Security Statement | First Pacific Bank

First Pacific Bank utilizes several layers of technology to strengthen the confidentiality of its transactions across the Internet. First is log-in protection, the requirement that each user maintains a strictly private password and log-in ID to which no one but the authorized client should ever have access. Second is transmission security, the need to keep unauthorized agents from intercepting and/or deciphering the transmission of clients’ encrypted data while it travels between the client’s computer and the bank’s server. Third is information privacy and integrity, the ability to prevent unauthorized agents from viewing and/or writing to clients data while it is stored on the bank’s server.

“Clients” will be used hereinafter to signify an authorized bank client using software for the benevolent purposes it was intended and “agent” will be used to signify a person whose goal is to exploit a software application for some negative end.

Log-In Protection For the Client
Every client of First Pacific Bank must privately maintain a combination of password and log-in ID. Because the client is assigned the original password by the bank’s administrator, this calls for the client to change the password once logged onto the system and before any transactions can be requested. This forces the client to establish an absolutely private password. Also, any subsequent changes to the password (say a client loses or forgets the password) which requires back office processing by the administrator at the bank will force a change once the client uses the new password to log in.
- Login-In Attempts
  If an agent attempts unauthorized entry into a client’s account by trying to guess a password, the Online Banking system will disable or destroy the password on the third incorrect attempt, thus invalidating the log-in combination. The disabling and/or destruction of the password keeps an unauthorized agent from running a “crack” program, an application that can run through millions of possible passwords eliminating the invalid ones until it arrives at a match. To guard against unauthorized use of your log-in ID and password, the Online Banking system disables the password. This will also occur if you accidentally activate this security feature by unintentionally miss-keying a password three times. We understand how important it is for you to be able to access your accounts online when you need to. If you have forgotten your password and have not locked out, follow the steps on the “Forgotten Password” feature. If you are not able to reset your password please contact Online Services at First Pacific Bank at 562-947-1920, so that we may assist you with resetting your password.
- Suggestions for Passwords
  Your password and log in ID provide security against unauthorized entry and access to your accounts. Passwords should not be easy to guess; for example, children’s or pet’s names, birth date, addresses or other easily recognized identifications for you should be avoided. Additionally combining upper and lower cases within your password is a good security precaution in selecting a password.
  
  Note: You will be required to combine alpha and numeric characters as well as special characters.
Transmission Security
Transmission security begins with the browser. A client must be using a browser that supports the Netscape-developed encryption technology known as Secure Sockets Layer (SSL). Versions of Netscape 2.0 or beyond and Microsoft Internet Explorer 3.02 or beyond come equipped with SSL. SSL’s specific function is to manipulate data into an unreadable format as it leaves the client’s PC. The temporary scrambling of data in transit is referred to as “encryption”. In the unlikely case that an agent should intercept the data in transit, the encryption makes the data unreadable to a human and nearly impossible for a computer to decrypt. Furthermore, data in transit is split up into packets that travel separately and are not reorganized until they arrive at the bank’s web server. So if the encryption code should be solved, the agent is likely to only be in possession of individual packets that would be out of context with the whole data.

As you would expect, the converse of encryption (or decryption), must take place before the data is rearranged back into a useful format. The relationship between which computer encrypts data and which computer has the subsequent ability to decrypt that data is determined by an extension of SSL known as public and private key pair technology. This method consists of two keys, one public and the other private. The public key is published from the bank’s server upon request by the client’s web browser (i.e. Netscape or MS Internet Explorer). The private key is held privately at the bank’s server. Once received by the client’s browser, the public key is used to encrypt the data as it leaves for the bank’s server. The encrypted data can only be decrypted by the private key, based on the mutually exclusive, asynchronous relationship that these two keys share. As Netscape puts it, “Data that is encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key. This asymmetry is the property that makes public key cryptography so useful”.

This answers the question that may have occurred to you: “Encryption may make data unreadable to a human, but can another machine intercept the data and unscramble it?” The co-dependency between the public and private key pair ensures that the only computer capable of decrypting data is the one which provides the means by which it is also encrypted. This raises another question: “How can either party, the recipient of a public key and/or the holder of the private key make any guarantee that either are who they say they are?” Indeed, if substitutions of identity can be made, it makes no difference how well encrypted data travels. To address this issue, the Online Banking system employs the VeriSign Digital ID authentication technology.
- The VeriSign Digital ID
  Certain information in this section has been provided by VeriSign’s white paper dated 11/13/97 concerning internet security. For further information refer to www.VeriSign.com.
  
  The reasoning behind the public/private key pair is similar to that of a safe deposit box that can only be opened by two separate keys that are owned by two different people and must be used simultaneously to work the lock. With a safe deposit box, it is relatively easy to make visual confirmation that the person holding the other key is who you think they are and, indeed, someone with whom you want to be sharing this mutual responsibility. The Internet is faceless, however, and a bank’s server is likely to get requests all day long from clients everywhere. How does a bank bind the identity of the computer knocking on its server door with a legitimate, authorized client? And conversely, how does the browser of a legitimate client verify that it is communicating with its intended destination at the bank?
  
  The Online Banking system employs technology called the Digital ID to address the issue of identification. The Digital ID, developed by VeriSign, provides a standard of authentication against which claims of identity can be made and guaranteed. VeriSign, in its white paper, writes that “Digital IDs are electronic credentials that establish an individual’s or entity’s identity. A server secured with a Digital ID ensures visitors of the site’s authenticity and allows the session with the client to be encrypted”. It is essentially “third party evidence” that clients seeking and receiving data are who the server understands them to be, and vice versa.
  
  The following is a section taken from VeriSign’s white paper that describes how it works in conjunction with public/private key pair technology.
  
  A Digital ID provides an electronic means of verifying that the individual or organization with whom you are communicating is who they claim to be. The identity of the Digital ID owner is bound to a pair of electronic keys that can be used to encrypt and sign digital information, assuring that the keys actually belong to the person or organization specified.
  
  A CA (Certification Authority) such as VeriSign attests to an individual’s or organization’s right to use the keys by digitally signing the Digital ID after verifying the identity information it contains. The assurance provided by the Digital ID depends on the trustworthiness of the CA that issued the Digital ID and the integrity and security of the CA’s practices and procedures.
  
  When a connection is established between a client and a secure server, the client software automatically verifies the server by checking the validity of the server’s Digital ID. The key pair associated with the server’s Digital ID is then used to encrypt and verify a session key that is passed between the client and server. This session key is then used to encrypt the session. A different session key is used for each client-server connection, and the session key automatically expires in 24 hours. Even if a session key is intercepted and decrypted (very unlikely), it cannot be used to eavesdrop on a subsequent session. SSL is the connection protocol used for this authentication and encryption process.
Server Security And Information Privacy / Integrity
The Online Banking system operates off a server that is physically separate from the bank’s mainframe and is protected by a firewall. Having encrypted the data and verified that the sender and receiver can be appropriately identified by each other, the web server and the information stored on it are protected in the following way.

To help protect your money and personal data against any type of intruder or attack, the Bank uses a system of filtering routers and firewalls. Requests must filter through a router and firewall before they are permitted to reach the server. A router is a piece of hardware which works in conjunction with the firewall and a piece of software to block and direct traffic coming to the server. The configuration begins by disallowing all traffic and then opens holes only when necessary to process acceptable data requests, such as retrieving web pages or sending client requests to the bank.

Note: We believe that the above technologies are the most effective and efficient tools available to secure and protect your Online Banking transactions.

Revised 02/14