
Building a secure banking environment

DIGIPASS BY VASCO

The world’s leading software company specializing in Internet Security


Secure online banking

Online banking

Banks worldwide are increasingly offering services over the Internet: customers are transferring money from one account to another, checking their account status or investing in stock from their PCs at home and in the office. With mobile telephones in everybody’s pockets, banks are starting to offer mobile banking services, allowing customers to handle their banking accounts from their mobile while being on the road.

With all this money being transferred online, online fraudsters try to intercept financial transactions and turn them to their benefit. Banks and customers worldwide have lost millions of dollars through online fraud.

Online threats

Internet fraud is still on the rise and fraud schemes become ever more sophisticated. Phishing attacks, Trojan horses, key loggers and man-in-the-middle attacks have resulted in banks looking for more sophisticated security solutions to protect themselves and their customers online.

Regulatory compliance

Financial institutions are looking for compliance with the new sets of rules for online banking security such as defined by their local regulation bodies. VASCO’s authentication system does not only help financial institutions to reduce fraud but also helps banks to meet legal and regulatory constraints. VASCO’s solutions also promote the legal enforceability of electronic agreements and transactions with banking customers.

Two factor authentication

Two factor authentication uses two components to authenticate a user: something you know and something you have. Traditional authentication schemes use username and password to authenticate users. This provides minimal security, because many user passwords are very easy to guess, are written down or can be intercepted online.

User authentication with one-time password

With VASCO DIGIPASS, static passwords are replaced by the use of OTPs. A one-time password (OTP) is generated by a hardware or software DIGIPASS. It is only valid for a limited period; the password is unique and cannot be reused. By adding DIGIPASS authentication to e-banking applications, the bank is able to identify the user when he requests access to the e-banking application.

Secure online transactions with e-signature

E-signature offers the best protection against man-in-the-middle attacks. E-signatures allow the bank to verify whether a transaction was initiated by the genuine end-user and was not altered in transit. It ensures that the right amount is being transferred by the right person to the right account and prevents the fraudster from submitting transactions or modifying existing transactions.

What you see is what you sign

As fraud schemes evolve, VASCO continuously looks at developing new defense mechanisms. A recent evolution is the use of the ‘What You See Is What You Sign’ (WYSIWYS) principle. WYSIWYS ensures that transaction data are shown on the authenticator’s screen for confirmation prior to transaction signature. DIGIPASS allowing WYSIWYS uses devices with large screens, showing the full contents of the transaction. This allows the user to verify that the content is correct before signing it.
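The one-time password and e-signature properties described above (valid for a limited period, not reusable, bound to the right amount and account), shown as an added example that is not part of the original brochure and is not VASCO's DIGIPASS algorithm, which the page does not describe. It uses the public OATH construction (RFC 4226 truncation, RFC 6238 time steps); the step length, code length, field encoding, secret and account strings are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds one OTP stays valid (assumed value)
DIGITS = 8   # length of the displayed code (assumed value)


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation: shorten an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _step(now: float) -> bytes:
    """Encode the time step containing `now` as an 8-byte counter."""
    return struct.pack(">Q", int(now // STEP))


def otp(secret: bytes, now: float) -> str:
    """Time-based OTP (RFC 6238, HMAC-SHA1) for the step containing `now`."""
    return _truncate(hmac.new(secret, _step(now), hashlib.sha1).digest())


def sign_transaction(secret: bytes, now: float, account: str, amount: str) -> str:
    """E-signature code bound to the time step and to the transaction fields."""
    msg = _step(now)
    for field in (account, amount):
        raw = field.encode()
        msg += struct.pack(">H", len(raw)) + raw  # length prefix avoids field ambiguity
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Verifier:
    """Bank side: shares the secret with the authenticator, tracks used steps."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def check_otp(self, code: str, now: float) -> bool:
        step = int(now // STEP)
        if step <= self.last_step:
            return False  # a code was already accepted for this step: replay
        if not hmac.compare_digest(code.encode(), otp(self.secret, now).encode()):
            return False  # wrong or expired code
        self.last_step = step
        return True

    def check_signature(self, code: str, now: float, account: str, amount: str) -> bool:
        expected = sign_transaction(self.secret, now, account, amount)
        return hmac.compare_digest(code.encode(), expected.encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    bank = Verifier(secret)
    code = otp(secret, 1000.0)
    print(bank.check_otp(code, 1000.0), bank.check_otp(code, 1000.0))  # accept, then replay
    sig = sign_transaction(secret, 1000.0, "CONSTRUCTED-ACCT-0001", "250.00")
    print(bank.check_signature(sig, 1000.0, "CONSTRUCTED-ACCT-0001", "250.00"))
    print(bank.check_signature(sig, 1000.0, "CONSTRUCTED-ACCT-9999", "250.00"))
```

The verifier here accepts only the current time step; a deployment normally tolerates a small clock drift window, which this example leaves out.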



Securing all channels

Retail banking

Retail banks offer a wide variety of personal banking services to individuals, including account checking, saving plans, bill payment, debit and credit cards, loans and mortgages. Today most of these banking services are increasingly offered online. Account holders are able to access their banking services via Internet. As the use of the online banking channels grew, online fraud schemes surfaced. Banking customers who have been hacked not only lose their assets, they also lose trust in the online banking channels and the bank’s reputation.

VASCO’s strong authentication solutions not only help banks in securing their online channels, they help the bank in reinstating customers’ trust in the online banking system. VASCO offers a variety of strong authentication solutions for the consumer electronic banking market, including hardware based authenticators, smart card based solutions, software and mobile authentication.

Corporate banking

Corporate banking environments were the first to see the benefits of two-factor authentication, such as increased productivity, when migrating their banking transactions online. Going online opened the door to new specific attacks such as spear phishing, targeting corporate e-banking customers.

With spear phishing, e-mails are sent to employees, for instance working in finance and executing high value transactions, who based on the e-mail can ask the bank to initiate a transfer of funds. Corporate e-banking is attractive to fraudsters not only because there is more money involved but also because the banking systems are less likely to detect fraud attempts on these accounts.

VASCO’s strong authentication solutions can provide solutions with a higher level of security (WYSIWYS, non repudiation, e-signature) matching the higher risk faced by the average corporate transaction. VASCO offers a variety of strong authentication solutions for the corporate banking market such as PKI authenticators, connected readers and other hardware based authenticators.

Mobile banking

Today’s world is increasingly mobile; as a result mobile banking is a logical step in offering banking services using the concept of “bank-away-from-bank”. The adoption of mobile banking is driven by the “new” anywhere and any time generation. Mobile banking is introduced for various obvious reasons like cost savings, time saving, accuracy, quality of service, elimination of geographical barriers or to enlarge the customer base in countries where mobile phones are more popular than PCs.

The challenges faced in m-banking are similar to those in e-banking. The platform has changed, but fraud schemes are quite similar. Today, the most common m-banking channels are: telephone banking, IVR, SMS based solutions, client/server based applications (downloadable or pre-loaded), WAP, STK (SIM toolkit) banking and mPKI.

VASCO offers cost-effective and user-friendly solutions to secure all mobile banking channels. VASCO’s DIGIPASS API brings one-time password and e-signature functionality to end-users through their mobile phones and PDA devices, without the need for any additional hardware.

Mobile payments

Mobile payments are an emerging and rapidly-growing alternative payment method. Rather than pay by cash, check, or credit card, customers can opt to use their mobile phone to buy goods and services. Because of their quick transaction speed and convenience, mobile payments are gaining popularity as a method of paying for items, such as music, videos, ringtones, online game subscriptions, wallpapers, transportation fare (bus, subway, or train), parking meters, books, magazines and tickets.

Mobile payments secured by two factor authentication provide a secure alternative to credit cards. Since the payment is made using a mobile phone, no credit card information is stored by the merchant, eliminating the opportunity for hackers or employees to compromise card information. Since one-time passwords are used, the transaction can be verified to have originated from the exact phone registered for a specific user.

VASCO’s DIGIPASS solution seamlessly integrates with existing mobile payments application via direct integration of the DIGIPASS API, VASCO’s development kit. It offers customers an easy, convenient and secure payment alternative.



Leveraging EMV card investment

EMV cards are deployed to increase the security of credit card transactions thanks to the use of chips and encryption algorithms. EMV cards can be leveraged for the deployment of two-factor authentication without the cost of issuing any additional personalized authenticators.

The Chip Authentication Program (CAP), a MasterCard initiative which received Visa support, offers two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed.

VASCO’s CAP-based solutions are suitable for mass deployment in retail banking. The banking customer’s regular debit and/or credit card can be used to generate one-time passwords and e-signatures offering strong authentication. Each of these authentication mechanisms can also secure multiple applications - from e-banking to e-commerce.

VASCO can also enhance EMV CAP solutions with unique authenticators (optical reader, one button) or add-on features like VASCO strong authentication. These enhancements make the deployment of EMV card based strong authentication even more secure and convenient for banks and their customers.

Preventing ATM fraud

Since the automatic teller machine (ATM) has been introduced to withdraw cash, theft has been at play. Thieves used to watch over your shoulder to memorize your PIN and then tried to steal your debit/credit card. Nowadays more complex mechanisms such as skimming and ghost ATMs are being used.

Strong authentication can be added to protect ATMs without too much hassle: the existing ATM infrastructure does not need to be adapted, banks can postpone expensive chip and PIN migration, and the conversion to OTP validation instead of PIN validation can be executed quite rapidly and inexpensively for banks who already use strong authentication for their online channels.

Banks can leverage their investments made in strong authentication in multiple ways. Either they can link multiple applications, such as the e-banking channels, phone banking and ATM operations to a single authentication device. Or they can decide to have a dedicated authenticator for ATM security.



Customer references

Mizuho Bank deploys DIGIPASS to secure Mizuho Direct

Mizuho Bank in Japan is active in retail banking with approximately 500 branches, 25 million retail customers and over
11,000 ATM machines. Mizuho Bank provides online banking services to retail customers and SMBs through Mizuho
Direct. The number of users has steadily increased, reaching over 8 million in November 2009.

Mizuho Bank wanted to provide a secure authentication solution for its retail customers online. The solution had to
provide a high level of security to protect financial and critical transactions, offering a great
flexibility and at the same time remain user-friendly. DIGIPASS GO 6 provides
retail customers with a flexible solution to access their online
banking accounts at their own convenience 24/7.

HSBC Bank Brazil: full integration between its electronic channels with m-banking and DIGIPASS for Mobile

HSBC Bank Brazil is a subsidiary of HSBC Holdings Plc. one of the biggest financial
organizations in the world. HSBC Bank Brazil wanted to enhance its multi-channel
approach by offering secure m-banking services to its retail customers.

To secure HSBC m-banking, the application must be small and generic and fit
for any mobile device. Furthermore the application needed to be chip, device
and telecom provider independent. DIGIPASS for Mobile conveniently provides
secure access to m-banking services any time and anywhere. The technology
has been tested with hundreds of phones from various manufacturers
and is non-reliant on third parties, overcoming provider dependency and
network limitations.


Caixa Galicia secures customers’ online banking accounts with patented DIGIPASS technology

Caixa Galicia was founded in 1978 and is currently the sixth largest savings bank in Spain. Caixa Galicia looked at
implementing a two-factor authentication method to prevent phishing scams and other fraud schemes enabling retail
and corporate customers to remotely access their online banking account 24/7. Caixa Galicia has two different online
banking services: Caixa Activa and Caixa Gestión. The savings bank wanted one solution suited for both applications
without having to invest in additional infrastructure.

VASCO’s DIGIPASS technology together with the authentication software VACMAN allowed Caixa Galicia to secure access
to their online banking applications for both their retail and corporate customer base without needing to invest in
additional infrastructure and hardware. Because the use of DIGIPASS is self-explanatory it was readily accepted.

Bradesco: Pioneer in the use of DIGIPASS for Mobile in Brazil

Banco Bradesco was founded in 1943 as a commercial bank under the name “Banco Brasileiro de Descontos S.A.”
Its initial strategy consisted of attracting small retailers, government workers and modest land owners as a customer
base. After eight years Bradesco became the largest private sector bank in Brazil. In the early 1990s Bradesco branches
started to operate online. Internet banking was embraced by millions of customers. Bradesco sought for a security
solution that was easy to implement and did not interfere with the customers’ existing systems and routines. At the same
time the solution had to meet the different needs for both corporate and retail customers. Different DIGIPASS solutions
were chosen for corporate and retail banking customers. To protect their online financial transactions corporate clients
use DIGIPASS GO3 while retail clients use DIGIPASS for Mobile.

Reliance Money deploys DIGIPASS GO3 to secure its online trading platform

Reliance Money is a comprehensive financial services and solution provider. Its endeavor is to change the way India
transacts in financial markets and avails financial services. Reliance Money wanted to provide a convenient and secure
authentication solution for its online trading platform to corporate and retail customers. Scalability of the solution and
adequate support were decisive factors. The solution needed to provide a high level of security to protect financial and
critical transactions, offer a great flexibility and at the same time remain user-friendly to ensure user acceptance by
Reliance Money’s multi million customer base. DIGIPASS GO3 provides both corporate and retail customers with a user-
friendly and scalable solution to access their online trading accounts 24/7 at their own convenience.



Server side technology

IDENTIKEY

IDENTIKEY is VASCO’s comprehensive and scalable authentication server for e-banking, network and application security offering OTP, e-signature and EMV CAP capability. IDENTIKEY is based on VASCO’s core VACMAN technology. It verifies authentication requests from individuals trying to access banking applications and centrally administers user authentication policies. IDENTIKEY can be linked to any web-based banking application via SOAP. In addition to protecting e-banking applications, IDENTIKEY Server offers various extensions to secure employee remote access. Home workers, remote branch offices, and traveling staff can use the same DIGIPASS technology to safely connect via VPN to the banking network and its applications.

VACMAN

VACMAN is VASCO’s core authentication platform already integrated by a vast number of leading banks and financial institutions worldwide. It combines all authentication applications, including OTP, challenge-response and e-signature on a single platform. VACMAN is used for the authentication of millions of end-users. It can seamlessly be integrated into existing e-banking applications in a time and cost-effective way. Furthermore, VACMAN is highly scalable: additional users or applications can easily be added.

[Figure: Standard Radius Setup With Authentication Server (RADIUS Client, RADIUS Server, IDENTIKEY, VACMAN)]



Client side technology

DIGIPASS family
VASCO’s DIGIPASS family offers a wide range of end-user authentication devices which all make use of VASCO’s VACMAN core
technology. Customers can choose from a wide range of authenticators (OTP, challenge-response, e-signature or PKI devices), both
software and hardware-based, which best fit their needs. All DIGIPASS devices are fully customizable: available with the customer’s
logo and corporate colors.

One button devices


The DIGIPASS GO family combines ultra-portability with user
convenience. The OTP is generated at the push of the button.

Key features:

• Intuitive use
• Ultra-portable
• Time and event based authentication
• DES/3DES/AES/OATH
• Long life battery

PIN-pad devices
A range of small and user-friendly PIN-protected authentication
devices.

Key features:

• Offers response only OTP, e-signature and challenge/response functionality
• PIN protection and PIN unlocking
• Simple and intuitive in use
• Time/event and challenge/response based
• Long life battery

Card Readers
A wide range of connected and unconnected card readers

Key features:

• No need to install drivers in unconnected mode
• Smart card based OTP, e-signature, PKI functionality
• Straightforward deployment
• Ease-of-use
• Leverage EMV or PKI cards deployment
• No personalization required


Software DIGIPASS
Software-based DIGIPASS solutions leverage mobile phones
or web-browsers for authentication purposes.

Key features:

• OTP and e-signature capability
• No hardware deployment
• Time and event based authentication
• PIN-protected
• Transparent, user-friendly and ultra-portable

PKI-based solutions
VASCO’s PKI-offering consists of DIGIPASS CertiID, a client-based
software suite, and a range of DIGIPASS PKI devices, the DIGIPASS
Key range. DIGIPASS CertiID provides an answer to the growing need
for digital signature solutions for high risk transactions and document
signing. The DIGIPASS Key range consists of smart card based
solutions and USB devices.



VASCO Services

VASCO Consulting Services

VASCO Consulting Services have been designed to complement our offering of strong authentication solutions with quality services that help customers to make the most of their authentication investments.

Whether customers are looking for information about current security challenges and threats in e-banking, e-commerce or network security, whether advice is needed prior to an implementation or during the implementation, VASCO can offer its expertise.

By sharing expertise, proven methodology and best practices, VASCO can help its customers in decreasing time to market of their authentication project.

More detailed information on our consulting offer is available on: www.vasco.com/consulting

VASCO Professional Services

The implementation of two-factor authentication has many facets: VASCO Professional Services have been designed to assist customers in the deployment of their authentication project. By sharing expertise we help our customers to minimize the challenges and maximize the results by providing them peace of mind throughout the deployment of the project.

The roll-out of a two-factor authentication project is not only about IT-security, it involves the input from other departments. As a result it requires a structured approach and careful thought about project management, fulfillment, marketing, IT security, deployment, helpdesk support and many others.

Our experts will:

• Manage the authentication project
• Help customers with technology choices
• Provide advice on marketing strategy
• Integrate the application
• Manage the fulfillment and stock
• Organize helpdesk support

They will use VASCO proven 4-step methodology, taking the customer from a generic security enhancement objective through to a tailored deployment fitting the bank’s and financial institution’s specific security needs.

Fulfillment Services

VASCO’s Fulfillment services have been designed to assist the customer in lowering the supply-chain burden of authentication projects. Fulfillment services allow banks or financial institutions to focus on the core business activities while VASCO takes care of the personalization and provisioning of the authentication devices.

• Branding and customization: every DIGIPASS can be branded reflecting corporate colors and logos in order to enhance brand recognition for end-users.
• Customized packaging: VASCO offers a wide range of packaging services, ranging from non-personalized individual or bulk packaging to fully customized and branded packaging.
• Refurbishment: tailor made service offering to prolong DIGIPASS life-cycle and reduce the ecological footprint of authentication investments.
• Distribution and storage: VASCO can offer supply chain services, delivering orders anywhere in the world, to a central location, branch offices or to end-users. We can also store customer’s stock in secure and adapted warehouses.
• Provisioning: security parameters, whether on software or hardware authenticators, can be personalized according to the requirements of security departments. Secrets are stored onto DIGIPASS hardware using an approved and audited process. Advanced encryption methods are used to communicate initial PINs and to unlock codes by security departments.



Support

VASCO technical support is available in a number of pre-defined support packages. Our support plans consist of:

• Standard Monday to Friday business hours support
• 24/7 support
• VIP support using SLAs adapted to specific customer needs
• Pay-per-incident
• Remote assistance

More information on the specific support plans is available on: www.vasco.com/support

DIGIPASS Plus

DIGIPASS Plus is VASCO’s hosted security solution: authentication is provided through an outsourced model. Banks focus on their core business while VASCO takes care of all aspects of securing their e-banking applications in a service model. DIGIPASS Plus makes use of VASCO’s proprietary authentication technology.

VASCO’s Security Experts Academy & e-Learning platform (SEAL)

New types of online attacks emerge almost every day; therefore it is critical for IT security professionals to stay informed and up-to-date on the latest trends. As a leading Internet security company VASCO considers it its duty to actively share information on current and emerging IT security trends and online fraud schemes with its customers, partners, distributors and resellers and anybody who needs our advice.

SEAL is VASCO’s worldwide community of security professionals. The SEAL training offer consisting of general IT security topics and VASCO product training will help people who want to have a career in information security. Through our offering of classroom training, e-learning or DVD-based training and forums, VASCO SEAL allows customers and partners to:

• Become a VASCO Certified Engineer
• Stay up-to-date on the latest security trends
• Develop new skills in IT security
• Get access to a community with an extensive IT security knowledge base
• Exchange information with peers

SEAL offering

VASCO’s SEAL comprises the following:

• e-learning: more than 120 hours of web-based or DVD-based IT security training
• Classroom training by VASCO security experts
• VASCO Certification: SEAL training offers IT security professionals the opportunity to become VASCO Certified Engineers
• VASCO Authorized Training Centers: training by VASCO partners
• Junior Programs: trainee and scholarship programs for graduates

More information is available on: www.vasco.com/training



About VASCO
VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet security
applications and transactions. VASCO has positioned itself as a global software company for Internet security serving customers
in more than 100 countries, including several international financial institutions. VASCO’s prime markets are the financial sector,
enterprise security, e-commerce and e-government.


www.vasco.com

INTERNATIONAL HQ
CHICAGO
phone: +1.630.932.8844
email: info_usa@vasco.com

OPERATIONAL HQ
BRUSSELS
phone: +32.2.609.97.00
email: info_europe@vasco.com

FINANCIAL HQ
ZURICH
phone: +41.43.555.3500
email: info_europe@vasco.com

YOUR LOCAL OFFICE

BOSTON
phone: +1.508.366.3400
email: info_usa@vasco.com

SYDNEY
phone: +61.2.8061.3700
email: info_australia@vasco.com

SINGAPORE
phone: +65.6323.0906
email: info_asia@vasco.com

Copyright © 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.
VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof,
including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and
Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
