Internet Banking Security - Essay Example

 Internet Banking Security Proposed Two Factor Authentication Solution Abstract— The three core techniques i.e. password, encryption and firewalls/server security are used in order to provide security to Bank clients. The latest research established a new component that can improve all the existing security related to Internet Banking. Furthermore, the study anticipated a necessity for an extra verification. This is due to the new levels of trust among the clients in financial sectors. In order to provide second level of verification, a model utilizing RFID is planned and projected. The security threats are considered as a main obstruction in expanding internet banking. The customers are alarmed for their online accounts safety and security for transactions. The RFID can enhance the chances of better security implementation. The hackers can use the user name and password of the customers who access their bank accounts via Internet banking. However, RIFD will help to prevent such issues. Index Terms— Internet Banking, RFID, Banks, Credit/Debit Card, Security (key words) I. Introduction The three major techniques are used by Banks to provide security to the customers Password Encryption Firewalls/Server. For the online security, the passwords or user names pays an important role. The password is an important element that ensures verified customers to login to their accounts. On the contrary, the hackers can seize a user name or password while transmission and can utilize to access the customer’s account. A research states that an added authentication method is required because in financial services trust is now redefined. In addition, trust is identified as a significant factor that influences customer’s presence in web-based commerce (Ume-Amen, 2011). Security threats are the main factors that work as a barrier for online banking (Hampton-Sosa, Koufaris 2005). The customers are disturbed about the security and safety issues while using Internet banking options. The improved security measures can re-build the trust in customers that influence them to used Internet banking. II. Internet Banking Security for SME’s For discussing the SME industry interms of Internet Banking Security, we have utilized a typical SME as an example. A. Centralized Database access for sales/customer databases The sales database and customer database are connected to the switch. Every request from the users is redirected to the router, where the router checks the Access Control List (ACL) (Rubin 1989). In this scenario, the accounts staff has permissions to access these servers. However, all the other users on the network are restricted to access these servers. B. Email An SME has configured an email server to provide email facility to the employees. It is connected to the switch. The router analyzes all the email requests, from the inbound network, to decide whether to send it to the LAN interface or the WAN interface. The security factor is handled by the firewall and IDS C. Internet Access Internet access is only provided by the Internet Security and Acceleration (ISA) server. The network administration staff can create access policies on the ISA server to allow or deny Internet access by providing MAC address and IP address of the specific user. In a domain environment, as the SME has a domain environment, usernames that are created on the domain server are sufficient. D. Company Website and Intranet The intranet is available to everyone who is associated with the network. E. VOIP To support VoIP functionality, the VoIP architecture is connected to the public switched telephone networks (PSTN). The router that is implemented within the network will provide digital VoIP support. Moreover, in order to add advanced security, a separate firewall is integrated. F. DNS Server As per the requirements of an SME, a local DNS server is implemented. Active directory server will act as a domain and will also manage user account and provide added security in terms of data management. G. File Server As the employees of SME wants a workplace for storing data for other companies, the presence of a file server is installed for that purpose. H. Accounts and Payroll Data The access list of the router is configured to only allow account staff for accessing these servers. In order to add more functionality to these servers containing critical data, they are segmented separately from the network. I. Customer Database As per the requirements, all the staff needs access to the customer database. This can be achieved by allowing all the users of the network from the ACL of the router. However, anonymous users are not allowed to access the database. J. Wireless Environment for Visitors The wireless network environment for the visitors as they can be connected anytime by providing SSID (Ciampa 2011). As they wireless network is not secured enough internally, the SSID will allow only the specific customer who wish to use the network. K. Training Room A network switch is made available in the training room. Users can connect by providing their credentials that can be verified by the domain. ISA server and Active directory both can be configured to specify the users for allowing or denying the Internet access. L. Internal data to Staff working Off-site As the internet is connected via a DSL Internet connection, the modem can be configured with the port forwarding options