Assignment

On
Banking Service & Operation
(EBanking Security, Online Threats &
Defence Module)

Submitted To: Submitted

By:
Dr.Bhavana Sindhu Arunagiri.A
08BSDDU0024
Class 2010
18/11/2009
DEFINITION OF E-BANKING
Electronic banking, also known as electronic funds transfer (EFT),
is simply the use of electronic means to transfer funds directly
from one account to another, rather than by cheque or cash.

VARIOUS FORMS OF E-BANKING:

INTERNET BANKING:
Internet Banking lets you handle many banking transactions via
your personal computer. For instance, you may use your
computer to view your account balance, request transfers
between accounts, and pay bills electronically. Internet banking
system and method in which a personal computer is connected
by a network service provider directly to a host computer system
of a bank such that customer service requests can be processed
automatically without need for intervention by customer service
representatives.

AUTOMATED TELLER MACHINES (ATM):

An unattended electronic machine in a public place, connected to
a data system and related equipment and activated by a bank
customer to obtain cash withdrawals and other banking services.
An automated teller machine or automatic teller machine
(ATM) is an electronic computerized telecommunications device
that allows a financial institution's customers to directly use a
secure method of communication to access their bank accounts,
order or make cash withdrawals (or cash advances using a credit
card) and check their account balances without the need for a
human bank teller. Many ATMs also allow people to deposit cash
or cheques, transfer money between their bank accounts, top up
their mobile phones' pre-paid accounts or even buy postage
stamps. On most modern ATMs, the customer identifies him or
herself by inserting a plastic card with a magnetic stripe or a
plastic smartcard with a chip, that contains his or her account
number. The customer then verifies their identity by entering a
passcode, often referred to as a PIN (Personal Identification
Number) of four or more digits. Upon successful entry of the PIN,
the customer may perform a transaction. If the number is entered
incorrectly several times in a row (usually three attempts per
card insertion), some ATMs will attempt retain the card as a
security precaution to prevent an unauthorized user from
discovering the PIN by guesswork. Captured cards are often
destroyed if the ATM owner is not the card issuing bank, as
noncustomer's identities cannot be reliably confirmed. The Indian
market today has approximately more than 17,000 ATM’s.

TELE BANKING:
Undertaking a host of banking related services including financial
transactions from the convenience of customers chosen place
anywhere across the GLOBE and any time of date and night has
now been made possible by introducing on-line Telebanking
services. By dialing the given Telebanking number through a
landline or a mobile from anywhere, the customer can access his
account and by following the user-friendly menu, entire banking
can be done through Interactive Voice Response (IVR) system.

Credit Card:
A credit card is part of a system of payments named after the
small plastic card issued to users of the system. It is a card
entitling its holder to buy goods and services based on the
holder's promise to pay for these goods and services. The issuer
of the card grants a line of credit to the consumer (or the user)
from which the user can borrow money for payment to
a merchant or as a cash advance to the user.

DEBIT CARD:
Debit cards are also known as check cards. Debit cards look like
credit cards or ATM (automated teller machine) cards, but
operate like cash or a personal check. Debit cards are different
from credit cards. While a credit card is a way to "pay later," a
debit card is a way to "pay now." When you use a debit card, your
money is quickly deducted from your checking or savings
account. Debit cards are accepted at many locations, including
grocery stores, retail stores, gasoline stations, and restaurants.
You can use your card anywhere merchants display your card's
brand name or logo. They offer an alternative to carrying a
checkbook or cash.

E-CHEQUE:
• An e-Cheque is the electronic version or representation of
paper cheque.
• The Information and Legal Framework on the E-Cheque is
the same as that of the paper cheque’s.
• It can now be used in place of paper cheques to do any and
all remote transactions.
• An E-cheque work the same way a cheque does, the cheque
writer "writes" the e-Cheque using one of many types of
electronic devices and "gives" the e-Cheque to the payee
electronically. The payee "deposits" the Electronic Cheque
receives credit, and the payee's bank "clears" the e-Cheque
to the paying bank. The paying bank validates the e-Cheque
and then "charges" the check writer's account for the check.

OTHER FORMS OF ELECTRONIC BANKING

• Direct Deposit
• Electronic Bill Payment
• Electronic Check Conversion
• Cash Value Stored, Etc.

SECURITY THREATS TO EBANKING:

The currently known types of attacks on customer computer
security that must be met include:

Man-in-the-browser – A "Trojan horse" changes the contents of

the form that the customer submits to the bank website. The
change is not noticeable in the form itself. It takes place only in
computer memory. It takes place before SSL encoding.

Man in the Middle - Rogue software is put in place at some

point between the customer computer and the bank web sites
and intercepts all the information transmitted between the
customer and the bank.

