As the leading financial institution in Eastern Switzerland, St.Galler Kantonalbank (SGKB) has offered comprehensive financial services to private and business customers for over 150 years. It employs 1,200 people at its headquarters in St. Gallen and the additional 38 branches. About 300 bank employees and about 100 external employees regularly need to access the bank’s applications outside the office. These include cross-border commuters in Austria and Germany and system administrators, some of whom need access to applications from abroad.
Guido Kölliker has been Chief Information Security Officer at SGKB since 1st July 2017 and, in this role, is responsible for the bank’s information security. One of the first challenges as CISO was to improve the security of 2-factor authentication of remote access and more robust control of regional access from abroad. Until then, employees who wanted to log in while on the road did so with an RSA token or SMS as a second factor in addition to the password. The physical token generated a six-digit security code that the user had to enter to log in. The same procedure happened when the SMS generated a four-digit code.
However, the RSA token was unpopular with managers and staff for several reasons. For one, employees had to carry an additional device to access applications. Secondly, the IP-based geo-fencing function was easily bypassed by VPNs and thus did not provide the necessary level of security for access from abroad. Therefore, as an alternative, authentication via SMS was tested as a second factor to replace the additional device and to include the employees’ devices (smartphones).
“As soon as an employee forgot his RSA token at home, he could not work,” Kölliker recalls. “That’s why I was looking for a solution that included the employees’ smartphones. After all, you always pack your smartphone with you. Through SMS, we established the employees’ devices as a second factor, but this method did not offer the desired level of security, as it had been proven to be able to be leveraged in the past.”
Therefore, the new solution had to offer a high level of security, usability, and greater control over foreign access in equal measure. The search for the appropriate technology initially proved challenging. An app-based solution that used background noise for verification was ruled out because the required microphones on the user’s private computer would have caused additional costs. Device-based solutions that used a smart card as a second factor, for example, were also unsuitable because they entailed the same problems as the RSA token and involved much administration.
During the search, Kölliker also conversed with Swisscom, with whom SGKB had worked successfully for years. Swisscom operates SGKB’s ICT infrastructure and workplaces; at that time, the employees’ workplaces were being migrated to Windows 10, and Swisscom is currently renewing the infrastructure with desktops, laptops, and thin clients. For some time, there had been discussions about implementing robust 2-factor authentication together with the renewal of the workplace. However, this was postponed to a later date due to scheduling dependencies.
With Mobile ID, Swisscom offered a solution that met all of SGKB’s requirements. It enables in-house remote access control by allowing access authorizations from different countries to be granted and revoked temporarily by the bank’s own employees via white/blacklisting. Another significant advance is that location verification is not IP-based but occurs via the mobile network. “Trying to fake a different location here would require a high degree of criminal energy, as the location is determined based on the radio tower and the provider of the respective country. This is much more difficult to circumvent,” says Guido Kölliker with satisfaction.
Furthermore, Mobile ID works independently of the terminal device and can be used on the employees’ smartphones without an additional app, significantly reducing costs and administration effort. When logging in, the user enters their credentials, receives a notification on the smartphone (regardless of whether it is switched on or off), and confirms the log-in via Mobile ID with a six-digit PIN that is set individually in advance and can be changed at any time.
The transition to Mobile ID began in September 2018 and went smoothly overall, although a few obstacles arose during the implementation process.
“The requirements for the solution were unique in that SGKB wanted to run the administration of geofencing itself, but the infrastructure was running on Swisscom’s Citrix platform. We haven’t had a situation like this in the past,” comments Swisscom. “We had to make sure that Mobile ID was compatible with the Citrix environment and that the changes from Active Directory were smoothly adopted in the backend of Mobile ID. We had to incorporate these changes on the fly, but we did well within the schedule. In the end, the project was completed as planned.”
As part of the transition, the 300 employees and 100 externals who needed to access the banking application while on the road received new Mobile ID-enabled SIM cards for their devices linked to their bank user account. Those who were not customers of Swisscom or Mobile ID partner providers were given an extra SIM card to log in.
Since April 2019, employees have exclusively used Mobile ID as a second factor for logging in while on the move. Guido Kölliker expresses his satisfaction with the changeover: “It was essential to me that the control of foreign access is in our hands and that the employees also follow the path. Otherwise, it would not have worked. That’s why I’m thrilled that we found a solution that was very positively received by the staff and simultaneously offers the security necessary in the banking environment.”
After the successful introduction of Mobile ID for remote employees, Guido Kölliker would like to introduce this form of 2-factor authentication across the board for all office employees by the end of 2019 to strengthen general security in the bank. He also receives internal support from the HR department, which wants to integrate personal smartphones more strongly into everyday working life, for example to better record working hours. He therefore draws a thoroughly positive interim conclusion:
“With Mobile ID, we have shown that bring-your-own-device concepts can also work well in the banking environment without compromising security. In addition, we have laid an important foundation for further digital progress, and, in the future, we will be able to conveniently process qualified electronic signatures or declarations of intent via the smartphone, which in turn will be more convenient for customers.”