in order to provide access to the file server . If off site users want access to the GUI, then remote desktop port forwarding can be considered. For accessing only files, FTP port forwarding can be considered. Router can also be configured for providing access to the offsite staff. M. Intrusion Detection System In order to provide advanced intelligence to the network security, IDS is incorporated within the network. It will sense and monitor the activity and match it to the patterns that are installed in it by the network administration staff. If any unfamiliar activity is noted, IDS will provide notifications and alerts for any possible security breach. N. Redundancy and Failover The switches are interconnected with each other. If any switch fails to respond, the network will still be operational, except from the nodes that are connected to the switch. For future expansions, 16 port switches along with VLAN support are designed. Extra ports will allow integration of workstations, printers or any other useful computing device that will be beneficial for SME. III. Threat and vulnerability of online services In Internet banking, the security threats can be expected from anyone. The hacker can gain access to the network or anyone that has authorized access can also indulge in threat. The threats can be expected from anyone. The motivation and trust are the two main factors on which the Vulnerability related to threat depends. Motivation in threat defines as how much damage can be done to someone. Trust is analyzed by identifying the performance of an organization and their trust level to authorized users and what is the compliance level of acceptable use policies implemented within the working environment. The Internet creates more perilous threats for the users. The failure related to the security system is sated as vulnerabilities. This failure can allow the cyber criminals to gain access to the banking network. Moreover, internal employees are most probable to access data or network services and organizations fails to protect confidential from them (Cole, Ring, 2005). The act can also be unintentional or intentional in some cases. Hackers reply on the reality of organizations who are not able to detect vulnerabilities within their network, inopportunely, they're frequently true (Maximum Security, 2003). Banks utilize many technological methods to secure confidential data of the customers via encryption, firewalls, Intrusion detection systems, as the goal is to protect the financial transactions throughout the network. The research reveals many questions about the security breaches that the banking system is not fully equipped to provide security of bank accounts from the hackers. The vulnerabilties within the system are exploited by only one person uptill now. Likewise, that person bragged on the Internet about transferring $25,000 (US$) from one of the accounts maintaining millions of dollar. Moreover, he also bragged about withdrawing $4500 in cash. (Greenberg & Caswell, 2001). However, in order to prevent many techniques and method are implemented in banks that helps to detect fraud. But the detection system is still not fully effective to trace the illegal activities (Dandash, Phu Dung Le et al., 2007). IV. Online Banking Security mechanism The banks provided their customers an online channel facility to buy the products online via internet banking option (Kondabagil, 2007). Moreover, direct banks also provide the most superior channels. Conversely, not all direct banking clients are using internet banking functions. In fact, many customers still choose the usual way of banking such as telephone banking or ATMs or service terminals (Berger, Gensler 2007). The security issues have become a major concern for internet banking along with usual banking methods. However, every time when the transaction is proceeds, the banks take every possible precaution in order to provide clean and secure information transfer. The Internet banking application related to security is divided into three levels (Doraiswamy, 2009): Primary concern is to provide security for customers information as this data is transferred from customers PC to the Web server. Secondly, security is provided to the area that has Internet banking server along with database including customer’s information. Security measures are implemented in order to prevent illegal users from login through Internet banking option of Website. The Secure Sockets Layer (SSL) security protocol is designed to provide data security among the clients’ browsers and Web servers (Whitman, Mattord 2011). The SSL basically provides data encryption, server verification, message integrity and security “handshake” in order to initiate the connection. However, many banks have established their own techniques to provide security. For instance, the Woof Forest National Bank that is situated in USA has put into practice the “Intelligent Authentication” (IA). This IA tracks down the customers profile, his behavior, IP address, Browser type, timing, frequency etc whenever the customer uses Internet Banking. Thus, when an unusual behavior is identified by the IA tracker, the system needs the customer to answer pre-selected security question in order to proceed further (Singh, 2012). This provides a second level of security to the customers helping them to be safe from any theft and fraud (Sarlak, Hastiani 2010). V. Proposed solution The