SECURITY STANDARDS
FOR E-BANKING
Submitted to:
Resp Mr. V.S. Solanki
IPM, Faculty
Submitted by:
Group# 14
Chandan Pandey
Gita Rani
Govind Sharma
Nayya jain
Ravindra Rawani
• Debit Card
Banks are now providing Debit Cards to their customers having saving or current account in the
banks. The customers can use this card for purchasing goods and services at different places in
lieu of cash. The amount paid through debit card is automatically debited (deducted) from the
customers’ account.
• Credit Card
Credit cards are issued by the bank to persons who may or may not have an account in the bank.
Just like debit cards, credit cards are used to make payments for purchase, so that the individual
does not have to carry cash. Banks allow certain credit period to the credit cardholder to make
payment of the credit amount. Interest is charged if a cardholder is not able to pay back the credit
extended to him within a stipulated period. This interest rate is generally quite high.
• Net Banking
With the extensive use of computer and Internet, banks have now started transactions over
Internet. The customer having an account in the bank can log into the bank’s website and access
his bank account. He can make payments for bills, give instructions for money transfers, fixed
deposits and collection of bill, etc.
• Phone Banking
In the case of phone banking, a customer of the bank having an account can get information about his
account and make banking transactions such as fixed deposits, money transfers, demand drafts,
and collection and payment of bills by using the telephone.
As more and more people now use mobile phones, phone banking is also possible through
mobile phones. On a mobile phone a customer can receive and send messages (SMS) from and to
the bank in addition to all the functions possible through phone banking.
Common E-Banking Services
Retail Services:
• Account management
• Bill payment and presentment
• New account opening
• Consumer wire transfers
• Investment/Brokerage services
• Loan application and approval
• Account aggregation
Wholesale Services:
• Account management
• Cash management
• Small business loan applications, approvals, or advances
• Commercial wire transfers
• Business-to-business payments
• Employee benefits/pension administration
Fund transfer
You can transfer any amount from one account to another of the same or any other bank.
Customers can send money anywhere in India. Once you log in to your account, you need to
mention the payee's account number, his bank and the branch. The transfer will take place in a
day or so, whereas in a traditional method, it takes about three working days. ICICI Bank says
that online bill payment service and fund transfer facility have been their most popular online
services.
Railway pass
This is something that would interest the general public. Indian Railways has tied up with ICICI
bank and you can now make your railway pass for local trains online. The pass will be delivered
to you at your doorstep. But the facility is limited to Mumbai, Thane, Nashik, Surat and Pune.
Shopping
With a range of all kinds of products, you can shop online and the payment is also
made conveniently through your account. You can also buy railway and air tickets through
Internet banking.
E-BANKING COMPONENTS
E-banking systems can vary significantly in their configuration depending on a number of
factors. Financial institutions should choose their e-banking system configuration, including
outsourcing relationships, based on four factors:
• Strategic objectives for e-banking;
• Scope, scale, and complexity of equipment, systems, and activities;
• Technology expertise; and
• Security and internal control requirements.
Financial institutions may choose to support their e-banking services internally. Alternatively,
financial institutions can outsource any aspect of their e-banking systems to third parties. The
following entities could provide or host (i.e., allow applications to reside on their servers) e-
banking-related services for financial institutions:
• Another financial institution,
• Internet service provider,
• Internet banking software vendor or processor,
• Core banking vendor or processor,
• Managed security service provider,
• Bill payment provider,
• Credit bureau, and
WIRELESS E-BANKING
Wireless banking is a delivery channel that can extend the reach and enhance the convenience of
Internet banking products and services. Wireless banking occurs when customers access a
financial institution's network(s) using cellular phones, pagers, and personal digital assistants (or
similar devices) through telecommunication companies’ wireless networks. Wireless banking
services in the United States typically supplement a financial institution's e-banking products and
services.
Wireless devices have limitations that increase the security risks of wireless-based transactions
and that may adversely affect customer acceptance rates. Device limitations include reduced
processing speeds, limited battery life, smaller screen sizes, different data entry formats, and
limited capabilities to transfer stored records. These limitations combine to make the most
recognized Internet language, Hypertext Markup Language (HTML), ineffective for delivering
content to wireless devices. Wireless Markup Language (WML) has emerged as one of a few
common language standards for developing wireless device content. Wireless Application
Protocol (WAP) has emerged as a data transmission standard to deliver WML content.
Manufacturers of wireless devices are working to improve device usability and to take advantage
of enhanced “third-generation” (3G) services. Device improvements are anticipated to include
bigger screens, color displays, voice recognition applications, location identification technology
(e.g., Federal Communications Commission (FCC) Enhanced 911), and increased battery
capacity. These improvements are geared towards increasing customer acceptance and usage.
Increased communication speeds and improvements in devices during the next few years should
lead to continued increases in wireless subscriptions.
As institutions begin to offer wireless banking services to customers, they should consider the
risks and necessary risk management controls to address security, authentication, and compliance
issues. Some of the unique risk factors associated with wireless banking that may increase a
financial institution's strategic.
Security and privacy issues of e-banking
Security
Security of transactions is the primary concern of Internet-based industries. A lack of
security may result in serious damage, as the Citibank example shows. Examples of the
private information relating to the banking industry are: the amount of the transaction, the
date and time of the transaction, and the name of the merchant where the transaction is taking
place.
While the complexity of E-Banking has grown tremendously, one should ask: how secure is E-
Banking anyway?
ELECTRONIC AUTHENTICATION
Verifying the identities of customers and authorizing e-banking activities are integral parts of e-
banking financial services. Since traditional paper-based and in-person identity authentication
methods reduce the speed and efficiency of electronic transactions, financial institutions have
adopted alternative authentication methods, including:
• Passwords and personal identification numbers (PINs),
• Digital certificates using a public key infrastructure (PKI),
• Microchip-based devices such as smart cards or other types of tokens,
• Database comparisons (e.g., fraud-screening applications), and
• Biometric identifiers.
The authentication methods listed above vary in the level of security and reliability they provide
and in the cost and complexity of their underlying infrastructures. As such, the choice of which
technique(s) to use should be commensurate with the risks in the products and services for which
they control access. Additional information on customer authentication techniques can be found
in this booklet under the heading “Authenticating E-Banking Customers.”
The Electronic Signatures in Global and National Commerce (E-Sign) Act establishes some
uniform federal rules concerning the legal status of electronic signatures and records in
commercial and consumer transactions so as to provide more legal certainty and promote the
growth of electronic commerce. The development of secure digital signatures continues to
evolve with some financial institutions either acting as the certification authority for digital
signatures or providing repository services for digital certificates
Security Precautions
Customers should never share personal information such as PINs and passwords with
anyone, including employees of the bank. It is important that documents that contain confidential
information are safeguarded. PIN or password mailers should not be stored; the PIN and/or
passwords should be changed immediately and memorized before the mailers are destroyed.
Customers are advised not to provide sensitive account-related information over unsecured e-
mails or over the phone. Take simple precautions like changing the ATM PIN and online login
and transaction passwords on a regular basis. Also ensure that the logged in session is properly
signed out.
A user name and a static password are no longer sufficient to protect an online banking session,
because criminals have acquired sophisticated and complex skills that enable them to find
various ways to infiltrate a system.
According to Loh, malicious programs such as Trojans, worms and backdoor programs
extract financial information.
He explains that such malware, Trojans for example, has the capacity to disguise itself as a security
update to a legitimate online payment service. When the user executes the deceptively named
file, the Trojan registers itself as a browser helper object (BHO) and monitors the web browser for
visits to pre-defined URLs. All the account information gathered by the Trojan is then
posted to a domain controlled by the attacker. The log file is easily accessible due to a
misconfigured web server, giving the attacker a list of account numbers with their corresponding
passwords. This provides the attackers with the information and opportunity to steal money
from the victims.
To prevent these attacks, a combination of an intrusion prevention system (IPS) and intrusion
detection systems (IDS) is required. Security network information reporting tools
should also be implemented so that the bank is alerted if the IPS layer has been bypassed and a
network anomaly has been detected.
The security of information may be one of the biggest concerns of Internet users.
Electronic banking users, who most likely connect to the Internet via a dial-up modem, face
a smaller risk of someone breaking into their computers. Only organizations such as banks
with dedicated Internet connections face the risk of someone on the Internet gaining
unauthorized access to their computers or networks. However, electronic banking users
still face the security risk of unauthorized access to their banking accounts. Moreover,
electronic banking users are also concerned about non-repudiation, which requires reliable
identification of both the sender and the receiver of on-line transactions. A non-secure electronic
transaction can be altered to change the apparent sender. Therefore, it is extremely important to
build in non-repudiation, which means that the identity of both the sender and the receiver can
be attested to by a trusted third party who holds the identity certificates.
The Citibank $10 million break-in is one example of how such systems are vulnerable to
hackers. Hackers have many different ways of trying to break into a system. The
problems of today's systems are inherent in the setup of the communications and also
in the computers themselves. The current focus of security is on session-layer protocols and the
flaws in end-to-end computing. A secure end-to-end transaction requires a secure protocol to
communicate over untrusted channels, and trusted code at both endpoints. A secure protocol
is essential because trusted channels do not exist in most environments.
For example, downloading a game off the Internet would be dangerous because Trojan
horses and viruses could patch the client software once it is on the local disk, especially on
systems like Windows 95 which do not provide access control for files. This leads to the use of
software-based protections and hardware-based protections.
Many systems today use some form of software-based protection. Software-based
protection is more easily obtained and at lower cost than hardware-based protection. Consequently,
software-based protection is more widely used. But software-based protection has many
potential hazards. For software-based systems, there are four ways to penetrate the system.
First, attacking the encryption algorithms is one possible approach. This form of attack
would require much time and effort to break in.
A more direct approach would be brute force: actually trying out all possible
combinations to find the password.
A third possible form of attack is on the bank's server, which is highly unlikely to succeed because
these systems are very sophisticated. This leaves the fourth possible method, which also happens
to be the most likely attack: attacking the client's personal computer. This can be done
in a number of ways, such as planting viruses (e.g. a Trojan horse) as mentioned above. But,
unlike traditional viruses, the new viruses aim to have no visible effect on the system,
making them more difficult to detect and easy to spread unintentionally.
Solutions
Software-Based Systems
In software-based security systems, the coding and decoding of information is done using
specialized security software. Because of their easy portability and ease of distribution over
networks, software-based systems are more abundant in the market. Encryption is the main
method used in these software-based security systems. Encryption is a process that modifies
information in a way that makes it unreadable until the exact same process is reversed.
In general, there are two types of encryption. The first is the conventional
encryption scheme, in which one key is used by both parties to encrypt and decrypt the information.
Once the secret key is applied, the information looks like a meaningless jumble of random
characters. The file can only be viewed once it has been decrypted using the exact same key.
The second type of encryption is known as public key encryption. In this method, the
user holds two different keys: a public key and a private key. These two keys are not
interchangeable but they are complementary to each other, meaning that they exist in pairs.
Therefore, the public key can be made public knowledge and posted in a database somewhere.
Anyone who wants to send a message to a person can encrypt the message with the recipient's
public key, and this message can only be decrypted with the complementary private key.
Digital Signature
The digital signature was first proposed in 1976 by Whitfield Diffie at Stanford University. A
digital signature transforms the message that is signed so that anyone who reads it can know who
sent it. Digital signatures employ a secret key (private key) to sign messages and
a public key to verify them. A message encrypted with the private key can only be verified with
the public key. It would be impossible for anyone but the sender to have created the signature,
since he or she is the only person with access to the private key necessary to create the
signature. In addition, it is possible to apply a digital signature to a message without encrypting
it. This is usually done when the information in the message is not critical.
The Secure Electronic Transaction (SET) software system is the global standard for secure card
payments on the Internet, defined by various international companies such as Visa,
MasterCard, IBM, Microsoft, Netscape Communications Corp., GTE, SAIL, Terisa Systems and
Verisign. SET promises to secure bank-card transactions online. Lockhart, CEO of MasterCard,
said: "We are glad to work with Visa and all of the technology partners to craft SET. This action
means that consumers will be able to use their bank cards to conduct transactions in cyberspace
as securely and easily as they use cards in retail stores today." [33] SET adopts RSA public key
encryption to ensure message confidentiality. Moreover, this system uses a unique public/private
key pair to create the digital signature. The main concerns for the transaction include not only
ensuring the privacy of data in transit, but also proving the authenticity of both the sender and the
receiver, i.e. that they are who they claim to be.
Kerberos
Kerberos is named after the three-headed watchdog of Greek mythology and is one of the
best known private-key encryption technologies. Kerberos creates an encrypted data packet,
called a ticket, which securely identifies the user. To make a transaction, one generates the
ticket during a series of coded messages exchanged with a Kerberos server, which
sits between the two computer systems. The two systems each share a private key with the Kerberos
server to protect information from hackers and to assure that the data has not been altered
during transmission. One example of this encryption is NetCheque, developed by
the Information Sciences Institute of the University of Southern California. NetCheque uses
Kerberos to authenticate signatures on electronic checks that Internet users have registered with
an accounting server.
Hardware-Based Systems
1. Smartcard
The Smartcard system is a mechanical device which has information encoded on a small chip on the
card, and identification is accomplished by algorithms based on asymmetric sequences.
2. McCHIP
McCHIP, developed by ESD, is connected directly to the PC's keyboard using a patented
connection. All information which needs to be secured is sent directly to the McCHIP,
circumventing the client's vulnerable PC microprocessor. Then the information is signed and
transmitted to the bank in.
PRIVACY TECHNOLOGY
Privacy technology can be used to assure that consumers, merchants, and the transactions
themselves remain confidential. For instance, a company sending important, secret information
about its marketing strategy to one of its partners would like to keep that information private
and out of the hands of its competitors. This technology keeps all information secure and can
be applied to electronic cash, also known as "e-cash". The privacy technology provides a fully
digital bearer instrument that assigns a special code to money, just like a bank note. The security
of e-cash is superior to paper cash because even if it is stolen, it cannot be used. However, e-
cash has its share of disadvantages because it lacks privacy of use. "This system is secure, but
it has no privacy. If the bank keeps track of note numbers, it can link each shop's deposit to the
corresponding withdrawal and so determine precisely where and when Alice spends her money."
This would make it possible to create spending profiles on consumers and threaten their
privacy. Furthermore, records based on digital signatures are more vulnerable to abuse than
conventional files. Not only are they self-authenticating, but they also permit a person who has a
particular kind of information to prove its existence without either giving the information away
or revealing its source. "For example, someone might be able to prove incontrovertibly that Bob
had telephoned Alice on 12 separate occasions without having to reveal the time and place of any
of the calls."
One solution to this lack of privacy is the implementation of "blind signatures". Before
sending the bank note number to the bank for signing, the user multiplies the
note number by a random factor. Consequently, the bank knows nothing about what it is signing,
except that the note carries a specific digital signature belonging to a person's account. After
receiving the blinded note signed by the bank, the user can divide out the random factor and use the note
by transferring it to a merchant's account as payment for merchandise. The blinded note
numbers are untraceable because the shop and the bank cannot determine who spent which notes.
This is because the bank has no way of linking the note numbers that the merchant deposited
with the purchaser's withdrawals. Whereas the security of digital signatures depends on the
difficulty of particular computations, the anonymity of blinded notes is limited only by the
unpredictability of the user's random numbers. Blinded electronic bank notes protect an
individual's privacy, but because each note is simply a number, it can be copied easily. To
prevent double spending, each note must be checked on-line against a central list when it is spent,
which makes this verification procedure unacceptable for many applications, especially for
minor purchases. Thus, this technology is currently only applicable for large sums of money.
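As an added illustration that is not part of the original document, the following Python models both the sign/verify flow described under "Digital Signature" and the blind-signature e-cash flow described above, using textbook RSA (Chaum's scheme, where the user's random factor is raised to the bank's public exponent before multiplying, so it divides out cleanly after signing). The key parameters, the note number and the Bank class are constructed for this example; the on-line check against a central spent-note list is the double-spending control the text describes.

```python
# Added example, not from the original document: textbook RSA (no padding,
# toy key) to show digital signatures, blind signatures and the on-line
# double-spending check. Illustration only, not a deployable scheme.
import secrets
from math import gcd

# Constructed toy RSA key built from two known Mersenne primes.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent


def sign(message, d=D, n=N):
    """Holder of the private key signs (the text's 'encrypt with private key')."""
    return pow(message, d, n)


def verify(message, signature, e=E, n=N):
    """Anyone with the public key checks that the signature matches the message."""
    return pow(signature, e, n) == message % n


def blind(note_number, e=E, n=N):
    """User multiplies the note number by a random factor (r^e) before signing."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:                  # r must be invertible mod n
            break
    return (note_number * pow(r, e, n)) % n, r


def unblind(blinded_signature, r, n=N):
    """User divides out the random factor, leaving a valid signature on the note."""
    return (blinded_signature * pow(r, -1, n)) % n


class Bank:
    """Constructed bank: signs blinded notes and keeps the central spent list."""

    def __init__(self):
        self.signed_log = []    # everything the bank actually saw at withdrawal
        self.spent = set()      # central list consulted on every deposit

    def withdraw(self, blinded_note):
        self.signed_log.append(blinded_note)
        return sign(blinded_note)

    def deposit(self, note_number, signature):
        if not verify(note_number, signature):
            return False        # forged or altered note
        if note_number in self.spent:
            return False        # double spending: the note was already deposited
        self.spent.add(note_number)
        return True


def spend_cycle(bank, note_number):
    """Withdraw a blinded note, unblind it, deposit it once, then try again."""
    blinded, r = blind(note_number)
    signature = unblind(bank.withdraw(blinded), r)
    return {
        "valid": verify(note_number, signature),
        "bank_saw_note": note_number in bank.signed_log,   # linkability check
        "first_deposit": bank.deposit(note_number, signature),
        "second_deposit": bank.deposit(note_number, signature),
    }


if __name__ == "__main__":
    print(spend_cycle(Bank(), 123456789012345))
```

The bank's log contains only the blinded value, so it cannot match the deposited note number to the withdrawal; the repeated deposit is rejected only because the central spent list was consulted on-line.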
INFORMATION SECURITY PROGRAM
Information security is essential to a financial institution’s ability to deliver e-banking services,
protect the confidentiality and integrity of customer information, and ensure that accountability
exists for changes to the information and the processing and communications systems.
Depending on the extent of in-house technology, a financial institution’s e-banking systems can
make information security complex with numerous networking and control issues. The IT
Handbook’s “Information Security Booklet” addresses security in much greater detail. Refer to
that booklet for additional information on security and to supplement the examination coverage
in this booklet.
SECURITY GUIDELINES
Financial institutions must comply with the “Guidelines Establishing Standards for Safeguarding
Customer Information” (guidelines) as issued pursuant to the Gramm–Leach–Bliley Act of
1999 (GLBA). When financial institutions introduce e-banking or related support services,
management must re-assess the impact to customer information under the GLBA. The guidelines
require financial institutions to:
• Ensure the security and confidentiality of customer information;
• Protect against any anticipated threats or hazards to the security or integrity of such
information; and
• Protect against unauthorized access to or use of such information that could result in
substantial harm or inconvenience to any customer.
The guidelines outline specific measures institutions should consider in implementing a security
program. These measures include:
• Identifying and assessing the risks that may threaten consumer information;
• Developing a written plan containing policies and procedures to manage and control these
risks;
• Implementing and testing the plan; and
• Adjusting the plan on a continuing basis to account for changes in technology, the sensitivity
of customer information, and internal or external threats to information security.
The guidelines also outline the responsibilities of management to oversee the protection of
customer information including the security of customer information maintained or processed by
service providers. Oversight of third-party service providers and vendors is discussed in this
booklet under the headings “Board and Management Oversight” and “Managing Outsourcing
Relationships.” Additional information on the guidelines can be found in the IT Handbook’s
“Management Booklet.” The IT Handbook’s “Information Security Booklet” presents additional
information on the risk assessment process and information processing controls.
The guidelines required by the GLBA apply to customer information stored in electronic form as
well as paper-based records. Examination procedures specifically addressing compliance with
the GLBA guidelines can be accessed through the agency websites listed in the reference section
of this booklet. Although the guidelines supporting GLBA define customer as “a consumer who
has a customer relationship with the institution,” management should consider expanding the
written information security program to cover the institution’s own confidential records as well
as confidential information about its commercial customers.
INFORMATION SECURITY CONTROLS
Security threats can affect a financial institution through numerous vulnerabilities. No single
control or security device can adequately protect a system connected to a public network.
Effective information security comes only from establishing layers of various control,
monitoring, and testing methods. While the details of any control and the effectiveness of risk
mitigation depend on many factors, in general, each financial institution with external
connectivity should ensure the following controls exist internally or at their TSP.
Ongoing knowledge of attack sources, scenarios, and techniques. Financial institutions
should maintain an ongoing awareness of attack threats through membership in information-
sharing entities such as the Financial Services - Information Sharing and Analysis Center
(FS-ISAC), Infragard, the CERT Coordination Center, private mailing lists, and other
security information sources. All defensive measures are based on knowledge of the
attacker’s capabilities and goals, as well as the probability of attack.
Up-to-date equipment inventories, and network maps. Financial institutions should have
inventories of machines and software sufficient to support timely security updating and
audits of authorized equipment and software. In addition, institutions should understand and
document the connectivity between various network components including remote users,
internal databases, and gateway servers to third parties. Inventories of hardware and the
software on each system can accelerate the institution’s response to newly discovered
vulnerabilities and support the proactive identification of unauthorized devices or software.
Rapid response capability to react to newly discovered vulnerabilities. Financial institutions
should have a reliable process to become aware of new vulnerabilities and to react as
necessary to mitigate the risks posed by newly discovered vulnerabilities. Software is seldom
flawless. Some of those flaws may represent security vulnerabilities, and the financial
institution may need to correct the software code using temporary fixes, sometimes called a
“patch.” In some cases, management may mitigate the risk by reconfiguring other computing
devices. Frequently, the financial institution must respond rapidly, because a widely known
vulnerability is subject to an increasing number of attacks.
Network access controls over external connections. Financial institutions should carefully
control external access through all channels including remote dial-up, virtual private network
connections, gateway servers, or wireless access points. Typically, firewalls are used to
enforce an institution’s policy over traffic entering the institution’s network. Firewalls are
also used to create a logical buffer, called a “demilitarized zone,” or DMZ, where servers are
placed that receive external traffic. The DMZ is situated between the outside and the internal
network and prevents direct access between the two. Financial institutions should use
firewalls to enforce policies regarding acceptable traffic and to screen the internal network
from directly receiving external traffic.
System hardening. Financial institutions should “harden” their systems prior to placing them
in a production environment. Computer equipment and software are frequently shipped from
the manufacturer with default configurations and passwords that are not sufficiently secure
for a financial institution environment. System “hardening” is the process of removing or
disabling unnecessary or insecure services and files. A number of organizations have current
efforts under way to develop security benchmarks for various vendor systems. Financial
institutions should assess their systems against these standards when available.
Controls to prevent malicious code. Financial institutions should reduce the risks posed by
malicious code by, among other things, educating employees in safe computing practices,
installing anti-virus software on servers and desktops, maintaining up-to-date virus definition
files, and configuring their systems to protect against the automatic execution of malicious
code. Malicious code can deny or degrade the availability of computing services; steal, alter,
or insert information; and destroy any potential evidence for criminal prosecution. Various
types of malicious code exist including viruses, worms, and scripts using active content.
Rapid intrusion detection and response procedures. Financial institutions should have
mechanisms in place to reduce the risk of undetected system intrusions. Computing systems
are never perfectly secure. When a security failure occurs and an attacker is “in” the
institution’s system, only rapid detection and reaction can minimize any damage that might
occur. Techniques used to identify intrusions include intrusion detection systems (IDS) for
the network and individual servers (i.e., host computer), automated log correlation and
analysis, and the identification and analysis of operational anomalies.
Physical security of computing devices. Financial institutions should mitigate the risk posed
by unauthorized physical access to computer equipment through such techniques as placing
servers and network devices in areas that are available only to specifically authorized
personnel and restricting administrative access to machines in those limited access areas. An
attacker’s physical access to computers and network devices can compromise all other
security controls. Computers used by vendors and employees for remote access to the
institution’s systems are also subject to compromise. Financial institutions should ensure
these computers meet security and configuration requirements regardless of the controls
governing remote access.
User enrollment, change, and termination procedures. Financial institutions should have a
strong policy and well-administered procedures to positively identify authorized users when
given initial system access (enrollment) and, thereafter, to limit the extent of their access to
that required for business purposes, to promptly increase or decrease the degree of access to
mirror changing job responsibilities, and to terminate access in a timely manner when access
is no longer needed.
Authorized use policy. Each financial institution should have a policy that addresses the
systems various users can access, the activities they are authorized to perform, prohibitions
against malicious activities and unsafe computing practices, and consequences for
noncompliance. All internal system users and contractors should be trained in, and
acknowledge that they will abide by, rules that govern their use of the institution’s system.
Training. Financial institutions should have processes to identify, monitor, and address
training needs. Each financial institution should train their personnel in the technologies they
use and the institution’s rules governing the use of that technology. Technical training is
particularly important for those who oversee the key technology controls such as firewalls,
intrusion detection, and device configuration. Security awareness training is important for all
users, including the institution’s e-banking customers.
Independent testing. Financial institutions should have a testing plan that identifies control
objectives; schedules tests of the controls used to meet those objectives; ensures prompt
corrective action where deficiencies are identified; and provides independent assurance for
compliance with security policies. Security tests are necessary to identify control
deficiencies. An effective testing plan identifies the key controls, then tests those controls at
a frequency based on the risk that the control is not functioning. Security testing should
include independent tests conducted by personnel without direct responsibility for security
administration. Adverse test results indicate a control is not functioning and cannot be relied
upon. Follow-up can include correction of the specific control, as well as a search for, and
correction of, a root cause. Types of tests include audits, security assessments, vulnerability
scans, and penetration tests.
Bibliography
3. Security Comes First With Online Banking at Security First Network Bank.
http://www.hp.com/ibpprogs/gsy/advantage/june96/custspot.html