“Offline payment software in the sights of hackers – Swiss companies affected”

The above headline is taken from a statement by the Reporting and Analysis Centre for Information Assurance (MELANI) from July of this year. The statement describes a new type of hack on companies in Switzerland.

To process mass payments, especially in the case of multibank accounts, companies today generally use offline software for the transmission, approval and execution of electronic payment orders. Transfers are triggered automatically directly from within the ERP software and are transmitted to the bank via secure protocols. This type of payment processing accounts for the majority of the electronic payment orders executed in Switzerland today.

EBICS mobile – any time, any place

Michael Schunk, Product Manager, PPI AG

The EBICS protocol is designed to transfer large data volumes, call up account information and authorise orders. These are the basic requirements of a treasurer and they are fulfilled by EBICS, guaranteeing the success of EBICS.

In the age of digitalisation, more and more information is provided at increasing speeds. Even EBICS must fulfil this requirement, and its response consists of mobile EBICS apps that inform the customer fast.

Hacker attacks on SWIFT payments

81 million US dollars – criminals have stolen this enormous sum from the central bank of Bangladesh, not in a movie-style heist but very quietly via hacking. The thieves made more than 30 bank transfers from the account of the Bangladesh Bank at the New York Federal Reserve Bank (Fed) to Philippine accounts. This case and others show that inter-bank payments are a lucrative target, and that the security of the SWIFT international financial network is vulnerable. Penetrating this network certainly requires a lot of effort; however, the loot that can be expected is even greater. In view of such professional attacks, the security of payments is at the top of the agenda once again.

How to enhance EBICS, Part 8 – Preventing double submissions using EBICS tools: What’s going on?

It happened in a blink. The payment orders were accidentally transferred to the bank twice via EBICS. Nobody noticed. A number of such error cases are possible:

  1. A payment was entered and sent twice in the order input.
  2. The file with the payment orders was transferred again – for the second time.
  3. For technical reasons, the payment file was transferred twice because the transfer status of the first transfer was not clear.

A double submission is basically a case of a customer submitting a payment or file with identical data to the bank again within a defined period of time. However, is an identical submission always a double submission that generally must be rejected? No, because some payments are deliberately prepared and transferred multiple times by the submitter.

UBS goes EBICS

Patrik Giger, Head Payment Connectivity Services, UBS Switzerland AG

For the fifth time in a row, UBS was named “Best Domestic Cash Manager Switzerland” in the Cash Management Survey 2015 conducted by Euromoney. This success is a result of many years of focussing on customers’ needs and optimal product and service quality.

One component of this range of services is the infrastructure for connecting customer systems directly, for which an interface based on proprietary data exchange has proven itself over the years. This direct connection is used by customers in Switzerland. Internationally, customers mostly use a connection via SWIFT for Corporates or multi-bank services to exchange payment data and reports with their financial institution. 

It is already possible now for UBS customers to execute their global financial transactions securely – in particular for international branches. A major goal of the new infrastructure is to make the connection to financial institutions more secure, convenient and standardised.

EBICS and TLS 1.2 – somewhat more secure but not without its snags

Curd Reinert, Project Manager EBICS-Kernel, PPI AG

Anyone looking at the EBICS specification might be surprised to learn that it still prescribes version 1.0 of Transport Layer Security (TLS). At one time that was a very wise choice – when the EBICS specification was published, TLS 1.0 was the latest technology. So this was mainly a decision against SSL, which put manufacturers and operators in a good position, for example with regard to POODLE. EBICS ruled out SSL, and so EBICS applications were safe from POODLE. The attack wouldn’t have had much of a chance with an EBICS client anyway: the attacker makes the client send thousands of requests to the HTTPS server so that, for example, the attacker can access the session cookie. But EBICS doesn’t use session cookies, and the clients aren’t web applications that would execute malicious JavaScript code to send thousands of requests. But try explaining that to the auditors!

EBICS on the Iberian peninsula

In 2014, the majority of Portuguese banks opened an EBICS channel based on version 2.4.2 of the protocol. Only the T profile is really used at the moment; however, many companies would like to use the personal signatures that foreshadow the operation of the TS profile in the short term.

At the moment, very few Spanish banks offer their business customers the option of managing their financial transactions by means of the EBICS protocol. However, demand is getting more and more significant, as demonstrated by the presence of several participants at an event organised in Madrid by the Spanish Association of Corporate Finance Officers and Treasurers (ASSET) on 20 January.

Internationally in harmony with EBICS BTF

Sabine Wenzel, EBICS Secretary, EBICS SCRL

In 2010, the French CFONB and German DK banking authorities created a joint EBICS committee. One of its visions is to harmonise EBICS. The different procedures that already existed in these countries influenced the EBICS specification and are making it more difficult to implement EBICS. Germany and France use different approaches for the (short) identifiers for business transactions and for the formats to be used. This topic was given further momentum when Switzerland joined the EBICS SCRL. A harmonisation project was initiated with the goal of a standardised procedure for all of EBICS. This consolidation is known as EBICS BTF.

EBICS – Opportunities to internationalise

Thomas Stosberg, GTB Product Management, Deutsche Bank AG

After Germany and France, Switzerland is the third country to join the EBICS community, taking the internationalisation of EBICS a step further. Has EBICS got the potential to become an international standard and is this in the interest of customers and banks?

How to enhance EBICS, Part 7 – Automatic bank key update: Is this even possible?

According to the EBICS specification, data is always transferred signed and encrypted. This applies to both directions of communication: customer > bank and bank > customer. In Germany, there are theoretically no limitations on the validity of the keys used for this. In France, at least the validity of the certificates is limited. For security reasons, it is absolutely necessary to renew the keys regularly. For the customer side, EBICS already provides functions for an automated key change for an EBICS user that has been initialised. However, the automatic renewal of bank keys is more difficult in practice. A “soft key change” is one solution.