Banking information security system
The XELIOS BAFIS solution covers the following:
- Remote access.
- Logical authentication of bank staff.
- Enterprise password management (Single sign on).
- Data Encryption.
- Secure management of digital certificates.
- Fraud: Skimming and Phishing.
1. Security on remote access
Ensuring security for remote users is essential in today’s enterprise, and nowhere more so than in the financial institution. The financial institution has an obligation to verify the individual’s identity and to ensure that the credentials used during a transaction can only be used once. The simple placement of a fingerprint on a sensor ensures that only the genuine individual is granted access.
The specialized, military grade sensors utilized in BAFIS have secure logic and storage functions to ensure that only the correct fingerprints will open the secure partition and generate a user certificate. This eliminates any known technique to intercept and substitute data.
Today’s financial institution requires integration compatibility with existing authentication systems. Xelios has experience integrating with de facto standard applications such as Tivoli and RADIUS as well as with in-house proprietary solutions.
2. Logical authentication of on-premises staff
Today’s financial institution requires a fully scalable authentication method that dynamically adjusts to the volume of demand. The method should allow secure authentication of users who are connected within the facility and comply with applicable mandates and regulations. The solution should be interoperable with the existing infrastructure and fit within established budgetary constraints.
To satisfy the requirements of our financial services clients we provide the highest level of security while simultaneously reducing the burden on staff to perform their duties in a secure manner. Utilizing a combination of card or token (what I have) + fingerprint biometrics (what I am) + PIN (what I know), the authentication can be matched to the specific task at hand. Generally, critical and sensitive tasks use three-factor authentication, while less sensitive but still private tasks employ two-factor authentication (e.g. fingerprint and smart card). Utilizing fingerprint authentication ensures genuine user identity. The BAFIS audit trails comply with the rules of GLBA, SOX, LSF and LOPD, and the flexible framework supports the evolution of both mandated regulations and internal policies most effectively.
The BAFIS solution has proven to be fully interoperable with existing IT infrastructure, and its ease of use allows IT managers to assume full control after three days of training.
XELIOS has responded to all requests regarding bank authentication regulations (GLBA, SOX, LOPD, etc.), and meets or exceeds the speed and handling requirements of day-to-day business with uncompromised levels of security.
3. Enterprise Password Management (Single Sign-On or SSO)
Many organizations recognize that the primary login (Windows login) is not sufficient. They are required to audit the use of system resources and data access based on positive confirmation of an employee’s identity and their access rights.
The BAFIS SSO module ensures that fingerprint recognition provides a fully accountable and effective login method compliant with data protection regulations and policies. Security is substantially improved by hiding the various, changing passwords behind the encrypted fingerprint data; at the same time the user experience is simplified, with dramatically fewer calls to the help desk for the all too frequent password incidents.
To positively validate the identity of staff, a single layer of authentication is no longer sufficient to secure the sessions in which the various job functions are performed. It becomes increasingly essential to require additional checks before launching internal bank applications that have their own security controls for accessing customer data. Where the primary session is protected by Fingerprint + Card + PIN, many customers select a configuration in which only the card and fingerprint are required to access internal sub-systems. This provides new levels of convenience and data access without sacrificing the security of the overall system.
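The factor configuration described in sections 2 and 3 (three factors for the primary session and critical tasks, card plus fingerprint for internal sub-systems, with every decision written to an audit trail) can be modelled as a small policy evaluator. The following is an added example, not BAFIS code; the task names, factor names and audit-record fields are assumptions, and the set of verified factors is expected to come from the verification layer (card reader, fingerprint sensor, PIN check), never from the client’s own claims.

```python
"""Step-up, factor-based access policy for a bank workstation session (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Factor(Enum):
    CARD = "card"                # what I have: smart card or token
    FINGERPRINT = "fingerprint"  # what I am: match reported by the sensor
    PIN = "pin"                  # what I know


# Factors required per task class (assumed task names). The primary session
# and critical tasks are three-factor; routine access to internal sub-systems
# after primary login is two-factor, as in the configuration described above.
POLICY = {
    "primary_session": {Factor.CARD, Factor.FINGERPRINT, Factor.PIN},
    "internal_subsystem": {Factor.CARD, Factor.FINGERPRINT},
    "critical_transaction": {Factor.CARD, Factor.FINGERPRINT, Factor.PIN},
}


@dataclass
class Session:
    user_id: str
    primary_established: bool = False
    audit: list = field(default_factory=list)


def authorize(session: Session, task: str, verified: set) -> bool:
    """Decide whether `task` may proceed given the factors the authenticator
    has just verified for this user. Unknown tasks are denied (default deny).
    Every decision, granted or not, is appended to the session audit trail."""
    required = POLICY.get(task)
    if required is None:
        granted, reason = False, "unknown task"
    elif task != "primary_session" and not session.primary_established:
        # Sub-system access presumes an established three-factor primary session.
        granted, reason = False, "no primary session"
    else:
        missing = required - verified
        if missing:
            granted = False
            reason = "missing factors: " + ", ".join(sorted(f.value for f in missing))
        else:
            granted, reason = True, "all required factors verified"
    if granted and task == "primary_session":
        session.primary_established = True
    session.audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": session.user_id,
        "task": task,
        "factors": sorted(f.value for f in verified),
        "granted": granted,
        "reason": reason,
    })
    return granted


def demo():
    """Walk one constructed session through the policy; returns decisions and audit."""
    s = Session("teller-042")  # constructed sample user id
    results = [
        # sub-system before any primary session: denied
        authorize(s, "internal_subsystem", {Factor.CARD, Factor.FINGERPRINT}),
        # primary login with PIN missing: denied
        authorize(s, "primary_session", {Factor.CARD, Factor.FINGERPRINT}),
        # full three-factor primary login: granted
        authorize(s, "primary_session", {Factor.CARD, Factor.FINGERPRINT, Factor.PIN}),
        # internal sub-system with card + fingerprint only: granted
        authorize(s, "internal_subsystem", {Factor.CARD, Factor.FINGERPRINT}),
        # critical task without PIN: denied, step-up required
        authorize(s, "critical_transaction", {Factor.CARD, Factor.FINGERPRINT}),
    ]
    return results, s.audit


if __name__ == "__main__":
    decisions, trail = demo()
    for entry in trail:
        print(entry["task"], "->", entry["granted"], "(" + entry["reason"] + ")")
```

The audit trail records denied attempts as well as granted ones, which is what makes the GLBA/SOX-style accountability mentioned above possible: a reviewer can see which factors were presented for each task and why a step-up was demanded.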
A key strength of the Xelios BAFIS system is its seamless interoperability with existing systems, especially internally developed applications and various third-party vertical applications. The goal is not to change the current IT infrastructure but to work from within it, so as not to exceed the established budget. By working within the legacy IT infrastructure, minimal changes and disruptions occur during the roll-out phase.
XELIOS Biometrics’ SSO solution supports over 200 different market applications such as SAP R3, Microsoft Exchange, SQL Server, terminal emulators, Citrix Metaframe, etc. This access automation provides increased password security. Possession of the SIM card and the fingerprint enables the authorized user to log in automatically and securely to internal applications and sub-systems without ever seeing the password provided to those downstream application servers and systems.
When fingerprint authentication is used, the password is securely hidden behind the fingerprint and SIM/token login process. The system can then also manage a classical 2048- or 4096-bit RSA key in place of the password. This makes it possible, if the system is attacked or an attempt is made to circumvent it, for the authentication systems to demand the RSA key.
Automating access and strengthening the security of passwords are essential steps in the elimination of fraud. Furthermore, efficiency is improved and costs are reduced by dramatically minimizing help desk calls for lost or expired passwords. This ultimately results in a faster response to the customer, improving overall customer service.
4. Encryption of sensitive data
Encryption of data to increase confidentiality is an issue that constantly appears as a concern to the financial institution. When information is shared between authorized end points it should be guaranteed that the digital information does not leave the bank. In this case, it should be the identity of the authorized person that allows real-time decryption, by simply placing their finger on the sensor.
Confidentiality of data is paramount. A solution is most effective when encryption is transparent to the user, can be shared, and is secure enough to prevent the information from leaving the entity in which it is stored. The engineering teams of Sagem Sécurité (now Safran Morpho), cryptography experts, and XELIOS specialize in the integration of protective devices within information systems that meet all these demands with excellent results.
In institutions that use a PKI, where each user has their own digital certificate, the encryption system is secured by the authentication system (Fingerprint + SIM card) together with the users’ digital certificates. The role of the certificates is to keep the encrypted data within the institution.
Therefore, if a user copies the encrypted data onto their USB key (which is encrypted automatically), they will only be able to use that data in that bank site.
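One way to obtain the property just described, that encrypted data copied to a USB key is only usable at the bank site, is envelope encryption with a key hierarchy rooted in the site. The following is an added example and not BAFIS or Safran Morpho code: each file gets a fresh data encryption key (DEK), and the DEK is wrapped under a key derived from a site secret that never leaves the bank’s key service plus the authenticated user’s identity. Anywhere the site secret is absent, or for a user who has not passed the fingerprint + card check, unwrapping fails. HMAC-SHA256 in counter mode stands in for a real AEAD such as AES-GCM so the example runs on the Python standard library alone; the key service, identifiers and sample data are constructed for illustration.

```python
"""Site-bound envelope encryption (added example, standard library only)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 counter keystream XORed with data.
    Stands in for AES-CTR; a production system must use a vetted AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, tag also covers `aad`."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong site or tampered data")
    return _xor_stream(key, nonce, ct)


class SiteKeyService:
    """Holds the site secret. In a real deployment this role is played by the
    bank's HSM/PKI-backed key service; the secret never leaves the site."""

    def __init__(self, site_id: str):
        self.site_id = site_id
        self._secret = secrets.token_bytes(32)

    def wrapping_key(self, user_id: str, user_authenticated: bool) -> bytes:
        # Key release is gated on the strong authentication (fingerprint + card).
        if not user_authenticated:
            raise PermissionError("user has not passed fingerprint + card authentication")
        info = b"wrap|" + self.site_id.encode() + b"|" + user_id.encode()
        return hmac.new(self._secret, info, hashlib.sha256).digest()


def encrypt_file(kms: SiteKeyService, user_id: str, plaintext: bytes) -> dict:
    """Envelope: body under a fresh DEK, DEK wrapped under the site+user key."""
    dek = secrets.token_bytes(32)
    body = seal(dek, plaintext, aad=kms.site_id.encode())
    wrapped = seal(kms.wrapping_key(user_id, True), dek, aad=user_id.encode())
    return {"site": kms.site_id, "user": user_id, "wrapped_dek": wrapped, "body": body}


def decrypt_file(kms: SiteKeyService, user_id: str, authenticated: bool, env: dict) -> bytes:
    kek = kms.wrapping_key(user_id, authenticated)
    dek = unseal(kek, env["wrapped_dek"], aad=user_id.encode())
    return unseal(dek, env["body"], aad=env["site"].encode())


def demo():
    """Returns (decrypted_at_bank, blocked_elsewhere, blocked_unauthenticated)."""
    bank = SiteKeyService("bank-hq")                 # constructed site id
    env = encrypt_file(bank, "alice", b"customer ledger Q3")  # constructed data
    at_bank = decrypt_file(bank, "alice", True, env)
    # Same envelope carried out on a USB key: a key service elsewhere, even one
    # claiming the same site id, lacks the site secret and cannot unwrap the DEK.
    elsewhere = SiteKeyService("bank-hq")
    try:
        decrypt_file(elsewhere, "alice", True, env)
        blocked_elsewhere = False
    except ValueError:
        blocked_elsewhere = True
    try:
        decrypt_file(bank, "alice", False, env)
        blocked_unauth = False
    except PermissionError:
        blocked_unauth = True
    return at_bank, blocked_elsewhere, blocked_unauth


if __name__ == "__main__":
    print(demo())
```

The site identifier is bound into the authentication tag as associated data, so an envelope cannot be re-labelled for another site either; and because the wrapping key is derived per user, the ciphertext on the USB key is equally useless to a different employee who has the site secret but not the owner’s identity.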
5. Tracking the use of certificates
The bank users’ certificates must be linked to the authentication system to allow better control over the identity of the staff sending e-mails. As more certificates come into use, the risk grows that, once a session is active, anyone at the workstation can use those certificates.
With our solutions, you must submit your fingerprint to unlock the certificate and be granted the assigned rights.
6. Fraud: Skimming and Phishing
Skimming and phishing are increasingly becoming critical challenges to the financial institution. Currently most of the functionality of automatic teller machines (ATMs) is based on customer recognition through credit/debit cards and a corresponding secret key (PIN). This system presents a number of security deficiencies, as these cards can be stolen, forged or lost. This results in additional costs to the institution beyond the original fraud, since the customer support needed to resolve these issues has its own cost.
XELIOS eliminates fraud by use of a military grade biometric sensor called the BioPAD® device. This device allows undeniable user identification by recognizing a fingerprint in a completely secure and closed environment.
This sensor has been specially developed to work with all manner of fingerprints, from both young and old, blue- and white-collar workers. A fake finger cannot penetrate the sensor’s security layers, and even an amputated finger will be rejected in less than 3 seconds.
Once the user has been identified, he/she can access banking services at the ATM without using a card. Using biometric technologies for identification and validation of users increases system security and eliminates the risk of theft or fraud that occurs today with current credit/debit cards (skimming).