INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918

ONLINE BANKING SECURITY ISSUES- A REVIEW

Radha Adinarayanan Jyoti Joglekar
Post Graduate Student Associate Professor
Department of Computer Science, Department of Computer Science,
SAKEC, Chembur, Mumbai SAKEC, Chembur, Mumbai

Abstract

Traditional banking system has been supplanted by internet banking system due to
enormously growing IT in todays world. Online banking which is same as internet
banking or e-banking has not only helped increasing the banks productivity but also
has made transactions easy for customer. Internet is being used as the delivery channel
for customers to conduct their online account banking transactions such as paying bills,
viewing checking and savings account balances, tranferring funds and many more.

Using internet as delivery channel, internet banking has provided its banking customers
a huge advantage of not having to visit banks personally to carry out their account
activities. The security and privacy of customers confidential information is the biggest
concern which the banking industry is facing even today.

Keywords:-Threats to online banking, Security goals Confidentiality, Integrity,

Availability.

Introduction user performs any transaction, the

attacker gets the confidential information
Internet banking is an industry which [2]. In order that the customers do not
allows its customers to interact with fall prey to all these attacks, banks need
their banking accounts through internet to create information security awareness
from virtually anywhere in the world. The for their customers. Attack on customers
features provided by banks are: is committed physically in traditional
banking, but the online banking attack is
1. Balance and transaction history
report. carried out on cyber space called cyber
attack and the perpetrator is known as
2. Transfer money into different cyber-criminal [2].
accounts.
The 3 Security Goals CIA
3. Pay utility bills.
The opportunities for attackers increases
4. Book tickets and many more [1]. as the information systems are becoming
more powerful hence the networks
The main target of attackers has always connecting more resources. These are
been the customers confidential data [2]. the 3 stepping stones to securing data
Attackers make use of variety of ways to also called the security triads.
gather information from online
customers. Hackers make use of 1. Confidentiality:
malware in order to steal the confidential
information of customers. Whenever the
1
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016
 INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918

Ensures that sensitive information is authentication tool inspite of

accessible only to authorized personnel authentication accompanied
[3]. Most common method of ensuring progress of security [7].
confidentiality is data encryption. A
security protocol SSL/TLS over internet Since bank customers make use of
for communications have been used in passwords which are easy to
addition with large other protocols to remember, hence they are often
ensure security [3]. Most commonly very weak.
methods include use of ids and
Increasingly used in banking
password as standard procedure. But
websites [4].
the norm is 2 factor authentication and
the other option is using biometric B. Multi factor authentication:
verification [3]. Confidentiality means
that the sensitive information of the Makes use of 2 or more
customer available on system should be independent security factors for
safe from being accessed by authentication into system.
unauthorized user. Example would be
credit card information, personal Something which is known to user
information of customer. If the (password based authentication).
information is not protected properly
Something which identifies the
then bank will eventually lose its
user (biometric authentication).
reputation and customers [3]. Imagine
the customers bank records it should be Something which belongs to user
accessible to them from anywhere. (token-based authentication) [4]
Failure of confidentiality is known as [7].
breach of information. Once if the secret
is revealed then it cannot be unrevealed. C. Advanced online authentication:
Suppose a banking customers records
are posted on certain public website, Advanced online authentication
then confidentiality of information is mechanism is another technique where a
breached since everyone can know your one high level authentication is provided
bank account number, balance etc [3]. by asking security questions.

