BW-Bank - Vasco

DIGIPASS BY VASCO
BW-Bank case study
BW-Bank: online banking security for all
BW-Bank is the first bank in Germany to replace TAN-lists with one of the world’s leading security practices: strong authentication.
All BW-Bank customers received a BW-Bank TAN generator, a model from the DIGIPASS family. At the bank’s side, the VACMAN
Controller software suite has been implemented to verify all authentication requests.
Meanwhile, all online banking customers use DIGIPASS to access their online banking accounts. And with success: since October
2007, BW-Bank has reported just one case of online fraud.
BW-Bank began offering the innovative and secure TAN-generator to its
online banking customers in September 2006. Customers received a
small handy device, the size of a matchbox, to generate random transaction
numbers (TAN) for secure online banking. A simple keypad and graphic
interface make its use very straightforward. The generated transaction
numbers can be easily read from the highly readable display.
Whenever a customer wants to conduct an online transaction, he uses his
personal BW-Bank TAN-generator. TANs are calculated using a formula
that takes a secret key and produces a transaction number. The calculation
involves, among others, user-specific information, the current time and transaction
data, which has to be entered manually into the calculation of the TAN. As a
result, a 6-digit transaction number is displayed on the device. It has limited
time validity and can only be used to sign the current transaction. This
ensures that the process meets the highest safety standards. This is also
confirmed by recognized experts. The security procedures with the
TAN generator successfully passed the analysis of the Fraunhofer Institute
of Secure Information Technology: “The security procedures with the
TAN generator of BW-Bank provide effective protection against all known
attacks on online banking”.
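The properties described above (a 6-digit code derived from a secret key, user information, the current time and the transaction data, valid briefly and only for that transaction) can be illustrated with the following added example, which is not part of the original case study and is not VASCO's algorithm. The page does not specify the DIGIPASS formula, so HMAC-SHA256 with RFC 4226-style truncation, the 60-second step, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60  # assumed validity window in seconds (not a DIGIPASS parameter)

def generate_tan(key: bytes, user_id: str, tx_data: str, now: int) -> str:
    """Device side: 6-digit TAN bound to user, time step and transaction."""
    msg = struct.pack(">Q", now // STEP) + user_id.encode() + b"\x00" + tx_data.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                  # RFC 4226-style dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class TanVerifier:
    """Bank side (hypothetical): recomputes the TAN and refuses reuse."""
    def __init__(self, keys: dict):
        self.keys = keys      # user_id -> shared secret key
        self.used = set()     # (user_id, tan, time step) already accepted

    def verify(self, user_id: str, tx_data: str, tan: str, now: int, drift: int = 1) -> bool:
        key = self.keys.get(user_id)
        if key is None:
            return False
        for d in range(-drift, drift + 1):      # tolerate small clock drift
            t = now + d * STEP
            expected = generate_tan(key, user_id, tx_data, t)
            if hmac.compare_digest(expected, tan):
                token = (user_id, tan, t // STEP)
                if token in self.used:          # a TAN signs one transaction once
                    return False
                self.used.add(token)
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key-0123456789"    # constructed sample secret
    bank = TanVerifier({"alice": key})
    now = 1_200_000_000                          # constructed timestamp
    tx = "DE00123456789|250.00"                  # constructed: account|amount
    tan = generate_tan(key, "alice", tx, now)
    return {
        "tan": tan,
        "genuine": bank.verify("alice", tx, tan, now + 20),
        "replayed": bank.verify("alice", tx, tan, now + 25),
        "altered": bank.verify("alice", "DE99999999999|9500.00", tan, now + 20),
        "expired": bank.verify("alice", tx, tan, now + 10 * STEP),
    }
```

Because the transaction data is part of the MAC input, a TAN captured for one payment does not verify for a payment whose beneficiary or amount was changed in transit, which is the property that a static TAN list lacks.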
At the very beginning of the introduction of the security device, customer
response was very positive: in the first four months following the launch,
already 10,000 customers requested the DIGIPASS device for secure
online banking. Over the next 18 months more than 160,000 TAN lists
were replaced by the TAN-generator, and more than 200,000 business
customers were issued with a TAN generator.
To allow all its customers the benefit of secure online banking, BW-Bank
currently offers three different types of TAN-generators. The basic model is
a DIGIPASS 251 customized with the bank’s corporate colors. For people
with physical disabilities or visual impairments, the bank offers DIGIPASS
300, with extra large buttons and display. And BW-Bank even caters to the
needs of the blind with a speech-enabled DIGIPASS 301 Comfort Voice
device. A voice guides the user through the procedure in the same way as
with phone banking, increasing customer confidence in the solution.
From the outset, BW-Bank devoted much attention to the user acceptance
of the TAN-generator. “A sales representative will support a new feature
requiring explanation only if he is convinced of the effectiveness of the
solution,” says Mr. Wegmann, project manager at BW-Bank and responsible
for the security of electronic distribution channels in the area of retail and
investment clients. Therefore the bank conducted internal research to
ensure the acceptability of the solution before TAN-lists were replaced by
the DIGIPASS devices. Furthermore, the bank informs its users about every
aspect of the TAN-generator on its website www.bw-bank.de/tan-generator.
Of course not everyone was completely convinced of the advantages of
the TAN-generator device. Some customers were not aware of the existing
threats a pre-printed TAN-list posed and others did not easily want to give
up a method they had been using for the last twenty years.
TAN-lists did have some advantages, insecure though they were. “It could
be copied, cut into two pieces or you could write out a few of the numbers
and keep them in your purse”, Wegmann admits. “We therefore not only
had to convince the customer of the benefits of the TAN-generator, but we
also had to change his old habits.”
The use of the TAN-generator for each customer application is very
simple and almost self-explanatory, increasing user acceptance. Even the
media played an important role. Wegmann says: “Media coverage about
phishing threats, Trojans and Man-in-the-middle attacks has significantly
contributed to a change of consciousness. Meanwhile, we have even
won one or two customers, thanks to our high level of security for online
banking accounts.”
In comparison with the logistical and user
acceptance efforts involved with the
introduction of the TAN-generator and
the replacement of all paper-based TAN-lists, the technical implementation of
the solution was a breeze. In just three
months, the integration of the VACMAN
Controller was completed. Furthermore,
the bank could always rely on VASCO’s
fast and reliable support.
Since the rollout of the devices, the
authentication procedure for customers
has posed no problems at all. Failure
rates are below 0.1%, which is a very
good value for a small hardware product
used by customers. The interaction between
the TAN-generator and the application is running smoothly, and the bank
now hardly receives any questions from customers about its use, according
to Wegmann. “We had our doubts at first, of course, and therefore expected
a high volume of support requests. But this has been very limited. Our BW-Bank Service Center today reports hardly any issues with the use of the
TAN-generator itself.”
Even from a financial point of view, the TAN-generator proves to be an
interesting alternative. According to a study of the S-CERT, the total cost
of a paper-based TAN-list is estimated at € 4,50. A customer of BW-Bank consumed an average of 1.5 TAN lists per year. This resulted in an
annual cost of € 6,75 per customer. “With the TAN generator, we assume
the device has an average life span of 5 years. Hence, the introduction of
the TAN generator wasn’t only worthwhile in terms of security, but also in
economic terms.”
OBJECTIVE
Replace unsafe TAN lists and secure online transactions by private clients
against all types of online fraud.
CHALLENGE
A rollout to more than 200,000 end users required not only technical
competence, but above all very easy-to-use and reliable systems as well as
a high user acceptance among employees and customers.
SOLUTION
BW-Bank opted for the combination of the VACMAN controller and the
DIGIPASS technology of VASCO. Since the introduction of this solution, the
bank has recorded just one single case of online fraud.
About BW-Bank
BW-Bank is an operationally independent unit within the Landesbank Baden-Württemberg (LBBW), active in the retail and corporate customer business with a
special focus on the SME business activities in Baden-Württemberg. In the area of the state capital Stuttgart, BW-Bank, LBBW also fulfills the role of a savings bank.
In the context of these tasks, the BW-Bank offers all types of banking and financial transactions.
About VASCO
VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet Security applications and transactions. VASCO has
positioned itself as a global software company for Internet Security and designs, develops, markets and supports patented DIGIPASS®, DIGIPASS PLUS®, VACMAN®,
IDENTIKEY® and aXsGUARD® authentication products. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and e-government.
www.vasco.com
BRUSSELS (Europe)
phone: +32 2 609 97 00
BOSTON (North America)
phone: +1 508 366 3400
SYDNEY (Pacific)
phone: +61 2 8061 3700
SINGAPORE (Asia)
phone: +65 6323 0906
VACMAN®, IDENTIKEY®, aXsGUARD®, and DIGIPASS® are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners.
VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable.
However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. © 2009 VASCO. All rights reserved.