TELE BANKING:
Undertaking a host of banking-related services, including financial
transactions, from the convenience of the customer's chosen place anywhere
across the globe, at any time of day or night, has now been made
possible by introducing on-line Telebanking services. By dialing the given
Telebanking number through a landline or a mobile from anywhere, the
customer can access his account and, by following the user-friendly menu,
carry out the entire range of banking operations through an Interactive
Voice Response (IVR) system.
Credit Card:
A credit card is part of a system of payments named after the
small plastic card issued to users of the system. It is a card entitling its
holder to buy goods and services based on the holder's promise to pay for
these goods and services. The issuer of the card grants a line of credit to
the consumer (or the user) from which the user can borrow money for
payment to a merchant or as a cash advance to the user.
DEBIT CARD:
Debit cards are also known as check cards. Debit cards look like credit
cards or ATM (automated teller machine) cards, but operate like cash or a
personal check. Debit cards are different from credit cards. While a credit
card is a way to "pay later," a debit card is a way to "pay now." When you
use a debit card, your money is quickly deducted from your checking or
savings account. Debit cards are accepted at many locations, including
grocery stores, retail stores, gasoline stations, and restaurants. You can
use your card anywhere merchants display your card's brand name or
logo. They offer an alternative to carrying a checkbook or cash.
E-CHEQUE:
An e-Cheque is the electronic version or representation of a paper
cheque.
The information and legal framework for the e-Cheque is the same
as that of the paper cheque.
It can now be used in place of paper cheques to do any and all
remote transactions.
An e-Cheque works the same way a cheque does: the cheque writer
"writes" the e-Cheque using one of many types of electronic devices
and "gives" the e-Cheque to the payee electronically. The payee
"deposits" the electronic cheque and receives credit, and the payee's
bank "clears" the e-Cheque to the paying bank. The paying bank
validates the e-Cheque and then "charges" the cheque writer's account
for the cheque.
The bogus Web site urges the visitor to provide confidential information —
social security numbers, account numbers, passwords, etc. Since the email
and corresponding Web site seem legitimate, the phisher hopes at least a
fraction of recipients are fooled into submitting their data. While it is
impossible to know the actual victim response rates to all phishing
attacks, it is commonly believed that about 1 to 10 percent of recipients are
duped with a “successful” phisher campaign having a response rate
around 5 percent. To put this in perspective, spam campaigns typically
have a less than 1 percent response rate.
BOT- “Bot” is actually short for robot – not the kind found in science
fiction movies or on the production line in a manufacturing business. Bots
are one of the most sophisticated types of crimeware facing the Internet
today. Bots are similar to worms and Trojans, but earn their unique name
by performing a wide variety of automated tasks on behalf of their master
(the cybercriminals) who are often safely located somewhere far across
the Internet. Tasks that bots can perform run the gamut from sending
spam to blasting Web sites off the Internet as part of a coordinated
“denial-of-service” attack. Since a bot-infected computer does the bidding
of its master, many people refer to these victim machines as “zombies.”
Site Cloaking – Cloaking fools search engines by disguising one web site
as another.
Session Hijacking – The session is hijacked by unauthorized use of the
cookies deposited by the banking site.
Cross-Site Scripting – A script is injected into one web site or web log, but it
is executed in the context of a different web site.
Outbound Data Theft – Data sent from the web site are intercepted for use
in attacks. For example, that may include data about the software
installed at the site, version number etc.
The above survey only highlights the major sources of attacks, which are
constantly multiplying.
BASIC CONTROLS FOR ONLINE BANKING
ENROLLMENT:
A. Identification and Authentication
Assuming that the customer has been properly verified and accepted at
the opening of an account, enrollment for online banking consists of
validating that the person attempting to enroll is in fact the same one who
opened the original account. This involves verifying the following:
• Subsidiary data. These data may be used to “raise the bar” against a
fraudster. The data are not secret in any meaningful way but may at least
require a fraudster to spend additional time to obtain it. Analysis of failed
enrollment attempts (from insufficient or incorrect subsidiary data) may
highlight to fraud departments that there is an attempt being made
against a certain person or account, but subsidiary data should not be
relied on in the absence of the correct secret data. Typical subsidiary data
might include a Social Security number, name, address, amount of the
latest deposit, or location of the branch where the account was opened.
Note that these data must be available on the system of record in order to
be verified.
• Secret data. The only secret data that are shared between the customer
and the bank is a PIN on an opened account, where the PIN has been
delivered out-of-channel, preferably mailed to the statement address of
the account or selected in a branch. The PIN should be attached to a
specific account, is never visible to any bank employee, and is stored in an
encrypted form in the system of record.
The enrolling application, then, requires entry of (1) the basic identity
data, (2) some subsidiary data, and (3) the secret data. This information is
matched to the system of record’s data, verified through outside
databases, and, if verified, the customer enrollment is accepted.
Remember, at this point the customer should already have passed general
account-opening tests, e.g., cross-checking phone number and physical
address, and these are not, in general, re-verified here. If enrollment fails,
a limited number of retries should be allowed before the attempt is
terminated and this failure is logged. If the customer is already enrolled
for online banking, the system should prevent re-enrollment without
manual intervention and direct customer contact.
• A self-selected user ID that is used only on the Web site, and is never
printed out for statement mailings, etc. Note that this ID is not considered
secret since it is generally visible to employees. However, it may raise the
bar slightly and pose an additional knowledge or guess requirement
against a potential fraudulent entry.
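The enrollment checks described above (subsidiary data plus the out-of-channel PIN, a limited number of retries, logging of failures, and refusal to re-enroll an already enrolled customer) as an added, runnable example; this is not code from the original notes. It assumes a retry limit of 3 and that the PIN is stored as a salted PBKDF2 hash rather than in a reversible encrypted form; the account record is constructed for the example.

```python
import hashlib, hmac, os, logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO)
MAX_RETRIES = 3  # assumed limit; the notes leave the number unspecified

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Secret data are never stored in clear: salted, slow hash (assumption: PBKDF2-SHA256)
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Account:
    """Constructed system-of-record entry; PIN held only as salt + digest."""
    account_no: str
    name: str
    ssn_last4: str
    last_deposit: str
    pin_salt: bytes
    pin_digest: bytes
    enrolled: bool = False
    failed_attempts: int = 0
    web_user_id: str = ""   # self-selected ID, used only on the web site

def make_record() -> Account:
    salt = os.urandom(16)
    return Account("ACC-0001", "A. Customer", "1234", "250.00", salt, pin_hash("4821", salt))

def enroll(rec: Account, name: str, ssn_last4: str, last_deposit: str,
           pin: str, user_id: str) -> str:
    """Returns 'ACCEPTED', 'REJECTED', 'LOCKED' or 'ALREADY_ENROLLED'."""
    if rec.enrolled:
        # Re-enrollment needs manual intervention and direct customer contact
        logging.warning("re-enrollment attempt on %s; manual review required", rec.account_no)
        return "ALREADY_ENROLLED"
    if rec.failed_attempts >= MAX_RETRIES:
        return "LOCKED"
    # Both checks are always evaluated so a wrong PIN and wrong subsidiary data look alike
    subsidiary_ok = (name == rec.name and ssn_last4 == rec.ssn_last4
                     and last_deposit == rec.last_deposit)
    secret_ok = hmac.compare_digest(pin_hash(pin, rec.pin_salt), rec.pin_digest)
    if not (subsidiary_ok and secret_ok):
        rec.failed_attempts += 1   # failures are counted and logged for fraud analysis
        logging.info("enrollment failed for %s (attempt %d)", rec.account_no, rec.failed_attempts)
        return "LOCKED" if rec.failed_attempts >= MAX_RETRIES else "REJECTED"
    rec.enrolled = True
    rec.web_user_id = user_id
    return "ACCEPTED"
```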
There are also different ways to make the user aware of the next OTP to
use. Some systems use special electronic tokens that the user carries and
that generate OTPs and show them using a small display. Other systems
consist of software that runs on the user's mobile phone. Yet other systems
generate OTPs on the server-side and send them to the user using an out-
of-band channel such as SMS messaging. Finally, in some systems, OTPs
are printed on paper that the user is required to carry with him.
Mutual Authentication:
Typically, this is done for a client process and a server process without
user interaction.
Mutual SSL provides the same protections as SSL, with the addition of
client authentication and non-repudiation of that authentication, using
digital signatures. However, due to issues with complexity, cost, logistics,
and effectiveness, most web applications are designed so they do not
require client-side certificates. This creates an opening for a
man-in-the-middle attack, in particular for online banking.