Security Challenges in Designing an Integrated Web
Application for Multiple Online Banking
Annie Ai Bee Ng, Nasuha Lee Abdullah
School of Computer Sciences
Universiti Sains Malaysia
11800 USM Penang, Malaysia
annienab@yahoo.com, nasuha@cs.usm.my
Abstract -- Current online banking only allows payment to be
made from a single bank account hence user needs to log in to
several banking sites to settle the dues monthly. Paying
bills/loans from multiple bank accounts in a single login would
provide greater convenience. This paper reviewed the current on
line banking system and discussed the challenges in designing an
integrated web based application for independent personal
financial organizer called I-PFO. I-PFO allows users to settle
their financial commitments from multiple banks in a single
website. It also provides ease of use, tracking due dates,
organizing and personalization. The challenges of such system
are security, value proposition to attract collaboration from banks
and user acceptance. This paper focuses on security solutions for
I-PFO.
Keywords- multiple online banking; personalized financial
organizer; integrated web application; security solution;
integrated one-stop solution;
I. INTRODUCTION
With the rapid growth of online businesses and users,
there appear many clusters of e-commerce applications that
do not physically link to each other in system perspective;
yet, it is inter-related in business perspective. Online
banking has been around since 1980s’ with it first
introduction in four major banks in New York [1]. However,
user acceptance only begin to pick up recently with
Consumer Payment Surveys in United Kingdom (UK)
reporting that 50 percent of regular Internet users in UK
which constitutes of 22 million users are now banking on
line [2]. In Malaysia, online banking was introduced about
10 years ago and Bank Negara reported in 2007 that there
were 4.5 million subscribers [3]. The numbers are increasing
each year as Malaysia continues to upgrade its Internet
infrastructure. Current online banking systems are offered
by individual banks, user with multiple bank accounts is
facing the inconvenience of safeguarding login names and
passwords as well as following different security procedures
adopted by individual banks. Findings reveal that privacy,
security and convenience factors play an important role in
determining the users' acceptance of e-banking services with
respect to different segmentation of age group, education
level and income level [4]. Meanwhile, accessibility, design
and content are sources of satisfaction [5]. In terms of
978-1-4244-6716-7/10/$26.00 ©2010 IEEE
conveniences, there is no updated amount due published to
the users in one single interface. User needs to log in to
several websites to check the amounts due before they could
settle their monthly dues. According to the results of a
survey, 2 out of 7 factors influencing the growth of e
banking are convenience (including internet accessibility
and ease of use) and security [5].
Hence, a secured integrated web application for multiple
online banking services could be the solution in near future.
It will resolve the concerns over security architecture and
provide great conveniences to users. A web-based
application named Independent Personal Finance Organizer
(I-PFO) is proposed.
II. CHALLENGES IN CURRENT ONLINE BANKING SYSTEM
The inconveniences that users face in current online
banking system are as follow.
A. Excessive steps
Supposing a user has a car loan with Bank A but need to pay
the loan using account from Bank B. User needs to login to
Bank A account to check the car loan amount and loan
account number. Next, user needs to login to Bank B
account, key in Bank A loan account number and the loan
amount. Then, requests for a security pin code and wait for
the code to appear in user’s mobile phone, finally, proceed
to final transaction. Besides, user also needs to navigate and
flip through multiple pages and websites before making
payment.
B. Multiple login usernames and passwords
With reference to the above scenario, users will have to
remember various login names and passwords from
individual banks.
C. No due dates tracking
There is no feature in the online banking system to remind
users when the bill/loans are due.
D. No integrated application in one single paage
User is unable to check the list of all finnancial monthly
commitments in one interface. Moreover, user is also unable
to one-click-pay to settle the bills/loans in one single
interface.
E. Discrimination on disable community
Persons who are visually impaired are not allowed to own
ATM cards, credit cards, and online accouunts to perform
banking transaction. This has caused massivve inconvenience
to them, while, some of them are highlyy educated and
knowledgeable in information technology.
III. PROPOSED PRODUCT
I-PFO is a web-based application that allows users to
easily organize and check their perssonal financial
information from multiple banks using one log in. It is an
integrated one-stop solution for the user to pay
p bills or loans
from multiple bank accounts. Apart from thhat it also track
due dates and allow customization and personalization.
Fig. 1 illustrates the proposed technologyy architecture of
I-PFO. I-PFO runs on PHP, FLASH and MySQL M database.
Besides, it also uses Simple Object Acccess Protocol –
Digital Signature (SOAP-DSIG) and Securee Sockets Layer
(SSL) technologies for backend data extraction and
transmission. SOAP is a standard messaginng layer used to
exchange any XML documents [6]. When developing web
services and B2B applications based on SOAP, security
issues are also important [7]. Due to thhis, in business
transactions, the security requirement of non-repudiation
needs to be satisfied. Thus, SOAP-DSIG will fulfil this
requirement. Additionally, SSL will ensure data
confidentiality [7]. Therefore, I-PFO willl adopt SOAP-
DSIG and SSL concurrently.
Figure 1 Technology Architecture of I-P
PFO
(Source: SAP Netweaver, 2004 and IBM, 2005)
The design of I-PFO is aimed at ‘easee of use’. The
design concept of the application is securee, user-friendly,
simple and create value for both user annd banks. It is
designed to appeal to both non-IT and IT- savy
s population.
It extracts up-to-date information in one paage for users to
keep track of their online accounts. With I-PF
FO, users do not
need extensive training to operate and navigaate. Fig. 2 below
showed the interface design of I-PFO.
Figure 2 User Interface
I of I-PFO
IV. CHALLENGEES IN DESIGNING I-PFO
There are various challenges that confront the feasibility
of I-PFO. The most importaant challenge is how to ensure
security. With one login, althhough it creates the much sought
after conveniences, it also poosed a big risk to the user. The
second challenge is how to attract
a banks to collaborate and
allow a third party servicee provider into accessing their
databases. This requires a strong
s value proposition in the
form of product bundling apart from the comprehensive
design of the system. The thhird challenge would be how to
attract user to subscribe to such a service. Research using
Technology Acceptance Model (TAM) on factors
influencing the subscriptionn of a new system would be
required. For the purpose of this research, it will only
address the security issue forr I-PFO.
V. SECURITY SOLUTION FOR I-PFO
In order to reinforce seecurity system in e-commerce
software, the vulnerability points of a system where the
attackers commonly target have
h to be identified [8]. Using
an analogy of a house, the vuulnerability points would be the
entry and exit doors as well as
a windows.
A. Using Threat Model for I-PFO
I Security Development
Solution
When designing and deveeloping a system, it is important
to identify all the possible attack
a threats in the server [8].
Taking the same example off a house, the burglar will most
likely come in through the windows or the doors. Therefore,
the threat model seeks to t identify these points and
implement defense strategiees to protect the house. IBM,
which is the giant IT consuulting firm in United States has
proven track record of provviding trusted security services
and solutions. Therefore, Figg. 3 shows the threat model that
is adapted from IBM researchh paper [9]. The number ‘1’ and
‘2’ shows the possible attackk points of the house.

Figure 3 Threat models
(Source: IBM, 2005)
B. Security Solution for I-PFO
There are many challenges in the process of developing
a secure system for consumers. The biggest challenge is to
balance between convenience and protection, which usually
do not go well together. Thus, I-PFO will adopt the threat
model as a base to develop the security solution. Based on
best practices in today’s e-commerce site (e.g. Maybank,
CIMB), recommendation strategies by leading IT
organizations (e.g. Cisco, IBM), and research journals by
experts, and risk mitigation strategy, I-PFO will use the
most competitive security model.
Most security technologies address just one layer of
protection, leaving weak points in other layers that may be
vulnerable to attacks [10]. Thus, I-PFO would implement
multi-layered security protection, be it on technical and non-
technical solutions for the best protection possible. The
following is the list of solutions that I-PFO plans to use:
• I-PFO Identity Protection and Validation
Infrastructure will use the combination of username,
password, and TAC as authentication. It combines the
concept of something you know (a username and password)
with something you have (a credential with a one-time
password) [11]
• I-PFO Site authentication (with SSL certificate)
helps consumers verify that they are on the correct Web site,
and not an imposter or phishing site [12].
• Risk-based authentication (Fraud Detection
Service) learns how each user behaves and requires
additional authentication when a fraud risk is detected [13].
• Server Firewall to ensure that requests can only
enter the system from specified ports, and in some cases,
ensures that all accesses are only from certain physical
machines [14].
• User education is important to make them aware of
various online threats, so that they can make a good
judgment in all aspects of security issues in order to make
the system as secure as possible [8].
C. I-PFO Identity Protection and Validation Infrastructure
Authentication is the process of identifying genuine
users logging into I-PFO. In the market today, there are
many ways to authenticate an individual; it depends on who
is the audience, how they access to the site’s services, and
what are the risks when they do [11]. For I-PFO, easy,
flexible and convenient ways are the best solutions. Thus,
based on the best practices from the banks today, I_PFO will
adopt authentication security solution from VeriSign.
I-PFO identity protection and validation infrastructure is
the authentication infrastructure that combines something
that user knows (username and password) with one time
credential that is TAC (6-digit code) that is sent to user
through hand phone. A TAC would expire upon user
logging out from the account. This validation would take
place before user can perform any transaction in I-PFO. Fig.
4 shows the authentication infrastructure adopted from
VeriSign [11].
Figure 4 I-PFO Authentication Infrastructures
(Source: VeriSign, 2010)
D. I-PFO Site Authentication
Site authentication helps consumers to ensure that they
are on the genuine I-PFO site. The padlock icon and https://
in the browser show the site secured with SSL Certificate
and it will encrypt consumer’s information during
transmission and extraction. Fig. 5 and 6 show sample of
secured website with SSL certification [12].
SSL certificates provide a private communication
protocol that encrypts data between the user’s computer and
the site’s server [12]. When SSL-protected page is
requested, the browser identifies the server as a trusted
entity and initiates a handshake to pass encryption key
information back and forth [12]. With this, hacker sniffing at
potential networks cannot read the contents.
Government certified authority would issue the SSL
certificate to the server. When a request is made from the
user’s browser to the site’s server using https://.., the user’s
browser checks if the site has a certificate it can recognize.
If a trusted certificate authority does not recognize the site,
then, the browser issues a warning as shown in Fig. 7 [9].
Figure 5 I-PFO website with secured SSL Certification

Figure 6 Secure Icon in Microsoft Internet
(Source: VeriSign, 2010)
Figure 7 Warning to user
E. Risk-based Authentication / Fraud Detection Service
(FDS)
If a user logs on and attempts to perform actions that he
is not entitled to perform, the system locks the account as it
indicates illegal intrusion. In other words, if it exceeds the
risk threshold, the intervention engine will be invoked [13].
Internal monitoring team will immediately look into it and
resolve the issue. The rules and behavioral engine will help
to provide early warning of attacks such as malicious
intrusions, non-legitimate network traffic, and malware
sources to that may cause potential denial of service (DoS)
attack. Fig. 8 shows the flow of risk based authentication
adapted from VeriSign Security Solution [15].
Figure 8 I-PFO Risk Based Authentication / Fraud Detection Service
(Source: VeriSign, 2010)
F. Server Firewall
Server firewalls ensure that all requests can only enter
the system from specified ports, and ensure that all accesses
are only from certain physical machines [8]. I-PFO will
adopt the server firewall model from IBM security solution,
where a demilitarized zone (DMZ) using two firewalls will
be setup. The model is as shown in Fig. 9 [14].
The outer firewall has ports open to allow ingoing and
outgoing HTTPS request. This will allow the client/user
browser to communicate with the server. A second firewall
sits behind e-commerce servers. This firewall is more
stringent, allowing only requests from trusted partners’
servers on specific ports. This is a good model when I-PFO
interfaces with banks and other institutions to ensure that all
necessary security is enforced. Both firewalls are with
intrusion detection software to detect any unauthorized
access attempts.
Figure 9 I-PFO Server Firewall
(Source: IBM, 2005)
G. User Education
No matter how advanced the technical enforcement in
the system, the site is only as secure as those who use it
[15]. Just like a house, one can have the most expensive and
sophisticated grill and lock installed, but if the owner
carelessly leaves the door unlocked, exposing the house
regardless of the level of security available. Same
explanation applies to online systems that if the users choose
a weak password and do not keep their password
confidentially, they expose themselves to various threats and
attacks. Therefore, user needs to use good judgment when
giving out confidential information, and be educated about
possible phishing fraud and other social engineering or
online attacks.
VI. PROPOSED OPERATION FLOW OF I-PFO
Fig. 10 shows the proposed operation flow of I-
PFO using selected security measures.
 VII. CONCLUSION
User Interface Backend System Security Framework
The concept of I-PFO may not sound feasible at
Start
present in view of the various challenges mentioned
Server Firewall above. Nevertheless, it proposes the convenience that
protection
any user would like to have in near future. More
First
researches need to carry out to address all other
authentication:
User key in the
I-PFO username and obstacles.
password
username, and
authentication
password. ACKNOWLEDGMENT
The authors would like to thank the School of
Second
authentication:
System receives
request and sends TAC
I-PFO one time Computer Sciences, USM for organizing the writing
credential
User requests TAC to user’s hand phone.
authentication, workshop under the APEX incentive grant that provides
6-digit TAC the platform to produce this paper.
