On-line Banking

Securing and Certifying On-line Banking Transactions

While planning a new online business banking service, one of Ireland's leading banks faced the challenge of securely authenticating customers over the internet. A key objective was to avoid the complex and expensive infrastructure that a traditional two-factor authentication solution built on hardware tokens such as smartcards typically requires. The bank also wished to deploy legally robust electronic signatures for customer-originated transactions, giving those transactions reliable audit and non-repudiation properties. Finally, ease of use was critical for the diverse range of business customers expected to sign up for the new service.

An innovative solution drawing on a variety of specialist skills and experience was required. Post.Trust was uniquely positioned, having both the requisite skills and a product set that could meet all of the bank's requirements.

Solution Overview

Post.Trust Qualified Digital Certificates, used together with the Post.Trust-hosted Arcot WebFort™ (www.arcot.com) internet authentication platform, enable Post.Trust to provide a cost-effective and highly secure internet access solution for online business banking transactions.

The solution uses a bespoke registration system customised to dovetail with the bank's existing business processes, so as to minimise inconvenience for customers. Existing bank customers whose identity was already verified under anti-money-laundering legislation when their account was opened are deemed to have completed the face-to-face identity verification mandated for the issuance of Qualified Digital Certificates. Each customer who successfully registers for the online business banking service is then issued with a Qualified Digital Certificate and a software-based container wallet, protected by a PAC (Personal Access Code) and stored on a compact disc (CD).

Authentication to the bank's business banking website requires both the presence of the CD and entry of the PAC. Each financial transaction that the bank's customers subsequently carry out online is digitally signed with an Advanced Electronic Signature based on the Qualified Digital Certificate held in the wallet. This produces a legally sound electronic transaction record that can be relied upon in the event of any future dispute.

Secure Website Access

The Post.Trust solution provides the bank's customers with secure online access to their accounts over the internet using a hybrid closed PKI (Public Key Infrastructure) built on the Arcot WebFort™ secure authentication platform. Users are issued with a software-based credential known as an ArcotID, held in an encrypted wallet which in this case is distributed on a CD (although it can also be distributed by other means, including over the internet). The ArcotID functions as a digital ID token for enforcing access control rules on websites. It relies on a cryptographic camouflage technique: the private key is encrypted under the PAC in such a way that every candidate PAC decrypts to a plausible-looking key, so an attacker who copies the wallet cannot test PAC guesses offline, and a wrong PAC is only detected when the host rejects the resulting signature. This is what makes the credential resistant to brute-force PIN guessing, and Arcot also positions it as resistant to man-in-the-middle (MITM) attacks.

Post.Trust X.509 Qualified Digital Certificates are also stored in the encrypted wallet and are used to digitally sign transactions once the ArcotID has been authenticated and access to the website granted.

Access to the ArcotID is controlled by a secret Personal Access Code (PAC) known only to the user. The system also provides real-time host-based revocation of ArcotID tokens and a configurable lock-out after repeated incorrect PAC entry. Because a wrong PAC is only detected at the host, this lock-out is the control that bounds online guessing, and its threshold should be set accordingly.

  • Arcot WebFort secret-PAC-based online access control system
  • PAC-protected X.509v3 Qualified Digital Certificate container
  • Immediate ArcotID and certificate revocation
  • Configurable lock-out on incorrect PAC entry
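As an added illustration (not code from Arcot, Post.Trust or the bank), the following Python models why a PAC-protected software wallet can resist offline guessing and why the host lock-out then matters. It uses a toy Schnorr signature over a small prime field in place of the wallet's real X.509 key material, a 4-digit PAC, and a hypothetical customer record; the two wallet encodings and the server logic are assumptions chosen to show the principle behind cryptographic camouflage (Hoover and Kausik's design, which Arcot commercialised), not Arcot's actual wallet format:

```python
"""PAC-protected key wallets (added toy illustration, not Arcot's or Post.Trust's code):
a structured wallet is brute-forced offline; a camouflaged wallet pushes guessing online."""
import hashlib
import secrets
# ---- toy Schnorr signatures over a 63-bit safe prime (demo-sized, never for real use)
def _is_prime(n):                       # deterministic Miller-Rabin, valid for n < 3e23
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):  # repeated squaring
            return False
    return True

def _safe_prime(start):                 # first p = 2q + 1 with q >= start, q and p prime
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = _safe_prime(1 << 62)
Q = (P - 1) // 2                        # prime order of the subgroup generated by G
G = 4                                   # a quadratic residue mod P, hence of order Q

def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)              # (private scalar, public key)

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _h(pow(G, k, P).to_bytes(8, "big"), msg) % Q
    return e, (k - e * x) % Q

def verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P
    return _h(r.to_bytes(8, "big"), msg) % Q == e

# ---- two wallet encodings under a 4-digit PAC (constructed demo parameters)
PIN_SPACE = [f"{i:04d}" for i in range(10000)]
MAGIC = b"PKEY"                         # recognisable header, as real key encodings have

def _pin_key(pin, salt):
    return _h(salt, pin.encode())
def make_plain_wallet(x, pin):          # header + key, XORed with a PAC-derived keystream
    salt, blob = secrets.token_bytes(16), MAGIC + x.to_bytes(8, "big")
    ks = _pin_key(pin, salt).to_bytes(32, "big")[: len(blob)]
    return {"salt": salt, "ct": bytes(a ^ b for a, b in zip(blob, ks))}

def open_plain_wallet(wallet, pin):     # a wrong PAC is detectable offline: the header breaks
    ks = _pin_key(pin, wallet["salt"]).to_bytes(32, "big")[: len(wallet["ct"])]
    blob = bytes(a ^ b for a, b in zip(wallet["ct"], ks))
    return int.from_bytes(blob[4:], "big") if blob.startswith(MAGIC) else None

def offline_crack_plain(wallet):        # attacker with a copy of the CD tries every PAC locally
    return next((p for p in PIN_SPACE if open_plain_wallet(wallet, p) is not None), None)
def make_camouflaged_wallet(x, pin):    # one-time pad mod Q: no header, no redundancy
    salt = secrets.token_bytes(16)
    return {"salt": salt, "ct": (x + _pin_key(pin, salt)) % Q}

def open_camouflaged_wallet(wallet, pin):   # every PAC yields a well-formed scalar
    return (wallet["ct"] - _pin_key(pin, wallet["salt"])) % Q
# ---- host side: holds public keys only; the lock-out is what bounds online guessing
MAX_FAILURES = 3

def authenticate(rec, challenge, sig):
    if not rec["locked"] and verify(rec["pub"], challenge, sig):
        rec["failures"] = 0
        return True
    rec["failures"] += 1                # a wrong PAC only shows up here, as a bad signature
    rec["locked"] = rec["failures"] >= MAX_FAILURES
    return False

def online_guess(rec, wallet, pins):    # attacker holding the camouflaged wallet must ask the host
    for tries, pin in enumerate(pins, 1):
        chal = secrets.token_bytes(16)
        if authenticate(rec, chal, sign(open_camouflaged_wallet(wallet, pin), chal)):
            return pin, tries
        if rec["locked"]:
            return None, tries
    return None, len(pins)

def demo(pin="4821"):                   # constructed sample PAC
    x, y = keygen()
    rec = {"pub": y, "failures": 0, "locked": False}   # host record: no private key, no PAC
    camo, plain = make_camouflaged_wallet(x, pin), make_plain_wallet(x, pin)
    chal = secrets.token_bytes(16)
    legit = authenticate(rec, chal, sign(open_camouflaged_wallet(camo, pin), chal))
    candidates = len({open_camouflaged_wallet(camo, p) for p in PIN_SPACE})
    guessed, tries = online_guess(rec, camo, PIN_SPACE)
    return {"legit": legit, "plain_cracked": offline_crack_plain(plain),
            "camo_candidates": candidates, "online_guess": guessed,
            "online_tries": tries, "locked": rec["locked"]}
```

Calling demo() shows the contrast: the conventional wallet gives up its PAC to an offline search in well under a second, while the camouflaged wallet yields 10,000 equally plausible private keys and the attacker's first three online attempts lock the credential before the real PAC is reached. The scheme only holds if the public key is kept from the attacker (otherwise each candidate could be checked against it offline), which is why camouflaged credentials are deployed in a closed PKI with the verifying key held on the host. The host also never sees the PAC itself, only signatures, so a PAC harvested by a counterfeit website cannot by itself produce a login, the point made under Fraud Prevention below.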

Simple and Flexible Solution

While security is critical, the ArcotID is more flexible and much easier to use than alternative multi-factor authentication methods. The certificates are stored in encrypted wallets and can only be used after a successful online authentication. To access their online account the customer needs only their ArcotID and the corresponding PAC.

An Arcot wallet can be revoked from the central host system, for example when an employee leaves the company, rendering that person's wallet and certificates immediately unusable.

Fraud Prevention

This solution has a strong advantage in today's environment, where phishing is a major security threat to eCommerce. Phishing is the act of sending an e-mail that falsely claims to come from an established, legitimate enterprise in an attempt to trick the recipient into surrendering private information for use in identity theft. The e-mail directs the user to a website where they are asked to update personal information, such as passwords, credit card numbers, social security numbers and bank account numbers, which the legitimate organisation already holds. The website, however, is bogus and exists only to steal the user's information. Because it is relatively simple to make a website look like a legitimate organisation's site by copying its HTML, the scam counts on people believing they are interacting with the legitimate organisation.

The solution provided by Post.Trust does not rely on simple usernames and passwords, nor does it require hardware tokens such as one-time password generators or smartcards. The bank's system can only be accessed with the combination of the ArcotID and the user's PAC. So even if a fraudster set up a fake website and enticed customers to enter their PAC, the PAC would be of no use without the corresponding ArcotID held locally on the customer's CD.

Arcot positions WebFort™ as one of the strongest solutions in the market, and as providing protection against sophisticated man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks which one-time password (OTP) tokens and grid cards cannot defeat. The solution automatically verifies the legitimate consumer or enterprise portal, ensuring that customers are connecting to the intended application and not to a counterfeit site.

Qualified Digital Certificates

Qualified Digital Certificates differ from standard digital certificates in that a much higher level of assurance is provided as to the quality of the issuing Certification Authority, including the verification procedures used to authenticate the certificate holder's identity.

The Qualified Digital Certificates used in this case are supplied by Post.Trust as the Certification Authority. Post.Trust is regularly audited and certified by Certification Europe (www.certificationeurope.com), an independent organisation accredited by the Irish National Accreditation Board (INAB) to conduct such audits. The Post.Trust digital certificates are thus certified as compliant with the EU Electronic Signatures Directive 1999/93/EC. This directive is the basis for the Irish Electronic Commerce Act 2000, which gives legal standing in Ireland to Advanced Electronic Signatures based on Qualified Digital Certificates.
