Tuesday, May 5, 2020

Electronic Banking Security Issues free essay sample

E-Banking: Security Issues

Presentation of the Case

I. Point of View

The Philippine National Bank (PNB), the country’s first universal bank, is the fifth largest private local commercial bank in terms of assets as of December 31, 2009. Through the years, PNB has led the banking industry with its pioneering efforts in the Remittance Business for Overseas Filipino Workers (OFWs) as well as the introduction of many innovations such as the Bank on Wheels, computerized banking, ATM banking, mobile money changing, Domestic Travelers’ Checks, and on-line electronic data processing. PNB has the biggest number of overseas offices and one of the largest domestic branch networks among local banks.

PNB Internet Banking is one of the electronic channels offered to PNB account holders. It allows you to perform routine banking transactions such as paying your bills, transferring funds and inquiring about your account balance securely through the Internet. It is a facility through which clients can securely and effectively take control of their corporate finances over the Internet. It also allows users to manage multiple employee access to accounts in accordance with internal policies.

The implementation of a successful e-banking strategy is far from straightforward, as there are numerous inherent difficulties and barriers. The Internet as a channel for service delivery is fundamentally different from other channels such as branch networks or telephone banking. Therefore, it brings its own unique challenges that require innovative solutions. Thus, a logical step for the management of banking-related organizations is to fully understand the organizational barriers inherent in e-banking. The Internet has not only created previously non-existent opportunities for cost-effective, always-available financial services; it has also increased the significance of a number of risks which did not exist or were not significant in the past.
Furthermore, a number of change management issues usually associated with any new technology implementation are compounded because some applications, such as e-banking, have a greater and more immediate impact on the organization. This study will discuss some of the most common problematic issues in e-banking implementation and management. The main focus will be on those issues which pose considerable risks to e-banking projects and may prevent banks from achieving their desired e-banking related goals. These include: traditional structures which some banks still have and which are unable to respond with the agility required for e-banking, resistance from employees, legacy systems which are an obstacle to the integration of systems, security issues, new and complex regulatory issues, and project management problems.

II. Statement of the Problem

The study aimed to determine the effective way of accessing Internet banking and securing the account holder’s account. Specifically, it sought answers to the following questions:

1. How secure is Internet Banking?
2. Can anybody else access one’s accounts through Internet Banking?
3. Is it advisable to access Internet Banking in public areas?

III. Objective

The study’s view is that to deal with these emerging threats effectively, financial institutions need as a minimum to have:

• Assurance of security and confidentiality
• Protection against unauthorized access or use
• Protection against anticipated threats or hazards

IV. Area of Consideration

SWOT ANALYSIS: E-BANKING

Strengths

• Customer access to information 24 hours a day
• Timely access to information
• Ability to offer a customer more than one method of retrieving information
• Sophisticated technology systems
• Diversity helps to capture different types of market
• The ability to cut internal cost due to advanced technology
• Increased efficiency due to automation
• Increased accuracy of banking transactions

Weaknesses

• High cost of service
• Continually changing customer wants and needs
• Hostile feelings of employees due to possible pending layoffs caused by automation
• Multiple options for the customers
• Initial investment in technology will be expensive
• Attacks by hackers

V. Areas of Consideration (Analysis of the Case)

The problems of today’s systems are inherent in the setup of the communications and in the computers themselves. The current focus of security is on session-layer protocols and the flaws in end-to-end computing. A secure end-to-end transaction requires a secure protocol to communicate over untrusted channels, and trusted code at both endpoints. A secure protocol is essential because trusted channels do not exist in most environments. For example, downloading a game off the Internet would be dangerous because Trojan horses and viruses could patch the client software once it is on the local disk, especially on systems like Windows 95 which do not provide access control for files. This leads to the use of software-based and hardware-based protections.

Many systems today use some form of software-based protection. Software-based protections are easily obtained at lower cost than hardware-based protection; consequently, software-based protection is more widely used. But software-based protection has many potential hazards. For software-based systems, there are four ways to penetrate the system.

i. Attacking the encryption algorithms is one possible approach. This form of attack would require much time and effort to break in.

ii. A more direct approach would be brute force: actually trying out all possible combinations to find the password.

iii. A third possible form of attack is against the bank’s server, which is highly unlikely because these systems are very sophisticated.

iv. The fourth possible method, which also happens to be the most likely attack, is to attack the client’s personal computer. This can be done in a number of ways, such as planting viruses (e.g. a Trojan horse) as mentioned above. But unlike traditional viruses, the new viruses aim to have no visible effects on the system, thus making them more difficult to detect and easy to spread unintentionally.

VI. Alternative Courses of Action

Software-Based Systems

In software-based security systems, the coding and decoding of information is done using specialized security software. Due to their easy portability and ease of distribution through networks, software-based systems are more abundant in the market. Encryption is the main method used in these software-based security systems. Encryption is a process that modifies information in a way that makes it unreadable until the exact same process is reversed. In general, there are two types of encryption.

