Security

http://www.msn.es/security/phishing/
http://iblnews.com/noticias/06/129350.html
http://es.wikipedia.org/wiki/Phishing
http://www.consumer.gov/idtheft/ (ENGLISH)

Go up

5. Protections

The protection described below is supplementary and no single one replaces the others

Digital certificate

A digital certificate is a guarantee of the identity of a given sever and associated pages which offer a service in the electronic world (chiefly the Internet).

The digital certificate is issued by a trusted company (Certification Service Provider), such as Verisign or the FNMT (Fábrica Nacional de Moneda y Timbre), which after thoroughly identifying the applicant, assigns them a certificate by creating one.

The digital certificate contains the data on the address to be certified (e.g.: www.SabadellAtlantico.com), the identity of who operates at the said address, the expiry date of the certificate and other technical data. The digital certificate, in turn, is digitally signed by the Certification Service Provider.

The trust in a digital certificate therefore, in addition to the content of same, is due to the trust we have in the Certification Service Provider which has issued and signed it. Certification Service Providers publicly show the processes used to perform the certification: these are the Certification Practices and Policies. In this way, we can evaluate the trust to be placed in a given Certification Service Provider.

How can I validate the pages of an Internet service?

A digital certificate may appear in different situations. The most common is to check whether the pages of a given Internet service belong to their true owner or an impostor who has copied them. Thus, we can ensure that the personal and confidential information we send is received by the proper identity.

It is advisable never to provide confidential data to pages activated via a link contained in an e-mail. We recommend you always access our webpages via the Internet addresses given by the Bank.

Steps to check the pages of an Internet service (secure pages):

1. Check that the address (url) of the pages starts with the prefix https and that your browser shows the locked padlock icon in the lower right of your window ( in Internet Explorer,  in Netscape Navigator).
   
2. Click on the padlock (double click in Internet Explorer and one click in Netscape Navigator) to see the digital certificate and check the identity of who is showing the pages which are going to collect your information:
   
   1. In Internet Explorer:

      Check the address (URL), the issuer of the certificate and validity of same.

      Then select the "Details" tab to check the identity of the party showing the pages displayed and where we enter our information.

      In the upper window which appears, select the "Re:" field. We can now display the information in the lower window. For Banco Sabadell companies, the O field (Organization) must contain the information "BANCO SABADELL" and, as supplementary information, the L, S and C fields are Sabadell, Barcelona and ES respectively.

   2.  In Internet Explorer:

In Netscape Navigator:

 

Click on the "See" in the previous window.

 

This action causes a new window to appear with the information concerning the digital certificate:

Using the same address (URL) check the pages downloaded for the issuer of the certificate and validity of same.

For Banco Sabadell companies, the O (Organization) field must contain "BANCO SABADELL".

3. In other browsers:

 

The way of showing the certificate is similar in other browsers. Remember to check that the O field O (Organisation) shows the expected identity (in the case of Banco Sabadell companies, O = BANCO SABADELL).

Data encryption

In addition, when using secure pages (pages protected by a digital certificate), all the information transmitted between your browser and the server hosting the pages is transmitted in encrypted form, making it immune to interception by third parties.

To achieve maximum encryption protection for secure pages (necessary when using financial services or another type of confidential information), it is necessary to use a browser which provides strong encryptions (bits).

Certification Practices and Policies

Using the certification practices and policies, the Certification Service Providers show the public the mechanisms and steps (identity checks) used to issue the digital certificates on request. Thus, the party checking the certificate can trust the certificates issued by the provider.

In practice, as the policies and practices are long documents, one trusts a certification service provider according to the prior knowledge we have of them, , with Verisign as the most well-known worldwide for certifying pages of portals and servers.

Certification Policies (CP).

The policies indicate what the certification service providers do and the types of services and certificates they issue.

The link below shows the certification policies (CP) of Verisign, world leader in certification services

https://www.verisign.com/repository/vtnCp.html(ENGLISH).

Certification Practices (CPS).

The certification practices detail how the policies are ensured, i.e. what specific procedures and mechanisms are used to issue the digital certificates.

The link below shows the certification practices (CPS or Certification Practice Statements) of Verisign, world leader in certification services:

http://www.verisign.com/repository/CPS/ (ENGLISH)

Links of interest concerning digital certificates and Certification Service Providers

Verisign (ENGLISH)
ACE
Thawte (ENGLISH)
Camerfirma

Personal Firewall

A firewall is a program which blocks non-authorised access from the Internet to our computer and also uncontrolled access (caused by a new virus or malware) from our computer to the Internet.

Nowadays, we can find firewalls in separate programs or forming part of other security programs (such as an antivirus) or in the operating systems themselves (such as Windows XP).

It is called a personal firewall to distinguish it from a perimeter firewall which is generally used to protect an entire group of networked computers against a connection from an unknown network (generally the Internet or another, third party network).

