Mid Penn Bank’s On-Line Banking System brings together a combination of industry-approved security technologies to protect data for the bank and for you, our customer. It features multi-factor authentication, including PassMark™ Security and a password-controlled system entry, an RSA-issued Digital ID for the Internet Banking Service (IBS) server, the Secure Sockets Layer (SSL) protocol for data encryption, and a router loaded with a firewall to regulate the inflow and outflow of server traffic.

There are four primary areas of concern when it comes to securing data over the Internet:
- Secure log-in and user authenticity.
- Encryption while data is in transit.
- Routing unwanted traffic away from the bank.
- Physical security of the IBS server and internal configurations.

SECURE ACCESS AND VERIFYING USER AUTHENTICITY:
Authentication is a process where a person or computer program proves their identity in order to access information.  The person’s identity is a simple assertion, the login ID for a particular computer application, for example.  Proof is the most important part of the concept and that proof is generally something known, like a password; something possessed, like an ATM card; or something unique about your appearance or person, like a fingerprint.  Strong authentication processes require at least two of these proofs. Mid Penn Bank’s On-Line Banking System uses strong authentication. 

Mid Penn Bank’s On-Line Banking System integrates PassMark Security’s industry-leading, risk-based strong authentication system with its retail and small business on-line banking solutions, compliant with guidance put forth by the FFIEC.

Prior to beginning a session with the IBS server, users are required to enter their Log-In ID, but not their password. If the computer is recognized, an image and phrase will be presented to the user. The image and phrase are chosen by the customer upon enrollment, and help the user confirm that they are on Mid Penn Bank’s website, not a fraudulent look-alike site. Once the customer’s chosen image and phrase are confirmed, the user can safely enter a password to enter the IBS server. If the computer that the customer is using is not recognized, the user will be asked a “challenge question” to confirm identity and to determine whether the user would like this computer to be recognized in the future. Correctly answering the challenge question will allow the user to proceed with log-in. Challenge questions and answers are chosen by the customer during the enrollment process, at the customer’s first log-in attempt.

Our On-Line Banking System also uses a “3 strikes and you’re out” lock-out mechanism to deter users from repeated login attempts.  After three unsuccessful login attempts, the system locks the user out, requiring either a designated wait period or a phone call to the bank to verify the password before re-entry into the system.  Upon successful login, RSA’s Digital ID authenticates the user’s identity and establishes a secure session with that visitor. The Bank also sends an e-mail to the end users notifying them that they have recently been locked out of the On-Line Banking System and requests that users notify the bank immediately if they did not lock themselves out or made no attempt to log into the system.
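The log-in flow described in the two paragraphs above (device recognition, image and phrase, challenge question for an unrecognized computer, and the “3 strikes” lock-out with its notification e-mail) is sketched below as an added illustration. It is not Mid Penn Bank’s or PassMark’s code. The 30-minute wait period, the decision to count a wrong challenge answer as a failed attempt, and the representation of the lock-out e-mail as a queued message string are assumptions; the page does not state them.

```python
"""Login-flow sketch for device recognition, challenge question and
three-strikes lock-out.  Added illustration only; not the bank's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3                 # "3 strikes and you're out"
LOCKOUT_SECONDS = 30 * 60        # assumed wait period; the page does not give one
PBKDF2_ROUNDS = 50_000


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither passwords nor challenge answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    login_id: str
    salt: bytes
    password_hash: bytes
    site_image: str                       # image chosen at enrollment
    site_phrase: str                      # phrase chosen at enrollment
    challenge_question: str
    challenge_hash: bytes
    recognised_devices: set = field(default_factory=set)
    failed_attempts: int = 0
    locked_until: float = 0.0             # epoch seconds; 0 means not locked
    notifications: list = field(default_factory=list)   # stand-in for outbound e-mail


def enroll(login_id, password, image, phrase, question, answer) -> Account:
    salt = secrets.token_bytes(16)
    return Account(login_id, salt, _digest(password, salt), image, phrase,
                   question, _digest(answer.strip().lower(), salt))


def _locked(acct: Account, now: float) -> dict:
    return {"state": "locked", "retry_after": acct.locked_until - now}


def _record_failure(acct: Account, now: float) -> dict:
    """Count a strike; on the third, lock the account and queue the notice."""
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.failed_attempts = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.notifications.append(
            f"{acct.login_id}: locked out after {MAX_ATTEMPTS} failed attempts; "
            "contact the bank immediately if this was not you")
        return _locked(acct, now)
    return {"state": "failed", "attempts_left": MAX_ATTEMPTS - acct.failed_attempts}


def start_login(acct: Account, device_id: str, now: float) -> dict:
    """Step 1: the customer submits only the login ID."""
    if now < acct.locked_until:
        return _locked(acct, now)
    if device_id in acct.recognised_devices:
        # Known computer: show the enrolled image and phrase before asking for a password
        return {"state": "show_image", "image": acct.site_image, "phrase": acct.site_phrase}
    return {"state": "challenge", "question": acct.challenge_question}


def answer_challenge(acct: Account, device_id: str, answer: str,
                     remember: bool, now: float) -> dict:
    """Step 1b, only for computers the system does not recognize."""
    if now < acct.locked_until:
        return _locked(acct, now)
    if hmac.compare_digest(_digest(answer.strip().lower(), acct.salt), acct.challenge_hash):
        if remember:
            acct.recognised_devices.add(device_id)
        return {"state": "show_image", "image": acct.site_image, "phrase": acct.site_phrase}
    return _record_failure(acct, now)       # assumption: a wrong answer is a strike


def submit_password(acct: Account, password: str, now: float) -> dict:
    """Step 2: the password, entered only after the image and phrase were confirmed."""
    if now < acct.locked_until:
        return _locked(acct, now)
    if hmac.compare_digest(_digest(password, acct.salt), acct.password_hash):
        acct.failed_attempts = 0
        return {"state": "authenticated"}
    return _record_failure(acct, now)
```

The password prompt is deliberately reachable only from the “show_image” state, so a look-alike site that cannot display the enrolled image and phrase never receives a password, and the lock-out is checked at every step so a locked account cannot be probed through the challenge question either.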

YOUR PASSWORD: 
Another important security measure rests with you. Your transactions are protected by your individual password, so be sure to keep your password a secret. Memorize it and, if you need to keep a written record of it, store it away from your computer and do not carry it in your wallet. Make sure no one watches you enter it, and remember to exit the Internet browser when leaving the computer unattended for any period of time or when you have finished your banking transactions. Mid Penn Bank uses “Password Re-Aging,” which simply means that every 180 days you will be required to change your password for extra protection. You will not be able to reuse a password that you had been using during the past 180 days. Also for your protection, once you have entered your On-Line Banking session with your password, the session will automatically log off after 120 minutes, whether or not it is in use. For your protection, your password should not be a word found in the English dictionary.
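The password and session rules stated in the paragraph above (re-aging every 180 days, no reuse of a password that was in use during the past 180 days, no dictionary words, and an absolute 120-minute session limit that does not depend on activity) are written out below as an added illustration; this is not the bank’s code. The tiny word list standing in for an English dictionary, and the reading of “in use during the past 180 days” as “the old password’s active period overlaps the 180-day window,” are assumptions.

```python
"""Password re-aging, reuse and session-limit rules.  Added illustration only;
not the bank's code."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Optional

REAGE_DAYS = 180                          # from the page
SESSION_LIMIT = timedelta(minutes=120)    # from the page
DICTIONARY = {"password", "banking", "summer", "welcome"}   # constructed stand-in


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordRecord:
    def __init__(self, password: str, set_at: datetime):
        self.salt = secrets.token_bytes(16)
        self.history = []                 # (digest, set_at), oldest first
        self._set(password, set_at)

    def _set(self, password: str, when: datetime) -> None:
        self.history.append((_digest(password, self.salt), when))

    def must_change(self, now: datetime) -> bool:
        """Re-aging: the current password expires 180 days after it was set."""
        return now - self.history[-1][1] >= timedelta(days=REAGE_DAYS)

    def rejection_reason(self, candidate: str, now: datetime) -> Optional[str]:
        """None if the candidate is acceptable, otherwise why it is refused."""
        if candidate.lower() in DICTIONARY:
            return "dictionary word"
        window_start = now - timedelta(days=REAGE_DAYS)
        new_digest = _digest(candidate, self.salt)
        for i, (old_digest, set_at) in enumerate(self.history):
            # Assumption: a password was "in use" from set_at until the next one was set
            in_use_until = self.history[i + 1][1] if i + 1 < len(self.history) else now
            if in_use_until >= window_start and hmac.compare_digest(new_digest, old_digest):
                return f"used within the past {REAGE_DAYS} days"
        return None

    def change(self, candidate: str, now: datetime) -> None:
        reason = self.rejection_reason(candidate, now)
        if reason:
            raise ValueError(reason)
        self._set(candidate, now)


class Session:
    """Absolute 120-minute limit: activity does not extend it."""
    def __init__(self, started: datetime):
        self.started = started

    def is_active(self, now: datetime) -> bool:
        return now - self.started < SESSION_LIMIT
```

Because only salted digests are kept, the reuse check compares the candidate against each historical digest under the same salt; a history that stored the old passwords themselves would undo the point of hashing.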

SECURED DATA TRANSFER OVER THE INTERNET:
Once the server session is established, the user and the server are in a secured environment. Because the server has been certified as a 128-bit secure server by RSA, data traveling between the user and the server is encrypted with the Secure Sockets Layer (SSL) protocol. With SSL, data that travels between the bank and customer is encrypted and can only be decrypted with the public and private key pair. In short, the IBS server issues a public key to the end user’s browser and creates a temporary private key. These two keys are the only combination possible for that session. When the session is complete, the keys expire and the whole process starts over when a new end user makes a server session.

U.S. LEVEL ENCRYPTION: 
All On-Line Banking transactions and information are protected by 128-bit encryption provided by VeriSign. While in this secure area, your computer screen will show a closed “lock” if you are using the Netscape Internet browser or the Internet Explorer browser. This 128-bit encryption is the most powerful method of scrambling information between you and the bank. In fact, it is actually viewed by the government as a munition, making it strictly guarded and difficult to export. Our On-Line Banking System requires this level of encryption.

ROUTER AND FIREWALL:
All “requests” must filter through a router and firewall before they are permitted to reach the server. A router, a piece of hardware, works in conjunction with the firewall, a piece of software, to block and direct traffic coming into the server. The configuration begins by disallowing ALL traffic and then opens holes only when necessary to process acceptable data requests, such as retrieving web pages or sending customer requests to the bank.
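The default-deny posture described above (refuse everything, then open only the holes the service needs) is shown below as a small rule evaluator, added as an illustration; it is not the bank’s router or firewall configuration. The server address (from the TEST-NET-3 documentation range), the port numbers, the internal administration range and the rule order are constructed assumptions.

```python
"""Default-deny packet filter evaluator.  Added illustration only; not the
bank's router or firewall configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR
    dst: str                      # CIDR
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (pkt.proto, "any")
                and self.dport in (pkt.dport, None))


IBS_SERVER = "203.0.113.10"       # constructed example address (TEST-NET-3)
IBS_HOST = IBS_SERVER + "/32"

# Each rule is one deliberately opened "hole"; anything not listed is refused.
RULES = [
    Rule("allow", "0.0.0.0/0", IBS_HOST, "tcp", 443),   # customers: HTTPS only
    Rule("allow", "10.0.0.0/8", IBS_HOST, "tcp", 22),   # assumed internal admin range
]


def evaluate(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; with no match the packet is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"                 # implicit default: disallow ALL traffic


def audit(rules=RULES) -> list:
    """Flag any allow rule broad enough to undo the default-deny posture
    (any source, any port)."""
    return [r for r in rules
            if r.action == "allow" and r.dport is None
            and ip_network(r.src).prefixlen == 0]
```

The deny at the end of evaluate is the whole policy: a request that no rule anticipated, whether a different port, a different protocol or a different destination host, never reaches the server. The audit helper is the check a reviewer would run whenever a rule is added, since one “allow anything” line silently turns a default-deny configuration into a default-allow one.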

PHYSICAL SECURITY OF THE IBS SERVER AND INTERNAL CONFIGURATION:
Constant monitoring of the IBS server and internal configuration is performed by the IBS service provider for any unusual activity.

By using the above technologies, your On-Line Banking transactions are secure.

Last revised:  November 28, 2007