a.trust is an Austrian company that offers all services related to electronic signatures. a.trust works on the basis of the Austrian Signatures Act and the European directive, i.e. it is a certification service provider for the issue of qualified certificates (trust|sign) and secure digital signatures. a.trust maintains a public directory of the certificates it has issued and a public, up-to-date revocation list in which the numbers of all revoked and suspended certificates are stored. All technical and organizational factors and processes of trust|sign are described in documents published on the a.trust homepage.
This type of encryption creates the digital signature that can then be securely sent and read. Here, there is a key pair consisting of a public and freely accessible key and the private key of the user. These keys are managed by certificate authorities (CAs) or trust centers. There, an Internet user can register in person, obtain his/her chip card with the private key and then use it for home banking with HBCI, for example.
Authentication serves as a preliminary step to establish an identity; usually it is a person who wants to prove his/her identity. During authentication, the person identifies himself/herself through something he or she owns (e.g. a key), knows (e.g. a password) or is (e.g. biometric features). The proof presented in this way is then used for authentication.
Authentication is the process of checking a message as to whether the sender of this message is actually the person who they claim to be. Authentication is made possible by means of digital signatures.
After successful authentication, certain rights are usually granted. For example, the right to access certain files in a computer system. This process is called authorization. In most cases, the granted rights refer to the access to or use of certain resources (e.g. the use of files) or to the carrying out of certain transactions (e.g. transfers up to a predetermined amount).
A backup is a copy of the data on a computer system, made so that, if data loss occurs, the system can be restored with the aid of the backed-up data to a condition as close as possible to the time of the loss. The amount of permanently lost data should be kept as low as possible by intelligent backup strategies. Additionally, backups can be used to reset compromised systems to a guaranteed uncompromised condition. In this case, it is important to ensure that backups of a system are present and available in an uncompromised condition.
Abbreviation for: Bank Identifier Code
The BIC is the international sort code for worldwide identification of banking institutions. The BIC consists of a four-digit bank designation, the respective country code, a two-digit place name and the branch designation. For international transfers, the BIC only had to be specified until February 1, 2016.
The name is derived from the word robot and describes a network of computers that are under the control of an attacker and are remotely controlled by him/her. Botnets are used, for example, to carry out distributed denial-of-service attacks (DDoS) or to send spam e-mails. Often the malicious software that allows the attacker to take control of a computer is installed by careless clicking on e-mail attachments. However, malicious software can also be introduced through websites which take advantage of vulnerabilities in web browsers. For this reason, it is generally not advisable to work on your own PC with administrator rights.
This payment system has been used since 1997 for paying small amounts in stores for daily needs. It can also be used on the Internet. It is based on a chip on a girocard or other bank customer cards and is also referred to as an electronic wallet. This chip stores a maximum amount of €200 at the bank or at home with a cyberJack® chip card reader. When paying, the cash card chip is debited by the amount due on the merchant's terminal or on the home PC.
Unsuspecting Internet users are now being enlisted as money couriers via mass e-mails sent by fraudsters. The funds captured by online banking fraud are intended to be laundered by third parties. In this case, the victim is lured by lucrative sideline jobs. The intent here is for him/her to provide their own account to receive a sum of money, to take it out and pay it in cash into another account. A specific sum is promised as compensation. Warning: These transactions are liable to prosecution!
A certificate revocation list (CRL) contains information concerning the revoked certificates of a trust center service provider. The revocation of certificates is carried out, for example, in the event of loss or theft of a signature card.
Certification is the process of assigning a unique key pair of a public key encryption to a natural person. This includes the unique identification of this person and proof of ownership of a public key.
A certification service provider is a natural or legal person or other legal body that issues certificates and provides signature and certification services. A certification service provider provides signature products and procedures and is responsible for issuing, renewing and managing certificates (certificate creation and management). It is also responsible for registering the person applying for the certificate (registration authority) and provides a directory and revocation service as well as a consulting service (fee-based hotline).
Chip cards are usually plastic cards with a built-in chip that often has a microprocessor. Today, microprocessors with cryptographic functionality for the encryption of data or cryptographic signatures can be found on chip cards. Especially chip cards with cryptographic functions can be used in conjunction with trusted hardware to make online banking safer.
Chip card readers are "chip contacting devices": A chip card reader lets you access a chip card and its functions from your computer, e.g. HBCI cards for electronic banking or cash cards for cashless payment. Chip card readers are divided into security classes depending on the equipment: A so-called class 3 reader has a keyboard and display, a class 2 reader has a keyboard only, and a class 1 reader has neither keyboard nor display.
An electronic key for encrypting messages; ciphered messages are not readable by third parties. The customer and institute key form a key pair. For HBCI banking with a chip card, the customer key is stored in the chip of the HBCI chip card.
Construction kits are software tools that allow even a layman to develop a Trojan with a few clicks of the mouse. The resulting Trojans can be particularly dangerous if they are developed specifically with regard to a potential victim and are not intended for widespread distribution, because in this case virus scanners cannot detect them on the basis of a signature.
Abbreviation for: Card Terminal Application Programming Interface
The CT-API is an open interface which can be used to realize handling and communication with smart cards independent of the application.
Payment card that has a credit limit and which a card holder can use to pay for goods or services at an electronic cash register. When paying with a debit card, the customer's account is charged directly with the amount due - usually after a few working days. This type of payment is therefore often described as "pay now".
Traditional certificates available on paper are documents that confirm a certain property, an ability or right to the holder. These can be passports, diplomas, or insurance contracts. Certificates are signed by a trusted authority. Digital certificates are corresponding digital documents that assign a digital ID to a natural person. This identifier is the public key of the individual key pair that is personally assigned to the certificate holder. The certificate is issued by a certification authority. In this way, the real person can be verified in the virtual world and sign in a legally binding manner. The signature is verified using the public key and the digital certificate.
A directory service is a service of a trust center. In a directory service, the public keys of all certified participants are made available online. Based on the directory service, the recipient of an encrypted message can establish the authenticity of the sender.
Abbreviation for: Dynamic Link Library Injection
DLL injection is used to have malicious code executed by a trusted process on the client system. This process is forced to load the malicious code, which is located in a dynamic-link library (DLL). This can occur, for example, by changing the registry entry that determines which DLLs are to be loaded at the start of a program.
Abbreviation for: Domain Name System Protocol
The DNS protocol must be running on every Internet computer and converts hostnames (e.g. www.sicherheitsoffensive2007.de) into IP addresses (such as 126.96.36.199) and vice versa. Without this conversion, there can be no communication on the Internet because the data packets can only be assigned to the correct computer by means of an IP address.
Abbreviation for: Domain Name System Spoofing
DNS spoofing is a common form of pharming: An attacker manipulates the association between a host name and the corresponding IP address. As a result, the attacker can spoof the identity of two communication partners and thus receive the data packets of both partners.
A duplication check protects home banking with chip cards according to the FinTS standard against replay attacks, i.e. interception and multiple use of the same money transfer. The duplication check consists of a combination of sequence counters and a list of previously submitted sequences.
Abbreviation for: Elektronischer Identitätsnachweis (electronic proof of identity)
The online ID card function of the new personal ID card. It allows secure and unique identification with the ID card on the Internet and at terminals.
Electronic communication between banks and their customers is known as e-banking. This includes Internet banking, credit applications, conclusion of building loan contracts, securities trading, bank statement service etc.
For this type of payment, the cardholder enters his/her personal identification number (PIN). Following an online check by the card issuing institute and the successful transaction, the merchant has a 100% guarantee of payment.
Abbreviation for: Elektronisches Lastschriftverfahren (electronic direct debit procedure)
In an electronic direct debit (German: ELV), the customer signs the payment receipt and consents to the amount due being collected by direct debit.
Electronic direct debit is not an officially approved payment procedure of Deutsche Kreditwirtschaft. The terminal simply reads the account number and bank routing number of the cardholder from the magnetic strip and the cardholder is legitimized by his/her signature. The transaction is an offline process and contains no guarantee of payment.
Encryption protects your documents against unauthorized access; encryption and decryption also use the interplay of private and public keys:
To encrypt a message targeted at a specific person, the sender uses an individual characteristic of the recipient: the public key. To open the encrypted message, the recipient must activate his/her complementary key, i.e. the private key. Because he/she always has the private key under his/her sole control, no one else can decode the message intended for this recipient. Although public and private keys are used for both signing and encryption, every qualified certificate contains two key pairs: one for legally binding signing and the other for encryption and authentication.
Abbreviation for: Financial Transaction Service
In 2002, HBCI was renamed FinTS. The standard defines security procedures for the authentication and encryption of orders etc. These security procedures include the PIN/TAN procedure and chip cards with corresponding readers, for which HBCI has mainly become known.
The former ec card is now called girocard and has become a multi-functional debit card (customer card).
The eurocheque card (ec card) was originally designed as a warranty card for use with eurocheques. Today, it is a multi-functional debit card.
The useful electronic services of this card can be identified by the pictograms on it and the card can now be customized by the issuing institutions. Today's debit cards in the German banking industry can generally handle all electronic payment methods such as electronic cash, electronic direct debit, online direct debit, point of sale without payment guarantee, and cash card. The card-accepting merchant decides on a guaranteed payment or not by means of the selected payment method.
Greylisting is a method of combating spam where a first delivery attempt of an e-mail is temporarily rejected. At the same time, the receiving e-mail server remembers the sender's data and accepts the incoming e-mail on the second delivery attempt. In addition, a mail server working with greylisting usually manages so-called white lists in which trusted senders are entered dynamically. Greylisting is successful in combating spam e-mails as long as the senders do not use real queues for sending e-mails like regular mail servers do.
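The decision logic described above, as an added example (not code from the original page): a receiving mail server temporarily rejects the first delivery attempt of an unknown sender triple, accepts a retry once a minimum delay has passed, and dynamically whitelists hosts that retry like a real mail queue. The triple key, the delay and the sample deliveries are assumptions made for this example.

```python
"""Greylisting decision logic (added example, not from the original page).

A (sender IP, envelope sender, envelope recipient) triple is used as the key,
as many greylisting implementations do; the 300-second delay and the sample
traffic below are constructed for this example."""

from dataclasses import dataclass, field

TEMP_FAIL = "451 4.7.1 greylisted, please retry later"   # temporary SMTP reject
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_retry_delay: int = 300                   # seconds before a retry is honoured
    seen: dict = field(default_factory=dict)     # triple -> time first seen
    whitelist: set = field(default_factory=set)  # sender IPs that proved they retry

    def decide(self, now: int, ip: str, sender: str, rcpt: str) -> str:
        """Return the SMTP response for one delivery attempt at time `now`."""
        if ip in self.whitelist:
            return ACCEPT
        key = (ip, sender, rcpt)
        first_seen = self.seen.get(key)
        if first_seen is None:
            # Unknown triple: reject temporarily and remember it.
            self.seen[key] = now
            return TEMP_FAIL
        if now - first_seen < self.min_retry_delay:
            # Retried too early: still reject (a real MTA backs off; spam tools often do not).
            return TEMP_FAIL
        # Proper retry after the delay: accept and trust this host from now on.
        self.whitelist.add(ip)
        return ACCEPT


def simulate(attempts):
    """Run constructed delivery attempts (time, ip, sender, recipient) through one greylist."""
    gl = Greylist()
    return [gl.decide(*a) for a in attempts]


# Constructed sample traffic: a legitimate MTA that retries after 10 minutes,
# and a spam tool that tries once and never comes back.
SAMPLE_ATTEMPTS = [
    (0,   "203.0.113.10", "alice@example.org", "bob@example.net"),  # legit, 1st try
    (0,   "198.51.100.7", "promo@example.com", "bob@example.net"),  # spam tool, only try
    (60,  "203.0.113.10", "alice@example.org", "bob@example.net"),  # legit, too early
    (600, "203.0.113.10", "alice@example.org", "bob@example.net"),  # legit, accepted
    (700, "203.0.113.10", "carol@example.org", "bob@example.net"),  # same host, whitelisted
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(attempt, "->", verdict)
```

The spam tool's single attempt never reaches the mailbox, while the legitimate server is accepted on its second proper retry and no longer delayed afterwards.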
Abbreviation for: Global System for Mobile Communications card
The cell phone card with a chip, which is used to connect the phone to the digital cellular network. All contacts and text messages are also stored on this card. A PC card reader and the appropriate software, such as smartMate, can also be used to edit and store this data from the PC.
The hash value is the compressed version of a file. The hash value can be regarded as the fingerprint of a file. A person can be precisely identified by his/her fingerprint, a file by its hash value. The hash value arises from the fact that any file of any size is compressed using a mathematical procedure - known as the hash function. The smallest change to the file leads to a completely different hash value. There are various methods of calculating the hash value. The hash function is a one-way function. Such a hash function is not reversible, which means that the restoration of the original text is not possible.
Abbreviation for: Home Banking Computer Interface
HBCI has become a data exchange standard for home banking. The HBCI standard is based on triple protection by means of:
• A chip card
• The password for the card that the customer can choose
• The private and public data keys that are necessary for communication between the customer and the bank (see Encryption)
When the connection is established, the user authorizes himself/herself using a password via the HBCI software on the bank server. The server then sends back the limits for all actions to the software. The user can then carry out transactions, which are sent summarized in a data segment to the server after completion. All data is exchanged using the security technology integrated in the software.
Carrying out account queries, transfers and securities transactions from home - this can all be done on the PC over the Internet by means of Internet banking. In order to log onto the bank using the Internet, a personal password must first be entered in the PC card reader. The personal chip card is unlocked and a code it contains is sent to the bank. If the data match, the Internet account is unlocked.
Abbreviation for: International Bank Account Number (German: Internationale Bankkontonummer)
The IBAN was developed and introduced to simplify international payments. It consists of a two-digit country code ('DE' for Germany), a two-digit checksum, the bank sort code, and the account number. Since February 1, 2014, the use of the IBAN for transfers by companies and associations has been mandatory. February 1, 2016 was the deadline for private customers.
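How the two-digit checksum is verified and computed (ISO 7064 MOD 97-10), as an added example that is not part of the original page; the German layout assumed here is DE + 2 check digits + 8-digit bank sort code + 10-digit account number, and the sample IBAN is a constructed, widely published test value rather than a real account.

```python
"""IBAN check-digit verification and computation (added example, not from the page).

The MOD 97-10 rule: move the first four characters to the end, replace letters
by numbers (A=10 ... Z=35), and the resulting integer mod 97 must equal 1."""

import re


def _to_numeric(s: str) -> str:
    """Replace letters by numbers (A=10 ... Z=35) as the standard prescribes."""
    return "".join(str(ord(ch) - 55) if ch.isalpha() else ch for ch in s)


def normalize(iban: str) -> str:
    """Strip whitespace and upper-case, since IBANs are often typed in groups of four."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """Return True if the IBAN passes the MOD 97 check (remainder must be 1)."""
    iban = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    # Move country code and check digits to the end, then convert letters to digits.
    rearranged = _to_numeric(iban[4:] + iban[:4])
    return int(rearranged) % 97 == 1


def compute_check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a country code and a BBAN
    (for Germany: 8-digit sort code followed by the 10-digit account number)."""
    rearranged = _to_numeric(bban.upper() + country.upper() + "00")
    return f"{98 - int(rearranged) % 97:02d}"


def german_iban(sort_code: str, account_number: str) -> str:
    """Build a German IBAN; the account number is left-padded with zeros to 10 digits."""
    bban = sort_code.zfill(8) + account_number.zfill(10)
    return "DE" + compute_check_digits("DE", bban) + bban


if __name__ == "__main__":
    sample = "DE89 3704 0044 0532 0130 00"   # constructed test IBAN
    print(sample, "valid:", iban_is_valid(sample))
    print(german_iban("37040044", "532013000"))
```

A single wrong check digit (DE88 instead of DE89) fails the test, which is what catches most typing errors before a transfer is submitted.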
An image of a computer is a special backup method which can be used to quickly restore a complete computer to an earlier condition. The creation of images is one way to back up a system at a time when the system is guaranteed to be uncompromised in order to have a reliable source of recovery in the event of a compromise.
Abbreviation for: Internet Protocol address
A number that allows the addressing of computers (and other devices) in an IP network such as the Internet. Technically, in the current version IPv4, it is a 32-bit binary number, usually written as four period-separated decimal numbers each ranging from 0 to 255. Example: 188.8.131.52
Abbreviation for: Information Technology Security Evaluation Criteria
The ITSEC standard refers to the criteria for evaluating the security of information technology systems. The ITSEC standard is an internationally recognized standard for evaluating secure signature creation components. The ITSEC standard recognizes 7 evaluation levels (E0 to E6) and three security grades (low, medium and high). However, ITSEC is not sufficient for evaluating the overall security environment and is supplemented, with regard to chip cards, by individual requirements of FIPS 140 and, at the organizational level, by the British Standard (BS) 7799. In Europe as well as in the US, the ITSEC standard has been replaced by the Common Criteria for checking and evaluating the security of information technology and for assessing trusted security technologies.
In key certificates, a difference is made between the (qualified) certificate for signing (signature certificate) and the encryption or secrecy certificate. The qualified certificate is the certificate of the public signature key, the encryption certificate is the certificate of the public encryption key. Attribute certificates do not contain a key.
A keylogger is software or a piece of hardware that logs all the keystrokes on a computer and makes them available to an attacker. Keyloggers are used especially for spying on access codes. Hardware-based keyloggers cannot be detected by software. Particularly when using public computers, it is very likely that keyloggers are installed. Consequently, no information that could lead to the disclosure of confidential information should be provided.
In a so-called man-in-the-middle attack, a special method of attack is used in which an attacker compromises the communication between two parties by locating himself between the parties and exercising full control of data traffic. The attacker can be malicious software on the user's computer, which manipulates bank transfer data during online banking, for example. To prevent man-in-the-middle attacks, each user must always check exactly who the direct communication partner is and rely on trusted devices. Generally, your own PC cannot be considered trustworthy.
Abbreviation for: Online Lastschriftverfahren (online direct debit procedure)
The online direct debit procedure (OLV) is a registered trademark. This is a payment procedure that provides high security at low cost.
The customer signs the payment receipt and authorizes collection of the amount by direct debit with his/her signature. OLV is available to all ec card holders - even those who do not know their PIN or have concerns about being watched when entering the PIN at the cash desk.
Abbreviation for: Password Authenticated Connection Establishment protocol
Refers to a password-based authentication and key agreement protocol. The protocol was developed by the German Federal Office for Information Security (BSI) for use in the new personal ID card.
Software correction package. Debugging routines or software improvements are normally provided by manufacturers in such correction packages (patches) which also close commonly known vulnerabilities among other things.
A personal firewall is a firewall for a single computer. This is software that is designed to protect the computer against attacks from an unprotected network, e.g. the Internet, and control all network traffic.
Pharming attacks are directed against the DNS (Domain Name System) protocol. The attacker attempts to "sneak" incorrect IP addresses into one of the many DNS servers available on the Internet. For example, this redirects the user to a fake website instead of the website of the bank.
The word "phishing" comes from the combination of the terms password and fishing. Phishing refers to the theft of passwords and other sensitive data, e.g. by means of fake e-mails or websites. In online banking, attackers attempt to capture the PINs and valid TANs of a user which are then used to pilfer accounts.
Abbreviation for: Personal Identification Number
The PIN is the access control to the signing and decryption functions on the chip of the card and activates the (signature) key. A distinction is made between the initial PIN, signing PIN and decryption PIN.
Please note: The Signature Act only defines the conditions under which the signature is recognized as secure. The legal effect of the qualified electronic signature, i.e. the cases in which the qualified electronic signature can replace the handwritten signature, is not defined in the Signature Act. These regulations are laid down in the German Civil Code and the Administrative Procedure Act. The Signature Act is very extensive and often very detailed, yet it does not regulate anywhere near all the applications of digital identities. In fact, the Act solely covers digital certificates for individual persons; computers and software objects are not included. Another limitation is that a personal certificate in Germany also always refers to a single individual only, not a group of persons or a legal entity.
A proxy Trojan carries out a type of man-in-the-middle attack. It switches into the online banking communication between customer and bank. The peculiarity here is that it is usually active on the victim's PC in real time and modifies all communications according to its requirements.
Asymmetric key encryption uses key pairs consisting of a public key and a private key. The public key is not secret and is managed by trust centers. It is necessary for carrying out public operations, such as encrypting messages or checking digital signatures.
The Public Key Infrastructure provides the basis for secure virtual private networks, e-mail communications, portal authentication, and electronic signatures. PKI manages the required certificates and electronic keys. It encrypts confidential information, thus effectively protecting it from attacks. You can now securely carry out electronic business processes. PKI is the umbrella term for the combination of people, hardware, software, policies, and methods. It is involved in generating, issuing, saving, managing and revoking certificates. PKI is mainly structured hierarchically.
Abbreviation for: Personal Unblocking Key
The signatory receives a PUK for the signature PIN (if the card type allows this) and another PUK for the encryption PIN; the functionality is the same. A PIN may be entered wrongly a maximum of 2 times in a row. After the third wrong entry, the function of the card is blocked and can only be unblocked with the PUK. The PUK is numerical and is sent to the card purchaser in a sealed envelope. The PUK must be kept secure. However, unblocking by means of PUK entry cannot be carried out indefinitely. Unblocking may only be carried out ten times, i.e. a maximum of 32 times consecutively if an incorrect PIN is entered. If the PIN is not entered correctly after 10 consecutive unblocking attempts, the card is permanently blocked.
A qualified certificate uniquely assigns signature creation data to a person. The certificate is kept in a publicly accessible database (directory service) and is stored on the card of the signatory at the time of the card issuance. Only a certification service provider who has a certificate from the state supervisory authority for issuing qualified certificates may issue a qualified certificate.
A registration authority is the contact point for applying for signature key certificates. The request is forwarded to a certificate authority. It issues the certificate and sends it back to the registration authority for issuing.
Abbreviation for: Regulierungsbehörde für Telekommunikation und Postwesen (Regulatory Authority for Telecommunications and Posts)
The Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways (short: Federal Network Agency) constitutes the highest level of the SigG-compliant trust center hierarchy in Germany.
If data is intercepted on a line and retransmitted to the institute system, this is called a replay attack: A transfer to the correct recipient is carried out several times against the wishes of the customer.
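The replay attack described here and the duplication check from the FinTS entry above, as one added example (not code from the original page): each order carries a sequence counter covered by the customer's signature, and the institute keeps, per customer, the highest accepted counter plus a list of recently accepted counters, so a captured order resubmitted unchanged is rejected even though its signature still verifies. Keys, customer ids and orders are constructed; HMAC-SHA256 stands in for the chip card signature.

```python
"""Duplication check against replay of signed orders (added example, not from the page).

The institute side keeps a high-water mark and a window of accepted sequence
counters per customer; the window size and all sample data are constructed."""

import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW = 8  # how far below the highest counter an out-of-order order may still arrive


@dataclass(frozen=True)
class Order:
    customer: str
    seq: int          # sequence counter maintained by the customer's software
    payload: str      # the transfer data (constructed)
    mac: bytes        # "signature" over customer, counter and payload

    @staticmethod
    def sign(key: bytes, customer: str, seq: int, payload: str) -> "Order":
        msg = f"{customer}|{seq}|{payload}".encode()
        return Order(customer, seq, payload, hmac.new(key, msg, hashlib.sha256).digest())


@dataclass
class InstituteServer:
    keys: dict                                   # customer -> shared key (constructed)
    highest: dict = field(default_factory=dict)  # customer -> highest accepted counter
    seen: dict = field(default_factory=dict)     # customer -> accepted counters in window

    def submit(self, order: Order) -> str:
        key = self.keys.get(order.customer)
        if key is None:
            return "rejected: unknown customer"
        msg = f"{order.customer}|{order.seq}|{order.payload}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, order.mac):
            return "rejected: bad signature"
        top = self.highest.get(order.customer, 0)
        seen = self.seen.setdefault(order.customer, set())
        if order.seq in seen:
            return "rejected: duplicate (replay)"       # same order submitted again
        if order.seq <= top - WINDOW:
            return "rejected: sequence counter too old"  # outside the remembered window
        # Accept: record the counter, advance the high-water mark, prune old counters.
        seen.add(order.seq)
        if order.seq > top:
            self.highest[order.customer] = order.seq
            top = order.seq
        seen.difference_update({s for s in seen if s <= top - WINDOW})
        return "accepted"


def run_scenario():
    """Legitimate orders, then the first one replayed, then an old MAC reused."""
    key = b"constructed-shared-key"
    bank = InstituteServer(keys={"K1": key})
    first = Order.sign(key, "K1", 1, "transfer 100.00 EUR to recipient A (constructed)")
    second = Order.sign(key, "K1", 2, "transfer 250.00 EUR to recipient B (constructed)")
    results = [bank.submit(first), bank.submit(second)]
    results.append(bank.submit(first))                              # captured and resent
    results.append(bank.submit(Order("K1", 3, first.payload, first.mac)))  # counter bumped, MAC stale
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The signature alone would let the captured order through a second time; it is the remembered counter that turns the duplicate into a rejection.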
A revocation service is a 24-hour service of a trust center that can be used to revoke certificates. This is important, for example, if a participant's signature card was stolen or he/she no longer seems trustworthy.
A rootkit is a collection of software tools that attackers employ to cover their tracks after successful infiltration of a system. They are used specifically for future activities such as concealing the logging in of the attacker and hiding files and processes. The rootkit often overrides system commands.
The Secoder standard has been specified by Deutsche Kreditwirtschaft. The aim was to define a simple chip card reader primarily optimized for online banking so that online transactions could be better protected by data visualization on the display of the card reader. A Secoder chip card reader has:
• The Secoder seal of the ZKA (Zentraler Kreditausschuss)
• A keyboard to enter confidential information such as the card PIN
• Display for showing and checking data, e.g. amount due for an online payment using a cash card
• An intelligent firewall, e.g. to block access to the chip card in case of suspected abuse
The secret key is located on the chip card of the user and cannot be read. It is used for generating the signature: When signing the message, a sort of copy of the message is made and encrypted using the secret key. The signed document consists of the original document and the encrypted copy.
Security class 3 readers have a keyboard and their own display on which the data are immediately shown once again before the signature. This enables the user to make sure that his/her input is not tampered with and the correct data are signed.
In addition to the keyboard and display, class 4 chip card readers have a personalized security module with RSA functions. This means that the respective communication partner receives specific proof that a class 4 card reader was used. Proof is achieved through an additional signature, which the security module of the card reader calculates using the respective data. The card reader signature is embedded in the application through application-specific additional functions in the reader.
Abbreviation for: Single Euro Payments Area (Einheitlicher Euro-Zahlungsverkehrsraum)
SEPA ensures more competition on the market and achieves efficiency as well as Europe-wide standardized procedures and standards for the processing of Euro payments.
IBAN replaces the national account identifier.
The Signature Act (SigG) in conjunction with the Signature Regulation (SigV) defines a security standard for digital signatures. The Signature Act first distinguishes between a simple, an advanced and a qualified electronic signature. Only the latter is regulated in detail and is therefore considered to be compliant with the Signature Act. The qualified signature must make the identity of the signatory recognizable through a certificate and must be created using a secure signature creation device. The signature creation unit is deemed secure either if it has been evaluated accordingly by a state-approved test authority or if the manufacturer ensures appropriate security. Furthermore, this signature creation device must be at the sole disposal of the signatory. And, lastly, the certification service provider must offer secure infrastructures, procedures and technologies in accordance with the Signature Act and its follow-up regulations.
To verify the digital signature, the signature verification software requires the signature verification key of the sender. This signature verification key is located in the sender's certificate that is sent along with the signed message. The signature software automatically checks the validity and origin of the certificate as well as the integrity of the signed data and outputs the result of the verification in a message.
Let's say you want to sign a document electronically: After creating the electronic data, insert your signature card into the card reader. From your application program, click the command for signing the document. Provided it is an approved technical signature component, the contents of the document will be displayed again by means of the so-called display component (secure viewer) of your signature application software. Now check what you see on the screen because this is the content relevant for the electronic signature. If you confirm the contents and want to sign, you have to enter the PIN of your signature card.
Signatures that are not based on a qualified certificate and/or have not been created with technical components and procedures recommended by a trust center for creating secure signatures are called simple digital signatures.
The smart card is a clever, intelligent card: The golden chip on the card contains a "small computer" (processor chip card with cryptographic co-processor) together with the "SECCOS" operating system, and can read, store, process, and output data. This intelligence of the chip is specifically used to safeguard the interaction of chip card, application (e.g. non-cash payments, online banking, e-ticketing), chip contact unit (e.g. external card terminal on the PC, the ATM card reader) and infrastructure (e.g. background system of the credit institute, e-ticketing system) against abuse. Used as a synonym for chip card.
Abbreviation for: Sichere Signaturerstellungseinheit (secure signature creation unit)
This was defined in "Directive 1999/93/EC on a Community framework for electronic signatures" as configured software or hardware that is used for the storage and application of the signature key (signature creation unit) and complies with the requirements of Annex III of the Directive.
Abbreviation for: Secure Socket Layer / Transport Layer Security
SSL is a standardized protocol for encrypting messages on the Internet. The protocol was developed by Netscape and provides 128-bit encryption of data.
TLS is the standardized form of SSL.
The same key (DES) is used for encryption and decryption. It is also referred to as private key communication. The handover of the keys or key exchange (sender/receiver) must take place via secure transfer because, otherwise, anyone who gets hold of the key would be able to read the data exchanged between the sender and receiver. The symmetric key procedure is about 1,000 times faster than the asymmetric key encryption procedure. The DES key is regenerated on the PC of the signatory for each encryption process using random numbers.
Abbreviation for: Transaktionsnummer (transaction number)
A TAN is employed in electronic processes and is used for authorizing a transaction. In online banking, each transaction can be completed by the user only by entering a correct TAN, for example. In addition to the traditional TAN process, there are also extensions such as eTAN (electronic TAN), iTAN (indexed TAN) and mTAN (mobile TAN).
Abbreviation for: Technische Richtlinie (technical guideline)
Technical guideline of the German Federal Office for Information Security (BSI), which describes the requirements for chip card readers that support the new personal ID card.
Triple-DES means the 3-fold application of the DES algorithm. The Data Encryption Standard (DES) is a widely used symmetric key encryption method. In the DES-DES method (DDV), the electronic signature and encryption are carried out by means of Triple-DES. In the RSADES hybrid method (RDH), the encryption uses Triple-DES and the electronic signature uses RSA. RSA is an asymmetric cryptosystem, named after its inventors Rivest, Shamir, and Adleman. Whether DDV or RDH is used in HBCI with chip cards depends on the chip card generation.
Trojans are programs that either seem to have a useful function or are installed as a virus unnoticed on the user's computer. Their purpose is to spy on user data, e.g. by logging password entry. Trojans are often used for attacking online accounts.
Trust centers ensure the general security of a Public Key Infrastructure and constitute the central institutions of trust by making a binding, dedicated assignment of key pairs to persons (certification). Taken literally, certification means confirmation. Trust centers certify that a public key belongs to the owner of the key pair. To provide this assignment of keys and owners, trust centers reliably verify the identity of their customers. The trust center requires the particulars of an application form and the submission of a valid ID document to verify the information. In addition, the trust center needs a copy of this ID document signed by the applicant. Only after the trust center has determined the identity of the customer beyond reasonable doubt does it create a signature card with the relevant certificates individually for the customer.
The validity period denotes the period of validity of a subscriber certificate within a PKI. For a signature certificate in accordance with the German Signature Act, the validity period is 3 years, for example.
A virus scanner is a piece of software that protects a computer from malicious programs such as viruses and Trojans. Because new viruses come into circulation every day, a daily update of the virus scanner is important. This guarantees the best possible protection against malicious code, but it is nevertheless possible for a computer to become infected by a virus as yet unknown to the virus scanner.
A whitepaper is a document that covers specific topics in fluent language without marketing fillers, e.g. (case) studies, use cases, analyses or market research. The narrowly defined topic is discussed on up to 15 pages. Whitepapers are increasingly used as a means of communication.