Key Logging – Software implanted in the customer's computer

that records all the keystrokes of the customer, providing a
complete record of user IDs, passwords, pin codes, account
numbers and transactions. Sometimes this is integrated with
additional rogue software, and usually it sends the information it
has collected to the hacker.

Phishing – Customer identity details are stolen. Typically, this is

carried out in a place and context removed from the bank web
site, such as a fraudulent e-mail asking for information. Phishing
is essentially an online con game, and phishers are nothing more
than tech-savvy con artists and identity thieves. They use spam,
fake Web sites, crimeware and other techniques to trick people
into divulging sensitive information, such as bank and credit card
account details. Once they’ve captured enough victims’
information, they either use the stolen goods themselves to
defraud the victims (e.g., by opening up new accounts using the
victim’s name or draining the victim’s bank accounts) or they sell
it on the black market for a profit.

In most cases, phishers send out a wave of spam email,

sometimes up to millions of messages. Each email contains a
message that appears to come from a well-known and trusted
company. Usually the message includes the company's logo and
name, and it often tries to evoke an emotional response to a false
crisis. Couched in urgent, business-like language, the email often
makes a request of the user’s personal information. Sometimes
the email directs the recipient to a spoofed Web site. The Web
site, like the email, appears authentic and in some instances its
URL has been masked so the Web address looks real.

The bogus Web site urges the visitor to provide confidential

information — social security numbers, account numbers,
passwords, etc. Since the email and corresponding Web site
seem legitimate, the phisher hopes at least a fraction of
recipients are fooled into submitting their data. While it is
impossible to know the actual victim response rates to all
phishing attacks, it is commonly believed that about 1 to 10
percent of recipients are duped with a “successful” phisher
campaign having a response rate around 5 percent. To put this in
perspective, spam campaigns typically have a less than 1 percent
response rate.
BOT- “Bot” is actually short for robot – not the kind found in
science fiction movies or on the production line in a
manufacturing business. Bots are one of the most sophisticated
types of crimeware facing the Internet today. Bots are similar to
worms and Trojans, but earn their unique name by performing a
wide variety of automated tasks on behalf of their master (the
cybercriminals) who are often safely located somewhere far
across the Internet. Tasks that bots can perform run the gamut
from sending spam to blasting Web sites off the Internet as part
of a coordinated “denial-of-service” attack. Since a bot infected
computer does the bidding of its master, many people refer to
these victim machines as “zombies.”

Site Cloaking – Cloaking fools search engines by disguising one

web site as another.

Session Hijacking – The session is hijacked by unauthorized use

of the cookies deposited by the banking site.

Pharming – Pharming is diversion of traffic from a legitimate site

to a rogue web site.

Cross-Site Scripting – A script is injected to one web site or

web log, but it is operated at a different web site.

OS command injection – Injection of operating system

commands to be carried out at the web site.

SQL Injection – Injection of SQL queries to be executed at the

web site.
Cookie tampering – Information in the cookie is changed to
allow an attack.

Form Tampering (read-only and hidden fields) – Changes

are made in hidden or read-only fields in the HTML form.

Outbound Data Theft – Data sent from the web site are
intercepted for use in attacks. For example, that may include
data about the software installed at the site, version number etc.

Application Denial of Service - Numerous types of attacks

make use of the possibility of entering rogue information in input
fields.

The above survey only highlights the major sources of attacks,

which are constantly multiplying.

BASIC CONTROLS FOR ONLINE BANKING

ENROLLMENT:
A. Identification and Authentication
Assuming that the customer has been properly verified and
accepted at the opening of an account, enrollment for online
banking consists of validating that the person attempting to
enroll is in fact the same one who opened the original account.
This involves verifying the following:

• Basic identity. To verify basic identity, the customer supplies

an account or customer number that was given when the account
was opened. This number must have a PIN associated with it, as
described below. An account or customer number is not
considered to be secret information. It is readily available from
trash, mailings, and is visible to employees. Its only value is in
ensuring that the correct customer has been located on the
bank’s system of record.

• Subsidiary data. These data may be used to “raise the bar”

against a fraudster. The data are not secret in any meaningful
way but may at least require a fraudster to spend additional time
to obtain it. Analysis of failed enrollment attempts (from
insufficient or incorrect subsidiary data) may highlight to fraud
departments that there is an attempt being made against a
certain person or account, but subsidiary data should not be
relied on in the absence of the correct secret data. Typical
subsidiary data might include a Social Security number, name,
address, amount of the latest deposit, or location of the branch
where the account was opened. Note that these data must be
available on the system of record in order to be verified.

