Professional Documents
Culture Documents
University
E - Banking of Belgrade
Nikola Skundric
nikolas@galeb.etf.bg.ac.yu
Prof. Dr. Veljko Milutinovic
vm@etf.bg.ac.yu
Milos Kovacevic
milos@grf.bg.ac.yu
Nikola Klem
klem@grf.bg.ac.yu
I. Introduction to e-Banking
What is an e-Bank and
why to do e-Banking
Some facts about e-Banking
ntinued... 2 / 99
Outline
continued
IV. Conclusion
3 / 99
Part I
Introduction to
E - Banking 4 / 99
Introduction
5 / 99
What Is an E-Bank?
Customers have:
Collision!
• Their job during the day
• Family or other activities after the job
• Internet
• WAP based mobile network
• Automated telephone
• ATM network
• SMS and FAX messaging
• Multipurpose information kiosks
• Web TV and others …
7 / 99
What Is an E-Bank?
E-Bank is transforming banking business
into e-Business through utilizing e-Channels
8 / 99
Other Advantages of E-Banking
Possibility to extend your market
(even out of country)
9 / 99
Internet Banking ... and E-Banking
Electronic
Internet Banking
Banking
• By
Through
using aAutomated
PC that connects
Teller Machines
to a banking
(ATMs),
website via modem
telephones
and phone line
(not(or
viaother
Internet)
telecommunication
or debit cards. connection)
and Internet
(debit Service
cards look like Provider
credit card, but using debit card
• Or
removes
via wireless
funds technology
from your bankthrough
account
PDAimmediately)
or cell phone
10 / 99
Internet Banking
13 / 99
E-Banking in the USA
Powerful banks are more present
Assets Number of Banks Online Presence
Information Only
No Presence
Fully Transactional
41%
36%
Today about 1,100 U.S. banks, large and small, provide full-fledged
transactional banking on-line
In next two years additional 1,200 transactional on-line banks are
expected
By 2005, the number of such banks should increase to more than 3,000
15 / 99
E-Banking in Serbia
16 / 99
E-Banking in Serbia
Elektronski promet Delta banke:
6.5 milijardi dinara u prva tri meseca
25% naloga u Raiffeisen banci stižu elektronskim
putem
U HVB banci svaki drugi nalog je elektronski
35% prometa Nacionalne štedionice obavlja se kroz
elektronske usluge
30% klijenata Atlas banke koristi elektronsko
bankarstvo
vor: Mikro, jun 2003.
17 / 99
Internet Banking
WWW service
18 / 99
Part II
Security Issues
19 / 99
Security problems
Online banking relies on a networked environment.
Worth noting:
Internal attacks are potentially the most damaging!
20 / 99
Security Problems
Internet is a public network and
open system where the identity
of the communicating partners
is not easy to define.
Spoofing
“How can I be certain that
my personal information “How“How
can can
I beIcertain
reassure that
is not altered by online my
customers
customers’ whoaccount
come to
eavesdroppers when number
my site
information
that theyisarenot
they enter into a secure doing
accessible
business to online
with me,
transaction on the Web?” eavesdroppers
not with a fakewhenset up
they
to
steal
enter their
into acredit
secure
card
transaction
numbers?”
on the Web?”
PROBLEMS
22 / 99
What Do We Have to Achieve
Authentication
no spoofing
Non-repudiation
Privacy
no claiming
no eavesdropping
of user action
Data Integrity
no data alteration
23 / 99
How to Achieve It?
24 / 99
Few Security Tips 1/3
Protect yourself from potential pitfalls and make
your Internet banking more safe, productive
and enjoyable by following these advices
(given by Federal Reserve Bank of Chicago)
ntinued... 25 / 99
Few Security Tips 2/3
.continued
• Be “password smart”
(use mix of letters and numbers; change pw regularly;
keep your pw and PIN codes to yourself; avoid easy
to guess pw like first names, birthdays, anniversaries,
social security numbers...)
ntinued... 26 / 99
Few Security Tips 3/3
.continued
28 / 99
Cryptography Basics
Cryptography provides privacy
ENCRYPTED
ENCRYPTION ALG. MESSAGE DECRYPTION ALG.
(CYPHERTEXT)
MESSAGE MESSAGE
(PLAINTEXT) (PLAINTEXT)
SENDER RECEIVER
KEYS
Symmetric approach
Asymmetric approach
Hybrid approach
29 / 99
Symmetric Approach
Both sides use the same key for encryption and decryption
ENCRYPTED
SYMMETRIC KEY MESSAGE SYMMETRIC KEY
(CYPHERTEXT)
MESSAGE MESSAGE
(PLAINTEXT) (PLAINTEXT)
SENDER RECEIVER
ENCRYPTED
PUBLIC KEY MESSAGE PRIVATE KEY
(CYPHERTEXT)
MESSAGE MESSAGE
(PLAINTEXT) (PLAINTEXT)
SENDER RECEIVER
+ =
32 / 99
Digital Signatures
Cryptography provides privacy, but what about security?
