Security in BBVA net cash

Index

1. Introduction ..... 2
2. Measures from BBVA ..... 3
2.1 The service ..... 3
2.1.1 User administration ..... 3
2.1.2 Activity control ..... 3
2.1.3 User credentials in BBVA net cash ..... 4
2.1.4 Identification and authentication ..... 5
2.1.5 Compliance with national and international regulations ..... 5
2.2 Technology ..... 6
2.2.1 Confidentiality and integrity ..... 6
2.2.2 Physical security of Data Processing Centres ..... 6
2.2.3 Security architecture ..... 7
2.2.4 Specific protection systems ..... 7
2.2.5 Quality as a strategic factor ..... 7
3. Measures that you should take: user recommendations ..... 8
3.1 Protecting your user credentials ..... 8
3.2 Protecting your computer ..... 8
3.3 Secure Internet access and browsing practices ..... 9
4. Information concerning most frequent viruses and attacks ..... 10
5. Appendix ..... 11
5.1 LOPD ..... 11

1. Introduction

The new possibilities offered by the fast-evolving world of the internet are obvious. These possibilities allow BBVA net cash to complete, day by day, our already comprehensive and flexible range of online services, but they also leave the door open to new and increasingly sophisticated forms of fraud.

At BBVA net cash we are aware of these threats; we maintain permanent surveillance and take all possible precautions so that you can continue to operate securely. This document contains details of all the initiatives established by BBVA net cash to protect your data and guard against access by hackers. You will also find a series of recommendations that you should take into account to ensure that your internet connections and online operations are secure.

2. Measures from BBVA

2.1 The service

2.1.1 User administration

BBVA net cash is a multi-user application. It has different user profiles which the company can assign to its employees in accordance with their operating structure.

A specific profile, the administrator, defines and administers the company's users in BBVA net cash. There can be one or several administrators, and there can be different levels of delegation (without power, or with joint or several powers).

Each user is assigned a profile which is defined in the greatest possible detail. The same procedure is used for the authorisation of operations. These profiles can be:

● No power: cannot authorise operations.
● Authorised officer (attorney): with authority to act jointly or severally.
● Auditor: can even completely halt signed orders until authorisation is granted.

This structure means that the user circuit can be as restrictive as the company wishes, in order to guarantee at all times that each user:

● accesses only the services and accounts established by the administrator.
● can perform only the queries and operations authorised by the administrator.
● can have, or be without, powers to authorise operations.
● has a financial limit for each operation and account, as defined by the administrator.
● only if he is an administrator is he entitled to consult, in addition to his own profile, the list of users defined in his company, their profiles, access to services and powers.
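The profile model just described (no power, attorney with joint or several power, auditor hold, per-user service and account assignments, a financial limit per operation and account, administrator-only visibility of the user circuit) as an added worked example in Python. It is not BBVA's code: the rule that a joint authorisation needs two distinct joint attorneys, the Profile and Order fields and the demo users are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Power(Enum):
    NONE = "no power"      # may query/operate within the profile but cannot authorise
    JOINT = "joint"        # attorney who authorises together with another attorney
    SEVERAL = "several"    # attorney who may authorise alone


@dataclass
class Profile:
    user: str
    services: Set[str]                                   # services the administrator assigned
    accounts: Set[str]                                   # accounts the administrator assigned
    power: Power
    limits: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (operation, account) -> ceiling
    is_admin: bool = False


@dataclass
class Order:
    operation: str
    account: str
    amount: float
    signers: List[str] = field(default_factory=list)     # users who have signed it so far
    held_by_auditor: bool = False                        # an auditor can halt a signed order


def can_use(profile: Profile, service: str, account: str) -> bool:
    """Query/operation access: only the services and accounts established by the administrator."""
    return service in profile.services and account in profile.accounts


def may_sign(profile: Profile, order: Order) -> Tuple[bool, str]:
    """One user's signature counts only with signing power, on an assigned account, within the limit."""
    if profile.power is Power.NONE:
        return False, "no signing power"
    if order.account not in profile.accounts:
        return False, "account not assigned to user"
    limit = profile.limits.get((order.operation, order.account))
    if limit is None:
        return False, "no limit defined for this operation and account"
    if order.amount > limit:
        return False, f"amount {order.amount:.2f} exceeds limit {limit:.2f}"
    return True, "ok"


def is_authorised(profiles: Dict[str, Profile], order: Order) -> Tuple[bool, str]:
    """Assumed rule: one valid 'several' signature, or two distinct valid 'joint' signatures."""
    if order.held_by_auditor:
        return False, "halted by auditor"
    valid = [profiles[u] for u in dict.fromkeys(order.signers)      # dedupe, keep order
             if u in profiles and may_sign(profiles[u], order)[0]]
    if any(p.power is Power.SEVERAL for p in valid):
        return True, "authorised by a several power"
    if sum(p.power is Power.JOINT for p in valid) >= 2:
        return True, "authorised jointly"
    return False, "insufficient signatures"


def visible_users(profiles: Dict[str, Profile], requester: str) -> List[str]:
    """Only an administrator may consult the list of users, profiles, accesses and powers."""
    return sorted(profiles) if profiles[requester].is_admin else [requester]


def demo_profiles() -> Dict[str, Profile]:
    """Constructed sample user circuit (not real data)."""
    acc = "ES-ACC-1"
    return {
        "alice": Profile("alice", {"transfers"}, {acc}, Power.SEVERAL, {("transfer", acc): 50000}),
        "bob": Profile("bob", {"transfers"}, {acc}, Power.JOINT, {("transfer", acc): 20000}),
        "carol": Profile("carol", {"transfers", "statements"}, {acc}, Power.JOINT, {("transfer", acc): 20000}),
        "dave": Profile("dave", {"statements"}, {acc}, Power.NONE),
        "admin": Profile("admin", set(), set(), Power.NONE, is_admin=True),
    }
```

Every decision returns a reason string alongside the boolean so that the audit trail can record why an order was refused, which is what makes a restrictive user circuit reviewable rather than merely restrictive.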

2.1.2 Activity control

Users can monitor the company's operations in BBVA net cash through:

● the statistics module (Files>Statistics): querying operations performed during a certain period.
● Operations auditing (Files>Audit trail): controlling the operations activity of each user of the company.
● User auditing (Administration and control>User maintenance>User Audit): records which actions have been taken by each of the administrators within the user circuit.

2.1.3 User credentials in BBVA net cash

● Signature password: BBVA net cash offers the user different signature options so that he can select the one which best fits his operating requirements. The user defines whether his signature mode is an operations password (a nine-character password) or a formula signature (applying an arithmetical formula to the number indicated by BBVA).

● Double security factor: basically, the incorporation of a security device, in this case the Token Plus, for validation in the user circuit and the signing of operations via BBVA net cash. To this end, the system asks you to enter the six-digit, single-use security code generated by Token Plus as well as your signature code. The device is personal and non-transferable; one device is provided per signing user.

In addition, the system will ask you to enter your mobile telephone number so that, in the case of loss or theft of the Token Plus device, you can receive your security code via SMS and continue to operate normally.
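The single-use six-digit code described above, as an added example that is not BBVA's code. The document does not say how Token Plus generates its codes, so this assumes the event-based HOTP algorithm of RFC 4226 (the constructed seed is the RFC's published test key) and shows the server-side check that makes each code single use: a counter at or below the last one consumed is never accepted again.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test-vector key. A real token carries its own secret seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one user's token: the last accepted counter plus a small look-ahead window."""

    def __init__(self, seed: bytes, window: int = 5) -> None:
        self.seed = seed
        self.window = window          # how far ahead we tolerate the device (button presses not submitted)
        self.last_counter = -1        # highest counter value already consumed

    def verify(self, code: str) -> bool:
        # Search only forward of the last accepted counter: a code that was already used,
        # or an older one captured earlier, can never match again (single use).
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(DEMO_SEED)
    first = hotp(DEMO_SEED, 0)
    print(first, v.verify(first), v.verify(first))   # the second presentation of the same code is refused
```

The look-ahead window is the usual trade-off for event-based tokens: too small and a device that was pressed a few times without logging in stops working, too large and an attacker gets more guesses per attempt, which is why the lockout rules in this section matter for the token code as well.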

● The access password is 8 alphanumeric characters long, to hinder third parties from deducing it by trying options.

● Passwords are stored encrypted irreversibly in specialised user and identity management systems, so that nobody can obtain or ascertain them.

Mandatory change of the access password on first access: to prevent user impersonation, the user is required to change his access password the first time he connects to BBVA net cash.

Blocking of users:

● Five consecutive errors when entering the user or the activation password lead to the reference in BBVA net cash being blocked; it cannot be activated until BBVA generates a new activation password.
● Three failed attempts when entering the access password and signature password lead to the user being blocked.
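The blocking rules of this section as an added example in Python, not BBVA's code. The thresholds follow the document (five consecutive errors for the user name or activation password and for the Token Plus code, three for the access and signature passwords); the credential-kind names, the reset-on-success behaviour and the administrator block/unblock calls are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional

# Consecutive-failure thresholds as stated in the document (kind names are assumed).
LIMITS = {
    "activation": 5,  # user name or activation password: BBVA must issue a new activation password
    "access": 3,      # access password
    "signature": 3,   # signature password
    "token": 5,       # six-digit Token Plus code
}


@dataclass
class Account:
    user: str
    blocked_by: Optional[str] = None                       # credential kind that triggered the block
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    @property
    def blocked(self) -> bool:
        return self.blocked_by is not None


class LockoutPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account(user))

    def attempt(self, user: str, kind: str, credential_ok: bool) -> str:
        """Record one credential check. Returns "ok", "failed" or "blocked"."""
        acct = self._account(user)
        if acct.blocked:
            return "blocked"          # nothing is accepted while blocked, even a correct credential
        if credential_ok:
            acct.failures[kind] = 0   # the counter is for consecutive errors, so a success resets it
            return "ok"
        acct.failures[kind] += 1
        if acct.failures[kind] >= LIMITS[kind]:
            acct.blocked_by = kind
            return "blocked"
        return "failed"

    def admin_block(self, user: str) -> None:
        """The user administrator cancels access immediately (for example when an employee leaves)."""
        self._account(user).blocked_by = "administrator"

    def unblock(self, user: str) -> None:
        """Re-activation by BBVA or the administrator: clears the block and all counters."""
        acct = self._account(user)
        acct.blocked_by = None
        acct.failures.clear()
```

Returning "blocked" for a correct credential once the account is locked is deliberate: if the response differed, an attacker could keep testing passwords against a locked account and simply collect the right one for later.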

If necessary, BBVA offers a special type of Token Plus enabled for visually impaired users.

● For greater security, the access password and the signature password in BBVA net cash are different. Although the passwords do not expire, we recommend that users change them every month.

2.1.4 Identification and authentication

Traceability of transactions: accesses and transactions are recorded in automated operations records which show the operation made, its date and time and the user who executed it, allowing the validity of the recorded operations to be ascertained.

Information on last connection:

● If the user is entering for the first time, BBVA net cash will indicate it.
● In subsequent accesses, BBVA net cash will show the user the date and time of his last connection (Figure 2.1.4.1).

Figure 2.1.4.1

Cookies only enabled during the session: the cookies placed in the user's operating system, required for secure browsing on any website, are only enabled during the connection to BBVA net cash and are removed when the user disconnects from the application.

Automatic logging off from session: as an additional security measure, after 10 minutes of inactivity in BBVA net cash, the user's session is terminated and he is disconnected from the system (Figure 2.1.4.2).

Figure 2.1.4.2
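The three controls of this section (last-connection display, session-bound cookies, ten-minute idle log-off) as one added server-side example in Python. It is not BBVA's code: the ten-minute limit is the document's, while the cookie attributes, the session-store layout and the demo clock are assumptions.

```python
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

IDLE_LIMIT = timedelta(minutes=10)   # the document's figure: session ends after 10 minutes of inactivity
T0 = datetime(2024, 3, 1, 9, 0)      # constructed clock origin for the demo


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}        # session id -> {"user", "last_activity"}
        self.last_login: Dict[str, datetime] = {}  # user -> time of the previous successful login

    def login(self, user: str, now: datetime) -> Tuple[str, Optional[datetime]]:
        """Create a session; also return the previous login time (None on the first-ever access)."""
        previous = self.last_login.get(user)
        self.last_login[user] = now
        sid = secrets.token_urlsafe(32)                       # unguessable session identifier
        self.sessions[sid] = {"user": user, "last_activity": now}
        return sid, previous

    @staticmethod
    def cookie_header(sid: str) -> str:
        # No Expires/Max-Age: a session cookie the browser discards when closed. Secure and HttpOnly keep
        # it off plain HTTP and away from page scripts; SameSite limits cross-site reuse. (Assumed attributes.)
        return f"Set-Cookie: NETCASH_SESSION={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def touch(self, sid: str, now: datetime) -> bool:
        """Called on every request. False means the session is unknown or idle-expired (and removed)."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s["last_activity"] >= IDLE_LIMIT:
            del self.sessions[sid]     # terminate server-side: the user must log in again
            return False
        s["last_activity"] = now
        return True

    def logoff(self, sid: str) -> None:
        self.sessions.pop(sid, None)   # invalidate server-side; a copied cookie is then useless

    @staticmethod
    def last_connection_message(previous: Optional[datetime]) -> str:
        if previous is None:
            return "This is your first connection."
        return "Last connection: " + previous.strftime("%d/%m/%Y %H:%M")
```

The idle timer is enforced on the server, not by the cookie's lifetime: a cookie attribute only tells the browser when to forget the identifier, whereas deleting the server-side entry is what actually ends the session for anyone who holds that identifier.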

2.1.5 Compliance with national and international regulations

All BBVA services comply with the rules and regulations of the countries in which it operates. BBVA's commitment to these regulations is set out in the Code of Conduct, which must be satisfied by all its employees.

● Five consecutive errors when entering the security code generated by Token Plus lead to the user in BBVA net cash being blocked.
● The user administrator is entitled to block the access of users from his company, so that when any employee ceases to work, his access can be cancelled immediately.

2.2 Technology

2.2.1 Confidentiality and integrity

Of all user credentials:

● All the user's operating passwords are stored encrypted irreversibly in specialised user and identity management systems, so that nobody can obtain or ascertain them.
● BBVA's operational procedures do not require anybody in the Bank to know the operating passwords of its customers, so nobody knows them or will request them personally.

Of communications:

● Communications of BBVA transactional and distance banking services use 128-bit SSL protocol encryption to ensure the confidentiality and integrity of Internet communications.
● Certificates used by BBVA to provide this service are generated by Verisign Inc.
● Furthermore, sensitive communications which take place on BBVA's internal networks are afforded proper protection in accordance with the operating environment and the protocol used.

Of information:

● Information stored in systems and internal databases is protected by means of different security systems, allowing access solely to authorised employees.
● BBVA has an automated information access privilege management system, assuring controlled and restricted access for authorised personnel.

2.2.2 Physical security of Data Processing Centres

BBVA's Data Processing Centres are equipped with comprehensive physical security measures to protect data processing systems, with the following, inter alia, being particularly worthy of note:

● Bunkerised DPC.
● Individualised control of access to the premises and the different technical rooms, equipped with hazardous element detection systems.
● Security guards and video-surveillance equipment guarding the perimeter and interior of the installations on a 24x7 basis.
● Specific detection and protection systems guarding against intrusion, fire, flood, power cuts and other catastrophic events.

Furthermore, given that BBVA has two fully operational Data Processing Centres, the safeguarding and any necessary retrieval of information are guaranteed.

2.2.3 Security architecture

In order to assure the highest degree of security in the design of its systems, BBVA has arranged a specific security architecture especially for systems serving customers via the internet.

To minimise the degree of exposure to the internet, only the presentation layer (which carries out user authentication, web application access authorisation and secure session control functions) is exposed, by means of a reverse security proxy.

2.2.4 Specific protection systems

Firewalls and anti-virus/anti-hacker systems, permanently updated:

● BBVA segregates its networks and systems with several levels of firewalls.
● What is more, BBVA's internal systems are permanently protected by antivirus and hacker detection systems.
● Both types of systems are managed on a 24x7 basis and are permanently updated, thereby affording permanent protection against new threats.
● All surveillance, alert and security response systems guarding against possible fraud are monitored and supervised by a group of specialists 24x7x365 in the Data Processing Centre.

Activity registers of all components: BBVA's Distance Banking systems and applications keep activity registers (logs) of all critical components, supporting the detection of attempted fraud and the forensic analysis of activities or operations which are suspected to be, or are reported as, fraudulent.

Periodic revision of the service, applying the latest attack techniques: the systems supporting the Distance Banking services are periodically revised using automatic vulnerability analysis tools.

Internal and external audits: BBVA's systems and processes undergo security audits by the independent Audit department and by specific external audits or audits associated with financial or compliance audits.

2.2.5 Quality as a strategic factor

BBVA's Data Processing Centre has in place a Quality Management System which complies with the UNE-EN ISO 9001:2000 standard.

DPC personnel are trained in the quality processes supporting the ISO 9001:2000 certification, and the critical support staff hold quality audit certifications.

BBVA forms part of the Information Security Forum, made up of more than 270 of the leading and largest companies worldwide.

3. Measures that you should take: user recommendations

3.1 Protecting your user credentials

● Your access and signature passwords in BBVA net cash are personal, non-transferable and secret, and you must look after them securely. These passwords are stored in BBVA systems encrypted using an algorithm, and therefore nobody – not even BBVA – knows them.
● Your Token Plus security device is personal and non-transferable.
● Do not reveal your personal passwords to anybody under any circumstances, and never enter them on any website other than those within the secure environment of BBVA net cash.
● Choose passwords which are difficult to guess. We also recommend that you change your password regularly.
● Be wary of pages which request personal data, unless they are related to a service.
● If you receive a message asking you to reveal your personal passwords, do not provide any information, and immediately contact the BBVA net cash customer service: 902 33 53 73

3.2 Protecting your computer

● Regularly update your operating system and your browser version with the pertinent patches to guard against weaknesses or errors detected.
● Configure your computer and all your programs using the highest security levels.
● Install a firewall and keep it enabled and always updated.
● Install antivirus and anti-spyware programs and keep them enabled and always updated. Check documents received from outside using the anti-virus program.
● Regularly make backup copies of your files.
● Avoid downloads from unknown websites, as they could contain viruses or spyware.
● Regularly clean cookies and temporary files.

Figure 3.2.1

3.3 Secure Internet access and browsing practices:

● Avoid connecting to private content pages from public computers.
● Ensure you are connected to a secure server. A locked padlock symbol should appear at the bottom of your browser.
● Check the security certificate of the website by clicking on the locked padlock symbol:
  ● The expiry date and the domain must be valid.
  ● The information should show the issuer (Verisign), the validity period and the organisation for which the certificate has been issued (BBVA).
● Do not use your browser's "remember passwords" option. If it is enabled, the passwords you enter for the website are stored on the computer, and when you re-enter your user name the password field is filled in automatically. On a shared computer, this could allow anybody to use your personal passwords.
● Check the date and time of the last connection.
● To terminate your session in BBVA net cash, use the <Log off> button at top right.
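The certificate checks in the list above (validity period, domain, issuer, organisation) expressed as code, as an added example that is not part of the BBVA document. It inspects a certificate in the dictionary form that Python's ssl module returns from getpeercert(); the certificate values, host names and organisation strings are constructed placeholders, and the wildcard rule (one label only) is the usual browser behaviour, assumed here.

```python
from datetime import datetime, timezone
from typing import List, Sequence

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(); every value is a placeholder.
SAMPLE_CERT = {
    "subject": ((("countryName", "ES"),), (("organizationName", "BBVA (placeholder)"),),
                (("commonName", "netcash.example"),)),
    "issuer": ((("organizationName", "VeriSign (placeholder)"),),
               (("commonName", "VeriSign Class 3 (placeholder)"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "netcash.example"), ("DNS", "*.netcash.example")),
}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_time(value: str) -> datetime:
    # getpeercert() dates look like "Dec 31 23:59:59 2025 GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def _name_values(rdns: Sequence, key: str) -> List[str]:
    """Collect every value of one attribute (e.g. organizationName) from a subject/issuer tuple."""
    return [value for rdn in rdns for k, value in rdn if k == key]


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):                       # wildcard covers exactly one label
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_certificate(cert: dict, hostname: str, now: datetime,
                      expected_issuer: str, expected_org: str) -> List[str]:
    """Return the problems found; an empty list means every check in the document's list passed."""
    problems = []
    if now < _parse_time(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > _parse_time(cert["notAfter"]):
        problems.append("certificate expired")
    # Domain: subjectAltName DNS entries are authoritative; fall back to commonName if absent.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"] \
        or _name_values(cert["subject"], "commonName")
    if not any(_host_matches(n, hostname) for n in names):
        problems.append(f"domain {hostname} not covered by {names}")
    if expected_issuer not in _name_values(cert["issuer"], "organizationName"):
        problems.append("unexpected issuer")
    if expected_org not in _name_values(cert["subject"], "organizationName"):
        problems.append("unexpected organisation")
    return problems
```

The domain check is the one a look-alike site fails: a fraudulent page can buy a perfectly valid certificate for its own name, so a valid padlock is only meaningful together with the right host name and organisation.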

4. Most frequent viruses and attacks

Phishing: if you receive an e-mail requesting the confirmation or entry of confidential information related to your electronic banking (password, signature…), you are the victim of a PHISHING attack. Basically, it is defined as the attempt to obtain access information by impersonating the image and name of the sending financial institution, in our case BBVA.

The basic functioning is as follows:

1. A mass dissemination of messages (spam) stating that BBVA net cash users must confirm their access information.
2. The message includes a link to a page from which the confirmation of information must be made. Sometimes the link initiates the download of malicious software.
3. The user follows the link to a website "similar" to the authentic BBVA net cash website and, with complete confidence, enters their information there.
4. As the website is false and controlled by the swindlers, it is they who actually receive the user's information, and they have free access to the real accounts of the affected user.

Although BBVA never requests your BBVA net cash access passwords and signature by e-mail, we have included here some tips to help you recognise these types of attack:

1. Sometimes the logo appears distorted or stretched. Furthermore, the message contains spelling mistakes or phrases no longer in use.
2. You are addressed as "Dear customer" or "Dear user" rather than by your real name.
3. You are notified that your electronic banking account/service will be closed unless you reconfirm your access information immediately.
4. The tone of the email sounds threatening.
5. The text refers to "security commitments" or "security threats" which require immediate action.
6. The URL is not https:// and the security padlock does not appear in the bottom bar of the browser. Such fake links include this icon within the window to fool the user.
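Tips 2, 3, 5 and 6 above, together with the request for credentials itself, can be checked mechanically against the text of a message. The following is an added example, not BBVA's tooling, that runs such checks over two constructed e-mails; the trusted domain netcash.example and the word lists are placeholders, and the padlock in tip 6 is a browser-side observation that text analysis cannot model.

```python
import re
from typing import Iterable, List

# Constructed placeholder for the legitimate service's domain; substitute the real one in use.
TRUSTED_DOMAINS = ("netcash.example",)

GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|client)\b", re.I | re.M)
THREAT_WORDING = re.compile(
    r"\b(immediately|within \d+ hours|will be (closed|suspended|blocked)|security (threat|commitment)s?)\b",
    re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|verify|re-?enter|update|validate)\b[^.]{0,60}?\b(password|signature|access (code|information|details))",
    re.I)
URL = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)

# Constructed samples: one modelled on the pattern the document describes, one ordinary notice.
PHISHING_SAMPLE = """\
Dear customer,

Due to a security threat, your BBVA net cash service will be closed unless you confirm
your access information and password immediately at http://netcash-verify.example/login
"""

LEGITIMATE_SAMPLE = """\
Dear Ms Garcia,

Your March statement is now available. Log in to BBVA net cash as usual at
https://netcash.example/ and open Files > Statistics to review it.
"""


def phishing_indicators(message: str, trusted_domains: Iterable[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return the document's recognisable phishing traits found in the message text (empty = none found)."""
    findings = []
    if GENERIC_GREETING.search(message):
        findings.append("generic greeting instead of your name")
    if THREAT_WORDING.search(message):
        findings.append("threatening or urgent wording")
    if CREDENTIAL_REQUEST.search(message):
        findings.append("asks you to confirm or enter credentials")
    for url in URL.findall(message):
        host = url.split("/")[2].split(":")[0].lower()
        if not url.lower().startswith("https://"):
            findings.append(f"link is not https: {url}")
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            findings.append(f"link points outside the trusted domain: {host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, "->", phishing_indicators(sample) or "no indicators")
```

The strongest single signal is the combination of a credential request with a link outside the trusted domain; a legitimate service, as the document says of BBVA, never asks for passwords or signatures by e-mail at all, so that trait alone is enough to stop and telephone customer service.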

Pharming: consists of intercepting the step between the mnemonic name in the URL and the IP address returned, sending the user to a replica of his bank's website where the criminals obtain the user's confidential data. Unlike phishing, no email is received: the user is redirected to a bogus page when he/she types the URL into the browser.

Trojans: this type of virus hides in the user's computer and gradually stores the passwords as the user connects to financial institutions, etc. When enough data have accumulated they are sent to the cyber-criminal.

Man in the middle: the hostile agent is able to read, insert and modify data exchanged between the Customer and the Bank. It is thereby able to modify the data of a transaction in the background (e.g. account to credit, amount, etc.) without the user realising it. The user defines and signs a transaction on the screen, but the Bank is actually sent a transaction modified by the hostile agent.

5. Appendix

5.1 LOPD

At BBVA we guarantee the protection of our customers' data. The seal of the Spanish Association of Electronic Commerce (AECE) endorses us as the first financial institution to apply its Ethical Code for the Protection of Data on the Internet. The website of BBVA, Banco Bilbao Vizcaya Argentaria, S.A., at BBVA net cash, does not automatically register any data regarding the identity of visitors to its pages. With online banking services, in order to uphold the security and confidentiality of the transactions, the system requires the prior identification and authentication of the user through the request for access codes. In those circumstances in which the user requests information on services or products, or seeks to proceed with claims or enquiries by means of the submission of forms displayed on the web pages of BBVA, it will be necessary in all cases to gather those personal details appropriate in order to reply to the request.

All these data are treated with the utmost confidentiality, being used for the purposes for which they have been requested, within the framework of the Organic Law on the Protection of Personal Data and other applicable legislation.

In response to this communication, the customer service department of BBVA net cash will initiate an action protocol against the established fraud: a specialist team will be in charge of analysing the case. If the suspicion is confirmed, you will be recommended to:

● Format the hard drive.
● Install an updated antivirus.
● Install firewall software.
● Install an anti-spyware program.
● Keep the software of your computer equipment permanently updated.

In all confirmed cases, the access password of the user concerned will be changed.

BBVA net cash has a specific section on security on your private home page. There you will find information concerning viruses and the most frequent types of attack, recommendations, and information on operating system updates and antivirus software. Access this section regularly.

So as to prevent these attacks, take note of the above recommendations and advise us of any suspicious situation or communication you may receive:

902 33 53 73