Xinjiang Rural Credit Cooperatives’ Online Banking System
With its experience in online banking and certificates, Aspire CA designed several online banking certificate products to ensure the security of online banking user accounts.
File digital certificate: It provides online banking users with a file certificate service that improves user account security by means of CMCA digital certificate signature, authentication and double-factor protection (certificate + password).
USB Key certificate: It provides online banking users with USB Keys to ensure finance-level security. Online banking users must pass real-name authentication to ensure account and transaction security. Online banking users can use their real-name digital certificates to enable authentication, payment/transfer transaction signatures and SMS verification, thus ensuring account and transaction security.
Competition requirements: At the very beginning of the construction of its online banking system, Xinjiang Rural Credit Cooperatives planned to use digital certificates to ensure system security. According to the Law of the People's Republic of China on Electronic Signature and relevant requirements of People’s Bank of China for online banking systems, an online banking system shall provide high-level security and superior experience for its users so as to meet industry and competition requirements.
Service classification requirements: An online banking system provides different operation rights and service rights for different levels of users. Since the current “username + password” login method cannot identify account security levels, digital certificates are required to verify account security levels, and then make different rights and services available to different accounts.
Security requirements: Digital certificates can ensure the security of online transactions and accounts, keeping users always in a secure environment. If a user with a digital certificate logs into his/her account from another PC on which the certificate is not installed, he/she cannot perform any operations except viewing the account. The digital certificate is a “key” to the account which greatly enhances its security.
In March 2013, Xinjiang Rural Credit Cooperatives chose Aspire CA as its online banking system’s digital certificate security service provider to provide an online banking digital certificate solution.
1. User side:
Aspire CA provides 4 types of user certificates, i.e. individual user with a file certificate, individual user with a USB Key, business user with a file certificate and business user with a USB Key.
Service portal: It is the online banking website which invokes the controls/suite to ensure the security of operations (e.g. payment and transaction confirmation) clicked by users.
Certificate security suite: It ensures the security of users with USB Keys. It is invoked by the portal to provide such features as application for a certificate, generating asymmetric keys, protecting keys, invoking USB Key driver, safely storing file certificates and certificate security management.
Password protection control: It protects the username + password logins with a security mechanism, and ensures the security of the password and online banking system.
Operation management backend: It reviews and approves paper-based applications for USB Keys, handles real-name authentications of users, automatically reviews rules based on applications for USB Keys, and interconnects with OPEN API for certificate authentication, signature authentication, evidence preservation and certificate and usage statistics collection.
OPEN API: It is CMCA’s basic capability that provides its certificate service API for interconnecting with third-party service platforms to provide such features as certificate application, certificate service and certificate management for them.
Authentication middle: It interconnects with the online banking platform for certificate authentication, signature authentication and evidence preservation, and collects certificate and usage statistics via OPEN API.
In June, 2013, the digital certificate solution for Xinjiang Rural Credit Cooperatives’ online banking system was put into operation upon completion of joint debugging.
As of September 2016, Aspire CA had issued over 0.65 million digital certificates to individual and business users of Xinjiang Rural Credit Cooperatives. Serving as user IDs, these digital certificates have enhanced account security and enabled strong login authentication. They provide users with digital signature service when they perform payment and transfer transactions, thus ensuring the security of online banking operations, confidentiality of transaction data and non-repudiation of transactions.
Xinjiang Rural Credit Cooperatives is a local financial institution which provides RMB deposit, loan and capital settlement and collection & payment services through its cooperative banks in 14 districts, over 83 county unions and nearly one thousand outlets across Xinjiang. In recent years, its operations have grown by leaps and bounds, with all KPIs hitting record highs. Xinjiang Rural Credit Cooperatives is at the top of the rural small & medium-sized financial institutions operation & risk ranking published by China Banking Regulatory Commission.
Since 2014, Aspire has been contracted by China Mobile Information Security Management and Operation Center to build an app security testing platform and provide app security testing services. Today, the platform has gone through three phases, provided lifecycle protection of apps, improved the security of pre-installed apps on CMCC’s customized devices, CMCC’s self-owned service apps and third-party apps, created a cycle of pre-distribution testing, reviewing upon distribution and post-distribution monitoring, and enabled filing and testing of CMCC’s self-owned services.
