1

Parex bank experience withDigipass tokens

Deniss Vorona

Online Banking Project Manager

2

Who We Are

• A leading Latvian bank

• Branches and Representative offices in Europe (Latvia, Lithuania, Estonia, UK, Germany, Sweden,..), Russia and other CIS countries, Japan.

• Two subsidiary banks offer services in Lithuania (Parex Bankas) and Switzerland (AP Anlage und Privatbank)

3

History:Milestones

• 1992: first client

• 1994: first payment card

• 1996: first Digipass tokens are used for fax banking

• 2001: first user performs online banking transaction

4

History:Previous Security Schemes

• Homebrew code card, which required manual computation with factored in payment parameters. It was used for:

– Fax banking

– Remote banking application (modem-based)

• PGP for email banking

5

History:Digipass Tokens Advantages

• Secure

• Easy to use

• Mobile

• Unconnected

• No installation/software support

• Cannot be copied

• Adheres to Electronic signature law

6

History:A Simple Solution

• A separate application, not connected to banking system

• Manual signature verification

• Printing slips of verification success

7

Token Usage

• Online banking (digi.parex.lv)

– Login (dynamic password)

– Document signatures

• Fax banking

• Access to the safes

8

Token Applications

• Dynamic password (time-based response only)

• Signature

9

Signature Parameters

• Payer account number

• Amount

• Currency code

• Beneficiary account number

10

Online Banking Login

11

Online Banking Login

12

Payment Signature

13

Payment Confirmation - Go3

14

System Architecture

Online banking Core banking system

Authorization server Administrative tool

15

Authorization Server Functions

• Token data

• Token lock/unlock

• Logging

• Signature rights management

• Document uniqueness control

16

Separate Server Advantages

• Authorization server has stable and strict interfaces which are very rarely changed

• Easy to offer Digipass-based services in other banks within Parex Group

17

Simple Architecture

Operator tool

Authorization server Administrative tool

18

Tokens Used

Tokens issued in the past:

• DP500

• DP560

Tokens issued now:

• DP700

• Go3

19

Tokens Used

• Dp500– A good model with a

calculator– Not supplied anymore

20

Tokens Used

• Dp560– Dp500 successor– Stylish design– Good for the average

user– Better battery life– Messages in several

languages

21

Tokens Used

• Dp700– Good for heavy use– Best for signatures– Messages in two

languages– Target audience:

businesses, active users

22

Tokens Used

• Go3– Easy to use– Target audience:

private customers

23

Transaction Statistics

0

500000

1000000

1996

1998

2000

2002

2004

2006

1996 < 1000

1997 ~ 80000

1998 ~ 190000

1999 ~ 350000

2000 ~ 550000

24

Situation in Latvia

• At least 9 out of 23 commercial banks offer services using Digipass tokens

• ID-cards (smart cards issued by the state) are not used to secure online banks

• State web sites tend to use Online banks to secure e-services

25

Implementation Challenges

• Clear strategy• Difficult to phase out old services• Managers are hard to convince• Clients are hard to convince - not all are security-

conscious• Price

26

Implementation Challenges

• Planning token configuration for the future

• User experience

• Instructions

27

Questions?

Don’t hesitate to ask!

28

Conclusion

Think about security before

your clients have to!