DSSS helps one of the major banks in Asia Pacific to
strengthen its internet banking system.
The bank is already operating an Internet Banking service
for their Corporate Banking Customers. Its current Internet
Banking Service site is SSL protected, while the access
is controlled via a user ID and password combination,
which are stored in the application server. The communication
between the application server and the back-end mainframe
is not encrypted or signed.
Now, the bank intends to extend its internet banking
service to its private banking customers and eventually
to its consumer banking customers. Therefore, it needs
to strengthen the security of its system to guarantee
a better and more secure online transaction service
to its customers. Recently, it has purchased 2-factor
tokens from VASCO security, and is very keen to integrate
these tokens to the system as one way to improve the
security.
In order to provide a better service, the bank also
intends to provide online service via other electronic
means such as phone and mobile banking. In this way,
the vision to provide a modern electronic banking platform
becomes a reality.
After studying the system, DSSS found 3 major problems
in the system:
- User ID and passwords are not end-to-end protected,
leaving room for sniffers to be placed at the web
server to steal the login credentials.
- The authentication database is not cryptographically
protected, leaving room for attackers to carry out
an off-line dictionary attack.
- The communication between the application server
and back-end mainframe is not protected, leaving room
for fake transactions to be injected into the back
end system.

By integrating the DSSS Authentication Server into
the system, the bank is able to achieve the following
objectives:
With the DSSS applet in the browser encrypting the password before it leaves the client, end-to-end protection of the login credentials was achieved, so a sniffer placed at the web server no longer sees them. The User ID-password database was migrated from the Application Server to the Authentication Server, where passwords are stored in hashed form rather than in clear. Hence, an off-line dictionary attack against the stored credentials is much more difficult.
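The hashed credential store described above, as an added illustration that is not DSSS's own code: salted, iterated PBKDF2 records, a constant-time verify, and a one-off migration of a plaintext user-ID/password table of the kind the application server held. The iteration count, salt size, record format and sample credentials are assumptions; the dictionary-attack resistance only holds when each record carries its own random salt and the hash is deliberately slow, which is what this example does.

```python
import hashlib
import hmac
import os

# Parameters assumed for this illustration, not the DSSS configuration.
ITERATIONS = 200_000   # deliberately slow: every guess costs this much work
SALT_BYTES = 16        # per-user random salt defeats shared precomputed tables


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Two customers with the same password get different records, so one
    dictionary pass cannot cover every account at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify(password, record):
    """Recompute from the stored salt and iteration count; compare in constant
    time so response timing does not leak how much of the hash matched."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:        # malformed record: treat as a failed login
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_plaintext_table(table):
    """One-off migration of {user_id: plaintext_password} (as held on the
    application server) to {user_id: hashed_record}; the plaintext is then
    never stored again."""
    return {uid: make_record(pw) for uid, pw in table.items()}


if __name__ == "__main__":
    # Constructed sample table; not real customer data.
    legacy = {"corp001": "Summer2024", "corp002": "Summer2024"}
    store = migrate_plaintext_table(legacy)
    print(store["corp001"] != store["corp002"])       # True: same password, different records
    print(verify("Summer2024", store["corp001"]))     # True
    print(verify("summer2024", store["corp001"]))     # False
```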
Corporate, private and consumer banking customers are distinct populations and should be segregated. To add support for private and consumer banking customers, the bank therefore needed to scale up its system. The multiple-domain capability of the DSSS Authentication Server made this task easier: the bank can assign each type of customer to its own domain and enforce a different password policy and set of access rights per domain. New domains can also be used to manage helpdesk personnel, relationship managers or the administrators of the customers' domains.
VASCO tokens are fully supported by the DSSS Authentication Server, so integrating 2-factor authentication into the existing system posed no problem. The tokens are managed from a single token management point. Should the bank later wish to assign a different type of token to each type of customer, it can do so conveniently.
The DSSS Authentication Server is a network appliance that accepts secure connections from multiple applications to perform authentication. A bank customer therefore logs in to the Mobile Banking system in the same way as to the Internet Banking system. It also means that the security policy is enforced uniformly across applications: an attacker cannot turn to the Mobile Banking account once the Internet Banking account has been locked.
- First bank in Asia to offer 2-factor authentication at login for both corporate and retail banking customers.
- Greater security, leading to higher customer trust.
- An enhanced reputation as the bank that provides the best protection for its customers.