The security of Internet B@nking is addressed at three levels. First, security measures are in place to prevent unauthorized users from attempting to log-on to the online banking section of the bank's Web site (Individual Security). The second area is the security of the customer information as it is sent from the customer's PC to the Web server (Browser Security). Finally, security measures are in place to prevent intrusion into the environment in which the Internet B@nking server and customer information database reside (Provider Security).
For the customer's protection, and so the bank can research a request for an account and validate confidential account information, an individual Login ID and a Personal Password are used. A computer-generated Login ID is provided to the customer at setup. The customer then uses the Login ID together with the last four digits of his or her social security number (as the initial Personal Password) to begin the first login. During this first login the customer's Login ID is authenticated and the customer is prompted to enter his or her own customized Personal Password. Customers may change their Personal Password as often as they like and are prompted to change it periodically. Also, for their protection, their online account is disabled if they exceed the allowed number of logon attempts. In addition, the customer's Internet B@nking session is terminated after an extended period of inactivity.
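The login rules above (a temporary first password that must be replaced, lockout after too many failed attempts, and termination of idle sessions) can be expressed in a small amount of server-side code. The following is an added illustration, not the bank's own code; the attempt limit, idle timeout, Login ID format and class names are assumptions, since the page gives no numbers.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3             # assumption: the page states no specific limit
IDLE_TIMEOUT_SECONDS = 600   # assumption: the page states no specific duration


class Account:
    """Server-side record for one customer's Login ID and Personal Password."""

    def __init__(self, login_id, initial_password):
        self.login_id = login_id
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(initial_password)
        self.must_change_password = True   # the setup password is temporary
        self.failed_attempts = 0
        self.disabled = False

    def _hash(self, password):
        # Slow salted hash so a stolen database does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def check_password(self, password):
        # Constant-time comparison of the stored and candidate hashes.
        return hmac.compare_digest(self.pw_hash, self._hash(password))

    def change_password(self, new_password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(new_password)
        self.must_change_password = False


class Session:
    """Tracks the last request time so idle sessions can be terminated."""

    def __init__(self, login_id, now):
        self.login_id = login_id
        self.last_activity = now

    def touch(self, now):
        """Return True and extend the session if it is still active, else False."""
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            return False
        self.last_activity = now
        return True


def login(account, password, now):
    """Return (status, session). Disables the account after MAX_ATTEMPTS failures."""
    if account.disabled:
        return "disabled", None
    if not account.check_password(password):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_ATTEMPTS:
            account.disabled = True
            return "disabled", None
        return "bad_password", None
    account.failed_attempts = 0
    session = Session(account.login_id, now)
    if account.must_change_password:
        # First login with the setup password: force a customized password.
        return "change_password_required", session
    return "ok", session


if __name__ == "__main__":
    # Constructed walk-through: setup password, forced change, then lockout.
    acct = Account("C0123456789", "1234")
    print(login(acct, "1234", 0.0)[0])          # change_password_required
    acct.change_password("a long customer-chosen passphrase")
    for _ in range(MAX_ATTEMPTS):
        print(login(acct, "wrong", 1.0)[0])     # bad_password ... disabled
```

The status strings are returned rather than printed so the same logic can drive a web handler; a real deployment would also persist the failure counter and re-enable the account only through the bank's verification process.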
Data security between the customer's browser and the Web server is handled by a security protocol called Secure Sockets Layer (SSL). SSL provides data encryption, server authentication, and message integrity for an Internet connection. The customer's Internet B@nking session uses SSL to secure the transaction between the browser and the Web server. Once a secure session is established, the data cannot be read by other users on the Internet. The SSL protocol negotiates an encryption algorithm and a session key, and authenticates the server, before the application protocol transmits or receives its first byte of data. The entire application protocol is then transmitted encrypted, ensuring privacy.
Encryption turns words and numbers into a coded form that can be read only by the customer and the bank; between the browser and the bank it is provided by Hyper Text Transfer Protocol Secure (HTTPS). HTTPS is the secure version of HTTP, the protocol over which data is sent between the customer's browser and Internet B@nking. The 'S' at the end of HTTPS stands for 'Secure': all communications between the customer's browser and Internet B@nking are encrypted.
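The server authentication and version negotiation described in the two paragraphs above happen on the client side of the connection, so a client that does not verify the certificate gets encryption without knowing whom it is talking to. The following added example (not code from the page or the bank) shows how a Python client enforces certificate verification, hostname checking, a minimum protocol version and an HTTPS-only URL before the first byte of application data is sent; the `bank.example` host name and the function names are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit


def build_client_context():
    """Context that verifies the server before any application data flows."""
    # The default context loads the system CA store, requires a valid
    # certificate chain (CERT_REQUIRED) and checks the hostname against it.
    ctx = ssl.create_default_context()
    # Refuse the SSL and early TLS versions that are no longer considered safe.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_https(url):
    """Return (host, port) for an https:// URL; reject anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return parts.hostname, parts.port or 443


def describe_handshake(url, timeout=5.0):
    """Connect, complete the handshake, and report what was negotiated.

    The handshake (algorithm and session key negotiation plus server
    authentication) completes inside wrap_socket(); if the certificate does
    not verify, ssl.SSLCertVerificationError is raised and no application
    data is ever sent.
    """
    host, port = require_https(url)
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),            # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],           # negotiated cipher suite
                "subject": dict(x[0] for x in cert["subject"]),
            }


if __name__ == "__main__":
    # Requires network access; the host below is an assumed placeholder.
    print(describe_handshake("https://bank.example/ib/login"))
```

`describe_handshake` needs a live network and is only illustrative; the policy that matters is in `build_client_context` and `require_https`, which can be checked offline.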
A cookie is a way for a secured server to establish a logon or session ID each time a customer authenticates. A cookie is placed in the customer's browser each time they sign on. The cookie allows us to maintain continuity across a series of requests and responses. This additional precaution prevents a customer's session from being "taken over" should SSL or the encryption fail, either of which is extremely unlikely.
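A session cookie only protects the session if its value is unguessable and the browser is told to send it only over HTTPS and never expose it to page scripts. The following added example (not the bank's code) issues and validates such a cookie using Python's standard library; the cookie name `ibsession`, the in-memory store and the Login ID are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "ibsession"   # assumed cookie name
_sessions = {}              # session id -> Login ID (server-side store)


def create_session(login_id):
    """Issue a fresh 256-bit random session ID after a successful logon."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = login_id
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie header that places the session ID in the browser."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["secure"] = True       # sent only over HTTPS
    c[COOKIE_NAME]["httponly"] = True     # not readable by page scripts
    c[COOKIE_NAME]["samesite"] = "Strict" # not sent on cross-site requests
    c[COOKIE_NAME]["path"] = "/"
    # No Max-Age/Expires: the browser discards it when the window is closed.
    return c.output(header="Set-Cookie:").strip()


def lookup_session(cookie_header):
    """Parse an incoming Cookie header; return the Login ID or None."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(COOKIE_NAME)
    if morsel is None:
        return None
    return _sessions.get(morsel.value)


def end_session(sid):
    """Invalidate the server-side record; the cookie value becomes useless."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid = create_session("C0123456789")           # constructed Login ID
    print(set_cookie_header(sid))
    print(lookup_session(f"{COOKIE_NAME}={sid}"))  # C0123456789
    end_session(sid)
    print(lookup_session(f"{COOKIE_NAME}={sid}"))  # None
```

Because the server keeps the only mapping from session ID to customer, logging out (or the idle timeout) simply removes that entry, so a copied cookie value stops working immediately.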
Requests for online banking information are passed from the Web server to the Internet B@nking server. That computer system does not connect directly to the Internet. It is isolated from the Internet via routers, filters, and a "firewall". A "firewall" is a device that controls the access that computers on the Internet have to the bank's computers. The "firewall" allows only valid traffic to reach the Web server. Further protection is provided by yet another set of "firewalls" that sit between the Web server and the Application server.
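The tiered layout above (Internet, Web server, Application server, database, with a firewall at each boundary) amounts to a default-deny policy in which each tier may talk only to the next one on one port. The following added example (not the bank's configuration) models that policy and evaluates sample flows against it; all addresses, ports and network names are constructed placeholders.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "src dst dport action")

# Constructed tier networks (assumption; not the bank's real addressing).
INTERNET = ip_network("0.0.0.0/0")
WEB_DMZ = ip_network("10.1.0.0/24")    # Web server
APP_TIER = ip_network("10.2.0.0/24")   # Internet B@nking application server
DB_TIER = ip_network("10.3.0.0/24")    # customer information database
INTERNAL = (WEB_DMZ, APP_TIER, DB_TIER)

# Outer firewall: the only traffic from the Internet is HTTPS to the Web server.
OUTER_FW = [
    Rule(INTERNET, WEB_DMZ, 443, "allow"),
]

# Inner firewalls: web -> app on one port, app -> database on one port.
INNER_FW = [
    Rule(WEB_DMZ, APP_TIER, 8443, "allow"),
    Rule(APP_TIER, DB_TIER, 5432, "allow"),
]


def evaluate(rules, src, dst, dport):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and dport == r.dport:
            return r.action
    return "deny"


def allowed(src, dst, dport):
    """A flow must be allowed by every firewall it crosses."""
    s, d = ip_address(src), ip_address(dst)
    crosses_outer = not any(s in n for n in INTERNAL)
    crosses_inner = d in APP_TIER or d in DB_TIER
    if crosses_outer and evaluate(OUTER_FW, src, dst, dport) != "allow":
        return False
    if crosses_inner and evaluate(INNER_FW, src, dst, dport) != "allow":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample flows: only the intended hops succeed.
    for flow in [("203.0.113.5", "10.1.0.10", 443),   # customer -> Web server
                 ("203.0.113.5", "10.2.0.10", 8443),  # customer -> app server
                 ("10.1.0.10", "10.2.0.10", 8443),    # web -> app
                 ("10.1.0.10", "10.3.0.10", 5432)]:   # web -> database
        print(flow, "allow" if allowed(*flow) else "deny")
```

The same policy translates directly into real packet-filter rules; the point of the model is that the database is reachable only from the application tier, and the application tier only from the Web server, so a compromise of the Web server alone does not expose customer data.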