is critical for IT security professionals to stay informed and up-to-date on the latest trends. As a leading Internet security company VASCO considers it its duty to actively share information on current and emerging IT security trends and online fraud schemes with its customers, partners, distributors and resellers and anybody who needs our advice.

SEAL is VASCO’s worldwide community of security professionals. The SEAL training offer consisting of general IT security topics and VASCO product training will help people who want to have a career in information security. Through our offering of classroom training, e-learning or DVD-based training and forums, VASCO SEAL allows customers and partners to:

• Become a VASCO Certified Engineer
• Stay up-to-date on the latest security trends
• Develop new skills in IT security
• Get access to a community with an extensive IT security knowledge base
• Exchange information with peers

SEAL offering

VASCO’s SEAL comprises the following:

• e-learning: more than 120 hours of web-based or DVD-based IT security training
• Classroom training by VASCO security experts
• VASCO Certification: SEAL training offers IT security professionals the opportunity to become VASCO Certified Engineers
• VASCO Authorized Training Centers: training by VASCO partners
• Junior Programs: trainee and scholarship programs for graduates

More information is available on: www.vasco.com/training

Support

VASCO technical support is available in a number of pre-defined support packages. Our support plans consist of:

• Standard Monday to Friday business hours support
• 24/7 support
• VIP support using SLAs adapted to specific customer needs
• Pay-per-incident
• Remote assistance

More information on the specific support plans is available on: www.vasco.com/support

DIGIPASS Plus

DIGIPASS Plus is VASCO’s hosted security solution: authentication is provided through an outsourced model. Banks focus on their core business while VASCO takes care of all aspects of securing their e-banking applications in a service model. DIGIPASS Plus makes use of VASCO’s proprietary authentication technology.

Copyright © 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

About VASCO

VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet security applications and transactions. VASCO has positioned itself as a global software company for Internet security serving customers in more than 100 countries, including several international financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and e-government.

VASCO Offices

www.vasco.com

• Boston: phone +1.508.366.3400, email info_usa@vasco.com
• Sydney: phone +61.2.8061.3700, email info_australia@vasco.com
• Singapore: phone +65.6323.0906, email info_asia@vasco.com
• International HQ, Chicago: phone +1.630.932.8844, email info_usa@vasco.com
• Operational HQ, Brussels: phone +32.2.609.97.00, email info_europe@vasco.com
• Financial HQ, Zurich: phone +41.43.555.3500, email info_europe@vasco.com