Security

The Internet has emerged as a widely accepted medium for online commerce. Security protocols adopted by Intuit, Microsoft and CheckFree, the three companies that worked with the financial services industry to define the OFX specification for Internet-based financial transactions, utilize state-of-the-art security technologies. For instance, on October 12, 2005, the FFIEC issued new guidance for the electronic banking environment. This guidance resulted in the addition of Multi-Factor Authentication (MFA) techniques to OFX.

Online banking security for transactions over the Internet has three main components: authentication, privacy and message integrity. Secure Sockets Layer (SSL), used by OFX, is a standard security protocol for Internet-based transactions that provides authentication, privacy (data encryption) and message integrity.

Authentication enables the recipient of a message to verify the identity of the sender. For example, a financial institution or third party processor authenticates a customer by requiring the use of a password and user ID with each transaction. A customer’s application authenticates a financial institution or third party processor by verifying the institution's digital certificate.

Privacy refers to safeguarding the message so it can be read only by the intended recipient. OFX messages are strongly encrypted to provide privacy. SSL provides for encrypted data transmission using a variety of strong symmetric encryption algorithms and key sizes.

Message integrity assures the recipient of a message that the message was not altered after it left the sender. OFX uses a cryptographically secure hash function to compute a message authentication code, providing integrity verification.

Online banking transactions are also protected by multiple security features in the OFX software including prompts and controls that allow users to monitor closely online activity and to confirm only authorized transactions, and by financial institution's secure internal servers.

OFX products establish a 128-bit connection with the Financial Institution's OFX server even if the server will allow a lesser connection from another client source.

Digital Certificates for Server Authentication in OFX

Secure Sockets Layer (SSL) is a standard security protocol for Internet-based transactions. The SSL protocol provides data encryption, authentication and message integrity. Cryptographic algorithms in SSL include those developed by RSA Data Security, Inc. and others.

Authentication enables the recipient of a message to verify the identity of the sender. Digital certificates are digital documents that bind a public key to an identity and can be used for authentication purposes in cryptographic protocols. Digital certificates contain the following data:

Subject’s name, company and address
Subject’s public key
Issuer name
Valid dates

This data is combined and digitally signed (see "Public key cryptography," below) by a trusted third party called a certificate authority (CA). Anyone who verifies the CA's signature on the certificate is assured that the identifying information contained therein corresponds to the accompanying public key. VeriSign, Inc. is one such company that operates as the certificate authority for these certificates.

A digital certificate binds an identity (or subject) to a public key. Conceptually, the process of issuing a certificate is: the subject uses Web server software to generate a key pair and a certificate signing request (CSR); the subject applies for a certificate directly to the CA and includes the CSR along with application information; finally, the CA verifies the identity of the subject and then issues the certificate to the subject. By signing the issued certificate, the CA vouches for the subject’s identity.

The OFX server will have the private key that corresponds to the public key in the SSL certificate. This private key must be kept secure, which requires proper analysis of network security, security practices and procedures, physical security, and key back-up. Many organizations use expert security consultants to provide guidance in these areas.

If the SSL certificate is compromised, that is, if the private key is exposed, the certificate should be taken out of service (revoked by contacting VeriSign or other issuer) and replaced with a new certificate.

Today, some SSL Certificates commonly accepted by OFX clients include:

VeriSign OFX CA Generation 2
Entrust.net Secure Server CA
RSA Secure Server CA
VeriSign International Global Server CA

General security-related terms are below.

Public key cryptography is cryptography that uses two cryptographic keys instead of one. One key, the "private key," is kept secret by the key-pair owner, and used to decrypt messages that were encrypted with the other, "public key." Messages encrypted with the public key can only be decrypted with the corresponding private key. This greatly facilitates key management because public keys can be widely distributed without fear of losing security. Conversely, messages can be "encrypted" with the private key and "decrypted" with the public key. The latter process provides no secrecy since the public key is widely available, but does provide assurance that the (sole) owner of the private key was the one who performed the "encryption." This is called a "digital signature."

Hash
A hash is a cryptographically secure checksum which has the following properties: