Jaccal reached 1000 downloads!

Jaccal reached 1000 downloads earlier this month! Hurray!


[Securing Internet Banking] Part 1 – Introduction

Not long ago, the everyday banking experience for the man in the street consisted entirely of walking to the nearest bank branch, queuing up with the other customers and, when it was your turn, giving instructions to the clerk behind the counter. Your instructions were verbal and given directly to the clerk; anything unclear was clarified on the spot, and the request was carried out immediately. The clerk knew who you were because you held your bank account book, and your requests were confirmed by your signature, which was compared with the specimen held by the bank. Bank branches were the one-stop shop for all banking services.

Although branch banking has not gone away, advances in technology have moved retail banking services beyond the physical branch into phone banking, 24-hour ATM banking, Internet banking and mobile banking through the mobile phone. The branch is no longer the only means of interacting with the bank, although for many banks it is still the primary one. Internet banking in particular has extended the reach of the bank to its users tremendously, removing the limitations of location. For example, in 2001 only 4% of all banking transactions in Europe were conducted over the Internet, compared with 79% conducted by a visit to the branch[1]. By 2003 the Internet share had risen to 20%, against 30% for the branch[2]. In another study by Ipsos-Reid[3], compiled from more than 6,600 interviews across 12 countries, usage of Internet banking nearly doubled from 20 percent in 2000 to 37 percent in 2002. The same study observed that Internet banking was most prevalent in Canada, the U.K., Germany and the U.S., where more than 40% of Internet users had banked online.

As a result of these changes, banking services have been transformed, and the established procedures that banks used to manage services in the branch no longer apply to the transformed services. One process that has changed drastically is how the bank authenticates an account holder, that is, how a bank knows that the person requesting a banking service is who he says he is. Although the goal of authenticating the account holder is the same, the process by which a bank recognizes a valid account holder is completely different. The account holder is no longer physically present at all, yet can be anywhere in the world as long as he is connected. Also, as the Internet never closes, a service request can occur at any time of day. At the same time, the regulatory and legal framework under which these new services are offered is relatively new and not well explored; the risks and liabilities faced by banks and account holders are still not fully established.

This paper examines the authentication process in Internet banking, focusing on retail Internet banking, that is, banking for mass consumers as opposed to banking for companies and corporations. The topics discussed range from the security risks faced by banks, through current implementations of the authentication process, to the various strategies that can be used and their strengths and weaknesses. The regulatory and legal issues are also explored briefly to give a more complete picture of this aspect of Internet banking, and the liabilities of the bank and the account holder are discussed and analysed.

[1] Datamonitor, eBanking Strategies in Europe 2002 (2001).

[2] Forrester (2003); see also Deutsche Bank Research, E-Banking Snapshot (2003), http://www.dbresearch.com/PROD/DBR_INTERNET_DE-PROD/PROD0000000000071844.PDF

[3] Ipsos-Reid, Beyond Surfing: E-commerce and Banking Surge (2003), http://www.ipsos-reid.com/pdf/media/mr030213-1.pdf

Securing Internet Banking

This is tentatively the title of my latest article. I’m doing a lot of research on Internet banking nowadays, it’s a pretty fascinating topic. This is roughly the table of contents for the article:

  • Introduction
  • Internet banking
  • Rationale and risks
  • Internet banking security threats
    • Phishing
    • Man-in-the-middle attacks
    • Trojan attacks
    • Insider attacks
    • Programming faults
  • Counter threat measures
    • Technical methods
      • Channel encryption
      • Single factor authentication
      • Multi-factor authentication
      • Securing transactions
      • Validating transactions
      • Securing clients
    • Non-technical methods
      • User education
      • Liability shifting
      • Loss shifting
  • Liability and legal issues
    • Liability and regulatory issues in US
    • Liability and regulatory issues in UK/Europe
    • Liability and regulatory issues in other countries
  • Internet banking surveys
  • Conclusion

If there is anyone out there who is interested in this topic, please drop me some comments on this!

Upgraded to WordPress 2.0.1 and bugs!

I upgraded to WordPress 2.0.1 today and was plagued with erratic bugs all the way. I was almost tempted to throw in the towel and migrate to other software, or just give up managing my own blogging site, when I found the solution.

Anyway here’s the problem:

1. When I upgraded from 1.5 to 2.0.1 I was faced with this mind-blowing error:

Warning: Invalid argument supplied for foreach() in …/public_html/wp-includes/capabilities.php on line 19

After some googling and desk-banging and trying various things, I managed to change line 19 to:

foreach ((array)$this->roles as $role => $data) {

and this apparently worked. The only thing was, I was now faced with another bug:

"You do not have sufficient permissions to access this page."

After more desk-banging and more cussing, I changed the .htaccess file and added these in:

php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off

Now it apparently works, but the solution was totally unintuitive. Food for thought. Maybe I really should have gone and used blogger.com instead.
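As an added example (my own code, not from the post above and not WordPress code), the two fixes in the post correspond to two defensive patterns worth applying in your own PHP instead of patching core files: tolerate a missing or null value before iterating over it, and normalize request data once at the entry point rather than depending on the server's magic_quotes_gpc setting. That setting was never a reliable substitute for escaping at the sink (it only touched GET/POST/COOKIE data and broke code that escaped properly), was deprecated in PHP 5.3 and removed in 5.4. The function and variable names, the sample input and the SQLite table are assumptions; the script needs the pdo_sqlite extension. One caveat on the .htaccess change itself: php_flag is only understood when PHP runs as an Apache module (mod_php); under CGI or FastCGI, Apache rejects the directive and the site returns a 500 error, so the flag has to be set in php.ini or a .user.ini instead.

```php
<?php
// Added example, not code from the post or from WordPress. Names are my own.

// Pattern 1 (the capabilities.php fix): a role table that may be missing
// or null must not reach foreach() unguarded, or PHP emits
// "Invalid argument supplied for foreach()". Casting to array turns null
// into an empty array and a scalar into a one-element array.
function role_names($roles)
{
    $names = array();
    foreach ((array) $roles as $role => $data) {
        $names[] = $role;
    }
    return $names;
}

// Pattern 2 (the magic_quotes_gpc fix): with the flag on, PHP silently
// added backslashes to every GET/POST/COOKIE value. Code written for one
// convention breaks on a server using the other: raw input gets escaped
// twice, or escaped input is compared against an unescaped value. Strip
// the slashes once, at the entry point, so the rest of the application
// always sees raw data; then escape for the specific sink (SQL, HTML).
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() was removed in PHP 8, so guard the call; on
// PHP 5.4 to 7.x it always returns false.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// Constructed sample input: a name containing a quote, as a browser would send it.
$name = "O'Reilly";

// SQL sink: a prepared statement handles the quote correctly whether or
// not magic quotes ever touched the input.
$pdo  = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE users (name TEXT)");
$stmt = $pdo->prepare("INSERT INTO users (name) VALUES (?)");
$stmt->execute(array($name));

// HTML sink: escape at output time, for this sink only.
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";

// The guarded iteration accepts the shapes that tripped the upgrade.
print_r(role_names(null));
print_r(role_names(array('administrator' => array(), 'editor' => array())));
```

The point of the second pattern is that the application, not the server configuration, decides what form request data takes; once that is true, flipping magic_quotes_gpc on a host no longer changes behaviour, and escaping happens exactly once, at the sink that needs it.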