COMP1308 Ecommerce
Abstract: The external environment of banks, shaped by globalization and deregulation, has become highly competitive. Banks find it difficult to retain customers and to compete on price, and need to look for other ways of responding. As customer demand increases, banks have turned to technology to respond to their customers' needs. In this report we discuss the technologies and solutions that can be applied to this situation by means of e-banking.

Developing an “eBanking” solution for UK Credit

E-banking (electronic banking) is the automated, direct delivery of new and traditional banking products and services to customers through electronic and interactive communication channels. It offers a system that enables a financial institution's customers, personal or corporate, to access accounts, transact business, and receive information about products and services over a public or private network, including the internet. Electronic banking is also known as internet banking (iBanking), online banking, or PC banking. It includes wire transfers, ATMs, mobile banking, electronic funds transfers and debit cards. Today's iBanking products allow customers to raise customer service inquiries, transfer funds to another account or bank, apply for a loan, open an account, buy insurance and investment products, buy shares, and so on. Some institutions provide only commercial services, while others rushed to provide full services in order to get there first. Most financial institutions have adopted this strategy, offering most of the financial services a customer could want. Visits to bank branches have become fewer and fewer, because most customers now use electronic banking, such as ATMs, home banking over the internet, or mobile banking, for their financial business. Most financial companies are aware of this strategy and are looking for technology that introduces new ways of delivering banking to their customers, such as ATMs and internet banking. Having found themselves at the forefront of this technology, they are trying to replace their traditional branch functions with it. We are therefore going to apply this strategy in order to stay competitive with the other large financial institutions and not fall behind them in the use of the latest technologies for financial institutions.

Case Study of online banking
ING DIRECT. ING is the name of the company formed in 1991 from Nationale-Nederlanden, the largest insurance company, and NMB Postbank Groep, a banking operation offering a range of wholesale and retail financial services. ING expanded internationally in Europe and the United States in the late 1990s. ING carried out intensive market research that led to the planning of its first foreign direct (online) banking initiative, in Canada. ING's market researchers found Canada to be a medium-sized market in which customers were experiencing low interest rate offers and high service charges. ING therefore launched the initiative in Canada in 1997 as ING Direct. The approach was so successful that in 1999 it was launched in Spain, Italy, France, Germany, the United Kingdom and Australia. By 2000 ING had become the largest online bank and expanded further into the United States. By 2006 it held deposits of 268 billion and made a pretax profit of 263 million in the second quarter, meaning that the company had grown rapidly. ING Direct has expanded successfully into 9 countries. The factors behind this success story are that ING Direct planned carefully and focused on offering a limited number of services in which it could make money, and on giving customers a high interest rate compared with traditional banks. It offered free services, no minimum deposits, and a very simple marketing message: "great rates, no fees, no minimum".

Page 1

The business operation they deployed was low-cost but efficient. ING's operation is simple: it accepts deposits, sells investment products and several mutual funds, and writes home mortgages. It never charges for services such as checking and payment services, and customers can transfer money back and forth between their traditional bank and ING Direct at no cost.
_______________________________
KING, MCKAY, MARSHALL, LEE, VIEHLAND, Electronic Commerce, Pearson International Edition, 2008

Technologies and Solution
Personal Loan
Spring clean your finances with a UKCredit Personal Loan. Borrow between £7,000 and £25,000 over 2 - 7 years and get an instant online decision. 8.4% APR typical.

Smaller Loan
UK residents can apply for direct loans between £1,000 and £6,999 over 1 to 5 years. Apply online for an instant unsecured loan decision. 15.9% APR typical.

Existing Loan Customers
You can apply to top up your UKCredit Personal Loan at any time. Simply extend your loan term and keep your repayments similar, or alternatively increase your monthly repayment and pay back over the same loan term - the choice is yours! Give us a call and we can discuss all the options with you.

Key Benefits
• Choice of Personal Loan or Smaller Loan
• Choice of repayment terms
• Borrow from £1,000 to £25,000
• Ability to "top-up" your existing loan
• Apply by phone
• Instant decision loans available

Account
Student Account
Our Student Additions bank account has all the benefits you'd expect from a current account, including an interest-free overdraft to help you financially during your time at uni. New customers: Apply now. What you get: £200 interest-free overdraft on account opening, with further interest-free limits available up to £2,000†. Apply to extend your overdraft up to £3,000 at a preferential rate of 8.9% EAR typical variable if your other funds have been used up. Overdrafts are repayable on demand. I have a UKCredit account: Upgrade in branch.

Student and graduate relationship managers in selected branches. Connect card (subject to status) with a daily ATM withdrawal limit of £300, subject to status and available funds. Online & Telephone Banking (subject to registration). Top up your mobile at our ATMs. Interest-free overdraft limit available on request: Year 1 £1,000; Year 2 £1,250; Year 3 £1,500; Year 4 £1,750; Year 5 £2,000.

Front-End eSoft Solution
We know that we will need better, high-performance information processing with an interactive GUI that allows customers to conduct iterative searches and interact with the information displayed on their PC screens. This section discusses the role of Asynchronous JavaScript plus XML (AJAX) and Rich Internet Application (RIA) technology.

AJAX and RIA
An RIA is a web application that has the features and functionality of a traditional desktop application. It typically runs in a web browser, so no software installation is required. AJAX is considered one of the most capable web development technologies available; it enables search engines and other consumer applications to enrich the user experience for web surfers. In addition, it makes it possible to create solutions that offer business value by providing feature-rich GUIs that cost less to build, maintain and own than thick-client or plug-in based alternatives.

Benefits:
Richer - ¹"It offers user-interface behaviours that are not obtainable using only the HTML widgets available to standard browser-based web applications." This functionality covers almost everything that can be done with the technology used on the client side, such as drag and drop, using a side bar to change data, and performing calculations on the client alone with nothing sent back to the server; a mortgage calculator is an example of this.
More responsive - an RIA does not need to interact with a remote server for every action, unlike a standard web browser, which must always interact with a remote server.
Client/server balance - the demand for client and server computing resources is better balanced, because the web server need not do any work when the client requests functions that the client side can perform itself.
Asynchronous communication - the client engine interacts with the server without needing to wait for the user to click a button or link. It allows RIA designers to move data between the client and the server without the user requesting it.
Network efficiency - network congestion may also be significantly reduced, because an application client engine is more intelligent than a standard web browser in deciding what data to send to and exchange with the servers. This speeds up the requests and responses on both the client and the server side, because less data is transferred for each interaction and overall network traffic is reduced.
_________________________________________ ¹””
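The two RIA benefits the section leans on, a calculation performed entirely on the client (the mortgage calculator) and an asynchronous exchange with the server, look like this in browser JavaScript. This is an added example written for this report, not code from the original or from any vendor: the loan limits and the 8.4% typical APR come from the Personal Loan product described above, while the monthly-compounding assumption, the `/api/loan/quote` endpoint and every function name are assumptions made here. The security point it carries is that the client's figure is a preview only; the inputs, never the client's result, are sent to the server, which recomputes the quote itself.

```javascript
// Added example, not code from the original report: a client-side loan quote of the
// kind the RIA section describes (calculation done entirely in the browser), followed
// by the asynchronous call that lets the bank's server recompute the figure.
// Loan limits and the 8.4% typical APR are the report's Personal Loan product;
// the /api/loan/quote endpoint and the monthly-compounding assumption are mine.

const LOAN = { min: 7000, max: 25000, minYears: 2, maxYears: 7, apr: 8.4 };

// Fixed monthly repayment for `principal` over `years` at an annual rate `apr` (%),
// using the standard amortisation formula with apr/12 as the monthly rate (assumption).
// The result is rounded to the penny.
function monthlyPayment(principal, years, apr) {
  const n = years * 12;
  const r = apr / 100 / 12;
  const raw = r === 0 ? principal / n : (principal * r) / (1 - Math.pow(1 + r, -n));
  return Math.round(raw * 100) / 100;
}

// Check the customer's input against the product limits before doing any arithmetic.
// Returns a list of problems; an empty list means the input is acceptable.
function validateLoan(principal, years) {
  const errors = [];
  if (!Number.isFinite(principal) || principal < LOAN.min || principal > LOAN.max) {
    errors.push(`amount must be between £${LOAN.min} and £${LOAN.max}`);
  }
  if (!Number.isInteger(years) || years < LOAN.minYears || years > LOAN.maxYears) {
    errors.push(`term must be between ${LOAN.minYears} and ${LOAN.maxYears} years`);
  }
  return errors;
}

// The preview shown instantly in the GUI. `fromServer: false` marks it as a
// client-side estimate, not a figure the bank has committed to.
function quote(principal, years) {
  const errors = validateLoan(principal, years);
  if (errors.length > 0) return { ok: false, errors };
  const payment = monthlyPayment(principal, years, LOAN.apr);
  return {
    ok: true, principal, years, apr: LOAN.apr, payment,
    total: Math.round(payment * years * 12 * 100) / 100,
    fromServer: false,
  };
}

// Asynchronous step: post only the inputs, never the client's computed figure.
// The server recomputes the quote from its own rate tables, so a tampered browser
// cannot talk the bank into a better rate. `fetchImpl` is injectable so the
// function can be exercised without a network.
async function confirmQuote(principal, years, fetchImpl = globalThis.fetch) {
  const local = quote(principal, years);
  if (!local.ok) return local;
  const res = await fetchImpl('/api/loan/quote', {   // assumed endpoint
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ principal, years }),
  });
  if (!res.ok) return { ok: false, errors: [`server returned ${res.status}`] };
  const server = await res.json();
  return { ...server, fromServer: true };
}
```

In a page, `quote()` would be wired to the slider or input's change event so the repayment figure updates with no round trip, and `confirmQuote()` would run once when the customer asks for the decision. Keeping the two separate is what makes the "client/server balance" benefit safe: the browser does the cheap, repeated arithmetic, and the server remains the only authority on what the bank actually offers.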

Back-end Infrastructure Software Development
J2EE (Java 2 Platform, Enterprise Edition)
J2EE is the standard for developing multitier enterprise applications. It simplifies enterprise applications by basing them on standardized modular components, by providing a complete set of services to those components, and by handling many details of application behaviour automatically, without complex programming. The platform takes advantage of many features of the Java 2 Platform, Standard Edition (J2SE), such as "write once, run anywhere" portability, the JDBC API for database access, CORBA technology for interaction with existing enterprise resources, and a security model that protects data even in internet applications. On top of this, it adds full support for Enterprise JavaBeans components, JavaServer Pages, the Java Servlet API, and XML technology. Complete specifications and compliance tests are included to ensure the portability of applications across the wide range of existing enterprise systems capable of supporting the J2EE platform. J2EE ensures web services interoperability through support for the WS-I Basic Profile.

JavaBeans
JavaBeans is an object-oriented programming interface from Sun Microsystems that lets you build reusable applications or program building blocks, called components, that can be deployed in a network on any major operating system platform. Like Java applets, JavaBean components can be used to give World Wide Web pages interactive capabilities such as computing interest rates or varying page content based on user or browser characteristics. To build a component with JavaBeans, you write language statements in Sun's Java programming language and include JavaBeans statements that describe component properties such as user interface characteristics and the events that trigger a bean to communicate with other beans in the same container or elsewhere in the network.
We are going to use none other than the Java programming language, because we are developing an e-channel for banking purposes, which is exactly what Java does effectively. Java is the most powerful programming language for banking purposes because of its object-oriented structure.

Web Server
Windows Server 2008
Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of Internet-based services for servers using Microsoft Windows. It is the world's second most popular web server in terms of overall websites, behind Apache HTTP Server. As of March 2008 it served 49.38% of all websites and 35.20% of all active websites according to Netcraft.[1] The servers currently include FTP, SMTP, NNTP, and HTTP/HTTPS. Earlier versions of IIS were hit by a number of vulnerabilities, chief among them CA-2001-19, which led to the infamous Code Red worm; however, version 7.0 currently has no reported issues that affect it. For perspective, as of 11 September 2007 the free software Apache web server had one unpatched reported issue, affecting only MS Windows systems and rated "less critical". In IIS 6.0, Microsoft opted to change the behaviour of the pre-installed ISAPI handlers,[6] many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission from an administrator. With the current release, IIS 7.0, the components were modularized, so that only the required components have to be installed, further reducing the attack surface. In addition, security features such as URL filtering were added, which reject suspicious URLs based on a user-defined rule set. In IIS 5.1 and lower, by default all websites ran in-process under the System account, a default Windows account with elevated rights. Under 6.0 all request-handling processes have been brought under the Network Service account, which has significantly fewer privileges. In particular, this means that an exploit in a feature or in custom code would not necessarily compromise the entire system, given the sandboxed environment the worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and a response cache for both static and dynamic content.

Apache Server
The Apache HTTP Server, commonly referred to simply as Apache, is a web server notable for playing a key role in the initial growth of the World Wide Web.
Apache was the first viable alternative to the Netscape Communications Corporation web server (currently known as Sun Java System Web Server), and has since evolved to rival other Unix-based web servers in terms of functionality and performance. It is often said that the project's name was chosen for two reasons: out of respect for the Native American Apache (Indé) tribe, well known for their endurance and their skill in warfare, and because of the project's roots as a set of patches to the codebase of NCSA HTTPd 1.3, making it "a patchy" server, although the latter is said to be a lucky coincidence. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. The application is available for a wide variety of operating systems, including Unix, FreeBSD, Linux, Solaris, Novell NetWare, Mac OS X, and Microsoft Windows. Released under the Apache License, Apache is characterized as free software and open source software. Since April 1996 Apache has been the most popular HTTP server on the World Wide Web. However, since November 2005 it has experienced a steady decline in market share, lost mostly to Microsoft Internet Information Services. As of March 2008 Apache served 50.69% of all websites. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These range from server-side programming language support to authentication schemes. Common language interfaces include mod_perl, mod_python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, and mod_digest. Other features include SSL and TLS support (mod_ssl), a proxy module, a URL rewriter (also known as a rewrite engine, implemented in mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).
Popular compression methods on Apache include the external extension module mod_gzip, implemented to help reduce the size (weight) of web pages served over HTTP. Apache logs can be analysed through a web browser using free scripts such as AWStats/W3Perl or Visitors. Virtual hosting allows one Apache installation to serve many different websites. For example, one machine with one Apache installation could simultaneously serve,,, etc.

Apache features configurable error messages, DBMS-based authentication databases, and content negotiation. It is also supported by several graphical user interfaces (GUIs) which permit easier, more intuitive configuration of the server.

Usage
Apache is primarily used to serve both static content and dynamic web pages on the World Wide Web. Many web applications are designed expecting the environment and features that Apache provides. Apache is the web server component of the popular LAMP web server application stack, alongside MySQL and the PHP/Perl/Python programming languages. Apache is redistributed as part of various proprietary software packages, including the Oracle Database and the IBM WebSphere application server. Mac OS X integrates Apache as its built-in web server and as support for its WebObjects application server. It is also supported in some way by Borland in the Kylix and Delphi development tools. Apache is included with Novell NetWare 6.5, where it is the default web server. Apache is used for many other tasks where content needs to be made available in a secure and reliable way. One example is sharing files from a personal computer over the Internet. A user who has Apache installed on their desktop can put arbitrary files in Apache's document root, which can then be shared. Programmers developing web applications often use a locally installed version of Apache in order to preview and test code as it is being developed. Microsoft Internet Information Services (IIS) is the main competitor to Apache, trailed by Sun Microsystems' Sun Java System Web Server and a host of other applications such as Zeus Web Server. Some of the biggest web sites in the world run on Apache. Google's search engine front end is based on a modified version of Apache, named Google Web Server (GWS). Wikimedia projects, including Wikipedia, also run on Apache servers.

Market structure
Given below is a list of top web server software vendors published in a Netcraft survey in April 2008.

Vendor      Product    Web Sites Hosted    Percent
Apache      Apache     83,206,564          50.22%
Microsoft   IIS        58,540,275          35.33%
Google      GWS        10,075,991          6.08%
Oversee     Oversee    1,926,812           1.16%
lighttpd    lighttpd   1,495,308           0.9%
nginx       nginx      1,018,503           0.61%
-           Others     9,432,775           5.69%
-           Total      165,696,228         100.00%

Chosen Web Server
Apache will be applied in this scenario, because Apache is designed for the Java programming language, which will be used for the development of the channel in this i-Banking project.

Database Server
Cloudscape (IBM)
Whether as the free Derby software available from the Apache Software Foundation, or as the same codebase shipped by IBM as Cloudscape with optional paid IBM support, the small-footprint Cloudscape/Derby relational engine is making waves among open-source developers for some of its enterprise-level features and capabilities. Like many full-blown relational enterprise databases such as IBM's DB2 and Oracle (and unlike MySQL), Cloudscape supports online backup and crash recovery as well as advanced features like Unicode support/internationalization, encryption, and multiple low-overhead connections. Its current version also supports stored procedures, functions and triggers.

Zero Administration and Stored Procedures
Unlike MySQL and the large enterprise DBMSs, Cloudscape is an 'embedded' database that can easily be hidden from the application and does not require a database administrator. As an embedded DBMS, the database components are included with the application, and the server automatically starts and stops along with the execution of the application. The database server component is approximately 2 MB in a single JAR file and does not result in application bloat. (The download, you'll notice, is around 70 MB, but that includes tools/docs and the full client/server stack for Cloudscape.) The MySQL directory for Windows, by contrast, runs to 90 MB. Cloudscape is written in Java and is very appealing for building and delivering cross-platform solutions that require a full-function RDBMS. Of course, as a Java database, it runs anywhere J2SE is available: Windows, Linux, UNIX, and Mac OS X, for example. (MySQL runs on Linux and Windows.) Cloudscape/Derby can be used as a client/server RDBMS as well. The Cloudscape server executes within a JVM and can easily scale to meet many database server workloads. Its databases scale up to 50 GB, and it easily handles 25 concurrent connections.
Cloudscape fully supports stored procedures, written in Java, to reduce network overhead and improve application scalability. (Because stored procedures contain program logic, more processing can take place on the database server, which reduces the bandwidth consumed sending data and instructions back and forth.) Cloudscape requires very little administration as a DB server. Database storage is easily set up, and backing up data is easy using the provided tools. Cloudscape supports many of the latest SQL standards, including triggers and views. Another important advantage of Cloudscape/Derby over MySQL is its encryption capability. Cloudscape offers the option to encrypt an entire database, which provides an extra layer of security by protecting both the file system and the database schema. In other words, no data exists in clear-text form in the database files. This is especially important for remotely deployed databases or mobile databases on notebook computers, which are in danger of being hacked into if the notebook is stolen. Surprisingly, Cloudscape/Derby database encryption adds less than 10% performance overhead and takes no additional disk space.

Derby's Licensing Advantage
Unlike MySQL, Apache Derby can be distributed by ISVs with their applications without the ISV needing to choose between paying someone for a commercial database license or putting their own application into open source.

Winning the Derby
With its small footprint and the fact that it is easily deployed and embedded in Java applications, the Cloudscape/Derby RDBMS is the no-brainer choice for Java developers, especially if you are on a limited budget but require the transactional capabilities of a real database. So Cloudscape/Derby is a natural for Java developers, but it is also good for building and deploying C, Perl, or PHP applications, so the non-Java developer should also consider Cloudscape/Derby as an alternative to MySQL. Client access to Cloudscape uses the same underlying client libraries and database access protocol used to access DB2 UDB servers on various platforms, by the way, so if you are in a DB2 shop you have that added advantage.

MySQL
A multithreaded, multi-user SQL relational database server, MySQL is open-source software available either under the GNU General Public License (GPL) or under other licenses when the GPL isn't appropriate. Unlike open-source projects such as Apache, MySQL is owned and sponsored by a single for-profit firm, the Swedish company MySQL AB, which since 1995 has developed and maintained the product, selling support, service contracts and commercially licensed copies of MySQL. Partly because of the multiple levels of support offered by MySQL AB, MySQL has grown into the most popular open-source database on the market. Some of its popularity, no doubt, is due to the fact that the product is a free download for many users. But over time MySQL's ambitions have grown to the point where some see it as a challenger to established enterprise products like Oracle and DB2. However, as Wikipedia points out, MySQL has always lacked many properties of its big-brother commercial rivals, such as stored procedures, views and triggers.
This has led some database experts, such as Chris Date and Fabian Pascal, to criticize MySQL as falling short of being a truly relational RDBMS. Many of these criticisms are being addressed in the latest version, MySQL 5.0, currently in beta release, but because of these and other shortcomings many developers have been reluctant to use MySQL for anything more heavy-duty than small-scale web applications. The popularity of MySQL for web applications is also closely tied to the popularity of PHP, an open-source scripting system used primarily for developing server-side applications and dynamic web content. MySQL and PHP are often promoted by MySQL AB and other vendors as part of the Linux, Apache, MySQL, PHP (LAMP) architecture that has become popular in the web industry in recent years as a way of deploying inexpensive, reliable, scalable and secure web applications. (The 'P' in LAMP can also stand for Perl or Python.) Though these programs were not designed specifically to work with each other, the combination is popular because of its low cost and the ubiquity of its components (which are often bundled with many current Linux distributions).

Administering MySQL
To administer MySQL databases you have the option of using the included command-line tools or the downloadable GUI administration tools MySQL Administrator and MySQL Query Browser. A widespread and popular alternative, written in PHP, is the open-source web application phpMyAdmin; phpMyBackupPro, also written in PHP, can create and manage backups. It can create pseudo-cronjobs, which can be used (optionally combined with emails) to back up the MySQL database at fixed intervals. MySQL, like some of its commercial rivals, does have an ongoing administrative workload associated with it, something that is not much enjoyed by developers.
Licensing MySQL
Some users have criticized MySQL AB's position on software licensing, since the MySQL server software and the client libraries are distributed under a dual-licensing format. Users have the option of choosing either the GNU General Public License or a commercial license. Dual-use licenses are a somewhat controversial part of the open source development world, especially since many developers also view the GNU GPL as more restrictive than the open-source license employed by the Apache Software Foundation (ASF).

MySQL will be applied in this scenario because of its credibility as a surviving open-source database management system.

With i-Banking, customers have online access to their checking, savings, credit card and loan accounts 24x7. Customer accounts are integrated, providing users with a consolidated view of their financial data. A user-friendly interface guides customers through their online accounts, enabling the bank to offer any number of features, such as:
• Online account registration
• Review of account statements and activity
• Electronic bill payment
• Access to multiple accounts (savings, current, loan, credit card)
• Transfer of funds between accounts
• Monitoring and tracking of credit card spending
• Viewing pre-defined reports
• Download of data to popular personal financial management software such as Microsoft Money and Quicken
• Multi-currency transactions

Business Model

The i-Banking architecture supports a Single-Bank Model as well as an Application Service Provider (ASP) Model, which allows a single i-Banking system to be shared by many banks. The key advantage of the ASP model is that each bank in the system can run the functionality provided by the new system without installing the new system itself. That also means that each bank sharing the new system can keep its current business process and environment, such as a different URL/web site location, a different menu structure inside the web site, a different look-and-feel (page layout, colour scheme, etc.) and much more.

Configuration Environment
i-Banking is written in pure Java and Enterprise JavaBeans (EJB), which is considered the most secure Internet programming language today. Additionally, i-Banking is platform neutral and can be hosted on any platform that supports Java, e.g. Unix/Linux, Windows, and AS/400. i-Banking's architecture consists of five major components:
• The Front-End Gateway - this component provides access to a variety of Internet-enabled devices and networks, isolating the complexities associated with protocol, security and form factor issues to ensure a consistent consumer experience. i-Banking automatically determines the appropriate presentation of information for the device being used.
• The Services Infrastructure - these components enable consumer applications such as retail and commercial banking, investment services, mobile commerce, personalization of the user experience, and notification services based on the consumer's interests and priorities. The services infrastructure also enables session management, which ensures the continuity of a transaction over the network. The architecture is supported by an overall administrative function designed for easy and efficient management.

• The Transaction Processor - provides the handling of banking transactions, such as transfers, the purchase or sale of securities, etc. The component routes transactions to the correct system and recovers transactions if the application or some component of the system is unavailable or crashes. It also incorporates load balancing for high-transaction environments.
• The Messaging Gateway - provides rapid linkage to the existing core banking system. i-Banking uses the standard ISO 8583 protocol to communicate with the core banking system. These components also support Open Financial Exchange (OFX) or Extensible Markup Language (XML) for data exchange.
• The Security Layer - provides security throughout the communication and payment process. i-Banking delivers end-to-end security to protect the banking institution and its customers. The i-Banking security framework is based on a strict methodology of threat evaluation, risk analysis and policy creation. It is designed to address authentication, authorization, privacy, integrity and non-repudiation.

Customer Relationship Management (CRM)
Customer Relationship Management (CRM) is a key element in system integration. It enables you to understand, anticipate and respond to your customers' needs in a consistent way across all channels of communication, opening the door to gains in customer advocacy and more efficient business processes. It aims to put your customers at the centre of a company's information flow. A CRM application enables a company to move towards a customer-centred organization by putting the customer at the centre of all the information that relates to them and allowing authorized people in the organization to access that information. In short, a company or organization has a lot of information about its customers, but the information is available only to specific job functions and is not shared. Customer Relationship Management is about people first and technology second. That is where the real value of CRM lies: harnessing the potential of people to create a greater customer experience, using CRM technology as the enabler. A number of issues are of fundamental importance to the success of a CRM application:

Information Storage
All the information in a CRM system is organized in a big store called a database. The CRM database is efficient and able to store details of emails, conversations, quotations, customer names, addresses, telephone numbers and contact personnel for all your customers. If you store information in a structured and orderly way, then retrieving it will be relatively easy.

The Right Information
The CRM system is the place where all customer-related information is stored. There is no hard and fast rule, but common sense ought to tell you that anything of commercial relevance to your company should be stored. This includes emails regarding purchases, contracts, negotiations and commercial information. Letters to customers should be stored.
Anything that adds value to the customer relationship should be stored. But do not store information of uncertain legality about your customer or a competitor. There have been cases in which organizations have been successfully sued over internal emails that contained questionable information about a competitor.

Market Analysis
Products compared:
GEM-CRM: vendor V2V Technologies Inc, version 3.2, release date 5-Jun
Sage-CRM: vendor Sage Software, version 5.7, release date 5-May
Sage Saleslogix: vendor Sage Software, version 6.2, release date 4-Aug

Contacts: Mathieu Brunel, 514-940-8649; Bill Hoffman (Sales & Support), 800-643-6400

Cost (Canadian dollars) for a typical licence-based implementation, rows in the product order above:
GEM-CRM: average 15 users, average licence cost $7,200, average implementation cost $7,200, total $14,400
Sage-CRM: average 19 users, average licence cost $12,350, average implementation cost $12,350, total $24,700
Sage Saleslogix: average 30 users, average licence cost $23,850, average implementation cost $0, total $23,850

Applications (contact management, services management, call center, distribution system), rows in the same product order:
yes, yes, yes
yes, yes, thirdparty
thirdparty, yes, thirdparty

Terms

IMPORTANT - PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY. BY ACCESSING THIS WEBSITE AND/OR USING THE ONLINE SERVICES, YOU AGREE TO BE BOUND BY THE FOLLOWING TERMS AND CONDITIONS. IF YOU DO NOT ACCEPT ANY OF THESE TERMS OR CONDITIONS, YOU MUST IMMEDIATELY DISCONTINUE YOUR ACCESS OF THIS WEBSITE AND/OR USE OF THE ONLINE SERVICES.

Copyright and Trademark Notices

Except as otherwise expressly stated herein, the copyright and all other intellectual property in the contents of this website (including, but not limited to, all design, text, sound recordings, images or links) are the property of UKCredit Bank Ltd ("UKC Bank") and/or its holding company and/or its subsidiaries and/or the subsidiaries of its holding company (together the "UKC Co."). As such, they may not be reproduced, transmitted, published, performed, broadcast, stored, adapted, distributed, displayed, licensed, altered, hyperlinked or otherwise used in whole or in part in any manner without the prior written consent of the UKC Co. Save and except with the UKC Co.'s prior written consent, you may not insert a hyperlink to this website or any part thereof on any other website or "mirror" or frame this website, any part thereof, or any information or materials contained in this website on any other server, website or webpage. All trademarks, service marks and logos used in this website are the property of the UKC Co. and/or the respective third party proprietors identified in this website. No licence or right is granted and your access to this website and/or use of the online services should not be construed as granting, by implication, estoppel or otherwise, any licence or right to use any trademarks, service marks or logos appearing on the website without the prior written consent of the UKC Co. or the relevant third party proprietor thereof. Save and except with the UKC Co.'s prior written consent, no such trade mark, service mark or logo may be used as a hyperlink or to mark any hyperlink to any UKC Co. member's site or any other site.

Disclaimer

The information and materials contained in or accessed through this website are provided on an "as is" and "as available" basis and are of a general nature which has not been verified, considered or assessed by any member of the UKC Co. in relation to the making of any specific investment, business, financial or commercial decision. Such information and materials are provided for general information only and you should seek professional advice at all times and obtain independent verification of the information and materials contained herein before making any decision based on any such information or materials. The UKC Co. does not warrant the truth, accuracy, adequacy, completeness or reasonableness of the information and materials contained in or accessed through this website and expressly disclaims liability for any errors in, or omissions from, such information and materials. No warranty of any kind, implied, express or statutory (including but not limited to, warranties of title, merchantability, satisfactory quality, non-infringement of third-party intellectual property rights, fitness for a particular purpose and freedom from computer virus and other malicious code), is given in conjunction with such information and materials, or this website in general. Under no circumstances shall the UKC Co. be liable, regardless of the form of action, for any failure of performance, system, server or connection failure, error, omission, interruption, breach of security, computer virus, malicious code, corruption, delay in operation or transmission, transmission error or unavailability of access in connection with your accessing this website and/or using the online services, even if the UKC Co. had been advised as to the possibility. In no event shall the UKC Co. be liable to you or any other party for any damages, losses, expenses or costs whatsoever (including without limitation, any direct, indirect, special, incidental or consequential damages, loss of profits or lost opportunity) arising in connection with your use of this website, or reliance on any information, materials or online services provided at this website, regardless of the form of action and even if the UKC Co. had been advised as to the possibility of such damages.

Hyperlinks

For your convenience, the UKC Co. may include hyperlinks to websites on the Internet that are owned or operated by third parties. Such linked websites are not under the control of the UKC Co. and the UKC Co. cannot accept responsibility for the contents of or the consequences of accessing any linked website or any link contained in a linked website. Furthermore, the hyperlinks provided in this website shall not be considered or construed as an endorsement or verification of such linked websites or the contents therein by the UKC Co. You agree that your access to and/or use of such linked websites is entirely at your own risk and subject to the terms and conditions of access and/or use contained therein.

Indemnity

You hereby agree to indemnify and save the UKC Co. harmless against all damages, losses, expenses and costs (including legal costs) suffered or incurred by the UKC Co. in connection with or arising from (1) your access of this website and/or use of the online services, or (2) any other party's access of this website and/or use of the online services using your user id and/or login password, or (3) your breach of any of these Terms and Conditions of Access, or (4) any other party's breach of any of these Terms and Conditions of Access where such party was able to access this website and/or use the online services by using your user id and/or login password.

Miscellaneous

The information and materials contained in or accessed through this website shall not be considered or construed as an offer or solicitation to sell, buy, give, take, issue, allot or transfer, or as the giving of any advice in respect of shares, stocks, bonds, notes, interests, unit trusts, mutual funds or other securities, investments, loans, advances, credits or deposits in any jurisdiction. The information and materials herein are subject to change (including, without limitation, modification, deletion or replacement thereof) without notice. The UKC Co. may terminate your access to this website and/or your use of the online services at any time without notice and without assigning any reason therefor.

Governing Law and Jurisdiction

Nothing herein shall be construed as a representation by the UKC Co. that the information and materials contained in or accessed through this website are appropriate or available for use in geographic areas or jurisdictions other than Europe. By accessing this website and/or using the online services, you agree that such access and/or use, as well as these Terms and Conditions of Access, shall be governed by, and construed in accordance with, the laws of Europe, and you agree to submit to the non-exclusive jurisdiction of the European courts.

Design Approach

Screen mock-ups: Home; I-Banking welcome page; A/C Summary; Transaction History; Funds Transfer; Personal Loan; About Personal Loan; Payment Protection Cover; Smaller Loan; Existing Loan Customer; Branch Locator.

Security Issues

Why do we need security, particularly in e-banking?
It is necessary for businesses to provide a secure way of transacting online. By making security integral, businesses not only gain customer trust but also increase their revenue by adding more services online. So we offer you a safe and secure online environment for your banking needs. The following topics cover the different security issues.

Deployment of Security for Credit UK e-banking
1. PKI
2. SSL
3. Digital Certificate
4. Security token (2FA authentication)

Some key benefits that PKI and its use of public key cryptography offer to e-commerce and other organizations:
• Reduces the expense of transaction processing.
• Reduces risk.
• Enhances the efficiency and performance of systems and networks.
• Reduces the complexity of security systems compared with purely symmetric methods.

Public Key Infrastructure (PKI)
PKI is a foundation on which other systems, network security components and applications are built. It is the basic element of an overall security strategy that must work together with other security mechanisms, risk management efforts and business practices. It is a deep subject, evolving to meet the growing demands of the business world. It does not serve a particular business function, but provides a foundation for other security services. The primary use of PKI is to allow the distribution and use of certificates and public keys with integrity and security. A PKI is a starting point on which other applications and network security elements are built. "Examples of systems that use PKI-based security mechanisms are email, value exchange in e-commerce (debit and credit cards), home banking and electronic postal systems."¹

¹ p5

Digital Certificate

A digital certificate is like a passport: it provides a way to establish your identity to gain entry. In the digital world, digital certificates are issued by a Certification Authority (CA). Like a passport office, the CA validates the certificate holder's identity and "signs" the certificate so that it cannot be tampered with. Once the certificate is signed by the CA, the holder can present it to people, web sites and network resources to prove their identity and establish encrypted, confidential communications. The certificate is based on public key cryptography, which uses a pair of keys for encryption and decryption: keys work in matched public and private pairs. Encryption converts information to a numerical value, making that information secure and visible only to those who have the key to restore it. The public key is freely distributed without exposing the private key, which must be kept private by its owner, so that an operation (e.g. encryption) done with the public key can only be reversed by the corresponding private key. A digital certificate binds an identity, as verified by a trusted third party, to your public key. Example of a digital certificate deployed by OCBC Bank:


Secure Sockets Layer (SSL) is a security protocol that is today's standard for securing communication and transactions across the internet. SSL is a star in today's e-commerce and e-business activities on the Web. It uses digital certificates to create a secure channel for sensitive communications between two entities. Data sent over an SSL connection cannot be tampered with or forged without the two parties becoming aware of the tampering.

What are SSL Certificates?

Using SSL enables encrypted communication between a user's browser and a web site, by authenticating the identity of the web site with an SSL web server certificate. When the user wants to send sensitive information to a web server, the browser accesses the web server's digital certificate and receives its public key to encrypt the data. Only the web server can access its private key, so only the server can decrypt the information. That is why the information remains confidential across the internet. The following diagram illustrates how a 128- or 256-bit SSL connection works:

(Source: march 2008)

How Certificates are used in an SSL Transaction

Suppose you want to connect to a secure web site to do a transaction:
• When you visit a web site secured with SSL (you will find that the URL begins with "https"), your browser sends a message requesting a secure (SSL) session.
• The web server sends you its server certificate, including its public key.
• Your browser verifies that the certificate sent to you is valid and has been signed by a CA, and also verifies that the CA certificate has not yet expired.
• If it is valid, your browser creates a single unique "session" key and encrypts it with the server's public key.
• Your browser sends the encrypted session key to the server so that both sides have a copy, and the server recovers the session key by decrypting it with its private key.

Now the web site is confirmed and verified, and your browser and the web server each have a copy of the session key. Once SSL verification is complete, you have a secure communications "pipe": your browser and the web server can communicate securely using the session key. The entire process of creating an SSL connection takes only seconds and happens transparently.

In the e-commerce world, the RSA public key cryptosystem (named after its creators Rivest, Shamir and Adleman) is commonly used. The algorithm is based on the hard mathematical problem of factoring composite numbers. Ciphertext is created by one party using another party's public key to encrypt, so many parties can send one party encrypted messages without first exchanging secret or private cryptographic keys. As we saw with SSL, only the owner of the private key can decrypt and read the messages. The encryption operation is as follows:

"$c = m^e \bmod n$

where $m$ is the message to be enciphered and $c$ is the resultant ciphertext. The specific operation performed is the exponentiation $m^e \bmod n$, where $e$ and $n$ are the public key of the recipient of the ciphertext. The recovery of the ciphertext by the recipient occurs as follows:

$m = c^d \bmod n$

The specific operation performed is the exponentiation $c^d \bmod n$, where $d$ and $n$ are the recipient's private key."
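A toy model of the exchange described above, written for this page as an added example (not from the original report or any vendor): textbook RSA with the small primes p = 61, q = 53, so that c = m^e mod n and m = c^d mod n can be checked by hand, a CA that signs the server certificate, and the browser-side checks (signature, expiry) before the session key is wrapped with the server's public key. The key sizes, certificate format, host name and expiry are all constructed; real TLS uses padded RSA or ECDHE key agreement and full X.509 certificates, not this.

```python
"""Toy RSA and a simplified SSL-style key exchange (constructed example).

Standard library only. Primes are deliberately tiny so the arithmetic is
visible; there is no padding, so this is NOT usable as real cryptography.
"""
import hashlib
import secrets


def rsa_keygen(p: int, q: int, e: int):
    """Return ((e, n), (d, n)) for the given primes; d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub) -> int:
    """c = m^e mod n (the formula quoted in the text)."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    """m = c^d mod n, only possible with the private exponent d."""
    d, n = priv
    return pow(c, d, n)


def _cert_digest(cert: dict, n: int) -> int:
    """Hash the certificate fields; reduced mod n only because n is tiny here."""
    data = f"{cert['subject']}|{cert['pub'][0]}|{cert['pub'][1]}|{cert['not_after']}"
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n


def ca_sign(cert: dict, ca_priv) -> int:
    """The CA 'signs' by raising the digest to its private exponent."""
    d, n = ca_priv
    return pow(_cert_digest(cert, n), d, n)


def verify_cert(cert: dict, signature: int, ca_pub, now: int):
    """Browser step 3: check the CA signature, then the expiry date."""
    e, n = ca_pub
    if pow(signature, e, n) != _cert_digest(cert, n):
        return False, "signature does not verify against the CA key"
    if now > cert["not_after"]:
        return False, "certificate has expired"
    return True, "ok"


def browser_wrap_session_key(cert: dict, signature: int, ca_pub, now: int):
    """Browser steps 3-4: verify, then create a session key and wrap it."""
    ok, reason = verify_cert(cert, signature, ca_pub, now)
    if not ok:
        return None, None, reason
    _, n = cert["pub"]
    session_key = secrets.randbelow(n - 1) + 1   # toy: must fit under n
    return session_key, rsa_encrypt(session_key, cert["pub"]), "ok"


def server_unwrap_session_key(wrapped: int, server_priv) -> int:
    """Server step 5: recover the session key with its private key."""
    return rsa_decrypt(wrapped, server_priv)


# Constructed keys: server uses the textbook pair p=61, q=53; CA uses p=101, q=113.
SERVER_PUB, SERVER_PRIV = rsa_keygen(61, 53, 17)      # n = 3233, d = 2753
CA_PUB, CA_PRIV = rsa_keygen(101, 113, 17)            # n = 11413

SERVER_CERT = {"subject": "ibank.ukcredit.example", "pub": SERVER_PUB,
               "not_after": 1_900_000_000}            # constructed expiry (Unix time)
SERVER_CERT_SIG = ca_sign(SERVER_CERT, CA_PRIV)


def run_handshake(now: int, cert: dict = SERVER_CERT, sig: int = SERVER_CERT_SIG):
    """Run the exchange; returns (browser_key, server_key, status)."""
    browser_key, wrapped, status = browser_wrap_session_key(cert, sig, CA_PUB, now)
    if browser_key is None:
        return None, None, status
    return browser_key, server_unwrap_session_key(wrapped, SERVER_PRIV), status


if __name__ == "__main__":
    print(rsa_encrypt(65, SERVER_PUB))                # 2790 for the textbook key
    print(run_handshake(now=1_700_000_000))           # both copies of the key match
    print(run_handshake(now=2_000_000_000))           # rejected: expired
```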

Security Token
A security token (also known as a hardware token, authentication token or cryptographic token) can be a physical device given to an authorized user to aid authentication (a dedicated device). Besides hardware tokens there are software tokens, which authorize the use of computer services and run on a general-purpose electronic device such as a laptop, desktop or mobile phone. There are different types of token: disconnected tokens need no input device, while others do.

This type of token is usually combined with a USB token, so it can be used in both connected and disconnected states. It must be inserted into a USB port to function when further than 10 meters away; it works without the connection when closer than 32 feet (10 meters).

Cellular phones

This is a new category of 2FA tool, which allows users to use their mobile phones as security tokens. The functions of a dedicated token are performed by a Java application installed on the mobile phone. Other methods are SMS messaging, an interactive phone call, or a standard protocol such as HTTP or HTTPS. This simplifies deployment, reduces costs and removes the need for a separate token device. The SMS option exposes the user to fees for text messages or WAP/HTTP services.

Disconnected tokens
Disconnected tokens are the type most commonly used by enterprises today, for example RSA Security's tokens and Digipass. The bright side of this type of token is that no input device is needed, though it does not last long: only 3-5 years.

Two-factor Authentication (2FA)
2FA is a piece of information and a process used to authenticate and verify a person's identity for security purposes. It is a system that uses two different methods of authentication, giving a higher level of assurance. There are three universally recognized factors for authenticating individuals:

• ‘Something you know’, such as a password, PIN or an out-of-wallet response.
• ‘Something you have’, such as a mobile phone, credit card or hardware security token.
• ‘Something you are’, such as a fingerprint, retinal scan or other biometric.

2FA or T-FA requires at least two of the authentication methods mentioned above. The first factor is usually ‘something you know’, a password, and the second is commonly ‘something you have’, a physical device, or, more complex, ‘something you are’, a biometric such as a fingerprint. A bank example is an ATM card (‘something you have’) combined with a password (‘something you know’). Using more than one method is strong authentication, whereas a single factor such as a static password is considered by some to be weak authentication. Strong authentication and multi-factor authentication are different processes: collecting multiple answers to challenge questions may be considered strong authentication. "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication." This was clarified by the FFIEC, which issued supplemental guidance on the subject in August 2006.
Firewall

A firewall is a system designed to control and inspect the traffic passing through a private network, based on a set of rules that allow or deny the traffic. It can be hardware, software or a combination of both. It is frequently used to prevent unauthorized users from accessing private networks connected to the internet, especially intranets. Like an immigration checkpoint, it examines every message entering or leaving through it, and blocks those that do not meet the specified security criteria.

Several types of firewall technique:

• Network layer (packet filter): filters packets entering or leaving the network, allowing packets through the firewall only if they match user-defined rules. It is fairly effective and transparent to users, but it is difficult to configure. Network layer firewalls fall into two categories, stateful and stateless.
  Stateful firewalls maintain context about the sessions that are active and use that "state information" to speed up packet processing. Several properties describe any existing network connection, such as source and destination IP addresses, TCP or UDP ports, and the current connection lifetime (including session initiation, handshaking, data transfer or connection completion). If a packet matches an existing connection it is allowed through without further processing; if it does not match any existing connection, it is evaluated according to the ruleset for new connections.
  Stateless firewalls have packet-filtering capability, but cannot make more complex decisions based on what stage the communication between hosts has reached.

• Application layer: works in one of two modes, passive or active. Active application firewalls inspect all incoming requests, checking the actual message against known attack types such as SQL injection, cookie tampering and cross-site scripting; only requests that are deemed "clean" are passed to the application. Passive application layer firewalls act similarly to an IDS (Intrusion Detection System), but cannot actually deny or reject a request if a potential attack is detected. Application layer firewalls raise the overall security of the application infrastructure by rejecting attacks that would cause structural damage to a data source or a service outage. They are remotely updatable, allowing them to block newly discovered vulnerabilities, so they stay up to date unlike other security-focused code, whose development and testing cycles take more time.
• Proxies: a proxy may act as a firewall (either dedicated hardware or software on a general-purpose machine) by responding to input packets (e.g. connection requests) between the client and the server. Traffic from the web browser or application goes first through the proxy before reaching the requested resource, and back through the proxy when data is returned from internet resources to the client; the client then receives the data transmitted by the proxy.

  A proxy implements protocol- or service-specific security, such as the level of authentication and access control, and makes packet-forwarding decisions. Based on a set of proxy server rules that apply to the individual network service as well as host/user permissions, it evaluates the request and decides whether to permit or deny it. It provides a greater level of security because it ensures that the two connecting hosts never exchange packets directly.
• Network Address Translation (NAT): allows the protected network to access the external network while restricting outsiders from getting in. NAT substitutes its own address for the source address field when a request is sent through the firewall, and when the reply returns to the NAT application, the address in the destination field is replaced with that of the original client that made the request. This technique hides internal host addresses from external hosts, which are aware only of the firewall's IP address. NAT greatly reduces the ability to attack internal hosts.
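To make the stateful/stateless distinction above concrete, here is an added example written for this page (not from the report): a packet filter whose only rule lets internal hosts open HTTPS connections outward, run first as a stateless filter and then with a connection table. It shows why the stateless design needs a second, broad rule to let replies back in, and what that rule also admits. Addresses, ports and rules are constructed.

```python
"""Stateless versus stateful packet filtering (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True on the first packet of a TCP connection
    ack: bool = False


def _match(rule: dict, pkt: Packet) -> bool:
    """A rule field that is absent or 'any' matches everything."""
    for field, value in rule.items():
        if field == "action" or value == "any":
            continue
        actual = getattr(pkt, field)
        if field in ("src", "dst"):
            if ipaddress.ip_address(actual) not in ipaddress.ip_network(value):
                return False
        elif actual != value:
            return False
    return True


def stateless_filter(pkt: Packet, rules: list) -> str:
    """Every packet is judged on its own against the rule list; first match wins."""
    for rule in rules:
        if _match(rule, pkt):
            return rule["action"]
    return "deny"             # implicit default deny


class StatefulFirewall:
    """Same rules, plus a table of the connections that were allowed to start."""

    def __init__(self, rules: list):
        self.rules = rules
        self.connections = set()       # (src, sport, dst, dport) of allowed flows

    def process(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to a known connection pass without rule evaluation.
        if forward in self.connections or reverse in self.connections:
            return "allow"
        # Only a connection-opening packet may create state, and only if the rules allow it.
        if pkt.syn and not pkt.ack and stateless_filter(pkt, self.rules) == "allow":
            self.connections.add(forward)
            return "allow"
        return "deny"


# Constructed policy: internal 10.0.0.0/8 may open HTTPS to anywhere; nothing else.
STRICT_RULES = [
    {"action": "allow", "src": "10.0.0.0/8", "dst": "any", "dport": 443},
]
# What a stateless filter must add so that replies get back in: a hole for any
# packet from port 443, which also admits unsolicited traffic sent from that port.
STATELESS_RULES = STRICT_RULES + [
    {"action": "allow", "src": "any", "sport": 443, "dst": "10.0.0.0/8"},
]

OUTBOUND_SYN = Packet("10.0.0.7", 51000, "203.0.113.5", 443, syn=True)
REPLY = Packet("203.0.113.5", 443, "10.0.0.7", 51000, syn=True, ack=True)
UNSOLICITED = Packet("198.51.100.9", 443, "10.0.0.7", 445, syn=True)   # probe sent from port 443
TRAFFIC = (OUTBOUND_SYN, REPLY, UNSOLICITED)


def compare() -> dict:
    """Run the three packets through each design; values are per-packet decisions."""
    fw = StatefulFirewall(STRICT_RULES)
    return {
        "stateful": [fw.process(p) for p in TRAFFIC],
        "stateless_strict": [stateless_filter(p, STRICT_RULES) for p in TRAFFIC],
        "stateless": [stateless_filter(p, STATELESS_RULES) for p in TRAFFIC],
    }
```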

Security Layer

All customers’ financial information and any other kind of sensitive information is the most valuable asset of every iBanking system, so the company must ensure that all information is tightly secured and that appropriate integrity and availability are provided.


For the above reasons, i-banking must implement a 5-layer approach to ensure the security of the system:

Layer 1: Secure User Connection
Layer 2: User Authentication
Layer 3: Server Access
Layer 4: System Architecture
Layer 5: Application Architecture

Layer 1: Secure User Connection
• SSL
• Digital Certificate issued by VeriSign
• Establishes credible Internet "identities"
• PKI

Layer 2: User Authentication
• Alphanumeric id and password
• Unique id established by the consumer
• Unique alphanumeric initial password established by the application and mailed to the customer
• Incorrect password counter: disable the account after three incorrect attempts
• Mandatory password change during initial sign-on
• Session expiration after 10 min of inactive use

Layer 3: Server Access
• Dedicated ISP connection for the internet backbone, for basic screening of IP addresses
• Internet firewall(s) to block unauthorized requests, make the internet backbone server the only accessible resource, log all penetration attempts for security audits, and block viruses

Layer 4: System Architecture
• Applications are built in pure Java and Enterprise JavaBeans, for hosting on UNIX-based servers or AS/400, which are far more secure than Microsoft Windows based alternatives
• Dedicated HTML/web server accepts direct internet "hits"
• Restrictive Access Control Lists (ACLs) for each of the authentication server, database server and component server
• Sensitive customer information resides only on the core banking system

Layer 5: Application Architecture
• All user and administrative actions are logged to the database
• All data on i-banking is encrypted using an appropriate encryption algorithm
• Can be set to require a password change every 30 days
• Can limit the amount of daily transfers
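The Layer 2 and Layer 5 controls listed above, as an added example written for this page (not from the report or any product): a login service that locks an account after three wrong passwords, forces a change of the mailed initial password at first sign-on, expires sessions after 10 minutes of inactivity, enforces a 30-day password age and caps daily transfers. Account ids, passwords and the transfer limit are constructed.

```python
"""Layer 2 / Layer 5 account controls (constructed example, standard library only)."""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3          # disable the account after three incorrect attempts
SESSION_IDLE_SECONDS = 10 * 60   # session expiration after 10 min of inactivity
PASSWORD_MAX_AGE = 30 * 86400    # require a password change every 30 days
DAILY_TRANSFER_LIMIT = 5000      # constructed limit, in the account currency


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user_id: str, initial_password: str, created: int):
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(initial_password, self.salt)
        self.pw_changed = created
        self.must_change = True          # mailed initial password: change on first sign-on
        self.failed = 0
        self.disabled = False
        self.transferred_today = {}      # day number -> amount moved that day

    def set_password(self, new_password: str, now: int):
        self.pw_hash = _hash(new_password, self.salt)
        self.pw_changed = now
        self.must_change = False


class Session:
    def __init__(self, account: Account, now: int):
        self.account = account
        self.last_seen = now

    def active(self, now: int) -> bool:
        """Each request must arrive within the idle limit of the previous one."""
        if now - self.last_seen > SESSION_IDLE_SECONDS:
            return False
        self.last_seen = now
        return True


def login(account: Account, password: str, now: int):
    """Returns (status, session); status is ok, must_change_password,
    password_expired, locked or bad_password."""
    if account.disabled:
        return "locked", None
    if not hmac.compare_digest(_hash(password, account.salt), account.pw_hash):
        account.failed += 1
        if account.failed >= MAX_FAILED_ATTEMPTS:
            account.disabled = True      # stays locked until an operator resets it
            return "locked", None
        return "bad_password", None
    account.failed = 0
    if account.must_change:
        return "must_change_password", Session(account, now)
    if now - account.pw_changed > PASSWORD_MAX_AGE:
        return "password_expired", Session(account, now)
    return "ok", Session(account, now)


def transfer(session: Session, amount: int, now: int) -> str:
    """Layer 5: refuse transfers from an expired session or above the daily cap."""
    if not session.active(now):
        return "session_expired"
    if session.account.must_change:
        return "password_change_required"
    day = now // 86400
    moved = session.account.transferred_today.get(day, 0)
    if moved + amount > DAILY_TRANSFER_LIMIT:
        return "daily_limit_exceeded"
    session.account.transferred_today[day] = moved + amount
    return "ok"


def demo() -> list:
    """Walk through the controls; returns the sequence of statuses."""
    t0 = 1_700_000_000
    acct = Account("cust-0001", "Init1al-Pw", created=t0)
    out = [login(acct, "guess1", t0)[0], login(acct, "guess2", t0)[0], login(acct, "guess3", t0)[0]]
    out.append(login(acct, "Init1al-Pw", t0)[0])             # correct password, but now locked
    acct2 = Account("cust-0002", "Init1al-Pw", created=t0)
    out.append(login(acct2, "Init1al-Pw", t0)[0])            # must_change_password
    acct2.set_password("N3w-Str0ng-Pw", t0)
    status, sess = login(acct2, "N3w-Str0ng-Pw", t0 + 60)
    out.append(status)                                       # ok
    out.append(transfer(sess, 4000, t0 + 120))               # ok
    out.append(transfer(sess, 2000, t0 + 180))               # daily_limit_exceeded
    out.append(transfer(sess, 100, t0 + 180 + 601))          # session_expired
    out.append(login(acct2, "N3w-Str0ng-Pw", t0 + 31 * 86400)[0])   # password_expired
    return out
```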

News on Security/Security Alerts

Malware Targets E-Banking Security Technology
New malicious software contains a feature specially designed to defeat an online security technology used by Bank of America and other financial institutions that offer e-banking. The feature appears in a recent version of "Pinch", a widely distributed Trojan horse program that gives criminals the ability to steal information such as user ids and passwords from a victim's computer. The new version of Pinch still looks for ids and passwords, but it also steals a special token planted on the machine of a user who banks online with a financial institution that uses Adaptive Authentication, a security technology owned by RSA Security. The technology is also known as "SiteKey", Bank of America's branding of the RSA technology. Because Bank of America uses Adaptive Authentication, if you access the site from an unfamiliar place it asks you the secret questions you set up. Once the questions are answered correctly, the site places a bypass token on whatever machine the user is on, so that the user need not be bothered by the security questions the next time that machine is used to access the site. This meant that even if an attacker planted information-stealing malware on your machine, the attacker would still need to answer all or most of your secret questions. But SiteKey stores the token in the same place on every user's machine, and the newest version of Pinch simply goes to that directory, takes the token and stores it along with the stolen id and password for that user. Lawrence Baldwin (co-founder of ) discovered Pinch's new feature while observing a user affected by the malware. He said it was only a matter of time before malware incorporated the SiteKey hack. Marc Gaffan, RSA's head of marketing, said that they are seeing more and more malware coming out, but cautioned that their technology offers banks additional layers of protection even if the token and information are stolen. He declined to give more specifics about those protections because he does not want to "give away the secret sauce". "Pinch showcases some of the best (or worst, depending on your vantage point) point-and-click products that the malware industry has to offer these days." It is created with the help of a configurable and extremely sophisticated virus creation kit called Pinch Pro, which can be purchased on Russian hacker forums. The following is a sample of the program:


Phishing

The word phishing was coined by crackers to refer to the act of tricking people into exposing sensitive information. The attacker creates a scenario in which people believe they are dealing with an authorized party, especially their bank, and then asks the victim for private information such as credit card details. This activity is largely automated, and the victims are the large number of internet users.

It is also a deceitful e-mail method where attackers send out an official-looking email to gather personal and financial information from the victims. Usually, the emails appear to come from well known and trustworthy web sites. Using a spoofed image or logo of the financial institution, the email convinces the user to provide personal and account details by visiting a web link given in the message.

The attackers use a number of different social engineering and e-mail spoofing techniques to try to trick their victims.

Example of Phishing

In this example the PayPal company's name is used by the attacker, who sends the customer a legitimate-looking email carrying PayPal's logo and trade mark. It says that the company is having technical difficulties and asks the victim to click on a link that leads directly to a page asking users to register again, requesting personal and sensitive information such as bank details (VISA and PayPal accounts), user name and password, social security numbers, and any other information that can be used to retrieve forgotten or lost credentials. If the victim chooses to ignore the request, the message says that they leave the company no choice but to temporarily suspend the account.

The fraudulent page is specially coded to ensure that the information submitted is in the correct format: if you mistype something, it alerts you to key in the correct information before it can be submitted.


PayPal is affected because its name is being used by the scammers. The company's reputation goes down because it did not tell its customers to be aware of such phishing threats.

Consequences of Phishing

The major threat of phishing is that your identity is used in a digital crime by the attacker, usually for financial gain or for defamatory purposes. Once they have stolen your personal information they will use it, for example to make fraudulent charges on your credit or debit card, or to use your credentials on online services such as eBay, Amazon and others to commit crimes without being caught, making it appear as though you committed the criminal act.

Cost Budgeting

Products and cost:
MySQL database server: free
Java Platform: free
GEM CRM: $14,400
Apache web hosting (http://www.webhosting, per year): $179.50
Total: 14,579.50

Conclusion

In the past several years, many banks have launched Internet banking services to retail customers with the intent of attracting and retaining more high-value customers and decreasing costs. Although in most cases these banks are not making money from these efforts, there are some success stories: banks that have effectively developed, delivered and evolved their services. Based on our research of these Internet banking leaders, we believe that implementing best practices can help banks deliver Internet services more effectively. Best practices can help prioritize Internet development efforts and extend the Internet technology and development infrastructure to applications in non-retail banking areas. All of the Internet products and services have the potential to provide substantial value to customers. However, we believe that it is the integration and execution of the offerings that will separate the best banks from the mediocre. Banks that implement the best practices will have the highest chance of ongoing success in these varied electronic commerce efforts.
