Security_in_E_Banking
2013-11-13
Security Measures in Internet Banking
Objective:
“Internet banking is a faster means of banking which can be made safe through various security measures”
The following points are considered in order to elaborate on the statement:
* Security in Internet banking
* Security threats in Internet banking
* Solutions to implement security
Introduction:
Rapid advances in technology have touched nearly every area of life. The Internet and web technologies have left an indelible mark on the way the world functions, and banking is no exception. In the financial services industry the Internet, and in particular the World Wide Web, serves as a new channel for transmitting financial information. With the popularity of PCs and easy access to the Internet and the World Wide Web (WWW), banks increasingly use the Internet as a channel for receiving instructions and delivering their products and services to their customers.
One of the main concerns with Internet banking is security. Without confidence in its security, customers are unwilling to use a public network such as the Internet to view their financial information online and conduct financial transactions. Banks should therefore implement the available security techniques to gain clients' trust and confidence.
Internet Banking
Internet banking is an extension of normal or traditional banking services. Internet banking, sometimes called online banking, uses the Internet as the channel for conducting banking activities. At its simplest, Internet banking can mean the provision of information about a bank and its services via a home page on the World Wide Web (WWW). The main reason behind the success of Internet banking is the numerous benefits it provides, both to banks and to customers of financial services.
Internet banking provides both traditional and new services to users. It consists of informational, communicative and transactional services such as viewing account balances, accessing transaction details, downloading financial information, transferring funds between accounts, scheduling future funds transfers, paying utility bills electronically, scheduling automatic bill payments, booking tickets, recharging prepaid mobiles and so on. Because the account is available 24/7, the customer gains accessibility and convenience.
Need of Security:
Security is a crucial requirement of an Internet banking system because the sensitive financial information these systems transmit travels over untrusted networks, where anyone with local or even remote access to any part of the path can read or alter it. Security is therefore required to protect customers' private financial information and to protect against fraud. Banking institutions offering Internet-based products and services should also have reliable and secure methods to authenticate their customers.
Security is defined as the state of being secure from any threat. The targets of attack in Internet banking include the customer's PC, the bank's web server, and the data while it is in transit over the Internet channel between the customer's PC and the web server.
Following figure shows three targets of attack in Internet banking.
Therefore security must be implemented for the client, for the transmission channel, and for the web server, which hosts the bank's website as well as the financial database.
Types of Security Threats
The following are some of the security threats in Internet banking:
* Identity theft: stealing personal information. For example, an attacker may steal another person's user ID and password and use them to pay the attacker's own bills or to transfer funds to the attacker's account without the legitimate user's knowledge.
* Phishing: Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity. It is typically carried out by e-mail or instant messaging, which directs users to enter their details at a fake website whose look and feel are almost identical to the legitimate one. Countermeasures against the growing number of reported phishing incidents include user training, public awareness, and technical security measures.
* Attacking the server: the bank's server is itself a target. Malware that reaches the server can destroy server resources such as the customer database, and a denial-of-service attack sends the server more requests than it can handle, exhausting its resources so that it becomes unavailable to legitimate clients.
* Key loggers: a key logger is a program installed on the client's computer without the client's knowledge. It records every keystroke made on that computer, including the user ID and password the client types into the bank's website, and is used to steal a customer's login information.
Factors of Security
Any Internet banking system must solve the issues of authentication, confidentiality and integrity. While implementing security, the following factors must be taken into consideration:
* Authenticity: the bank and the client should each be able to verify the identity of the other.
* Confidentiality: data should be accessible only to the authorized customer and the bank.
* Integrity: the message received must be exactly the message that was sent, with nothing altered in transit.
First, the online bank is authenticated to the customer by the digital certificate its server presents when the customer's browser connects to the bank's known Uniform Resource Locator (URL). The URL alone proves nothing, since a phishing page can show it in a link, so the browser must verify that the certificate was issued by a trusted Certification Authority for that exact host name. The customer is in turn authenticated by his or her login ID and password (and, increasingly, a second factor) to ensure that only authenticated customers can access their accounts. Second, messages between customers and online banks are encrypted so that an attacker cannot read them even if they are intercepted on the Internet. The protocol adopted by all common browsers is Secure Sockets Layer (SSL), whose successor is Transport Layer Security (TLS). It is built into the web browser and users do not have to take any extra steps to set it up. SSL provides confidentiality through encryption and integrity through a message authentication code on every record, so tampering with data in transit is detected.
Third, banks deploy firewalls, which are software or hardware barriers between the corporate network and the external Internet, to protect servers and bank databases from outside intruders by allowing only the traffic that the bank's services need (for example, HTTPS to the web server) and blocking direct access to everything else.
Internet Channel Security:
Data in transit over an unsecured public channel is protected by cryptography. Cryptography lets you store sensitive information, or transmit it across insecure networks, so that it cannot be read by anyone except the intended recipient. Encryption provides confidentiality; integrity requires an additional mechanism such as a message authentication code or a digital signature, because an attacker who cannot read a ciphertext may still be able to modify it. Cryptography consists of the encryption and decryption processes.
Encryption: Encryption is the process of transforming information so that it cannot be read by anyone except the intended recipient. This is done by applying a mathematical algorithm that requires a key to lock, or encrypt, the original data. The sender encrypts the plaintext, and the resulting ciphertext passes over the Internet channel.
Decryption: Decryption is the process of converting the ciphertext back into readable plaintext. The receiver obtains the ciphertext and recovers the original data using the corresponding key and algorithm.
Figure: the encryption and decryption process. The sender encrypts the plaintext "Hello" into the ciphertext "Ifmmp" (in this illustration each letter is shifted one place along the alphabet); the ciphertext travels over the channel, and the receiver decrypts it back to "Hello".
Two different kinds of encryption exist, with two separate purposes. One purpose is to keep information private; the other is to verify the identity of the parties in a transaction. Both kinds are typically used together to protect messages and validate the parties involved. The two fundamental types are symmetric and asymmetric encryption.
i. Symmetric key encryption: also known as secret key (or private key) cryptography. It requires both the sender and the receiver to hold the same key (the secret value that drives the encryption algorithm). The sender encrypts the message and the receiver decrypts it using that same key.
The advantages of secret key cryptography are that it is secure, widely used and fast. The disadvantages are that key administration is complex, requiring both parties to keep absolute control over how keys are exchanged, and that it includes no separate authentication mechanism: anyone who holds the key can produce valid ciphertext.
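As an added example (not part of the original essay), the following Python program shows symmetric encryption together with the integrity point made under Factors of Security: a ciphertext that is only encrypted can be modified by an attacker who cannot read it, and a message authentication code is what detects the change. The stream cipher is a toy built from SHA-256 for illustration only; the key values, the message format and the account number are constructed for the example.

```python
import hashlib
import hmac
import os


# Toy stream cipher for illustration only: the keystream is SHA-256 in counter
# mode over (key, nonce, block). A real deployment would use an authenticated
# cipher such as AES-GCM; the XOR structure here is what makes the malleability
# visible.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Symmetric encryption: XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


# XOR is its own inverse, so decryption is the same operation with the same key.
decrypt = encrypt


def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over nonce || ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None):
    """Sender side: returns (nonce, ciphertext, tag). Never reuse a nonce under one key."""
    if nonce is None:
        nonce = os.urandom(12)
    ciphertext = encrypt(enc_key, nonce, plaintext)
    return nonce, ciphertext, tag(mac_key, nonce, ciphertext)


def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, received_tag: bytes):
    """Receiver side: verify the tag BEFORE decrypting; return None on any mismatch."""
    if not hmac.compare_digest(tag(mac_key, nonce, ciphertext), received_tag):
        return None
    return decrypt(enc_key, nonce, ciphertext)


def tamper(ciphertext: bytes, index: int, old: bytes, new: bytes) -> bytes:
    """Attacker: flip ciphertext bytes so a known plaintext substring decrypts to
    something else, without knowing the key (works because C = P xor keystream)."""
    edited = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[index + i] ^= o ^ n
    return bytes(edited)


def demo() -> dict:
    enc_key = b"e" * 32                    # constructed keys; real keys come from a KDF or RNG
    mac_key = b"m" * 32
    order = b"TRANSFER amount=100 to=ACCT-42"   # constructed message
    nonce, ct, t = protect(enc_key, mac_key, order)
    idx = order.index(b"100")
    forged = tamper(ct, idx, b"1", b"9")   # attacker turns 100 into 900
    return {
        "roundtrip": unprotect(enc_key, mac_key, nonce, ct, t),
        "forged_without_mac": decrypt(enc_key, nonce, forged),             # amount=900
        "forged_with_mac": unprotect(enc_key, mac_key, nonce, forged, t),  # None: rejected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The receiver checks the tag with a constant-time comparison before it decrypts anything; with encryption alone the forged transfer would be accepted, because the cipher never knew what the bytes meant.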
ii. Asymmetric key encryption: also known as public/private key cryptography, since it employs two keys, a public key and a private key. The two keys are mathematically related, but the private key cannot feasibly be derived from the public key. For example, to prove that a message came from the sender, the sender signs the message (or its hash) with their private key, which only the sender knows. Anyone can check the signature with the sender's public key, and because only the holder of the private key could have produced it, the receiver knows the message came from the expected sender. Conversely, a message encrypted with the receiver's public key can be decrypted only with the receiver's private key, which is how the key for a symmetric session is delivered in SSL. One advantage of public key cryptography over secret key cryptography is that it simplifies key administration: there is no requirement for prior distribution of a shared secret between the sending and receiving parties.
How Encryption Works in Practice
Encryption may be used both to secure the message and to authenticate the sender. The normal approach is to use asymmetric and symmetric encryption together.
Banks typically use symmetric (secret key) encryption to secure messages and asymmetric (public/private key) cryptography to authenticate the parties and to exchange the symmetric session key. In practice this is implemented by means of digital certificates and the SSL protocol.
Server Side Security:
Server-side security involves protecting server resources from malicious attacks, and authenticating the server to the client.
Protecting server resources:
Firewall:
Firewalls are frequently used in Internet banking systems to protect internal systems connected to an outside network. A firewall is a combination of hardware and software placed between two networks, through which all traffic must pass regardless of its direction. It acts as a gateway that guards against unauthorized individuals gaining access to the bank's network, protecting the resources of the private network from external networks. It does so by admitting only the traffic the bank's services require and dropping everything else; it cannot by itself tell a legitimate user from an attacker who uses the permitted HTTPS port, so it complements, rather than replaces, authentication at the application layer.
Firewalls must be configured for the specific operating environment, and they must be evaluated and maintained regularly to ensure they remain effective and efficient.
Firewalls fall into two categories:
i. Proxy firewalls: an application-level firewall, better known as a proxy, acts as an intermediary between the client and the server. The client connects to the proxy; the proxy opens its own connection to the server and passes data back and forth, so no packet travels directly between the two and the proxy can inspect the application-level content.
ii. Packet-filtering firewalls: packet filtering decides whether a packet is allowed or denied based on its source and destination addresses, the protocol, and the source and destination ports. A stateful packet filter additionally records the connections it has admitted, so that it can tell whether a packet is part of an ongoing conversation and pass reply traffic without a separate rule for it.
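The following Python program is an added example, not from the original essay, of the packet-filtering category above: a small stateful packet filter with a default-deny rule set for a constructed bank topology (a web server at 10.0.1.10 in a DMZ and a database at 10.0.2.20 on an internal network; all addresses and ports are assumed for the example). It shows why the filter must track connections: the reply from the web server to the customer matches no explicit rule, yet belongs to an admitted conversation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed rule set for the example topology. Rules are evaluated top-down;
# a packet that matches nothing falls through to the default deny.
RULES: List[Rule] = [
    Rule("allow", "0.0.0.0/0",    "10.0.1.10/32", 443),   # Internet -> web server, HTTPS only
    Rule("allow", "10.0.1.10/32", "10.0.2.20/32", 3306),  # web server -> database
    Rule("deny",  "0.0.0.0/0",    "10.0.2.0/24",  None),  # nothing else reaches the DB network
]


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # 5-tuples of the conversations the firewall has already admitted
        self.connections: Set[Tuple[str, str, int, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        # Stateful check first: packets of an admitted conversation, in either
        # direction, pass without needing a rule of their own.
        if key in self.connections or reverse in self.connections:
            return "established"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.connections.add(key)
                return rule.action
        return "default-deny"


if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    for p in [Packet("203.0.113.5", "10.0.1.10", 51000, 443),    # customer -> bank HTTPS
              Packet("10.0.1.10", "203.0.113.5", 443, 51000),    # bank's reply
              Packet("203.0.113.5", "10.0.2.20", 51001, 3306),   # customer -> database: denied
              Packet("198.51.100.9", "10.0.1.10", 3306, 40000)]: # spoofed "reply", no flow
        print(fw.filter(p), p)
```

A real filter would also expire idle entries and check TCP flags, but the shape is the same: explicit allows for the few services the bank exposes, a tracked state table for their replies, and deny for everything else.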
Server Authentication :
Trust is an important issue in Internet banking. Customers must be able to identify the bank's website, to be sure they are providing their financial details to the bank's authentic website and not to a fraudulent one. Digital certificates provide a means of establishing identity on the Internet.
Digital certificates: A digital certificate establishes the credentials of an entity doing business or financial transactions on the Web. It provides a defence against phishing only when the customer's browser checks that the certificate matches the host name being visited and was issued by a trusted authority. Its common use is to verify the identity of a server and to give the client the means to encrypt data for it. Digital certificates are verified, issued and managed by a trusted third party called a Certification Authority (CA), which verifies identities in cyberspace much as an online notary would: the CA uses its good name to vouch for the parties in a transaction. DigiCert, VeriSign, the National Informatics Centre and TCS are examples of certifying authorities. Digital certificates are used by the SSL protocol to set up encryption.
A digital certificate contains
1. The owner's public key (used to encrypt data for the owner or to verify the owner's signatures)
2. The owner's name (for a web server, the host name of the site)
3. The expiration date of the certificate
4. The name of the issuer (the CA that issued the digital certificate)
5. The serial number of the digital certificate
6. The CA's digital signature over all of the above, which is what the browser actually verifies
The following figure shows a digital certificate:
Secure Socket Layer (SSL)
SSL is an encryption protocol developed by Netscape that became a standard in all common browsers; its successor, TLS, works in the same way. It creates an encrypted link between a web server and a web browser. The exchange of digital certificates between client and server is performed by SSL. When a customer connects to the bank's secured server, the customer's browser receives the bank's certificate, which contains the bank's public key. The browser checks that the certificate is signed by a CA it trusts, has not expired, and names the host the customer is connecting to; only then does it continue. The browser then generates a session key for symmetric encryption, encrypts it with the bank's public key from the certificate, and sends it to the bank, which alone can decrypt it with its private key.
From this point on, all communication between the customer and the server is encrypted and decrypted with the session key known to both parties. Banks typically use 128-bit session keys between the server and the user's browser, and the browser shows a padlock while the session is secure. SSL can be thought of as preventing eavesdropping: an attacker who captured the data transmission would have to guess the session key, and with 2^128 (about 3.4 x 10^38) possibilities that is computationally infeasible. From a purely cryptographic point of view, then, the channel is secure; the remaining risks lie at the endpoints, as the following sections show.
Thus SSL assures that the website really is what it claims to be, that user information such as user IDs, passwords and credit card numbers is encrypted and cannot be read if intercepted, and that the data sent and received cannot be tampered with or forged without detection.
A secured website can be identified by the following two indicators:
i. The URL of a secured website begins with https rather than http.
ii. The browser displays a padlock symbol.
Both indicators show only that the connection to the site named in the address bar is encrypted; a phishing site can obtain its own certificate, so the customer must also check that the host name in the address bar is the bank's own.
Client Side Security :
Client-side security involves client authentication as well as protecting the client's computer from viruses and spyware such as keyloggers.
To protect against keyloggers, many banks now provide a virtual keyboard on their website.
Virtual keyboard: A virtual keyboard is "a secure pop-up that enables logins, passwords, bank card details and other important personal information to be entered safely to prevent the theft of confidential information". It aims to protect users from keyloggers and consequently provide a safer e-banking experience. It defeats only keystroke capture; malware that records the screen or mouse clicks can still capture what is entered, so the virtual keyboard supplements, rather than replaces, an up-to-date system and antivirus.
Client Authentication
An effective authentication program should be implemented to ensure that the bank is dealing with valid clients. A variety of technologies and methodologies can be used to authenticate customers, including customer passwords, personal identification numbers (PINs), one-time passwords (OTPs), USB plug-ins and other types of "tokens".
1. Single-factor authentication:
Only one piece of information is required to authenticate the client.
e.g. a user ID and password.
2. Multifactor authentication
Single-factor authentication is inadequate: protection by a single password is not considered secure enough for personal online banking, since a password can be stolen by phishing or a key logger and then reused. Banks should therefore implement multifactor authentication, in which more than one factor, of different kinds (something the customer knows, has, or is), is required.
USB Token Device
The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) to gain access to the account. USB tokens are hard to duplicate and are tamper resistant; they are therefore a relatively secure place to store sensitive data and credentials, and they are easy to use.
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the customer’s computer. If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process. Smart cards are hard to duplicate and are tamper resistant. Smart cards are easy to carry and easy to use.
Password-Generating Token
A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used; the token ensures that the same OTP is not used consecutively. The OTP is displayed on a small screen on the token. The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (i) the regular password matches and (ii) the OTP matches the value the authentication server computes for the same counter or time step from its own copy of the token's secret. OTP tokens generally last 4 to 5 years before they need to be replaced.
Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability and uniqueness of the OTPs make it much harder for a thief to use an OTP captured by keyboard logging, because the code expires within seconds and the server must refuse a code once it has been used. An OTP does not, however, protect against a phishing site that relays the customer's code to the real bank in real time, within the code's validity window.
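As an added example that is not part of the original essay, the following Python program implements the password-generating token and the server side of the check described above, using the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that most such tokens follow; the standard library's hmac, hashlib and struct modules are enough. The token secret is the RFC test-vector secret, and the user record, password and time values are constructed for the example. The verifier goes slightly beyond the text: it tolerates one step of clock drift and refuses any step at or before the last one accepted, which is what prevents a captured OTP from being replayed.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (what the token computes)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current time step (Unix time // 30)."""
    return hotp(secret, at // step, digits)


class OtpVerifier:
    """Server side. Accepts the code for the current step or one step either way
    (clock drift) and never accepts a step at or before the last one used, so a
    code captured by a key logger cannot be replayed once the customer has used it."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_step_used = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step_used:
                continue                       # replay or stale step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step_used = candidate
                return True
        return False


PBKDF2_ROUNDS = 200_000


def make_user(password: str, otp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the token's secret."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "otp": OtpVerifier(otp_secret)}


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Two-factor login: the regular password (first factor) must match before the
    OTP (second factor) is even examined, so a wrong password cannot be used to
    probe or burn OTP steps."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    return user["otp"].verify(code, at)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 / RFC 6238 test-vector secret
    alice = make_user("correct horse battery", secret)
    print(totp(secret, 59))                   # what the token shows at Unix time 59
    print(login(alice, "correct horse battery", totp(secret, 59), 59))   # True
    print(login(alice, "correct horse battery", totp(secret, 59), 59))   # False: replayed
```

The only secret the server stores for the second factor is the token seed; it recomputes the code rather than storing any code, and the comparison is constant-time so that timing does not leak how many digits matched.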
Biometrics :
Biometric technologies identify or authenticate a living person on the basis of a physiological or behavioural characteristic (something a person is). Physiological characteristics include fingerprints, iris pattern and facial structure. Behavioural characteristics include, for example, the rate and rhythm of movements, such as the pattern of data entry on a computer keyboard. The process of storing a user's biometric information in a biometrics-based system is called "enrollment".
Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access.
Biometric identifiers are most commonly used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has).
Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition and face recognition.
Customer Awareness about security:
Banking institutions have made, and should continue to make, efforts to educate their customers. Customer awareness is a key defence against fraud, phishing and identity theft.
Customers should follow these points:
* Select a password that is easy for you to remember but difficult for others to guess.
* Do not write the password down or store it in a file on your computer.
* Never disclose the password in a voice mail or e-mail, or over the phone.
* Ensure that no one is watching while you type the password.
* Change the password regularly, every 90-120 days.
* Install and use a quality anti-virus program and a firewall for protection against keyloggers.
* Update software: the operating system, the browser and all other programs concerned should always be used in their latest versions (activate automatic update functions where possible).
* Before signing in
i. Open the browser in a new window: restart the browser for every e-banking session and close all other applications.
ii. Enter the address manually: never follow links found in e-mail messages or on third-party web pages when signing in to the e-banking homepage. Always enter the bank's address (URL) manually. This protects against phishing attacks.
* During the e-banking session
i. Verify the e-banking page and the encryption: with the aid of the digital certificate, verify the web page you have visited and check that the connection is encrypted.
ii. Use the built-in security features: request SMS notifications of sign-ins and transactions, set transfer limits, and so on.
* Closing the e-banking session
i. Sign out correctly: close the Internet banking session by clicking the "sign-out" button.
ii. Delete temporary Internet files: delete the browser's temporary Internet files after closing the Internet banking session.
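The "enter the address manually" and "https" advice above can be turned into a check. The following Python function is an added example (not from the original essay) that classifies a link the way a careful customer should before clicking it: it must use https, must not hide the real host behind a user@ prefix, must not rely on non-ASCII look-alike characters, and its host must be exactly one of the bank's own host names rather than merely contain one. The bank host names and the sample links are constructed for the example.

```python
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Constructed allow-list of the bank's own host names (assumed for the example).
BANK_HOSTS = frozenset({"onlinebanking.example-bank.com", "www.example-bank.com"})


def check_bank_link(url: str, trusted_hosts: Iterable[str] = BANK_HOSTS) -> Tuple[bool, str]:
    """Return (safe, reason). Only an https link whose host is exactly one of the
    bank's own host names is accepted; everything else is a phishing red flag."""
    trusted = set(trusted_hosts)
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() != "https":
        return False, "not-https"             # plain http: no certificate, no encryption
    if parts.username is not None or parts.password is not None:
        # "https://bank.example@evil.example/" shows the bank's name but connects to evil.example
        return False, "userinfo-in-url"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased, port removed
    if not host:
        return False, "no-host"
    if any(ord(ch) > 127 for ch in host) or "xn--" in host:
        return False, "lookalike-characters"  # IDN homoglyphs such as a Cyrillic letter
    if host in trusted:
        return True, "ok"
    # "onlinebanking.example-bank.com.secure-login.example" contains the bank's name
    # but is a different domain; only an exact match counts.
    if any(h in host for h in trusted):
        return False, "lookalike-domain"
    return False, "untrusted-host"


if __name__ == "__main__":
    for link in [
        "https://onlinebanking.example-bank.com/login",
        "http://onlinebanking.example-bank.com/login",
        "https://onlinebanking.example-bank.com@203.0.113.7/login",
        "https://onlinebanking.example-bank.com.secure-login.example/login",
        "https://onlinebanking.examp1e-bank.com/login",
    ]:
        print(check_bank_link(link), link)
```

The same exact-host comparison is what the browser performs against the certificate; the function only makes the reasoning explicit, which is why typing the address yourself remains the simplest defence.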
Advantages of Internet banking
* Availability of services 24 hours a day, 7 days a week, 365 days a year
* Banking can be done from any location with Internet access
* Both traditional and new services are available
* No technical knowledge is required to use the services
* No specific software is required
* It relieves customers of carrying large amounts of cash
* It provides prompt and speedy operations to clients
* It saves customers a great deal of time and is convenient to access
* Payments for merchandise can be made with debit and credit cards
* It is cost effective
Limitations :
* The Internet connection must be working for you to access the bank's website.
* Some learning is required to use Internet banking services.
* Since it is a new technology, there is some resistance from users.
Suggestions & Recommendations
* Banks should provide demos of their Internet banking services.
* Banks have to use the available security features to enhance users' trust.
* Users have to learn the threats and take precautions with the new technology in order to take advantage of Internet banking facilities.
Conclusion
Internet banking is cost effective and time saving. Advances in technology have made Internet banking as safe as old-style payment methods. Banks have to use the available security features to enhance users' trust, and users have to learn the threats and take precautions, in order to take advantage of Internet banking facilities. When both the bank and its customers use the proper available security techniques, Internet banking can be done securely.