purpose of Internet banking is to provide convenient banking services to the customer while minimizing banking cost. For the long term business objectives of the bank, value added services must be delivered to the customers. As per the revolutionary Internet era, the critical success factor is to create and maintain trust, as all the transactions are initiated, transmitted and processed on the Internet, requires an adequate level of trust (Matthew Lee, 2000). Likewise, customer wishes to use Internet banking may become reluctant for technology adoption, consequently, the bank’s staff needs to enhance adoption of Internet banking services by focusing on their marketing campaigns based on factors below risk barriers (Laukkanen, et al, 2007). Banks need to satisfy their customers to be secure and appropriate security measures are in place for securing the transaction channels. Moreover, reliability is also a strong factor that ensures effectiveness while processing a financial transaction. As mentioned, the level of trust within the customers of the bank is considered to be a core factor associated with collaboration. Furthermore, banks should also show progress on mitigating security risks and at the same time raising the level of trust for their customers. Thus, for achieving an optimal level of trust with the customers, this research has constructed a framework that will enhance Internet Banking Security and at the same time mitigate the associated risks by incorporating an RFID reader to the online banking application, applicable on end user’s system, as shown in Figure 2 (Padmalatha, 2011). Fig.2 RFID Communication Mechanism Source: (Hunt, Puglia et al. 2007) An Radio Frequency Identification incorporates three mechanisms i.e. a transponder called as an RFID tag programmed with a piece of inormation, placed on the object for identification (FZHANG, Q., 2007), a transceiver that incorporates a decoder for data interpretation and an antenna that will be used to scan and emit radio waves for activating the tag for read/write data(Vacca, 2009). Likewise, the reader comprises of equal or less than 2000 bytes of data (Roussos, 2008). The tags that are passive can operate up to 100MHz frequency radius, as it is integrated with magnetic induction (Kevan, 2003). Moreover, the RFID device functions similar to a (Using Info Technology 6, 2005) magnetic strip or barcode of the credit card / ATM card back side, as it holds the unique identification key for that specific card/object. Likewise, there is a requirement for scanning only the barcode/magnetic strip for retrieving the information. Figure 3 demonstrates this process in detail. Fig.3 RFID Communication with Magnetic Card The antenna used for scanning can be fixed permanently to the computer. Likewise, when the RFID tag travels through the radius of the scanning antenna, the activation signals are identified by the antenna and RFID chip initializes information transmission that is again received by the scanning antenna. However, information from RFID tags can be retrieved by many ways such as: The time required to read an RFID tag is 100 milliseconds RFID tag must not be on the surface of the particular object and is not a wearable item Any size of RFID tag is readable and multiple tags can be readable one by one The radio frequency signals from the scanning antenna are small in range and two types of RFID tags can be used (Sarlak, Hastiani 2010). Active RFID tags are integrated with a power source and Passive tags do not require a power source. However, RFID tags are low cost receivers that have the capability of identifying signals on the Ultra high Frequency (UHF) tags that are at a distance of three meters (Zhang, 2007). Moreover, they also do not require a power source and can be detectable for a very long time. Furthermore, the RFID signals incorporates two factors i.e. they provides a communication mechanism for the transponder and energy/power source required for communication (Lehpamer, 2012). VI. methods of operation The proposed solution incorporates an RFID reader that will be equipped on end user system, as shown in Fig 4. The connectivity will be established by a Universal Serial Bus (USB) connection for either i.e. legacy systems or newly purchased systems Fig.4 RFID Architecture Source: (Hunt, Puglia et al. 2007) This is also a possibility of a stand-alone RFID card reader or integrated within a keyboard/mouse. In any scenario, the log-on page that is located on the back side of the Credit/Debit card will be modified for retrieving user information. As there are no requirements of scanning, the system can retrieve the contents within a range of one meter radius. The output will be similar to scanning a card; instead, it is carried out in the atmosphere. Likewise, the scanning of the Credit/Debit card along with user authentication will provide assurance of authentic user presence. Without the absence of the card within the RFID range, access will not be granted to the bank accounts. However, bank will be responsible for encryption and secure transmission of data over the Internet. VII. extra layer of authentication As the proposed solution possesses double authentication mechanism, it incorporated two phases. These phases initialize after the end user access Internet banking account, as the remote users requires authenticating their credentials first and then the magnetic strip possessing the code of