
2012 Fourth International Conference on Computational Intelligence, Communication Systems and Networks

A Case Study of Internet Banking Security of Mainland Chinese Banks: A Customer Perspective

Panida Subsorn
School of Information Technology, Suranaree University of Technology, Nakhon Ratchasima 30000, Thailand
panida.sdu@gmail.com

Sunsern Limwiriyakul
SECAU, Edith Cowan University, Joondalup 6027, Western Australia
l.sunsern@gmail.com

Abstract: Over the past few decades, internet banking has been adopted more widely to support and enhance the performance of banking industry operations and management. This increasing trend has meant that the security issues of confidentiality, integrity, and privacy have become progressively more serious in internet banking systems, for both banks and customers. This paper is an extension of previous research on internet banking in 19 selected licensed banks in Hong Kong. It focuses on internet banking security in 13 selected local mainland Chinese banks. The combined results of both investigations were used to generate a more practical and inclusive guideline (the internet banking security checklist, Version 1.05). Whilst the results from the previous research indicate a partial lack of related internet banking security information on all of the selected Hong Kong banks' websites, all of the selected Chinese banks' websites were deficient in this regard, particularly for information in English. Consequently, this lack of information can negatively affect the confidentiality of existing as well as potential internet banking customers of both the selected Chinese and Hong Kong banks.

Keywords: customer perspective; internet banking security; mainland Chinese banks

I. INTRODUCTION

The Chinese banking system was unreachable from the outside world due to several political and economic barriers to banking over the past 20 years [1]. Fortunately, in 2010, the main banking sector in China was transformed into a modern enterprise operating as an electronic business, as a result of major reforms in the last two decades. The primary aim of this adaptation was to bring the country's banking system up to international standards. Consequently, several new banking systems and processes have been deployed in order to incorporate and connect to the global electronic market [1]. Furthermore, these processes have come under the auspices of the China Banking Regulatory Commission (CBRC), which provides financial supervision of the Chinese banking system [2]. Electronic money transactions have essentially been carried out via secure bank-to-bank Society for Worldwide Interbank Financial Telecommunication (SWIFT) transactions or Bank Identifier Codes (BIC) to support the new banking systems [1]. Nonetheless, problems relating to confidentiality, privacy, and the security of internet banking transactions and personal information in banking systems have surfaced as concerns for both the banking industry and internet banking customers [3]-[8]. These associated information security threats and risks have naturally arisen from the use of the new banking systems [3]-[6], [9]. Consequently, the aim of this paper was mainly to examine the information security of the new banking systems in order to evaluate their information security weaknesses through a refined checklist based on the information available on the selected banks' websites. The rest of this paper is organized into four major sections: methodology, findings, comparison between the selected banks in mainland China and Hong Kong, and conclusions and recommendations.

978-0-7695-4821-0/12 $26.00 © 2012 IEEE DOI 10.1109/CICSyN.2012.43

II. METHODOLOGY

The comparative analysis method used was separated into two main sections: (1) the availability of internet banking security features of the 13 selected mainland Chinese banks and (2) the results and findings from the 19 selected licensed Hong Kong banks [6]. This comparative analysis method assessed the quality of the internet banking security features among the mainland Chinese banks as well as between the two countries.

A. Data sample and collection

Thirteen mainland Chinese banks were chosen to fulfil the aim of this paper and for the comparative analysis. The banks were selected because they met the criteria of providing banking websites, internet banking services, and English-version websites [10]-[11] to their existing personal and potential internet banking customers. Furthermore, publicly available secondary data sources on these selected banks' websites were utilized in the analysis. The list of the selected mainland Chinese banks used in the analysis is displayed in Table I. All of the data obtained via their websites were gathered and evaluated between March and April 2012.

TABLE I. THE LIST OF THE SELECTED MAINLAND CHINESE BANKS

Bank Type              | Bank Name
State owned            | Industrial and Commercial Bank of China Limited (ICBC)
                       | Agricultural Bank of China (ABC)
                       | Bank of China Limited (BOC)
                       | Bank of Communications Company Limited (BOCOM)
Joint-stock commercial | Hua Xia Bank Company Limited (HUAXIA)
                       | Shenzhen Development Bank Company Limited (SDB)
                       | China Merchants Bank Company Limited (CMB)
                       | Shanghai Pudong Development Bank (SPDB)
                       | Industrial Bank Company Limited (CIB)
                       | China Minsheng Banking Company Limited (CMBC)
City commercial        | Bank of Beijing
                       | Bank of Nanjing Company Limited (NJCB)
                       | Bank of Shanghai

B. The refined internet banking security checklist

Background and information on internet banking security features were provided through the refined checklist for the banks' existing personal and potential internet banking customers. This refined checklist, as fully illustrated in Table II (Version 1.05), has six main security feature categories and one supplementary (language) feature category for the mainland Chinese banks.

C. The scoring technique

A weight rating in each main category was introduced with the refined checklist for mainland Chinese banks in order to provide a more practical and comprehensive guideline. A maximum feasible score of 10 value points was assigned to each of the sub-categories, excluding Sections 4.1, 5.1, and 5.5, which had highest feasible scores of 20, 15, and 15 value points respectively. This was because these three sections were determined to be very susceptible and essential for both user site and bank site authentication in the internet banking security approach. Values based on each item's importance according to current knowledge were allocated as points within each of the sub-categories.

III. FINDINGS
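The scoring technique of Section II.C, as an added example that is not part of the paper: a small scorer for the weighted checklist. The sub-category weights are taken from Table II as read from the extracted text; the rule that only the best of a set of items joined by "OR" counts, and that a sub-category never exceeds its maximum feasible score, is an assumption about how the authors applied their weights; the per-bank observations are constructed from Sections III.D and III.G.

```python
# Added example (not from the paper): scorer for the refined checklist.
# Weights come from Table II; OR-handling and capping are assumptions;
# the bank observations below are constructed from the findings text.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class SubCategory:
    """One checklist sub-category, e.g. 5.2 Logon failure limitation."""
    code: str
    max_points: float                 # 10 for most; 20 for 4.1; 15 for 5.1 and 5.5
    points: Dict[str, float]          # item code -> value points
    alternatives: Set[str] = field(default_factory=set)  # items joined by "OR"

    def score(self, observed: Iterable[str]) -> float:
        """Sum the points of observed items.  Among OR-alternatives only the
        best one counts, and the total is capped at the sub-category maximum."""
        seen = set(observed)
        unknown = seen - set(self.points)
        if unknown:
            raise ValueError(f"{self.code}: unknown item(s) {sorted(unknown)}")
        best_alt = max((self.points[i] for i in seen & self.alternatives), default=0.0)
        rest = sum(self.points[i] for i in seen - self.alternatives)
        return min(self.max_points, best_alt + rest)


# Three sub-categories whose weights are legible in Table II.
SUBCATS = {
    "4.1": SubCategory("4.1", 20,
                       {"4.1.1": 12, "4.1.2": 10, "4.1.3": 4, "4.1.4": 4, "4.1.5": 0},
                       alternatives={"4.1.1", "4.1.2"}),
    "5.2": SubCategory("5.2", 10,
                       {"5.2.1": 10, "5.2.2": 8, "5.2.3": 5, "5.2.4": 0},
                       alternatives={"5.2.1", "5.2.2", "5.2.3"}),
    "7.1": SubCategory("7.1", 10,
                       {"7.1.1": 6, "7.1.2": 4, "7.1.3": 2},
                       alternatives={"7.1.2", "7.1.3"}),
}


def category_average(sub: SubCategory, banks: Dict[str, List[str]]) -> Tuple[float, float]:
    """Average marks and percentage over a set of banks, as reported in Table III."""
    scores = [sub.score(items) for items in banks.values()]
    avg = sum(scores) / len(scores)
    return avg, 100.0 * avg / sub.max_points


# Constructed from Section III.G: five banks fully support English, eight partly.
FULL_ENGLISH = ["ICBC", "ABC", "BOC", "BOCOM", "BEIJING"]
PART_ENGLISH = ["HUAXIA", "SDB", "CMB", "SPDB", "CIB", "CMBC", "NJCB", "SHANGHAI"]
LANGUAGE_OBS = {**{b: ["7.1.1", "7.1.2"] for b in FULL_ENGLISH},
                **{b: ["7.1.1", "7.1.3"] for b in PART_ENGLISH}}


if __name__ == "__main__":
    avg, pct = category_average(SUBCATS["7.1"], LANGUAGE_OBS)
    print(f"Category 7: avg {avg:.2f}/10 = {pct:.1f}%")          # 8.77/10 = 87.7%
    # 256-bit SSL with an EV certificate and a signing CA reaches the 20-point cap.
    print(SUBCATS["4.1"].score(["4.1.1", "4.1.3", "4.1.4"]))      # 20.0
```

The Category 7 percentage reproduces the 87.7% for the Chinese banks in Table III.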

Table II presents and summarizes the analysis and findings on internet banking security of the selected local banks in China. The coding used in Table II is as follows.

✓ Represents Yes; * Represents Optional; C Represents Condition; E English; A AES 256-bit SSL encryption; R RC4 128-bit SSL encryption; F CFCA Operation CA2; N Entrust Secure Server CA; V VeriSign Authentication.

TABLE II. A SUMMARY OF THE REFINED INTERNET BANKING SECURITY CHECKLIST

Internet banking information security checklist (Version 1.05). Mainland Chinese banks assessed: ICBC, ABC, BOC, BOCOM, HUA XIA, SDB, CMB, SPDB, CIB, CMBC, BEIJING, NJCB, SHANGHAI. Weights (value points) are given in parentheses after each item. [Per-bank entries of the 13 columns are not reproduced here; the results are described in Section III.]

Security feature categories

1. General online security and privacy information to the internet banking customers (40)
  1.1 Account aggregation or privacy and confidentiality (10)
    1.1.1 Complied with the National Privacy Principles and the Privacy Act (10)
    1.1.2 No information (0)
  1.2 Losses compensation guarantee (10)
    1.2.1 100% (10)
    1.2.2 No information (0)
  1.3 Online/internet banking security information (10)
    1.3.1 Threats: hoax email, scam, phishing, spyware (1.5)
    1.3.2 Trojan and virus/malicious programs (1.5)
    1.3.3 Keyloggers (1)
    1.3.4 General online security guidelines (2)
    1.3.5 Security alert/up-to-date issue (1)
    1.3.6 Provides password security tips (2)
    1.3.7 Others (e.g. wireless) (1)
    1.3.8 No information (0)
  1.4 Bank security mechanism system (10)
    1.4.1 Antivirus/phishing or security scanning protection software (2.5)
    1.4.2 Firewall(s) (2.5)
    1.4.3 IDS/IPS/alert/monitoring system (2.5)
    1.4.4 Others (e.g. data encryption, password protection, physical security, regular audit and backup) (2.5)
    1.4.5 No information (0)
2. IT assistance, monitoring, and support (20)
  2.1 Hotline/helpdesk service availability for personal internet banking customers (10)
    2.1.1 24/7 customer contact center by phone (5) OR
    2.1.2 No 24/7 customer contact center by phone (3)
    2.1.3 Secured email/message box (2)
    2.1.4 Email (1)
    2.1.5 Demo/FAQ/online support form (2)
    2.1.6 No information (0)
  2.2 Internet banking transaction monitoring by the banks (10)
    2.2.1 Provides dedicated team and technology for monitoring all transactions (10)
    2.2.2 No information (0)
3. Software and system requirements and settings information based on the bank website information (30)
  3.1 Compatibility best with the popular internet browsers (10)
    3.1.1 Google Chrome (2)
    3.1.2 Firefox (2)
    3.1.3 Internet Explorer (2)
    3.1.4 Netscape (2)
    3.1.5 Opera (1)
    3.1.6 Safari (1)
    3.1.7 No information (0)
  3.2 Internet banking user device system and browser setting requirement (10)
    3.2.1 Hardware device (2)
    3.2.2 Operating system (2)
    3.2.3 Type of browser and setting (e.g. cookie, Java, certificate) (2)
    3.2.4 Screen resolution (2)
    3.2.5 Browser automatic or manual test feature available (2)
    3.2.6 No information (0)
  3.3 Free/paid security software/tool/information available to personal internet banking customers (10)
    3.3.1 Antivirus/anti-spyware/anti-phishing (2)
    3.3.2 Internet security suite (3)
    3.3.3 Provides internet information/links to security software vendor(s) (e.g. antivirus, firewall) (2)
    3.3.4 Other services (e.g. automated tool, online security scanning tool, security applet control) (3)
    3.3.5 No service and/or information (0)
4. Bank site authentication technology (20)
  4.1 Employed encryption and digital certificate technologies (20)
    4.1.1 256-bit SSL encryption (12) OR
    4.1.2 128/168-bit SSL encryption (10)
    4.1.3 Extended validation SSL certificates (4)
    4.1.4 Signing CA (4)
    4.1.5 No information (0)
5. User site authentication technology (60)
  5.1 Logon requirement (15)
    5.1.1 Bank/credit card/customer ID/email (2) OR
    5.1.2 Registered bank username (characters) (3) OR
    5.1.3 Smart ID card/e-wallet with digital certificate embedded/e-banking code card/document certificate (5)
    5.1.4 Password/PIN/security number (3)
    5.1.5 Additional password or secret question (3) OR
    5.1.6 Others (e.g. CAPTCHA) (2)
    5.1.7 Two-factor authentication/dynamic password card/USB key digital certificate (min. 6-digit PINs) (6)
    5.1.8 No information (0)
  5.2 Logon failure limitation (10)
    5.2.1 Standard max. (3 times) (10) OR
    5.2.2 Max. more than 3 times (8) OR
    5.2.3 In use but does not specify the max. number of failures allowed (5)
    5.2.4 No information (0)
  5.3 Logon user input type (10)
    5.3.1 Scrambled keypad with/without keyboard (10) OR
    5.3.2 Combination of keypad and keyboard (8) OR
    5.3.3 Keyboard only (7)
  5.4 Password restriction/requirement (10)
    5.4.1 Enforce good password practice (2)
    5.4.2 Password/PIN length (min. 8 characters) (1)
    5.4.3 Numbers only (0) OR
    5.4.4 Combination of numbers and letters (1)
    5.4.5 Combination of upper and lower cases (1)
    5.4.6 Special characters (1)
    5.4.7 Different password as compared to any of the three previously used passwords (1)
    5.4.8 No two or more consecutive identical characters (e.g. aa, 11) (1)
    5.4.9 No three or more consecutive characters (e.g. abc, 123) (1)
    5.4.10 Automatic password strength check on creation or change of password (1)
    5.4.11 No information (0)
  5.5 Transaction verification for external or sensitive transactions (e.g. unregistered 3rd party account, BPAY) (15)
    5.5.1 Token device/dynamic password card (15) OR
    5.5.2 SMS (no. of digit PINs) (15) OR
    5.5.3 Others (e.g. USB key digital certificate with PIN) (15) AND/OR
    5.5.4 Password/extra password/reserved verification info./CAPTCHA (10)
    5.5.5 No requirement (0)
    5.5.6 No information (0)
6. Internet banking application security features (50)
  6.1 Automatic timeout feature for internet browser inactivity (10)
    6.1.1 Max. (less than or equal to 30 mins) (10) OR
    6.1.2 In use but does not specify timeout length (8)
    6.1.3 No information (0)
  6.2 Limited default daily transfer amount for sensitive transactions (e.g. unregistered 3rd party and international accounts) (10)
    6.2.1 Less than or up to RMB 50,000 (5) OR
    6.2.2 More than RMB 50,000 (3)
    6.2.3 The default maximum daily transfer limit is variable, dependent on the type of internet banking customer (2.5)
    6.2.4 The default maximum daily transfer limit may be increased with the approval of the bank (2.5)
    6.2.5 No information (0)
  6.3 Logging information and alert (10)
    6.3.1 Last login (4)
    6.3.2 Activity log/transaction history (3)
    6.3.3 Alert available via email and/or SMS (3)
    6.3.4 No information (0)
  6.4 Password policy management (10)
    6.4.1 Frequently enforce changing login password (no more than 6 months) (10)
    6.4.2 Frequently enforce changing login password (more than 6 months) (7)
    6.4.3 No information (0)
  6.5 Session management (10)
    6.5.1 Use of page or session tokens (10) OR
    6.5.2 Use of cookie technology (7)
    6.5.3 Use of cookies for other purposes (e.g. capturing IP address, marketing, research and/or statistics) (0)
    6.5.4 No information (0)
7. Languages (10)
  7.1 Employed multi-languages (10)
    7.1.1 Support only local language (6)
    7.1.2 Fully support other common language(s) (4)
    7.1.3 Partly support other common language(s) (2)

A. General online security and privacy information to the internet banking customers

The majority of the 13 selected banks provided no information on their websites in terms of privacy compliance with Chinese national law, apart from three selected banks (ICBC, CMB, and CMBC). None of the 13 banks provided any information with regard to liability for any claim, loss, or damage in relation to the use of the internet banking service. See Table II, Sections 1.1 and 1.2, for more details. Only four out of the 13 selected banks scored 50 percent or higher in terms of providing useful general internet security information on their websites. On the other hand, only one selected bank (Hua Xia Bank) provided information about the bank's security mechanism system on its website.

B. IT assistance, monitoring, and support

All of the 13 selected banks provided 24/7 customer contact center support via telephone. In terms of IT assistance, the majority (nine) of the 13 banks provided several types of assistance and support, including demos, FAQs, and online support, via their websites. In addition, only two (ABC and Hua Xia Bank) of the 13 banks declared on their websites that they provided a monitoring service for internet banking transactions to their existing personal internet banking customers. See Table II, Sections 2.1 and 2.2, for more details.

C. Software and system requirements and settings information based on the website information of the bank

Eight of the 13 selected banks did not provide any information in terms of internet browser compatibility. The remaining four banks claimed that their websites were best compatible with Internet Explorer (IE, V.6+). Furthermore, several internet browsers were used in the analysis, namely Google Chrome (V.18.0), Firefox (V.8.0), and IE (V.7 and 8). All of the banks' personal internet banking logon pages responded reasonably in the IE browser, unlike in the Google Chrome and Firefox browsers. In relation to internet banking user device system and browser setting requirements, eight out of the 13 banks provided no information on their websites. The remaining five banks provided only partial information, such as operating system and screen resolution requirements. Additionally, only two out of the 13 banks provided no internet security information in relation to antivirus and personal firewall software. Nine out of the 13 banks provided various internet banking security software tools, such as online scanning, anti-phishing, and anti-spyware tools. See Table II, Sections 3.1, 3.2, and 3.3, for further details.

D. Bank site authentication technology

Three banks (ICBC, Hua Xia Bank, and SPDB) out of the 13 selected banks employed a combination of the highest available SSL encryption technology (256-bit) with an extended validation SSL certificate. A combination of both SSL features can provide better security and confidentiality, as well as assurance of the bank's identity, to both existing personal and potential internet banking customers. Section 4.1 of Table II gives the details.

E. User site authentication technology

Eight of the 13 selected banks offered a choice (refer to C in Sections 5.1.3 and 5.1.7) of different personal login types based on the internet banking customer's registration type. Consequently, this method offers different levels of functionality, features, and security. For example, a personal internet banking account at ABC had three login types based on the authentication technology used: digital certificate, registered username, and bank card number. Logon with a digital certificate can provide the highest level of internet banking security compared to the other two personal login types. Furthermore, internet banking customers are given full access to, and functionality for, their bank accounts, such as a larger transferable amount of money, as extra features when using this logon. On the other hand, logon with a registered username or with a bank card number provided less security and, respectively, less access and functionality to their bank accounts. See Table II, Section 5.1, for more details. Seven of the 13 banks presented logon failure information on their websites; the logon failure tolerance ranged between three and six attempts. See Table II, Section 5.2, for more details. With regard to logon input type, the majority of the 13 banks deployed a keyboard for input of the username or bank card number as well as the password. Only two banks (ABC and SPDB) deployed a scrambled keypad password input type for their existing personal internet banking customers. However, SDB offered a scrambled keypad password input type as an alternative option. See Table II, Section 5.3, for further details. Regarding password restrictions/requirements, seven of the 13 banks did not display any information on their websites, and the six remaining banks provided only partial information. Section 5.4 of Table II elaborates on this. Additionally, nine out of the 13 banks required verification for external or sensitive transactions. Of the remaining four banks, CMB did not require any type of transaction verification for its internet banking system, whereas there was no such information on the other three banks' websites. See Table II, Section 5.5, for more details.


F. Internet banking application security features

With regard to the automatic timeout feature for inactivity, only two (BOC and CIB) out of the 13 selected banks stated that their internet banking systems had this feature. Six of the 13 banks did not provide any information related to the limited default daily transfer amount for sensitive transactions. In addition, six of the 13 banks did not display any information regarding logging, including any alert features, on their websites. See Table II, Sections 6.1, 6.2, and 6.3, for more information. In terms of password policy management, only Hua Xia Bank provided a password policy enforcing a change of existing personal internet banking customers' passwords every three months. Additionally, there was no information related to the session management technology in use on any of the 13 banks' websites. See Table II, Sections 6.4 and 6.5, for further details.

G. Languages

All of the 13 banks provided their internet banking information in the standard Chinese language. The websites of ICBC, ABC, BOC, BOCOM, and Bank of Beijing fully supported services in the English language, while the remaining eight banks had partially supported services. For example, Hua Xia Bank, CIB, CMBC, NJCB, Bank of Shanghai, SPDB, and SDB did not provide internet banking login pages in the English language.

IV. COMPARISON BETWEEN THE SELECTED BANKS IN MAINLAND CHINA AND HONG KONG

In terms of Category 1 (Table III), the selected Hong Kong banks in the previous research [6] performed better, with higher scores (29.5/40 or 74.4%), as compared with the selected mainland Chinese banks. This was because all the selected Hong Kong banks provided privacy, confidentiality, and compensation guarantee information in the English language on their websites, unlike the majority of the selected mainland Chinese banks, which provided such information only partially. Both the selected mainland Chinese and Hong Kong banks scored poorly in Category 2 (Table III); the lack of information on internet banking transaction monitoring on their websites was a good example of this. In relation to Category 3 in Table III, the selected Hong Kong banks scored much higher than the selected mainland Chinese banks. This was because the selected Hong Kong banks provided more detailed information, particularly on internet browser compatibility, via their websites. Many of the selected mainland Chinese and Hong Kong banks deployed extended validation SSL certificates for their bank site authentication. Furthermore, some of the selected mainland Chinese and Hong Kong banks deployed SSL with 256-bit encryption technology, which can further increase the security of their bank site authentication. As a result, the average scores of both the selected mainland Chinese and Hong Kong banks in Category 4 were considerably high. The average scores in Category 5 (Table III) of both the selected mainland Chinese and Hong Kong banks were similar. Using either a USB digital certificate or a dynamic password (token or SMS) was a common technology for user site authentication in many of the selected mainland Chinese and Hong Kong banks. In Category 6 (Table III), the average scores of both the selected mainland Chinese and Hong Kong banks were below 50 percent, and the selected mainland Chinese banks in particular achieved only 15 percent. This was because the majority of the selected mainland Chinese banks were lacking in providing related information on their websites; the automatic timeout feature for inactivity, password policy, and session management were among the examples. Both the selected mainland Chinese and Hong Kong banks scored well in Category 7. In particular, the selected Hong Kong banks scored full marks as a result of providing full language compatibility for both local and other common languages. Standard Chinese and English were both supported by the selected mainland Chinese and Hong Kong banks.

TABLE III. COMPARISON BETWEEN THE SELECTED BANKS IN MAINLAND CHINA AND HONG KONG

Category (sub-total marks) | Chinese banks (avg. marks) | Chinese banks (% avg.) | HK banks (avg. marks) | HK banks (% avg.)
1 (40)                     | 6.1                        | 15.3                   | 29.5                  | 74.4
2 (20)                     | 8.9                        | 44.6                   | 9.1                   | 45.5
3 (30)                     | 5.2                        | 17.4                   | 11.4                  | 38.1
4 (20)                     | 17.8                       | 89.2                   | 17.5                  | 87.4
5 (60)                     | 35.1                       | 58.5                   | 34.8                  | 58
6 (50)                     | 7.8                        | 15.6                   | 21.6                  | 43.2
7 (10)                     | 8.7                        | 87.7                   | 10                    | 100

V. CONCLUSIONS AND RECOMMENDATIONS

There was a lack of internet banking security information covering Categories 1, 3, 5, 6, and 7 for the majority of the selected mainland Chinese banks, particularly in Sub-categories 1.1, 1.2, 1.3, 2.2, 3.1, 3.2, 5.4, 6.1, 6.4, 6.5, and 7.1. Providing significant details of general online security, privacy, liability, transaction monitoring, and session management can increase internet banking security awareness and confidentiality assurance for both existing personal and potential internet banking customers. Furthermore, providing compatibility with several popular and well-known internet browsers, such as Google Chrome and Firefox, will increase flexibility of use for existing personal and potential internet banking customers. Enforcing good password policies, such as setting a minimum password length of at least eight characters with a combination of upper and lower case letters, numbers, and special characters, can increase the security of the internet banking authentication system. Displaying information on the automatic timeout feature for internet browser inactivity (Sub-category 6.1) can increase internet banking security awareness, as well as usability, for existing personal and potential internet banking customers. Frequently enforcing login password changes (Sub-category 6.4) over a particular period of time, such as six months, can also tighten the security of internet banking systems. In addition, full English language support (Sub-category 7.1) for internet banking should be considered by the majority of the selected mainland Chinese banks, which did not provide it. This will allow their foreign and non-Chinese-speaking internet banking customers to receive full details of internet banking information via the banks' websites. In relation to bank site authentication technologies (Category 4), changing to extended validation SSL certificates and 256-bit SSL encryption technologies is recommended and should be applied by the selected mainland Chinese banks. Applying the refined internet banking security checklist (Version 1.05) to the selected mainland Chinese and Hong Kong banks can standardize information security and usability for their internet banking systems. Furthermore, it can also enhance confidentiality and security awareness for the banks' existing personal and potential internet banking customers. In addition, the checklist can assist individual internet banking customers' decisions when selecting internet banking products, providers, and/or services.

ACKNOWLEDGMENT

We would like to extend our sincerest thanks and appreciation to Mr. Yunous Vagh for his knowledge and support in this paper.

REFERENCES

[1] V. Lee, "Understanding Chinese banking structure before doing business in China," 2010.
[2] China Internet Information Center, "China Banking Regulatory Commission," 2003.
[3] P. Subsorn and S. Limwiriyakul, "A comparative analysis of the security of Internet banking in Australia: A customer perspective," presented at the 2nd International Cyber Resilience Conference (ICR2011), Perth, Western Australia: Edith Cowan University, 2011a.
[4] P. Subsorn and S. Limwiriyakul, "A comparative analysis of internet banking security in Thailand: A customer perspective," presented at the 3rd International Social Science, Engineering and Energy Conference 2011 (I-SEEC2011), Nakhon Pathom, Thailand, 2011b.
[5] P. Subsorn and S. Limwiriyakul, "An analysis of internet banking security of foreign subsidiary banks in Australia: A customer perspective," International Journal of Computer Science Issues (IJCSI), vol. 9, 2012a.
[6] S. Limwiriyakul and P. Subsorn, "A customer perspective investigation on internet banking security of licensed banks in Hong Kong," presented at the 2012 International Conference on Security and Management (SAM'12), Las Vegas, USA, 2012b.
[7] D. Hutchinson and M. Warren, "A framework of security authentication for internet banking," presented at the International We-B Conference (2nd), Perth, Western Australia, 2001.
[8] D. Hutchinson and M. Warren, "Security for Internet banking: A framework," Logistics Information Management, vol. 16, pp. 64-73, 2003.
[9] Usonlinebiz, "Types of Internet banking and security threats," vol. 2011: Usonlinebiz, 2008.
[10] China Knowledge Online, "Services in China: China banking system," n.d.
[11] China Banking Regulatory Commission (CBRC), "Domestic financial institutions," n.d.