• Secret data. The only secret data that are shared between the
customer and the bank is a PIN on an opened account, where the
PIN has been delivered out-of-channel, preferably mailed to the
statement address of the account or selected in a branch. The
PIN should be attached to a specific account, is never visible to
any bank employee, and is stored in an encrypted form in the
system of record.
• Systematic lockout. Systematic lockout by real-time
monitoring controls set on the system’s parameters locks a
person out after two or more invalid attempts to access account
information or transfer funds

The enrolling application, then, requires entry of (1) the basic

identity data, (2) some subsidiary data, and (3) the secret data.
This information is matched to the system of record’s data,
verified through outside databases, and, if verified, the customer
enrollment is accepted. Remember, at this point the customer
should already have passed general account-opening tests, e.g.,
cross-checking phone number and physical address, and these
are not, in general, re-verified here. If enrollment fails, a limited
number of retries should be allowed before the attempt is
terminated and this failure is logged. If the customer is already
enrolled for online banking, the system should prevent re-
enrollment without manual intervention and direct customer
contact.

B. Post Authentication Setup

Once the customer has been verified, he or she should be
required to create an online identity. This is how the customer
will log on in the future. This identity should not include any of
the data required for enrollment and should consist of:
• A self-selected user ID that is used only on the Web site, and
is never printed out for statement mailings, etc. Note that this ID
is not considered secret since it is generally visible to employees.
However, it may raise the bar slightly and pose an additional
knowledge or guess requirement against a potential fraudulent
entry.

• A self-selected Internet password, which should replace the

PIN for Internet authentication since the PIN is generally 4 to 6
digits and as such is far too small to resist a brute-force cracking
attempt. The more characters used in an Internet password, the
more effective it is, so institutions should allow up to 20
characters. Passwords should be stored at the financial institution
in an encrypted format and should never be visible to employees,
including call-center representatives.

C. Operational Controls After Enrollment

Two final steps should be taken after a customer is enrolled in
online banking:

• A “Welcome to online banking” letter should be mailed to

the statement mailing address. This letter informs the customer
to call or email the bank immediately if he or she did not enroll in
online banking. (This will be ineffective as a fraud-prevention tool
if a hijacker has changed the customer’s mailing address
recently.)
• Customer behavior should be tracked for at least the first
30 days to attempt to identify suspicious or out-of-pattern
activities. The customer should be contacted if there is a shift in
behavior patterns, while suspicious behavior (e.g., completely
draining several accounts into one in a short period of time or
attempting to change the account address) should lead
immediately to account blocking and customer contact.
Institutions must not only monitor open accounts for suspicious
activity and unusual transactions, they must also implement the
technological controls that constitute the monitoring and
detection processes.

• Providing back-end controls that can prevent account

takeover scenarios with policies that require user IDs and
passwords to be different.

Some Recent Innovation in EBanking Security:

One Time Password:

A one-time password (OTP) is a password that is only valid for a

single login session or transaction. OTPs avoid a number of
shortcomings that are associated with traditional (static)
passwords. The most important shortcoming that is addressed by
OTPs is that, in contrast to static passwords, they are not
vulnerable to replay attacks. This means that, if a potential
intruder manages to record an OTP that was already used to log
into a service or to conduct a transaction; he will not be able to
abuse it since it will be no longer valid. On the downside, OTPs
cannot be memorized by human beings. Therefore they require
additional technology in order to work.

OTP generation algorithms typically make use of randomness.

This is necessary because otherwise it would be easy to predict
future OTPs from observing previous ones. Concrete OTP
algorithms vary greatly in their details. Various approaches for
the generation of OTPs are listed below.

• Using a mathematical algorithm to generate a new

password based on the previous password (OTPs are,
effectively a chain and must be used in a predefined order).

• Based on time-synchronization between the authentication

server and the client providing the password (OTPs are valid
only for a short period of time)

• Using a mathematical algorithm where the new password is

based on a challenge (e.g., a random number chosen by the
authentication server or transaction details) and/or a
counter.

There are also different ways to make the user aware of the next
OTP to use. Some systems use special electronic tokens that the
user carries and that generate OTPs and show them using a small
display. Other systems consist of software that runs on the user's
mobile phone. Yet other systems generate OTPs on the server-
side and send them to the user using an out-of-band channel
such as SMS messaging. Finally, in some systems, OTPs are
printed on paper that the user is required to carry with him.

Mutual Authentication:
Mutual authentication or two-way authentication
(sometimes written as 2WAY authentication) refers to two parties
authenticating each other suitably. In technology terms, it refers
to a client or user authenticating themselves to a server and that
server authenticating itself to the user in such a way that both
parties are assured of the others' identity. When describing online
authentication processes, mutual authentication is often referred
to as website-to-user authentication, or site-to-user
authentication.

Typically, this is done for a client process and a server process

without user interaction.

Mutual SSL provides the same things as SSL, with the addition of
authentication and non-repudiation of the client authentication,
using digital signatures. However, due to issues with complexity,
cost, logistics, and effectiveness, most web applications are
designed so they do not require client-side certificates. This
creates an opening for a man-in-the-middle attack, in particular
for online banking.

Thank You