There are three general categories of Internet security concern that are addressed in this white paper. The first is Log-In protection, the requirement
that each user maintain a strictly private password and Log-In ID to which no one but the authorized customer should ever have access. Second is transmission security, the need to keep unauthorized agents from intercepting and/or deciphering the transmission of customers' encrypted data while it travels between the customer's computer and the bank's server. Third, and lastly, is information privacy and integrity, the ability to prevent unauthorized agents from viewing and/or writing to customers data while it is stored on the bank's server.
"Customer" will be used to signify an authorized bank customer using software for the benevolent purposes it was intended and "agent" will be used to signify a person whose goal it is to exploit a software application for some negative end.
- LOG-IN PROTECTION FOR THE CUSTOMER
Every customer must privately maintain a combination of password
and Log-In ID. Because the customer is assigned the original password by
the bank's technical representative, BankAtEase forces the customer to change the password once logged
onto the system and before any transactions can be requested. This forces the customer
to establish an absolutely private password. Also, any subsequent changes to the
password (say a customer loses or forgets the password) which require back office
processing by a representative at the bank will force a change once the customer
uses the new password to log on.
Three (3) Strikes And You're Out
If an agent attempts unauthorized entry into a customer's
account by trying to guess a password, BankAtEase will disable or destroy the password
on the third incorrect attempt, thus invalidating the Log-In combination. The disabling
and/or destruction of the password keeps an unauthorized agent from running a 'crack'
program, an application that can run through millions of possible passwords eliminating
the invalid ones until it arrives at a match. To guard against unauthorized use
of your log-in ID and password, BankAtEase disables the password
indefinitely until you call the bank and request your log-in and password to be
reset. This will occur if you accidentally activate this security feature by unintentionally
mis-keying a password three times. You will need to call the bank to reestablish
the password for your account(s). For example, a common mistake made by customers
is having the caps-lock on while keying in a password. Since the password is case
sensitive and you cannot actually see the characters you are typing, it is easy
to think you are typing the password correctly when the caps-lock is engaged.
Suggestions for Passwords
Your password and logon ID provide security against unauthorized entry and access
to your accounts. Passwords should not be easy to guess; for example, children's
or pets names, birth dates, addresses or other easily recognized identifications
for you should be avoided. Combining upper and lower cases within your password
as well as combined alpha and numeric characters is a good security precaution in
selecting a password (for example: sp3aKer is a good password for "speaker" All
passwords should be a minimum of 6 characters.
- Transmission Security
Transmission security begins with the browser. A customer must be using a browser
that supports the Netscape-developed encryption technology known as Secure Sockets
Layer (SSL). Versions of Netscape 2.0 or beyond and Microsoft Internet Explorer
3.02 or beyond come equipped with SSL. SSL's specific function is to manipulate
data into an unreadable format as it leaves the customer's PC. The temporary scrambling
of data in transit is referred to as 'encryption'. In the unlikely case that an
agent should intercept the data in transit, the encryption makes the data unreadable
to a human and nearly impossible for a computer to crack. Furthermore, data in transit
is split up into packets that travel separately and are not reorganized until they
arrive at the bank's web server. So if the encryption code should be solved, the
agent is likely to only be in possession of individual packets that would be out
of context with the whole data.
As you would expect, the converse of encryption, decryption,
must take place before the data is rearranged back into a useful format.
The relationship between which computer encrypts data and which computer
has the subsequent ability to decrypt that data is determined by an extension
of SSL known as public and private key pair technology. This method consists
of two keys, one public and the other private. The public key is published
from the bank's server upon request by the customer's web browser (i.e.
Netscape or MS Internet Explorer). The private key is held privately at
the bank's server. Once received by the customer's browser, the public key
is used to encrypt the data as it leaves for the bank's server. The encrypted
data can only be decrypted by the private key, based on the mutually exclusive,
asynchronous relationship that these two keys share. As Netscape puts it, "Data
that is encrypted with the public key can be decrypted only with the private
key. Conversely, data encrypted with the private key can be decrypted only
with the public key. This asymmetry is the property that makes public key
cryptography so useful.
This answers the question that may have occurred to you:
"Encryption may make data unreadable to a human, but can another machine intercept
the data and unscramble it?" The co-dependency between the public and private key
pair ensures that the only computer capable of decrypting data is the one who provides
the means by which it is also encrypted. This raises another question: "How can
either party, the recipient of a public key and/or the holder of the private key
make any guarantee that either are who they say they are?" Indeed, if substitutions
of identity can be made, it makes no difference how well
encrypted data travels. To address this issue, BankAtEase employs the VeriSign Digital
ID, authentication technology.
The VeriSign Digital ID (all quotes in this section are taken from VeriSign's white
paper at https://www.VeriSign.com
as of 11/13/97.)
The reasoning behind the public/private key pair is similar to that of a safety
deposit box that can only be opened by two separate keys that are owned by two different
people and must be used simultaneously to work the lock. With a safety deposit box,
it is relatively easy to make visual confirmation that the person holding the other
key is who you think they are and, indeed, someone with whom you want to be sharing
this mutual responsibility. The Internet is faceless, however, and a bank's server
is likely to get requests all day long from customers all around the world. How
does a bank bind the identity of the computer knocking on its server door with a
legitimate, authorized customer? And conversely, how does the browser of a legitimate
customer verify that it is communicating with its intended destination at the bank?
BankAtEase servers employ technology called the Digital ID
to address the issue of identification. The Digital ID, developed by VeriSign, provides
a standard of authentication against which claims of identity can be made and guaranteed.
VeriSign, in its white paper, writes that "Digital ID's are electronic credentials
that establish an individual's or entity's identity. A server secured with a Digital
ID ensures visitors of the site's authenticity and allows the session with the client
to be encrypted". It is essentially "third party evidence" that customers seeking
and receiving data are who the server understands them to be, and vice versa.
Here is a section taken from VeriSign's white paper that describes how it works
in conjunction with public/private key pair technology.
A Digital ID provides an electronic means of verifying that the individual or
organization with whom you are communicating is who they claim to be. The identity
of the Digital ID owner is bound to a pair of electronic keys that can be used to
encrypt and sign digital information, assuring that the keys actually belong to
the person or organization specified.
A CA (Certification Authority) such as VeriSign attests to an individual's or organization's
right to use the keys by digitally signing the Digital ID after verifying the identity
information it contains. The assurance provided by the Digital ID depends on the
trustworthiness of the CA that issued the Digital ID and the integrity and security
of the CA's practices and procedures.
When a connection is established between a client and a secure server, the client
software automatically verifies the server by checking the validity of the server's
Digital ID. The key pair associated with the server's Digital ID is then used to
encrypt and verify a session key that is passed between the client and server. This
session key is then used to encrypt the session. A different session key is used
for each client-server connection, and the session key automatically expires in
24 hours. Even if a session key is intercepted and decrypted (very unlikely), it
cannot be used to eavesdrop on subsequent sessions. SSL is the connection protocol
used for this authentication and encryption process.
- Server Security and Information Privacy/Integrity
Having encrypted the data and verified that the sender and
receiver can be appropriately identified by each other, the web server
and the information stored on it are protected in the following ways. BankAtEase
operates off a server that is physically separate from the bank's mainframe and
is protected by a firewall.
In addition a router with firewall
are installed that sit between the Internet and server. This router, loaded with
a firewall as well as an additional firewall are configured to only allow HTTP traffic,
from the Internet.