Bank of the Ozarks' Online Banking system brings together a combination of industry-proven security technologies to protect data for the Bank and for you, our customer. It features three main categories of security. The first is PassMark™ Login Protection, the requirement that each user choose an image and phrase that no one but the authorized end user should ever have access. Second is transmission security, the need to keep unauthorized agents from intercepting and/or deciphering the transmission of customers' encrypted data while it travels between the customer's computer and the Bank's server. The third category of security deals with information privacy and integrity, the ability to prevent unauthorized agents from viewing and/or writing to customers' data while it is stored on the Bank's server. "End user" will be used to signify an authorized customer using software for the benevolent purposes it was intended, and "agent" will be used to signify a person whose goal it is to exploit a software application for some negative end.
I. PassMark Login Protection
To protect the privacy and security of each end user's personal information, Bank of the Ozarks’ Online Banking offers a login security feature known as PassMark™. PassMark employs dual-authentication to protect end users when they log in to Bank of the Ozarks’ Online Banking. PassMark uses an image and a phrase which helps the end user identify they are accessing our website, not a fraudulent, look-alike site. Additionally, PassMark provides the end user with added safety by helping Bank of the Ozarks to identify each end user, preventing unauthorized access to accounts. When a customer visits a branch office, that customer can identify the bank staff, and the bank staff can, in turn, identify the customer. Your PassMark™ image and phrase works similarly enabling the end user to successfully identify the Bank of the Ozarks website and vice versa. When end users enroll in PassMark, they will select an image and a phrase known only to that end user. Upon login, Bank of the Ozarks will show end users their image and phrase to confirm that successful access to Bank of the Ozarks’ real website and not an impostor site. Bank of the Ozarks can identify the end user by checking the computer(s) that the end user uses to access our website. Typically an end user will access our website from one or two computers, such as a work and home computer. Either way, Bank of the Ozarks’ website will remember the end user’s computer, preventing potential fraudsters from logging in, even if they acquire or guess your login ID and password. Should an end user need to log in from a different computer, such as an Internet café, Bank of the Ozarks will take additional steps to verify that end user’s identity through a series of challenge questions set up at the time of enrollment. Above all, PassMark provides a significant increase in online banking security versus traditional “User ID and password” authentication without much change in the end user’s online experience.
THREE (3) STRIKES AND YOU'RE OUT
If an agent attempts unauthorized entry into a customer's account by trying to guess a login ID and password, Bank of the Ozarks' Online Banking system will disable or destroy the password on the third incorrect attempt, thus invalidating the login combination. The disabling and/or destruction of the password keeps an unauthorized agent from running a 'crack' program, an application that can run through millions of possible passwords eliminating the invalid ones until it arrives at a match. To guard against unauthorized use of your login ID and password, Bank of the Ozarks' Online Banking system disables the password indefinitely until you call the bank and request your login ID and password to be reset. This will occur if you accidentally activate this security feature by unintentionally miskeying a password three times. You will need to call the bank to reestablish the password for your account(s). For example, a common mistake made by end users is having the caps-lock on while keying in a password. Since the password is uppercase and lowercase sensitive and you cannot actually see the characters you are typing, it is easy to think you are typing the password correctly when the caps-lock is engaged.
SUGGESTIONS FOR PASSWORDS
Your password and login ID provide security against unauthorized entry and access to your accounts. Passwords should not be easy to guess; for example, children's or pets’ names, birth dates, addresses or other easily recognized identifications for you should be avoided. Combining cases (utilizing upper and lowercase) within your password, as well as combining alpha and numeric characters, is a good security precaution in selecting a password. Further, passwords should not be stored on the device used to access online banking.
