Two-Factor Authentication For Internet Banking

The Business Challenge

DS3 helps one of the major banks in Asia Pacific to strengthen its internet banking system.

The bank already operates an Internet Banking service for its Corporate Banking customers. The current Internet Banking site is protected by SSL, and access is controlled with a user ID and password combination that is stored on the application server. The communication between the application server and the back-end mainframe is neither encrypted nor signed.

Now the bank intends to extend its internet banking service to its private banking customers and eventually to its consumer banking customers. To do so it needs to strengthen the security of the system so that it can offer its customers a more secure online transaction service. It has recently purchased 2-factor tokens from VASCO security and is keen to integrate these tokens into the system as one way to improve security.

The bank also intends to offer its services through other electronic channels, such as phone and mobile banking, as part of its vision of a modern electronic banking platform.

Our Solution

After studying the system, DS3 found three major problems:

  • User IDs and passwords are not protected end to end: SSL ends at the web server, where the credentials are visible in the clear, so a sniffer placed at the web server can capture them.
  • The authentication database is not cryptographically protected, so an attacker who obtains a copy of it can run an off-line dictionary attack against the stored credentials.
  • The communication between the application server and the back-end mainframe is neither encrypted nor signed, so fake transactions could be injected into the back-end system.

By integrating the DS3 Authentication Server into the system, the bank is able to achieve the following objectives:

Objective 1 : Strengthening the security of the Internet Banking Site
With a DS3 applet in the browser encrypting the password before it leaves the client, the credential is protected end to end and a sniffer placed at the web server sees only ciphertext. The user ID and password database was migrated from the application server to the Authentication Server, where passwords are stored as hashes rather than in a recoverable form. A dictionary attack against a copy of the database therefore becomes much more costly, although hashing slows rather than eliminates guessing of weak passwords, which is why the per-domain password policies described under Objective 2 also matter.
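As an added illustration (not DS3's code, and not the encryption the browser applet performs), the following Python contrasts the storage problem listed above with the hashed storage the Authentication Server provides. The customer names, passwords and attacker wordlist are constructed for the example; the unsalted SHA-1 "before" scheme is an assumed stand-in for a database that is not cryptographically protected, and the PBKDF2 iteration count is illustrative rather than a production setting.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the case study): three customers, two of
# whom chose the same password, and a tiny attacker wordlist.
PASSWORDS = {"alice": "summer2008", "bob": "Tr0ub4dor&3", "carol": "summer2008"}
WORDLIST = ["password", "letmein", "summer2008", "Welcome1", "qwerty"]
ITERATIONS = 100_000  # illustrative PBKDF2 work factor; use a higher count in production


def weak_store(password):
    """'Before': unsalted single-pass SHA-1, which an attacker holding a copy of
    the database can attack offline with one precomputed table."""
    return hashlib.sha1(password.encode()).hexdigest()


def weak_dictionary_attack(stored, wordlist):
    """One hash per candidate word cracks every user who chose that word."""
    table = {weak_store(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)  # cracked users, hash computations spent


def strong_store(password, salt=None):
    """'After': random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(record, password):
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def strong_dictionary_attack(stored, wordlist):
    """The salt defeats precomputation: every (user, word) pair costs a full
    PBKDF2 run, so the work grows with users x words x iterations."""
    found, work = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            work += 1
            if strong_verify(record, word):
                found[user] = word
                break
    return found, work


def demo():
    """Build both databases, run both attacks and report what each costs."""
    weak_db = {u: weak_store(p) for u, p in PASSWORDS.items()}
    strong_db = {u: strong_store(p) for u, p in PASSWORDS.items()}
    weak_found, weak_work = weak_dictionary_attack(weak_db, WORDLIST)
    strong_found, strong_work = strong_dictionary_attack(strong_db, WORDLIST)
    return {
        # identical passwords give identical weak hashes, but distinct salted ones
        "weak_same_hash": weak_db["alice"] == weak_db["carol"],
        "strong_same_hash": strong_db["alice"] == strong_db["carol"],
        "weak_found": weak_found, "weak_work": weak_work,
        "strong_found": strong_found, "strong_work": strong_work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The wordlist still recovers the two weak passwords under the salted scheme; what changes is that each guess costs a full PBKDF2 run per user instead of one cheap table lookup shared by all users, and bob's password, which is not in the wordlist, is never recovered either way.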

Objective 2: Supporting all customers: Corporate, Private and Consumer Banking Customers
Corporate, private and consumer banking customers are different populations and should be segregated. To add support for private and consumer banking customers, the bank therefore needed to scale up its system. The multiple-domain capability of the DS3 Authentication Server made this easier: the bank could assign each type of customer to its own domain and enforce different password policies and access rights for each domain. Further domains could be used to manage helpdesk personnel, relationship managers or the administrators of the customer domains.

Objective 3: Migrating to 2-factor authentication as a better way of security
VASCO tokens are fully supported by the DS3 Authentication Server, so integrating 2-factor authentication into the existing system posed no problem. The tokens are managed from a single token management system. In the future, if the bank wishes to assign a different type of token to different types of customers, it can do so without disruption.

Objective 4: Allowing other forms of electronic access (i.e. Phone Banking and Mobile Banking)
The DS3 Authentication Server is a network appliance that accepts secure connections from various applications to perform authentication. A bank customer can therefore log in to the Mobile Banking system in the same way as to the Internet Banking system. It also means the security policy is enforced uniformly across applications: failed-attempt counters and lockouts are kept per account rather than per channel, so an attacker cannot switch to the Mobile Banking channel once the Internet Banking account is locked.
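The following Python model, added here as an illustration and not DS3's or VASCO's code, shows the behaviour Objectives 2 to 4 describe: one authentication authority serving several channels, per-domain password and token policy, a second factor, and an account-level lockout that a second channel cannot bypass. The domain names, policy values, account names and the use of RFC 4226 HOTP as the one-time-password algorithm are assumptions for the example; VASCO's own token algorithm is not shown.

```python
import hashlib
import hmac
import struct

# Assumed per-domain policies (constructed for the example; the case study
# names the domains but not their settings).
DOMAINS = {
    "corporate": {"min_password_len": 8,  "require_token": True,  "max_failures": 3},
    "private":   {"min_password_len": 10, "require_token": True,  "max_failures": 3},
    "helpdesk":  {"min_password_len": 12, "require_token": False, "max_failures": 5},
}
OTP_WINDOW = 3  # how many counter values ahead the server will accept


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP, used here as a stand-in for an event-based hardware
    token. This is not VASCO's algorithm."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AuthServer:
    """One authentication authority for every channel. Failure counters and
    lock state live on the account, so a lock taken on the internet channel
    also applies to mobile and phone."""

    def __init__(self):
        self.accounts = {}

    def enrol(self, user, domain, password, token_secret=None):
        policy = DOMAINS[domain]
        if len(password) < policy["min_password_len"]:
            raise ValueError(f"{domain}: password must be at least "
                             f"{policy['min_password_len']} characters")
        if policy["require_token"] and token_secret is None:
            raise ValueError(f"{domain}: a token must be assigned")
        # Password kept in the clear only to keep the lockout logic short;
        # a real server stores a salted hash.
        self.accounts[user] = {"domain": domain, "password": password,
                               "token_secret": token_secret, "counter": 0,
                               "failures": 0, "locked": False, "audit": []}

    def _check_otp(self, acct, otp):
        """Accept the next code within the look-ahead window, then move the
        counter past it so the same code cannot be replayed."""
        if otp is None:
            return False
        for c in range(acct["counter"], acct["counter"] + OTP_WINDOW):
            if hmac.compare_digest(hotp(acct["token_secret"], c), otp):
                acct["counter"] = c + 1
                return True
        return False

    def authenticate(self, user, password, otp=None, channel="internet"):
        acct = self.accounts.get(user)
        if acct is None:
            return "unknown-user"
        policy = DOMAINS[acct["domain"]]
        if acct["locked"]:
            result = "locked"  # same answer whichever channel asks
        else:
            ok = hmac.compare_digest(acct["password"], password)
            if ok and policy["require_token"]:
                ok = self._check_otp(acct, otp)
            if ok:
                acct["failures"] = 0
                result = "ok"
            else:
                acct["failures"] += 1
                if acct["failures"] >= policy["max_failures"]:
                    acct["locked"] = True
                result = "locked" if acct["locked"] else "denied"
        acct["audit"].append((channel, result))
        return result


def lockout_scenario():
    """Three bad internet logins lock the account; the right password and a
    valid token code over the mobile channel are then still refused."""
    srv = AuthServer()
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    srv.enrol("acme-treasury", "corporate", "Corp0rate!", secret)
    results = [srv.authenticate("acme-treasury", "wrong", "000000", "internet")
               for _ in range(3)]
    results.append(srv.authenticate("acme-treasury", "Corp0rate!",
                                    hotp(secret, 0), "mobile"))
    return results


if __name__ == "__main__":
    print(lockout_scenario())  # ['denied', 'denied', 'locked', 'locked']
```

The point of the model is where the state lives: because the counter, the lock flag and the token counter belong to the account record inside the one server, every channel observes the same outcome, and a successful token code advances the counter so it cannot be reused on another channel either.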

The Results

  • First bank in Asia to offer Two-Factor Authentication (2FA) at login for both corporate and retail banking customers.
  • Greater security, leading to higher customer trust.
  • Enhanced reputation as a bank that provides the best protection for its customers.
