Internet banking has become widely popular among consumers. There is much debate as to whether internet banking systems are secure. This essay argues that the client, the data transport and the bank’s server are all important players in internet banking security. It demonstrates some vulnerabilities of these sections and shows successful solutions, and concludes that the risks of using an internet banking system can be restricted.
There has been much discussion of whether bank systems are able to prevent the risks of offering consumers the opportunity to conduct their banking activities over the internet, and of whether banks’ customers are ready to start using the internet to access their banking records.
Online electronic banking systems give customers the opportunity to interact with their banking records. Customers can easily access their records and carry out activities such as money transfers between their accounts, retrieving an account balance, retrieving an account history, bill payment, stock market transactions and other activities. As with any other system, e-banking has evolved. It started with the Automated Teller Machine (ATM), the first well-known system, which allows customers to use banking services via a friendly graphical user interface. In the next step, customers managed their accounts using phone banking. Then the internet provided a new way for bank systems and customers to interact, through a friendly browser interface. Currently, mobile phones can also be used to perform electronic banking.
Hole et al (2006) point out that banks encourage their customers to use online banking in order to save costs and reduce their staff. They suggest that banks’ customers seem to believe that internet banking is safe because their banks have told them so.
However, Claessens et al (2002) estimate that saving money is not the case for banks; rather, the trend among banks is to offer customers online services 24 hours a day, 7 days a week, with a level of security standards.
This essay attempts to investigate whether online banking has developed to become generally secure. It will argue that, in terms of internet banking security, three sections play an important role: the client side, the data transport (the communication between client and server) and the server side. If these sections, or any one of them, have any weakness, then the data is insecure. However, there is always some risk even when these sections are generally secure.
In order to demonstrate this, the essay first describes client side problems and how to overcome them. Then the security of the communication between client and server is discussed. Finally, the essay addresses server issues and how these issues are avoided.
1. Client side issues
This section attempts to identify some particular problems in client side security. In order to highlight these problems, the internet banking structure is defined first. Then some problems users might face, and some solutions to them, are addressed. In this essay the term "user" refers to a physical person, while the term "client" refers to the machine and software used by the user.
1.1 Internet banking structure
It is clear that there are two parts to the internet banking structure: the user and the bank. Once the user has a PC and a network connection, the most common way to connect to the bank’s server is a Web browser, although some banks offer an alternative application, more secure and reliable, to communicate with their customers, called a "stand-alone client/server application" (Claessens et al, 2002). They comment that, to avoid the problems and security vulnerabilities of the client’s Web browser, banks often deploy a Java applet that can be downloaded from the bank’s website. It is widely believed that this applet, a small piece of software code that executes in the client’s browser, provides extra security. Another advantage of downloading a Java applet is that clients automatically receive new updates of the software (Claessens et al, 2002). In other words, banks do not need to deploy new updates in the old-fashioned way. The standard protocol most often used for communication between the browser and the bank’s web server is Hypertext Transfer Protocol Secure (HTTPS). Claessens et al (2002) note that this protocol is used to provide security both in the "stand-alone application" and in an ordinary client browser.
However, Hole et al (2006) point out that there is a weak link between the client’s browser and the Java applet. They suggest that this weak link might allow attackers or fraudsters to steal users’ banking account details. Nonetheless, the Java applet has been developed to fix vulnerabilities by Netscape lab (Netscape Lab, 2008). Moreover, users are often advised to install firewall and anti-virus software on their PCs and to make sure that both are kept up to date. However, there is always risk even though anti-virus and firewall software has been installed, such as phishing email scams, keylogger programs and other hazards. Therefore, it seems that the Java applet or stand-alone application still presents some hazards in the internet banking system.
1.2 Phishing email scams and Keylogger programmes
A phishing email is a fraudulent email that users receive, asking them to confirm information such as their internet banking user ID and password (Hole et al, 2006). The aim of such an email is to obtain the user’s log-in details, either because the user replies with them or because the email directs the user to a spoofed website; someone else can then access the user’s account.
Hole et al (2006) point out that this issue is subject to controversy between those who are against using internet banking and those who are for it.
Another problem that supports those who are against using internet banking is keylogger programmes (Loscocco, 1998). A keylogger programme can be identified as a virus that records any key pressed on the user’s keyboard. As a result, an attacker can exploit this type of program to obtain sensitive information.
However, it seems reasonable to suggest that fraud exists in real life too, not only in the cyber world. Moreover, users can protect themselves against phishing by following the instructions given by their banks (Ghosh, 2000). Nonetheless, it is clear that phishing email scams and keylogger programmes are considered a serious problem; therefore, they can affect the security of the client.
1.3 Attraction versus security
Another problem of internet banking security is that bank systems normally provide minimum levels of security for the client side and rely on client software that is already available (Hole et al, 2006). Hole et al (2006) also suggest that this makes the internet banking service more attractive, but it might affect the level of security the service offers. A further problem in terms of internet banking security is that typical client platforms are often very vulnerable (Loscocco, 1989). He therefore suggests that a vulnerable client platform is subject to attack more than the server platform because it is the weak link.
However, as mentioned above, an up-to-date Java applet or stand-alone application downloaded from the bank’s website seems to provide extra security. Moreover, the hazards of using internet banking should be explained to users. Nonetheless, there is always risk, but with security in place it can be overcome to a certain extent.
2. Data transport issues
This section focuses on the security of the communication between the client and the bank’s server as an important part of internet banking security. Secure Sockets Layer (SSL) technology is presented. Some other issues, such as spoofed web sites, Certificate Authorities and other matters related to the security of the communication between the client and the bank’s server, are addressed.
2.1 Secure Sockets Layer (SSL)
The communication between a client and a server on the World Wide Web is inherently insecure (Ghosh, 2000). He explains that when a message (or packet) travels from source to destination through the internet, it is routed by a number of unknown intermediate sites. Consequently, any invisible intermediary can read, destroy or modify the packet. He shows that the most common protocols used to transfer data are the Internet Protocol (IP) and the Transmission Control Protocol (TCP). Moreover, the TCP/IP combination is inherently insecure and gives hackers a chance to read data transmissions between source and destination. Furthermore, TCP/IP does not support data integrity, privacy, confidentiality or non-repudiation. He estimates that TCP/IP was designed in a simple way so as to be compatible with as much of the hardware and software on the internet as possible. It provides reliable delivery of packets but does not provide security (Ghosh, 2000). Confidential data should not be sent unless a secure channel has been established (Ghosh, 2000).
However, Claessens et al (2002) demonstrate that Netscape Lab worked to institute the SSL protocol to establish a secure channel for data transferred between Web clients and Web servers. They also show that SSL is "simply another protocol stack which rides on the top of the TCP/IP stack to provide secure communication, authentication of the server and data integrity of the packet". Ghosh (2000) shows that SSL provides security by encrypting the data sent between a Web client and a Web server. He also shows that the SSL protocol is attached to the protocol stack to secure the packet against hacking that may occur while the packet is travelling through the internet. He further demonstrates that although any intermediary may be able to see the packet in transmission, the encryption scrambles the data so that it cannot be understood.
Nonetheless, SSL provides a secure channel for data communication between client and server but does not secure data that is stored on the client or the server (Ghosh, 2000). Therefore, although the SSL protocol does not present a perfect solution, it can prevent most of the risks that might occur while data is in transmission.
2.2 Certificate Authority
In addition to securing the channel between Web client and Web server via encryption, SSL provides server authentication. This means that when a user visits a bank’s website, the Web client browser is assured that the server has been certified by a Certification Authority (CA). Claessens et al (2002) show that CA certificates are usually built into the Web browser installation. It is clear that the CA approves the identity of the Web server. This means that a user can be sure of the identity of the Web site (or Web server) they interact with. Ghosh (2000) demonstrates that in order to support connection security, trust and authentication, a Web site must register with a certification authority that exists in the CA list in the user’s browser. Once a Web site has registered and its identity has been defined with a CA, the CA then establishes the identity of the web site and its private key (Ghosh, 2000).
However, Ghosh (2002) shows that a CA endorses only the identity of the Web site and not its content. It is possible for a Web site to be registered with a CA under one name and address while presenting itself as another in its content (Ghosh, 2002). To explain further, assume a Web site registered with a CA under the URL www.hscb.org. A user visiting this site, seeing the banner of HSBC bank and seeing that a secure, authenticated session was established (e.g. the lock icon), assumes that the Web site is the official HSBC site (www.hsbc.com), while the site may in fact have been created by an attacker organisation (Ghosh, 2000).
Ghosh (2002) demonstrates that although such situations rarely occur, they have occurred in practice. Therefore, hazards exist in terms of communication security even though the CA attempts to limit them.
2.3 Web spoofing
It is possible to use a "spoofed" web site to fool the user (Ghosh, 2000). He identifies a spoofed web site as a fraudulent web site designed to appear similar to a legitimate web site. He also shows that it is usually created by an attacker organisation in the hope that users will visit it by mistake or by mistyping the address. He also describes another type of Web spoofing, in which attackers occasionally attempt to attack a bank’s web site and forward its internet traffic to their own web sites. These web sites are very similar to the official bank web site, and they then attempt to take the user’s banking details.
Ghosh (2000) demonstrates that an attacker organisation has the ability to capture, modify or drop Web requests, because Web requests and returned Web pages might be handled by the attacker organisation’s web sites (see section 2.1). Consequently, all Web requests from a user’s browser might be watched and altered. Ghosh (2000) illustrates how users can be led into a shadowy web site as follows: first, an attacker attempts to attract a user to visit the attacker organisation’s web site. Once the user has accessed the attacker’s Web site, every web site accessed from the attacker’s page can then be traced during the same session.
However, it seems that users can detect this kind of Web spoofing attack by checking the certificate of the Web site. Moreover, users should always pay attention to the URLs when they connect to Web sites. Furthermore, banks often make users aware of "spoofed" Web sites. Nonetheless, it seems reasonable to suggest that an inexperienced user might log on to a "spoofed" web site. Therefore, it is clear that "spoofed" web sites bring another risk to using the internet banking system.
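The www.hscb.org scenario in section 2.2 and the URL check recommended in section 2.3 come down to the same test: does the host in the address bar belong to the bank's genuine domain, which the certificate and lock icon alone do not tell the user. The following is an added example, not code from the essay or its sources; the bank domain is an assumed value, and the "lookalike" rules (reused brand label, permuted letters, one edit away) are a simple heuristic chosen for illustration.

```python
"""Lookalike-domain check for the "www.hscb.org" scenario in sections 2.2 and 2.3.

Added example, not from the essay or its sources. A CA-issued certificate and a
lock icon only confirm that the server owns the domain in the URL; this check
compares that domain against the bank's genuine domain, which is what a user
(or a bank-provided browser add-on) must do to catch a lookalike.
"""
from urllib.parse import urlparse

BANK_DOMAIN = "hsbc.com"  # assumed genuine registered domain for the example


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, bank_domain: str = BANK_DOMAIN) -> str:
    """Return "genuine", "lookalike", "other" or "invalid" for the URL's host.

    "lookalike" covers hosts whose labels reuse the bank's brand label
    (hsbc-secure.example, hsbc.com.evil.example), permute its letters
    (hscb.org) or sit one edit away from it (hsbcc.com).
    """
    host = urlparse(url).hostname
    if not host:
        return "invalid"
    host = host.lower().rstrip(".")
    bank_domain = bank_domain.lower()
    # Exact match or a subdomain of the genuine registered domain.
    if host == bank_domain or host.endswith("." + bank_domain):
        return "genuine"
    brand = bank_domain.split(".")[0]
    for label in host.split("."):
        if brand in label or sorted(label) == sorted(brand) or levenshtein(label, brand) <= 1:
            return "lookalike"
    return "other"
```

A bank would pair this with its own list of legitimate domains and with certificate checking, since a lookalike host can still hold a perfectly valid certificate for its own name.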
3. Server issues
This section focuses on the security issues of the bank’s server as an important player in the internet banking system. The methods used to verify the identity of a client, providing extra security in the internet banking service, are presented. Problems the bank’s server may face, such as Denial-of-Service attacks, Distributed Denial-of-Service (DDoS) attacks and brute-force attacks, are discussed.
3.1 Authentication mechanism
The methods used to authenticate the bank’s server have been presented (see section 2.2). However, it seems clear that the bank’s server should also make sure that received data is genuine and comes from an authorised client. Ghosh (2000) shows two techniques, used either singly or together, by which the bank’s server authenticates the client.
He suggests that most banks’ servers depend on the IP address and client host name method to verify the identity of the client. It is widely believed that using the IP address and client host name is one of the most basic techniques for confirming the identity of a client. Ghosh (2000) shows that the bank’s server can use the IP address and client host name to make sure that requests are received from an authorised client by using the Domain Name Service (DNS). The DNS can be used by the bank’s server to check that the client’s IP address and the client’s host name that have been sent are consistent (Ghosh, 2000). It is often argued that the bank’s server, to provide more authentication, can use the DNS table to check that the client’s IP address agrees with the client’s host name. However, there is a particular problem with the IP address and client host name technique which can affect the security of the bank’s server, and it does not present a good level of authentication. The problem, according to Claessens et al (2002), is that attackers can create a fake host name to fool the bank’s server. It is then possible that the bank’s server allows the attacker to access a sensitive Web page as a trusted client. Therefore, this flaw in the IP address and host name technique can cause a significant problem that might affect the security of the bank’s server. Nonetheless, it is clear that banks’ servers overcome this problem by using the SSL protocol.
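The check described above, that the client's IP address and host name agree, is only as strong as the direction in which the DNS is consulted: a reverse lookup alone returns whatever name the address owner chose to publish, which is the fake host name the paragraph warns about, whereas confirming the name forward catches it. The following is an added example, not from the essay or its sources; it uses constructed in-memory PTR and A records in place of real resolvers, and all addresses and names are made up.

```python
"""Forward-confirmed reverse DNS for the IP-address-plus-host-name check in section 3.1.

Added example, not from the essay or its sources. Real resolvers are replaced
by constructed in-memory PTR and A records so the example runs offline.
"""
TRUSTED_SUFFIX = ".clients.bank.example"  # assumed name space of authorised clients

# Constructed reverse (PTR) records. The owner of an address block controls its
# reverse zone, so the attacker at 203.0.113.5 can publish any PTR name it likes.
PTR_RECORDS = {
    "198.51.100.10": "branch7.clients.bank.example",  # genuine client
    "203.0.113.5": "branch7.clients.bank.example",    # attacker-published lie
}

# Constructed forward (A) records. Only the bank controls bank.example, so the
# attacker cannot make the trusted name point back at 203.0.113.5.
A_RECORDS = {
    "branch7.clients.bank.example": {"198.51.100.10"},
}


def reverse_lookup(ip: str):
    """Stand-in for a PTR query."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str):
    """Stand-in for an A query; returns the set of addresses for the name."""
    return A_RECORDS.get(name, set())


def name_only_check(ip: str) -> bool:
    """The weak form: trust the name the reverse lookup returns."""
    name = reverse_lookup(ip)
    return name is not None and name.endswith(TRUSTED_SUFFIX)


def forward_confirmed_check(ip: str) -> bool:
    """Accept only if the PTR name also resolves forward to the same address."""
    name = reverse_lookup(ip)
    if name is None or not name.endswith(TRUSTED_SUFFIX):
        return False
    return ip in forward_lookup(name)
```

Even the forward-confirmed form ties a request to a network address rather than to a person, which is why the paragraph's conclusion that the server must fall back on SSL still holds.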
Claessens et al (2002) show another technique that can be used by the bank’s server to verify the client’s identity: user name and password. It can be said that most banks’ systems rely on the user name and password method in order to authenticate the client’s identity as well as to confirm the client’s requests. User authentication starts by creating a database file of authorised users with their user names and passwords (Ghosh, 2002). He also shows that in most cases this file is stored on the bank’s Web server with user names and encrypted passwords, to keep it away from unauthorised users. Moreover, clients’ user names are often established by the internet banking system administrators, who then allow the client to choose a secret password. However, there are some particular problems in using the user name and password method which can affect the security of the internet banking system, particularly in terms of client authentication. One of these problems is that many users tend to select a password that is easy to remember and also easy to guess, such as their mother’s name, their middle name or their date of birth (Ghosh, 2002). He also suggests another problem with the user name and password method: a cracker can first write a small piece of software code to break into the bank’s server and capture the database file that holds the user names and encrypted passwords, and then run password guessing software that attempts to guess any user’s password. Once any password is guessed, it can be used to access the bank customer’s account and, probably, to change the password or, even worse, to transfer money to an unknown party. Nonetheless, it is often argued that users are advised to pick a complicated password containing a mixture of numbers and characters, which is hard to guess.
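The two defences the paragraph relies on, a password file that cannot simply be read back once stolen and passwords that are not built from a user's own facts, can both be shown on the server side. The following is an added example, not code from the essay or its sources; where the essay's source speaks of "encrypted passwords", this uses the current practice of a salted, deliberately slow hash (PBKDF2 from the Python standard library), and the personal facts passed to the weakness check are constructed.

```python
"""Password storage and weak-password rejection for the user name and password
discussion in section 3.1.

Added example, not from the essay or its sources. A salted PBKDF2 hash replaces
the "encrypted passwords" the essay mentions: a stolen file yields no passwords
directly, and every guess costs the attacker the same slow computation.
"""
import hashlib
import hmac
import os
from datetime import date
from typing import List, Optional

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}  # small sample
PBKDF2_ITERATIONS = 600_000  # chosen for the example; tune to the server's budget


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>", fresh random salt by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_guessable(password: str, personal_facts: List[str],
                 birth: Optional[date] = None) -> bool:
    """True if the password is short, a common word, or built from the user's own
    facts (mother's name, middle name, date of birth) named in the essay."""
    lowered = password.lower()
    if len(password) < 12 or lowered in COMMON_PASSWORDS:
        return True
    fragments = [f.lower().replace(" ", "") for f in personal_facts]
    if birth is not None:
        fragments += [birth.strftime(fmt) for fmt in ("%Y", "%d%m%Y", "%Y%m%d", "%d%m%y", "%m%d%y")]
    return any(len(frag) >= 4 and frag in lowered for frag in fragments)
```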
In conclusion, this essay has argued that, despite the security problems and hazards presented by using the internet to perform banking transactions, users, banks and computer security experts have been significantly involved in practising security methods against those who look over the shoulder. As with any system, the internet banking system has developed to meet security requirements despite the difficulties it faces. Therefore, it is clear that although performing sensitive activities through the internet, such as internet banking, might bring many risks to banks and users, these risks can be limited to a certain extent.
Issues of internet security have long been a problem for governments, organisations and even individuals, as it is a cat and mouse game between legal and illegal organisations. However, it is clear that this game will not finish until a great solution is presented in the future.
Claessens, J., Dem, V. & De Cock, D. 2002, On the Security of Today’s Online Electronic Banking Systems.
Ghosh, K. 2000, E-Commerce Security: Weak Links, Best Defenses.
Hole, J., Moen, V. & Tjostheim, T. 2007, Case Study: Online Banking Security.
Loscocco, A. 1998, The Flawed Assumption of Security in Modern Computing.
Netscape Lab 2008, www.netscape.com
Smith, D. 2006, Exploring Security and Comfort Issues Associated with Online Banking.