BY using a personal firewall we can control the connections made with the Internet or with other networks and towards all the programs on our computer. When the firewall is installed, all the connections are prohibited and those generally used must be expressly authorised according to how we use our computer. When the firewall notifies us of an attempted connection which has not been expressly authorised, we must indicate if we wish to authorise it for our present purpose or if the connection is due to an external agent (attempted access via the Internet, virus or similar). The personal firewall is a program intended for users already familiar with the Internet.

It is also advisable to periodically update the version of our firewall, in accordance with the manufacturers’ recommendations.

Useful links about firewalls.

Below we provide several links for informative purposes:

http://www.zonealarm.com

http://www.symantec.com/region/mx/product/consumer/npf/

http://www.protegerse.com/outpost/

Go up

6. Good Practices

Security updates for the navigator and the operating system

To prevent any possible problems arising from the vulnerabilities that are occasionally discovered in the software used, it is a good idea to visit the security pages of the manufacturers of the programmes that you use, in particular the navigator and the operating system itself.

Navigator.

The navigator, as the main tool for Internet access, is the programme that it is most important to keep updated with the latest security recommendations.

Use strong encryption (128 bit encryption) for communications with secure pages (https).

Periodically visit the manufacturer’s Internet pages and update the programme following the security recommendations that appear there.

 Links of interest concerning new versions and security updates for the navigator

In continuation, and merely for informative purposes, we indicate the following links:

http://windowsupdate.microsoft.com

http://www.microsoft.com/downloads/search.aspx?langid=18&displaylang=es

Operating system.

Some operating systems, such as Windows with its Windows Update function, have utilities for verifying the existence of operating system updates, including security updates.

Make use of these utilities or periodically visit the manufacturer’s operating system Internet pages and update the system according to the security recommendations that appear there.

Links of interest concerning security updating for the operating system

In continuation, and merely for informative purposes, we indicate the following links:

http://windowsupdate.microsoft.com

http://www.microsoft.com/spain/technet/seguridad/default.asp

http://www.microsoft.com/security/ (ENGLISH)

Use of strong encryption (128 bit encryption) in communications with secure pages

Strong encryption (implemented through the use of 128 bit encrypted codes) is achieved by means of the combined use of specific software in servers that have secure pages and the use of navigators with the capacity to work with encryption of this kind.

Because of its strength use is usually only authorised for servers where the pages belong to financial entities and other companies with similar security requirements. On the other hand use is unrestricted for the navigators.

To this end, the remote banking services of financial entities are usually capable of using strong encryption. The use of strong encryption for the communications carried out by these services will, then, depend on your navigator having strong encryption capacity.

Make sure that you use a version of your preferred navigator that has strong encryption capacity (128 bits). If it does not then update your navigator to a versions that will allow for strong encryption.

How to know whether a server allows strong encryption (128 bits)

A server that uses strong encryption will usually announce this on its pages, usually in a specific security section. If this is not the case you must have a navigator with strong encryption to verify the type of encryption that a determined server uses.

How to know if you are using communications with strong encryption (128 bits)

In order to know whether you are exchanging information by means of strong encryption you must first observe whether the padlock at the bottom right hand corner of the window of your navigator is closed. Once this has been done:

 

• For Internet Explorer, by moving the mouse, place the courser over the padlock, leaving it there for an instant, until the length of the encrypted code appears. This should be 128 bits.

   

   

• For Netscape Navigator, click once on the closed padlock. A window will then open that will indicate the type of encryption, which should be 128 bits (high grade encryption).

   

If you have a navigator that is enabled to use strong encryption you can also communicate in a secure manner with servers that do not have this characteristic. In this case it will automatically be used for communications of the type of encryption that is higher than that which is supported by the server and as the code length of the encryption will appear a value that is lower than 128 (normally 40 to 56 bits).

How to update your navigator so that it can use strong encryption (128 bit)

Go to the download and update pages of the manufacturer of your favourite navigator and search for the 128 bit versions or updates for your navigator. Remember that you will only be able to communicate with those servers that have this characteristic.

Links of interest concerning 128 bit encryption

In continuation, and merely for informative purposes, we indicate the following links:

http://www.microsoft.com/windows/ie_intl/es/download/128bit/intro.asp

http://www.aola.com/netscape/download/

Backup copies

In order to be able to recover the information available in the computer prior to the appearance of a problem, you should make backup copies and keep them up to date.

An important aspect for being able to achieve the recuperation of backup copies is where you keep them. The copies must be kept apart from the equipment that contains the original data so that, in the case of an incident, the copies are not also lost. This is particularly important in the case of a laptop computer, a situation where it is recommended that you avoid keeping the backup copies in the same bag or case as the laptop.