Different authentication mechanisms

used are: In this scenario user while
registering his online banking
A. Single factor authentication: account chooses an image and
security questions [5].
Authentication is the point of entry
for banking customers to access Every time the user logins from a
their accounts, making it an different computer ,the user has to
extremely important process. choose the image which he had
chosen at the time of registration
Security level of websites relies and answer the security question.
heavily on their authentication
mechanism strength [4] [7]. If the chosen image and answer
provided by the user matches
Username and password is correctly to the one saved in
generally considered to be common
2
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016
 INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918
database then he is granted
permission to enter password for
authentication [5].
D. One Time Password:
A One Time Password is a
password which is valid only for a
particular login transaction or
session and hence making it not
vulnerable to replay attacks [6].
Therefore if a hacker manages to
record the OTP, he will not be able
to make use of it since it will no
longer be valid.
OTP generation generally make use
of pseudo randomness which is
important else it is very easy to
predict future passwords by
monitoring previous ones [6].
The different mechanisms that can
be used to generate OTPs are:
1. Time Synchronization:-This OTP
generation is based on time
synchronization between the
authentication server and client
which sends the password.
2. Based on Previous Passwords:-
The OTP is generated using some
mathematical calculations based
on previous passwords [6].
3. Based on Challenge:-The OTP is
generated using some
mathematical calculations based
on certain challenge where the
authentication server will generate
a random OTP. [6].
E. Biometric:
The biometric identification
technology has become an integral
part of financial services platform
for security, due to rapid
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016
digitization of banking services
leading to necessity for a stronger
authentication solution.
They are the authenticated
mechanisms that recognize their
banking customers through their
biological traits or characteristics
such as Iris and Voice recognition,
Finger vein patterns, Fingerprints
etc [7].
1.1. Protection against loss of
confidentiality:
Use of access controls and encryption
techniques are used by various
organizations to protect the loss of
confidentiality of sensitive data [8]. For
example the users are first required to
authenticate themselves and then access
to their data is provided to users on the
basis of their proven identity. In short,
access to data is granted via permission.
Users are denied access if no permission
is granted. There are other several
instances where an intruder can access
data without needing to provide his
identity. For example using sniffer, data
sent over wire can be captured [8]. In
addition any data which is on rest such
as on hard disk drive or an usb drive can
be easily stolen and accessed. Using
encryption one can protect data from
loss of confidentiality. Encryption
translates plain text data into cipher text
data. Ciphered data cant be read easily
or intercepted by unauthorized
personnel. AES is an efficient and fast
algorithm which is used commonly to
data at rest [8].
2. Intergrity:
Integrity ensures that data remains
intact and changes to those sensitive
data can only be made by authorized
user [3]. Data is useful only if it is
accurate. System administrators have to
3
 INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918
keep ensuring that data has not been
tampered with. Data that is being
captured must be accurate. Error
checking must be done on regular basis
[3]. This is important because without
this functionality one could easily come
across a situation where an online
banking user wants to pay his utility bill
but he is unable to pay since the bank
records currently doesnt reflect his
previous deposits [3]. Data integrity is
closely related to confidentiality, but the
challenge here is that instead of
protecting the message from only being
accessed, integrity ensures preventing an
intruder from altering a message that is
in transit between the sender and
receiver [3].
Integrity can be compromised
number of ways:
1. Software Deletion.
2. Software Modification.
3. Software Theft [3].
2.1 Protection against loss
integrity:
Hashing is a common way of ensuring
integrity [8]. Hash is a number and the
hashing algorithm calculates a hash
value for a file or for string of data. Hash
values remain the same as long as the
data remains unchanged. MD5 and SHA-
1 are the 2 primary hashing algorithms.
The detection systems check the
information on regular basis. If the hash
values are the same then the data is not
altered and if the hash values are
modified then the data has lost integrity
and is considered suspect [8]. Digital
signatures can be used to send
messages. Hash values are calculated
before the message is being sent and
hash is sent along with the message. The
hash values are calculated again when
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016
the message is received and compared to
original hash values which were
calculated earlier. If the hash values are
different then the message has lost its
integrity. Though the primary goal of
digital signature is to provide non-
repudiation and authentication, it still
protects against the loss of integrity [8].
3. Availability:
Availability ensures that data remains
accessible to online banking customers
24*7 [3]. It is required for the servers to
stay available all the time. Since the data
needs to be accessible by online
customers whenever they require access,
therefore the system administrator
should ensure systems high availability.
in a The aim of high available systems is to
remain available at all times, highly
preventing service disruptions due to
system upgrades, software and hardware
failures and power outages. In the fast
paced world of todays internet banking,
banks without this would find that if its
customers are unable to get to their
of money then the bank would lose their
customers. DOS attacks are very
common today. The primary aim of
DDOS attack is to ensure that the users
are unable to access the website they are
privileged to access. Such downtime will
turn out to be very expensive [3].
3.1. Protection against loss of
availability:
Organizations use primary methods like
fault tolerant systems, redundant servers
and backups inorder to protect against
loss of availability [8]. Fault tolerant
systems are those systems which can
develop a fault, yet tolerate it and still
continue to operate. This is
accomplished using redundant systems
such as redundant servers or drives.
Backup ensures that the customers vital
sensitive information is backed up and
4
 INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918
will be restored incase the original
information becomes corrupt or gets
erased off. Fault tolerant and
redundancies can be implemented at
different levels. Alternate sites can be
used incase an entire location is taken
down by disaster [8].
Consider an example that explains CIA
interrelation: Suppose there are 1000
transactions executing simultaneously. If
an attacker wants to modify a particular
transaction.
1. To modify a particular transaction he
needs to retrieve details of the
transaction, which leads to loss of
confidentiality of information.
2. Once attacker gains access to data,
alterations can be made which leads to
loss of integrity of information.
3. Thus original data will no longer be
available, leading to loss of availability of
information.
Figure 1.Interrelationship between
CIA [3]
4. Threats to Online Banking:
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016
Information can be compromised in a
number of ways and the methodologies
used by online hackers are evolving
constantly.
4.1. Phishing:-
Phishing is a very well known online
fraud [9]. A scam where scamsters fish
for users personal details by sending
them hoax emails claiming to be from
legitimate financial institutions. These
emails are sent in bulk to the recipients
asking them to provide their sensitive
personal information such as their SSN
number, debit card and credit card
details, PIN numbers etc.Emails also
contain certain obfuscated links to the
spoofed web site where the users are
asked to enter their personal details.
Thus phishing is a threat to
confidentiality [2] [9].
Preventive measures:
1. Never respond to emails which request
your personal financial information.
2. Be aware about opening email
attachments and downloading contents
since the source is unknown.
3. Type the URL of banking websites
manually into browser.
4. Suspicious activities should be
reported immediately.
5. Internet banking passwords should be
changed on regular intervals.
6. Keep checking your accounts on
regular basis.
7. Security of the computer should be
enhanced [2] [9].
4.2. Malware:
Software which is designed specifically to
damage a computer or gain access to a
5
 INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918

computer without owners knowledge [9]. 2. Disable unused network.

