St.Galler Kantonalbank AG (SGKB) was looking for a new solution to better secure and control access to the bank’s own applications while on the move and from abroad. With Swisscom, SGKB established a bring-your-own-device concept for employees and combined user-friendliness with a high level of security that meets the strict requirements in banking – at lower costs and with less administrative effort.
As the leading financial institution in Eastern Switzerland, St.Galler Kantonalbank (SGKB) has been offering comprehensive financial services to private and business customers for over 150 years. It employs a total of 1,200 people at its headquarters in St. Gallen and in the additional 38 branches. Of these, about 300 bank employees and about 100 external employees regularly need to access the bank’s applications outside the office. These include cross-border commuters in Austria and Germany as well as system administrators, some of whom need access to applications from abroad.
Security at the expense of user-friendliness
Guido Kölliker has been Chief Information Security Officer at SGKB since 1 July 2017 and in this role is responsible for the bank’s information security. One of his first challenges as CISO was to strengthen the 2-factor authentication used for remote access and to gain tighter control over access from abroad. Until then, employees who wanted to log in while on the road used an RSA token or an SMS code as a second factor in addition to their password. The physical token generated a six-digit security code that the user had to enter to log in; the SMS delivered a four-digit code in the same way.
However, the RSA token was unpopular with both managers and staff for several reasons. Firstly, it meant an additional device that employees had to carry with them at all times in order to access applications. Secondly, the IP-based geo-fencing function was easily bypassed with a VPN and therefore, on its own, did not provide the level of security required for access from abroad. As an alternative, authentication via SMS was therefore tested as a second factor in order to replace the additional device and to make greater use of the employees’ private devices (smartphones).
“As soon as an employee forgot his RSA token at home, he could not work,” Kölliker recalls. “That’s why I was looking for a solution that included the employees’ smartphone. After all, you always pack your private smartphone with you. Through SMS, we established the employees’ devices as a second factor, but this method did not offer the desired level of security, as it had been proven to be able to be leveraged in the past.”
Wanted: security, usability and control
The new solution therefore had to offer a high level of security, usability and greater control over foreign access in equal measure. The search for the appropriate technology initially proved difficult. An app-based solution that used background noise for verification was ruled out because the required microphones on the user’s private computer would have caused additional costs. Device-based solutions that used a smart card as a second factor, for example, were also unsuitable because they entailed the same problems as the RSA token and involved a lot of administration.
During the search, Kölliker also got into conversation with Swisscom, with whom SGKB has already been working successfully for years. Swisscom operates SGKB’s ICT infrastructure and workplaces; at that time, the employees’ workplaces were being migrated to Windows 10, and Swisscom is currently renewing the infrastructure with desktops, laptops and thin clients. For some time, there had been discussions about implementing strong 2-factor authentication together with the renewal of the workplaces. However, due to scheduling dependencies, this was postponed to a later date.
With Mobile ID, Swisscom had a solution on offer that met all of SGKB’s requirements. It enables in-house control of remote access by allowing access authorisations from different countries to be granted and revoked temporarily by the bank’s own employees via white/black listing. Another significant advance is that verification is not IP-based, but takes place via the mobile network. “Trying to fake a different location here would require a high degree of criminal energy, as the location is determined on the basis of the radio tower and the provider of the respective country. This is much more difficult to circumvent,” says Guido Kölliker with satisfaction.
Furthermore, Mobile ID works independently of the terminal device and can be used on the employees’ smartphones without an additional app, which greatly reduces the costs and administration effort. When logging in, the user enters his or her data, then receives a notification on the smartphone (regardless of whether it is switched on or off) and confirms the login via Mobile ID with a six-digit PIN, which is set individually in advance and can be changed at any time.
Adaptation to the individual requirements
The changeover to Mobile ID began in September 2018 and went smoothly overall, although a few obstacles arose during the implementation process.
“The requirements for the solution were unique in that SGKB wanted to run the administration of geofencing itself, but the infrastructure was running on Swisscom’s Citrix platform. We haven’t had a situation like this in the past,” comments Swisscom. “We had to make sure that Mobile ID was compatible with the Citrix environment and that the changes from Active Directory were smoothly adopted in the backend of Mobile ID. We had to incorporate these changes on the fly, but we managed to do so very well within the schedule. In the end, the project was completed as planned.”
As part of the changeover, the 300 employees and 100 externals who need to access the banking application while on the road received new and Mobile ID-enabled SIM cards for their private devices, which were linked to their user account at the bank. Those who were not already customers of Swisscom or Mobile ID partner providers were given an extra SIM card to log in.
Since April 2019, employees have used Mobile ID exclusively as the second factor for logging in while on the move. Guido Kölliker expresses his satisfaction with the changeover: “It was particularly important to me that the control of foreign access is in our hands and that the employees also follow the path, otherwise it would not have worked. That’s why I’m very happy that we found a solution that was very positively received by the staff and at the same time offers the security necessary in the banking environment.”
Only the first step
After the successful introduction of Mobile ID for remote employees, Guido Kölliker would like to introduce this form of 2-factor authentication across the board for all employees in the office as well by the end of 2019, in order to strengthen the general security in the bank. He also receives support internally from the HR department, which wants to integrate private smartphones more strongly into everyday working life, for example to make it easier to record working hours. He therefore draws a thoroughly positive interim conclusion:
“With Mobile ID, we have been able to show that bring-your-own-device concepts can also work very well in the banking environment without compromising security. In addition, we have laid an important foundation for further digital progress and, in the future, we will be able to conveniently process qualified e-signatures or declarations of intent via the smartphone, which in turn will be more convenient for customers.”