User keys in the I-PFO Fraud REFERENCES
TAC in I-PFO. Detection Service
[1] Mary J Cronin, Banking and Finance on the Internet, New
York Van Nostrand Reinhold, 1997.
[2] Kirky, Online Banking exceeds 50% usage by internet user,
No Terminated.
2010, http://www.onlinebankingreviews.co.uk/ (accessed 14 Feb
System
Log for risk
I-PFO Identity 2010).
Identity protection &
Verification investigation. [3] Yee YY, Yeow PHP, “User acceptance of internet banking
validation
service in Malaysia”, WEBIST 2008, LNBIP 18, pg295-
306, 2009.
Yes
[4] Poon, “Users’ Adoption of E-banking Services: the
User checks Systems ref resh and
Malaysian Perspective”, Journal of Business and Industrial
his/her extract the updated SOAP-DSIG- SSL Marketing, Vol.23, No.1, pp.59-69, 2008.
personalize data and publish in
the I-PFO.
protection for data [5] Poon and Tan, “Spread of E-Banking in Malaysia: A
f inancial page.
extraction Consumer Perspective”, The ICFAI university Journal of
Bank Management, Vol.VII, No.4, pp.71-84.
[6] SAP Netweaver, SOAP-Based Transfer of Data,
No <http://help.sap.com/saphelp_nw04/helpdata/EN/80/1a627ee0721
Due date >= X
Nothing 1d2acb80000e829fbfe/frameset.htm>, 2004 (accessed 14 Feb
days? 2010).
[7] Satoshi Hada, SOAP Security Extension: Digital
Yes
Signature,<http://www.ibm.com/developerworks/webservices/li
Notes: brary/ws-soapsec/>, 2001 (accessed 14 Feb 2010).
For example, if Blinking "DUE"
the current bill [8] Dieter Gollmann, “E-commerce Security”, Computing & Control
due is DIGI, I- Engineering Journal, vol. 11, pg. 4, 2000.
PFO shows
blinking “DUE”. [9] Darshanand Khusial, Ross McKegney, E-Commerce Security:
Server Firewall
Attacks and Preventive Strategies,
protection
<http://www.ibm.com/developerworks/websphere/library/techartic
les/0504_mckegney/0504_mckegney.html>, 2005 (accessed 14
User selects DIGI Feb 2010).
icon, then, drag and Server No
Terminated.
drop CIMB icon authenticate
Log for risk I-PFO Fraud [10] IBM Redguide, Introducing the IBM Security Framework and
near DIGI icon or correct Detection
vice versa. partner?
investigation.
Service IBM Security Blueprint to realize Business-driven Security,
<http://www.ibm.com/developerworks/wikis/display/IBMSecurity
Blueprint/IBM+Security+Framework+Page>, 2009 (accessed 14
Yes Feb 2010).
[11] VeriSign, VeriSign Identity Protection (VIP)
I-PFO interf ace with SSL Certification Network,<http://www.verisign.com/authentication/consumer-
partner's f or secured protection for
payment transf er. (The
authentication/shared-authentication-network/index.html>,2010
interfacing with
correct user account partners
(accessed 14 Feb 2010).
inf ormation is sent f rom
CIMB to DIGI) [12] VeriSign, Secure Socket Layer (SSL): How It Works,VeriSign,
<http://www.verisign.com/ssl/ssl-information-center/how-ssl-
security-works/index.html>, 2010 (accessed 14 Feb 2010).
“Transaction Success”
Yes [13] Li Bo, Xu Congwei, “E-commerce Security Risk Analysis and
and the summary
Transaction Management Strategies of Commercial Banks”, International
report is published. success?
Forum on Information Technology and Applications,
vol.1, pg.423, pg.424, 2009.
“Transaction Fail” and
No
[14] Han Zhang, Gerald Weber, William Zhu, Clark Thomborson,
the summary report is
published. “B2B E-Commerce Security Modeling: A Case Study”, vol.2,
pg.1, 2006.
[15] Ge Qingping, Feng Li, Yang Li, “Probe into E-commerce
Figure 10 Operation Flow Chart of I-PFO Security Technology”, 2009 International Forum on Computer
Science-Technology and Applications, vol.2, pg. 426, pg.427,
pg.428, 2009.