About Us  |  Search  | FAQ  | Contact Us
Secure Banking
Home
Banking
STP
Risk Management
BCM
CLS
Human Resources
e-commerce
Features
Smarts Cards
Interviews
Optimise CRM
Data Warehousing
Disaster Recovery
Swift Messaging
Securities
M-commerce
Africa
Finance
BPM & Workflow
Capital Markets
Global Custody
Outsourcing
 

Last Updated
February 16, 2003

 

 

Secure Banking

Security has always been one of the less glamorous corners of the IT infrastructure on which modern banking depends. But the advent of new security technologies opens up many possibilities for banks to provide a range of leading edge new technology services.

The advent of the Internet as a mass-market communication medium has created demand for better access to banking service, personalisation of services and the development of new online services accessed through the Internet. Customers expect to be able to access their account details, pay bills or gather information about other financial services such as receiving personalised insurance and loan quotes. At the same time, customers expect the highest levels of security to apply, with the minimum of visible interruption to their own web-browsing activities.

Demands for Higher Security

Providing access to banking services via a public and uncontrolled network such as the Internet creates a new set of problems for banking IT managers. Customers expect at least the same degree of security from Internet sites that they would expect the bank to apply to its own internal networks yet they also require access to be relatively simple, and to be spared the burden of memorising lengthy pass words and access codes.

The New Security Technologies: maximising site throughput
At the simplest level, secure access to web sites can be provided using SSL (secure sockets layer), a security protocol built into all web browser and server software. It works by setting up a secure communication channel between the server and the browser, based on secure key codes generated by the server.

The disadvantage of this approach is that the security keys for each user session must usually be generated at the start of the session, by the server. This complex mathematical operation can tie up an undue proportion of server processing time, limiting the number of users who can access the site at once and slowing down the access process. If many customers attempt to access the site at once, queues can build up while each customer’s web browser is issued with an authorisation code.

SSL-based acceleration offloads this processing burden to an external security processor and enables service providers to make the best use of their existing servers and bandwidth, serving more customers more efficiently and maximising the return on investment in the web site. Products like nCipher’s nFast seamlessly integrate with server hardware and software to ensure that a large number of requests for codes can be fulfilled in a very short time.

This is particularly useful in financial services where the load on web sites is extremely variable. Online brokerages see peaks at the start and close of the trading day, or when a particular company’s shares are moving fast. If a whole stock market starts to move fast, trading volumes can climb to many times the typical daily volume. Plus, the ease of online trading has accelerated the growth in share trading volume, with stock trading becoming a profitable hobby for many Americans as they trade shares in the technology companies whose products and web sites they use.

Pure banking sites can also suffer from peaks, usually more predictably at the start and end of the business week, at the end of the month and at the end of financial accounting periods as customers visit the site to settle bills and check their financial status. Use of security accelerator technology can provide these customers with a much more satisfactory experience when they visit the bank’s web site.

Digital Certificates
A more sophisticated form of access control is to use digital certificates. These are codes or combinations of codes which identify a user to a server, but which are carefully managed by a central certificate management server so that they can be withdrawn or the access which they provide limited.

A side effect of using digital certificates is that it makes it more important to protect the server itself the server contains a code which is used to validate certificates and which must not fall into the wrong hands. Again, specialist security hardware can provide the answer, by maintaining the all-important root key away from the main server and keeping a security barrier between it and the main server, which is accessible from outside. This provides many advantages, not least improving the scalability of the system, an important consideration when uptake of Internet services and the range of services themselves.

Incorporating Smart Cards
Digital certificates can be given a physical form by being stored on a token. The most popular form of token is the smart card, a credit-card format card with a small processor and memory chip embedded within its surface. The technical advantages of using smart cards are several, but there are also marketing and branding advantages.

The main technical advantage is that a smart card can store a code much more complex than a person could be expected to remember, it is stored away from the computer so makes it harder to access the account, and that the code can easily be updated or replaced on the memory chip.

The main technical disadvantage is that it requires users to have a card reader attached to their computer though the cost of this is reducing. Smart cards are also useful at the server end to manage the certificate server and access to the web server. Key management hardware such as nCipher’s nFast/KM range uses smart cards to activate the device and enable it to start issuing or validating certificates and codes.

Value-Added Services
Banks have many advantages over other companies when it comes to implementing Internet security. The maturity of proprietary online banking systems and networks and the sophistication of their security gives financial institutions a head start when it comes to applying similar technology to the Internet.

Leadership in technology and security confers many branding advantages on banks, demonstrating the core attributes which build customer confidence in their services. For many financial service institutions, this has created an opportunity to build leadership in the application of new security technologies. A good UK example is Barclays Bank’s Endorse system. This grew out of an internal authorisation system, which was developed to provide an efficient service to issue and check digital signatures (a form of certificate used to validate or sign electronic documents). Users are issued with a signature on a smart card, and nCipher nFast technology generates the codes used.

Barclays has since used the Endorse project as the basis for offering external security services. The first example was a pilot scheme for the UK government which used the Endorse system to secure access to a range of government tax and employment forms over the web.

Checking security
There are many security products on the market and it is hard to validate manufacturers claims. Increasingly, companies are putting their products through government-backed certification schemes. A leading security scheme is FIPS (Federal Information Processing Standard) 140-1, backed by the US and Canadian governments and providing specialist assessment of key-based cryptographic products.

Users of nFast products have the security of knowing that both the software and hardware architecture of the key management products nFast/KM and nFast/CA have been evaluated and passed by FIPS laboratories at the appropriate levels.

Conclusion
Embracing the Internet creates many opportunities but also problems. Adopting the latest security techniques enables financial institutions to be confident in the safety of their systems and also to offer new services, extending the reach of their brands into new and profitable service areas.
 

Prepared by Colin Bastable
European sales & marketing manager
nCipher Corporation

ISSN No:1470-5494 All rights reserved. No part or portion of this publication may be reproduced or transmitted in any form without the express, prior and written permission of the publisher. 

   

Section Menu

Secure Banking
Internet Banking
Clicks not Bricks
Better Infrastructure
Banking Software
Automated Dealing
Synergys going dotty
Focus on Technology
Issues
Web Based Banking
Trading room costs
Offshore fund managers
New age of hacking
Electronic trading
Money laundering
The Perfect Storm
Supplier Financing
Speculative Bubbles
Index Funds
Convenience banking
Two-tier banking
Gaining Clickshare
Cutting out paper
Tracking trends
Integrating
E-commerce
Banking on Security
Real Time
security under scrutiny
Personal touch Banking
ISMA
Sell side value
GSTPA for FX
Informatics
Anti Money Laundering
21st Century Banking

 
 

 
 

 

Home  |  About Us  |  Search  | FAQ  | Contact Us