As the openness of smart device OSs and the number of apps increase, smart devices are becoming more and more important to the public. Meanwhile, mobile devices are facing a variety of security threats. Malicious software can control our mobile devices, hack our accounts, monitor our calls and send local messages. In addition, along with the rapid growth of various app markets, a wide variety of apps are flooding these app distribution channels, but a large number of apps are being hacked, tampered with and embedded with Trojans for lack of security assessment, certification and monitoring approaches, which is putting device users in great danger. As the most important carrier for the Mobile Internet, mobile devices are facing great security challenges.
To adapt to this tough environment, China Mobile Information Security Management and Operation Center set a goal of building a closed-loop app security management system for filing and testing of pre-installed apps on CMCC’s customized devices and CMCC’s self-owned service apps as well as pre-distribution testing and reviewing on distribution of third-party apps.
To achieve the goal of building a closed-loop app security management system, China Mobile Information Security Management and Operation Center contracted us to build this platform, provide app security testing services and improve the security of apps through platform and team building.
Today, the platform has gone through three phases and covers the entire app lifecycle. Before distribution, it provides security assessment, security testing and security enhancement to protect the app from being hacked or embedded with malicious code, and to make sure the business logic in it is free of vulnerabilities and cannot be used to harm end-users’ interests. After distribution, it monitors the distribution channel to collect data about app downloads and to identify piracy, malicious code embedding, underreporting and cover-up behaviors, thus achieving a 100% filing rate for self-owned apps of provincial companies.
Statistical data from the past three years, as provided by the platform and security testing services, show that 50% of vulnerabilities have resulted from not taking security requirements into consideration at the R&D stage, and 30% of them have resulted from the lack of a necessary security baseline at the R&D stage, which has led to configuration errors. At the testing stage, security threats have been identified in 75.9% of apps, which indicates that they have been distributed without going through the necessary security assessment.
To address these issues, in its app security management specifications, China Mobile has emphasized security management and risk assessment at the app R&D stage. Meanwhile, China Mobile Information Security Management and Operation Center asked provincial companies to rectify their apps, address security issues and enhance app development guidance. The Center published secure app development guidelines to guide provincial companies to assess apps before releasing them.
Today, China Mobile’s 31 provincial companies have implemented the “app filing + assessment” model to optimize mobile security management. The risk assessment ratio for key existing services and apps is 100%; that for new services and apps is 100%; that for device apps and self-owned apps is 80%, and that for third-party apps is 30%.
In 2015, the Center received assessment applications for 1591 apps from 21 provincial companies, and organized experts to assess their risks. The Center identified 2456 security threats in 972 apps which account for 75.9% of all apps. These threats may cause various problems such as remote control of service systems, leaking of user account information and unsolicited subscription.
Based on the security assessment, countersignature and app enhancement technologies are used to authenticate and control apps. As of March 2016, over 300 self-owned apps from several provinces and cities such as Beijing, Zhejiang and Jiangsu have been enhanced and countersigned, and over 50,000 third-party apps from app markets and Migu game market have been countersignature-authenticated to ensure app integrity protection, accountability traceability and realtime app control.
China Mobile Information Security Management and Operation Center, a division of China Mobile, is responsible for information security management for China Mobile Group and its provincial companies.
To improve the quality of data services & products as well as user experience, and identify their problems and bugs, Aspire was contracted by China Mobile to deploy a nationwide data service auto-dial testing network across 30 provinces, and completed several rounds of performance tests of key data services. The company has been serving China Mobile for five years on end by testing China Mobile’s data services (17 CMM’s self-owned services and 260 KPIs) and KPIs of competitors (auto-dial). The tests cover various KPIs such as delay, success ratio, resource consumption, power consumption and network traffic. The tests have revealed the status quo of value-added services in the province and improved their quality.
China Mobile’s quality campaign 2010, quality labor competition 2011 and customer experience special operation 2012 greatly improved the quality of data services of its provincial companies. To further improve the quality of its data services & products as well as user experience, identify their problems and bugs, and increase the availability of the end-to-end product process, China Mobile asked its provincial companies in 2014, 2015 and 2016 to enhance their data service auto-dial tests, improve their centralized and automated dial capabilities, and ensure the coverage, timeliness and effectiveness of the tests.
