Parex bank experience with Digipass tokens
Deniss Vorona, Online Banking Project Manager
Dec 19, 2015
2
Who We Are
• A leading Latvian bank
• Branches and representative offices in Europe (Latvia, Lithuania, Estonia, UK, Germany, Sweden, ...), Russia and other CIS countries, and Japan
• Two subsidiary banks offer services in Lithuania (Parex Bankas) and Switzerland (AP Anlage und Privatbank)
3
History: Milestones
• 1992: first client
• 1994: first payment card
• 1996: first Digipass tokens are used for fax banking
• 2001: first user performs online banking transaction
4
History: Previous Security Schemes
• Homebrew code card that required a manual computation factoring in the payment parameters. It was used for:
– Fax banking
– Remote banking application (modem-based)
• PGP for email banking
5
History: Digipass Tokens Advantages
• Secure
• Easy to use
• Mobile
• Unconnected
• No installation/software support
• Cannot be copied
• Adheres to Electronic signature law
6
History: A Simple Solution
• A separate application, not connected to banking system
• Manual signature verification
• Printing slips of verification success
7
Token Usage
• Online banking (digi.parex.lv)
– Login (dynamic password)
– Document signatures
• Fax banking
• Access to the safes
8
Token Applications
• Dynamic password (time-based response only)
• Signature
9
Signature Parameters
• Payer account number
• Amount
• Currency code
• Beneficiary account number
10
Online Banking Login
11
Online Banking Login
12
Payment Signature
13
Payment Confirmation - Go3
14
System Architecture
[Diagram components: Online banking, Core banking system, Authorization server, Administrative tool]
15
Authorization Server Functions
• Token data
• Token lock/unlock
• Logging
• Signature rights management
• Document uniqueness control
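The signature parameters and authorization server functions listed on the slides, sketched as an added example (not the bank's or the token vendor's code). HMAC-SHA-256 stands in for the token's signature algorithm, which the slides do not describe; the class name, result strings, lock threshold and bank-assigned `doc_id` are assumptions.

```python
import hashlib
import hmac

def sign_payment(key, payer, amount, currency, beneficiary):
    """Stand-in for the token's signature application (HMAC, not the Digipass algorithm)."""
    # Length-prefix each field so adjacent values cannot be shifted into each other.
    raw = [f.encode() for f in (payer, amount, currency, beneficiary)]
    msg = b"".join(len(b).to_bytes(2, "big") + b for b in raw)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"  # 8 digits a user can type

class AuthorizationServer:
    MAX_FAILURES = 3  # assumed lock threshold

    def __init__(self):
        self.keys = {}       # token data: serial -> secret
        self.failures = {}   # consecutive bad signatures per token
        self.locked = set()  # token lock/unlock
        self.seen = set()    # document uniqueness control
        self.log = []        # logging: (serial, doc_id, result)

    def enroll(self, serial, key):
        self.keys[serial], self.failures[serial] = key, 0

    def unlock(self, serial):
        self.locked.discard(serial)
        self.failures[serial] = 0

    def verify(self, serial, doc_id, fields, signature):
        result = self._check(serial, doc_id, fields, signature)
        self.log.append((serial, doc_id, result))
        return result

    def _check(self, serial, doc_id, fields, signature):
        if serial not in self.keys:
            return "unknown_token"
        if serial in self.locked:
            return "locked"
        if doc_id in self.seen:  # an already accepted document is never processed twice
            return "duplicate"
        expected = sign_payment(self.keys[serial], *fields)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            self.failures[serial] += 1
            if self.failures[serial] >= self.MAX_FAILURES:
                self.locked.add(serial)
            return "bad_signature"
        self.failures[serial] = 0
        self.seen.add(doc_id)
        return "ok"
```

Because the signature covers the beneficiary account, a payment whose beneficiary is changed after signing fails verification, and the uniqueness check rejects a resubmitted document even though its signature is still valid.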
16
Separate Server Advantages
• Authorization server has stable and strict interfaces which are very rarely changed
• Easy to offer Digipass-based services in other banks within Parex Group
17
Simple Architecture
[Diagram components: Operator tool, Authorization server, Administrative tool]
18
Tokens Used
Tokens issued in the past:
• DP500
• DP560
Tokens issued now:
• DP700
• Go3
19
Tokens Used
• DP500
– A good model with a calculator
– Not supplied anymore
20
Tokens Used
• DP560
– DP500 successor
– Stylish design
– Good for the average user
– Better battery life
– Messages in several languages
21
Tokens Used
• DP700
– Good for heavy use
– Best for signatures
– Messages in two languages
– Target audience: businesses, active users
22
Tokens Used
• Go3
– Easy to use
– Target audience: private customers
23
Transaction Statistics
[Chart: transactions per year, 1996 to 2006, on a vertical axis from 0 to 1000000. Values labelled on the chart:]
• 1996: < 1000
• 1997: ~ 80000
• 1998: ~ 190000
• 1999: ~ 350000
• 2000: ~ 550000
24
Situation in Latvia
• At least 9 out of 23 commercial banks offer services using Digipass tokens
• ID-cards (smart cards issued by the state) are not used to secure online banks
• State websites tend to use online banks to secure e-services
25
Implementation Challenges
• Clear strategy
• Difficult to phase out old services
• Managers are hard to convince
• Clients are hard to convince - not all are security-conscious
• Price
26
Implementation Challenges
• Planning token configuration for the future
• User experience
• Instructions
27
Questions?
Don’t hesitate to ask!
28
Conclusion
Think about security before your clients have to!