
DEFINITION OF E-BANKING

Electronic banking, also known as electronic funds transfer (EFT), is
simply the use of electronic means to transfer funds directly from one
account to another, rather than by cheque or cash.

VARIOUS FORMS OF E-BANKING:

INTERNET BANKING:
Internet Banking lets you handle many banking transactions via your
personal computer. For instance, you may use your computer to view
your account balance, request transfers between accounts, and pay bills
electronically. In an Internet banking system, a personal computer is
connected through a network service provider directly to a host computer
system of the bank, so that customer service requests can be processed
automatically without intervention by customer service representatives.

AUTOMATED TELLER MACHINES (ATM):

An unattended electronic machine in a public place, connected to a data
system and related equipment and activated by a bank customer to obtain
cash withdrawals and other banking services.

An automated teller machine or automatic teller machine (ATM) is an
electronic computerized telecommunications device that allows a financial
institution's customers to use a secure method of communication to access
their bank accounts directly, order or make cash withdrawals (or cash
advances using a credit card) and check their account balances without
the need for a human bank teller. Many ATMs also allow people to deposit
cash or cheques, transfer money between their bank accounts, top up their
mobile phones' pre-paid accounts or even buy postage stamps. On most
modern ATMs, the customer identifies himself or herself by inserting a
plastic card with a magnetic stripe, or a plastic smartcard with a chip,
that contains his or her account number. The customer then verifies their
identity by entering a passcode, often referred to as a PIN (Personal
Identification Number), of four or more digits. Upon successful entry of
the PIN, the customer may perform a transaction. If the number is entered
incorrectly several times in a row (usually three attempts per card
insertion), some ATMs will retain the card as a security precaution, to
prevent an unauthorized user from discovering the PIN by guesswork.
Captured cards are often destroyed if the ATM owner is not the
card-issuing bank, as non-customers' identities cannot be reliably
confirmed. The Indian market today has more than 17,000 ATMs.

TELE BANKING:
Undertaking a host of banking-related services, including financial
transactions, from the convenience of the customer's chosen place anywhere
across the globe and at any time of day or night has been made possible
by the introduction of online telebanking services. By dialling the given
telebanking number from a landline or a mobile phone anywhere, the
customer can access his account and, by following the user-friendly menu,
carry out all of his banking through an Interactive Voice Response (IVR)
system.

CREDIT CARD:
A credit card is part of a system of payments named after the
small plastic card issued to users of the system. It is a card entitling its
holder to buy goods and services based on the holder's promise to pay for
these goods and services. The issuer of the card grants a line of credit to
the consumer (or the user) from which the user can borrow money for
payment to a merchant or as a cash advance to the user.

DEBIT CARD:
Debit cards are also known as check cards. Debit cards look like credit
cards or ATM (automated teller machine) cards, but operate like cash or a
personal check. Debit cards are different from credit cards. While a credit
card is a way to "pay later," a debit card is a way to "pay now." When you
use a debit card, your money is quickly deducted from your checking or
savings account. Debit cards are accepted at many locations, including
grocery stores, retail stores, gasoline stations, and restaurants. You can
use your card anywhere merchants display your card's brand name or
logo. They offer an alternative to carrying a checkbook or cash.

E-CHEQUE:
• An e-cheque is the electronic version or representation of a paper
cheque.
• The information and legal framework for the e-cheque is the same as
that of the paper cheque.
• It can now be used in place of paper cheques to do any and all remote
transactions.
• An e-cheque works the same way a paper cheque does: the cheque writer
"writes" the e-cheque using one of many types of electronic device and
"gives" it to the payee electronically. The payee "deposits" the
e-cheque and receives credit, and the payee's bank "clears" the e-cheque
to the paying bank. The paying bank validates the e-cheque and then
"charges" the cheque writer's account for it.

OTHER FORMS OF ELECTRONIC BANKING

• Direct Deposit
• Electronic Bill Payment
• Electronic Check Conversion
• Cash Value Stored, etc.

SECURITY THREATS TO E-BANKING:

The currently known types of attacks on customer computer security that
must be met include:

Man-in-the-browser – A "Trojan horse" changes the contents of the form
that the customer submits to the bank website. The change is not visible
in the form itself; it takes place only in the computer's memory, before
SSL encryption is applied.

Man in the Middle – Rogue software is put in place at some point between
the customer's computer and the bank's web site and intercepts all the
information transmitted between the customer and the bank.

Key Logging – Software implanted in the customer's computer that
records all the keystrokes of the customer, providing a complete record of
user IDs, passwords, PIN codes, account numbers and transactions.
Sometimes this is integrated with additional rogue software, and usually
it sends the information it has collected to the hacker.

Phishing – Customer identity details are stolen. Typically, this is carried
out in a place and context removed from the bank web site, such as a
fraudulent e-mail asking for information. Phishing is essentially an
online con game, and phishers are nothing more than tech-savvy con
artists and identity thieves. They use spam, fake Web sites, crimeware and
other techniques to trick people into divulging sensitive information, such
as bank and credit card account details. Once they've captured enough
victims' information, they either use the stolen goods themselves to
defraud the victims (e.g., by opening up new accounts using the victim's
name or draining the victim's bank accounts) or they sell it on the black
market for a profit.

In most cases, phishers send out a wave of spam email, sometimes up to
millions of messages. Each email contains a message that appears to come
from a well-known and trusted company. Usually the message includes
the company's logo and name, and it often tries to evoke an emotional
response to a false crisis. Couched in urgent, business-like language, the
email often makes a request for the user's personal information. Sometimes
the email directs the recipient to a spoofed Web site. The Web site, like the
email, appears authentic and in some instances its URL has been masked
so the Web address looks real.

The bogus Web site urges the visitor to provide confidential information —
social security numbers, account numbers, passwords, etc. Since the email
and corresponding Web site seem legitimate, the phisher hopes at least a
fraction of recipients are fooled into submitting their data. While it is
impossible to know the actual victim response rates to all phishing
attacks, it is commonly believed that about 1 to 10 percent of recipients are
duped with a “successful” phisher campaign having a response rate
around 5 percent. To put this in perspective, spam campaigns typically
have a less than 1 percent response rate.

Bot – "Bot" is actually short for robot – not the kind found in science
fiction movies or on the production line in a manufacturing business. Bots
are one of the most sophisticated types of crimeware facing the Internet
today. Bots are similar to worms and Trojans, but earn their unique name
by performing a wide variety of automated tasks on behalf of their master
(the cybercriminals) who are often safely located somewhere far across
the Internet. Tasks that bots can perform run the gamut from sending
spam to blasting Web sites off the Internet as part of a coordinated
“denial-of-service” attack. Since a bot infected computer does the bidding
of its master, many people refer to these victim machines as “zombies.”

Site Cloaking – Cloaking fools search engines by disguising one web site
as another.

Session Hijacking – The session is hijacked by unauthorized use of the
cookies deposited by the banking site.

Pharming – Pharming is the diversion of traffic from a legitimate site to a
rogue web site.

Cross-Site Scripting – A script is injected into one web site or web log,
but it is executed in the context of a different web site.

OS command injection – Injection of operating system commands to be
carried out at the web site.

SQL Injection – Injection of SQL queries to be executed at the web site.
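As an added example (not part of the original report), the following Python uses the standard sqlite3 module to show what "injection of SQL queries" means in practice and how a parameterised query prevents it: the same probe input returns every row from the concatenated query and no rows from the parameterised one. The table, customer identifiers and probe input are all constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory account table (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer_id TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("C1001", 2500), ("C1002", 900), ("C1003", 41000)],
    )
    return conn


def balances_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Builds the query by string concatenation: the user's input becomes part of
    the SQL text, so quote characters in it change the meaning of the query."""
    sql = ("SELECT customer_id, balance FROM accounts WHERE customer_id = '"
           + customer_id + "'")
    return conn.execute(sql).fetchall()


def balances_safe(conn: sqlite3.Connection, customer_id: str) -> list:
    """Parameterised query: the value travels separately from the SQL text and is
    always compared as data, never parsed as SQL."""
    sql = "SELECT customer_id, balance FROM accounts WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed regression input containing SQL metacharacters, the kind of
    # value a web application firewall or unit test would feed to the login form.
    probe = "' OR '1'='1"
    print("concatenated query returns", len(balances_vulnerable(db, probe)), "rows")
    print("parameterised query returns", len(balances_safe(db, probe)), "rows")
```

A test like the one at the bottom of the block belongs in the application's own test suite: any handler that builds SQL from request data should return nothing for that probe.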

Cookie tampering – Information in the cookie is changed to allow an
attack.
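The entries on session hijacking and cookie tampering above both come down to the server trusting a cookie it cannot verify. As an added example that is not part of the original report, the following Python issues a session cookie whose payload carries an HMAC-SHA256 tag and an expiry time, so that a modified, expired or malformed cookie is rejected; the key, customer identifiers and lifetime are constructed for the example, and `tamper()` is only a test helper that shows what a rewritten cookie without a valid tag looks like.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret. A real deployment keeps this out of source
# control (secrets manager or HSM) and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(customer_id: str, ttl_seconds: int = 600,
                 now: Optional[float] = None) -> str:
    """Cookie = base64(payload) + '.' + base64(HMAC-SHA256(key, base64(payload)))."""
    now = time.time() if now is None else now
    payload = json.dumps({"cid": customer_id, "exp": int(now + ttl_seconds)},
                         separators=(",", ":"))
    body = _b64(payload.encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the customer id if the tag and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] < now:          # expired sessions are refused
            return None
        return payload["cid"]
    except (ValueError, KeyError, TypeError):
        return None                       # malformed cookie


def tamper(cookie: str, new_customer_id: str) -> str:
    """Constructed test helper: rewrite the payload but keep the old tag, which is
    all someone without SERVER_KEY can do."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_unb64(body))
    payload["cid"] = new_customer_id
    return _b64(json.dumps(payload, separators=(",", ":")).encode()) + "." + tag
```

Signing stops tampering but not replay of a cookie copied in full, which is the hijacking case; the short expiry limits that window, and the cookie should be set with the Secure and HttpOnly attributes so it travels only over TLS and is not readable by page scripts.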

Form Tampering (read-only and hidden fields) – Changes are made in
hidden or read-only fields in the HTML form.
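As an added example that is not from the original report, here is how a server can process a transfer form without trusting any hidden or read-only field: the source account named in the hidden field is checked against the accounts the authenticated customer actually owns, and the fee is recomputed on the server rather than read from the form. The session store, ownership table and fee are constructed placeholders.

```python
from typing import Dict

# Constructed fixtures: which customer each session belongs to, and which
# accounts each customer owns. A real system reads these from its own records.
SESSIONS = {"sess-abc": "C1001"}
OWNERSHIP = {"C1001": {"ACC-100", "ACC-101"}, "C1002": {"ACC-200"}}
TRANSFER_FEE = 2  # server-side constant; never taken from the submitted form


def process_transfer(session_id: str, form: Dict[str, str]) -> dict:
    """Validate a transfer request on the server; every submitted field, hidden
    or 'read-only' in the page, is treated as untrusted input."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        return {"ok": False, "reason": "no valid session"}
    src = form.get("from_account", "")
    # The hidden from_account field is re-checked against the authenticated
    # customer's own accounts instead of being believed.
    if src not in OWNERSHIP.get(customer, set()):
        return {"ok": False, "reason": "source account not owned by customer"}
    dst = form.get("to_account", "")
    if not dst or dst == src:
        return {"ok": False, "reason": "invalid destination"}
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return {"ok": False, "reason": "amount is not a whole number"}
    if amount <= 0:
        return {"ok": False, "reason": "amount must be positive"}
    # A 'fee' field posted by the client is ignored even if present; the fee is
    # recomputed here from the server's own rule.
    return {"ok": True, "customer": customer, "from": src, "to": dst,
            "amount": amount, "fee": TRANSFER_FEE}
```

The same rule applies to every value the page marks read-only (currency, account holder name, limits): the browser-side attribute is a presentation hint, and the server must recompute or re-look-up the value it acts on.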

Outbound Data Theft – Data sent from the web site are intercepted for use
in attacks. For example, that may include data about the software
installed at the site, version number etc.

Application Denial of Service – Numerous types of attacks make use of the
possibility of entering rogue information in input fields.

The above survey only highlights the major sources of attacks, which are
constantly multiplying.

BASIC CONTROLS FOR ONLINE BANKING ENROLLMENT:

A. Identification and Authentication
Assuming that the customer has been properly verified and accepted at
the opening of an account, enrollment for online banking consists of
validating that the person attempting to enroll is in fact the same one who
opened the original account. This involves verifying the following:

• Basic identity. To verify basic identity, the customer supplies an account
or customer number that was given when the account was opened. This
number must have a PIN associated with it, as described below. An
account or customer number is not considered to be secret information. It
is readily available from trash and mailings, and is visible to employees.
Its only value is in ensuring that the correct customer has been located on
the bank's system of record.

• Subsidiary data. These data may be used to “raise the bar” against a
fraudster. The data are not secret in any meaningful way but may at least
require a fraudster to spend additional time to obtain it. Analysis of failed
enrollment attempts (from insufficient or incorrect subsidiary data) may
highlight to fraud departments that there is an attempt being made
against a certain person or account, but subsidiary data should not be
relied on in the absence of the correct secret data. Typical subsidiary data
might include a Social Security number, name, address, amount of the
latest deposit, or location of the branch where the account was opened.
Note that these data must be available on the system of record in order to
be verified.

• Secret data. The only secret data that are shared between the customer
and the bank is a PIN on an opened account, where the PIN has been
delivered out-of-channel, preferably mailed to the statement address of
the account or selected in a branch. The PIN should be attached to a
specific account, is never visible to any bank employee, and is stored in an
encrypted form in the system of record.

• Systematic lockout. Systematic lockout by real-time monitoring controls
set on the system's parameters locks a person out after two or more
invalid attempts to access account information or transfer funds.

The enrolling application, then, requires entry of (1) the basic identity
data, (2) some subsidiary data, and (3) the secret data. This information is
matched to the system of record’s data, verified through outside
databases, and, if verified, the customer enrollment is accepted.
Remember, at this point the customer should already have passed general
account-opening tests, e.g., cross-checking phone number and physical
address, and these are not, in general, re-verified here. If enrollment fails,
a limited number of retries should be allowed before the attempt is
terminated and this failure is logged. If the customer is already enrolled
for online banking, the system should prevent re-enrollment without
manual intervention and direct customer contact.

B. Post Authentication Setup

Once the customer has been verified, he or she should be required to create
an online identity. This is how the customer will log on in the future. This
identity should not include any of the data required for enrollment and
should consist of:

• A self-selected user ID that is used only on the Web site, and is never
printed out for statement mailings, etc. Note that this ID is not considered
secret since it is generally visible to employees. However, it may raise the
bar slightly and pose an additional knowledge or guess requirement
against a potential fraudulent entry.

• A self-selected Internet password, which should replace the PIN for
Internet authentication, since the PIN is generally 4 to 6 digits and as such
is far too small to resist a brute-force cracking attempt. The more
characters used in an Internet password, the more effective it is, so
institutions should allow up to 20 characters. Passwords should be stored
at the financial institution in an encrypted format and should never be
visible to employees, including call-center representatives.
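The enrollment steps (1) to (3), the lockout, the retry logging and the post-authentication identity setup described in parts A and B can be put together in code. The following Python is an added example written for this report, not software from any bank: the system of record is a constructed in-memory dictionary; the lockout threshold of three attempts and the minimum password length of eight characters are assumptions (the text only says "two or more" attempts and "up to 20 characters"); secrets are stored as salted PBKDF2 hashes, a one-way form that satisfies the requirement that they are never visible to employees; and the later operational rule that user ID and password must differ is enforced as well.

```python
import hashlib
import hmac
import logging
import os
from typing import Dict, Optional

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("enrollment")

MAX_ATTEMPTS = 3          # assumption; the text says "two or more" invalid attempts
MAX_PASSWORD_LEN = 20     # the text recommends allowing up to 20 characters
MIN_PASSWORD_LEN = 8      # assumption; not specified in the text
PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt + digest, never the secret."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def check_secret(secret: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _record(ssn_last4: str, last_deposit: int, pin: str) -> dict:
    return {"ssn_last4": ssn_last4, "last_deposit": last_deposit,
            "pin_hash": hash_secret(pin), "failed_attempts": 0,
            "locked": False, "enrolled": False, "user_id": None, "password_hash": None}


# Constructed system of record: two accounts whose PINs exist only as hashes.
SYSTEM_OF_RECORD: Dict[str, dict] = {
    "1234567890": _record("6789", 1500, "4821"),
    "2222222222": _record("3344", 275, "7310"),
}


def enroll(account_no: str, subsidiary: dict, pin: str) -> str:
    """Steps (1) basic identity, (2) subsidiary data, (3) secret data. Returns a status."""
    rec = SYSTEM_OF_RECORD.get(account_no)
    if rec is None:
        log.warning("enrollment failed: unknown account %s", account_no)
        return "failed"
    if rec["locked"]:
        return "locked"
    if rec["enrolled"]:
        log.warning("re-enrollment attempt on %s; manual intervention required", account_no)
        return "already-enrolled"
    subsidiary_ok = (subsidiary.get("ssn_last4") == rec["ssn_last4"]
                     and subsidiary.get("last_deposit") == rec["last_deposit"])
    if subsidiary_ok and check_secret(pin, rec["pin_hash"]):
        rec["failed_attempts"] = 0
        rec["enrolled"] = True
        return "enrolled"
    rec["failed_attempts"] += 1          # every failure is counted and logged
    log.warning("enrollment failed for %s (attempt %d)", account_no, rec["failed_attempts"])
    if rec["failed_attempts"] >= MAX_ATTEMPTS:
        rec["locked"] = True             # systematic lockout
        log.warning("account %s locked after %d failed attempts", account_no, MAX_ATTEMPTS)
        return "locked"
    return "failed"


def set_online_identity(account_no: str, user_id: str, password: str) -> str:
    """Post-authentication setup: self-selected user ID and Internet password."""
    rec = SYSTEM_OF_RECORD.get(account_no)
    if rec is None or not rec["enrolled"]:
        return "not-enrolled"
    if not (MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN):
        return "bad-password-length"
    if account_no in user_id or account_no in password:
        return "reuses-account-number"   # identity must not include enrollment data
    if user_id.lower() in password.lower() or password.lower() in user_id.lower():
        return "user-id-and-password-too-similar"
    rec["user_id"] = user_id
    rec["password_hash"] = hash_secret(password)   # stored one-way, not retrievable
    return "ok"
```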

C. Operational Controls After Enrollment

Two final steps should be taken after a customer is enrolled in online
banking:

• A "Welcome to online banking" letter should be mailed to the statement
mailing address. This letter informs the customer to call or email the bank
immediately if he or she did not enroll in online banking. (This will be
ineffective as a fraud-prevention tool if a hijacker has changed the
customer's mailing address recently.)

• Customer behavior should be tracked for at least the first 30 days to
attempt to identify suspicious or out-of-pattern activities. The customer
should be contacted if there is a shift in behavior patterns, while
suspicious behavior (e.g., completely draining several accounts into one in
a short period of time or attempting to change the account address)
should lead immediately to account blocking and customer contact.
Institutions must not only monitor open accounts for suspicious activity
and unusual transactions, they must also implement the technological
controls that constitute the monitoring and detection processes.

• Providing back-end controls that can prevent account takeover scenarios,
with policies that require user IDs and passwords to be different.
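As an added example (not the report's own), the following Python reviews a constructed activity log for the two patterns the monitoring bullet names: an address change during the first 30 days, and several accounts being drained into one destination in a short period. The 24-hour window, the "two or more source accounts" threshold and the "90% of balance" definition of draining are assumptions chosen for the example; balances are taken as they stood before the logged events.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WATCH_DAYS = 30                       # the text: track behaviour for at least 30 days
DRAIN_WINDOW = timedelta(hours=24)    # assumption for "a short period of time"
DRAIN_MIN_SOURCES = 2                 # assumption for "several accounts"
DRAIN_FRACTION = 0.9                  # assumption: >= 90% of balance counts as draining

# Constructed activity log for a customer enrolled on 1 March 2024.
ENROLLED_AT = datetime(2024, 3, 1)
BALANCES_BEFORE = {"ACC-100": 5000, "ACC-101": 3200, "ACC-102": 1000}
EVENTS: List[Dict] = [
    {"ts": datetime(2024, 3, 2, 9, 0), "type": "transfer",
     "src": "ACC-100", "dst": "ACC-900", "amount": 4900},
    {"ts": datetime(2024, 3, 2, 9, 5), "type": "transfer",
     "src": "ACC-101", "dst": "ACC-900", "amount": 3150},
    {"ts": datetime(2024, 3, 2, 9, 7), "type": "address_change",
     "src": None, "dst": None, "amount": 0},
    {"ts": datetime(2024, 4, 15, 12, 0), "type": "transfer",
     "src": "ACC-102", "dst": "ACC-901", "amount": 40},
]


def review_activity(events: List[Dict], enrolled_at: datetime,
                    balances: Dict[str, int]) -> List[str]:
    """Return alert strings; an empty list means nothing matched the two patterns."""
    alerts: List[str] = []
    watch_end = enrolled_at + timedelta(days=WATCH_DAYS)
    drains = defaultdict(list)            # destination -> [(time, source account)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "address_change" and ev["ts"] <= watch_end:
            alerts.append(f"{ev['ts']:%Y-%m-%d %H:%M} address change within "
                          f"{WATCH_DAYS}-day watch period: block and contact")
        elif ev["type"] == "transfer":
            bal = balances.get(ev["src"], 0)
            if bal and ev["amount"] >= DRAIN_FRACTION * bal:
                drains[ev["dst"]].append((ev["ts"], ev["src"]))
    for dst, entries in drains.items():
        # Any DRAIN_MIN_SOURCES distinct sources emptied into dst within DRAIN_WINDOW.
        for t0, _ in entries:
            sources = {s for t, s in entries if t0 <= t <= t0 + DRAIN_WINDOW}
            if len(sources) >= DRAIN_MIN_SOURCES:
                alerts.append(f"{t0:%Y-%m-%d %H:%M} {len(sources)} accounts drained "
                              f"into {dst} within {DRAIN_WINDOW}: block and contact")
                break
    return alerts


if __name__ == "__main__":
    for line in review_activity(EVENTS, ENROLLED_AT, BALANCES_BEFORE):
        print(line)
```

The "shift in behaviour" case the text treats more gently (contact rather than block) would need a baseline of the customer's usual amounts and counterparties, which is why tracking has to start at enrollment rather than at the first complaint.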

Some Recent Innovations in E-Banking Security:

One Time Password:

A one-time password (OTP) is a password that is only valid for a single
login session or transaction. OTPs avoid a number of shortcomings that
are associated with traditional (static) passwords. The most important
shortcoming that is addressed by OTPs is that, in contrast to static
passwords, they are not vulnerable to replay attacks. This means that, if a
potential intruder manages to record an OTP that was already used to log
into a service or to conduct a transaction, he will not be able to abuse it,
since it will no longer be valid. On the downside, OTPs cannot be
memorized by human beings. Therefore they require additional
technology in order to work.
OTP generation algorithms typically make use of randomness. This is
necessary because otherwise it would be easy to predict future OTPs from
observing previous ones. Concrete OTP algorithms vary greatly in their
details. Various approaches for the generation of OTPs are listed below.

• Using a mathematical algorithm to generate a new password based
on the previous password (OTPs are, effectively, a chain and must be
used in a predefined order).
• Based on time-synchronization between the authentication server
and the client providing the password (OTPs are valid only for a
short period of time).
• Using a mathematical algorithm where the new password is based
on a challenge (e.g., a random number chosen by the authentication
server or transaction details) and/or a counter.
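The three generation approaches in the list above can be shown in code. The following Python is an added example, not from the original report: `hotp()` and `totp()` implement the counter-based and time-synchronised schemes as specified in RFC 4226 and RFC 6238, `OtpServer` shows the replay check that makes a recorded OTP useless, and the chain functions show the "each password derived from the previous one" scheme in the Lamport/S/KEY style, where the server stores only the last accepted value. The HOTP secret is the RFC 4226 test key and the chain seed is a constructed value.

```python
import hashlib
import hmac
import struct
from typing import Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, int(at // step), digits)


class OtpServer:
    """Server-side verifier that remembers which counters/steps were consumed,
    so a recorded code cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_counters: Set[int] = set()
        self.used_steps: Set[int] = set()

    def verify_counter_otp(self, code: str, counter: int) -> bool:
        if counter in self.used_counters:
            return False
        ok = hmac.compare_digest(hotp(self.secret, counter), code)
        if ok:
            self.used_counters.add(counter)
        return ok

    def verify_time_otp(self, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
        # Accept the current step and +/- skew neighbours for clock drift, each only once.
        base = int(now // step)
        for c in range(base - skew, base + skew + 1):
            if c not in self.used_steps and hmac.compare_digest(hotp(self.secret, c), code):
                self.used_steps.add(c)
                return True
        return False


# Hash-chain OTPs: the server holds H^n(seed); the client reveals H^(n-1)(seed),
# then H^(n-2)(seed), ... so each password is derived from, and verified by, the previous one.
def chain_setup(seed: bytes, n: int) -> bytes:
    h = seed
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h                                   # value the server stores initially


def chain_client_password(seed: bytes, remaining: int) -> bytes:
    """Client's next password: H^remaining(seed), one step short of the server's value."""
    h = seed
    for _ in range(remaining):
        h = hashlib.sha256(h).digest()
    return h


class ChainServer:
    def __init__(self, last: bytes):
        self.last = last

    def verify(self, candidate: bytes) -> bool:
        # Hashing the candidate once must reproduce the stored value; on success the
        # candidate replaces it, so the same password can never be accepted twice.
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.last):
            self.last = candidate
            return True
        return False
```

For the challenge variant that includes transaction details, the same HMAC construction is applied to the challenge (amount and destination) instead of a counter, which is what lets the customer's device confirm the transaction the bank actually received rather than the one a man-in-the-browser displayed.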

There are also different ways to make the user aware of the next OTP to
use. Some systems use special electronic tokens that the user carries and
that generate OTPs and show them using a small display. Other systems
consist of software that runs on the user's mobile phone. Yet other systems
generate OTPs on the server-side and send them to the user using an out-
of-band channel such as SMS messaging. Finally, in some systems, OTPs
are printed on paper that the user is required to carry with him.

Mutual Authentication:

Mutual authentication or two-way authentication (sometimes written as
2WAY authentication) refers to two parties authenticating each other
suitably. In technology terms, it refers to a client or user authenticating
themselves to a server and that server authenticating itself to the user in
such a way that both parties are assured of the other's identity. When
describing online authentication processes, mutual authentication is often
referred to as website-to-user authentication, or site-to-user
authentication.

Typically, this is done for a client process and a server process without
user interaction.

Mutual SSL provides the same things as SSL, with the addition of
authentication and non-repudiation of the client authentication, using
digital signatures. However, due to issues with complexity, cost, logistics,
and effectiveness, most web applications are designed so they do not
require client-side certificates. This creates an opening for a man-in-the-
middle attack, in particular for online banking.
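As an added example (not the report's own code), the following Python uses the standard ssl module to show the configuration difference between ordinary SSL/TLS and mutual SSL on the server side: with `require_client_cert=True` the handshake cannot complete unless the client presents a certificate issued by the configured CA. Certificate and key paths are placeholders to be supplied by the deployment; the functions load them only when given, so the contexts can be built and inspected without files.

```python
import ssl
from typing import Optional


def build_server_context(require_client_cert: bool,
                         cert_file: Optional[str] = None,
                         key_file: Optional[str] = None,
                         client_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server side. False = one-way TLS: the server proves its identity and the client
    proves nothing at the transport layer. True = mutual TLS: the handshake fails
    unless the client presents a certificate chaining to client_ca_file."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file and key_file:                 # the bank's own certificate (placeholder paths)
        ctx.load_cert_chain(cert_file, key_file)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED    # no client certificate, no connection
        if client_ca_file:                     # only the issuing CA's certificates, not a public bundle
            ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def build_client_context(cert_file: Optional[str] = None,
                         key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client side: verifies the bank's certificate and hostname (the defaults for
    SERVER_AUTH) and presents its own certificate when one is configured."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Human-readable summary of what a context demands from its peer."""
    return {ssl.CERT_NONE: "peer certificate not requested",
            ssl.CERT_OPTIONAL: "peer certificate optional",
            ssl.CERT_REQUIRED: "peer certificate required"}[ctx.verify_mode]


if __name__ == "__main__":
    print("one-way TLS server:", describe(build_server_context(False)))
    print("mutual TLS server: ", describe(build_server_context(True)))
    print("client:            ", describe(build_client_context()))
```

With the one-way context, whoever holds a certificate the client trusts for the bank's hostname can stand between the two parties; with the mutual context, the client's private key never leaves its device, so an intermediary cannot complete the handshake toward the bank even after the customer has been tricked into talking to it.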

Thank You
