Internet Banking Security
The security of Texas Gulf Bank Connection is addressed at three levels. First, security measures are in place to prevent unauthorized users from attempting to log in to the online banking section of the bank's Web site (Individual Security). The second area is the security of the customer information as it is sent from the customer's PC to the Web server (Browser Security). Finally, security measures are in place to prevent intrusion into the environment in which the Internet Banking server and customer information database reside (Provider Security).
For the customer's protection, and so the bank can research a request for an account and validate confidential account information, an individual login ID will be utilized. A temporary computer-generated password will be delivered via the United States Postal Service after the initial account set-up has been completed. The customer will be prompted during the initial login process to enter their own customized password. The customer's user password will be authenticated during the login process. They may change their password as often as they would like and will be prompted to make such a change periodically. Also, for their protection, their online account will be disabled should they exceed the allowed number of logon attempts. In addition, the customer's PC banking session will be terminated should there be an extended time of inactivity.
Data security between the customer browser and the Web server is handled through a security protocol called Secure Sockets Layer (SSL). SSL provides data encryption, server authentication, and message integrity for an Internet connection. Netscape Communications developed SSL to ensure private and authenticated communications. The customer's Internet Banking session will utilize SSL to secure the transaction from their browser to the Web server. Once a secure session is established, the data cannot be monitored by other users on the Internet. The SSL protocol can negotiate an encryption and session key as well as authenticate a server before the application protocol transmits or receives its first byte of data. All application protocol data is transmitted encrypted, ensuring privacy.
Encryption is the actual translation of words and numbers into a coded language that can only be read by the customer and the bank. If the key in the lower left corner of the PC monitor appears filled or "enclosed" in Netscape Navigator and the lock appears solid in Microsoft Explorer, then the information is being encrypted. When not in a secure session, Netscape's key appears broken and Microsoft's lock does not appear at all.
A cookie is a way for a secured server to establish a logon or session ID each time a customer authenticates connectivity. A cookie is placed with the customer's browser each time they sign on. The cookie allows us to maintain continuity in a series of requests and responses. This additional precaution prevents a customer's session from being "taken over" if the SSL or encryption fails, either of which is extremely unlikely.
Requests for online banking information are passed from the Web server to the Internet Banking server. The computer system does not connect directly to the Internet. It is isolated from the Internet network via routers, filters, and a "firewall." A "firewall" is a device that controls the access that computers on the Internet have to the bank's computer. Use of the "firewall" allows only valid traffic to reach the Web server. Further protection is provided by yet another set of "firewalls" that sit between the Web server and the Application server.