Internet B@nking Security
The security of Georgia Bank & Trust's Internet B@nking is addressed at three levels. First, security measures are in place to prevent unauthorized users from logging on to the online banking section of the bank's Web site (Individual Security). Second, the customer's information is protected as it travels from the customer's PC to the Web server (Browser Security). Finally, security measures are in place to prevent intrusion into the environment in which the Internet B@nking server and the customer information database reside (Provider Security).
For the customer's protection, and so that the bank can research a request for an account and validate confidential account information, each customer is issued an individual Login ID and a Personal PIN. A computer-generated Login ID is delivered via the United States Postal Service after the initial account set-up has been completed. The customer then uses that Login ID together with the last four digits of his or her Social Security number (as the initial Personal PIN) to begin the first login. During this first login the customer's Login ID is authenticated and the customer is prompted to choose his or her own customized Personal PIN. Customers may change their Personal PIN as often as they like and are prompted to change it periodically. Also, for their protection, the online account is disabled if the allowed number of logon attempts is exceeded. In addition, the customer's PC banking session is terminated after an extended period of inactivity.
Data security between the customer's browser and the Web server is handled by a security protocol called Secure Sockets Layer (SSL). SSL provides data encryption, server authentication, and message integrity for an Internet connection. Netscape Communications developed SSL to ensure private and authenticated communications. The customer's Internet B@nking session uses SSL to secure the transaction from the browser to the Web server. Once a secure session is established, the data cannot be monitored by other users on the Internet. The SSL protocol negotiates an encryption algorithm and a session key, and authenticates the server, before the application protocol transmits or receives its first byte of data. All application-protocol data is transmitted encrypted, ensuring privacy.
Encryption turns the words and numbers in a transaction into a coded form that can be read only by the customer and the bank. If the key icon in the lower left corner of the browser window appears filled or "enclosed" in Netscape Navigator, or the lock appears solid in Microsoft Internet Explorer, the information is being encrypted. When not in a secure session, Netscape's key appears broken and Microsoft's lock does not appear at all.
A cookie is a way for a secured server to establish a logon or session ID each time a customer authenticates. A cookie is placed in the customer's browser each time he or she signs on. The cookie allows us to maintain continuity across a series of requests and responses. This additional precaution prevents a customer's session from being "taken over" should SSL or encryption fail, either of which is extremely unlikely.
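The Individual Security controls described above (account lockout after too many failed logons, termination of an idle session) together with the per-logon session cookie can be sketched in a few dozen lines. The following is an added illustration, not the bank's own code; the lockout threshold, the inactivity timeout, the user store and the cookie format (session ID plus an HMAC tag) are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_LOGINS = 3      # assumed threshold; the page only says "the allowed number"
INACTIVITY_TIMEOUT = 600   # seconds; assumed value for "an extended period of inactivity"

def pin_hash(login_id: str, pin: str) -> str:
    # PINs are stored only as salted hashes; the login ID serves as the salt here.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), login_id.encode(), 100_000).hex()

class BankingSessions:
    def __init__(self, users: dict, secret: bytes, clock=time.time):
        # users: login_id -> pin_hash (hypothetical store); clock is injectable for testing
        self.users = {u: {"pin_hash": h, "failed": 0, "disabled": False} for u, h in users.items()}
        self.secret = secret
        self.clock = clock
        self.sessions = {}  # session_id -> {"login_id": ..., "last_seen": timestamp}

    def _sign(self, session_id: str) -> str:
        return hmac.new(self.secret, session_id.encode(), "sha256").hexdigest()

    def login(self, login_id: str, pin: str):
        # Return a cookie value on success; None on a bad PIN or a disabled account.
        user = self.users.get(login_id)
        if user is None or user["disabled"]:
            return None
        if not hmac.compare_digest(user["pin_hash"].encode(), pin_hash(login_id, pin).encode()):
            user["failed"] += 1
            if user["failed"] >= MAX_FAILED_LOGINS:
                user["disabled"] = True  # stays disabled until the bank re-enables it
            return None
        user["failed"] = 0
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"login_id": login_id, "last_seen": self.clock()}
        return session_id + "." + self._sign(session_id)

    def validate(self, cookie: str):
        # Return the login ID for a valid, active session; None otherwise.
        session_id, _, tag = cookie.partition(".")
        if not hmac.compare_digest(tag.encode(), self._sign(session_id).encode()):
            return None  # forged or tampered cookie
        session = self.sessions.get(session_id)
        if session is None or self.clock() - session["last_seen"] > INACTIVITY_TIMEOUT:
            self.sessions.pop(session_id, None)  # terminate an idle session
            return None
        session["last_seen"] = self.clock()
        return session["login_id"]
```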
Requests for online banking information are passed from the Web server to the Internet B@nking server. That system does not connect directly to the Internet; it is isolated from the Internet by routers, filters, and a "firewall". A firewall is a device that controls the access that computers on the Internet have to the bank's computers. The firewall allows only valid traffic to reach the Web server. Further protection is provided by another set of firewalls that sit between the Web server and the application server.