In the first, conventional encryption schemes, one key is used by both parties to encrypt and decrypt the information. Once the secret key is applied, the information looks like a meaningless jumble of random characters. The file can only be viewed once it has been decrypted using the exact same key.

The second type of encryption is known as public key encryption. In this method, there are two different keys held by the user: a public key and a private key. These two keys are not interchangeable but they are complementary to each other, meaning that they exist in pairs. Therefore, the public keys can be made public knowledge and posted in a database somewhere. Anyone who wants to send a message to a person can encrypt the message with the recipient’s public key, and this message can only be decrypted with the complementary private key.
Thus, nobody but the intended receiver can decrypt the message. The private key remains on one’s personal computer and cannot be transferred via the Internet. This key is encrypted to protect it from hackers breaking into the personal computer. Four examples of current encryption technology are presented below: Digital Signature, Secure Electronic Transaction, Pretty Good Privacy, and Kerberos.

1. Digital Signature

The digital signature was first proposed in 1976 by Whitfield Diffie at Stanford University. A digital signature transforms the signed message so that anyone who reads it can know who sent it. Digital signatures employ a secret key (private key) to sign messages and a public key to verify them. A message encrypted with the private key can only be verified with the public key. It would be impossible for anyone but the sender to have created the signature, since he or she is the only person with access to the private key necessary to create it. In addition, it is possible to apply a digital signature to a message without encrypting it. This is usually done when the information in the message is not critical, and it still allows people to know who composed the message. Because the signature contains a so-called “one-way hash” of the message, it is impossible to forge a signature by copying the signature block to another message. Therefore, it is guaranteed that the signature is original.

One example of the use of digital signatures in the electronic banking industry is First Digital Bank. First Digital Bank offers electronic bank notes: messages signed using a particular private key to provide unforgeable credentials and other services such as an electronic replacement for cash. “All messages bearing one key might be worth a dollar, all those bearing a different key five dollars, and so on for whatever denominations were needed.
These electronic bank notes could be authenticated using the corresponding public key, which the bank has made a matter of record. First Digital Bank would also make public a key to authenticate electronic documents sent from the bank to its customers.”

2. Secure Electronic Transaction (SET)

The Secure Electronic Transaction (SET) software system is the global standard for secure card payments on the Internet, defined by various international companies such as Visa, MasterCard, IBM, Microsoft, Netscape Communications Corp., GTE, SAIC, Terisa Systems and Verisign. SET promises to secure bank-card transactions online. Lockhart, CEO of MasterCard, said, “…We are glad to work with Visa and all of the technology partners to craft SET. This action means that consumers will be able to use their bank cards to conduct transactions in cyberspace as securely and easily as they use cards in retail stores today.” [33]

SET adopts RSA public key encryption to ensure message confidentiality. Moreover, this system uses a unique public/private key pair to create the digital signature. The main concerns for the transaction include not only ensuring the privacy of data in transit, but also proving that both the sender and the receiver are who they claim to be. The digital signature is used to achieve this authenticity. A digital signature is produced by first running the message through a hashing algorithm to come up with the message digest. Next, encrypting the message digest with the sender’s private key uniquely identifies the sender of the message. On receiving the message, the receiver decrypts the encrypted message with the sender’s public key. This ensures that the message was actually from the appropriate person. Besides uniquely identifying the sender, the digital signature also ensures that the original message was not tampered with in transit.
The receiver can use the original hashing algorithm to create a new message digest after decrypting the message and compare the new message digest to the original digest. If they match, it can be sure that the message has not been altered in transit.

Although public key encryption and the digital signature ensure the confidentiality and the authenticity of the message, there is still a potential danger in that the information the sender provides may not be real. For example, the sender may encrypt a bank card number which belongs to someone else using his/her own private key. To ensure true authentication, there is a need for a process of certification. A third party trusted by both the sender and the receiver, the certification authority (CA), issues the key pair to the user who provides sufficient proof that he is who he claims to be. One assumption lies in the receiver’s trust that the CA’s own key pairs, which are used in the certification process, have not been compromised.

“Assuming SET will impact the deployment of RSA encryption for home banking and bill payment services online, one might wonder whether the banking industry should just adopt SET for other non-credit card transactions as well. A senior banking executive at a major US bank contends that SET has the capability to allow payments that are not card-based. The processes in SET are not specific to card transactions. They are generic: authentication, certification, encryption and so on.”

3. Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP), created by Philip Zimmermann, is a “hybrid cryptosystem that combines a public key (asymmetric) algorithm with a conventional private key (symmetric) algorithm to give encryption combining the speed of conventional cryptography with the considerable advantages of public key cryptography.” The advantage of PGP is that it does not require a trusted channel for transmitting the encryption key to the intended recipient of your message.
Furthermore, it has the ability to sign messages by encrypting them with the sender’s private key, which cannot be replaced by any other key. Once the receiver has received the message, he/she can then decrypt it with the sender’s public key, which cannot be forged and represents the true identity of the sender.