II. TRANSMISSION SECURITY
Transmission security begins with the browser. An end user must be using a browser that supports the Netscape-developed encryption technology known as Secure Sockets Layer (SSL). Versions of Netscape 2.0 or beyond and Microsoft Internet Explorer 3.02 or beyond come equipped with SSL. SSL's specific function is to manipulate data into an unreadable format as it leaves the end user. The temporary scrambling of data in transit is referred to as “encryption.” In the unlikely case that an agent should intercept the data in transit, the encryption makes the data unreadable to a human. Furthermore, data in transit is split up into packets that travel separately and are not reorganized until they filter through the Bank's router and firewall.
As you would expect, the converse of encryption, decryption, must take place before the data is rearranged back into a useful format. The relationship between which computer encrypts data and which computer has the subsequent ability to decrypt that data is tightly regulated by an extension of SSL known as public and private key pair technology. This method consists of two keys, one public and the other private. The public key is published from the Bank's server upon request by the end user, while the private key is held privately at the Bank's server. Once received by the end user's browser, the public key encrypts the data as it leaves for the Bank's server. Then encrypted data can only be decrypted by the private key, based on the mutually exclusive, asynchronous relationship that these two keys share. As Netscape puts it, "Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful."
This answers the question that may have occurred to you: "Encryption may make data unreadable to a human, but can another machine intercept the data and unscramble it?" The co-dependency between the public and private key pair makes sure that the only computer capable of decrypting data is the one who provides the means by which it is also encrypted. This raises another question: "How can either party, the recipient of a public key and/or the holder of the private key make any guarantee that either are who they say they are?" Indeed, if substitutions of identity can be made, it makes no difference how well encrypted data travels. To address this issue, Bank of the Ozarks' Online Banking system employs the VeriSign Digital ID, authentication technology.
The reasoning behind the public/private key pair is similar to that of a safety deposit box that can only be opened by two separate keys that are owned by two different people and must be used simultaneously to work the lock. With a safety deposit box, it is relatively easy to make visual confirmation that the person holding the other key is who you think they are and, indeed, someone with whom you want to be sharing this mutual responsibility. The Internet is faceless, however, and a bank's server is likely to get requests all day long from end users all around the world. How does a bank bind the identity of the computer knocking on its server door with a legitimate, authorized end user? And conversely, how does the browser of a legitimate end user verify that it is communicating with its intended destination at the bank?
Bank of the Ozarks' Online Banking servers employ technology called the Digital ID to address the issue of identification. The Digital ID, developed by VeriSign, provides a standard of authentication against which claims of identity can be made and guaranteed. VeriSign, in its white paper, writes, "Digital IDs are electronic credentials that establish an individual's or entity's identity. A server secured with a Digital ID ensures visitors of the site's authenticity and allows the session with the client to be encrypted." It is essentially "third-party evidence" that end users seeking and receiving data are who the server understands them to be, and vice versa.
Here is a section taken from VeriSign's white paper that describes how it works in conjunction with public/private key pair technology.
A Digital ID provides an electronic means of verifying that the individual or organization with whom you are communicating is who they claim to be. The identity of the Digital ID owner is bound to a pair of electronic keys that can be used to encrypt and sign digital information, assuring that the keys actually belong to the person or organization specified.
A CA (Certification Authority) such as RSA attests to an individual's or organization's right to use the keys by digitally signing the Digital ID after verifying the identity information it contains. The assurance provided by the Digital ID depends on the trustworthiness of the CA that issued the Digital ID and the integrity and security of the CA's practices and procedures.
When a connection is established between a client and a secure server, the client software automatically verifies the server by checking the validity of the server's Digital ID. The key pair associated with the server's Digital ID is then used to encrypt and verify a session key that is passed between the client and server. This session key is then used to encrypt the session. A different session key is used for each client-server connection, and the session key automatically expires in 24 hours. Even if a session key is intercepted and decrypted (very unlikely), it cannot be used to eavesdrop on subsequent sessions. SSL is the connection protocol used for this authentication and encryption process.
III. SERVER SECURITY AND INFORMATION PRIVACY/INTEGRITY
Learn how the Bank of the Ozarks website secure server and the information stored on it have employed multiple strategies for your data protection. Read more »