Assignment On Banking Service & Operation (EBanking Security, Online Threats & Defence Module)
Submitted To: Dr. Bhavana Sindhu
Submitted By: Arunagiri.A 08BSDDU0024 Class 2010 18/11/2009
DEFINITION OF E-BANKING Electronic banking, also known as electronic funds transfer (EFT), is simply the use of electronic means to transfer funds directly from one account to another, rather than by cheque or cash.
VARIOUS FORMS OF E-BANKING: INTERNET BANKING: Internet Banking lets you handle many banking transactions via your personal computer. For instance, you may use your computer to view your account balance, request transfers between accounts, and pay bills electronically. An Internet banking system is one in which a personal computer is connected by a network service provider directly to a host computer system of a bank, such that customer service requests can be processed automatically without the need for intervention by customer service representatives.
AUTOMATED TELLER MACHINES (ATM): An unattended electronic machine in a public place, connected to a data system and related equipment and activated by a bank customer to obtain cash withdrawals and other banking services. An automated teller machine or automatic teller machine (ATM) is an electronic computerized telecommunications device that allows a financial institution's customers to directly use a secure method of communication to access their bank accounts, order or make cash withdrawals (or cash advances using a credit card) and check their account balances without the need for a human bank teller. Many ATMs also allow people to deposit cash or cheques, transfer money between their bank accounts, top up their mobile phones' pre-paid accounts or even buy postage stamps. On most modern ATMs, the customer identifies him or herself by inserting a plastic card with a magnetic stripe or a plastic smartcard with a chip that contains his or her account number. The customer then verifies their identity by entering a passcode, often referred to as a PIN (Personal Identification Number), of four or more digits. Upon successful entry of the PIN, the customer may perform a transaction. If the number is entered incorrectly several times in a row (usually three attempts per card insertion), some ATMs will attempt to retain the card as a security precaution, to prevent an unauthorized user from discovering the PIN by guesswork. Captured cards are often destroyed if the ATM owner is not the card-issuing bank, as non-customers' identities cannot be reliably confirmed. The Indian market today has approximately 17,000 ATMs or more.
TELE BANKING: Undertaking a host of banking-related services, including financial transactions, from the convenience of the customer's chosen place anywhere across the globe and at any time of day or night has now been made possible by introducing on-line Telebanking services. By dialing the given Telebanking number through a landline or a mobile from anywhere, the customer can access his account and, by following the user-friendly menu, all banking can be done through an Interactive Voice Response (IVR) system.
Credit Card: A credit card is part of a system of payments named after the small plastic card issued to users of the system. It is a card entitling its holder to buy goods and services based on the holder's promise to pay for these goods and services. The issuer of the card grants a line of credit to the consumer (or the user) from which the user can borrow money for payment to a merchant or as a cash advance to the user.
DEBIT CARD: Debit cards are also known as check cards. Debit cards look like credit cards or ATM (automated teller machine) cards, but operate like cash or a personal check. Debit cards are different from credit cards. While a credit card is a way to "pay later," a debit card is a way to "pay now." When you use a debit card, your money is quickly deducted from your checking or savings account. Debit cards are accepted at many locations, including grocery stores, retail stores, gasoline stations, and restaurants. You can use your card anywhere merchants display your card's brand name or logo. They offer an alternative to carrying a checkbook or cash.
E-CHEQUE:
• An e-Cheque is the electronic version or representation of a paper cheque.
• The information and legal framework on the e-Cheque is the same as that of the paper cheque.
• It can now be used in place of paper cheques to do any and all remote transactions.
• An e-Cheque works the same way a cheque does: the cheque writer "writes" the e-Cheque using one of many types of electronic devices and "gives" the e-Cheque to the payee electronically. The payee "deposits" the electronic cheque and receives credit, and the payee's bank "clears" the e-Cheque to the paying bank. The paying bank validates the e-Cheque and then "charges" the cheque writer's account for the cheque.
OTHER FORMS OF ELECTRONIC BANKING
• Direct Deposit
• Electronic Bill Payment
• Electronic Check Conversion
• Cash Value Stored, Etc.
SECURITY THREATS TO EBANKING:
The currently known types of attacks on customer computer security that must be met include:
Man-in-the-browser – A "Trojan horse" changes the contents of the form that the customer submits to the bank website. The change is not noticeable in the form itself. It takes place only in computer memory, before SSL encryption is applied.
Man in the Middle – Rogue software is put in place at some point between the customer's computer and the bank web site, and intercepts all the information transmitted between the customer and the bank.
Key Logging – Software implanted in the customer's computer that records all the keystrokes of the customer, providing a complete record of user IDs, passwords, PIN codes, account numbers and transactions. Sometimes this is integrated with additional rogue software, and usually it sends the information it has collected to the hacker.
Phishing – Customer identity details are stolen. Typically, this is carried out in a place and context removed from the bank web site, such as a fraudulent e-mail asking for information. Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, fake Web sites, crimeware and other techniques to trick people into divulging sensitive information, such as bank and credit card account details. Once they've captured enough victims' information, they either use the stolen goods themselves to defraud the victims (e.g., by opening up new accounts using the victim's name or draining the victim's bank accounts) or they sell it on the black market for a profit. In most cases, phishers send out a wave of spam email, sometimes up to millions of messages. Each email contains a message that appears to come from a well-known and trusted company. Usually the message includes the company's logo and name, and it often tries to evoke an emotional response to a false crisis. Couched in urgent, business-like language, the email often makes a request for the user's personal information. Sometimes the email directs the recipient to a spoofed Web site. The Web site, like the email, appears authentic, and in some instances its URL has been masked so the Web address looks real. The bogus Web site urges the visitor to provide confidential information: social security numbers, account numbers, passwords, etc. Since the email and corresponding Web site seem legitimate, the phisher hopes at least a fraction of recipients are fooled into submitting their data. While it is impossible to know the actual victim response rates to all phishing attacks, it is commonly believed that about 1 to 10 percent of recipients are duped, with a "successful" phisher campaign having a response rate around 5 percent. To put this in perspective, spam campaigns typically have a less than 1 percent response rate.
BOT – "Bot" is actually short for robot, not the kind found in science fiction movies or on the production line in a manufacturing business. Bots are one of the most sophisticated types of crimeware facing the Internet today. Bots are similar to worms and Trojans, but earn their unique name by performing a wide variety of automated tasks on behalf of their master (the cybercriminals), who are often safely located somewhere far across the Internet. Tasks that bots can perform run the gamut from sending spam to blasting Web sites off the Internet as part of a coordinated "denial-of-service" attack. Since a bot-infected computer does the bidding of its master, many people refer to these victim machines as "zombies."
Site Cloaking – Cloaking fools search engines by disguising one web site as another.
Session Hijacking – The session is hijacked by unauthorized use of the cookies deposited by the banking site.
Pharming – Pharming is diversion of traffic from a legitimate site to a rogue web site.
Cross-Site Scripting – A script is injected into one web site or web log, but it is executed at a different web site.
OS command injection – Injection of operating system commands to be carried out at the web site.
SQL Injection – Injection of SQL queries to be executed at the web site.
Cookie tampering – Information in the cookie is changed to allow an attack.
Form Tampering (read-only and hidden fields) – Changes are made in hidden or read-only fields in the HTML form.
Outbound Data Theft – Data sent from the web site are intercepted for use in attacks. For example, that may include data about the software installed at the site, version numbers, etc.
Application Denial of Service – Numerous types of attacks make use of the possibility of entering rogue information in input fields.
The above survey only highlights the major sources of attacks, which are constantly multiplying.
BASIC CONTROLS FOR ONLINE BANKING ENROLLMENT: A. Identification and Authentication
Assuming that the customer has been properly verified and accepted at the opening of an account, enrollment for online banking consists of validating that the person attempting to enroll is in fact the same one who opened the original account. This involves verifying the following:
• Basic identity. To verify basic identity, the customer supplies an account or customer number that was given when the account was opened. This number must have a PIN associated with it, as described below. An account or customer number is not considered to be secret information. It is readily available from trash and mailings, and is visible to employees. Its only value is in ensuring that the correct customer has been located on the bank's system of record.
• Subsidiary data. These data may be used to "raise the bar" against a fraudster. The data are not secret in any meaningful way but may at least require a fraudster to spend additional time to obtain them. Analysis of failed enrollment attempts (from insufficient or incorrect subsidiary data) may highlight to fraud departments that there is an attempt being made against a certain person or account, but subsidiary data should not be relied on in the absence of the correct secret data. Typical subsidiary data might include a Social Security number, name, address, amount of the latest deposit, or location of the branch where the account was opened. Note that these data must be available on the system of record in order to be verified.
• Secret data. The only secret data that are shared between the customer and the bank is a PIN on an opened account, where the PIN has been delivered out-of-channel, preferably mailed to the statement address of the account or selected in a branch. The PIN should be attached to a specific account, is never visible to any bank employee, and is stored in an encrypted form in the system of record.
• Systematic lockout. Systematic lockout by real-time monitoring controls, set on the system's parameters, locks a person out after two or more invalid attempts to access account information or transfer funds.
The enrolling application, then, requires entry of (1) the basic identity data, (2) some subsidiary data, and (3) the secret data. This information is matched to the system of record's data, verified through outside databases, and, if verified, the customer enrollment is accepted. Remember, at this point the customer should already have passed general account-opening tests, e.g., cross-checking phone number and physical address, and these are not, in general, re-verified here. If enrollment fails, a limited number of retries should be allowed before the attempt is terminated, and this failure is logged. If the customer is already enrolled for online banking, the system should prevent re-enrollment without manual intervention and direct customer contact.
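The enrollment flow just described (basic identity, subsidiary data, secret data, a limited number of retries, lockout with logging, and the re-enrollment guard), as an added example; this is not code from the assignment. The in-memory system of record, the sample account, the retry limit of 3 and the PBKDF2 hashing of the PIN are constructed assumptions.

```python
"""Enrollment check with retry limit, lockout and re-enrollment guard.

Added example, not the assignment's own code. The system of record is a
constructed in-memory dict; the retry limit (3) and the PBKDF2 PIN hashing
are assumptions, not values taken from the text.
"""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumption: retries allowed before the attempt is terminated


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The PIN is never stored in the clear (assumption: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SystemOfRecord:
    """Constructed stand-in for the bank's system of record."""

    def __init__(self):
        salt = os.urandom(16)
        self.accounts = {
            "1002003": {                      # account number: not secret
                "ssn_last4": "6789",          # subsidiary data
                "last_deposit": "250.00",     # subsidiary data
                "salt": salt,
                "pin_hash": hash_pin("4831", salt),  # secret data, stored hashed
                "enrolled": False,
                "failures": 0,
                "locked": False,
            }
        }
        self.log = []  # failures and lockouts are logged for the fraud department


def enroll(sor, account_no, subsidiary, pin):
    """Return 'ENROLLED', 'REJECTED', 'LOCKED' or 'ALREADY_ENROLLED'."""
    acct = sor.accounts.get(account_no)
    if acct is None:
        sor.log.append(("unknown_account", account_no))
        return "REJECTED"
    if acct["locked"]:
        return "LOCKED"
    if acct["enrolled"]:
        # Re-enrollment needs manual intervention and customer contact, never self-service.
        sor.log.append(("reenrollment_attempt", account_no))
        return "ALREADY_ENROLLED"
    # Subsidiary data raise the bar but are never sufficient on their own:
    # the secret data (PIN) must match as well.
    subsidiary_ok = bool(subsidiary) and all(acct.get(k) == v for k, v in subsidiary.items())
    pin_ok = hmac.compare_digest(hash_pin(pin, acct["salt"]), acct["pin_hash"])
    if subsidiary_ok and pin_ok:
        acct["enrolled"] = True
        acct["failures"] = 0
        return "ENROLLED"
    acct["failures"] += 1
    sor.log.append(("enrollment_failed", account_no, acct["failures"]))
    if acct["failures"] >= MAX_ATTEMPTS:
        acct["locked"] = True            # systematic lockout after repeated failures
        sor.log.append(("locked", account_no))
        return "LOCKED"
    return "REJECTED"
```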
B. Post Authentication Setup Once the customer has been verified, he or she should be required to create an online identity. This is how the customer will log on in the future. This identity should not include any of the data required for enrollment and should consist of:
• A self-selected user ID that is used only on the Web site, and is never printed out for statement mailings, etc. Note that this ID is not considered secret since it is generally visible to employees. However, it may raise the bar slightly and pose an additional knowledge or guess requirement against a potential fraudulent entry.
• A self-selected Internet password, which should replace the PIN for Internet authentication since the PIN is generally 4 to 6 digits and as such is far too small to resist a brute-force cracking attempt. The more characters used in an Internet password, the more effective it is, so institutions should allow up to 20 characters. Passwords should be stored at the financial institution in an encrypted format and should never be visible to employees, including call-center representatives.
C. Operational Controls After Enrollment Two final steps should be taken after a customer is enrolled in online banking:
• A "Welcome to online banking" letter should be mailed to the statement mailing address. This letter informs the customer to call or email the bank immediately if he or she did not enroll in online banking. (This will be ineffective as a fraud-prevention tool if a hijacker has changed the customer's mailing address recently.)
• Customer behavior should be tracked for at least the first 30 days to attempt to identify suspicious or out-of-pattern activities. The customer should be contacted if there is a shift in behavior patterns, while suspicious behavior (e.g., completely draining several accounts into one in a short period of time, or attempting to immediately change the account address) should lead to account blocking and customer contact.
Institutions must not only monitor open accounts for suspicious activity and unusual transactions, they must also implement the technological controls that constitute the monitoring and detection processes.
• Providing back-end controls that can prevent account takeover scenarios, with policies that require user IDs and passwords to be different.
Some Recent Innovations in EBanking Security: One Time Password: A one-time password (OTP) is a password that is only valid for a single login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that, if a potential intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he will not be able to abuse it since it will no longer be valid. On the downside, OTPs cannot be memorized by human beings. Therefore they require additional technology in order to work. OTP generation algorithms typically make use of randomness. This is necessary because otherwise it would be easy to predict future OTPs from observing previous ones. Concrete OTP algorithms vary greatly in their details. Various approaches for the generation of OTPs are listed below.
• Using a mathematical algorithm to generate a new password based on the previous password (OTPs are, effectively, a chain and must be used in a predefined order).
• Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time).
• Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.
There are also different ways to make the user aware of the next OTP to use. Some systems use special electronic tokens that the user carries and that generate OTPs and show them using a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server side and send them to the user using an out-of-band channel such as SMS messaging. Finally, in some systems, OTPs are printed on paper that the user is required to carry with him.
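The three OTP generation approaches listed above, as an added example rather than code from the assignment: a hash chain that must be consumed in order (a used link can never be replayed), a time-synchronized OTP with a short validity window, and a challenge/counter OTP that binds a server challenge. The shared secret, the 30-second time step, the chain length and the sample timestamps are constructed assumptions.

```python
"""Three OTP schemes: hash chain, time-synchronized, challenge/counter.

Added example, not the assignment's own code. SECRET, STEP and the chain
length are constructed; real deployments provision the secret out-of-band.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret"


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# 1. Chain: each OTP is derived from the previous one (Lamport / S/KEY style).
def make_chain(seed: bytes, n: int) -> list:
    """Return [h(seed), h^2(seed), ..., h^n(seed)]; the client holds this list."""
    chain, cur = [], seed
    for _ in range(n):
        cur = h(cur)
        chain.append(cur)
    return chain


class ChainVerifier:
    """The server stores only the last accepted link h^k and expects h^(k-1) next."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor

    def verify(self, otp: bytes) -> bool:
        if hmac.compare_digest(h(otp), self.anchor):
            self.anchor = otp   # move one link down: the used OTP can never be replayed
            return True
        return False            # replayed or out-of-order link


# 2. Time-synchronized: the OTP depends on the current time step (assumed 30 s).
STEP = 30

def time_otp(secret: bytes, now: int, digits: int = 6) -> str:
    counter = now // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def verify_time_otp(secret: bytes, otp: str, now: int) -> bool:
    # Accept the current step and the previous one to tolerate small clock drift.
    return any(hmac.compare_digest(time_otp(secret, now - d), otp) for d in (0, STEP))


# 3. Challenge/counter: the OTP binds a server challenge (or transaction details)
#    and a counter, so the same challenge cannot be answered twice.
class ChallengeOtp:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def expected(self, challenge: bytes) -> str:
        msg = challenge + struct.pack(">Q", self.counter)
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def verify(self, challenge: bytes, otp: str) -> bool:
        ok = hmac.compare_digest(self.expected(challenge), otp)
        if ok:
            self.counter += 1   # advancing the counter invalidates the OTP just used
        return ok
```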
Mutual Authentication: Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the other's identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication. Typically, this is done for a client process and a server process without user interaction. Mutual SSL provides the same things as SSL, with the addition of authentication and non-repudiation of the client authentication, using digital signatures. However, due to issues with complexity, cost, logistics, and effectiveness, most web applications are designed so they do not require client-side certificates. This creates an opening for a man-in-the-middle attack, in particular for online banking.
Thank You