Security in BBVA net cash
Index
1. Introduction ............................................................ 2
2. Measures from BBVA ...................................................... 3
2.1 The service ............................................................ 3
2.1.1 User administration .................................................. 3
2.1.2 Activity control ..................................................... 3
2.1.3 User credentials in BBVA net cash .................................... 4
2.1.4 Identification and authentication .................................... 5
2.1.5 Compliance with national and international regulations ............... 5
2.2 Technology ............................................................. 6
2.2.1 Confidentiality and integrity ........................................ 6
2.2.2 Physical security of Data Processing Centres ......................... 6
2.2.3 Security architecture ................................................ 7
2.2.4 Specific protection systems .......................................... 7
2.2.5 Quality as a strategic factor ........................................ 7
3. Measures that you should take: user recommendations ..................... 8
3.1 Protecting your user credentials ....................................... 8
3.2 Protecting your computer ............................................... 8
3.3 Secure Internet access and browsing practices .......................... 9
4. Information concerning most frequent viruses and attacks ................ 10
5. Appendix ................................................................ 11
5.1 LOPD ................................................................... 11
1. Introduction
The new possibilities offered in the fast-evolving world of the internet are obvious. These possibilities allow BBVA net cash to complete, day by day, our already comprehensive and flexible range of online services, but they also leave the door open to new and increasingly sophisticated forms of fraud.
In BBVA net cash we are aware of these threats, and we engage in permanent surveillance and take all possible precautions to ensure that you may continue to operate securely. This document contains details of all the initiatives established by BBVA net cash to protect your data and guard against access by hackers. You will also find a series of recommendations which you should take into account to ensure that your internet connections and on-line operations are secure.
Page 2
2. Measures from BBVA
2.1 The service
2.1.1 User administration
BBVA net cash is a multi-user application. It has different user profiles which the company can assign
to its employees in accordance with their operating structure.
A specific profile, the administrator, defines and administers the company's users in BBVA net cash. There can be one or several administrators, and there can be different levels of delegation (without power, or with joint or several powers).
Each user is assigned a profile which is defined in the greatest possible detail. The same procedure is used for the authorisation of operations. These profiles can be:
● No power: cannot authorise operations.
● Authorised officer (attorney): with authority to act jointly or severally.
● Auditor: can even completely halt signed orders until authorisation is granted.
This structure means that the user circuit can be as restrictive as the company wishes, in order to guarantee at all times that each user:
● accesses only the services and accounts established by the administrator.
● can perform only the queries and operations authorised by the administrator.
● can have, or be without, powers to authorise operations.
● has a financial limit for each operation and account, as defined by the administrator.
● is entitled, only if he is an administrator, to consult, in addition to his own profile, the list of users defined in his company, their profiles, service accesses and powers.
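The user circuit described above, as an added example in Python that is not part of the original document or of BBVA's systems: an authorisation check in which a signature only counts if the signer has access to the service and account and stays within the administrator's financial limit, an officer with several powers may authorise alone, officers with joint powers need two valid signatures, and an auditor's hold halts a signed order. The way the profiles combine on an order, the `Order` fields and the sample company are assumptions.

```python
from dataclasses import dataclass, field

# Profiles named on the page: no power, authorised officer (joint or several
# powers) and auditor. How they combine on one order is an assumption here.
NO_POWER, JOINT, SEVERAL, AUDITOR = "no power", "joint", "several", "auditor"


@dataclass
class User:
    name: str
    power: str
    services: set            # services the administrator has opened to the user
    accounts: set            # accounts the administrator has opened to the user
    limits: dict = field(default_factory=dict)  # (service, account) -> max amount

    def may_sign(self, service, account, amount):
        """Access to the service and account, plus the financial limit set by the administrator."""
        if service not in self.services or account not in self.accounts:
            return False
        return amount <= self.limits.get((service, account), 0)


@dataclass
class Order:
    service: str
    account: str
    amount: float
    signatures: list = field(default_factory=list)  # user names, in signing order
    held_by: str = None                              # auditor who halted the order, if any


def authorise(order, users):
    """Return the status of an order from the signatures collected so far."""
    if order.held_by and users[order.held_by].power == AUDITOR:
        return "halted by auditor"
    # A signature only counts if the signer has power and is within scope and limit.
    valid = [users[n] for n in order.signatures
             if users[n].power in (JOINT, SEVERAL)
             and users[n].may_sign(order.service, order.account, order.amount)]
    if any(u.power == SEVERAL for u in valid):
        return "authorised"           # one officer with several powers suffices
    if len(valid) >= 2:
        return "authorised"           # two joint signatures complete the order
    return "pending signature"


def run_scenario():
    """Constructed company: two joint officers, a clerk with no power and an auditor."""
    users = {
        "ana": User("ana", JOINT, {"transfers"}, {"ES-1"}, {("transfers", "ES-1"): 50_000}),
        "luis": User("luis", JOINT, {"transfers"}, {"ES-1"}, {("transfers", "ES-1"): 10_000}),
        "clerk": User("clerk", NO_POWER, {"transfers"}, {"ES-1"}),
        "audit": User("audit", AUDITOR, {"transfers"}, {"ES-1"}),
    }
    small = Order("transfers", "ES-1", 8_000, ["ana", "luis"])
    over_limit = Order("transfers", "ES-1", 20_000, ["ana", "luis"])  # luis exceeds his limit
    unsigned = Order("transfers", "ES-1", 8_000, ["ana", "clerk"])    # clerk's signature is void
    halted = Order("transfers", "ES-1", 8_000, ["ana", "luis"], held_by="audit")
    return {name: authorise(o, users) for name, o in
            [("small", small), ("over_limit", over_limit), ("unsigned", unsigned), ("halted", halted)]}
```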
2.1.2 Activity control
Users can monitor the company's operations in BBVA net cash through:
● the statistics module (Files>Statistics): querying the operations performed during a certain period.
● Operations auditing (Files>Audit trail): controlling the operations activity of each user of the company.
● User auditing (Administration and control>User maintenance>User Audit): records which actions have been taken by each one of the administrators within the user circuit.
2.1.3 User credentials in BBVA net cash
● Signature password: BBVA net cash offers the user different signature options so that he can select the one which best fits his operating requirements. The user defines whether his signature mode is via an operations password (a password with nine characters) or by formula signature (applying an arithmetical formula to the number indicated by BBVA).
● Double security factor: basically, the incorporation of a security device, in this case the Token Plus, for validation in the user circuit and the signing of operations via BBVA net cash. To this end, the system asks you to enter the six-digit, single-use security code generated by Token Plus as well as your signature code. The device is personal and non-transferable; one device is provided per signing user.
Besides, the system will request that you enter your mobile telephone number so that, in the case of loss or theft of the Token Plus device, you can receive your security code via SMS and continue to operate normally.
If necessary, BBVA offers a special type of Token Plus enabled for visually impaired users.
● The access password has a size of 8 alphanumerical characters, to hinder third parties from deducing it by trying out combinations.
● Passwords are stored and encrypted irreversibly in specialised user and identity management systems, so that nobody can obtain them or ascertain them.
● For greater security, the access password and the signature password in BBVA net cash are different. Although the passwords do not expire, we recommend that users modify them every month.
Mandatory modification of the access password on first access: to prevent user impersonation, the user is required to modify his access password the first time he connects to BBVA net cash.
Blocking of users:
● Five consecutive errors when entering the user or the activation password lead to the reference in BBVA net cash being blocked, and it cannot be activated until BBVA generates a new activation password.
● Three failed attempts in entering the access password and signature password will lead to the user being blocked.
● Five consecutive errors when entering the security code generated by Token Plus lead to the user in BBVA net cash being blocked.
● The user administrator is entitled to block the access of users from his company, so that when any employee ceases to work, his access can be cancelled immediately.
2.1.4 Identification and authentication
Traceability of transactions: accesses and transactions are recorded in automated operation records which show the operation made, its date and time and the user who executed it, so allowing the validity of the recorded operations to be ascertained.
Information on last connection:
● If the user is connecting for the first time, BBVA net cash will indicate this.
● In subsequent accesses, BBVA net cash will show the user the date and time of his last connection (Figure 2.1.4.1).
Figure 2.1.4.1
Cookies only enabled during the session: the cookies placed in the user's operating system, required for secure browsing on any web site, are only enabled during the connection to BBVA net cash and are removed when the user disconnects from the application.
Automatic logging off from the session: as an additional security measure, after 10 minutes of inactivity in BBVA net cash, the user's session is terminated and he is disconnected from the system (Figure 2.1.4.2).
Figure 2.1.4.2
2.1.5 Compliance with national and international regulations
All BBVA services comply with the rules and regulations of the countries in which the Bank operates. BBVA's commitment to these regulations is set out in the Code of Conduct, which must be satisfied by all its employees.
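The credential controls of 2.1.3 (irreversibly stored passwords, blocking after three failed access or signature passwords) and the session controls of 2.1.4 (operation records with date, time and user; the last-connection notice; automatic log-off after 10 idle minutes), as an added example in Python that is not the document's or BBVA's code. The five-attempt thresholds for the activation password and the Token Plus code are left out, and the hash function, the `User` class and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# From 2.1.3: three failed access or signature passwords block the user. From 2.1.4:
# ten idle minutes end the session and the last connection is shown at login.
MAX_FAILURES = 3
INACTIVITY_LIMIT = timedelta(minutes=10)

def hash_secret(secret, salt=None):
    """Irreversible salted hash (PBKDF2-HMAC-SHA256); only salt and digest are kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

class User:
    def __init__(self, name, access_pw, signature_pw):
        self.name, self.blocked = name, False
        self.failures = {"access": 0, "signature": 0}
        self.secrets = {"access": hash_secret(access_pw), "signature": hash_secret(signature_pw)}
        self.last_connection = None   # None until the first successful login
        self.last_activity = None     # None while no session is open
        self.audit = []               # (date and time, user, operation) records

    def verify(self, kind, secret):
        """Check one credential, counting consecutive failures; block at the threshold."""
        if self.blocked:
            return False
        salt, stored = self.secrets[kind]
        if hmac.compare_digest(stored, hash_secret(secret, salt)[1]):
            self.failures[kind] = 0
            return True
        self.failures[kind] += 1
        self.blocked = self.failures[kind] >= MAX_FAILURES
        return False

    def login(self, access_pw, now):
        """Return the last-connection notice shown after login, or None on failure."""
        if not self.verify("access", access_pw):
            return None
        notice = ("first connection" if self.last_connection is None
                  else f"last connection: {self.last_connection:%Y-%m-%d %H:%M}")
        self.last_connection = self.last_activity = now
        self.audit.append((now, self.name, "login"))
        return notice

    def operate(self, operation, now):
        """Record an operation if the session is alive; ten idle minutes end it."""
        if self.last_activity is None or now - self.last_activity > INACTIVITY_LIMIT:
            self.last_activity = None  # automatic log-off
            return False
        self.last_activity = now
        self.audit.append((now, self.name, operation))
        return True

def run_scenario():
    """Constructed session: login, one operation, an idle timeout, then a blocked signer."""
    t0 = datetime(2024, 1, 15, 9, 0)
    u = User("jsmith", "Ab3dEf7h", "S1gnatur3")
    first = u.login("Ab3dEf7h", t0)                              # "first connection"
    u.operate("query balance", t0 + timedelta(minutes=5))        # accepted: 5 idle minutes
    expired = u.operate("transfer", t0 + timedelta(minutes=16))  # rejected: 11 idle minutes
    second = u.login("Ab3dEf7h", t0 + timedelta(hours=1))        # shows 09:00 as last connection
    for _ in range(MAX_FAILURES):                                # third wrong signature blocks
        u.verify("signature", "wrong")
    return {"first": first, "expired": expired, "second": second,
            "blocked": u.blocked, "audit": len(u.audit)}
```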
2.2 Technology
2.2.1 Confidentiality and integrity
Of all user credentials:
● All the user’s operating passwords are stored and encrypted irreversibly in specialised user
and identity management systems, so that nobody can obtain them or ascertain them.
● BBVA’s operational procedures do not require anybody in the Bank to know the operating
passwords of its customers, so nobody knows them or shall request them personally.
Of communications:
● Communications of BBVA transactional and distance banking services use 128-bit SSL protocol encryption to ensure the confidentiality and integrity of Internet communications.
● Certificates used by BBVA to provide this service are generated by Verisign Inc.
● Furthermore, sensitive communications which take place on BBVA’s internal networks are
afforded proper protection in accordance with the operating environment and the protocol
used.
Of information:
● Information stored in systems and internal databases is protected by means of different
security systems, allowing access solely to authorised employees.
● BBVA has an automated information access privilege management system, assuring
controlled and restricted access for authorised personnel.
2.2.2 Physical security of Data Processing Centres
BBVA’s Data Processing Centres are equipped with comprehensive physical security measures to
protect data processing systems, with the following, inter alia, being particularly worthy of note:
● Bunkerised DPC.
● Individualised control of access to the premises and different technical rooms, equipped with
hazardous element detection systems.
● Security guards and video-surveillance equipment guarding the perimeter and interior of the
installations on a 24x7 basis.
● Specific detection and protection systems guarding against intrusion, fire, flood, power cuts
and other catastrophic events.
Furthermore, given that BBVA has two fully operational Data Processing Centres, the safeguarding
and any necessary retrieval of information are guaranteed.
2.2.3 Security architecture
In order to assure the highest degree of security in the design of its systems, BBVA has arranged a
specific security architecture especially for systems serving customers via internet.
To minimise the degree of exposure to the internet, only the presentation layer (which carries out user authentication, web application access authorisation and secure session control functions) is exposed, by means of a reverse security proxy.
2.2.4 Specific protection systems
Firewalls and anti-virus/anti-hacker systems permanently updated:
● BBVA segregates its networks and systems with several levels of firewalls.
● What is more, BBVA's internal systems are permanently protected by antivirus and intrusion (hacker) detection systems.
● Both types of systems are managed on a 24x7 basis and are permanently updated, thereby
affording permanent protection against new threats.
● All surveillance, alert and security response systems guarding against possible fraud are
monitored and supervised by a group of specialists 24x7x365 in the Data Processing Centre.
Activity registers of all components: BBVA's Distance Banking systems and applications have
activity registers (logs) of all critical components, giving support to attempted fraud detection or
forensic analysis services for activities or operations which are suspected to be or which are reported as
fraudulent.
Periodic review of the service, applying the latest attack techniques: the systems supporting the Distance Banking services are periodically reviewed using automatic vulnerability analysis tools.
Internal and external audits: BBVA’s systems and processes undergo security audits by the
independent Audit department and by specific external audits or audits associated with financial or
compliance audits.
2.2.5 Quality as a strategic factor
BBVA’s Data Processing Centre has in place a Quality Management System which complies with
UNE-EN ISO 9001:2000 standards.
DPC personnel are trained in the quality processes supporting the ISO 9001:2000 certification, and the critical support staff hold quality audit certifications.
BBVA forms part of the Information Security Forum, made up of more than 270 of the leading and
largest companies worldwide.
3. Measures that you should take: user recommendations
3.1 Protecting your user credentials
● Your access and signature passwords in BBVA net cash are personal, non-transferable and secret,
and you must look after them in a secure manner. These passwords are stored in BBVA systems,
encrypted using an algorithm, and therefore nobody – not even BBVA – knows them.
● Your Token Plus security device is personal and non transferable.
● Do not reveal your personal passwords to anybody under any circumstances, and never reveal
them on any Websites other than those within the secure environment of BBVA net cash.
● Choose passwords which are difficult to guess. We also recommend that you regularly change your
password.
● Be wary of pages which request personal data, unless they are related to a service.
● If you receive a message asking you to reveal your personal passwords, do not provide any information, and immediately contact the BBVA net cash customer service: 902 33 53 73
3.2 Protecting your computer
● Regularly update your operating system and the version of your browser with the pertinent patches to guard against possible weaknesses or errors detected.
● Configure your computer and all your programs using the highest security levels.
● Install a firewall and keep it enabled and always updated.
● Install antivirus and anti-spyware programs and keep them enabled and always updated. Check documents received externally using the anti-virus program.
● Regularly make backup copies of your files.
● Avoid downloads from unknown websites, as they could contain viruses or spyware.
● Regularly clean the cookies and temporary files.
Figure 3.2.1
3.3 Secure Internet access and browsing practices
● Avoid connecting to private content pages from public computers.
● Ensure you are connected using a secure server. A symbol showing a locked padlock should appear
at the bottom of your browser.
● Check the security certificate on the Website, clicking on the locked padlock symbol:
● The expiry date and the domain must be valid.
● The information should show the issuer (Verisign), the validity period and the organisation
for which the certificate has been issued (BBVA).
● Do not use your browser’s “remember passwords” option. If it is enabled, the passwords you
enter for the Website are stored in the computer and when you re-enter your user name, the password
field is filled in automatically. In a shared use computer, this could allow anybody to use your personal
passwords.
● Check the date and time of the last connection.
● In order to terminate your session in BBVA net cash, use the <Log off> button appearing at top right.
4. Most frequent viruses and attacks
Phishing: if you receive an e-mail requesting the confirmation or entry of confidential information related to your Electronic Banking (password, signature...), you are the victim of a PHISHING attack. Basically, it is defined as the attempt to obtain access information by impersonating the image and name of the sending financial institution, in our case BBVA.
The basic mode of operation is as follows:
1. A mass mailing (spam) which states that BBVA net cash users must confirm their access information.
2. The message includes a link to a page from which the confirmation of information must be made. Sometimes, the link initiates the download of malicious software.
3. The user follows the link, which leads to a website "similar" to the authentic BBVA net cash website, and with complete confidence the user enters their information therein.
4. As the website is false and is controlled by the swindlers, it is they who actually receive the user information, and they then have free access to the actual accounts of the affected user.
Although BBVA never requests your BBVA net cash access passwords and signature by e-mail, we have included here some tips to help you recognise these types of attack:
1. Sometimes the logo appears distorted or stretched. Furthermore, the message contains spelling mistakes or phrases no longer in use.
2. You are addressed as "Dear customer" or "Dear user" rather than by your real name.
3. You are notified that your electronic banking account/service will be closed unless you reconfirm your access information immediately.
4. The tone of the e-mail sounds threatening.
5. The text makes reference to "security commitments" or "security threats" which require immediate action.
6. The URL is not https:// and the security padlock does not appear in the bottom bar of the browser. Some fake pages include this icon within the page content itself to fool the user.
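Tips 2 to 6 above turned into checks a mail filter or a user can run over a suspicious message, as an added example in Python that is not part of the original document: it looks for a generic greeting, a closure threat, urgency wording, a "security" pretext, a request for credentials, and links that are not https or do not point at the expected service domain. The legitimate domain, the keyword lists and the two sample messages are constructed for the example and are not BBVA's.

```python
import re
from urllib.parse import urlparse

# Placeholder for the real service address (an assumption, not BBVA's URL).
LEGITIMATE_DOMAIN = "bbvanetcash.example"

GENERIC_GREETINGS = ("dear customer", "dear user")
CLOSURE_THREATS = ("will be closed", "will be suspended", "will be blocked")
URGENCY_WORDS = ("immediately", "within 24 hours", "urgent")
SECURITY_PHRASES = ("security commitment", "security threat")
CREDENTIAL_REQUESTS = ("confirm your password", "confirm your access", "enter your signature")


def extract_links(text):
    """Return the http(s) URLs found in the message body, in order."""
    return re.findall(r"https?://[^\s<>]+", text, flags=re.IGNORECASE)


def check_message(body):
    """Return the names of the indicators that match; an empty list means none did."""
    low = body.lower()
    hits = []
    if any(g in low for g in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(t in low for t in CLOSURE_THREATS):
        hits.append("account closure threat")
    if any(w in low for w in URGENCY_WORDS):
        hits.append("urgency")
    if any(p in low for p in SECURITY_PHRASES):
        hits.append("security pretext")
    if any(c in low for c in CREDENTIAL_REQUESTS):
        hits.append("asks for credentials")   # the bank never asks for these by e-mail
    for url in extract_links(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() != "https":
            hits.append(f"link without https: {url}")
        if host != LEGITIMATE_DOMAIN and not host.endswith("." + LEGITIMATE_DOMAIN):
            hits.append(f"link to foreign domain: {host}")
    return hits


# Constructed samples; both domains are fictitious.
SAMPLE_PHISHING = """Dear customer,
Due to a security threat on our systems your BBVA net cash service will be closed
unless you confirm your access information immediately at
http://bbvanetcash-verify.example.net/login
"""

SAMPLE_LEGITIMATE = """Dear Ms Smith,
Your monthly statement is available in BBVA net cash at
https://bbvanetcash.example/statements
"""
```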
Pharming: consists of intercepting the step between the domain name in the URL and the IP address returned for it (name resolution), sending the user to a replica of his bank's website where the criminals obtain the user's confidential data. Unlike phishing, no e-mail is received: the user is redirected to a bogus page when he/she types the URL into the browser.
Trojans: This type of virus is hidden in the user’s computer and gradually stores the passwords when
the user connects to financial institutions, etc. When enough data have accumulated they are sent to the
cyber-criminal.
Man in the middle: The hostile agent is able to read, insert and modify data exchanged between the
Customer and the Bank. It is thereby able to modify the data of a transaction in the background (e.g.:
account to credit, amount, etc.), without the user realising it. The user defines and signs a transaction on
the screen, although the Bank is really sent a transaction modified by the hostile agent.
5. Appendix
5.1 LOPD
At BBVA we guarantee the protection of our customers’ data. The seal of the Spanish Association of
Electronic Commerce (AECE) endorses us as the first financial institution to apply its Ethical Code for
the Protection of Data on the Internet. The website of BBVA, Banco Bilbao Vizcaya Argentaria, S.A.,
at BBVA net cash, does not automatically register any data regarding the identity of visitors to its
pages. With on-line banking services, in order to uphold the security and confidentiality of the
transactions, the system requires the prior identification and authentication of the user, through the
request for access codes. In those circumstances in which the user requests information on services or
products, or seeks to proceed with claims or enquiries by means of the submission of forms displayed
on the web pages of BBVA, it will be necessary in all cases to gather those personal details as
appropriate in order to reply to the request.
All these data are treated with the utmost confidentiality, being used for the purposes for which they
have been requested, within the framework of the Organic Law on the Protection of Personal Data and
other concurrent legislation.
If you report a suspicious message to the BBVA net cash customer service (see section 3.1), its customer service department will initiate an action protocol against the fraud identified: a specialist team will be in charge of analysing the case. If the suspicion is confirmed, you will be recommended to:
● Format the hard drive.
● Install an updated antivirus.
● Install firewall software.
● Install an anti-spyware program.
● Permanently update the software of your computer equipment.
In all confirmed cases, the access password of the user concerned will be changed.
BBVA net cash has a specific section on security in your private home page. There you will find information concerning viruses and the most frequent types of attack, recommendations, and information on operating system updates and antivirus software. Access this section regularly.
So as to prevent these attacks, take note of the above recommendations and advise us of any situation or suspicious communication you may receive: 902 33 53 73