As mentioned before, from a security point of view,
we have to achieve three important things:
Was the
Was
Prevention
the
Digital
message
Digital message
of by
Signatures
sent
Signaturesa
changed
denial
the ofafter
a
declared
previous
it was sent?
sender? act.
Origin
Origin Data-integrity
Data-integrity
Non-repudiation
Non-repudiation
Authentication
Authentication Authentication
Authentication
Sender Receiver
HA
Message Msg* Digest’’
HA DS*
Digest
Digest’
Public Key
Private key DS
Equal?
35 / 99
Digital Signatures
“Non-repudiation: a service that prevents the denial of a
previous act.”
A. Menezes – “Handbook of Applied Cryptography”
Thesecaused
Problems problems by do not disappear
a false certification
with or
encryption or evenmechanism
no certification a secure protocol
40 / 99
ITU-T Recommendation X.509
In general independent,
CA
CA even in the same country
Private
Private
Personal Commercial
Commercial
Public
Public aa company
company Personal
VeriSign
VeriSign
e.g.
e.g. aa bank
bank for
for private
private you,
you, me
me
Thawte
Thawte
needs
needs
42 / 99
X.509 Naming Scheme
A certificate associates
the public key and
unique distinguished name (DN)
of the user it describes.
Authentication relies
on each user possessing
a unique distinguished name.
The DN is denoted by a NA
It’s interesting
and accepted by a CA to note that the same user can
have different
as unique within theDNs
CA’s indomain,
different CAs, or can have
wherethe
thesame DN double
CA can in different
as aCAs
NA. even if the user is
not the first to use it in any of the CAs.
43 / 99
How X.509 Certificate Is Issued
44 / 99
Contents of X.509 Certificate
The certificate holder’s public key value
46 / 99
Verification of DCs in User Browser
47 / 99
Useful Links to Visit
Two largest commercial CA’s:
www.verisign.com
how to apply for DC,
security related stuff
www.thawte.com
how to apply for DC,
security related stuff
48 / 99
Secure Sockets Layer
SSL is perhaps the widest
used security protocol
on the Internet today.
50 / 99
SSL Record Layer
51 / 99
SSL Data Exchange Phase (simplified)
Client Server
Fragments msg.
into blocks (bytes) Msg. block MAC
52 / 99
SSL Handshake Layer
53 / 99
SSL Handshaking Phase (simplified)
Client Server
List of supported
ciphers
Strongest cipher
CLIENT-HELLO message supported + DC
?
OK +
Challenge
SERVER-VERIFY message
SERVER-HELLO message
SSK generated +
and encrypted +
Encrypted
Responding challenge (encrypt. SSK
with SWK)
with SPK Connection ID
Decrypts SSK with own
From now
CLIENT-MASTER-KEY message (encrypt. SKwithand
SPK)
sends ack.
use SSK!
CLIENT-FINISHED message (encrypt. with CWK)
54 / 99
SSL Handshaking Phase
1. REQUEST-CERTIFICATE message
challenge’ + means of authentication desired
2. CLIENT-CERTIFICATE message
client certificate’s type + certificate
+ bunch of response data
3. SERVER-FINISHED message
55 / 99
SSL Keys
There are number of keys used over the course of a
conversation:
• Server’s public key (SPK)
• Master key (SSK) – randomly generated
• Client-read-key also called Server-write-key (CRK/SWK)
• Client-write-key also called Server-read-key (CWK/SRK)
57 / 99
About SSL Strength
58 / 99
Part III
Bankers’
Point of View
59 / 99
Internet Bank Architecture
Web server
Branch office
terminals Security
subsystem
SSL connection
Internet
User
60 / 99
In-house Architecture
CustomerLink Server (CustomerLink Primer)
(On Site)
Core System
(On Site)
In-house Web Server
(On Site)
Security Firewall
(On Site)
Router
(On Site)
All components are in the bank
61 / 99
Out-of-house Architecture
ASP (Equifax)
Bank site
Firewall
User
CustomerLink Primer) 62 / 99
Banking Software Architecture
Before Internet revolution, banking software systems
were dominantly of client-server type
CLIENT-SERVER
data
The network
management
configuration
Sever can where
accessthehuge
workdatabases
potentialand
perform searches
Client demand
(processing in behalfservices
abilities &ofaccessible
the client.
or
application
Executes information
Back-end
information) from otherbetween
is application.
distributed
logic
machines
several– machines.
servers.
