Description of Safeguard and Protection Systems
The system applies comprehensive and coherent security measures in every area affecting its operation:
- secure access to the system
- secure internet technologies
- authorization of transmitted orders and instructions
- infrastructure security
- organizational security
- technical security.
SYSTEM ACCESS CONTROL AND SECURE LOGGING IN
To secure the login process, every person authorized to use the BusinessPro system receives an individual identifier and a password.
The password is confidential and must be known only to the user it was assigned to; observing this rule is what protects the account against unauthorized access to data. The identifier and the initial password are handed to the BusinessPro user as a starter pack in a sealed, protected envelope delivered in person by an authorized representative of the Bank. Once the starter pack has been received, the first login to the system can take place.
Logging in to Business Net can be done using:
- a masked password
- a cryptographic card (Crypto Card)
- a qualified certificate
The password or PIN can be entered either on the physical keyboard or on an on-screen keyboard operated from the monitor.
During the first login the system forces a password change. Under the Bank's security policy the password must be at least 10 characters long and contain at least one lowercase letter, one uppercase letter and one digit.
At the Client's request, to raise the security level further, the IP addresses of the workstations from which the system may be accessed can be defined; access is then possible only from those addresses. This is a defence-in-depth measure that complements, rather than replaces, the credential checks above.
SECURE AND SAFE INTERNET TECHNOLOGIES
Secure communication with the Bank through BusinessPro is based on:
- certification of the WEB servers (Thawte Server CA),
- SSL 3.0 encryption with a 128-bit session key,
- protection of transmitted data against manipulation or loss,
- control of activity in the system with the use of session keys,
- system logs recording all user and system activity.
Note that SSL 3.0 has since been deprecated (RFC 7568, 2015); a current deployment of this design should negotiate TLS 1.2 or later and refuse older protocol versions.
The SSL (Secure Sockets Layer) cryptographic protocol used by the BusinessPro system combines two encryption methods: public-key (asymmetric) cryptography, used to authenticate the server and establish the session key, and symmetric (secret-key) encryption, used to protect the data itself.
The protocol provides certification (authentication) of the parties, the Client's authorization, and the confidentiality and integrity of the transmitted data.
In browsers such as Internet Explorer and Netscape, a closed padlock icon in the bottom right corner of the window indicates a secured connection. SSL relies on digital certificates (certificates of authenticity) issued to institutions by independent Certification Authorities established for this purpose (in the case of BusinessPro, Thawte Server CA). The Bank's certificate contains its public key.
In the first stage of establishing the SSL connection the server presents its certificate to the browser, the equivalent of an identity document for the WWW server; when the Client logs in with a qualified certificate, the browser presents the Client's certificate in return. The lengths of the keys involved determine the security of the transmitted data.
In the BusinessPro system the session key that encrypts the transmission is 128 bits long, which at present provides a very high security level; the public keys in the certificates, which protect the handshake itself, are considerably longer.
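The exchange described above, as an added example that is not part of the original page or of the BusinessPro system: a Go program that runs a complete TLS handshake between an in-memory server and client over net.Pipe, verifies the server certificate against a configured root exactly as a browser verifies the Bank's certificate against the Thawte root, and then exchanges one message under the negotiated symmetric key. The host name bank.example, the self-signed certificate and the message ORDER-1 are constructed for the demo. Go's crypto/tls no longer implements SSL 3.0, so the example enforces TLS 1.2 as the minimum, which is what a current deployment of this design should do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert issues a short-lived self-signed certificate for the demo. It stands
// in for the Bank's CA-issued server certificate and, being self-signed, is also the
// root the browser is told to trust (the role the page assigns to Thawte).
func newServerCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname verification checks this, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// RunHandshake connects an in-memory bank server and browser over net.Pipe (no
// sockets, fully offline), exchanges one message and returns the browser's view of
// the connection plus the server's reply. With trustServer false the browser trusts
// no root, so certificate verification fails before any application data is sent.
func RunHandshake(host string, trustServer bool) (tls.ConnectionState, string, error) {
	cert, leaf, err := newServerCert(host)
	if err != nil {
		return tls.ConnectionState{}, "", err
	}
	roots := x509.NewCertPool() // an empty pool trusts nothing
	if trustServer {
		roots.AddCert(leaf)
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // SSL 3.0, TLS 1.0 and 1.1 are refused
		SessionTicketsDisabled: true,             // no post-handshake writes on the pipe
	}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
	browserEnd, bankEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // a stuck side errors out instead of hanging
	browserEnd.SetDeadline(deadline)
	bankEnd.SetDeadline(deadline)
	defer browserEnd.Close()
	serverDone := make(chan error, 1)
	go func() {
		defer bankEnd.Close()
		srv := tls.Server(bankEnd, serverCfg)
		buf := make([]byte, 64)
		n, err := srv.Read(buf) // Read completes the handshake before returning data
		if err == nil {
			_, err = srv.Write(append([]byte("ACK "), buf[:n]...))
		}
		serverDone <- err
	}()

	cli := tls.Client(browserEnd, clientCfg)
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, "", err // e.g. x509: certificate signed by unknown authority
	}
	if _, err := cli.Write([]byte("ORDER-1")); err != nil {
		return tls.ConnectionState{}, "", err
	}
	buf := make([]byte, 64)
	n, err := cli.Read(buf)
	if err == nil {
		err = <-serverDone
	}
	return cli.ConnectionState(), string(buf[:n]), err
}

func main() {
	st, reply, err := RunHandshake("bank.example", true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=0x%04x suite=%s server=%s reply=%q\n", st.Version,
		tls.CipherSuiteName(st.CipherSuite), st.PeerCertificates[0].Subject.CommonName, reply)
	_, _, err = RunHandshake("bank.example", false)
	fmt.Println("untrusted issuer rejected:", err != nil)
}
```

The first call prints the negotiated version (TLS 1.3 with a current Go toolchain) and cipher suite; the second call, with an empty trust store, fails with an unknown-authority error before ORDER-1 is ever sent, which is the property the padlock icon stands for. The server's private key never crosses the pipe: only its certificate does, and the symmetric session key is derived during the handshake on both sides.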
SECURITY OF DATA ACCESS AND FUNCTIONALITY
The BusinessPro system allows users' authority to be defined precisely, both for each function the system offers and for the data of individual accounts. This is implemented through:
- configuration of an access profile for account data and its management, e.g. the right to view account balances and to enter orders,
- configuration of an access profile for functionality, e.g. the right to sign orders and send them to the Bank.
To simplify day-to-day work, a managing user, the so-called "super user", can administer selected employees' authorizations without contacting the Bank. The super-user function lets the Client independently restrict the functionality available to a user and even block that user's login. A user's authorizations can also be changed at any time on a request submitted to the Bank.
AUTHORIZATION OF ORDERS, ACCEPTANCE SCHEMES AND LIMITS
The BusinessPro internet banking system allows any acceptance scheme to be configured, mirroring the competences established within the company. Clients can:
- set up separate acceptance schemes for orders, applications and information sent to the Bank,
- configure acceptance schemes for each account,
- verify and validate schemes,
- preview acceptance schemes (to check whether a given group of persons may authorize an order).
To raise the security level of transactions and operations further, BusinessPro allows any transaction acceptance scheme to be combined with limits. It is also possible to:
- set amount limits,
- express limits in any currency,
- set period limits, e.g. per transaction (one-off), daily, weekly and monthly transaction amounts,
- monitor the use of limits: the system checks the defined transaction limits for each account separately.
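As an added illustration (not code from the original page or from BusinessPro), the following Go program models an acceptance scheme as a set of alternative signer requirements, implements the "preview" check of whether a given set of persons may authorize an order, and enforces per-order, daily and monthly limits per account with an all-or-nothing update of the counters. The signer names, groups, account number and limit values are constructed assumptions; all amounts are assumed to be in one currency, so the currency conversion the page mentions is left out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Requirement is one way to authorize an order: at least N signatures from each
// listed group, e.g. {"director": 2} or {"director": 1, "accountant": 1}.
type Requirement map[string]int

// Scheme is an acceptance scheme: alternative requirements, any one of which
// suffices, plus the group each authorized person belongs to.
type Scheme struct {
	Alternatives []Requirement
	Groups       map[string]string // signer -> group
}

// Satisfied returns the index of the first alternative met by these signers, or
// -1. This is the "preview" check: may this set of persons authorize an order?
func (s Scheme) Satisfied(signers []string) int {
	counts, seen := map[string]int{}, map[string]bool{}
	for _, who := range signers {
		if !seen[who] { // a person counts once, however many times they sign
			seen[who] = true
			counts[s.Groups[who]]++ // unknown signers land in group "" and never count
		}
	}
	for i, alt := range s.Alternatives {
		met := true
		for g, n := range alt {
			met = met && counts[g] >= n
		}
		if met {
			return i
		}
	}
	return -1
}

// Limits for one account, in minor units (cents); zero means unlimited.
type Limits struct{ PerOrder, Daily, Monthly int64 }

// Ledger enforces limits and remembers each account's usage per day and month.
type Ledger struct {
	Limits map[string]Limits
	used   map[string]int64 // key: account|period
}

func NewLedger(limits map[string]Limits) *Ledger {
	return &Ledger{Limits: limits, used: map[string]int64{}}
}

var ErrScheme = errors.New("acceptance scheme not satisfied")
var ErrLimit = errors.New("transaction limit exceeded")

// Authorize checks the scheme first, then every applicable limit for the account,
// and records the amount against the day and the month only if all checks pass.
func (l *Ledger) Authorize(account string, amount int64, signers []string, at time.Time, s Scheme) error {
	if s.Satisfied(signers) < 0 {
		return ErrScheme
	}
	lim := l.Limits[account]
	day := account + "|" + at.UTC().Format("2006-01-02")
	month := account + "|" + at.UTC().Format("2006-01")
	switch {
	case lim.PerOrder > 0 && amount > lim.PerOrder:
		return fmt.Errorf("%w: single order", ErrLimit)
	case lim.Daily > 0 && l.used[day]+amount > lim.Daily:
		return fmt.Errorf("%w: daily", ErrLimit)
	case lim.Monthly > 0 && l.used[month]+amount > lim.Monthly:
		return fmt.Errorf("%w: monthly", ErrLimit)
	}
	l.used[day] += amount
	l.used[month] += amount
	return nil
}

// DemoScheme: two directors and an accountant; an order needs two directors, or one
// director plus the accountant. DemoLimits: account PL12 may send 10 000.00 per
// order, 15 000.00 per day and 20 000.00 per month. Constructed sample data.
func DemoScheme() Scheme {
	return Scheme{
		Alternatives: []Requirement{{"director": 2}, {"director": 1, "accountant": 1}},
		Groups:       map[string]string{"alice": "director", "bob": "director", "carol": "accountant"},
	}
}

func DemoLimits() map[string]Limits {
	return map[string]Limits{"PL12": {PerOrder: 1_000_000, Daily: 1_500_000, Monthly: 2_000_000}}
}

func main() {
	s, l := DemoScheme(), NewLedger(DemoLimits())
	at := time.Date(2024, 3, 15, 10, 0, 0, 0, time.UTC)
	fmt.Println(l.Authorize("PL12", 900_000, []string{"alice", "carol"}, at, s)) // <nil>
	fmt.Println(l.Authorize("PL12", 100, []string{"carol"}, at, s))              // acceptance scheme not satisfied
}
```

Two details matter in practice and are easy to get wrong: the same person signing twice must not count as two approvals, and a rejected order must leave the daily and monthly counters untouched, otherwise a burst of refused attempts could exhaust a limit without moving any money.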
ELECTRONIC (DIGITAL) SIGNATURE
Transactions carried out in the BusinessPro system carry non-repudiable proof that a given person performed them: the electronic (also called digital) signature.
Features of the electronic signature:
- it identifies the owner of the signature,
- it draws a clear line between a final declaration of will and a draft,
- it confirms that the declaration genuinely originates from the user who signed the order sent to the Bank,
- it proves that the declaration of will was made and that its content is identical to that of the order.
The BusinessPro system's internet technology makes applying the electronic signature safe and simple. The signature is applied in a separate window, which further raises the security level. The user can view the prepared order in its formatted, signed form at any moment. The on-screen keyboard used to enter the password protecting the electronic signature key prevents the characters from being captured by software that hooks the physical keyboard, e.g. so-called Trojan horses; it does not by itself defeat malware that captures the screen or mouse position, so it complements rather than replaces a clean workstation.
ELECTRONIC SIGNING OF DOCUMENTS
Signing an order relies on a private key available only to the user and a public key held on the Bank's server and used to check the signature's authenticity. Signature generation consists of computing a cryptographic hash (control sum) of the transmitted file and signing that value with the user's individual private key. The private key can be stored on any data carrier (cryptographic card, hard disk, pen drive etc.) or kept in the Bank's repository.
When the signature is made with a key kept in the Bank's repository or on an external data medium, the signature is additionally authorized, to raise the security level further, by an SMS code sent to a predefined confidential phone number.
The cryptographic card keys used by the BusinessPro system are 2048 bits long, which at present corresponds to the highest security level applied in electronic banking. A BusinessPro user can hold many keys for the electronic signature and has various options for selecting, hiding, changing and blocking them. A new key may be signed with the existing active key.
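The hash-then-sign process described above, and the signing of a new key with the existing active key, as an added Go example (not BusinessPro's own code): SHA-256 serves as the control sum and RSA-2048 with PKCS#1 v1.5 padding as the signature scheme (an assumption; the page names neither), and the order text is constructed. The signer's private key stays on the signing side; the Bank side only ever handles public keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SignOrder computes the control sum of the order (SHA-256) and signs that digest
// with the user's private key (RSA PKCS#1 v1.5). Only the digest is signed, so the
// signature is fixed-size however large the order file is.
func SignOrder(priv *rsa.PrivateKey, order []byte) ([]byte, error) {
	digest := sha256.Sum256(order)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyOrder is the Bank-side check: recompute the digest of the order as received
// and verify the signature with the public key held in the Bank's repository. Any
// change to the order, even one digit of the amount, makes this return false.
func VerifyOrder(pub *rsa.PublicKey, order, sig []byte) bool {
	digest := sha256.Sum256(order)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Rollover introduces a new signing key: its public key, DER-encoded, signed with
// the currently active private key, so the Bank can trust the new key on the
// strength of the old one instead of issuing a new starter pack.
type Rollover struct {
	NewPublicKey []byte // PKIX DER encoding of the new public key
	Signature    []byte // SignOrder(activeKey, NewPublicKey)
}

func RequestRollover(active *rsa.PrivateKey, next *rsa.PublicKey) (Rollover, error) {
	der, err := x509.MarshalPKIXPublicKey(next)
	if err != nil {
		return Rollover{}, err
	}
	sig, err := SignOrder(active, der)
	return Rollover{NewPublicKey: der, Signature: sig}, err
}

// AcceptRollover is the Bank-side check: the request must verify under the key the
// Bank currently holds as active for this user; only then is the new key returned.
func AcceptRollover(active *rsa.PublicKey, r Rollover) (*rsa.PublicKey, error) {
	if !VerifyOrder(active, r.NewPublicKey, r.Signature) {
		return nil, errors.New("rollover request not signed by the active key")
	}
	pub, err := x509.ParsePKIXPublicKey(r.NewPublicKey)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("new key is not an RSA key")
	}
	return rsaPub, nil
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key on the user's crypto card
	order := []byte("TRANSFER;from=PL12;to=PL98;amount=9000.00;ccy=EUR;ref=INV-17")
	sig, _ := SignOrder(user, order)
	fmt.Println("genuine order verifies:", VerifyOrder(&user.PublicKey, order, sig)) // true
	tampered := []byte("TRANSFER;from=PL12;to=PL98;amount=90000.00;ccy=EUR;ref=INV-17")
	fmt.Println("tampered order verifies:", VerifyOrder(&user.PublicKey, tampered, sig)) // false

	next, _ := rsa.GenerateKey(rand.Reader, 2048)
	req, _ := RequestRollover(user, &next.PublicKey)
	accepted, err := AcceptRollover(&user.PublicKey, req)
	fmt.Println("new key accepted:", err == nil && accepted.Equal(&next.PublicKey)) // true
}
```

The rollover check is deliberately asymmetric: a request signed by the new key itself proves nothing, because anyone can generate a key pair, so the Bank must verify it under the key it already trusts. Once accepted, the old key should be blocked so that only one key is active for signing at a time.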
INFRASTRUCTURE PROTECTION AND SAFEGUARDS
- firewall system: protects BusinessPro against unauthorized access
- load balancing, failover and geographically separated clusters: protect the BusinessPro internet banking system against the effects of failures, so that the user has access to the system at all times without the need for a separate standby system
- monitoring of user and system activity: provides control over the completeness and correctness of BusinessPro's operation and over the integrity and non-repudiation of data (Clients' orders in particular). The system records every trace of user activity and every operation performed (e.g. attempts to log in, reading an account's history, making a transfer), together with the IP addresses of the stations from which the operations were performed.
- consistent operational procedures for BusinessPro system administrators, Client Advisors and Business Line staff
- user ID locking: entering incorrect credentials (by default three times) triggers an automatic access lockout
- automatic logout: a user who has been inactive for a set time interval is automatically logged out
- the safeguards used by BusinessPro conform fully to international standards for the protection of banking data centres
- access to the IT and other technological zones is strictly controlled