iBanking international security standards

Digital signature and encryption
Digital signatures and encryption are supported in accordance with the applicable international standards (XMLDSIG and XAdES: XAdES-BES, XAdES-EPES, XAdES-T and XAdES-C). The cryptographic functions use the RSA and AES algorithms.

Code protection
Code protection is applied (obfuscation, encryption, etc.). The system supports licensing and trial versions (time limit, limit on the number of application uses, etc.). The code delivered to end users (JavaScript) has been minified. The first level of minification removes spaces and comments; the next removes redundant dots, commas and curly braces and renames the local variables of those functions that are referenced only within their own known scope.

Security of the transactions
Different security measures are used depending on how the user authenticated during the transaction or when logging in to the system:

If the user is authenticated by the certificate:

  • On the client side, the account is signed with the client certificate and encrypted.
  • On the server side, the account is decrypted and, after successful decryption, the validity of the signature is verified.

If the user is authenticated by the username/password, batch/PIN or Unique Master Citizen Number/PIN:

  • The client side sends the user account, while the server side checks whether the user account sent by the client corresponds to the user account kept in a predetermined account in the iBanking database.
  • On the server side, it is checked whether the predefined account that was sent belongs to the user who sent it.

If the user is authenticated by the SMS code:

  • While the SMS code is generated, the account is recorded in the iBanking database; upon confirmation of sending, only an XML message with the ID of the account and the SMS code information is sent.
  • The validity of the SMS code is checked via the OTP module while the account is being sent.
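
As an added illustration of the SMS flow above (example code, not the product's own): the server records the account first and then accepts the SMS code only together with the ID of that recorded account, so a code issued for one account cannot confirm another. The validity window, attempt limit and server key are assumed values.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window of an SMS code
MAX_ATTEMPTS = 3        # assumed lockout threshold for wrong codes

class OtpOrderStore:
    """Constructed server-side model: the order is recorded before the SMS
    code is issued, and the issued code is valid only for that order id."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret    # server-side key for hashing stored codes
        self._now = now          # injectable clock (for tests)
        self._orders = {}        # order_id -> pending order state

    def _hash_code(self, order_id: str, code: str) -> bytes:
        # Bind the code to the order id so it cannot confirm another order.
        msg = f"{order_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue_code(self, order_xml: str):
        """Record the order and return (order_id, code); the code goes out by SMS."""
        order_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._orders[order_id] = {
            "xml": order_xml,
            "code_hash": self._hash_code(order_id, code),
            "issued": self._now(),
            "attempts": 0,
            "used": False,
        }
        return order_id, code

    def confirm(self, order_id: str, code: str) -> bool:
        """Check the SMS code the client returned together with the order id."""
        order = self._orders.get(order_id)
        if order is None or order["used"]:
            return False
        if self._now() - order["issued"] > OTP_TTL_SECONDS:
            return False            # expired: the client must request a new code
        if order["attempts"] >= MAX_ATTEMPTS:
            return False            # locked after too many wrong codes
        order["attempts"] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(order["code_hash"], self._hash_code(order_id, code)):
            return False
        order["used"] = True        # single use: a replayed code is rejected
        return True
```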

Use of the “4-eyes” principle
The “4-eyes” principle is used for the function of issuing certificates to retail customers. The first system administrator can generate a certificate request, send it to the Certificate Authority, receive the generated certificate, write it to the medium and activate it. Only when a second system administrator confirms that activation does the certificate become valid for use.