Executes Front-end App.
presentation
logic
63 / 99
Banking Software Architecture
In the Internet era banking software systems are n-tier (n > 2)
Application logic
64 / 99
Presentation Logic
web server
thin client
67 / 99
Application Service Providers
Advantages: Disadvantages:
Thin client Every workstation needs Internet
Renting instead of buying access
Only effective using time Broad bandwidth necessary
charged Doubtful data security on the
Cost planning more reliable Internet
Total cost of ownership Not all applications have Internet
decreased compatible surfaces yet
Less IT workforce needed Loss of company’s independence
Installation / upgrading time
saved
Reaction time reduced
One single business partner
69 / 99
Planning Phase in the Setup Process
Complexity of a problem
• Telecommunications infrastructure
• Security
• Multi-tier software infrastructure
• Maintenance
small big
Bank size?
mid
70 / 99
Services offered by ASPs
Online personal banking
(account information,
OPB
OPB transfers, deposits, …)
RA
RA OCM
OCM
Online cash
management for
TBS
TBS BP
BP companies
Bill payment
Check payment
SCS
SCS ASP
ASP CHP
CHP Card payment solutions
Insurance services
Web presentation
WPA
WPA CDP
CDP design, hosting,
administration
WPH IS Security services
WPH IS
WPD
WPD Testing of electronic
business software
71 / 99
Choosing Strategic and Tech Partners
Choosing the right ASP is the most
important task in the setup procedure
An
An ASP
ASP must
must
Be
Be an
an expert
expert for
for Internet
Internet access
access Have
Have experience
experience in
in electronic
electronic business
business
Have
Have aa secure
secure and
and fault-tolerant
fault-tolerant LAN
LAN Have
Have aa good
good software
software solution
solution
Have
Have well
well educated
educated IT
IT staff
staff
Accessible
Accessible 24
24 hours,
hours, 365
365 days
days
72 / 99
ASPs – The Cost of Downtime
75 / 99
After Initial Introduction of a New Channel
Required tasks after initial introduction of a new channel:
Be
Beinformed
informed
Permanent
Permanent
marketing
marketingcampaign
campaign
Education
Educationof
ofbank’s
bank’sstaff
staff
76 / 99
Education of Staff
Studies show that education of bank’s staff
in using the Internet channel is often incomplete.
Staff should provide answers to FAQ
about using the Internet channel to their customers.
You do it but
(Internet
you don’t
Banking)
think
Education process can itbe
is done
because through:
important
everyoneto does
you. it.
• Courses after the job
• By stimulating staff to use Internet Banking from home
(participating in PC purchase,
obtaining discounts from local ISP)
77 / 99
Permanent Marketing
We have a good solution for Internet banking
but number of online users is very low after initial setup.
What’s wrong?
78 / 99
How To Do Marketing
Organizing education
about Internet technologies
and new banking services
among customers.
79 / 99
Education of Customers
81 / 99
Monitoring Activity on Internet Channel
Feedback support
• customers forms
• e-mail for additional questions/services
82 / 99
Be Informed!
• Competition
(what they offer, what are the complaints of their customers)
• Potential customers
84 / 99
Nature of the Financial Data on the Internet
85 / 99
Searching Services on the Web
We can generally search the Web using three types of searching services:
Subject
Subject Search
Search
directories
directories Engines
Engines
Meta
Meta
crawlers
crawlers
86 / 99
Subject Directories
Examples:
Yahoo!, Lycos, LookSmart, Excite…
87 / 99
Search Engines
Html page
Search Crawler
Engine
Parser
Link
Indexer
URL queue
Query
Word Index
+ URLs
89 / 99
Meta-crawlers
Examples:
MetaCrawler, Dogpile, HotBot, …
90 / 99
Focused Crawling
Focused crawlers visit only topic-specific pages.
standard focused
91 / 99
Search Engines - Comparison
Recent extensive comparison (September 2001) of
search engines conducted by PC World’s staff can be
found on the following URL:
http://find.pcworld.com/11060
Leaders are:
• Google – www.google.com
• Fast – www.alltheweb.com
• Yahoo – www.yahoo.com
• Lycos – www.lycos.com
• Northern Light – www.northernlight.com
92 / 99
Search Engines - Comparison
Directories of search engines can be found on following
URLs:
• Search Engine Guide – www.searchengineguide.com
• Argus Clearinghouse – www.clearinghouse.com
• BeauCoup – www.beaucop.com
• Search Engine Watch – www.searchenginewatch.com
93 / 99
Other Useful Links to Visit
www.streeteye.com/cgi-bin/allseeingeye.cgi,
financial data meta-crawler
www.moneysearch.com,
finance specific directory search
www.dailystocks.com,
excellent financial portal for investors
www.companysleuth.com,
excellent financial portal for investors
94 / 99
Part IV
Conclusion
95 / 99
Conclusion
In this tutorial on e-Banking
we covered many of its aspects:
• You learned what an e-Bank is,
and what the benefits
of e-Banking are
• You familiarized yourself with the
structure of the e-Bank
• You learned how to implement
your own Internet channel
and how to afterwards search for
financial information on the Web
in order to improve your business
• And you have also learned what
possible security problems can
occur and how to fight those
problems
96 / 99
Conclusion in 40 Words
Every bank should implement its Internet channel
(reduced cost of transaction, global connectivity).
Myth: Fact:
The Internet requires little You get what you pay for.
upfront investment.
98 / 99
~ The End ~
Authors:
Nikola Skundric
nikolas@galeb.etf.bg.ac.yu
Prof. Dr. Veljko Milutinovic
vm@etf.bg.ac.yu
Milos Kovacevic
milos@grf.bg.ac.yu
Nikola Klem
klem@grf.bg.ac.yu
99 / 99