Collapse All Expand All

Several security measures have been put in place to ensure that personally identifiable information presented in a WebLoan application does not pose a security risk to the financial institution or any applicant completing a WebLoan application.

The WebLoan Security topic provides administrators with an overview of the security measures that have been implemented for the following functionality to prevent data breeches in WebLoan and protect the applicant information entered in each WebLoan application:

• New Single Sign-On Method
• Logic for Copying Data from Core and Previous Applications
• Logic for Viewing and Editing Applications
• Additional Security Measures
  • Clickjacking Prevention

New Single Sign-On Method

A new Single Sign-on (SSO) Method is now available to provide financial institutions with a more secure authentication method when WebLoan is accessed from their online banking application. This new method is called directly from the online banking application's server to obtain an authentication token rather than a client-side form that included Lifecycle Management Suite credentials.

Back to top ^ 

Logic for Copying Data from Core and Previous Applications

Improved security measures have been put in place to prevent unauthenticated users from gaining access to applicant data in WebLoan that is copied from the core or a previous application. These measures eliminate security risks by authenticating the applicant during application initialization and ensuring that the institution has enabled the ability to load demographics from the core and previous applications.

In order to enable the ability to copy information from the core and previous WebLoan applications, the following requirements must be met by the institution:

• The new SSO Method must be implemented for the institution.
• The Load demographics and income from core and previous application parameter must be set to Yes within the Origination tab of the Solution.Origination page in System Management.

  

In WebLoan, the ability to copy demographics and income information from the core is no longer available for an applicant when the following requirements are not met:

• The applicant is authenticated using the new WebLoan Single Sign-on method.
• The Load demographics and income from core and previous application parameter is set to Yes within the Origination tab of the Solution.Origination page in System Management.

The following requirements must be met in order for data such as custom fields, declarations, income, and references to be copied from a previous WebLoan application:

• The applicant is authenticated using the new WebLoan Single Sign-on method.
• The Load demographics and income from core and previous application parameter is set to Yes within the Origination tab of the Solution.Origination page in System Management.
• The applicant has entered a valid TIN.

  A TIN must meet the following requirements in order to be considered valid: Must include nine digits Cannot include a repetition of the same digit (ie. 000000000, 111111111, 555555555) Cannot include a value of 012345678 Cannot include a value of 123456789

Back to top ^ 

Logic for Viewing and Editing Applications

Improved security measures have been put in place to authenticate the applications displayed in WebLoan and prevent unauthorized applicants from being able to open and edit existing applications that do not belong to them.

The applications displayed in the Application Listings page are now directly associated with the account number or valid TIN entered to open WebLoan; therefore, an applicant must meet one of the following requirements in order to be able to view existing applications:

• An Account Number is entered to open WebLoan.
• If an Account Number is not entered, a valid TIN has been entered to open WebLoan.        

  A TIN must meet the following requirements in order to be considered valid: Must include nine digits Cannot include a repetition of the same digit (ie. 000000000, 111111111, 555555555) Cannot include a value of 012345678 Cannot include a value of 123456789

The ability to edit existing WebLoan applications is determined by an institution meeting the following requirements:

• The new SSO Method is implemented for the institution.
• The Allow Editing Application parameter is set to Yes within the General tab of the WebLoan Settings page in System Management.

  

In WebLoan, if the applicant is not authenticated using the new SSO method and/or the Allow Editing Application parameter is not set to Yes for the institution, the Next button is disabled for the applicant and they are unable to update any existing applications.

Warning Message when Leaving the Application

When an applicant who does not have the ability to edit/view existing applications clicks a link that navigates from the application, such as List Applications or Logout, a warning message appears to alert that they are about to leave the application. Within this message, the applicant has the option to click Leave to exit the application or Stay on Application to remain on the screen in progress.

Back to top ^ 

Additional Security Methods for WebLoan

The following security measures have also been implemented to ensure the safety of applicant information in WebLoan:

Security Measure	Description
Encryption Scheme for WebLoan Cookies	Cookies are used to maintain a WebLoan session for an applicant. To provide a secure encryption scheme that is not susceptible to decryption, all WebLoan values are combined into a single encrypted cookie to prevent the ability to easily obtain the values for each cookie. WebLoan cookies are also now stored as session cookies in order to be erased when a user closes the browser at the end of the session.
GetDocument Method	When the GetDocument Method is downloaded from the Documents panel, the DocumentId is validated to ensure that the requested document is related to the current in progress application. If the DocumentId is not associated with the application in progress, the document is unable to be opened/downloaded from the Documents panel and the applicant is redirected to the Single Sign-On page.
SetApplication Method	When the SetApplication Method is called from the Application Listings Page, the ApplicationId is validated to ensure it is associated with the current applicant. If a logged-in user attempts to change the ApplicationId to a number that is not associated with the current applicant, an error is received and the requested application is not returned.

Clickjacking Prevention

Clickjacking is a technique used to trick a web user into performing actions against their knowledge by clicking on a concealed link within a hidden/invisible web page.

Institutions can eliminate this threat in WebLoan by making an IIS configuration change that prevents WebLoan from opening in an Iframe within their online banking application.

To make this IIS configuration change, perform the following steps:

• From the server where the Lifecycle Management Suite is installed, open IIS Manager and navigate to the website hosting the WebLoan application.
• Double-click .
• Within the HTTP Response Headers grid, right-click and select Add... to add a custom HTTP Response Header.
• In the window that appears, enter the following values:

  

• Click OK to add the HTTP Response Header and prevent WebLoan from displaying in an Iframe.

Back to top ^ 

 

 

---

©2018 Temenos Headquarters SA - all rights reserved.

Send Feedback