This document is issued by DSBC Financial Group (‘DSBC’). DSBC Financial Europe is established in Lithuania, with liaison offices in Hong Kong and Singapore. DSBC Financial Europe's licence is issued by the Central Bank of Lithuania and it is regulated by the European Payment Council. DSBC Financial Europe is a member of the Lithuanian Adherence Support Organisation, the "Association of Lithuanian Banks".
This document is for information purposes only and does not constitute or form any part of (i) any invitation or inducement to engage in investment activity, or (ii) any offer, solicitation or invitation by DSBC or any of the DSBC Group for the sale or purchase of any products, services and/or any investments.
DSBC provides this document to the recipient on an ‘as is’ basis and, except as provided herein, does not warrant that the contents of this document are accurate, sufficient or relevant for the recipient’s purposes.
DSBC may have obtained information in this document from sources including from third party suppliers, it believes to be reliable but which have not been independently verified. In relation to information on products and/or services supplied by a third party supplier, the recipient should obtain further information on these products and/or services directly from the supplier.
Please note that this document may contain hypertext links to websites operated by other members of the DSBC group and third parties respectively. In relation to hypertext links to websites operated by members of the DSBC group, please read the terms and conditions of the linked website. In relation to hypertext links to websites operated by third parties, please note that: (1) the recipient should read the terms and conditions of the website; and (2) DSBC does not have any control whatsoever over these websites and shall not be liable for the recipient’s use of them.
DSBC will use its reasonable endeavours to ensure that the contents of this document are current at the date of its first publication. DSBC gives no undertaking and is under no obligation to provide the recipient with access to any additional information or to update all or any part of the contents of this document or to correct any inaccuracies in it which may become apparent.
DSBC is not responsible for providing the recipient with any legal, tax or other advice regarding the contents of this document and the recipient should make its own arrangements in respect of this accordingly. This document has not been prepared to address the specific requirements or objectives of any particular client. The recipient is solely responsible for making its own independent appraisal of, and investigation into, the products, services and other content referred to in this document.
This document should be kept confidential and shall be used for internal business purposes only by the recipient to whom it is provided and its officers, employees and agents. This document should be read in its entirety and shall not be photocopied, reproduced, distributed or disclosed in whole or in part to any other person without the prior written consent of the relevant DSBC Group member. This document is proprietary to DSBC and the recipient agrees on request to return or, if requested, to destroy this document and all other materials received relating to the information contained herein.
Except in the case of fraudulent misrepresentation and/or breach of these terms, no liability is accepted whatsoever by DSBC and the DSBC Group for any direct, indirect or consequential loss arising from the use of this document.
Please contact your local DSBC representative for further information on the availability of products and/or services discussed herein in your region.
Ensuring robust security is essential to delivering products via the Internet. As technology develops, so do the various threats that businesses face in this environment and maintaining a suitably secure service requires a sound holistic approach to combating these risks.
DSBC aims to provide our customers with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of ‘best of breed’ technologies, the formulation of best practice IT policies and procedures, and the dedication of expert resources to their implementation and monitoring.
We employ industry-standard technical solutions to authenticate our customers’ identities when they log on, to ensure that their data is transmitted securely and reliably, and that the customer data we hold is protected.
We have back-up and contingency plans to ensure interruptions to the service, for whatever reason, are minimised. Drawing on our considerable experience as providers of secure electronic banking systems, we also operate a control and support structure designed to ensure that we address all aspects of the risks faced in providing transactional banking online.
This brief is designed to describe the technical and operational control features of DSBCnet. This introduction describes the overall control and governance infrastructure within which our Internet applications are developed and managed. Later sections of the document outline the main features of our security infrastructure.
The establishment, monitoring and periodic review of policies and procedures is a cornerstone of DSBC’s approach to the control of operating risks. We have a comprehensive set of IT standards covering material areas of Internet application development, launch, support and maintenance, architecture and the management of IT installations. In particular, security standards and principles are laid down in the Group’s IT Security Policy and Standards. These standards, for which the Group Chief Operating Officer has overall executive responsibility, are consistent with best industry practice and relevant regulatory requirements in the markets in which we operate.
Responsibility on a day-to-day basis for this policy and, in particular, for ensuring it continues to provide a suitable framework for the management of security risks, rests with the Group Head of IT Security.
Reflecting the rapid changes that occur in Internet technology (and therefore the nature of security risks faced), the policy is under continual review. In addition, formal periodic reviews and revision of policy are scheduled, based upon the input of business and IT Security professionals from around the Group. In this way, we can benefit from the experience of our staff in all the major markets in which we operate to ensure that policy addresses not only global but also local issues.
IT Security professionals are located in the principal regions in which the Group operates. Their primary role is to advise management on IT security issues, but they also have a mandate to perform independent security reviews of Internet applications. Each major release of DSBCnet functionality is preceded by an independent review by IT Security, including a benchmarking against the Group’s IT Security Policy and Standards and platform and application-level vulnerability testing. All major issues are resolved to the satisfaction of IT Security before launch occurs.
To ensure that a balanced and holistic approach to Internet security is maintained, we have established a number of specialist Internet risk functions. These functions work closely with IT Security and provide a critical interface to the business and those responsible for overall operating risks. This ensures that our approach to Internet risks is not isolated from the overall control and governance of our business.
DSBC has a strong and independent Internal Audit function, including a specialist team of IT auditors. Internal Audit work closely with the business to ensure that appropriate levels of technical, project, and operational controls are built into our processes but retain independence.
Internal Audit review significant systems launches prior to implementation, and have a mandate to review any other product/systems developments based on their risk assessment of the development in question.
DSBC maintains regular contact with regulators and benefits from discussions on relevant technical, management and market topics. We have dedicated compliance officers in all major sites responsible for ensuring that our Internet systems satisfy the relevant requirements of regulators in the markets we operate, and we seek to actively participate in relevant industry bodies and on regulatory forums to help develop industry best practices.
DSBC places a strong emphasis on training to ensure that our staff are aware of the importance of security to our business and the nature of the constantly evolving risks we face. Every member of our staff must comply with a comprehensive set of security disciplines to ensure that they operate DSBC’s systems securely.
Vigilance is crucial in combating the security threats faced in the Internet environment. We regularly review our security measures to ensure we stay ahead of the game, and act swiftly if we identify vulnerabilities.
The remainder of this document describes the salient features of DSBCnet security. These features will continue to evolve, however, and those described in forthcoming sections will be supplemented and enhanced.
If there are any aspects of security that do not appear to be covered by this document that you would like to discuss, please contact your local DSBC representative. If it is information that we are comfortable sharing with you, we can hopefully provide the clarification you require. However, we hope you will understand that for your security, there are aspects of our security arrangements that must remain confidential.
The security, reliability and resilience of Internet systems should be founded on ensuring that the underlying infrastructure of the service is secured and appropriate contingency arrangements are in place. This section describes some of the key features of control DSBC employs to meet these requirements. Please note that for security reasons we cannot describe here all the security measures we operate, or elaborate in detail on those we do describe. In addition, in most cases we will not disclose the third party security products we use.
A critical goal for ensuring that a robust and secure Internet service is provided is to secure the underlying infrastructure hosting and supporting the System. There are two key aspects to doing this: securing the perimeter to prevent and detect unauthorised external attempts to gain access to our systems, and controlling the Internet services infrastructure resident behind that perimeter.
When considering the security of an Internet product (as opposed to the underlying infrastructure dealt with in the preceding section), DSBC has identified three key areas of interest:
This section details the security features of the DSBCnet application that aim to address each of these areas, and discusses other security and control features of the System.
Please again note that, for security reasons, this section does not describe the features of the System and controls we operate in full.
Security credentials and two-factor authentication
DSBCnet aims to authenticate users logging onto the system based on a set of credentials, each designed to combat various aspects of the risks faced when authenticating identity over the Internet. DSBCnet seeks to authenticate a user’s identity in a number of ways, each designed to match the risks associated with the service or function being accessed to an appropriate level of security. These methods include traditional usernames and passwords, supplemented by the use of an additional credential we call a Memorable Question that provides added protection against denial of service attacks, and two-factor authentication.
Higher risk services and functions are protected by two-factor authentication. Two-factor authentication represents a significant enhancement to traditional password based security as it is based upon not only something you know—in this case a PIN—but also something you must physically possess. A potential attacker, therefore, must obtain the physical second factor—the security device—and the PIN that protects it before being able to compromise a user’s account, mitigating many of the pervasive risks that arise from the distributed nature of the Internet.
If someone tries to access your DSBCnet user account without the proper credentials, the System will lock the account after a number of unsuccessful attempts.
However, in order to mitigate the risk of someone maliciously locking your DSBCnet user account, DSBC has implemented denial-of-service protection. This aims to ensure that someone who knows only a user’s username is unable to lock out that user’s account simply by entering incorrect values when challenged.
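The lockout and denial-of-service protection described above can be structured as a two-stage login. The following is an added example written for this brief, not DSBCnet’s implementation. It assumes that the Memorable Question is answered before the password, that failures at that first stage count only against the requesting source, and that only a request which has already passed the first stage can reach the stage whose failures count against the account. The class name, limits, windows and sample values are illustrative.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict


class TwoStageLoginThrottle:
    """Stage 1: username + Memorable Question answer. Failures count only
    against the requesting source, so a username alone cannot lock the account.
    Stage 2: password (a one-time code would be checked the same way). Failures
    count against the account and lock it after account_limit misses.
    Limits and windows are illustrative assumptions, not DSBCnet's values."""

    def __init__(self, clock=time.time, source_limit=5, source_window=900,
                 account_limit=3, account_lock=1800):
        self.clock = clock
        self.source_limit, self.source_window = source_limit, source_window
        self.account_limit, self.account_lock = account_limit, account_lock
        self.users = {}                           # username -> salted hashes
        self.source_failures = defaultdict(list)  # source -> stage-1 failure times
        self.account_failures = defaultdict(int)  # username -> stage-2 failures
        self.locked_until = {}                    # username -> unlock time
        self.stage1_tokens = {}                   # token -> (username, source)

    @staticmethod
    def _hash(salt, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def register(self, username, memorable_answer, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "answer": self._hash(salt, memorable_answer.strip().lower()),
            "password": self._hash(salt, password),
        }

    def _source_blocked(self, source):
        now = self.clock()
        recent = [t for t in self.source_failures[source] if now - t < self.source_window]
        self.source_failures[source] = recent
        return len(recent) >= self.source_limit

    def begin_login(self, username, memorable_answer, source):
        """Stage 1. Returns an opaque token on success, None otherwise."""
        if self._source_blocked(source):
            return None
        user = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["answer"] if user else b"\x00" * 32
        given = self._hash(salt, memorable_answer.strip().lower())
        if user is None or not hmac.compare_digest(given, expected):
            self.source_failures[source].append(self.clock())  # never the account
            return None
        token = secrets.token_urlsafe(32)
        self.stage1_tokens[token] = (username, source)
        return token

    def complete_login(self, token, password, source):
        """Stage 2. Returns True when the login succeeds."""
        entry = self.stage1_tokens.pop(token, None)      # tokens are single-use
        if entry is None or entry[1] != source:          # and bound to the source
            return False
        username = entry[0]
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return False                                 # locked: reject outright
        user = self.users[username]
        if not hmac.compare_digest(self._hash(user["salt"], password), user["password"]):
            self.account_failures[username] += 1
            if self.account_failures[username] >= self.account_limit:
                self.locked_until[username] = now + self.account_lock
                self.account_failures[username] = 0
            return False
        self.account_failures[username] = 0
        return True

    def is_locked(self, username):
        return self.locked_until.get(username, 0) > self.clock()
```

The point of the ordering is that an attacker who knows only a username never reaches the counter that locks the account; the most they can do is get their own source throttled, while the legitimate user connecting from elsewhere is unaffected.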
Security sensitive data (e.g. password) is masked on screen when entered. When being transmitted to DSBC from the customer’s browser, the transmission of data is encrypted (via TLS – Transport Layer Security). On reaching DSBC, this data is encrypted within the databases. Even DSBCnet administrators do not have access to this information.
If someone obtained my credentials and was able to access the system, how could I determine whether that had occurred?
There are facilities within the DSBCnet application that the Customer can use to review activities performed by a specific username.
When you log in, your main landing page will indicate the last time this account logged in.
Any business or administrative activities performed by the user account can be viewed by the ‘activity query’ facility.
Both the transmission of security details and all online administrative or transactional activities between the user and DSBCnet are encrypted using the TLS protocol.
Encryption scrambles data with a key before it is transmitted, so that only a party holding the correct key can unscramble and read it. Its strength depends on the algorithm used and on the length of the key: for a sound algorithm, the longer the key, the longer someone without it would need to recover the data by trial.
TLS is an industry-standard protocol to secure Internet communications between web browsers and DSBC. DSBC currently supports TLS 1.2 and above.
DSBC employs security industry best practices to protect customer or personal data. The Profile Company’s data privacy statement is presented to each user for agreement at the time of registration and details the protection that users are afforded.
In addition, no user’s information is written to disk or stored on Internet-facing web servers. The web servers are separated physically from the back office databases that hold the transaction data. Therefore, no transactional customer information is kept on the web servers.
Sensitive data such as customer passwords are stored in encrypted databases, with the encryption keys held in a hardware security module (HSM).
Described below are some of the functional features built into DSBCnet to enable the Customer to more easily control the use of the System.
DSBCnet provides two access levels for customer staff. System Administrators can perform (under either dual or sole control) general administrative tasks such as the set up and entitlement of users to DSBCnet tools, and the suspension or deletion of users.
End users have no access to administrative functions. Either type of individual can be allocated transactional functionality, but the System is flexible enough to allow for the complete segregation of administrative and transactional functions.
The access control tool allows your designated DSBCnet system administrators to determine individual user access rights and entitlements, down to account level viewing and payment authorisation limits.
The number of users required to authorise a payment can be set, as well as the combinations of user levels for differing values of payments. You can establish a system that requires authorisation for payments over a certain value from a separate country or at head office.
This enables complete control of access and authorisation while allowing payments to be processed efficiently.
All critical administrative and business functions in DSBCnet can be controlled on a dual authorisation basis (one user submits a transaction/request; another is required to authorise it). However, the application provides the flexibility for the customer to define whether they require dual authorisation.
In normal operating circumstances we would, however, strongly recommend that the dual control option is selected.
Key administrative and transactional events are logged by DSBCnet and available for viewing online via the activity query log tools. An audit trail is provided allowing for retrospective internal control and financial auditing of System’s activity.
DSBCnet enforces idle (inactivity) session timeouts. If a session remains inactive for a set period of time, the session will be terminated and the user will be required to log back into the application. Moreover, the pages the user has viewed during the session expire to prevent them from being stored in the browser, where they could be accessed later by another user.
This section contains a series of questions relating to security not explicitly covered in the preceding sections that may be of interest to you.
The simulation of genuine business websites by fraudsters (‘phishing’) is increasingly common. The aim is to trick users into entering confidential security information into the fake site in the belief they are logging onto a genuine service, thus compromising these credentials. To combat this, DSBCnet presents a server certificate issued to DSBC, which the browser validates when a user connects, so that the service can be confirmed as a genuine DSBC service.
Care must be taken, however, when relying upon server certificates. Each user must be diligent to ensure when establishing an HTTPS connection that he/she trusts the certificates being presented. When connecting to the DSBCnet website, if a warning message appears, you should review the warning very carefully prior to accepting and creating a trust relationship. If you establish a trust (by accepting a new certificate) with a malicious entity, then all the information you enter is at risk.
It is worth noting that, although the spoofing technique described above could lead a user to disclose a username and password, DSBCnet’s use of two-factor authentication means that those credentials alone will not allow an attacker to reach transactional services. A fake site can, however, relay a one-time code to the genuine site while that code is still valid, so the certificate checks described above remain important even with two-factor authentication in place.
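As an added example of applying the TLS and certificate rules above programmatically (this is illustrative code written for this brief, not DSBCnet’s), the strict context below refuses anything below TLS 1.2, requires a certificate chaining to a trusted CA and checks the hostname, which is the client-side counterpart of the user refusing to click through a browser warning; the permissive context shows what accepting an unexpected certificate amounts to. The hostname, port and report fields are assumptions.

```python
import socket
import ssl


def strict_client_context():
    """Verify the chain against the system CA store, check the hostname,
    and never negotiate below TLS 1.2 (the minimum the text says DSBC supports)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context():
    """The programmatic equivalent of accepting a certificate warning:
    no chain validation and no hostname check. Shown only as the anti-pattern."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(hostname, port=443, timeout=5.0):
    """Connect with the strict context and report what was negotiated.
    Raises ssl.SSLCertVerificationError (fail closed) if the certificate
    does not chain to a trusted CA or does not match the hostname."""
    ctx = strict_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),                      # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],
                "subject": dict(entry[0] for entry in cert["subject"]),
                "not_after": cert["notAfter"],
                "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


if __name__ == "__main__":
    import sys
    # Assumed usage: python tls_probe.py <hostname>
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run `probe()` against the banking host to confirm the negotiated version is TLS 1.2 or 1.3 and that the subject alternative names include the hostname you typed; a verification error is the correct outcome for a spoofed site, and is the signal to stop rather than to relax the context.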
DSBCnet is reached by its public domain name over the Internet, so you do not need to specify or whitelist the bank’s IP address.
Cookies are pieces of information stored directly on the computer you are using and can contain information about your computer preferences that allows customisation of the site for your use. Cookies can contain expiration dates and specific instructions on which web sites can read them.
They are used to provide you with a more efficient and more consistent experience at a site.
Yes, but only transient cookies that are automatically deleted when you close your browser. The Profile Company’s cookies are used to provide you with a more efficient and consistent experience at our site. Cookies contain information about your computer preferences that allows customisation of the site for your use. However, for DSBCnet, cookies are used for session management purposes.
A session cookie is used to manage the user’s sessions while they are logged on. The data held in the cookie is not directly recoverable - it is a reference to the user's profile and this is held securely on our own servers. We do not store any sensitive customer information in the cookie itself.
There is more than one cookie created on login, but they are all transient. For example, a separate cookie is set when the user accesses the market data tab on the personal page.
Both the session cookie and the market data cookie are transient and will be removed at the end of the session.
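The session behaviour described in the two passages above (idle timeouts with page expiry, and transient session cookies that hold only a reference to server-side state) can be demonstrated together. The following is an added example written for this brief, not DSBCnet’s code; the timeout value, cookie name and header set are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 600   # assumed value; the brief does not state the period


class SessionStore:
    """Server-side session state keyed by an opaque random identifier."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}

    def create(self, username):
        sid = secrets.token_urlsafe(32)   # random reference; carries no user data
        self._sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def touch(self, sid):
        """Return the user for a live session and extend it; None if idle too long
        or unknown, in which case the caller must send the user back to login."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[sid]       # terminate: the id is no longer usable
            return None
        session["last_seen"] = now
        return session["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid, name="DSBCNET_SESSION"):
    """Set-Cookie value for a transient session cookie. No Expires or Max-Age means
    the browser discards it when closed; Secure restricts it to TLS; HttpOnly keeps
    it away from page scripts; SameSite=Strict withholds it on cross-site requests."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def expire_cookie(name="DSBCNET_SESSION"):
    """Set-Cookie value sent on logout so the browser drops the cookie immediately."""
    return f"{name}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict"


def authenticated_page_headers():
    """Response headers that stop viewed pages being kept by the browser or a
    proxy, so they cannot be pulled back from cache by the next user of the PC."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }
```

The cookie value is only a lookup key: everything about the user lives in the store on the server, and once `touch()` has expired a session the same key returns nothing, so a copied cookie is worthless after the idle period or after logout.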
There may also be some memory still in use after the program has finished, but this is normal and is reused by other applications as and when required.
Some DSBCnet applications may load files (e.g. copies of statements) into temporary Internet file folders. These files will need to be removed manually by the user.
The following steps are taken:
DSBC monitors the login process and if response times exceed a threshold, then we will investigate.
DSBC monitors processor utilisation and if thresholds are exceeded, then DC Operations will investigate.
Both systems are monitored twenty-four hours a day, seven days a week.
Ensuring that online banking can be carried out in a secure environment is ultimately dependent not only upon the service provider designing, building and managing robust systems, but also upon users exercising sensible security precautions.
DSBC expects that users will comply with the basic principles of good Internet security when operating DSBCnet. For example, we expect our users not to disclose their passwords to anyone and to exercise suitable controls over the physical security of tokens issued by the bank to customers.
This also extends to the need for customers to exercise robust security precautions in the operation of their own computer systems (commensurate with their relative complexity).
For example, we expect customers to install and maintain network firewalls and perform virus checking regularly.
Some of these security requirements are set out in this brief, called the Access Control Procedures. We also expect customers to follow any security requirements we may issue from time-to-time regarding the operation of the system.
DSBC recognises the importance of assisting our customers to protect themselves from a wide range of IT security risks.
We have a security awareness web site that can be accessed via DSBCnet, which we would encourage all customers to use.
Additional materials related to this area and other key aspects of Internet security, such as the use of email and the Internet and materials detailing the nature of security threats faced, including issues such as social engineering, will also be available online to DSBCnet users. In addition, guides on improving security practices can also be provided on request by your DSBC representative.