In response to China Mobile’s call, provincial companies started to deploy their data service dial testing systems to dial-test the experience of data services, and collect their quality data.
Technical characteristics of the project: the data service experience dial testing system features a one-level architecture that consists of the front-end and back-end systems. The front-end system is a distributed system that complies with technical specifications by interconnecting with the back-end data sync interface to automatically receive test data such as KPIs, dial-testing scripts and dial-testing tasks. It can run scheduled tasks and send the testing results to the back-end system for analysis. The entire dial-testing process is completely automated with minimum human intervention and higher efficiency. In addition to automatic task scheduling and running for auto-dial, the front-end system can also send heartbeat and alarm information to the back-end system for it to monitor the front-end system, and ensure its stable operation and accuracy of testing results. The current technical challenge is that the front-end system synchronizes dial-testing scripts and dial-testing tasks with the back-end system, and runs the scripts according to tasks. When running a script, the front-end system converts the test instruction into the call of the device API for auto-dial testing, and sends the results to the back-end system. The entire process is completed by the device itself. This imposes higher requirements on the development of the device’s underlying capabilities and system architecture. Hence, the solution features a layered architecture, a highly cohesive and transparent storage system as well as service and functional components for high scalability. Security can ensure data processing consistency. The front-end system shall upload testing results immediately to prevent tampering, and encrypt uploaded data. Compatibility makes the front-end system compatible with Android and iOS as well as various emerging devices. Openness brings mainstream open technologies to support various data services and interoperability with other systems.
As regards reliability, the system features a low-power design that supports 24*7 operation, is able to record testing results in a timely manner, and can resume measurement from breakpoints. During operation, the front-end system can send alarms to the back-end system to ensure system security. Scalability is ensured by its component philosophy, with separated platform and app components that make the system adaptable to future services and changes. New services and functions can be inserted into the system as components without impacting the system architecture, thus enabling rapid functional expansion. The company delivered a complete set of standards and dial testing models for a full-featured, clearly-structured and highly scalable dial testing platform to promote the planning and construction of the platform, improve the effectiveness and quality of network maintenance, and lower operating costs. Aspire also designed a realtime warning system to improve the system’s lifecycle dial testing capabilities, monitor and analyze the quality of the company’s products, identify quality issues and help improve user experience.
We helped customers build a complete data service product system, assess their product development strategies based on KPIs, improve products’ user experience and competitive edge, and build standardized metrics to provide strong support for operations and data services’ user experience.
Quality management division, data departments and marketing departments of provincial companies, China Mobile.
The end-to-end paperless system for China Mobile’s business halls can transform a large number of paper documents into electronic documents to enhance the automated audit process, improve the audit efficiency, and reduce the workload of the clerks. In addition, leveraging the system to reduce paper usage is also in line with the “energy saving and environment-friendly” philosophy.
The paperless integrated security appliance uses PKI/CA and electronic signature technologies to authenticate users in a paperless way, and make sure that the digital signatures in electronic documents have the same legal force as those in paper documents, thus avoiding business disputes and legal risks.
At the end of the existing service handling process in a China Mobile business hall, the clerk still needs to print out paper documents which shall be confirmed and signed by the customer, stamped with the business hall’s handling seal by the clerk, and handed over to the customer and business halls for archiving purposes. As a service channel of China Mobile, a business hall handles a large number of paper documents each day, and therefore expects to improve its costs, efficiency and security.
Office costs include paper, warehouse and labor costs which are very high and not in line with the “energy saving and environment-friendly” philosophy.
Paper documents need to be handed over manually which has lowered the efficiency.
The existing paper document management has caused serious information security issues. Customer data are handed over and stored too many times which may lead to leakage of customer’s sensitive information. Warehousing poses many physical security threats. Seals may be forged, and therefore are insecure.
The project should feature new technologies, new ideas, environment-friendliness, cost-effectiveness and improved user experience. New business hall services are an inevitable trend.
Actions taken by the customer:
The paperless integrated security appliance provides service interfaces for service software to invoke. It has four major features, i.e. certificate management, signature authentication, evidence preservation and key hosting.