the Credit/Debit card is verified prior to granting access. VIII. conclusion and recommendations The Internet Banking System of a bank requires continuous improvements in the security domain, as customer data is processed and transmitted over the Internet. Likewise, they need to mitigate any associated risks that may directly or indirectly affect the end user transactions. The output of these transactions is the successful payment on one of the side; however, there are many phases such as authorization/authentication prior to the output/results. At one point, this is an excellent value added service but on the other, trust of end users is an essential limiting factor. One of the researchers identifies that the propensity for trusting Internet banking is positively proportional to the perceived level of security over the Internet. Consequently, trust is a major contributing factor that will enhance the willingness of end users to perform Internet banking (Great Britain: Parliament: House of Lords: Science and,Technology Committee, 2007). Likewise, banks must target ‘Trust’ as a vital factor to gain competitive advantage and minimizing end user ambiguities by deploying two factor authentication. Moreover, technology can be utilized for gaining trustworthiness such as two-factor authentication, firewall, intrusion detection, honey pot networks can be designed within Internet banking application. The goal is to achieve end user satisfaction, trustworthiness and competitive advantage. We have designed a framework that will use two factor authentications and will facilitate to improve trust, and by integrating RFID technology within the Internet banking system, the coded information will be extracted. In the end, a research is still required for testing the effectiveness of RFID based authentication from the end user system and integrating the Internet banking application with this solution. Moreover, the solutionrequires the end users to trust on two mechanisms i.e. the RFID mechanism and online internet banking interface. However, it will give an edge, as end users will be more trustful , as now we have two layers of authentication and without the credit card in hand, no one will be able to process a transaction, as in case of traditional credit card number. Furthermore, for establishing this two factor authentication mechanism, there is a requirement of establishing a standard that would be accepted globally. However, there are some issues for this mechanism, as the RFID mechanism can be modified by an expert hacker. References BERGER, S.C. and GENSLER, S., 2007. Online Banking Customers: Insights from Germany. Journal of Internet Banking & Commerce, 12(1), pp. 1-6. COLE, E. and RING, S., 2005. Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft: Protecting the Enterprise from Sabotage, Spying, and Theft. Elsevier Science. CIAMPA, M.D., 2011. Security+ Guide to Network Security Fundamentals [With Access Code]. Course Technology, Cengage Learning DANDASH, O., PHU DUNG LE and SRINIVASAN, B., 2007. Security Analysis for Internet Banking Models, Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2007. SNPD 2007. Eighth ACIS International Conference on 2007, pp. 1141-1146. DORAISWAMY, A., 2009. Security Testing Handbook for Banking Applications (Softcover).IT Governance. FZHANG, Q., 2007. E-supply Chain Technologies and Management. Information Science Reference Greenberg, P. & S. Caswell (February 1, 2001). Online banking fraud raises more security concerns. E-Commerce GREAT BRITAIN: PARLIAMENT: HOUSE OF LORDS: SCIENCE AND,TECHNOLOGY COMMITTEE, 2007. Personal Internet Security: 5th Report of Session 2006-07, Vol. 2: Evidence. Stationery Office. KEVAN, T., 2003. Integrating RFID. Frontline Solutions, 4(11), pp. 34. HUNT, V.D., PUGLIA, A. and PUGLIA, M., 2007. RFID: A Guide to Radio Frequency Identification. Wiley. HAMPTON-SOSA, W. and KOUFARIS, M., 2005. The Effect of Web Site Perceptions on Initial Trust in the Owner Company. International Journal of Electronic Commerce, 10(1), pp. 55-81. KONDABAGIL, J., 2007. Risk Management in Electronic Banking: Concepts and Best Practices. Wiley. Laukkanen, P., S. Sinkkonen, T. Laukkanen, & M. Kivijärvi (2007). “Consumer Resistance and Intention to Use LEHPAMER, H., 2012. RFID Design Principles. Artech House, Incorporated. Maximum Security. 2003. Sams Publishing. MATTHEW LEE, 2000. Trust in Internet Shopping: A Proposed Model and Measurement Instrument AMCIS 2000 Proceedings, . PADMALATHA, S., 2011. Management Of Banking And Financial Services, 2/E. Pearson Education. ROUSSOS, G., 2008. Networked RFID: Systems, Software and Services. Springer London, Limited. SARLAK, M.A. and HASTIANI, A.A., 2010. E-Banking and Emerging Multidisciplinary Processes: Social, Economical and Organizational Models. Business Science Reference. RUBIN, C., 1989. Rationale for Selecting Access Control List Features for the Unix System. Diane Publishing Company. SINGH, B., 2012. Network Security and Management. Prentice Hall India Pvt., Limited. UME-AMEN, M., 2011. Media Influence on Marketing Communications. Interdisciplinary Journal of Contemporary Research in Business, 3(1), pp. 1192-1217. Using Info Technology 6E. 2005. McGraw-Hill Education (India) Pvt Limited. VACCA, J.R., 2009. Computer and Information Security Handbook. Elsevier Science. WHITMAN, M.E. and MATTORD, H.J., 2011. Principles of information security. Course Technology Ptr. . Read More