WebLoan Security
Several security measures have been put in place to ensure that personally identifiable information presented in a WebLoan application does not pose a security risk to the financial institution or any applicant completing a WebLoan application.
The WebLoan Security topic provides administrators with an overview of the security measures that have been implemented for the following functionality to prevent data breaches in WebLoan and protect the applicant information entered in each WebLoan application:
A new Single Sign-on (SSO) Method is now available to provide financial institutions with a more secure authentication method when WebLoan is accessed from their online banking application. This new method is called directly from the online banking application's server to obtain an authentication token, rather than using a client-side form that included Lifecycle Management Suite credentials.
For a complete overview of the SSO Process, please see the WebLoan Single-Sign-on Specifications document available on the Collaboration Portal.
Due to increased security around certain WebLoan functionality, institutions are required to implement the new SSO method in order to use the following functionality in a WebLoan application:
For more information on the requirements to use the aforementioned functionality, please see the Logic for Copying Data from Core and Previous Applications and Logic for Viewing and Editing Applications sections in this topic.
Improved security measures have been put in place to prevent unauthenticated users from gaining access to applicant data in WebLoan that is copied from the core or a previous application. These measures eliminate security risks by authenticating the applicant during application initialization and ensuring that the institution has enabled the ability to load demographics from the core and previous applications.
In order to enable the ability to copy information from the core and previous WebLoan applications, the following requirements must be met by the institution:
In WebLoan, the ability to copy demographics and income information from the core is no longer available for an applicant when the following requirements are not met:
The following requirements must be met in order for data such as custom fields, declarations, income, and references to be copied from a previous WebLoan application:
A TIN must meet the following requirements in order to be considered valid:
When an additional applicant is added to a WebLoan application, data for the additional applicant does not populate from the core or previous application even when the primary applicant meets the requirements to populate the data.
Improved security measures have been put in place to authenticate the applications displayed in WebLoan and prevent unauthorized applicants from being able to open and edit existing applications that do not belong to them.
The applications displayed in the Application Listings page are now directly associated with the account number or valid TIN entered to open WebLoan; therefore, an applicant must meet one of the following requirements in order to be able to view existing applications:
A TIN must meet the following requirements in order to be considered valid:
The ability to edit existing WebLoan applications is determined by an institution meeting the following requirements:
In WebLoan, if the applicant is not authenticated using the new SSO method and/or the Allow Editing Application parameter is not set to Yes for the institution, the Next button is disabled for the applicant and they are unable to update any existing applications.
When an applicant who does not have the ability to edit/view existing applications clicks a link that navigates away from the application, such as List Applications or Logout, a warning message appears to alert them that they are about to leave the application. Within this message, the applicant has the option to click Leave to exit the application or Stay on Application to remain on the screen in progress.
This message only appears to applicants who do not have the ability to edit/view existing applications. Applicants with viewing and editing capability are navigated away from the application with no warning when links such as List Applications or Logout are clicked, since they are able to return to the application through the Application Listings page.
The following security measures have also been implemented to ensure the safety of applicant information in WebLoan:
| Security Measure | Description |
| --- | --- |
| Encryption Scheme for WebLoan Cookies | Cookies are used to maintain a WebLoan session for an applicant. To provide an encryption scheme that cannot be easily decrypted, all WebLoan values are combined into a single encrypted cookie, so that the individual values cannot be easily obtained. |
| GetDocument Method | When a document is downloaded from the Documents panel via the GetDocument method, the DocumentId is validated to ensure that the requested document belongs to the application currently in progress. If the DocumentId is not associated with the in-progress application, the document cannot be opened or downloaded from the Documents panel and the applicant is redirected to the Single Sign-On page. |
| SetApplication Method | When the SetApplication method is called from the Application Listings page, the ApplicationId is validated to ensure that it is associated with the current applicant. If a logged-in user attempts to change the ApplicationId to one that is not associated with the current applicant, an error is returned and the requested application is not loaded. |
Clickjacking is a technique used to trick a web user into performing actions without their knowledge by clicking on a concealed link within a hidden or invisible web page.
Institutions can eliminate this threat in WebLoan by making an IIS configuration change that prevents WebLoan from being opened in an iframe within their online banking application.
To make this IIS configuration change, perform the following steps:
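As an added illustration only (this is not the guide's own step list, and the site path and file location are assumptions), the following web.config fragment shows the standard IIS custom-header approach that instructs browsers to refuse framing of the WebLoan site:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config for the WebLoan IIS site (location is an assumption).
     The customHeaders element adds these headers to every HTTP response. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Legacy anti-framing header. DENY refuses every frame, including
             same-origin ones; use SAMEORIGIN only if WebLoan frames its own pages. -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- Modern equivalent honoured by current browsers: 'none' forbids all
             framing, so an online banking site on another origin cannot embed WebLoan. -->
        <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After applying the change, confirm that a response from the WebLoan site carries both headers (for example in the browser's developer tools) and that an attempt to load WebLoan inside a test page's iframe is refused.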