Secure payment transactions for SMEs

Electronic payment transactions, i.e. online banking, have become indispensable in every company. It is too convenient and comfortable to have direct access to the company's finances at any time.

Due to its direct enrichment potential, however, online banking also represents a coveted target for attackers. From phishing attacks to social engineering attacks to specifically programmed online banking malware, the attack vectors are diverse.

Financial institutions themselves comprehensively protect customers' data and finances with modern and new security systems.

Secure data storage

Swiss financial institutions have very high security standards by international standards. Protected data centers and security systems ensure that customers' data and finances are kept safe. External control bodies and ISO standards guarantee standardization in this regard.

Protected data access

Financial institutions ensure the highest possible level of security as soon as customers log in to e-banking. As a rule, a multi-stage system is used. Attackers must be able to successfully overcome each individual security hurdle in order to access the customer's data and finances. In detail, the login procedures differ from each other, which is an advantage in terms of security: Attack attempts cannot be transferred one-to-one from one e-banking system to the other.

Financial institutions typically offer customers a choice of enrollment methods, often based on history or different customer requirements.

Secure data transmission

The data between the e-banking server and the customer's device is encrypted in both directions with at least a 128-bit key. This modern and widely used technology guarantees a high security standard, which protects the recorded and transmitted data from manipulation.

Transaction monitoring

If a financial institution has a transaction monitoring system, payments sent by the customer are subject to a special set of checking routines before they are executed. Unusual transfers, such as foreign payments, are subjected to special scrutiny before execution.

Furthermore, it is of great importance that bank customers also adequately protect both their computers and their infrastructure and observe basic rules of conduct.

In order to operate online banking securely, the following important points must be observed in addition to a secure infrastructure when logging in, during online banking and also when logging out:

When logging in:

• Secure navigation to the financial institution: The address to the online banking of the financial institution should always be entered manually in the address line of the browser. Never should a link be used, certainly not if it has been delivered by e-mail, for example! Furthermore, online banking should only be used from a known and secure computer (i.e. not in Internet cafes, on public hotel computers, etc.).
• Checking the secure connection: Care must be taken to ensure that online banking is accessed exclusively via a "secure" TLS connection and that the certificate is genuine and valid. (see section "Certificate check").
• Attention in case of system interruption or unusual error messages: If there is a system interruption when logging on to e-banking (e.g. sudden white screen) or if unusual error messages appear (e.g. "The system is currently overloaded. Please be patient and try again later"), the connection should be terminated immediately and the financial institution notified.

During online banking:

Stay focused: During the active e-banking session, watch out for unusual occurrences such as automatic entries, inexplicably changed transactions, unsolicited confirmation messages or the like. In addition, open e-banking sessions should never be left unattended so as not to provide unauthorized third parties with an opportunity for misuse.

When logging out: 

• Correctly terminating the online banking session: The online banking session should always be terminated correctly using the function provided for this purpose (usually marked "Logout", "Log-out" or "Exit").
• Clearing the browser cache: After each logout of the online banking session, the browser cache should be cleared. At https://www.ebas.ch you will find further practical and up-to-date information on the necessary measures and rules of conduct for the secure use of online banking applications.

Certificate Exam

Every browser verifies the certificate properties "Trustworthiness of the certificate issuer", "Validity of the certificate" and "Address of the web server" when establishing an encrypted connection (TLS). If these three verifications could be performed successfully, the browser does not display any error messages when establishing the TLS connection.

A correctly established TLS connection to the correct website, based on a genuine and valid certificate, can be identified by the following three unique browser characteristics:

1. Lock icon in the address bar: The connection was encrypted with valid SSL certificate.
2. Correct name of the financial institution (displayed either next to the lock or after clicking on the lock under "Issued to:"): The identity of the certificate owner (bank) has been confirmed.
3. Correct domain name in the address: You are really on the side of the financial institution.

The authenticity of the certificate on which the connection is based can also be verified manually. For this purpose, the fingerprint of the certificate is verified. The fingerprint is a character string consisting of the letters A to F (no distinction is made between upper and lower case letters) and the digits 0 to 9. The fingerprint is verified by comparing this character string with a reference string that the user has received from the financial institution. If the string read from the certificate matches the string received from the financial institution, the certificate is genuine.

Login procedure / authentication means

Various logon procedures and technologies are used to log on to online banking. The standard is two-factor authentication, in which a one-time access key is usually provided on a second device (token) or smart card (second factor "have") in addition to the contract number and password (first factor "know").

Transaction confirmation / transaction signature 

To protect against unintentional payments, the so-called transaction confirmation (also called payment confirmation or transaction signing) is often used. In this process, certain outgoing payments must be additionally checked and explicitly approved for execution by the user before they are transferred. The check can include elements such as currency, amount as well as parts of the payee's account number.

Offline payment software

With offline payment software, payments can be recorded without an Internet connection and then transmitted collectively to the financial institution in the standardized ISO 20022 format. Furthermore, these programs often also offer interfaces to various accounting programs and financial institutions, which makes work in this regard much easier and less prone to errors.

Implementation and control

The infrastructure used for online banking must be adequately protected. (cf. chapter 5.5 "Use of workplace clients", Information Security Manual, ISBN: 978-3-033-07646-4).

The circle of users for online banking must be restricted as far as possible and responsibilities must be clearly regulated and documented. In addition, online banking users must be trained in secure handling. Particular attention should be paid to the login process and the handling of the associated authentication means. If possible, a separate online banking access should be set up for each user - group accounts or shared accesses should be avoided.

The introduction and use of offline payment software should be investigated.

The control looks like this:

• Is appropriately protected infrastructure used for online banking?
• Is the online banking user group restricted as far as possible and are responsibilities clearly regulated and documented?
• Is the most secure logon procedure (authentication means) used according to the requirements?
• Are online banking users trained, and are the rules of conduct for logging in and out of online banking consistently applied?
• Are any required authentication means (token, smartcard, etc.) securely applied and stored?
• If offered by the financial institution: Is transaction confirmation enabled?
• Has the implementation/use of offline payment software been explored?

Info at www

• Lucerne University of Applied Sciences and Arts, "eBanking - but secure!" platform: https://www.ebas.ch
• Swiss Financial Market Supervisory Authority: https://www.finma.ch
• Payment-Standards.ch: https://www.paymentstandards.ch
• ISO 20022: https://www.iso20022.org

Companies are well advised to protect themselves appropriately. Guidance on this is provided by the Information Security Handbook for Practice (online order: www.sihb.ch). The completely revised and updated edition has recently been published. The above article is from the chapter "Secure payment transactions (online banking)".

Author

Oliver Hirschi, lecturer and head of "eBanking - but secure!", Lucerne University of Applied Sciences and Arts. He helped establish this HSLU service and has been managing the platform for over ten years. In addition, he is the part-time owner and managing director of SecAware GmbH. He is also co-author of the 9th edition of the "Information Security Handbook for Practice".