Secure Document Exchange with It’s Me 247

Introduction

The following guidelines pertain to the exchange of, or request for, secure documents (i.e. check images) between It’s Me 247 and third-party IP vendors or home banking providers. This involves a certain level of advanced integration between It’s Me 247 and the third-party solution.

Purpose

 

The purpose of these guidelines is to ensure

  1. That documents are securely exchanged
  2. Sensitive data is kept confidential
  3. Requests are properly authenticated
  4. Integrity checks ensure data is unaltered in transit

Guidelines

Due to the risk inherit in exchanging sensitive documents over the public Internet, integrations that do not adhere to these standards will not be implemented by CU*Answers without client (CU) indemnification.

The following are requirements for integration with It’s Me 247 for the purpose of transmitting or receiving sensitive documents. If your solution does not meet these criteria it will need to be modified by you or indemnified by the credit union before integration can take place. All integration proposals will be evaluated for compliance.

  1. Connections between servers or between server and client browser must be secured using at least 128-bit strength SSL. Connections less than 128-bit will not be accepted.
  2. The URL address used to retrieve the document must not be presented in clear text to the client browser at any time during the transaction. Protecting the URL will prevent over-the-shoulder attacks and browser-history attacks. Possible solutions to clear text URLs are to use them server-side only, or to encrypt the URL.
    • The URL address should not include any sensitive information in plain text, such as account numbers.
  3. The exchange process should include an integrity-verification device. Common methods include the addition of an MD5 hash, or checksum, in the URL to validate the integrity of the request and to prevent URL “hacking” in an attempt to gain access to another member’s records.
    • Do NOT use only predictable values to generate the MD5 hash. CU*Answers recommends using two known values and one randomly generated value to create hashes. This prevents reverse engineering of the MD5.
    • Do not use proprietary algorithms for generating MD5 hashes. Please see RFC1321 “MD5 Message-Digest Algorithm” for details.
  4. Requests for a document should be properly authenticated as valid and originating from a specific authorized organization.
  5. Access to document-serving or -brokering applications must be administratively controlled and not available “at large” to the Internet. All access should be logged.
  6. Member authentication is the responsibility of the credit union home banking provider. CU*Answers does not assume liability for errors in user authentication made by the third-party home banking provider.
  7. All servers integrating with It’s Me 247 must be secured according to vendor and industry best-practices. Further, these servers must incorporate up-to-date anti-virus scanning technology. CU*Answers may request a written statement of compliance from the third-party.

Preferred Solution

CU*Answers’ has developed (using an NSA contractor) a secure and robust API that satisfies these requirements in a comprehensive industry-standard manner using FIPS-approved triple DES encryption. The API exists on the third-party server (as a .dll) and provides encryption of the actual data payload (not just the transport layer as in SSL), encrypts the URL, verifies the requestor’s identity, and maintains data integrity. We highly recommend this solution as it can quickly integrate into existing security architectures, is appropriate for requests originating from It’s Me 247 or the third-party, and is the most comprehensive solution we’ve yet seen.

This solution has been in production use for over two years and is now available to third parties for integration with their platforms (currently limited to Windows, but support for UNIX is planned.) Supporting documentation is available for approved integration projects.

For technical integration questions, please contact cryptoapi@cuanswers.com.

Updated
September 26, 2014