6570.0509
Online Banking Security Guide Internet-based version
Contents
Introduction to the Security Guide ... 2
Security Guide ... 2
Using the internet securely ... 2
Security solutions in Online Banking ... 3
What is security in Online Banking? ... 3
Online Banking and certificates... 3
General information about issuing certificates ... 3
Location of certificates ... 4
Definitions ... 4
Validation code ... 4
Startup code ... 4
Keycard ... 4
Certificate ... 4
Secret key and its relation to the password ... 4
Online Banking and the password ... 5
Important information about security ... 5
Personal password and keycard ... 5
Password ... 5
Password composition ... 5
Changing the password ... 5
Password tips ... 5
Storing the password ... 6
Forgotten your password? ... 6
Keycard ... 6
Password compromise and blocking ... 7
Suspicion of password compromise ... 7
Access blocking ... 7
Cancellation ... 7
Cancellation of access blocking... 7
First time access to Online Banking ... 7
Online Banking and certificates... 8
General information about registering users ... 8
How to create your secret validation code ... 8
Validation code – submitting the Validation Code Registration Form ... 9
Creating the certificate ... 12
Daily administration of users in Online Banking ... 12
New Online Banking users ... 12
Renewing a certificate ... 12
Certificate validity period ... 12
Changing and cancelling certificates ... 13
Change of name ... 13
Cancelling user certificates ... 13
Online Banking deregistration ... 13
Backup ... 13
Troubleshooting ... 14
I cannot print the Validation Code Registration Form – what should I do? ... 14
I have forgotten my password – what should I do? ... 14
Introduction to the Security Guide
This Guide describes the following:
• the concept of security
• registration of users
• standard procedures.
You can also find answers to questions in the Online Banking help system which includes general help.
Security Guide
Once you have concluded an agreement with Sydbank on using Online Banking, please note that all users registered in Online Banking must be familiar with the Security Guide.
Using the internet securely
When your computer is connected to the internet, it is in principle accessible to all other users and servers active on the internet at the same time. Today, many technologies are available to protect your computer against viruses and intrusion, but your certainty that no one else can unlawfully access your computer will depend very much on your company’s IT security policy and on your own behaviour as a user.
By observing a few basic rules when you surf the internet or receive e-mails, you can do a lot to protect your computer against intrusion, viruses and other malicious attacks.
Therefore please read the following ten security tips before you start using Online Banking:
1. Always use updated anti-virus software which automatically scans files, e-mail attachments etc. before they are stored on your computer.
2. Make sure that your company’s network is protected by a firewall.
3. Never open an e-mail attachment if you are unsure about its contents. Be particularly suspicious of all unsolicited e-mails and be extra careful about unsolicited e-mails with attachments – do not click on these attachments.
4. When you communicate securely over the internet a padlock icon will be shown at the top or in the bottom right corner of your browser. Click the padlock icon to verify whom you are communicating with. If the certificate was issued by Sydbank, the dialogue box will indicate: “Issued to: portal4.erhverv.sydbank.dk”.
5. Set your browser to alert you before anything is downloaded to your PC. Only accept downloads from sites/sources you are familiar with and trust.
6. Choose passwords which are difficult to guess and always keep them secret.
7. Store confidential data only on PCs which you control and make sure you erase all data from a PC before it is sold.
8. Always keep your browser, e-mail client and operating system updated to the most recent versions so that you always have the latest security updates. If you use anti-spyware applications, make sure that these applications are always updated as well.
9. If you use a wireless network, remember to enable encryption. You can read more about how to protect wireless networks at the Danish website, www.it-borger.dk, under the headings: “sikkerhed”, “sådan beskytter du dig og dit udstyr” and “det trådløse netværk”.
10. Regularly back up all critical files.
Security solutions in Online Banking
Online Banking is protected by the most recent security technology. The solution consists of a number of sub-components which constitute a highly secure concept:
• All communication is protected by strong encryption (128-bit SSL).
• You identify yourself with a customer ID, a user ID, a password known only to you as well as a key from a keycard.
• The first time you log in to Online Banking, you must use the validation code that you have created and activate the keycard.
• A certificate is issued to each user (the certificate is used to attach a digital signature to all financially binding transactions and file transmissions).
What is security in Online Banking?
The security system in Sydbank’s Online Banking serves to protect all data communication between you and Sydbank.
To ensure the security of data, Online Banking uses encryption and electronic signatures.
Encryption ensures that only the sender and recipient can read the contents of a transmitted file. The files are encrypted with the recipient’s public key, and since they can only be decrypted by means of the recipient’s secret key, only the recipient will be able to read the contents of the files.
Electronic signatures are attached to the files by means of the user’s secret key. The signature can be verified only with the same user’s public key.
The electronic signature ensures that the recipient knows who has sent the file and that any modification of the file during transmission is detected, because the signature will then no longer verify.
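The two key roles described above, as an added example that is not part of the guide and not Sydbank’s implementation: a file is encrypted for the Bank with the Bank’s public key and decrypted with the Bank’s secret key, while the user signs with the user’s own secret key and the Bank verifies with the user’s public key, so a changed file fails verification. The code uses textbook RSA on small keys with no padding, which is fine for illustrating the roles but must not be used to protect real data; the key sizes, the hash and the function names are this example’s own assumptions.

```python
"""Added example: public-key encryption and signing roles (toy RSA, no padding)."""
import hashlib
import random

_rng = random.SystemRandom()


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, enough for a teaching example."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:  # force top bit (size) and low bit (odd)
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 128):
    """Return (public, secret) as ((e, n), (d, n)); bits is assumed, toy-sized."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def encrypt_for(recipient_public, message: bytes) -> int:
    """Encrypt with the RECIPIENT's public key; only the matching secret key decrypts."""
    e, n = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key size")
    return pow(m, e, n)


def decrypt(recipient_secret, ciphertext: int) -> bytes:
    d, n = recipient_secret
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(sender_secret, data: bytes) -> int:
    """Sign the hash of the data with the SENDER's secret key."""
    d, n = sender_secret
    return pow(_digest(data, n), d, n)


def verify(sender_public, data: bytes, signature: int) -> bool:
    """Verify with the sender's public key; False if data or signature changed."""
    e, n = sender_public
    return pow(signature, e, n) == _digest(data, n)


def demo():
    bank_pub, bank_sec = generate_keypair()
    user_pub, user_sec = generate_keypair()
    payment = b"pay 100 DKK"  # constructed sample payment file
    ct = encrypt_for(bank_pub, payment)
    sig = sign(user_sec, payment)
    return {
        "decrypted_ok": decrypt(bank_sec, ct) == payment,
        "signature_ok": verify(user_pub, payment, sig),
        "tamper_detected": not verify(user_pub, b"pay 900 DKK", sig),
    }
```

Running `demo()` returns all three checks as true: the Bank can read the file, the Bank can confirm who signed it, and the altered amount is rejected. A real system signs a full hash with padding (e.g. PKCS#1) and uses much larger keys; the structure of who holds which key is the part the guide describes.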
Online Banking and certificates
General information about issuing certificates
Before a user can access Online Banking an electronic certificate must be issued. Before the Bank can issue a certificate to the user, the Bank must be certain that the user is indeed who he or she claims to be. This is ensured by two elements:
1. a validation code known only to the user
2. a startup code sent directly to the user by the Bank.
Location of certificates
When creating certificates you must specify where each user’s certificate is to be located. The location will depend on eg the company’s data access and backup policies. The internet-based version of Online Banking will suggest that certificates be placed on the local drive. If the user accepts this default suggestion, the user will be able to use Online Banking only on the local computer. If the company requires that all certificates are centrally located, each user must manually specify the correct drive and folder.
Definitions
Validation code
The user must construct a secret validation code which is entered in Sydbank’s Validation Code Program. The user must remember this validation code as he will need to re-enter it later.
The Validation Code Program serves two purposes:
• The validation code must be kept secret from others.
• The Validation Code Program prints a Validation Code Registration Form on which the user’s identity must be certified.
The validation code is kept secret by converting it into a validation code checksum; only the checksum is passed on to the Bank.
Startup code
The user receives a startup code from the Bank in a sealed envelope. This code must be used when the user logs in to Online Banking for the first time. The startup code and the validation code verify that the user is really who he claims to be.
Keycard
The user receives a keycard from the Bank. The keycard must be activated when the user logs in to Online banking for the first time. The keycard has a number assigned to the user. The keycard must be used each time a user logs in to Online Banking.
Certificate
The first time the user logs in to Online Banking, he must enter his secret validation code and the startup code provided by Sydbank and activate his keycard. If the validation code and the startup code are correct an electronic certificate will be issued. At the same time, the user must specify a password to be used to access the certificate and this password must be used for future logins to Online Banking.
Secret key and its relation to the password
The user’s secret key is used to generate the electronic signature and the signature is unique for each payment signed. The secret key is protected by a password known only to the user. The user’s secret key remains with the company and is unknown to everybody else, including the Bank.
Therefore it is extremely important that the user never gives his password to anybody, including persons of authority – the password is strictly personal.
The user may change his personal password in Online Banking at any time. It is recommended that the user changes his personal password:
• at regular intervals and in accordance with the company’s IT security policy, and
• whenever there is reason to believe that another user may have seen the password being entered.
Read more about the personal password below.
Online Banking and the password
The password to Online Banking is used:
• to log in to Online Banking with the keycard
• to confirm payments.
Important information about security
Personal password and keycard
Password
The user chooses his password. The password is strictly personal and may not be given or shown to anybody. If access to the system by others is required, for instance during holidays, Sydbank must issue new user IDs and letters of attorney to these new users – even in case of temporary arrangements.
Therefore we recommend that the company allows for cover during illness and holiday periods in connection with registering and deregistering users in Online Banking.
Password composition
The password may consist of both numeric characters and lower/upper case characters and it must be at least eight characters long but not more than sixteen. Read more in the section “Password tips”.
Changing the password
The user may change his password in Online Banking at any time. It is the responsibility of the company to lay down rules governing the frequency with which users must change their passwords.
Instructions for changing passwords are available in Online Banking’s help function.
Password tips
When you choose your password, please observe the following rules:
• The password must be relatively long.
The longer the password, the more combinations an unauthorised individual will have to try before finding the right combination.
• The password must be easy to remember.
If a password is difficult to remember you may want to write it down, which inevitably implies a security risk.
• The password must be difficult for others to guess.
Do not use personal numbers and names as your password.
NB: Do not use passwords based on personal data such as your own or your children’s birthdates or civil registration numbers.
It is not advisable to use the names of your nearest relatives or friends.
Also do not use text located in the immediate vicinity of your computer such as book titles or the names of shops which can be seen from the window.
Avoid using passwords that also are used to log in to other systems. If the password is compromised on one system, a person with malicious intent is likely to try out the password on several of the systems you are using.
Finally, do not use passwords that are easy to spot while you are typing them in, eg “1111111111111111”.
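The composition rule (eight to sixteen characters) and the tips above can be turned into an automatic check. The function below is an added example, not part of the guide or of Online Banking; the guide says what to avoid but not how to test for it, so the concrete tests (substring match against a list of personal data, detection of a single repeated character or a plain sequence, comparison with passwords used elsewhere) and the function names are this example’s own choices.

```python
"""Added example: apply the guide's password rules to a candidate password."""
import re

MIN_LEN, MAX_LEN = 8, 16  # from the "Password composition" section


def _norm(s: str) -> str:
    """Lower-case and keep letters/digits only, so '12-03-1975' matches '12031975'."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def _is_simple_sequence(s: str) -> bool:
    """True for runs such as 'abcdefgh', '12345678' or their reverse."""
    if len(s) < 2:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas <= {1} or deltas <= {-1}


def password_problems(password, personal_data=(), other_passwords=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_data:   names, birthdates, civil registration numbers, book titles
                     or shop names visible from the desk (constructed by the caller).
    other_passwords: passwords used to log in to other systems.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    # Easy to spot while typing, or easy to guess.
    if len(set(password)) == 1:
        problems.append("single repeated character is easy to spot during entry")
    elif _is_simple_sequence(password):
        problems.append("sequential characters are easy to spot and to guess")
    # Personal data and text lying around the computer.
    normalised = _norm(password)
    for item in personal_data:
        item_n = _norm(str(item))
        if len(item_n) >= 4 and item_n in normalised:
            problems.append(f"contains personal data ({item!r})")
    # Reuse across systems: a compromise on one system is tried on the others.
    if any(password == other for other in other_passwords):
        problems.append("already used to log in to another system")
    return problems
```

The function returns reasons rather than a bare yes/no so that the person choosing the password learns which rule was hit; the minimum length of four characters for a personal-data match is a tuning choice to avoid flagging every two-letter initial.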
Storing the password
You must be able to remember your password, or in other words: Do not write it down thereby potentially giving others access to the password. Obviously, if you write down the password on a piece of paper and stick it to your screen where it is always at hand others will be able to easily access Online Banking and make transactions in your name. It is your responsibility as a user not to make it possible for others to acquire your password.
When entering your password also remember to cover your hands so that others cannot see what you are entering. If you choose eg ”1111111111111111” as your password it will be easy for others to recognise during entry.
Never disclose your password to others, including your colleagues, persons claiming to be from the police or the Bank. The Bank will never ask for your password.
Forgotten your password?
If you have forgotten your password you cannot use Online Banking. Your password cannot be recovered.
Therefore you must create a new certificate. This means that you will need your validation code again and a new startup code from the Bank. If you have forgotten your validation code as well you must send a new Validation Code Registration Form to the Bank. Contact Hotline to receive a new startup code by post.
Keycard
When the user logs in to Online Banking, he must use a key from the keycard and his password.
A new keycard will automatically be sent to the user before the keys on the keycard are used up. The old keycard may not be thrown away before the new one has been activated. The user may order new keycards in Online Banking.
For security reasons, each key can be used only once; the keys may be used in any order.
The keycard is personal and must be kept safe.
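The keycard rules above (a key is accepted once, in any order; a replacement card is sent before the keys run out; the old card stays valid until the new one is activated) as an added example. This is a model written for this guide, not the Bank’s software: the card layout (numbered keys with six-digit values), the replacement threshold and the class and method names are assumptions.

```python
"""Added example: one-time keycard model with replacement before keys run out."""
import secrets

REPLACEMENT_THRESHOLD = 5  # assumed: send a new card when this many keys remain


def make_keys(count):
    """Constructed sample card: keys numbered 1..count, each a random 6-digit value."""
    return {i: f"{secrets.randbelow(10**6):06d}" for i in range(1, count + 1)}


class Keycard:
    def __init__(self, card_number, keys):
        self.card_number = card_number
        self._keys = dict(keys)   # key index -> key value
        self._used = set()        # indices already consumed

    @property
    def size(self):
        return len(self._keys)

    @property
    def keys_left(self):
        return self.size - len(self._used)

    def use(self, index, value):
        """Consume key `index` if it is unused and the value matches (any order allowed)."""
        if index in self._used:
            return False, "key already used"   # a replayed key is rejected
        expected = self._keys.get(index)
        if expected is None or not secrets.compare_digest(expected, value):
            return False, "wrong key"
        self._used.add(index)
        return True, "ok"


class UserKeycards:
    """Bank-side state for one user: the activated card plus at most one pending replacement."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.active = None
        self.pending = None
        self.events = []
        self._next_card_number = 1

    def send_card(self, keys):
        card = Keycard(self._next_card_number, keys)
        self._next_card_number += 1
        self.pending = card
        self.events.append(f"card {card.card_number} sent to {self.user_id}")
        return card.card_number

    def activate_pending(self):
        """First login, or switching to the replacement; only now is the old card discarded."""
        if self.pending is None:
            return False
        self.active, self.pending = self.pending, None
        self.events.append(f"card {self.active.card_number} activated")
        return True

    def login(self, index, value):
        """Check one key from the active card; trigger a replacement card when running low."""
        if self.active is None:
            return False, "no activated keycard"
        ok, reason = self.active.use(index, value)
        if ok and self.active.keys_left <= REPLACEMENT_THRESHOLD and self.pending is None:
            self.send_card(make_keys(self.active.size))
        return ok, reason
```

The `events` list is what an audit log of card issuance and activation would contain; the constant-time comparison is used so that key checking does not leak which digits matched.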
Password compromise and blocking
Suspicion of password compromise
On the suspicion of password compromise, either of the following steps must be taken immediately:
• the user must change his password
• the certificate must be blocked or cancelled.
Access blocking
There are several ways of blocking a customer’s or user’s access to Online Banking:
• The user may block the customer/user via the Online Banking system during Online Banking office hours.
• The customer/user may block the customer and user by contacting Hotline during Hotline office hours on tel +45 74 36 25 10.
• Via the 24-hour Spærreservice (block service), tel +45 75 94 50 93. Spærreservice cannot answer any technical questions – for these you must contact Hotline.
If the access is blocked, the customer/user will receive a written confirmation of the blocking.
Cancellation
To disable a certificate, ie render the compromised certificate invalid, the user must contact Hotline on tel +45 74 36 25 10 during Hotline office hours.
Cancellation of access blocking
The confirmation of the blocking will be accompanied by a form which must be completed to cancel the blocking. The form must be sent to Sydbank when the customer/user wishes to cancel the blocking. If the user has forgotten his validation code the user must also submit a new Validation Code Registration Form. This form can be printed out from Sydbank’s Validation Code Program.
Please note that the blocking cannot be cancelled via Hotline or Spærreservice (block service).
First time access to Online Banking
Below you can read about how to access Online Banking for the first time as a user.
Before you can use Online Banking, the Bank must have received and registered the Online Banking Agreement, Letters of Attorney to Conduct Online Banking Transactions and the Validation Code Registration Form.
The first thing you need to do as a user is to create your certificate.
Online Banking and certificates
You create and update your certificate in Online Banking. In addition, you must use Sydbank’s Validation Code Program to create a validation code.
General information about registering users
Each user will receive a sealed envelope containing customer ID, user ID and a startup code. The user needs this information to create a personal certificate in Online Banking. The creation of the certificate is described in detail below.
To create a certificate for Online Banking you must:
• receive a startup code from the Bank in a sealed envelope, and
• create a secret validation code in Sydbank’s Validation Code Program and send the Validation Code Registration Form to the Bank.
Moreover you must activate your keycard. The keycard has a number that assigns it to your user ID.
The above information proves to the Bank that you are indeed who you claim to be when you use Online Banking.
How to create your secret validation code
• You create your secret validation code in Sydbank’s Validation Code Program.
• You must have the sealed envelope containing the codes/instructions ready. It contains some of the information you must enter to create your validation code.
Validation code – submitting the Validation Code Registration Form
Start Online Banking at sydbank.dk.
Mouse over the “Log på” tab to see the sub menu and click “Online Banking”.
First you will see the login screen.
• On the login screen, choose ”Subscription” and ”New user”
The “Validation code program” window will open:
• Click ”Create validation code”
Instructions will follow.
• Click ”Next” in the bottom right corner to proceed to ”Customer information”
• Enter your customer information. Your customer ID appears from the information contained in the sealed envelope/instructions
• Click “Next”
• Enter your user information. Your user ID appears from the information contained in the sealed envelope/instructions
As part of your user information you must enter your validation code. For verification purposes you must enter the validation code twice.
• Click “Next”
• Print the Validation Code Registration Form
Sign the Validation Code Registration Form as the user. A person authorised to sign for the company or a person authorised to sign Validation Code Registration Forms must verify your identity.
Send the signed Validation Code Registration Form to the Bank which will then register the information.
Please note: It is very important that you remember the validation code you entered. You do not need to remember the validation code checksum. The Bank, however, needs this checksum, as the Bank must not know your validation code. The checksum is calculated automatically on the basis of the secret validation code.
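Why the Bank can check a validation code it never learns, both here and in the “Validation code” definition above, as an added example that is not Sydbank’s Validation Code Program: the program sends the Bank only a checksum derived from the code, and at first login the user enters the code again so the Bank can recompute the checksum and compare it, together with the startup code from the sealed envelope. The guide does not say how the checksum is computed; the salted, iterated hash bound to the customer and user IDs, the one-time treatment of the startup code and all function names are this example’s assumptions.

```python
"""Added example: validation-code checksum and first-login check (assumed scheme)."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor; makes guessing short codes slow


def make_checksum(customer_id, user_id, validation_code, salt=None):
    """User side: only the returned string goes on the registration form, never the code."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        validation_code.encode(),
        f"{customer_id}:{user_id}:{salt}".encode(),  # bind checksum to this user
        ITERATIONS,
    )
    return f"{salt}${digest.hex()}"


def verify_validation_code(customer_id, user_id, validation_code, registered_checksum):
    """Bank side: recompute with the stored salt and compare in constant time."""
    salt, _ = registered_checksum.split("$", 1)
    candidate = make_checksum(customer_id, user_id, validation_code, salt)
    return hmac.compare_digest(candidate, registered_checksum)


def first_login(registered, customer_id, user_id, validation_code, startup_code):
    """Both elements named in the guide must match before a certificate is issued.

    `registered` maps (customer_id, user_id) to a record with the checksum from the
    registration form and the startup code posted to the user (constructed sample data).
    """
    record = registered.get((customer_id, user_id))
    if record is None:
        return "unknown user"
    code_ok = verify_validation_code(customer_id, user_id, validation_code, record["checksum"])
    startup_ok = hmac.compare_digest(record["startup_code"], startup_code)
    if code_ok and startup_ok and not record["startup_used"]:
        record["startup_used"] = True  # assumed: a startup code serves one first login only
        return "certificate issued"
    return "rejected"
```

Both checks are evaluated before any decision is returned, so a rejected login does not reveal which of the two codes was wrong, and the stored record never contains the validation code itself.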
Creating the certificate
When the Bank has received and registered the information from the Validation Code Registration Form, you may start Online Banking to create your certificate.
• Enter customer ID, user ID and startup code
• Click “Log in”
Follow the on-screen instructions.
Daily administration of users in Online Banking
New Online Banking users
When the company wishes to register a new user in Online Banking, it must first contact the Bank.
The Bank will forward new letters of attorney and a list of the users registered with the Bank.
The new user can create a validation code by clicking ”New user” on Online Banking’s login screen.
When the Bank has received and registered the Letter of Attorney and the validation code, it will send a startup code in a sealed envelope and a keycard to the new user. The new user can now create his certificate in Online Banking, activate his keycard and subsequently use the system.
Renewing a certificate
Certificate validity period
Certificates are valid for two years and must be renewed before expiry. You will be notified automatically two months before the expiry date.
When the time comes to renew the certificate, you must simply follow the on-screen instructions.
Please note that if the certificate is used on other computers, you must remember to copy the certificate to the other computers.
It is important to renew the certificate before the expiry date shown by the system. If you do not renew the certificate before it expires you will have to create a new certificate.
Changing and cancelling certificates
Change of name
If a user changes his name the user’s certificate information must be changed as well. This can be done by contacting Hotline on tel +45 74 36 25 10.
When the Bank has registered the user’s new name, the user must subsequently renew his certificate.
Cancelling user certificates
A user’s certificate may be cancelled by the customer or by the user, either in writing to Sydbank or by contacting Hotline on tel +45 74 36 25 10. You may also contact the 24-hour Spærreservice (block service) on tel +45 75 94 50 93. Spærreservice cannot answer any technical questions – for these you must contact Hotline.
A user’s certificate will be disabled after cancellation. The user can no longer use the certificate and therefore can no longer use Online Banking.
A cancellation must always be effected if:
• the company no longer wants a particular user to use Online Banking
• a user leaves the company
• the company ceases to exist.
Online Banking deregistration
Termination of the Online Banking Agreement must be made in writing to the Bank and deregistration will be made in accordance with the Online Banking Terms and Conditions.
When the agreement is terminated the associated users will be deregistered.
Backup
In connection with Online Banking only the certificates are stored locally on the company’s computers.
Therefore it is only necessary to make backup copies of the certificates.