(Information correct as at May 2007.)
Your security when using electronic banking systems
First Trust Bank iBusiness Banking service uses the public Internet to connect your PC with the Bank. Your browser will establish a secure session with our server. This link is protected using SSL technology that encrypts the session. An encrypted session is shown as a padlock, which is commonly displayed in the bottom corner of the browser window. iBusiness Banking Users are required to authenticate themselves with the iBusiness Banking service using secret credentials before being granted access to the iBusiness Banking site.
There are a number of other issues to consider when using the Internet to conduct electronic business activity. We would strongly advise you to consider these issues and regard the points raised as good practice to enhance your security in the ebusiness space.
It is important that your PC is protected against virus infection. There have been a number of viruses written in the recent past specifically designed to capture sensitive personal information and transmit this back to a fraudster over the Internet. To counteract this threat you need to install suitable anti-virus software on any PCs used to access the Internet. It is important that you receive regular updates on the newest virus threats from the anti-virus software supplier and your anti-virus software is updated to reflect these threats. If you operate a business that has its own Internet infrastructure, a suitable anti-virus product should also be considered to protect your Internet gateway.
PCs that are connected to the Internet are vulnerable to probing or unauthorised access by hackers and malicious software (known as "malware"). Personal firewalls for individual PCs and enterprise firewalls for businesses will help to protect against unauthorised people or applications abusing your PC. A firewall is particularly important if you access the Internet by a high speed or broadband connection.
Spyware can be defined as software which tracks and stores information on a computer without the explicit knowledge or agreement of the User. Small units of software known as cookies are an example of this and in many cases can be used for legitimate purposes such as improving your browsing experience by learning and retaining your browsing preferences.
More malicious forms of spyware can be delivered in a number of ways, perhaps via URL links or attractive-looking "free" downloads from an Internet site. They may record keystrokes and personal data entered into the PC and then transmit it to a host server. Spyware is designed to run invisibly, although some may cause performance degradation on a PC. Most software security packages include anti-spyware along with anti-virus and firewall applications.
User awareness and personal security
It is important that your employees who are using the Internet understand the common risks and types of attack directed at individuals and companies by fraudsters. Best practice would dictate that you adopt an Internet and email usage policy that is understood by all employees. Some important awareness issues are listed below for your information.
Most viruses arrive either as attachments to emails or are downloaded through hyperlinks over the Internet. In either case it normally requires human intervention to either open an infected email attachment or click on a hyperlink to activate a virus. Every Internet User should be aware of the common characteristics of viruses and know what to do if they see or receive anything suspicious.
iBusiness Banking, like many online e-commerce systems, relies upon User authentication to restrict access to the service. Personal Access Codes, Passphrases and other authentication devices must be treated as confidential to the assigned User. Simple and effective controls should be applied to securing these authentication credentials.
Examples of such controls include:
Each system User must have their own Personal
Do not write passwords down.
Make passwords hard to guess.
Change passwords regularly (or immediately if you suspect a password has become known).
Lock up any authentication devices when not in use.
Do not divulge your password to anyone else.
Phishing refers to a type of fraud where criminals will send out mass emails purporting to come from a legitimate bank or financial institution. The email will be very convincing in both looks and content and will ask the User to give away their banking authentication details, Credit Card numbers, PIN numbers or any other variation of these personal details. All Internet Users should be aware that NO legitimate bank will ever ask for any PIN, Personal Access Code, password/Passphrase or Credit Card details for any banking system in this way (the banks already hold this information securely on their computer systems). Personal authentication credentials must only be used to log in to trusted and known bank websites.
Bogus websites and "man in the middle" attacks
All Internet Users should be careful when accessing online banking services. User authentication information must only be input to legitimate sites. Sometimes criminals will attempt to "spoof" a website by setting up a bogus web page under a URL or Internet address that looks very similar to a legitimate web address. They then attempt to harvest personal authentication details from unwitting users and in turn use this information to gain access to the legitimate Internet banking services to steal money and other personal information. Internet Users should be educated to remain vigilant and check the Internet address on their browsers for any unusual character strings. Best practice is to only use known addresses stored in browser favourites or to manually type in a trusted web address each time Internet banking services are used. Search engines and links through from email messages should not be used.
All Internet Users should understand what actions are necessary in your company to report any suspicious Internet or email activity observed while working with or related to your online banking systems. Any suspicious activity must be reported immediately to First Trust Bank iBusiness Banking helpdesk either by telephone on 0870 243 0331 or by email to email@example.com.
Where possible, any evidence in the form of email messages, Internet pages etc. should be preserved.
In many technology driven business models the human administration processes supporting the technology systems are often given little consideration. Yet these processes can represent the greatest potential threat to system security. You should make sure there are sufficient organisational controls, segregation and management checks over your payment systems.
Questions to ask of your business include:
How many people does it take to set up and authorise a payment? Is this the best way to conduct your business?
Is there adequate segregation of duties to ensure that one person cannot complete a payment cycle (and therefore potentially a fraud) without
Is there robust logging, audit trailing and checking performed on your systems that will detect abnormal or fraudulent activity?
Apart from being best practice, robust payment system controls are increasingly being regarded as regulatory/legislative requirements in many industries. There is often a direct legal responsibility placed on business managers to provide satisfactory compliance with these rules. Make sure you know your responsibilities!
Modern computer systems have been designed with intuitive interfaces that deliver maximum benefit to Users and require minimal effort or computer knowledge to operate efficiently. As a result, most PC Users do not clearly understand the internal workings of their computer or its software.
Modern cyber criminals exploit this lack of awareness and use technical vulnerabilities to proliferate cyber crime against businesses and their customers.
As a modern business manager engaging in e-commerce activity, you need to ensure that your PC systems are kept up to date with the latest operating system security patches.
If you are in any doubt about what is required to do this, we recommend you engage the services of a recognised and competent computer security consultancy for advice and assistance.