Framework for internet banking security

Abstract

The way customers are using financial services is changing rapidly. Today’s financial services are characterised by individuality, mobility, independence of place and time, and flexibility. The Internet, based on client server technology, has facilitated this change. Financial services companies are using the Internet as a new distribution channel, offering complex products at lower transaction costs to more potential customers. This also allows customers to access the service from any part of the world at any time, which they are doing through a range of intelligent information access and processing devices which include PDAs and mobile phones. Financial institutions can use the Internet for information presentation and two-way communication, interaction with the user and transaction banking. It offers banks a new channel for sales and customer contact and has thrown up a new form of competition in the shape of banks which have no physical presence. Banks which operate only on the Web can build their business systems from the ground up, without worrying about legacy systems. They also have low overhead costs in terms of real estate, physical infrastructure, and sales force. However, big brick-and-mortar banks have, over the years, built the brand equity that prospective customers trust. In the traditional banking systems, the advantage of physical location and person-to-person interactions help to establish trust. While the online banking industry is growing rapidly, it appears that customers are still wary about online banking services. In assessing its Internet banking planning process and arriving at a road map for Internet banking, a bank must, among other things, consider whether it is consistent with the bank’s overall strategic goals and plans, conduct a cost-benefit analysis of Internet banking activities, evaluate its expertise and technical training requirements, consider the commitment of its people, particularly the senior management and the legacy systems, understand the laws and regulations pertaining to Internet banking and E-commerce, and above all, evaluate security risks, threats, and vulnerabilities. Why the Internet is Vulnerable Many early network protocols that now form part of the Internet infrastructure were designed without security in mind. Without a fundamentally secure infrastructure, network defence becomes difficult. Furthermore, the Internet is an extremely dynamic environment, in terms of both topology and emerging technology. Because of the inherent openness of the Internet and the original design of the protocols, Internet attacks in general are quick, easy, inexpensive, and may be hard to detect or trace. An attacker does not have to be physically present to carry out the attack. Attacks can be launched from anywhere in the world and the location of the attacker can easily be hidden. Nor is it always necessary to break into a site to compromise confidentiality, integrity, or availability of its information or service. Since much of the traffic on the Internet is not encrypted, confidentiality and integrity are difficult to achieve. This situation undermines not only applications but also authentication and non-repudiation. The rapid growth and use of the Internet also contributes to its vulnerability. In order to reduce the time to market, developers do not adequately ensure proper security mechanisms. Installation of off-the-shelf, insecure operating systems compromises the security of the operating system greatly. Often these sites are not fully configured from a security perspective before connecting. There is a lack of well-trained and experienced people to engineer and manage the network in a secure manner. The CERT statistics 1988-98 show that security incidents on the Internet have been growing proportionally to the growth of the Internet.