The certificate management feature manages all digital certificates used by the electronic document system throughout their lifecycles, including certificate application and revocation. Certificates managed by it include seal keepers’ role certificates and business hall’s seal certificates.
The signature authentication feature signs all digital certificates invoked during electronic document management, and verifies the validity of digital signatures. It invokes the digital certificates and private keys stored in the key hosting feature to sign seals and electronic documents that need signing, and authenticates the signatures of signed seals and electronic documents. The system can ensure the security and validity of the signatures and signature authentication process.
The evidence preservation feature preserves such data as signatures, signature certificates and signing times in the evidence database. When there is a dispute on an electronic document, the preserved data can be used as the digital signature evidence to restore the digital signature and verify the validity of the electronic document.
The key hosting feature stores and manages all digital certificates and private keys in the electronic document system. It keeps private keys safe and provides online key invoking service.
The integrated security appliance has ensured the security of electronic documents, and made sure that the digital signatures in electronic documents have the same legal force as those in paper documents, thus avoiding business disputes and legal risks. By optimizing the paperless process for business halls, it has improved the business efficiency, reduced customer waiting times and enhanced user experience and service quality. Meanwhile, it has greatly saved labor and paper costs.
Aspire Electronic Seal System
Electronic seals are designed for organizations that need to sign or audit a large number of contracts or agreements. Based on digital certificates, they provide organizations with a legitimate, efficient and environment-friendly electronic signing solution. According to the Law of the People's Republic of China on Electronic Signature, qualified CAs issue digital certificates to ensure legitimacy of electronic contracts which can replace the traditional paper-based signing approach, improve productivity and lower OPEX.
Typical customers: Migu Games, Engineering Department of CMCC Jiangsu Co. Ltd.
1. They need to sign a large number of contracts or agreements: As their online operations keep growing, these organizations need to sign a large number of contracts or agreements, and therefore need a legitimate, efficient and environment-friendly electronic signing solution.
2. They need to sign contracts or review documents remotely: Since their business partners are scattered across the country, they need to sign and review contracts or agreements in a timely, effective and retraceable manner.
3. Environment-friendly: They need to respond to the call for environment-friendliness by cutting down on paper waste, paper printing and waste of mailing resources as well as the consumption of labor, space and financial resources.
Aspire electronic seal system provides electronic seals and signatures that allow customers to remotely and rapidly sign a large number of contracts or agreements with the highest input-output ratio, and ensure integrity and confidentiality of electronic documents as well as authenticity of document senders’ IDs and non-repudiation of signers.
The PKI-based electronic seal system uses digital certificate and signature technologies to affix a seal to an electronic document and embed a digital signature to ensure its authenticity, uniqueness and non-repudiation as well as non-reproducibility of the seal, and comply with the Law of the People's Republic of China on Electronic Signature.
The electronic seal system provides the following features:
✓ Basic features: user information management, certificate lifecycle management, document management, certificate management, seal management and signature & seal authentication and management.
✓ Service features: seal development, document signature, signature & seal authentication, user authentication and evidence preservation.
✓ The electronic seal system supports electronic seals and handwritten signatures.
✓ The electronic seal system allows the user to sign documents on various devices such as his phone, PAD or PC.
Electronic seals have enabled customers to migrate to paperless offices, protect the environment, cut down on the waste of natural resources, and remotely sign documents. Customers no longer need to travel around to sign contracts, which has greatly improved their productivity, saved their time and ensured security of the contract signing process. The system uses advanced digital signature technology to ensure that the signed documents cannot be tampered with and the seals cannot be forged, thus making the documents unique, and putting an end to forged documents. It allows customers to monitor the entire contract-signing process, including electronic seals, electronic storage, processing and retrieving of contracts. Customers can find the details of each signing process, thus ensuring its non-repudiation.
MM: Providing electronic seal services for individual and business developers.
Migu Games: Providing electronic seal services for CPs and channel partners.
Migu Reading: Providing electronic seal services for authors.
Migu Cartoon: Providing electronic seal services for developers.
Engineering Department of CMCC Jiangsu Co. Ltd.: The electronic seal system is used in the project approval and signing process, and stores electronic seals of project documents.
Shenzhen Shouihuobao Internet Financial Services Co., Ltd.: Electronic seal services are making a success in the Internet financial sector.