Backup copies can be made on mediums known as "removables", which can be extracted from the computer which contains the original data. These removable mediums may be floppies, recordable CD’s or DVD’s, tape units, ZIP units, USB (Universal Serial Bus) such as external disks, persistent memories, etc.

Links of interest concerning backup copies

In continuation, and merely for informative purposes, we indicate the following links:

http://www.conozcasuhardware.com/quees/almacen4.htm#backups

http://www.iomega-europe.com/eu/en/products/products_en.aspx (ENGLISH)

http://www.pricingcentral.com/best/backup_utility_software.html (ENGLISH)

Go up

7. Electronic Signature 

Banco Sabadell has initiated the use of the electronic signature in its dispatches of e-mail

The electronic signature of the e-mails guarantees the identification of the issuer, who has received the validation of his e-mail address by means of the Verisign,

electronic signature, the digital certification authority with worldwide recognition, and which at the same time technically guarantees that the content of the message has not been altered on route by a third party.

Additionally, for greater ease and better identification of the issuer, every e-mail message issued includes at the foot a random image which is associated to the receiver, with a number which increases with every dispatch and which helps to quickly identify the origin of the message.

The image is always the same for a specific issuer and receiver, but the number increases with each dispatch.

Example of an e-mail signed electronically

The following gives an example of how to distinguish an e-mail signed electronically in «incoming mail». The e-mail is shown with an icon that differentiates it as an electronically signed e-mail:

In the Microsoft Outlook e-mail programme:

- When opening the « incoming mail », we can observe a different icon for messages signed electronically:

- On "double-clicking" on the message, we can also see that the message on the right has an icon corresponding to the electronic signature:

In the Thunderbird e-mail programme:

- On selecting the message, we observe that it shows a different icon on the right that indicates that the message has been signed electronically:

If we double click on the icon located on the right hand side of the message, in both mail systems we will obtain information on the electronic signature and on the certificate issued by Verisign:

In the Microsoft Outlook e-mail programme:

Aparecerá la siguiente ventana:

Pulsando el botón para obtener más detalles, nos aparecerá la ventana siguiente, en la que pulsando el botón para ver el certificado, podremos obtener los detalles del mismo en una nueva ventana:

Donde finalmente, después de pulsar sobre la pestaña «Detalles» y sobre la línea «Asunto», podremos observar todos los detalles correspondientes al certificado obtenido de Verisign, acreditando así la autenticidad del emisor (dirección emisora del correo electrónico, conteniendo el sufijo «@bancsabadell.com», y el resto de información del emisor y de Verisign).

En el programa de correo Thunderbird:

Aparecerá la ventana siguiente:

Indica que el mensaje está firmado electrónicamente, con una firma válida, quién lo ha firmado (dirección emisora del correo electrónico, conteniendo el sufijo «@bancsabadell.com») y el resto de información del certificador Verisign.

Si pulsamos el botón para ver el certificado de la firma electrónica, podremos ver sus detalles en una nueva ventana.

Donde, finalmente, después de pulsar en la pestaña "Detalles" y sobre la línea «Asunto», podremos observar todos los detalles correspondientes al certificado obtenido de Verisign, acreditando la autenticidad del emisor (dirección emisora del correo electrónico, conteniendo el sufijo «@bancsabadell.com», y el resto de información del emisor y de Verisign).

En otros programas de correo:

En otros programas de correo, la forma de reconocer la autenticidad de los mensajes firmados electrónicamente es similar.

La mayoría de los sistemas de correo que no necesitan de un programa de correo para ser accedidos, sino que se acceden con un navegador web (sistemas de correo del tipo «webmail»), no disponen de las facilidades anteriores para reconocer los correos firmados. En este tipo de sistemas de correo podemos ayudarnos de la medida adicional que se explica a continuación para validar mejor al emisor de un correo, aunque este mecanismo para reconocer al emisor del correo electrónico no es tan seguro como el anterior

Medida adicional de confianza:

Como medida adicional de confianza, para facilitar el reconocimiento de los mensajes firmados electrónicamente por las sociedades del grupo, al pie del mensaje firmado encontraremos una imagen, escogida aleatoriamente en función de la dirección del destinatario, de forma que cada destinatario recibe una imagen diferente, que siempre será la misma mientras no cambie su dirección de correo electrónico de destino. Sobre esta imagen aparece un número secuencial, que se incrementará con cada envío que se reciba en la misma dirección de destino.

De esta forma, un destinatario siempre recibirá la misma imagen añadida al pie del mensaje firmado y, sobrepuesto, un número que se incrementará en cada envío.

Al lado de la imagen y el número secuencial figuran los datos correspondientes al certificado digital emitido por Verisign que se ha utilizado para firmar electrónicamente el mensaje.

Ejemplo de pie de mensaje:

Go up