Basically created by the fraudsters to
collect sensitive information, spread 3. Guard against TCP SYN flooding by
adware and gather money. It generally installing patches [2] [9].
appears on computer in the form of 4.5. Pharming:
unexpected programs, unwanted pop-
ups and malicious other activities. Thus Pharming is a cyber attack where the
it is a threat to confidentiality [2] [9]. attacker redirects certain websites traffic
to another fake website [2] [9].
Preventive measures:
Preventive measures:
1. Report suspicious websites
immediately. 1. Use AntiPhishing Add-ons.
2. Be suspicious about receiving emails 2. Ensure we enter correct spelling in
and attachments from unknown sources. browsers URL to protect against similar
domain attack.
3. Install antivirus and keep them
updated [2] [9]. 3. Verify the certificate of site, whether it
is legitimate or not [2] [9].
4.3. Man-in Middle attack:
Advantages of Online Banking:
MITM is an attack performed by an
intruder where he secretly relays and 1. Round the clock banking.
possibly alters communication between 2
parties who believe they are 2. Most preferred convenient banking.
communicating directly with each other
3. Low cost banking.
whereas the entire conversation is in
control of the Conclusion:
attacker.Eg.Eavesdropping.Also called
Bucket brigade attack[2][9]. Online Banking provides low cost
transactions,24*7 hrs of services, huge
Preventive measures: volume of transactions in minimum time,
transaction facilities from remote and
1. Use encrypted network connections
many more e-banking has become an
(VPN /HTTPS) [2] [9].
integral part of modernized banking. The
4.4. Denial of service: level of risks is high for banks. The main
concern with internet banking is the
DOS attack is an attempt to make a security and privacy of banking
computer resource unavailable to its customers financial sensitive
intended users, by flooding the information that is exchanged between
bandwidth of the victims network or fills the customer and bank. Completely
his email box with spam mails, thus eradicating online frauds, malware and
depriving him of services he is accessible spywares is not certainly possible but
to. Thus it is a threat to data availability early detection and prevention measures
[2] [9]. if taken on time can be useful.
Preventive measures:

1. Route filters needs to be implemented.

6
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016
 INTERNATIONAL JOURNAL OF INNOVATION IN ENGINEERING RESEARCH & MANAGEMENT ISSN :2348-4918

References [8]Available:http://www.pearsonitcertific
ation.com/articles/article.aspx?p=17086
[1] Internet Banking (E- 68.
Banking) Available:
http://www.worldjute.com/ebank.html. [9]Available:https://www.clickssl.net/blo
g/types-of-internet-security-threats-and-
[2] Morufu Olalere, Victor O. Waziri, Idris preventions.
Ismaila, Olawale S. Adebayo and Ololade
O,Assessment of Information Security [10]Available:https://www.linkedin.com/
Awareness among Online Banking pulse/types-internet-security-threats-its-
Costumers in Nigeria, International prevention-mr-ooppss.
Journal of Advanced Research in
Computer Science and Software
Engineering ,Volume 4, Issue 6, June
2014, ISSN: 2277 128X.

[3] CharlesP.Pfleeger and Shari

Lawrence Pfleeger, Security In
Computing (4th Edition),Pearson
Publication,2009.

[4] Maha M.Althobaiti and Pam

Mayhew,Security and Usability of
Authenticating Process of Online
Banking: User Experience Study, 978-1-
4799-3532-1/14, 2014 IEEE.

[5]FreedomBankAvailable:http://www.fre
edombankva.com/pdf/Microsoft%20Wor
d%20%20Advance%20Online%20FAQ.pd
f

[6] Ms. E.Kalaikavitha and Mrs. Juliana

Gnanaselvi, Secure Login Using
Encrypted One Time Password (Otp) and
Mobile Based Login Methodology,
Research Inventy: International Journal
of Engineering and Science Vol.2, Issue
10 (April 2013), Pp 14-17 ISSN (e): 2278-
4721, ISSN (p):2319-6483.

[7] Mahmoud Musa Mohammed and Dr.

Muna Elsadig ,A Multi-layer of Multi
Factors Authentication Model for Online
Banking Services,2013 International
Conference on computing (ICCEEE), 978-
1-4673-6232-0/13,2013 IEEE.

7
VOLUME :03 Issue 05 Paper id-IJIERM-III-V-1465 , Octobrer 2016