
PREFACE

Modern banks are highly complex and dynamic systems. They operate in a very turbulent social, economic and political environment. They are required to reconcile several incompatible goals, conflicting roles and divergent interests. They are also fraught with risk and uncertainties, hence the need for tactful technological management of such organizations to plan, execute, guide, coordinate and control the performance of people to achieve predetermined goals. Management has to keep the organization vibrant, moving and in equilibrium. It has to achieve goals which themselves are changing; it is therefore a highly complex and ticklish problem. This information will be an asset to researchers in making effective decisions. Research is used to acquire and analyse information and to make suggestions to management as to how internet banking problems should be solved. Marketing research is the process which links consumers and individuals through information. An important part of the curriculum of the B.B.A. programme is a research project undertaken by the students in any business organization, after completion of the second semester of the programme. The objective of this research is to enable the students to understand the application of academics in real internet banking. I am fully confident that this research report will be extremely useful to the management.

Contents

Chapter 1. Research objective
Chapter 2. Introduction
Chapter 3. Types of internet banking
Chapter 4. Internet banking a new medium
Chapter 5. International experience
  - Indian internet Banking system
  - Technological experience & security
Chapter 6. Research Methodology
Chapter 7. Limitation
Chapter 8. Data Analysis
Chapter 9. Findings
Chapter 10. Suggestions
Chapter 11. Conclusion
Chapter 12. Questionnaire
Chapter 13. Bibliography

Research objectives

OBJECTIVE

1. To study about internet banking
2. To study about general perception regarding Internet Banking
3. To study about technologies used in internet banking
4. To study about safety and security in internet banking

INTRODUCTION

Banks have traditionally been in the forefront of harnessing technology to improve their products, services and efficiency. They have, over a long time, been using electronic and telecommunication networks for delivering a wide range of value added products and services. The delivery channels include direct dial-up connections, private networks, public networks etc. and the devices include telephone, Personal Computers including the Automated Teller Machines, etc. With the popularity of PCs, easy access to Internet and World Wide Web (WWW), Internet is increasingly used by banks as a channel for receiving instructions and delivering their products and services to their customers. This form of banking is generally referred to as Internet Banking, although the range of products and services offered by different banks vary widely both in their content and sophistication.

Broadly, the levels of banking services offered through INTERNET can be categorized in to three types:

(i) The Basic Level Service is the banks' websites which disseminate information on different products and services offered to customers and members of public in general. It may receive and reply to customers' queries through e-mail.
(ii) In the next level are Simple Transactional Websites which allow customers to submit their instructions, applications for different services, queries on their account balances, etc., but do not permit any fund-based transactions on their accounts.
(iii) The third level of Internet banking services are offered by Fully Transactional Websites which allow the customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank and to transact purchase and sale of securities, etc.

The above forms of Internet banking services are offered by traditional banks, as an additional method of serving the customer or by new banks, who deliver banking services primarily through Internet or other electronic delivery channels as the value added services. Some of these banks are known as 'virtual' banks or 'Internet-only' banks and may not have any physical presence in a country despite offering different banking services.

From the perspective of banking products and services being offered through Internet, Internet banking is nothing more than traditional banking services delivered through an electronic communication backbone, viz., Internet. But, in the process it has thrown open issues which have ramifications beyond what a new delivery channel would normally envisage and, hence, has compelled regulators world over to take note of this emerging channel. Some of the distinctive features of i-banking are:

1. It removes the traditional geographical barriers as it could reach out to customers of different countries / legal jurisdiction. This has raised the question of jurisdiction of law / supervisory system to which such transactions should be subjected.
2. It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges.
3. Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users.
4. It poses a strategic risk of loss of business to those banks who do not respond in time, to this new technology, being the efficient and cost effective delivery mechanism of banking services.
5. A new form of competition has emerged both from the existing players and new players of the market who are not strictly banks.

The Regulatory and Supervisory concerns in i-banking arise mainly out of the distinctive features outlined above. These concerns can be broadly addressed under three broad categories, viz., (i) Legal and regulatory issues, (ii) Security and technology issues and (iii) Supervisory and operational issues. Legal issues cover those relating to the jurisdiction of law, validity of electronic contract including the question of repudiation, gaps in the legal /

regulatory environment for electronic commerce. On the question of jurisdiction the issue is whether to apply the law of the area where access to Internet has been made or where the transaction has finally taken place. Allied to this is the question where the income has been generated and who should tax such income. There are still no definite answers to these issues.

Security of i-banking transactions is one of the most important areas of concerns to the regulators. Security issues include questions of adopting internationally accepted state-of-the art minimum technology standards for access control, encryption / decryption (minimum key length etc.), firewalls, verification of digital signature, Public Key Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for the banking industry, security awareness and education.

The supervisory and operational issues include risk control measures, advance warning system, Information technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations.

The Central Bank may have its concern about the impact of Internet banking on its monetary and credit policies. As long as Internet is used only as a medium for delivery of banking services and facilitator of normal payment transactions, perhaps, it may not impact monetary policy. However, when it assumes a stage where private sector initiative produces electronic substitution of money like e-cheque, account based cards and digital coins, its likely impact on monetary system cannot be overlooked. Even countries where i-banking has been quite developed, its impact on monetary policy has not been significant. In India, such concern, for the present is not addressed as the Internet banking is still in its formative stage.

The world over, central bankers and regulators have been addressing themselves to meet the new challenges thrown open by this form of banking. Several studies have pointed to the fact that the cost of delivery of banking service through Internet is several times less than the traditional delivery methods. This alone is enough reason for banks to flock to Internet and to deliver more and more of their services through Internet and as soon as possible. Not adopting this new technology in time has the risk of banks getting edged out of competition. In such a scenario, the thrust of regulatory thinking has been to ensure that while the banks remain efficient and cost effective, they must be aware of the risks involved and have proper built-in safeguards, machinery and systems to manage the emerging risks. It is not enough for banks to have systems in place, but the systems must be constantly upgraded to changing and well-tested technologies, which is a much bigger challenge. The other aspect is to provide conducive regulatory environment for orderly growth of such form of banking. Central Banks of many countries have put in place broad regulatory framework for i-banking.

In India, too i-banking has taken roots. A number of banks have set up banking portals allowing their customers to access facilities like obtaining information, querying on their accounts, etc. Soon, still higher level of online services will be made available. Other banks will sooner than later, take to Internet banking. The Indian scenario is discussed in detail in Chapter 4 of this report.

Internet banking

Features

Online banking solutions have many features and capabilities in common, but traditionally also have some that are application specific. The common features fall broadly into several categories:

Transactional (e.g., performing a financial transaction such as an account to account transfer, paying a bill, wire transfer... and applications... apply for a loan, new account, etc.)
- Electronic bill presentment and payment - EBPP
- Funds transfer between a customer's own checking and savings accounts, or to another customer's account
- Investment purchase or sale
- Loan applications and transactions, such as repayments

Non-transactional (e.g., online statements, check links, cobrowsing, chat)
- Bank statements

Financial Institution Administration - features allowing the financial institution to manage the online experience of their end users

ASP/Hosting Administration - features allowing the hosting company to administer the solution across financial institutions

Features commonly unique to business banking include:
- Support of multiple users having varying levels of authority
- Transaction approval process
- Wire transfer

Features commonly unique to Internet banking include:
- Personal financial management support, such as importing data into a personal finance program such as Quicken, Microsoft Money or TurboTax. Some online banking platforms support account aggregation to allow the customers to monitor all of their accounts in one place whether they are with their main bank or with other institutions.

History

The precursor for the modern home online banking services were the distance banking services over electronic media from the early '80s (the term online became popular in the late '80s). These services used the videotex system. In the US the first bank to offer these services did so in 1981 and by 1985 at least 37 banks offered videotex banking services. Because of the

commercial failure of videotex these banking services never became popular except in France where the use of videotex (Minitel) was subsidised by the telecom provider.

Attacks

Most of the attacks on online banking used today are based on deceiving the user to steal login data and valid TANs. Two well known examples for those attacks are phishing and pharming. Cross-site scripting and keylogger/Trojan horses can also be used to steal login information. A method to attack signature based online banking methods is to manipulate the used software in a way that correct transactions are shown on the screen and faked transactions are signed in the background.

Countermeasures

There exist several countermeasures which try to avoid attacks. Digital certificates are used against phishing and pharming; the use of class-3 card readers is a measure to avoid manipulation of transactions by the software in signature based online banking variants. To protect their systems against Trojan horses, users should use virus scanners and be careful with downloaded software or e-mail attachments. In 2001 the FFIEC issued guidance for multifactor authentication (MFA) and then required to be in place by the end of 2006.

Mobile banking

Mobile banking (also known as M-Banking, mbanking, SMS Banking etc.) is a term used for performing balance checks, account transactions, payments etc. via a mobile device such as a mobile phone. Mobile banking today (2007) is most often performed via SMS or the Mobile Internet but can also use special programs downloaded to the mobile device.

A mobile banking conceptual model

In one academic model, mobile banking is defined as: "Mobile Banking refers to provision and availment of banking and financial services with the help of mobile telecommunication devices. The scope of offered services may include facilities to conduct bank and stock market transactions, to administer accounts and to access customised information."

According to this model Mobile Banking can be said to consist of three inter-related concepts:
- Mobile Accounting
- Mobile Brokerage
- Mobile Financial Information Services

Most services in the categories designated Accounting and Brokerage are transaction-based. The non-transaction-based services of an informational nature are however essential for conducting transactions; for instance, balance enquiries might be needed before committing a money remittance. The accounting and brokerage services are therefore offered invariably in combination with information services. Information services, on the other hand, may be offered as an independent module.

Trends in mobile banking

The advent of the Internet has revolutionized the way the financial services industry conducts business, empowering organizations with new business models and new ways to offer 24x7 accessibility to their customers. The ability to offer financial transactions online has also created new players in the financial services industry, such as online banks, online brokers and wealth managers who offer personalized services, although such players still account for a tiny percentage of the industry.

Over the last few years, the mobile and wireless market has been one of the fastest growing markets in the world and it is still growing at a rapid pace. According to the GSM Association and Ovum, the number of mobile subscribers exceeded 2 billion in September 2005, and now exceeds 2.5 billion (of which more than 2 billion are GSM).

According to a study by financial consultancy Celent, 35% of online banking households will be using mobile banking by 2010, up from less than 1% today. Upwards of 70% of bank center call volume is projected to come from mobile phones. Mobile banking will eventually allow users to make payments at the physical point of sale. "Mobile contactless payments" will make up 10% of the contactless market by 2010.

Many believe that mobile users have just started to fully utilize the data capabilities in their mobile phones. In Asian countries like India, China, Bangladesh, Indonesia and Philippines, where mobile infrastructure is comparatively better than the fixed-line infrastructure, and in European countries, where mobile phone penetration is very high (at least 80% of consumers use a mobile phone), mobile banking is likely to appeal even more.

This opens up huge markets for financial institutions interested in offering value added services. With mobile technology, banks can offer a wide range of services to their customers such as doing funds transfer while traveling, receiving online updates of stock price or even performing stock trading while being stuck in traffic. According to the German mobile operator Mobilcom, mobile banking will be the "killer application" for the next generation of mobile technology.

Mobile devices, especially smartphones, are the most promising way to reach the masses and to create "stickiness" among current customers, due to their ability to provide services anytime, anywhere, high rate of penetration and potential to grow. According to Gartner, shipment of smartphones is growing fast, and should top 20 million units (of over 800 million sold) in 2006 alone.

In the last 4 years, banks across the globe have invested billions of dollars to build sophisticated internet banking capabilities. As the trend is shifting to mobile banking, there is a challenge for CIOs and CTOs of these banks to decide on how to leverage their investment in internet banking and offer mobile banking, in the shortest possible time.

The proliferation of the 3G (third generation of wireless) and widespread implementation expected for 2003-2007 will generate the development of more sophisticated services such as multimedia and links to m-commerce services.

Mobile banking business models

A wide spectrum of Mobile/branchless banking models is evolving. These models differ primarily on the question that who will establish the relationship (account opening, deposit taking, lending etc.) to the end customer, the Bank or the Non-Bank/Telecommunication Company (Telco). Another difference lies in the nature of agency agreement between bank and the Non-Bank. Models of branchless banking can be classified into three broad categories: Bank Focused, Bank-Led and Nonbank-Led.

Bank-focused model

The bank-focused model emerges when a traditional bank uses non-traditional low-cost delivery channels to provide banking services to its existing customers. Examples range from use of automatic teller machines (ATMs) to internet banking or mobile phone banking to provide certain limited banking services to banks' customers. This model is additive in nature and may be seen as a modest extension of conventional branch-based banking.

Bank-led model

The bank-led model offers a distinct alternative to conventional branch-based banking in that customer conducts financial transactions at a whole range of retail agents (or through mobile phone) instead of at bank branches or through bank employees. This model promises the potential to substantially increase the financial services outreach by using a different delivery channel (retailers / mobile phones), a different trade partner (telco / chain store) having experience and target market distinct from traditional banks, and may be significantly cheaper than the bank-based alternatives. The bank-led model may be implemented by either using correspondent arrangements or by creating a JV between Bank and Telco/non-bank. In this model customer account relationship rests with the bank.

Non-bank-led model

The non-bank-led model is where a bank does not come into the picture (except possibly as a safe-keeper of surplus funds) and the non-bank (e.g. telco) performs all the functions.

Mobile Banking Services

Mobile banking can offer services such as the following:

Account Information
1. Mini-statements and checking of account history
2. Alerts on account activity or passing of set thresholds
3. Monitoring of term deposits
4. Access to loan statements
5. Access to card statements
6. Mutual funds / equity statements
7. Insurance policy management
8. Pension plan management
9. Status on cheque, stop payment on cheque

Payments & Transfers
1. Domestic and international fund transfers
2. Micro-payment handling
3. Mobile recharging
4. Commercial payment processing
5. Bill payment processing
6. Peer to Peer payments

Investments
1. Portfolio management services
2. Real-time stock quotes
3. Personalized alerts and notifications on security prices

Support
1. Status of requests for credit, including mortgage approval, and insurance coverage
2. Check (cheque) book and card requests
3. Exchange of data messages and email, including complaint submission and tracking
4. ATM Location

Content Services

1. General information such as weather updates, news
2. Loyalty-related offers
3. Location-based services

Based on a survey conducted by Forrester, mobile banking will be attractive mainly to the younger, more "tech-savvy" customer segment. A third of mobile phone users say that they may consider performing some kind of financial transaction through their mobile phone. But most of the users are interested in performing basic transactions such as querying for account balance and making bill payment.

Challenges for a Mobile Banking Solution

Key challenges in developing a sophisticated mobile banking application are:

Interoperability

There is a lack of common technology standards for mobile banking. Many protocols are being used for mobile banking: HTML, WAP, SOAP, XML to name a few. It would be a wise idea for the vendor to develop a mobile banking application that can connect multiple banks. It would require either the application to support multiple protocols or use of a common and widely acceptable set of protocols for data exchange.

There are a large number of different mobile phone devices and it is a big challenge for banks to offer mobile banking solution on any type of device. Some of these devices support J2ME and others support WAP browser or only SMS.

Overcoming interoperability issues however have been localized, with countries like India using portals like R-World to enable the limitations of low end java based phones, while focus on areas such as South Africa have defaulted to the USSD as a basis of communication achievable with any phone.

The desire for interoperability is largely dependent on the banks themselves, where java enabled applications are of better security, easier to use and offer development of more complex transactions similar to that of internet banking while SMS can provide the basics but becomes a hassle to operate with more difficult transactions.

... Encryption of the data that will be stored in device for later / off-line analysis by the customer.

Scalability & Reliability

Another challenge for the CIOs and CTOs of the banks is to scale-up the mobile banking infrastructure to handle exponential growth of the customer base. With mobile banking, the customer may be sitting in any part of the world (a true anytime, anywhere banking) and hence banks need to ensure that the systems are up and running in a true 24 x 7 fashion. As customers will find mobile banking more and more useful, their expectations from the solution will increase. Banks unable to meet the performance and reliability expectations may lose customer confidence.

Application distribution

Due to the nature of the connectivity between bank and its customers, it would be impractical to expect customers to regularly visit banks or connect to a web site for regular upgrade of their mobile banking application. It will be expected that the mobile application itself check the upgrades and updates and download necessary patches. However, there could be many issues to implement this approach such as upgrade / synchronization of other dependent components.

Personalization

It would be expected from the mobile application to support personalization such as:
1. Preferred Language
2. Date / Time format
3. Amount format
4. Default transactions
5. Standard Beneficiary list

SMS Banking

[Figure: Screenshot of a typical SMS Banking message on a mobile screen]

SMS Banking is a technology-enabled service offering from banks to its customers, permitting them to operate selected banking services over their mobile phones using SMS messaging.

Push and Pull messages

SMS Banking services are operated using both Push and Pull messages. Push messages are those that the bank chooses to send out to a customer's mobile phone, without the customer initiating a request for the information. Typically push messages could be either Mobile Marketing messages or messages alerting an event which happens in the customer's bank account, such as a large withdrawal of funds from the ATM or a large payment using the customer's credit card, etc. (see section below on Typical Push and Pull messages).

Another type of push message is One-time password (OTPs). OTPs are the latest tool used by financial and banking service providers in the fight against cyber fraud. Instead of relying on traditional memorized passwords, OTPs are requested by consumers each time they want to perform transactions using the online or mobile banking interface. When the request is received the password is sent to the consumer's phone via SMS. The password is expired once it has been used or once its scheduled life-cycle has expired.

Pull messages are those that are initiated by the customer, using a mobile phone, for obtaining information or performing a transaction in the bank account. Examples of pull messages for information include an account balance enquiry, or requests for current information like currency exchange rates and deposit interest rates, as published and updated by the bank.

The bank's customer is empowered with the capability to select the list of activities (or alerts) that he/she needs to be informed. This functionality to choose activities can be done either by integrating to the Internet Banking channel or through the bank's customer service call centre.

Typical Push and Pull Services offered under SMS Banking

Depending on the selected extent of SMS Banking transactions offered by the bank, a customer can be authorized to carry out either non-financial transactions, or both financial and non-financial transactions. SMS Banking solutions offer customers a range of functionality, classified by Push and Pull services as outlined below.

Typical Push Services would include:
- Periodic account balance reporting (say at the end of month).
- Reporting of salary and other credits to the bank account.
- Successful or un-successful execution of a standing order.
- Successful payment of a cheque issued on the account.
- Insufficient funds.
- Large value withdrawals on an account.
- Large value withdrawals on the ATM or EFTPOS on a debit card.
- Large value payment on a credit card or out of country activity on a credit card.
- One-time password and authentication.

Typical Pull Services would include:
- Account balance enquiry.
- Mini statement request.
- Electronic bill payment.
- Transfers between customer's own accounts, like moving money from a savings account to a current account to fund a cheque.

- Stop payment instruction on a cheque.
- Requesting for an ATM card or credit card to be suspended.
- De-activating a credit or debit card when it is lost or the PIN is known to be compromised.
- Foreign currency exchange rates enquiry.
- Fixed deposit interest rates enquiry.

Concerns and skepticism about SMS Banking

Many banks would have some concerns when the prospects of introducing SMS Banking are discussed. Most of these concerns could revolve around security and operational controls around SMS Banking. However supporters of SMS claim that while SMS Banking is not as secure as other conventional banking channels, like the ATM and Internet Banking, the SMS Banking channel is not intended to be used for very high-risk transactions.

The convenience factor

The convenience of executing simple transactions and sending out information or alerting a customer on the mobile phone is often the overriding factor that dominates over the skeptics who tend to be overly bitten by security concerns.

As a personalized end-user communication instrument, today mobile phones are perhaps the easiest channel on which customers can be reached on the spot, as they carry the mobile phone all the time no matter where they are. Besides, the operation of SMS Banking functionality over phone key instructions makes its use very simple. This is quite different from Internet Banking which can offer broader functionality, but has the limitation of use only when the customer has access to a computer and the Internet. Also, urgent warning messages, such as SMS alerts, are received by the customer instantaneously, unlike other channels such as the post, email, Internet, telephone banking, etc. on which a bank's notifications to the customer involves the risk of delayed delivery and response.

The SMS Banking channel also acts as the bank's means of alerting its customers, especially in an emergency situation; e.g. when there is an ATM fraud happening in the region, the bank can push a mass alert (although not subscribed by all customers) or automatically alert on an individual basis when a predefined 'abnormal' transaction happens on a customer's account using the ATM or credit card. This capability mitigates the risk of fraud going unnoticed for a long time and increases customer confidence in the bank's information systems.

Compensating controls for lack of encryption

The lack of encryption on SMS messages is an area of concern that is often discussed. This concern sometimes arises within the group of the bank's technology personnel, due to their familiarity and past experience with encryption on the ATM and other payment channels. The lack of encryption is inherent to the SMS Banking channel and several banks that use it have overcome their fears by introducing compensating controls and limiting the scope of the SMS Banking application to where it offers an advantage over other channels.

Suppliers of SMS Banking software solutions have found reliable means by which the security concerns can be addressed. Typically the methods employed are by pre-registration and using security tokens where the transaction risk is perceived to be high. Sometimes ATM type PINs are also employed, but the usage of PINs in SMS Banking makes the customer's task more cumbersome.

Technologies employed for SMS Banking

Most SMS Banking solutions are add-on products and work with the bank's existing host systems deployed in its computer and communications environment. As most banks have multiple backend hosts, the more advanced SMS Banking systems are built to be able to work in a multi-host banking environment, and to have open interfaces which allow for messaging between existing banking host systems using industry or de-facto standards.

Well developed and mature SMS Banking software solutions normally provide a robust control environment and a flexible and scalable operating environment. These solutions are able to connect seamlessly to multiple SMSC operators in the country of operation. Depending on the volume of messages that are required to be pushed, means to connect to the SMSC could be different, such as using simple modems or connecting over leased line using low level communication protocols (like SMPP, UCP etc.). Advanced SMS Banking solutions also cater to providing failover mechanisms and least-cost routing options.
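Added example (not part of the original report and not any vendor's code): a small Python gate that combines the one-time-password lifecycle described above for SMS Banking (a code that expires once used or once its scheduled life-cycle ends) with the compensating controls of pre-registration and a limited transaction scope. The keywords, the 180-second lifetime, the three-attempt limit and the phone number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 180   # assumed "scheduled life-cycle"; the report gives no figure
MAX_ATTEMPTS = 3        # assumed limit on guesses per issued OTP
LOW_RISK = {"BAL", "MINI", "FXRATE"}   # hypothetical pull keywords (enquiries only)
HIGH_RISK = {"XFER", "BILLPAY"}        # hypothetical keywords that move money


@dataclass
class PendingOtp:
    salt: bytes
    digest: bytes        # only a salted hash of the code is kept server-side
    transaction: str     # the exact request this OTP was issued for
    expires_at: float
    attempts_left: int


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class SmsBankingGate:
    def __init__(self, registered_numbers, clock=time.time):
        self.registered = set(registered_numbers)   # pre-registration control
        self.clock = clock                           # injectable for testing
        self.pending = {}                            # number -> PendingOtp

    def request_otp(self, msisdn, transaction):
        """Issue a 6-digit OTP bound to one transaction; the caller pushes it by SMS."""
        if msisdn not in self.registered:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        # A new request replaces any older outstanding OTP for this number.
        self.pending[msisdn] = PendingOtp(
            salt, _digest(salt, code), transaction,
            self.clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def authorize(self, msisdn, transaction, code=None):
        """Decide whether an incoming SMS request may be executed."""
        if msisdn not in self.registered:
            return "REJECT_UNREGISTERED"
        parts = transaction.split()
        keyword = parts[0].upper() if parts else ""
        if keyword in LOW_RISK:
            return "ALLOW"                    # enquiries need no second factor
        if keyword not in HIGH_RISK:
            return "REJECT_UNKNOWN_COMMAND"   # scope of the channel is limited
        entry = self.pending.get(msisdn)
        if entry is None or code is None:
            return "REJECT_OTP_REQUIRED"
        if self.clock() >= entry.expires_at:
            del self.pending[msisdn]          # life-cycle over: discard
            return "REJECT_OTP_EXPIRED"
        code_ok = hmac.compare_digest(entry.digest, _digest(entry.salt, code))
        same_txn = hmac.compare_digest(entry.transaction.encode(),
                                       transaction.encode())
        if not (code_ok and same_txn):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self.pending[msisdn]      # stop online guessing
            return "REJECT_OTP_INVALID"
        del self.pending[msisdn]              # expired once it has been used
        return "ALLOW"


if __name__ == "__main__":
    gate = SmsBankingGate({"+15550100"})      # constructed sample number
    otp = gate.request_otp("+15550100", "XFER 100 SAV CUR")
    print(gate.authorize("+15550100", "XFER 100 SAV CUR", otp))
    print(gate.authorize("+15550100", "XFER 100 SAV CUR", otp))
```

Binding the code to the request text means a code issued for one transfer cannot authorise a different amount, which matters on a channel whose messages are not encrypted.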

Internet Banking - a new medium

Internet – its basic structure and topology

Internet is a vast network of individual computers and computer networks connected to and communicate with each other using the same communication protocol – TCP/IP (Transmission Control Protocol / Internet Protocol). When two or more computers are connected a network is created; connecting two or more networks create 'inter-network' or Internet. The Internet, as commonly understood, is the largest example of such a system. Internet is often and aptly described as 'Information Superhighway', a means to reach innumerable potential destinations. The destination can be any one of the connected networks and host computers.

Internet has evolved to its present state out of a US Department of Defence project ARPANet (Advanced Research Project Administration Network), developed in the late 1960s and early 1970s as an experiment in wide area networking. A major perceived advantage of

Many websites offer e-mail as a free facility to individuals. set up by any one of the ISPs (Internet Service Providers). passwords and the like. The accounts can be SLIP (Serial Line Internet Protocol) or PPP (Point to Point Protocol) account. the client computer does not merely act as a remote terminal of the host. TCP/IP protocol uses a unique addressing scheme through which each computer on the network is identified. Thus. In 1986. Certain ftp sites are available to validated users with an account ID and password. NSFNet became the framework of today’s Internet. The NSFNet was accessible by a much larger scientific community. These accounts allow creating temporary TCP/IP sessions with the host. Though originally designed as a defence network.ARPANet was that the network would continue to operate even if a segment of it is lost or destroyed since its operation did not depend on operation of any single computer. viz. TCP / IP protocol is insecure because data packets flowing through TCP / IP networks are not normally encrypted. thereby allowing the computer to join the Internet and directly establish communication with any other computer in the Internet. is a set of rules which define how computers communicate with each other. World Wide Web (WWW) . video and voice mail. It has become possible for innumerable computers operating on different platforms to communicate with each other over Internet because they adopt the same communication protocol. It is an extremely powerful and revolutionary result of Internet. but can run whatever programs are available on the web. the US National Science Foundation (NSF) established a national network based on ARPA protocol using commercial telephone lines for connectivity. Through this type of connection. The latter. which has facilitated almost instantaneous communication with people in any part of the globe. FTP or File Transfer Protocol is a mechanism for transferring files between computers on the Internet. audio. 
e-mail: The most common and basic use of Internet is the exchange of e-mail (electronic mail). subject to limitations of speed and memory of the client computer and modem. It is possible to transfer a file to and from a computer (ftp site) without having an account in that machine. ARPANet was officially decommissioned in 1990. a Transport Layer Security (TLS) system which involves an encrypted session between the client browser and the web server. this segment of Internet is fast expanding as the most used communication medium for the whole world. Any organization intending to make available to public its documents would normally set up a ftp site from which any one can access the documents for download. This has been addressed through Secured Socket Layer(SSL). any one who interrupts communication between two machines will have a clear view of the data. over the years it was used predominantly in areas of scientific research and communication. It can also run several programs simultaneously. which stands for ‘Transmission Control Protocol / Internet Protocol’. TCP/IP. Eventually. Many corporates have interfaced their private networks with Internet in order to make their e-mail accessible from outside their corporate network. it moved out of Pentagon’s control and more independent networks from US and outside got connected to it. By the 1980s. In order to access Internet one must have an account in a host computer. commercial networks and general users and the number of host computers grew rapidly. With enhancements like attachment of documents.

Internet encompasses any electronic communication between computers using TCP/IP protocol, such as e-mail, file transfers etc. WWW is a segment of Internet, which uses Hyper Text Markup Language (HTML) to link together files containing text, rich text, sound, graphics, video etc. and offers a very convenient means of navigating through the net. It uses hypertext transfer protocol (HTTP) for communication between computers. Web documents, which are referred to as pages, can contain links to other related documents and so on, in a tree like structure. The person browsing one document can access any other linked page. The web documents and the web browsers which are the application programs to access them, are designed to be platform independent. Thus any web document can be accessed irrespective of the platform of the computer accessing the document and that of the host computer. The programming capabilities and platform independence of Java and Java applets have further enriched the web. The ‘point and click’ method of browsing is extremely simple for any lay user of the net. In fact, the introduction of web since early 1990 has made Internet an extremely popular medium and its use in business has been enhanced dramatically.

The next in the HTML genre is the Extensible Markup Language (XML), which allows automated two-way information flow between data stores and browser screens. XML documents provide both the raw content of data and the data structure and is projected by its proponents as taking the web technology beyond the limits of HTML.

Wireless Application Protocol (WAP): WAP is the latest industry standard which provides wireless access to Internet through handheld devices like a cellular telephone. This is an open standard promoted by WAP forum and has been adopted by world’s all major handset manufacturers. WAP is supplemented by Wireless Application Environment (WAE), which provides industry wise standard for developing applications and services for wireless communication networks. This is based on WWW technology and provides for application for small screens, with interactive capabilities and adequate security. Wireless Transaction Protocol (WTP), which is the equivalent of TCP, sets the communication rules and Wireless Transport Layer Security (WTLS) provides the required security by encrypting all the session data. WAP is set to revolutionize the commercial use of net.

Security: One of the biggest attractions of Internet as an electronic medium is its openness and freedom. It is a public domain and there is no restriction on who can use it as long as one adheres to its technical parameters. This has also given rise to concerns over the security of data and information transfer and privacy. These concerns are common to any network including closed user group networks. But over the Internet, the dimensions of risk are larger while the control measures are relatively fewer. These issues are discussed in detail in Chapter–5 and Chapter–6 of the report. It will be sufficient to say here that the key components of such concern are, (i) authentication, viz., assurance of identity of the person in a deal, (ii) authorization, viz., a party doing a transaction is authorized to do so, (iii) the privacy or confidentiality of data, viz., information relating to any deal, (iv) data integrity, viz., assurance that the data has not been altered and (v)

non repudiation, i.e., a party to the deal can not deny that it originated the communication or data.

E-Commerce: Even though started as network primarily for use by researchers in defence and scientific community, with the introduction of WWW in early 1990s, use of Internet for commerce has grown tremendously. E-commerce involves individuals and business organizations exchanging business information and instructions over electronic media using computers, telephones and other telecommunication equipments. Such form of doing business has been in existence ever since electronic mode of data / information exchange was developed, but its scope was limited only as a medium of exchange of information between entities with a pre-established contractual relationship. However, Internet has changed the approach to e-commerce; it is no longer the same business with an additional channel for information exchange, but one with new strategy and models.

A business model generally focuses on (i) where the business operates, that is, the market, the competitors and the customers, (ii) what it sells, that is, its products and services (iii) the channels of distribution, that is, the medium for sale and distribution of its products and (iv) the sources of revenue and expenditure and how these are affected. Internet has influenced all the four components of business model and thus has come to influence the business strategy in a profound way. The size of the market has grown enormously as technically, one can access the products and services from any part of the world. So does the potential competition. The methods of reaching out to customers, receiving the response and offering services have a new, simpler and efficient alternative, now, that is, Internet. The cost of advertisement, offer and delivery of services through Internet has reduced considerably, forcing most companies to rework their strategies to remain in competition.

A research note by Paul Timmers of European commission had identified eleven business models, which have been commercially implemented. These are e-shop, e-procurement, e-auction, e-mall, Third-party market place, Virtual communities, Value chain service providers, Value chain integrators, Collaboration platforms and Information brokers. He classified business models along two dimensions, viz., degree of innovation and extent of integration of functions. The innovation ranged from the electronic version of a traditional way of doing business (e-shop) to more innovative ways by offering functions that did not exist before. The second dimension, i.e., extent of integration ranges from a single function business model (like e-shop) to fully integrated functionality (value chain integrator). In the top end of the graph are models, which cannot be implemented in a traditional way and are critically dependent upon information technology and creating value from information flow. Business models, in between these two limits are a combination of both dimensions in different degrees and have some degree of analogy in traditional firms.

There are two types of e-commerce ventures in operation: the old brick and mortar companies, who have adopted electronic medium, particularly Internet, to enhance their existing products and services, and / or to offer new products and services and the pure e-ventures who have no visible physical presence. This difference has wider ramifications than mere visibility when it comes to issues like customer’s trust, brand equity, ability to service the

customers, adopting new business culture and cost. These aspects of e-commerce will be touched upon in the following discussions.

Another way of classifying the e-commerce is by the targeted counterpart of a business, viz., whether the counterpart is a final consumer or another business in the distribution chain. Accordingly, the two broad categories are: Business-to-Consumer (B2C) and Business-to-Business (B2B).

Business-to-Consumers (B2C): In the B2C category are included single e-shops, shopping malls, e-broking, e-auction, e-banking, service providers like travel related services, financial services etc., education, entertainment and any other form of business targeted at the final consumer. Some of the features, opportunities and concerns common to this category of business irrespective of the business segment, are the following.

Opportunities: Internet provides an ever-growing market both in terms of number of potential customers and geographical reach. Technological development has made access to Internet both cheaper and faster. More and more people across the globe are accessing the net either through PCs or other devices. The purchasing power and need for quality service of this segment of consumers are considerable. Anybody accessing Internet is a potential customer irrespective of his or her location. Thus, any business targeting final consumers cannot ignore the business potential of Internet.

Internet offers a unique opportunity to register business presence in a global market. Its effectiveness in disseminating information about one’s business at a relatively cost effective manner is tremendous. Time sensitive information can be updated faster than any other media. A properly designed website can convey a more accurate and focussed image of a product or service than any other media. Use of multimedia capabilities, i.e., sound, picture, movies etc., has made Internet as an ideal medium for information dissemination. However, help of other media is necessary to draw the potential customers to the web site.

The quality of service is a key feature of any e-commerce venture. The ability to sell one’s product at anytime and anywhere to the satisfaction of customers is essential for e-business to succeed. Internet offers such opportunity, since the business presence is not restricted by time zone and geographical limitations. Replying to customers’ queries through e-mail, setting up (Frequently Asked Questions) FAQ pages for anticipated queries, offering interactive help line, accepting customers’ complaints online 24 hours a day and attending to the same, etc. are some of the features of e-business which enhance the quality of service to the customers. It is of crucial importance for an e-venture to realize that just as it is easier to approach a customer through Internet, it is equally easy to lose him. The customer has the same facility to move over to another site.

Cost is an important issue in an e-venture. It is generally accepted that the cost of overhead, servicing and distribution, etc. through Internet is less compared to the traditional way of doing business. Although the magnitude of difference varies depending on the type of

business and the estimates made, but there is unanimity that Internet provides a substantial cost advantage and this, in fact, is one of the major driving forces for more number of traditional business adopting to e-commerce and pure e-commerce firms to sprout.

Cost of communication through WWW is the least compared to any other medium. Many a time one’s presence in the web may bring in international enquiries, which the business might not have targeted. The business should have proper plans to address such opportunities.

Concerns: There are a number of obstacles, which an e-commerce venture needs to overcome. Trust of customers in a web venture is an important concern. Many customers hesitate to deal with a web venture as they are not sure of the type of products and services they will receive. This is particularly true in a B2C venture like e-shop, e-mall or e-auction site. Traditional business with well established brands and goodwill and having a physical presence face less resistance from customers in this regard than a pure e-venture.

Many B2C ventures have ultimately to deliver a product or service in physical form to the customer for a deal contracted through Internet. This needs proper logistics, an efficient distribution network, and control over quality of product or service delivered. These issues are not technology related and any let off in this area can drive the customer away to the competitor or from e-commerce.

The privacy of information on the customer’s preferences, credit card and bank account details etc. and customers’ faith in a system where such privacy is stated to be ensured are important issues to be addressed. These are mainly technological issues, but human factor is important both at the business and at the customers’ end and also in building the trust in the system.

Security of a transaction, authenticity of a deal, identification of a customer etc. are important technological and systems issues, which are major sources of concern to e-commerce. Equally important are questions of repudiation of a deal, applicability of law, jurisdiction of tax laws etc. These are important to all forms of e-commerce, whether B2C or B2B and all segments of business, i.e., manufacturing, services and finance and are addressed in different chapters of this report.

Accessibility to Internet by the consumers is an important issue in B2C domain. This is particularly so in countries like India where penetration of PCs and other devices to households for access to Internet is minimal. Also important are availability of bandwidth and other infrastructure for faster and easier access. Considering that e-commerce aims at global market, deficiencies of these kinds in the developing world are no longer concerns confined to these areas, but are global e-commerce concerns.

Business to Business (B2B)

As opposed to B2C e-commerce, in B2B domain, the parties to a deal are at different points of the product supply chain. Typically, in a B2B type domain, a company, its suppliers, dealers and bankers to all the parties are networked to finalize and settle all aspects of a deal,

online. Perhaps, only the goods in different stages of processing physically move from the supplier to the dealer. This scenario can be extended to include the shipper, providers of different ancillary services, IT service provider and the payment system gateway, etc., depending on the degree of sophistication of the available systems.

Another important feature of a B2B domain, as distinct from B2C, is that business information / data is integrated to the back office systems of parties to a deal and the state of straight through processing (STP) or near STP is achieved. This is a very significant aspect of B2B model of e-commerce, which results in improved profits through lowering cost and reducing inventories.

For example, in a B2B environment, typically, the back office system of a company controls inventory requirement with reference to the order book position updated regularly on the basis of orders received from dealers through Internet. At the optimum level of inventory it raises a purchase order with the supplier, whose system in turn, processes the order and confirms supply. Buyer company’s system issues debit instructions on its bank account for payment to the supplier. The buyer’s bank credits seller’s bank with the cost of sale through a payment gateway or through RTGS system. Similar series of transaction processes are also initiated between the company and its dealers and their respective banks. Once e-commerce relationship is established between the firms, the transactions of the type shown above can be processed with minimal human intervention and on 24 hours a day and 7 days a week basis.

New business models are emerging in B2B domain. There are portals which offer a meeting ground to buyers and sellers of different products in supply chain, more like a buyer-seller meet in international business. This has enabled relatively smaller companies to enter the global market. Banks in the portal offer financial services for deals settled through the portal.

Technology and networking are important constituents of a B2B type of business domain. Earlier, only large firms could have access to such technology and they used private networks with interface to each other for information flow and transaction processing. A major concern used to be compatibility of EDI platforms across different B2B partners. Internet with WWW and other standard technology have offered opportunity to relatively smaller and medium sized firms to integrate their operations in B2B model and take advantage of the benefits it offers. It has also led to standardization of software platforms.

Other new forms of business models in B2B domain are Application Service Providers (ASP) and Service Integrators. ASPs offer application software online to e-commerce companies who pay for the same according to the use without owning it. Often entire back office processing is taken care of by ASPs and other service integrators. However, the utility of such service providers will to a large extent depend on the business strategy of the e-venture.

The concerns of B2B e-commerce are similar to those of B2C, discussed earlier. The security issues are more pronounced because of high value transfers taking place through the net. So also are the issues relating to privacy of information, law, tax repudiation etc. The other issues of importance to a B2B firm are the choice of appropriate technology, the issue of build or outsource, maintenance and training of personnel, etc., since they involve large investments and are critical to success.

Several studies have attempted to assess the relative importance of B2B and B2C business domains. There is wide difference in estimates of volume of business transacted over Internet and its components under B2C and B2B. However, most studies agree that volume of transactions in B2B domain far exceeds that in B2C. This is expected result. There is also a growing opinion that the future of e-business lies in B2B domain, as compared to B2C. This has several reasons some of which are already discussed earlier, like low penetration of PCs to households, low bandwidth availability etc., in a large part of the world. The success of B2C ventures depends to a large extent on the shopping habits of people in different parts of the world. A survey sponsored jointly by Confederation of Indian Industries and Infrastructure Leasing and Financial Services on e-commerce in India in 1999 made the following observations. 62% of PC owners and 75% of PC non-owners but who have access to Internet would not buy through the net, as they were not sure of the product offered. The same study estimated the size of B2B business in India by the year 2001 to be varying between Rs. 250 billion to Rs. 500 billion. In a recent study done by Arthur Andersen, it has been estimated that 84% of total e-business revenue is generated from B2B segment and the growth prospects in this segment are substantial. It has estimated the revenues to be anywhere between US $ 2.7 trillion to over US $ 7 trillion within the next three years (2003).

The Growth of Internet Banking and common products:

Internet Banking is a product of e-commerce in the field of banking and financial services. In what can be described as B2C domain for banking industry, Internet Banking offers different online services like balance enquiry, requests for cheque books, recording stop-payment instructions, balance transfer instructions, account opening and other forms of traditional banking services. Mostly, these are traditional services offered through Internet as a new delivery channel. Banks are also offering payment services on behalf of their customers who shop in different e-shops, e-malls etc. Further, different banks have different levels of such services offered, starting from level-1 where only information is disseminated through Internet to level-3 where online transactions are put through. These aspects have been dealt with in brief in the introductory chapter and again detailed products and services are discussed in chapters 3 and 4. Hence, in the following paragraphs I-banking concerns in B2B domain are discussed.

Considering the volume of business e-commerce, particularly in B2B domain, has been generating, it is natural that banking would position itself in an intermediary role in settling the transactions and offering other trade related services. This is true both in respect of B2C and B2B domains. Besides the traditional role of financial intermediary and settlement agents, banks have also exploited new opportunities offered by Internet in the fields of integrated service providers, payment gateway services, etc. However, the process is still evolving and banks are repositioning themselves based on new emerging e-commerce business models.

In B2B scenario, a new form of e-commerce market place is emerging where various players in the production and distribution chain are positioning themselves and are achieving a kind of integration in business information flow and processing (STP or near STP) leading to efficiencies in the entire supply chain and across industries. Banks are positioning themselves in such a market in order to be a part of the financial settlements arising out of transactions of this

market and providing wholesale financial services. This needs integration of business information flow not only across the players in the supply chain, but with the banks as well. With the integration of business information flow and higher degree of transparency, the banks and other financial services institutions have lost some of the information advantage they used to enjoy and factor in to pricing of their products. However, such institutions have the advantage of long standing relationships, goodwill and brand, which are important sources of assurance in a virtual market. Banks are in fact, converting this goodwill into a business component in e-commerce scenario in providing settlement and other financial services. Some banks have also moved to providing digital certificates for transactions through e-markets. Banks’ strategies in B2B market are responses to different business models emerging in e-commerce. A recent study by Arthur Andersen shows that banks and financial service institutions generally adopt one of three business models to respond to e-business challenges. In the first place, they treat it as an extension of existing business without any significant changes other than procedural and what technology demands. The second strategy takes the same approach as the first but introduces structural changes to the underlying business. In the third approach banks launch e-business platform as a different business from the existing core business and as a different brand of product. There is no definite answer as to which approach is appropriate. Perhaps it depends on the type of market the bank is operating, its existing competencies and the legal and regulatory environment. It is, however, sure that e-banking is evolving beyond the traditional limits of banking and many new products / services are likely to emerge as e-commerce matures.

International experience

Internet banking has presented regulators and supervisors worldwide with new challenges. The Internet, by its very nature, reaches across borders and is, for this reason, engaging the attention of regulatory and supervisory authorities all over the world. The experience of various countries, as far as Internet banking is concerned, is outlined in this chapter.

U.S.A.

In the USA, the number of thrift institutions and commercial banks with transactional web-sites is 1275 or 12% of all banks and thrifts. Approximately 78% of all commercial banks with more than $5 billion in assets, 43% of banks with $500 million to $5 billion in assets, and 10% of banks under $ 500 million in assets have transactional web-sites. Of the 1275-thrifts/commercial banks offering transactional Internet banking, 7 could be considered ‘virtual banks’. 10 traditional banks have established Internet branches or divisions that operate under a unique brand name. Several new business process and technological advances such as Electronic Bill Presentment and Payment (EBPP), handheld access devices such as Personal Digital Assistants (PDAs), Internet Telephone and Wireless Communication channels and phones are emerging in the US market. A few banks have become Internet Service Providers (ISPs), and banks may become Internet portal sites and online service providers in the near future. Reliance on third party vendors is a common feature of electronic banking ventures of all sizes and degrees of sophistication in the US. Currently, payments made over the Internet are almost exclusively conducted through existing payment instruments and networks. For retail e-commerce in the US, most payments made over the Internet are currently completed with credit cards and are cleared and settled through existing credit card clearing and settlement systems. Efforts are under way to make it easier to use debit cards, cheques and the Automated Clearing House (ACH) to make payments over the Internet. Versions of e-money, smart cards, e-cheques and other innovations are being experimented with to support retail payments over the Internet.

World over, electronic banking is making rapid strides due to evolving communication technology. Penetration of Internet banking is increasing in most countries. Wireless Application Protocol (WAP) is an emerging service which banks worldwide are also offering. The stiff competition in this area exposes banks to substantial risks. The need is being felt overseas that transparency and disclosure requirements should be met by the e-banking community. While existing regulations and legislations applicable to traditional banking are being extended to banks’ Internet banking and electronic banking services, it is recognized that Internet security, customer authentication and other issues such as technology outsourcing pose unique risks. Central Banks worldwide are addressing such issues with focused attention. Special legislations and regulations are being framed by the regulators and supervisors for proper management of the different types of risks posed by these services. The reliance on outsourcing is an area where overseas regulators and supervisors are focusing their attention, with banks having to regularly review and test business continuity, recovery and incidence response plans in order to maintain their reputation of trust. Consumer protection and data privacy are areas which assume great significance when banking transactions are carried over a medium as insecure as the Internet. Many countries are looking at special consumer protection/data privacy legislation for an e-commerce environment. The presence of ‘virtual banks’ or ‘Internet only banks’ and the licensing requirements required for such entities are also areas which are being looked into by overseas authorities. There has also been co-operation among the regulators and supervisors to meet the challenges of ‘virtual’ cross border e-banking, particularly in the light of the possibility of increased money laundering activities through the medium of Internet. 
Internet banking is universally seen as a welcome development, and efforts are being made to put in place systems to manage and control the risks involved without restricting this service.

The Indian Scenario

The entry of Indian banks into Net Banking

Internet banking, both as a medium of delivery of banking services and as a strategic tool for business development, has gained wide acceptance internationally and is fast catching up in India with more and more banks entering the fray. India can be said to be on the threshold of a

major banking revolution with net banking having already been unveiled. A recent questionnaire to which 46 banks responded, has revealed that at present, 11 banks in India are providing Internet banking services at different levels, 22 banks propose to offer Internet banking in near future while the remaining 13 banks have no immediate plans to offer such facility.

At present, the total Internet users in the country are estimated at 9 lakh. However, this is expected to grow exponentially to 90 lakh by 2003. Only about 1% of Internet users did banking online in 1998. This increased to 16.7% in March 2000.* The growth potential is, therefore, immense. Further incentives provided by banks would dissuade customers from visiting physical branches, and thus get ‘hooked’ to the convenience of arm-chair banking. The facility of accessing their accounts from anywhere in the world by using a home computer with Internet connection, is particularly fascinating to Non-Resident Indians and High Networth Individuals having multiple bank accounts.

Costs of banking service through the Internet form a fraction of costs through conventional methods. Rough estimates assume teller cost at Re.1 per transaction, ATM transaction cost at 45 paise, phone banking at 35 paise, debit cards at 20 paise and Internet banking at 10 paise per transaction. The cost-conscious banks in the country have therefore actively considered use of the Internet as a channel for providing services. Fully computerized banks, with better management of their customer base are in a stronger position to cross-sell their products through this channel.

Products and services offered

Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank, which is not having a web site, allows its customer to communicate with it through an e-mail address; communication is limited to a small number of branches and offices which have access to this email account. As yet, many scheduled commercial banks in India are still in the first stage of Internet banking operations.

With gradual adoption of Information Technology, the bank puts up a web-site that provides general information on the banks, its location, services available e.g. loan and deposits products, application forms for downloading and e-mail option for enquiries and feedback. It is largely a marketing or advertising tool. For example, Vijaya Bank provides information on its web-site about its NRI and other services. Customers are required to fill in applications on the Net and can later receive loans or other products requested for at their local branch. A few banks provide the customer to enquire into his demat account (securities/shares) holding details, transaction details and status of instructions given by him. These web sites still do not allow online transactions for their customers.

Some of the banks permit customers to interact with them and transact electronically with them. Such services include request for opening of accounts, requisition for cheque books, stop payment of cheques, viewing and printing statements of accounts, movement of funds between accounts within the same bank, querying on status of requests, instructions for opening of Letters of Credit and Bank Guarantees etc. These services are being initiated by banks like ICICI Bank Ltd., HDFC Bank Ltd., Citibank, Global Trust Bank Ltd., UTI Bank Ltd., Bank of Madura Ltd., Federal Bank Ltd. etc. Recent entrants in Internet banking are Allahabad Bank (for

its corporate customers through its ‘Allnet’ service) and Bank of Punjab Ltd. State Bank of India has announced that it will be providing such services soon. Certain banks like ICICI Bank Ltd., have gone a step further within the transactional stage of Internet banking by allowing transfer of funds by an account holder to any other account holder of the bank.

The Future Scenario

Compared to banks abroad, Indian banks offering online services still have a long way to go. For online banking to reach a critical mass, there has to be sufficient number of users and the sufficient infrastructure in place. The ‘Infinity’ product of ICICI Bank Ltd. gets only about 30,000 hits per month, with around 3,000 transactions taking place on the Net per month through this service. Though various security options like line encryption, branch connection encryption, firewalls, digital certificates, automatic sign-offs, random pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no Certification Authority in India offering Public Key Infrastructure which is absolutely necessary for online banking. The customer can only be assured of a secured conduit for its online activities if an authority certifying digital signatures is in place. The communication bandwidth available today in India is also not enough to meet the needs of high priority services like online banking and trading. Banks offering online facilities need to have an effective disaster recovery plan along with comprehensive risk management measures. Banks offering online facilities also need to calculate their downtime losses, because even a few minutes of downtime in a week could mean substantial losses. Some banks even today do not have uninterrupted power supply unit or systems to take care of prolonged power breakdown. Proper encryption of data and effective use of passwords are also matters that leave a lot to be desired. Systems and processes have to be put in place to ensure that errors do not take place.

Users of Internet Banking Services are required to fill up the application forms online and send a copy of the same by mail or fax to the bank. A contractual agreement is entered into by the customer with the bank for using the Internet banking services. In this way, personal data in the applications forms is being held by the bank providing the service. The contract details are often one-sided, with the bank having the absolute discretion to amend or supplement any of the terms at any time. For these reasons domestic customers for whom other access points such as ATMs, telebanking, personal contact, etc. are available, are often hesitant to use the Internet banking services offered by Indian banks. Internet Banking, as an additional delivery channel, may, therefore, be attractive / appealing as a value added service to domestic customers. Non-resident Indians for whom it is expensive and time consuming to access their bank accounts maintained in India find net banking very convenient and useful.

The Internet is in the public domain whereby geographical boundaries are eliminated. Cyber crimes are therefore difficult to be identified and controlled. In order to promote Internet banking services, it is necessary that the proper legal infrastructure is in place. Government has introduced the Information Technology Bill, which has already been notified in October 2000. Section 72 of the Information Technology Act, 2000 casts an obligation of confidentiality against disclosure of any electronic record, register, correspondence and information, except for certain purposes and violation of this provision is a criminal offence. Notification for appointment of Authorities to certify digital signatures, ensuring confidentiality

of data, is likely to be issued in the coming months. Comprehensive enactments like the Electronic Funds Transfer Act in U.K. and data protection rules and regulations in the developed countries are in place abroad to prevent unauthorized access to data, malafide or otherwise, and to protect the individual’s rights of privacy. The legal issues are, however, being debated in our country and it is expected that some headway will be made in this respect in the near future.

Operational risk: Operational risk, also referred to as transactional risk is the most common form of risk associated with i-banking. It takes the form of inaccurate processing of transactions, non enforceability of contracts, compromises in data integrity, data privacy and confidentiality, unauthorized access / intrusion to bank’s systems and transactions etc. Such risks can arise out of weaknesses in design, implementation and monitoring of banks’ information system. Besides inadequacies in technology, human factors like negligence by customers and employees, fraudulent activity of employees and crackers / hackers etc. can become potential source of operational risk. Often there is thin line of difference between operational risk and security risk and both terminologies are used interchangeably.

Security risk: Internet is a public network of computers which facilitates flow of data / information and to which there is unrestricted access. Banks using this medium for financial transactions must, therefore, have proper technology and systems in place to build a secured environment for such transactions.

Security risk arises on account of unauthorized access to a bank’s critical information stores like accounting system, risk management system, portfolio management system, etc. A breach of security could result in direct financial loss to the bank. For example, hackers operating via the Internet, could access, retrieve and use confidential customer information and also can implant virus. This may result in loss of data, theft of or tampering with customer information, disabling of a significant portion of bank’s internal computer system thus denying service, cost of repairing these etc. Other related risks are loss of reputation, infringing customers’ privacy and its legal implications etc. Thus, access control is of paramount importance. Controlling access to banks’ system has become more complex in the Internet environment which is a public domain and attempts at unauthorized access could emanate from any source and from anywhere in the world with or without criminal intent. Attackers could be hackers, unscrupulous vendors, disgruntled employees or even pure thrill seekers. Also, in a networked environment the security is limited to its weakest link. It is therefore, necessary that banks critically assess all interrelated systems and have access control measures in place in each of them.

In addition to external attacks banks are exposed to security risk from internal sources e.g. employee fraud. Employees being familiar with different systems and their weaknesses become potential security threats in a loosely controlled environment. They can manage to acquire the authentication data in order to access the customer accounts causing losses to the bank.

Unless specifically protected, all data / information transfer over the Internet can be monitored or read by unauthorized persons. There are programs such as ‘sniffers’ which can be set up at web servers or other critical locations to collect data like account numbers, passwords, account and credit card numbers. Data privacy and confidentiality issues are relevant even when data is not being transferred over the net. Data residing in web servers or even banks’ internal systems are susceptible to corruption if not properly isolated through firewalls from Internet.

The risk of data alteration, intentionally or unintentionally, but unauthorized is real in a networked environment, both when data is being transmitted or stored. Proper access control and technological tools to ensure data integrity is of utmost importance to banks. Another important aspect is whether the systems are in place to quickly detect any such alteration and set the alert.

Identity of the person making a request for a service or a transaction as a customer is crucial to legal validity of a transaction and is a source of risk to a bank. A computer connected to Internet is identified by its IP (Internet Protocol) address. There are methods available to masquerade one computer as another, commonly known as ‘IP Spoofing’. Likewise user identity can be misrepresented. Hence, authentication control is an essential security step in any ebanking system.

Non-repudiation involves creating a proof of communication between two parties, say the bank and its customer, which neither can deny later. Banks’ system must be technologically equipped to handle these aspects which are potential sources of risk.

System architecture and design

Appropriate system architecture and control is an important factor in managing various kinds of operational and security risks. Banks face the risk of wrong choice of technology, improper system design and inadequate control processes. For example, if access to a system is based on only an IP address, any user can gain access by masquerading as a legitimate user by spoofing IP address of a genuine user. Numerous protocols are used for communication across Internet. Each protocol is designed for specific types of data transfer. A system allowing communication with all protocols, say HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol), telnet etc. is more prone to attack than one designed to permit say, only HTTP.

Choice of appropriate technology is a potential risk banks face. Technology which is outdated, not scalable or not proven could land the bank in investment loss, a vulnerable system and inefficient service with attendant operational and security risks and also risk of loss of business.

Many banks rely on outside service providers to implement, operate and maintain their e-banking systems. Although this may be necessary when banks do not have the requisite expertise, it adds to the operational risk. The service provider gains access to all critical business information and technical systems of the bank, thus making the system vulnerable. In such a scenario, the choice of vendor, the contractual arrangement for providing the service etc., become critical components of banks’ security. Bank should educate its own staff and over dependencies on these vendors should be avoided as far as possible.
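The weakness named above, access granted on the strength of an IP address alone, set beside a request check that authenticates the sender and flags altered or replayed messages. This is an added illustration, not code from the report or from any bank's system; the customer id, key, addresses and field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data: a documentation-range address and a demo key.
TRUSTED_IPS = {"203.0.113.10"}
CUSTOMER_KEYS = {"cust-001": b"demo-shared-secret-not-for-production"}
MAX_CLOCK_SKEW = 300  # seconds a request timestamp may differ from server time


def ip_only_access(source_ip):
    """Weak design: the claimed source address is the only credential."""
    return source_ip in TRUSTED_IPS


def _canonical(customer_id, timestamp, nonce, body):
    """Serialise the fields covered by the MAC in one unambiguous form."""
    return json.dumps(
        {"customer_id": customer_id, "timestamp": timestamp,
         "nonce": nonce, "body": body},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")


def sign_request(customer_id, key, timestamp, nonce, body):
    """Client side: attach an HMAC-SHA256 tag computed over the whole request."""
    tag = hmac.new(key, _canonical(customer_id, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"customer_id": customer_id, "timestamp": timestamp,
            "nonce": nonce, "body": body, "mac": tag}


class RequestVerifier:
    """Server side: authenticate the sender, detect alteration and replay."""

    def __init__(self, keys, max_skew=MAX_CLOCK_SKEW):
        self._keys = keys
        self._max_skew = max_skew
        self._seen = set()   # (customer, nonce) pairs; a real store would expire them
        self.alerts = []     # rejected requests, kept for the administrator

    def verify(self, request, source_ip, now):
        reason = self._check(request, now)
        if reason != "ok":
            self.alerts.append((now, source_ip, request.get("customer_id"), reason))
        return reason

    def _check(self, request, now):
        key = self._keys.get(request.get("customer_id"))
        if key is None:
            return "unknown-customer"
        try:
            expected = hmac.new(
                key,
                _canonical(request["customer_id"], request["timestamp"],
                           request["nonce"], request["body"]),
                hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return "malformed"
        supplied = str(request.get("mac", "")).encode("utf-8")
        # Constant-time comparison; any change to a covered field fails here.
        if not hmac.compare_digest(expected.encode("utf-8"), supplied):
            return "bad-mac"
        if not isinstance(request["timestamp"], (int, float)):
            return "malformed"
        if abs(now - request["timestamp"]) > self._max_skew:
            return "stale"
        replay_key = (request["customer_id"], request["nonce"])
        if replay_key in self._seen:
            return "replay"
        self._seen.add(replay_key)
        return "ok"


def demo():
    """Run the constructed cases and return their outcomes."""
    key = CUSTOMER_KEYS["cust-001"]
    now = 1_000_000
    verifier = RequestVerifier(CUSTOMER_KEYS)
    genuine = sign_request("cust-001", key, now, "n-1",
                           {"action": "transfer", "to": "ACC-2", "amount": 100})
    altered = dict(genuine, body=dict(genuine["body"], amount=100000))
    old = sign_request("cust-001", key, now - 1000, "n-2", {"action": "balance"})
    results = {
        # The address check cannot tell a genuine sender from a forged address.
        "ip_only": ip_only_access("203.0.113.10"),
        "genuine": verifier.verify(genuine, "198.51.100.7", now),
        "altered": verifier.verify(altered, "198.51.100.7", now),
        "replayed": verifier.verify(genuine, "198.51.100.7", now + 1),
        "stale": verifier.verify(old, "198.51.100.7", now),
    }
    return results, verifier.alerts
```

A shared-key MAC gives authentication and alteration detection only: since both parties hold the same key, it does not give the non-repudiation described above, which needs a digital signature made with a key only the signer holds.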

Not updating bank’s system in keeping with the rapidly changing technology, increases operational risk because it leaves holes in the security system of the bank. Also, staff may fail to understand fully the nature of new technology employed. Further, if updating is left entirely at customers’ end, it may not be updated as required by the bank. Thus education of the staff as well as users plays an important role to avoid operational risk.

Approaches to reduce security related operational risk are discussed in detail in Chapter 6. These include access control, use of firewalls, cryptographic techniques, public key encryption, digital signature etc.

Reputational risk

Reputational risk is the risk of getting significant negative public opinion, which may result in a critical loss of funding or customers. Such risks arise from actions which cause major loss of the public confidence in the banks' ability to perform critical functions or impair bank-customer relationship. It may be due to banks’ own action or due to third party action.

The main reasons for this risk may be system or product not working to the expectations of the customers, significant system deficiencies, significant security breach (both due to internal and external attack), inadequate information to customers about product use and problem resolution procedures, significant problems with communication networks that impair customers’ access to their funds or account information especially if there are no alternative means of account access. Such situation may cause customer-discontinuing use of product or the service. Directly affected customers may leave the bank and others may follow if the problem is publicized.

Other reasons include losses to similar institution offering same type of services causing customer to view other banks also with suspicion, targeted attacks on a bank like hacker spreading inaccurate information about bank products, a virus disturbing bank’s system causing system and data integrity problems etc.

Possible measures to avoid this risk are to test the system before implementation, backup facilities, contingency plans including plans to address customer problems during system disruptions, deploying virus checking, deployment of ethical hackers for plugging the loopholes and other security measures.

It is significant not only for a single bank but also for the system as a whole. Under extreme circumstances, such a situation might lead to systemic disruptions in the banking system as a whole. Thus the role of the regulator becomes even more important as not even a single bank can be allowed to fail.

Legal risk

Legal risk arises from violation of, or non-conformance with laws, rules, regulations, or prescribed practices, or when the legal rights and obligations of parties to a transaction are not well established.

Given the relatively new nature of Internet banking, rights and obligations in some cases are uncertain and applicability of laws and rules is uncertain or ambiguous, thus causing legal risk.

Other reasons for legal risks are uncertainty about the validity of some agreements formed via electronic media and law regarding customer disclosures and privacy protection. A customer, inadequately informed about his rights and obligations, may not take proper precautions in using Internet banking products or services, leading to disputed transactions, unwanted suits against the bank or other regulatory sanctions.

In the enthusiasm of enhancing customer service, bank may link their Internet site to other sites also. This may cause legal risk. Further, a hacker may use the linked site to defraud a bank customer.

If banks are allowed to play a role in authentication of systems such as acting as a Certification Authority, it will bring additional risks. A digital certificate is intended to ensure that a given signature is, in fact, generated by a given signer. Because of this, the certifying bank may become liable for the financial losses incurred by the party relying on the digital certificate.

Money laundering risk

As Internet banking transactions are conducted remotely banks may find it difficult to apply traditional method for detecting and preventing undesirable criminal activities. Application of money laundering rules may also be inappropriate for some forms of electronic payments. Thus banks expose themselves to the money laundering risk. This may result in legal sanctions for non-compliance with 'know your customer' laws.

To avoid this, banks need to design proper customer identification and screening techniques, develop audit trails, conduct periodic compliance reviews, frame policies and procedures to spot and report suspicious activities in Internet transactions.

Cross border risks

Internet banking is based on technology that, by its very nature, is designed to extend the geographic reach of banks and customers. Such market expansion can extend beyond national borders. This causes various risks.

It includes legal and regulatory risks, as there may be uncertainty about legal requirements in some countries and jurisdiction ambiguities with respect to the responsibilities of different national authorities. Such considerations may expose banks to legal risks associated with noncompliance of different national laws and regulations, including consumer protection laws, record-keeping and reporting requirements, privacy rules and money laundering laws.

If a bank uses a service provider located in another country, it will be more difficult to monitor it thus, causing operational risk. Also, the foreign-based service provider or foreign participants in Internet banking are sources of country risk to the extent that foreign parties become unable to fulfil their obligations due to economic, social or political factors.

Cross border transaction accentuates credit risk, since it is difficult to appraise an application for a loan from a customer in another country compared to a customer from a familiar customer base. Banks accepting foreign currencies in payment for electronic money may be subjected to market risk because of movements in foreign exchange rates.

Strategic Risk

This risk is associated with the introduction of a new product or service. Degree of this risk depends upon how well the institution has addressed the various issues related to development of a business plan, availability of sufficient resources to support this plan, credibility of the vendor (if outsourced) and level of the technology used in comparison to the available technology etc.

For reducing such risk, banks need to conduct proper survey, consult experts from various fields, establish achievable goals and monitor performance. Also they need to analyse the availability and cost of additional resources, provision of adequate supporting staff, proper training of staff and adequate insurance coverage. Due diligence needs to be observed in selection of vendors, audit of their performance and establishing alternative arrangements for possible inability of a vendor to fulfil its obligation. Besides this, periodic evaluations of new technologies and appropriate consideration for the costs of technological upgradation are required.

Other risks

Traditional banking risks such as credit risk, liquidity risk, interest rate risk and market risk are also present in Internet banking. These risks get intensified due to the very nature of Internet banking on account of use of electronic channels as well as absence of geographical limits. However, their practical consequences may be of a different magnitude for banks and supervisors than operational, reputational and legal risks. This may be particularly true for banks that engage in a variety of banking activities, as compared to banks or bank subsidiaries that specialize in Internet banking.

Credit risk is the risk that a counter party will not settle an obligation for full value, either when due or at any time thereafter. Banks may not be able to properly evaluate the credit worthiness of the customer while extending credit through remote banking procedures, which could enhance the credit risk. Presently, banks generally deal with more familiar customer base. Facility of electronic bill payment in Internet banking may cause credit risk if a third party intermediary fails to carry out its obligations with respect to payment. Proper evaluation of the creditworthiness of a customer and audit of lending process are a must to avoid such risk.

Another facility of Internet banking is electronic money. It brings various types of risks associated with it. If a bank purchases e-money from an issuer in order to resell it to a customer, it exposes itself to credit risk in the event of the issuer defaulting on its obligation to redeem electronic money.

Liquidity Risk arises out of a bank’s inability to meet its obligations when they become due without incurring unacceptable losses, even though the bank may ultimately be able to meet its obligations. It is important for a bank engaged in electronic money transfer activities

that it ensures that funds are adequate to cover redemption and settlement demands at any particular time. Failure to do so, besides exposing the bank to liquidity risk, may even give rise to legal action and reputational risk.

Similarly banks dealing in electronic money face interest rate risk because of adverse movements in interest rates causing decrease in the value of assets relative to outstanding electronic money liabilities. Banks also face market risk because of losses in on-and-off balance sheet positions arising out of movements in market prices including foreign exchange rates. Banks accepting foreign currency in payment for electronic money are subject to this type of risk.

Risk of unfair competition: Internet banking is going to intensify the competition among various banks. The open nature of Internet may induce a few banks to use unfair practices to take advantage over rivals. Any leaks at network connection or operating system etc., may allow them to interfere in a rival bank’s system.

Thus one can find that along with the benefits, Internet banking carries various risks for bank itself as well as banking system as a whole. The rapid pace of technological innovation is likely to keep changing the nature and scope of risks banks face. These risks must be balanced against the benefits. Supervisory and regulatory authorities are required to develop methods for identifying new risks, assessing risks, managing risks and controlling risk exposure. But authorities need to keep in consideration that the development and use of Internet banking are still in their early stages, and policies that hamper useful innovation and experimentation should be avoided. Thus authorities need to encourage banks to develop a risk management process rigorous and comprehensive enough to deal with known risks and flexible enough to accommodate changes in the type and intensity of the risks.

Technology and Security Standards For Internet Banking

Introduction

The Internet has provided a new and inexpensive channel for banks to reach out to their customers. It allows customers to access banks’ facilities round the clock and 7 days a week. It also allows customers to access these facilities from remote sites/home etc. However, all these capabilities come with a price. The highly unregulated Internet provides a less than secure environment for the banks to interface. The diversity in computer, communication and software technologies used by the banks vastly increases the challenges facing the online bankers. In this chapter, an effort has been made to give an overview of the technologies commonly used in Internet banking. An attempt has been made to describe concepts, techniques and technologies related to privacy and security including the physical security. The banks planning to offer

Internet banking should have explicit policies on security. An outline for a possible framework for security policy and planning has also been given. Finally, recommendations have been made for ensuring security in Internet banking.

Technologies

Computer networking & Internet

The purpose of computer networking is sharing of computing resources and data across the whole organization and the outside world. Computer Networks can be primarily divided into two categories based on speed of data transfers and geographical reach. A Local area network (LAN) connects many servers and workstations within a small geographical area, such as a floor or a building. Some of the common LAN technologies are 10 MB Ethernet, 100 MB Ethernet, 1GB Ethernet, Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM). The data transfer rates here are very high. They commonly use broadcast mode of data transfer. The Wide Area Network (WAN), on the other hand, is designed to carry data over great distances and are generally point-to-point. Connectivity in WAN set-up is provided by using dialup modems on the Public Switched Telephone Network (PSTN) or leased lines, VSAT networks, an Integrated Services Digital Network (ISDN) or T1 lines, Frame Relay/X.25 (Permanent Virtual Circuits), Synchronous Optical Network (SONET), or by using Virtual Private Networks (VPN) which are software-defined dedicated and customized services used to carry traffic over the Internet. The different topologies, technologies and data communication protocols have different implications on safety and security of services.

To standardize on communications between systems, the International Organization of Standards developed the OSI model (the Open System Interconnection Reference Model) in 1977. The OSI breaks up the communication process into 7 layers and describe the functions and interfaces of each layer. The important services provided by some of the layers are mentioned below. It is necessary to have a good understanding of these layers for developing applications and for deploying firewalls (described later).

Application Layer: Network Management, File Transfer Protocol, Information validation, Application-level access security checking.
Session Layer: establishing, managing and terminating connections (sessions) between applications
Transport Layer: Reliable transparent transfer of data between end points, end to end recovery & flow control.
Network Layer: Routing, switching, traffic monitoring and congestion control, control of network connections, logical channels and data flow.
Data Link Layer: Reliable transfer of data across physical link and control of flow of data from one machine to another.

Protocols: The data transmission protocol suite used for the Internet is known as the Transmission Control Protocol/Internet Protocol (TCP/IP). The Internet is primarily a network of networks. The networks in a particular geographical area are connected into a large regional

network. The regional networks are connected via a high speed 'back bone'. The data sent from one region to another is first transmitted to a Network Access Point (NAP) and are then routed over the backbone. Each computer connected to the Internet is given a unique IP address (such as 142.16.111.84) and a hierarchical domain name (such as cse.iitb.ernet.in). The Internet can be accessed using various application-level protocols such as FTP (File Transfer Protocol), Telnet (Remote Terminal Control Protocol), Simple Mail Transport Protocol (SMTP), Hypertext Transfer Protocol (HTTP). These protocols run on top of TCP/IP. The most innovative part of the Internet is the World Wide Web (WWW). The web uses hyperlinks, which allow users to move from any place on the web to any other place. The web consists of web pages, which are multimedia pages composed of text, graphics, sound and video. The web pages are made using Hypertext Markup Language (HTML). The web works on a client-server model in which the client software, known as the browser, runs on the local machine and the server software, called the web server, runs on a possibly remote machine. Some of the popular browsers are Microsoft Internet Explorer and Netscape Navigator.

With the popularity of web, organizations find it beneficial to provide access to their services through the Internet to its employees and the public. In a typical situation, a component of the application runs (as an ‘applet’) within the browser on user’s workstation. The applet connects to the application (directly using TCP/IP or through web server using HTTP protocols) on the organization’s application and database servers. These servers may be on different computer systems. The web-based applications provide flexible access from anywhere using the familiar browsers that support graphics and multimedia. The solutions are also scalable and easy to extend. Fig. 6.1 below shows some of the components and technologies/products commonly used in the design of web-based applications.

Banking Products: Internet Banking applications run on diverse platforms, operating systems and use different architectures. The product may support centralized (bank-wide) operations or branch level automation. It may have a distributed, client server or three tier architecture based on a file system or a DBMS package. Moreover, the product may run on computer systems of various types ranging from PCs, open (Unix based) systems, to proprietary main frames. These products allow different levels of access to the customers and different range of facilities. The products accessible through Internet can be classified into three types based on the levels of access granted:

• Information only systems: General-purpose information like interest rates, branch locations, product features, FAQs, loan and deposit calculators are provided on the bank’s web (WWW) site. The sites also allow downloading of application forms. Interactivity is limited to a simple form of ‘e-mail’. No identification or authentication of customers is done and there is no interaction between the bank’s production system (where current data of accounts are kept and transactions are processed) and the customer.

• Electronic Information Transfer System: These systems provide customer-specific information in the form of account balances, transaction details, statement of account etc. The information is still largely ‘read only’. Identification and authentication of

customer takes place using relatively simple techniques (like passwords). Information is fetched from the Bank’s production system in either the batch mode or offline. Thus, the bank’s main application system is not directly accessed.

• Fully Transactional System: These systems provide bi-directional transaction capabilities. The bank allows customers to submit transactions on its systems and these directly update customer accounts. Therefore, security & control system need to be strongest here.

Application architecture

A computer-based application may be built as a monolithic software, or may be structured to run on a client–server environment, or even have three or multi-tiered architecture. A computer application typically separates its 3 main tasks: interactions with the user, processing of transactions as per the business rules, and the storage of business data. The three tasks can be viewed as three layers, which may run on the same system (possibly a large, proprietary computer system), or may be separated on to multiple computers (across the Internet), leading to three-tier or multi-tier architecture. These layers can be briefly described as follows:

• Presentation Layer: This layer is responsible for managing the front-end devices, which include browsers on personal computers, Personal Digital Assistants (PDAs), mobile phones, Internet kiosks, Web TV etc. The presentation layer takes care of user interface related issues like display details, colour, layout, image etc. It also has important responsibilities in user authentication and session management activity.

• Application layer: It contains the business logic (for processing of data and transactions) and necessary interfaces to the data layer. It processes requests from the presentation layer, connects to the data layer, receives and processes the information and passes results back to the presentation layer. It is responsible for ensuring that all the business rules are incorporated in the software. The issues of scalability, reliability and performance of the services to a great extent depend upon the application layer architecture.

• Data Layer: The data layer uses a database package to store, retrieve and update application data. The database may be maintained on one or multiple servers. A database package also supports back-up and recovery of data, as well as logging of all transactions.

Issues in administration of systems and applications: The role of the network and the database administrator is pivotal in securing the information systems of any organization. The role extends across various job functions and any laxity in any of the functions leaves the system open for malicious purposes. A few important functions of the administrator and how they relate to or impinge on system security are discussed below:

Installation of software: A software (whether system or application) needs to be carefully installed as per the developer’s instructions. The software system may contain bugs and security holes, which over a period are fixed through appropriate patches. It is necessary to know the latest and correct configuration of all software packages. Hackers and intruders are often aware

of these bugs and may exploit known weaknesses in the software, hence, care should be taken to install only the latest versions of software with the latest patches. Further, improper installation may lead to degradation of services. Installation of pirated software is not only illegal and unethical, but may also contain trojans and viruses, which may compromise system security. In addition, while installing software care should be taken that only necessary services are enabled on a need to use basis. In the case of installation of outsourced software, care should be taken to compare the source code and the executable code using appropriate tools as unscrupulous developers may leave backdoor traps in the software and for illegal access and update to the data.

Access controls and user maintenance: An administrator has to create user accounts on different computer systems, and give various access permissions to the users. Setting access controls to files, objects and devices reduces intentional and unintentional security breaches. A bank’s system policy should specify access privileges and controls for the information stored on the computers. The administrators create needed user groups and assign users to the appropriate groups. The execution privilege of most system–related utilities should be limited to system administrators so that users may be prevented from making system level changes. The write / modify access permissions for all executables and binary files should be disabled. If possible, all log files should be made 'append only'. All sensitive data should be made more secure by using encryption. The system and database administrators are also responsible for the maintenance of users and the deletion of inactive users. Proper logs should be maintained of dates of user creation and validity period of users. There should be a frequent review to identify unnecessary users and privileges, especially of temporary users such as system maintenance personnel and system auditors.

Backup, recovery & business continuity: Back-up of data, documentation and software is an important function of the administrators. Both data and software should be backed up periodically. The frequency of back up should depend on the recovery needs of the application. Online / real time systems require frequent backups within a day. The back-up may be incremental or complete. Automating the back up procedures is preferred to obviate operator errors and missed back-ups. Recovery and business continuity measures, based on criticality of the systems, should be in place and a documented plan with the organization and assignment of responsibilities of the key decision making personnel should exist. An off-site back up is necessary for recovery from major failures / disasters to ensure business continuity. Depending on criticality, different technologies based on back up, hot sites, warm sites or cold sites should be available for business continuity. The business continuity plan should be frequently tested.

System & network logging: Operating systems, database packages and even business applications produce a ‘log’ of various tasks performed by them. Most operating systems keep a log of all user actions. Log files are the primary record of suspicious behavior. Log files alert the administrator to carry out further investigation in case of suspicious activity and help in determining the extent of intrusion. Log files can also provide evidence in case of legal proceedings. The administrator has to select types of information to be logged, the mechanisms for logging, locations for logging, and locations where the log files are stored. The information required to be logged should include Login/Logout information, location and time of failed attempts, changes in status, status of any resource, changes in system status such as

shutdowns, initializations and restart, file accesses, change to file access control lists, mail logs, modem logs, network access logs, web server logs, etc. The log files must be protected and archived regularly and securely.

Security and Privacy Issues

Terminology:

Security: Security in Internet banking comprises both the computer and communication security. The aim of computer security is to preserve computing resources against abuse and unauthorized use, and to protect data from accidental and deliberate damage, disclosure and modification. The communication security aims to protect data during the transmission in computer network and distributed system.

Authentication: It is a process of verifying claimed identity of an individual user, machine, software component or any other entity. For example, an IP Address identifies a computer system on the Internet, much like a phone number identifies a telephone. It may be to ensure that unauthorized users do not enter, or for verifying the sources from where the data are received. It is important because it ensures authorization and accountability. Authorization means control over the activity of user, whereas accountability allows us to trace uniquely the action to a specific user. Authentication can be based on password or network address or on cryptographic techniques.

Access Control: It is a mechanism to control the access to the system and its facilities by a given user up to the extent necessary to perform his job function. It provides for the protection of the system resources against unauthorized access. An access control mechanism uses the authenticated identities of principals and the information about these principals to determine and enforce access rights. It goes hand in hand with authentication. In establishing a link between a bank’s internal network and the Internet, we may create a number of additional access points into the internal operational system. In this situation, unauthorized access attempts might be initiated from anywhere. Unauthorized access causes destruction, alterations, theft of data or funds, compromising data confidentiality, denial of service etc. Access control may be of discretionary and mandatory types.

Data Confidentiality: The concept of providing for protection of data from unauthorized disclosure is called data confidentiality. Due to the open nature of Internet, unless otherwise protected, all data transfer can be monitored or read by others. Although it is difficult to monitor a transmission at random, because of numerous paths available, special programs such as 'Sniffers', set up at an opportune location like Web server, can collect vital information. This may include credit card number, deposits, loans or password etc. Confidentiality extends beyond data transfer and include any connected data storage system including network storage systems. Password and other access control methods help in ensuring data confidentiality.

Data Integrity: It ensures that information cannot be modified in unexpected way. Loss of data integrity could result from human error, intentional tampering, or even catastrophic events. Failure to protect the correctness of data may render data useless, or worse, dangerous. Efforts

must be made to ensure the accuracy and soundness of data at all times. Access control, encryption and digital signatures are the methods to ensure data integrity.

Non-Repudiation: Non-Repudiation involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient that data has been received or to protect the recipient against false denial by the sender that the data has been sent. To ensure that a transaction is enforceable, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communication or transaction.

Security Audit Trail: A security audit refers to an independent review and examination of system's records and activities, in order to test for adequacy of system controls. It ensures compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in the control, policy and procedures. Audit Trail refers to data generated by the system, which facilitates a security audit at a future date.

Attacks and Compromises: When a bank’s system is connected to the Internet, an attack could originate at any time from anywhere. Some acceptable level of security must be established before business on the Internet can be reliably conducted. An attack could be any form like:

• The intruder may gain unauthorized access and nothing more
• The intruder gains access and destroys, corrupts or otherwise alters data
• The intruder gains access and seizes control partly or wholly, perhaps denying access to privileged users
• The intruder does not gain access, but instead forges messages from your system
• The intruder does not gain access, but instead implements malicious procedures that cause the network to fail, reboot, and hang.

Modern security techniques have made cracking very difficult but not impossible. Furthermore, if the system is not configured properly or the updated patches are not installed then hackers may crack the system using security hole. A wide range of information regarding security hole and their fixes is freely available on the Internet. System administrator should keep himself updated with this information. Common cracking attacks include:

• E-mail bomb and List linking
• Denial-of-Service
• Sniffer attack
• Utilizing security hole in the system software

E-mail bomb: This is a harassment tool. A traditional e-mail bomb is simply a series of messages (perhaps thousands) sent to your mailbox. The attacker’s object is to fill the mailbox with junk.

Denial-of-Service (DoS) attacks: DoS attacks can temporarily incapacitate the entire network (or at least those hosts that rely on TCP/IP). DoS attacks strike at the heart of IP implementations. Hence they can crop up at any platform, a single DoS attack may well work on several target operating systems. Many DoS attacks are well known and well documented. Available fixes must be applied.

Sniffer Attack: Sniffers are devices that capture network packets. They are a combination of hardware and software. Sniffers work by placing the network interface into promiscuous mode. Under normal circumstances, all machines on the network can 'hear' the traffic passing through, but will only respond to data addressed specifically to it. Nevertheless, if the machine is in promiscuous mode then it can capture all packets and frames on the network. Sniffers can capture passwords and other confidential information. Sniffers are extremely difficult to detect because they are passive programs. Encrypted session provides a good solution for this. If an attacker sniffs encrypted data, it will be useless to him. However, not all applications have integrated encryption support.

Holes: A hole is any defect in hardware, software or policy that allows attackers to gain unauthorized access to your system. The network tools that can have holes are Routers, Client and Server software, Operating Systems and Firewalls.

Cryptography: The process of disguising a message in such a way as to hide its substance is called encryption. An encrypted message is called cipher text. The process of turning a cipher text back into plain text is called decryption. Cryptography is the art and science of keeping messages secure. It uses a ‘key’ for encrypting or decrypting a message. Both the method of encryption and the size of key are important to ensure confidentiality of a message. There are two types of encryption: Symmetric key and Asymmetric key encryption.

In the symmetric key cryptography scheme, the same key is used to encrypt and decrypt the message. Common symmetric algorithms include One-time pad encryption, Data Encryption Standard (DES), Triple DES, LOKI, Twofish, Blowfish, International Data Encryption Algorithm (IDEA). DES and Triple DES are the commonly used techniques.

Asymmetric key cryptography scheme is also known as Public key crypto-system. Here two keys are used. One key is kept secret and therefore it is referred as 'private key'. The other key is made widely available to anyone who wants it, and is referred as 'Public key'. The Public key and Private key are mathematically related so that information encrypted using the public key can only be decrypted by the corresponding private key and vice-versa. Importantly, it is near to impossible to find out the private key from the public key. Common and more popular public key cryptosystem algorithms are Diffie-Hellman, RSA, Elliptic Curve etc. In all these, the confidentiality is directly related to the key size. Larger the key size, the longer it takes to break the encrypted message.

Diffie-Hellman: This is the first public key algorithm invented. It gets its security from the difficulty of calculating discrete logarithms in a finite field. Diffie-Hellman method can be used for distribution of keys to be used for symmetric encryption.
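The Diffie-Hellman key distribution described above, as an added example that is not part of the original report: two parties agree on a symmetric key while a sniffer on the path sees only the public values. The group (the 2048-bit MODP group of RFC 3526), the party names "customer" and "bank", the HKDF-SHA256 derivation step and the session label are assumptions chosen for the illustration.

```python
"""Finite-field Diffie-Hellman used to agree a symmetric key (added example)."""
import hashlib
import hmac
import secrets

# Public parameters (assumption: 2048-bit MODP group 14 from RFC 3526).
# P is a safe prime, P = 2*Q + 1 with Q prime, and G = 2 generates the
# subgroup of prime order Q. Nothing here is secret.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; used to sanity-check group parameters."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair():
    """Return (private exponent x, public value G^x mod P)."""
    x = secrets.randbelow(Q - 2) + 2  # uniform in [2, Q-1]
    return x, pow(G, x, P)


def public_value_ok(y):
    """Accept a peer value only if it lies in the prime-order subgroup.

    Values such as 0, 1 or P-1 would force the shared secret into a tiny,
    guessable set, so they are refused before any exponentiation.
    """
    return isinstance(y, int) and 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_secret(own_private, peer_public):
    if not public_value_ok(peer_public):
        raise ValueError("peer public value rejected")
    return pow(peer_public, own_private, P)


def derive_key(secret, context):
    """HKDF-SHA256 (RFC 5869), single 32-byte output block."""
    ikm = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()  # expand


def run_exchange(context=b"constructed-session-label"):
    """Both sides of the exchange; only the two public values are sent."""
    cust_priv, cust_pub = generate_keypair()
    bank_priv, bank_pub = generate_keypair()
    # A sniffer sees P, G, cust_pub and bank_pub; recovering either private
    # exponent from them is the discrete logarithm problem.
    cust_key = derive_key(shared_secret(cust_priv, bank_pub), context)
    bank_key = derive_key(shared_secret(bank_priv, cust_pub), context)
    # The exchange by itself authenticates nobody: the public values must be
    # signed or carried in certificates so each side knows whose value it got.
    return {
        "on_the_wire": (cust_pub, bank_pub),
        "customer_key": cust_key,
        "bank_key": bank_key,
    }


if __name__ == "__main__":
    result = run_exchange()
    print("keys match:", result["customer_key"] == result["bank_key"])
    print("symmetric key:", result["customer_key"].hex())
```

The 32-byte result is what would be handed to a symmetric cipher as its key; each run yields a fresh key because both private exponents are generated anew.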

RSA: Named after its three inventors, Ron Rivest, Adi Shamir and Leonard Adleman, who first introduced the algorithm in 1978, RSA gets its security from the difficulty of factoring large numbers. The public and private keys are function of a pair of large (100 or 200 digits or even larger) prime numbers. The pair is used for asymmetric encryption.

Monitoring against threats: The banks should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches.

Education & Review: The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate on a continuous basis their security personnel and also the end-users.

Log of Messages: The banking applications run by the bank should have proper record keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form. (When stored in encrypted form, it should be possible to decrypt the information for legal purpose by obtaining keys with owners’ consent.)

Certified Products: The banks should use only those security solutions/products which are properly certified for security and for record keeping by independent agencies (such as IDRBT).

Maintenance of Infrastructure: Security infrastructure should be properly tested before using the systems and applications for normal operations. The bank should upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control.

Approval for I-banking: All banks having operations in India and intending to offer Internet banking services to public must obtain an approval for the same from RBI. The application for approval should clearly cover the systems and products that the bank plans to use as well as the security plans and infrastructure. RBI may call for various documents pertaining to security, reliability, availability, auditability, recoverability, and other important aspects of the services. RBI may provide model documents for Security Policy, Security Architecture, and Operations Manual.

Standing Committee: RBI may set up a standing Committee to monitor security policy issues and technologies, to review prescribed standards, and to make fresh recommendations on a regular basis.

Legal Issues involved in Internet Banking

The legal framework for banking in India is provided by a set of enactments, viz., the Banking Regulations Act, 1949, the Reserve Bank of India Act, 1934, and the Foreign Exchange Management Act, 1999. Broadly, no entity can function as a bank in India without obtaining a license from Reserve Bank of India under Banking Regulations Act, 1949. Different types of activities which a bank may undertake and other prudential requirements are provided under this Act. Accepting of deposit from public by a non-bank attracts regulatory provisions under Reserve Bank of India Act 1934. Under the Foreign Exchange Management Act 1999, no Indian

resident can lend, open a foreign currency account or borrow from a non resident, including non-resident banks, except under certain circumstances provided in law. Besides these, banking activity is also influenced by various enactments governing trade and commerce, such as, Indian Contract Act, 1872, the Negotiable Instruments Act, 1881, Indian Evidence Act, 1872, etc.

As discussed earlier, Internet banking is an extension of the traditional banking, which uses Internet both as a medium for receiving instructions from the customers and also delivering banking services. Hence, conceptually, various provisions of law, which are applicable to traditional banking activities, are also applicable to Internet banking. However, use of electronic medium in general and Internet in particular in banking transactions, has put to question the legality of certain types of transactions in the context of existing statute. The validity of an electronic message / document, authentication, validity of contract entered into electronically, non-repudiation etc. are important legal questions having a bearing on electronic commerce and Internet banking. It has also raised the issue of ability of banks to comply with legal requirements / practices like secrecy of customers account, privacy, consumer protection etc. given the vulnerability of data / information passing through Internet. There is also the question of adequacy of law to deal with situations which are technology driven like denial of service / data corruption because of technological failure, infrastructure failure, hacking, etc. Cross border transactions carried through Internet pose the issue of jurisdiction and conflict of laws of different nations.

This dichotomy between integration of trade and finance over the globe through e-commerce and divergence of national laws is perceived as a major obstacle for e-commerce / i-banking and has set in motion the process of harmonization and standardization of laws relating to money, banking and financial services. A major initiative in this direction is the United Nations Commission on International Trade Law (UNCITRAL)’s Model law, which was adopted by the General Assembly of United Nations and has been recommended to the member nations for consideration while revising / adopting their laws of electronic trade.

Government of India has enacted The Information Technology Act, 2000, in order to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as ‘electronic commerce’…The Act, which has also drawn upon the Model Law, came into force with effect from October 17, 2000. The Act has also amended certain provisions of the Indian Penal Code, the Indian Evidence Act, 1872, The Bankers Book of Evidence Act, 1891 and Reserve Bank of India Act 1934 in order to facilitate e-commerce in India. However, this Act will not apply to:

a. A negotiable instrument as defined in section 13 of the Negotiable Instruments Act, 1881.
b. A power-of-attorney as defined in section 1A of the Power-of-Attorney Act, 1882.
c. A trust as defined in section 3 of the Indian Trusts Act, 1882.
d. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925.
e. Any contract for the sale or conveyance of immovable property or any interest in such property.

f. Any such class of documents or transactions as may be notified by the Central Government in the official Gazette.

In the course of providing Internet banking services the banks in India are facing new challenges relating to online opening of accounts, authentication, secrecy of customers accounts, non-repudiation, liability standards and consumer protection, etc., each of which has been examined in the context of existing legal framework.

Online opening of account: The banks providing Internet banking service, at present are only willing to accept the request for opening of accounts. The accounts are opened only after proper physical introduction and verification. This is primarily for the purpose of proper identification of the customer and also to avoid benami accounts as also money laundering activities that might be undertaken by the customer. Supervisors world over, expect the Internet banks also to follow the practice of ‘know your customer’.

As per Section 131 of the Negotiable Instruments Act, 1881 (the Act) a banker who has in good faith and without negligence received payment for a customer of a cheque crossed generally or specially to himself shall not, in case the title to the cheque proves defective, incur any liability to the true owner of the cheque by reason only of having received such payment. The banker’s action in good faith and without negligence have been discussed in various case laws and one of the relevant passages from the judgment of Justice Chagla in the case of Bapulal Premchand Vs Nath Bank Ltd. (AIR 1946 Bom.482) is as follows:

'Primarily, inquiry as to negligence must be directed in order to find out whether there is negligence in collecting the cheque and not in opening the account, but if there is any antecedent or present circumstance which aroused the suspicion of the banker then it would be his duty before he collects the cheque to make the necessary enquiry and undoubtedly one of the antecedent circumstances would be the opening of the account. In certain cases failure to make enquiries as to the integrity of the proposed customer would constitute negligence'.

Further the Supreme Court of India in Indian Overseas Bank Ltd. Vs. Industrial Chain Concern [JT1989(4)SC 334] has stated that as a general rule, before accepting a customer, the bank must take reasonable care to satisfy himself that the person in question is in good reputation and if he fails to do so, he will run the risk of forfeiting the protection given by Section 131 of Negotiable Instruments Act, 1881 but reasonable care depends upon the facts and circumstances of the case. Similarly, the Delhi High Court was also of the view that the modern banking practice requires that a constituent should either be known to the bank or should be properly introduced. The underlying object of the bank insisting on producing reliable references is only to find out if possible whether the new constituent is a genuine party or an imposter or a fraudulent rogue [Union of India Vs National Overseas Grindlays Bank Ltd. (1978) 48 Com.Cases 277 (Del)].

Thus, the introduction of a new customer by a third party reference is a well-recognized practice followed by the banks before opening new accounts in order to prove the reasonable care and absence of any negligence in permitting the new customer to open the account. Further, in order to establish the reasonable care the banks have to make enquiries about the integrity/reputation of the prospective customer. It is not a mere enquiry about the

identity of the person. The Group, therefore, endorses the practice presently followed by the banks in seeking proper introduction before allowing the operations of the customers’ accounts. In the context of Internet banking and after the coming into force of the Information Technology Act, 2000, it may be possible for the banks to rely on the electronic signatures of the introducer. But this may have to await till the certification machinery as specified in the Information Technology Act, 2000 comes into operation.

Authentication: One of the major challenges faced by banks involved in Internet banking is the issue relating to authentication and the concerns arising in solving problems unique to electronic authentication such as issues of data integrity, non-repudiation, evidentiary standards, privacy, confidentiality issues and the consumer protection. The present legal regime does not set out the parameters as to the extent to which a person can be bound in respect of an electronic instruction purported to have been issued by him. Generally, authentication is achieved by what is known as security procedure. Methods and devices like the personal identification numbers (PIN), code numbers, telephone-PIN numbers, relationship numbers, passwords, account numbers and encryption are evolved to establish authenticity of an instruction. From a legal perspective, the security procedure requires to be recognized by law as a substitute for signature. Different countries have addressed these issues through specific laws dealing with digital signatures.

In India, the Information Technology Act, 2000 (the "Act") in Section 3 (2) provides that any subscriber may authenticate an electronic record by affixing his digital signature. However the Act only recognizes one particular technology as a means of authenticating the electronic records (viz, the asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record). This might lead to the doubt of whether the law would recognize the existing methods used by the banks as a valid method of authenticating the transactions. In this regard as noted in paragraph [3.2.2] of Chapter [3] of this Report, the approach in the other countries has been to keep the legislation technology neutral. The Group is of the view that the law should be technology neutral so that it can keep pace with the technological developments without requiring frequent amendments to the law as there exists a lot of uncertainty about future technological and market developments in Internet banking. This however would not imply that the security risks associated with Internet banking should go unregulated.

Hence, Section 3 (2) of the Information Technology Act 2000 may need to be amended to provide that the authentication of an electronic record may be effected either by the use of the asymmetric crypto system and hash function, or a system as may be mutually determined by the parties or by such other system as may be prescribed or approved by the Central Government. If the agreed procedure is followed by the parties concerned it should be deemed as being an authenticate transaction. A clarification to this effect by way of an amendment of the aforesaid Act will facilitate the Internet banking transactions.

Further, the banks may be allowed to apply for a license to issue digital signature certificate under Section 21 of the Information Technology Act, 2000 and become a certifying authority for facilitating Internet banking. The certifying authority acts like a trusted notary for authenticating the person, transaction and information transmitted electronically. Using a digital certificate from trusted certificate authority like a bank shall provide a level of comfort to the parties of an Internet banking transaction. Hence, it is recommended by the Committee that the

Reserve Bank of India may recommend to the Central Government to notify the business of the certifying authority under Clause (o) of Section 6(1) of the Banking Regulation Act, 1949, to permit the banks to act as such trusted third parties in e-commerce transactions.

Mode of Payment under the Income Tax Act, 1961: Section 40A(3) of the Income tax Act, 1961, dealing with deductible expenses, provides that in cases where the amount exceeds Rs. 20,000/-, the benefit of the said section will be available only if the payment is made by a crossed cheque or a crossed bank draft. One of the services provided by the banks offering Internet banking service is the online transfer of funds between accounts where cheques are not used, in which the above benefit will not be available to the customers. The primary intention behind the enactment of Section 40 A of the Income tax Act, 1961 is to check tax evasion by requiring payment to designated accounts. In the case of a funds transfer, the transfer of funds takes place only between identified accounts, which serves the same purpose as a crossed cheque or a crossed bank draft. Hence, the Committee recommends that Section 40A of the Income Tax Act, 1961, may be amended to recognise even electronic funds transfer.

Secrecy of Customer's Account: The existing regime imposes a legal obligation on the bankers to maintain secrecy and confidentiality about the customer’s account. The law at present requires the banker to take scrupulous care not to disclose the state of his customer's account except on reasonable and proper occasions. While availing the Internet banking services the customers are allotted proper User ID, passwords and/or personal identification numbers and/or the other agreed authentication procedure to access the Internet banking service and only users with such access methodology and in accordance with the agreed procedure are authorized to access the Internet banking services. In other words a third party would not be able to withdraw money from an account or access the account of the customer unless the customer had divulged his/her password in the first place.

However, if the password or the identification number is misplaced or lost or gets into the hands of the wrong person and such person procures details about the customers account then the banker may be faced with legal proceedings on the grounds of violation of the obligation to maintain secrecy of the customer's accounts. This concern of the bankers is very high especially in the case of joint accounts where both the parties share one personal identification numbers or relationship numbers and operate the account jointly. Further, by the very nature of Internet the account of a customer availing Internet banking services would be exposed to the risk of being accessed by hackers and inadvertent finders.

The Internet banking services at present are being provided by most of the banks by systems which are only accessible through "secure zones" or SSL (Secure Sockets Layer) to secure and authenticate the user through a secure browser. Most of the banks have adopted 128 Bit strong encryption which is widely accepted worldwide as a standard for securing financial transaction. To reduce the risk of the customers’ account information being accessed by third parties, it is very important that the banks continue to be obliged to protect the customer account. However, it is equally important to note that the banks may still be exposed

to the risk of liability to customers and hence they should adopt all reasonable safety controls and detection measures like establishment of firewalls, net security devices, etc. Further, banks should put in place adequate risk control measures in order to minimize possible risk arising out of breach of secrecy due to loss/ misplacement/ theft of customers’ ID/PIN, etc.

Revocation and Amendment of Instructions: The general revocation and amendment instructions to the banks are intended to correct errors, including the sending of an instruction more than once. Occasionally, a revocation or amendment may be intended to stop a fraud. Under the existing law, banks are responsible for making and stopping payment in good faith and without negligence. In an Internet banking scenario there is very limited or no stop-payment privileges since it becomes impossible for the banks to stop payment in spite of receipt of a stop payment instruction as the transactions are completed instantaneously and are incapable of being reversed. Hence the banks offering Internet banking services may clearly notify the customers the time frame and the circumstances in which any stop payment instructions could be accepted.

Rights and Liabilities of the Parties: Typically, the banker-customer relationship is embodied in a contract entered into by them. The banks providing the Internet banking services currently enter into agreements with their customers stipulating their respective rights and responsibilities including the disclosure requirements in the case of Internet banking transactions, contractually. A Standard format/minimum consent requirement to be adopted by the banks offering Internet banking facility, could be designed by the Indian Banks’ Association capturing, inter alia, access requirements, duties and responsibilities of the banks as well as customers and any limitations on the liabilities of the banks in case of negligence and non-adherence to the terms of agreement by customers.

Research Methodology

I have conducted a survey among customers in Mathura region. This survey is conducted to collect the proper information about the consumer's preferences, attitude, liking and disliking towards banking services. For collecting this information one questionnaire was prepared. This questionnaire consists of a set of questions presented to respondents for answering. The language of the questionnaire is simple and easily understood by people.

Sample size: 100 respondents
Sample Area: Research covers each and every corner of Mathura city.

Research design

Research design is the plan, structure and strategy of investigation conceived so as to obtain answers to research questions and to control variance.

The plan is an outline of the research scheme on which the researcher is to work. The structure of the research is a more specific outline or the scheme, and the strategy shows how the research will be carried out, specifying the method to be used in the collection and analysis of data. Designing the research plan calls for decisions on data source, research approach, research instrument, sampling plan and contact method. A structured Non-Disguised questionnaire was designed and the respondents were asked to put their appropriate responses. Sample size of hundred (100) respondents is chosen using random sampling.

Type of data

The research plan calls for gathering primary data, secondary data or both. Depending upon the nature of data required, following types of data are collected:
1. Demographical, sociographical, psychographical and behavioral facts.
2. Opinion of people, attitude of people.
3. Knowledge of people.
4. People intention.
5. How people behave.

(A) Primary data:- These are data gathered for a specific purpose and research project. When the data needed by the researcher do not exist or are outdated, inaccurate, incomplete or unreliable, the researcher will have to collect primary data. Most research projects involve some primary data collection. The two main methods by which primary data can be collected are observation and communication.

(B) Secondary data:- Secondary data is that which has been collected by one person and used by another person. Secondary data provide a starting point for any research and offer the advantage of low cost and ready availability. I had collected secondary data from annual reports of bank, bank journal and magazines.

Research Approach

Primary data can be collected in four ways:
1. observations
2. focus group research
3. survey research
4. experimental research

First two types are suitable for exploratory research. Survey research best suits the descriptive research; experimental research is suitable for causal research design.

[Chart: Awareness of internet banking]

[Chart: How often do you use internet banking. Categories as labelled: First T Visit, Weekly Visit, Monthly Visit, Yearly Visit; series: Yes/No; percentages shown: 25%, 30%, 25%, 20%.]

[Chart: Where do you generally use internet banking. Categories: house, office, bank, travelling, others.]

[Chart: Reasons which attract the consumer using internet banking. Categories: technology, time, safety, security; percentages shown: 20%, 40%, 20%, 20%.]

[Chart: Consumer in rural/urban: internet banking are useful or not. Categories: urban, rural; series: Yes/No.]

[Chart: Using of internet banking. Categories: transaction, information, online transaction, e-business; percentages shown: 18%, 17%, 6%, 59%.]

Banking on the Internet provides benefits to the consumer in terms of convenience, and to the provider in terms of cost reduction and greater reach. The Internet itself however is not a secure medium, and thus poses a number of risks of concern to regulators and supervisors of banks and financial institutions. World over, regulators and supervisors are still evolving their approach towards the regulation and supervision of Internet banking. Regulations and guidelines issued by some countries include the following.

• Requirement to notify about web site content
• Prior authorization based on risk assessment made by external auditors
• On-site examination of third party service providers
• Off-site policing the perimeters to look for infringement
• Prohibition on hyper links to non bank business sites
• Specification of the architecture

In some countries supervisors have followed a 'hands-off' approach to regulation of such activities, while others have adopted a wait and watch attitude. This chapter suggests approaches to supervision of Internet banking activities, drawing upon the best international practices in this area as relevant to the Indian context.

Major supervisory concerns

These concerns can be clubbed into the following:

• Operational risk issues
• Cross border issues
• Customer protection and confidentiality issues

With the above approach in mind, the Group recommends that the regulatory and supervisory concerns relating to Internet banking can be met in the manner outlined in the following paragraphs.

All banks which propose to offer transactional services on the Internet should obtain an in-principle approval from RBI prior to commencing these services. The application should be accompanied by a note put up to the Board of the bank along with Board resolution passed. The Board note should cover the reasons for the bank choosing to enter into such business, the potential penetration it seeks to achieve, a cost-benefit analysis, a listing of products it seeks to offer, the technology and business partners for the products, and all third party support services and service providers with their track record and agreements with them, and the systems and the skills and capabilities it has in this regard and most materially the systems, controls and procedures it has put or intends to put in place to identify and manage the risks arising out of the proposed ventures. The bank should also enclose a security policy framed in this regard which should cover all the recommendations made in Chapter 6 of this report and produce a certification from a reputed external auditor who is CISA or otherwise appropriately qualified that the security measures taken by the bank are adequate and meet the requirements and that risk management systems are in place to identify and mitigate the risks arising out of the entire gamut of Internet banking operations. The RBI could require the bank together with the auditor to hold discussions with the RBI in this regard before granting such approval. After this initial approval is given, the bank would be obliged to inform the RBI of any material changes in web-site content and launch of new products.

The RBI as supervisor would cover the entire risks associated with electronic banking as part of its annual inspections. For this purpose, a checklist could be developed along the lines of those covering general computerized banking featured in the manual developed for inspection of computerized branches. Till such time as the RBI builds up sufficient capability to do this in-house, it is recommended that this function be outsourced to qualified EDP auditors.

Further, banks would also be required to report every breach or failure of the security systems and procedures to RBI, who may decide to subject the failure to an on-site examination or even commission an auditor to do so.

The assurance about security controls and procedures, which is sought from the specialist external auditors, should be periodically obtained, with the periodicity depending on the risk assessment of the supervisor.

A vulnerability which is accentuated in Internet banking is the reliance upon third party providers and support services and this requires banks to effectively manage the risks of all outsourced activities. Accordingly, as part of the Internet policy, banks should develop outsourcing guidelines, which mitigate the risks of disruption and defective service. Alternatively, the IBA (Indian Banks Association) or IDRBT (Institute for Development and Research in Banking Technology) could be asked to develop broad guidelines for the use of the banking community. Direct supervision of the third party by the supervisor is not envisaged. In turn the supervisors should have the ability to assess the risks arising out of such liaisons.

It is not enough for the risk identification and assessment exercise to be between the bank and the supervisor alone. The customer too needs to be enlightened of the risks inherent in doing business on the net, and this would be served by having a mandatory disclosure template which would list the risks to the customer and the responsibilities and possible liability of the banks and the customer. Banks should also provide their most recent published financial results on their web-site.

The issue of reputation risk due to customers misunderstanding the hyper-links on the web-sites of banks also needs to be addressed. Fundamentally there are two scenarios where hyperlinks are necessary between non-bank business sites and bank-sites:

Upon receiving the URL request from the Portal site, the bank should authenticate the customer who has originated the transaction by asking him to key in, on the browser screen, his user ID and password which the bank would have provided him to facilitate access to his accounts with the bank. Upon such authentication and due verification, the bank should re-submit the transaction information on the customer's browser terminal, i.e. the name of the Portal site to whom the payment is to be effected as well as the value of the transactions, and seek the explicit approval of the customer to authorize the payment. Depending on the nature of the payment, the payment authorization request should be routed either to the credit card authorizing system if payment is requested using credit card, or to the banks' host system in case of a direct debit, or to the Inter-Bank Payment Gateway in case of debit to customer account in another bank. Upon receiving the payment authorization, the bank should return the URL request to the originating Portal, with a unique reference number for the transaction, as a confirmation to pay as per the settlement cycle agreed with the Portal. All interactions with the Portal sites as well as the customer's browser terminal should be secured using SSL/128 bit encryption as a minimum requirement and should in due course be also augmented with the digital certification requirement as and when digital certificate deployment is enabled in the country.

It was deliberated whether banks undertaking Internet banking should be subject to any additional capital charge because of the potentially higher proneness to unexpected losses. As yet standards have not been developed for measuring additional capital charge on account of operational risks. However, this will be covered in a way once the banks move towards risk-based supervision where supervisory intervention will be linked to the risk profile of individual institutions. In such a scenario, an enhanced supervisory risk assessment on this account could warrant an additional capital charge, which would also be consistent with the second pillar approach of the new capital accord.

The Basle Committee for Banking Supervision (BCBS) has constituted an Electronic Banking Group (EBG) to develop guiding principles for the prudent risk management of e-banking

activities as an extension of the existing Basel Committee Risk Management Principles. The Group will identify the areas of concern for supervision of cross border e-banking activities and will promote cooperative international efforts within the banking industry. It will evolve sound practices and will encourage and facilitate exchange of information, training material, guidance etc., developed by other members and supervisors around the world. Therefore, there is a need for continued interaction among the central banks and supervisors with a view to enhancing the abilities of the supervisory community to keep pace with the dynamic e-banking activities. This Working Group, therefore, recommends that the Reserve Bank of India should maintain close contact with regulating / supervisory authorities of different countries as well as with the Electronic Banking Group of BCBS and review its regulatory framework in keeping with developments elsewhere in the world.
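The portal payment sequence described earlier (authenticate the customer, re-display the portal name and value, obtain explicit approval, route the authorization, return to the portal with a unique reference number) can be modelled on the bank side as follows. This is an added Python example, not code from the report or from any bank; the class and field names, the constructed customer record, the route labels and the return URL are assumptions, and transport security (the SSL requirement) is outside its scope.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample data: one customer, and labels for the three routes in the text.
SALT = b"constructed-salt"
USERS = {"cust01": hashlib.pbkdf2_hmac("sha256", b"s3cret-pass", SALT, 100_000)}
ROUTES = {"credit_card": "card-authorizing-system",
          "direct_debit": "bank-host-system",
          "other_bank": "inter-bank-payment-gateway"}
ISSUED_REFS = set()


class PortalPayment:
    """Bank-side handling of one payment request received from a portal site."""

    def __init__(self, portal, amount, pay_type, return_url):
        if pay_type not in ROUTES:
            raise ValueError("unknown payment type")
        self.portal, self.amount = portal, amount
        self.pay_type, self.return_url = pay_type, return_url
        self.authenticated = self.approved = False

    def authenticate(self, user_id, password):
        # Hash even for unknown users so timing does not reveal valid IDs.
        stored = USERS.get(user_id, b"\0" * 32)
        given = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
        self.authenticated = hmac.compare_digest(stored, given) and user_id in USERS
        return self.authenticated

    def confirmation_screen(self):
        # Re-submit payee and value to the customer's browser before approval.
        if not self.authenticated:
            raise PermissionError("customer not authenticated")
        return {"portal": self.portal, "amount": self.amount}

    def approve(self, shown):
        # Approval counts only if it covers exactly what was displayed.
        self.approved = self.authenticated and shown == self.confirmation_screen()
        return self.approved

    def authorize(self):
        if not (self.authenticated and self.approved):
            raise PermissionError("no explicit customer approval")
        self.approved = False                  # one approval, one payment
        ref = secrets.token_hex(8)
        while ref in ISSUED_REFS:              # reference number must be unique
            ref = secrets.token_hex(8)
        ISSUED_REFS.add(ref)
        query = urlencode({"status": "confirmed", "ref": ref})
        return ROUTES[self.pay_type], ref, f"{self.return_url}?{query}"
```

The state checks enforce the order the text prescribes: no routing happens before authentication and explicit approval, and an approval cannot be reused for a second payment.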

Keeping in view the terms of reference, the Group has made a number of recommendations in preceding chapters. A summary of these recommendations is given below.

Technology and Security Standards: The role of the network and database administrator is pivotal in securing the information system of any organization. Some of the important functions of the administrator vis-a-vis system security are to ensure that only the latest versions of the licensed software with latest patches are installed in the system, proper user groups with access privileges are created and users are assigned to appropriate groups as per their business roles, a proper system of back up of data and software is in place and is strictly adhered to, business continuity plan is in place and frequently tested and there is a robust system of keeping log of all network activity and analyzing the same.

Organizations should make explicit security plan and document it. There should be a separate Security Officer / Group dealing exclusively with information systems security. The Information Technology Division will actually implement the computer systems while the Computer Security Officer will deal with its security. The Information Systems Auditor will audit the information systems.

Access Control: Logical access controls should be implemented on data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies.

Maintenance of Infrastructure: Security infrastructure should be properly tested before using the systems and applications for normal operations. The bank should upgrade the systems by

installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control.

Approval for I-banking: All banks having operations in India and intending to offer Internet banking services to public must obtain an approval for the same from RBI. The application for approval should clearly cover the systems and products that the bank plans to use as well as the security plans and infrastructure. It should include sufficient details for RBI to evaluate security, reliability, availability, auditability, recoverability, and other important aspects of the services. RBI may provide model documents for Security Policy, Security Architecture, and Operations Manual.

CONCLUSION

From the above data we can say that internet banking has spread very fast in India, and all the Indian banks have started their internet operations. People have given the information regarding internet banking, and the advantage is provided by the bank. Initially the rural people are not aware of the technologies which are used in internet banking, but sooner or later these will be used very frequently.

QUESTIONNAIRE

Name ______________________
Age ______________________
Occupation ______________________

1. Do you use internet banking?
(A) Yes [ ] (B) No [ ]

2. Which internet banking do you use?
(A) I.C.I.C.I [ ] (B) P.N.B [ ] (C) S.B.I [ ] (D) BANK OF BARODA [ ] (E) HDFC [ ]

3. Who had influenced you to use internet banking?
(A) Friends [ ] (B) Family [ ] (C) Advertisement [ ] (D) Bank staff [ ] (E) Other [ ]

4. What are the reasons for using any internet banking?
(A) Information [ ] (B) Transaction [ ] (C) On line business [ ] (D) E business [ ] (E) Other [ ]

5. What is your perception about internet banking?
(A) Excellent [ ] (B) Good [ ] (C) Average [ ] (D) Poor [ ] (E) No opinion [ ]

6. Since how many years do you know about internet banking?
(A) Childhood [ ] (B) 3 years back [ ] (C) 5 years back [ ] (D) 7 or more years back [ ]

7. Internet banking services is –
(A) Excellent [ ] (B) Very Good [ ] (C) Good [ ] (D) Fair [ ]

(E) Poor [ ]

8. Internet banking are useful or not
(A) Yes [ ] (B) No [ ]

11. Suggest the order of preference which result in the popularity and extensive use of internet banking
(A) Technology [ ] (B) Time [ ] (C) Safety [ ] (D) Security [ ]
Preference 1:
Preference 2:

13. How often do you use internet banking?
(A) Daily [ ] (B) Weekly [ ] (C) Monthly [ ] (D) Yearly [ ]

15. Give three reasons to use the internet banking?
1.
2.
3.

16. Do you have any problem with internet banking?
1.
2.
3.
