saush

[Securing Internet Banking] Part 2 – Internet banking

Posted in payment & banking by sausheong on March 11, 2006

This paper defines Internet banking as systems that enable bank customers to access banking products and services over an Internet-enabled terminal[1]. Internet banking is also known as online banking, e-banking, web-based banking and electronic banking. While some literature has differentiated banks that operate primarily or wholly over the Internet (Internet banks) from traditional banks that offer Internet banking as one part of their overall set of services, Internet banking services in this paper refers to the services themselves and therefore covers both.

Internet banking is a relatively recent phenomenon and has had uneven growth throughout the world. Different countries and regions reacted differently to the onset of Internet banking, according to their infrastructure capabilities and their existing banking environment. Before Internet banking was prevalent, home banking using the PC was a service provided by some banks. In PC banking, the bank customer performs his banking transactions using proprietary software that dials into the bank’s private network via a modem. Data is exchanged between the client software on the PC and the server at the bank. In comparison, Internet banking services use web browsers to access the bank’s servers, which are on the Internet, a public network.

During the Internet boom years, Wells Fargo became the first bank to offer Internet-based banking services in 1995, and Security First Network Bank became the first Internet-only bank in October 1995. Today, most conventional banks of a reasonable size offer some form of Internet banking service.

Typical banking services provided by an Internet banking service provider are:

· Balance enquiry – information on the current account balances

· Funds transfer – transferring money from one account to another, which can possibly include accounts in another bank

· Bill presentment – viewing bank-related billing information (typically credit card)

· Bill payment – paying bills (typically recurrent bills e.g. utilities such as mobile phone or cable)

· Loans/accounts application – initiating the application process for banking products

· Investment activity – investment related banking services such as paying for shares




[1] See US Comptroller of Currency, Administrator of National Banks, Internet Banking – Comptroller’s Handbook (1999), Jaqueline Marcucci, “The Brave New World of Banking on the Internet: The Revolution of Our Banking Practices”, Nova Law Review, (1999), Monetary Authority of Singapore, Internet Banking Technology Risk Management Guidelines (2003) for alternate definitions.

Ruby on Rails developers in Singapore?

Posted in Ruby by sausheong on March 11, 2006

Been trying to google around to see if there are other Rails developers in Singapore, or some that would be interested in learning Rails. If that’s you then drop me a note. If you know of someone, then ask him if he’s interested in contacting me. I want to start a developer’s group on Rails here, kinda have someone to talk shop with.

I remember the days when we first started the Singapore Java Users Group; it was a fun time. Perhaps we can start something along those lines (but without the latter negativity) with Rails.

Jaccal reached 1000 downloads!

Posted in jaccal, smart cards by sausheong on March 7, 2006

Jaccal reached 1000 downloads earlier this month! Hurray!

[Securing Internet Banking] Part 1 – Introduction

Posted in payment & banking by sausheong on March 5, 2006

Not long ago, the commonplace banking experience for the man in the street consisted entirely of walking to the nearest bank branch, queuing up with other bank customers and, when it’s your turn, giving instructions to the clerk behind the counter. Your instructions are verbal and given directly to the clerk; any unclear instructions are clarified on the spot and performed immediately. The clerk knows who you are because you hold your bank account book, and your requests are confirmed by your signature, which is compared to one that is available to the bank. Bank branches were the one-stop shop for all banking services.

Although this has not changed, the development of technology has moved retail banking services beyond the physical branch into phone banking, 24-hour ATM banking, Internet banking and mobile banking through the mobile phone. The bank branch is no longer the only means of interacting with the bank, although for many banks it is still the primary means. In particular, Internet banking has extended the reach of bank users tremendously, pushing away the borders and limitations of location. For example, in 2001 only 4% of all banking transactions in Europe were conducted on the Internet, compared with 79% conducted by a visit to the bank branch[1]. By 2003, this had risen to 20% compared with 30%[2]. In another study by Ipsos-Reid[3], compiled from more than 6,600 interviews across 12 countries, usage of Internet banking nearly doubled from 20 percent in 2000 to 37 percent in 2002. In the same study it was observed that Internet banking is most prevalent in Canada, the U.K., Germany and the U.S., where more than 40% of Internet users had banked online.

As a result of these changes, banking services have been transformed, and the established procedures that banks used to manage services in the bank branch can no longer apply to these newly transformed services. One such process that has changed drastically is how the bank authenticates an account holder, that is, how a bank knows that the person requesting a banking service is who he says he is. Although the goal of authenticating the account holder is the same, the process by which a bank recognizes a valid account holder is completely different. For example, the account holder is no longer physically present at all, yet can be at any place around the world as long as he is connected. Also, as the Internet never closes, the service request can occur at any time of the day. At the same time, the regulatory and legal framework under which these new services are offered is relatively new and not well explored. The risks and liabilities faced by the banks and the account holders are still not fully established.

This paper examines the authentication process in Internet banking, focussing on retail Internet banking, that is, banking for mass consumers as opposed to banking for companies and corporations. The topics discussed and explored in this paper range from the possible security risks faced by the banks to current implementations of the authentication process and the various strategies that can be used, with their strengths and weaknesses. The regulatory and legal issues are also explored in brief to give a more complete picture of this aspect of Internet banking. The liabilities of the bank and the account holder are discussed and analysed.




[1] Datamonitor, eBanking Strategies in Europe 2002 (2001)

[2] Forrester 2003, also see Deutsche Bank Research, E-Banking Snapshot (2003) at http://www.dbresearch.com/PROD/DBR_INTERNET_DE-PROD/PROD0000000000071844.PDF

[3] See Ipso-Reid, Beyond Surfing: E-commerce and Banking Surge (2003) at http://www.ipsos-reid.com/pdf/media/mr030213-1.pdf

Securing Internet Banking

Posted in payment & banking by sausheong on March 5, 2006

This is tentatively the title of my latest article. I’m doing a lot of research on Internet banking nowadays, it’s a pretty fascinating topic. This is roughly the table of contents for the article:

  • Introduction
  • Internet banking
  • Rationale and risks
  • Internet banking security threats
    • Phishing
    • Man-in-the-middle attacks
    • Trojan attacks
    • Insider attacks
    • Programming faults
  • Counter threat measures
    • Technical methods
      • Channel encryption
      • Single factor authentication
      • Multi-factor authentication
      • Securing transactions
      • Validating transactions
      • Securing clients
    • Non-technical methods
      • User education
      • Liability shifting
      • Loss shifting
  • Liability and legal issues
    • Liability and regulatory issues in US
    • Liability and regulatory issues in UK/Europe
    • Liability and regulatory issues in other countries
  • Internet banking surveys
  • Conclusion

If there is anyone out there who is interested in this topic, please drop me some comments on this!