4. Kerberos

Kerberos is named after the three-headed watchdog of Greek mythology, and it is one of the best known private-key encryption technologies. Kerberos creates an encrypted data packet, called a ticket, which securely identifies the user. To make a transaction, one generates the ticket during a series of coded message exchanges with a Kerberos server, which sits between the two computer systems. The two systems share a private key with the Kerberos server to protect information from hackers and to assure that the data has not been altered during transmission. One example of this encryption is NetCheque, developed by the Information Sciences Institute of the University of Southern California. NetCheque uses Kerberos to authenticate signatures on electronic checks that Internet users have registered with an accounting server.

Hardware-Based Systems

Hardware-based systems offer a more secure way to protect information, but they are less portable and more expensive than software-based systems. A hardware-based security system creates a secure, closed channel in which the confidential identification data is absolutely safe from unauthorized users. Two hardware-based systems are discussed in this section: the Smartcard system and MeCHIP.

1. Smartcard System

The Smartcard system is a mechanical device which has information encoded on a small chip on the card; identification is accomplished by algorithms based on asymmetric sequences. Each chip on the Smartcard is unique and is registered to one particular user, which makes it impossible for a virus to penetrate the chip and access the confidential data.
However, practical limitations in the Smartcard system prevent it from broad acceptance for major applications such as home banking or on-line distribution. One drawback of the Smartcard is that it cannot handle large amounts of information which need to be decoded. Furthermore, the Smartcard only protects the user’s private identification; it does not secure the transfer of information. For example, when the information is keyed into the banking software, a virus could attack the information, altering its destination or content. The Smartcard would then receive this altered information and send it, which would create a disaster for the user. Nevertheless, the Smartcard is one hardware-based system that offers confidential identification.

2. MeCHIP

MeCHIP, developed by ESD, is connected directly to the PC’s keyboard using a patented connection. All information which needs to be secured is sent directly to the MeCHIP, circumventing the client’s vulnerable PC microprocessor. The information is then signed and transmitted to the bank in secure coded form. A closed, secure channel from the client to the bank is assumed in this case. All information which is transmitted and received is logged and verified to ensure that it has not been tampered with. If there are any deviations, the session is immediately terminated. This hardware-based solution offers the necessary security at the personal computer to transfer confidential information.

VII. Analysis of the Courses of Action

VIII. Recommendation

It is safe and secure to transact via PNB Internet Banking. First of all, you will be authenticated via your User ID and password before you are given access to the Internet Banking facility. Make sure that you don’t share this information with anyone. Furthermore, your transactions (sessions) are secured with the highest level of encryption (128-bit SSL) to ensure confidentiality. 128-bit is the most widely used security layer on the Internet today.
Nobody can access one’s accounts through Internet banking unless you give your user ID and password out. By law, the user ID and password allow us to identify you as the valid owner of the account. We advise you to refrain from giving your user ID and password out or writing them down where people could see them. For ADDITIONAL security, you may want to change your password regularly. You should also make sure that your password is hard to guess. Here are some helpful tips for assigning an effective password:

• The password is case-sensitive and should be alphanumeric (a combination of letters and numbers). Combine upper and lower case characters with numbers, e.g., “pAssW123”.
• Use keywords that are known only to you, e.g. a favourite book, author, event, etc.; for example, Harry Potter and the Chamber of Secrets is translated to hpatcos. Just add a number or date to that, too.
• Avoid using easy-to-guess passwords such as names and birthdays.

For added security, it is not advisable to access Internet Banking in public areas like Internet cafes. Should you, however, need to do so, we suggest that you close the browser after logging off. We also advise you to change your password immediately when a private computer is available to you.

3. Conclusion

The providers of Internet banking services must be more responsive to security requirements. While there is no doubt that Internet banking transactions should have layered protection against security threats, the providers should approach security considerations as part of their service offerings. Currently, there are no formal processes in place to determine the level of security provided by these service providers and what minimum standards they should meet. Local financial institutions should consider the above-mentioned recommendations to ensure the confidentiality of customer information. However, there is a cost implication to the above recommendation.
The additional costs are the hardware and software for the card reader and biometric recognition. However, this is indeed a serious matter that needs to be looked into by the relevant authorities in this country. In the long run, the cost involved in implementing better security will be worth it and beneficial to the banking industry.

4. Bibliography

http://www.linkedin.com/company/philippine-national-bank
http://www.pnb.com.ph/index.php?option=com_content&view=article&id=173&Itemid=103
ttp://www.slideshare.net/TDonofrio54/critical-security-and-compliance-issues-in-internet-banking-presentation
http://www.articlesbase.com/college-and-university-articles/security-concerns-in-online-banking-4544020.html

OVERVIEW

Philippine National Bank is a Philippines-based universal bank. The bank provides a full range of banking and financial services to large corporate, middle-market, small-medium enterprises (SMEs), and retail customers, including overseas Filipino workers (OFWs), as well as to t
