[Securing Internet Banking] Part 1 – Introduction

Not long ago, the commonplace banking experience for the man in the street consisted entirely of walking to the nearest bank branch, queuing up with other customers and, when it was your turn, giving instructions to the clerk behind the counter. Your instructions were verbal and given directly to the clerk; any unclear instructions were clarified on the spot and performed immediately. The clerk knew who you were because you held your bank account book, and your requests were confirmed by your signature, which was compared against the one held on file by the bank. Bank branches were the one-stop shop for all banking services.

Although this has not changed, the development of technology has moved retail banking services beyond the physical branch into phone banking, 24-hour ATM banking, Internet banking and mobile banking through the mobile phone. The bank branch is no longer the only means of interacting with the bank, although for many banks it is still the primary one. In particular, Internet banking has extended the reach of bank users tremendously, pushing away the borders and limitations of location. For example, in 2001 only 4% of all banking transactions in Europe were conducted on the Internet, compared with 79% through a visit to the bank branch[1]. By 2003, this had risen to 20% compared with 30%[2]. In another study by Ipsos-Reid[3] — compiled from more than 6,600 interviews across 12 countries — usage of Internet banking nearly doubled from 20 percent in 2000 to 37 percent in 2002. The same study observed that Internet banking is most prevalent in Canada, the U.K., Germany and the U.S., where more than 40% of Internet users had banked online.

As a result of these changes, banking services have been transformed, and the established procedures that banks used to manage services in the branch can no longer apply to these newly transformed services. One process that has changed drastically is how the bank authenticates an account holder, that is, how a bank knows whether the person requesting a banking service is who he says he is. Although the goal of authenticating the account holder is the same, the process by which a bank recognizes a valid account holder is completely different. For example, the account holder is no longer physically present at all, yet can be anywhere in the world as long as he is connected. Also, as the Internet never closes, a service request can occur at any time of the day. At the same time, the regulatory and legal framework under which these new services are offered is relatively new and not well explored. The risks and liabilities faced by the banks and the account holders are still not fully established.

This paper examines the authentication process in Internet banking, focusing on retail Internet banking, that is, banking for mass consumers as opposed to banking for companies and corporations. The topics discussed and explored in this paper range from the security risks faced by banks to current implementations of the authentication process and the various strategies that can be used, together with their strengths and weaknesses. The regulatory and legal issues are also explored briefly to give a more complete picture of this aspect of Internet banking. The liabilities of the bank and the account holder are discussed and analysed.

[1] Datamonitor, eBanking Strategies in Europe 2002 (2001)

[2] Forrester 2003, also see Deutsche Bank Research, E-Banking Snapshot (2003) at http://www.dbresearch.com/PROD/DBR_INTERNET_DE-PROD/PROD0000000000071844.PDF

[3] See Ipsos-Reid, Beyond Surfing: E-commerce and Banking Surge (2003) at http://www.ipsos-reid.com/pdf/media/mr030213-1.pdf
