Security concerns in online banking
Many financial institutions are at the forefront of developing best practices and deploying advanced technologies to secure their systems and assets. Information security is an important concern for all institutions in the banking and finance sector. The application of information technology has significantly changed the way institutions in the banking and financial sector process and store data, and the sector is now adopting developments such as Internet banking, e-money, e-cheques and e-commerce as its most modern channels for delivering services to customers. Telecommunication networks have played a catalytic role in the expansion and integration of information systems (IS), within and between institutions, making data accessible to many different users.
The information systems and networks of these organizations face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage and vandalism. Financial institutions are persistently targeted by criminals and others with malicious intent. Sources of damage such as computer viruses, computer hacking and denial-of-service attacks have become more common, more ambitious and increasingly sophisticated in the networked environment. To address these problems, institutions across the sector have worked collaboratively to improve inter- and intra-sector communication and have created private-public partnerships for sharing information and encouraging innovation. Maintaining information systems security is fundamentally a team effort, and it is the responsibility of every individual in an organization to ensure that security measures are properly implemented and observed.
Nowadays attacks are more often active than passive. Previously the threats were largely passive, such as password guessing, dumpster diving and shoulder surfing. Here are some of the techniques used by attackers today:
Trojan Attack. The attacker installs a Trojan, such as a key logger program, on a user's computer. This typically happens when users visit certain websites and download programs; while they are doing so, the key logger is installed on their computer without their knowledge.
When users log in to their bank's website, the information keyed in during that session is captured and sent to the attacker.
Here, the attacker uses the Trojan as an agent to carry information from the user's computer back to the attacker's own system, from where fraudulent transactions can be made at any time.
Man-in-the-Middle Attack. Here, the attacker creates a fake website and draws users' attention to it. Typically the attacker tricks users by disguising the message so that it appears to come from a trusted source. Once this succeeds, users do not realize that, instead of reaching the intended website, they have actually gone to the fraudster's website. The information keyed in during that session is captured, and the fraudsters can make their own transactions at the same time.
There are several methods of ensuring a more secure Internet banking:
(1) Minimum Requirement: Two Factor Authentication
Given the attacks described above, the security measures in place are not adequate to prevent fraud. The current method of using only one factor of authentication clearly has its weaknesses, and the security of Internet banking needs to be strengthened. At a minimum, two-factor authentication should be implemented to verify the authenticity of the information pertaining to Internet banking services.
The first authentication factor can be a password and the second can be a token such as a smartcard. These measures will greatly reduce incidents of Internet banking fraud. The smartcard provides a second layer of authentication, which will stop a perpetrator even if he manages to obtain the user's password.
Intercepted passwords cannot be used if fraudsters do not have the smartcard. Besides addressing fraudulent activities, this can instill customer confidence in Internet banking.
(2) Additional Requirement: Three Factor Authentication
However, for better security, a three-factor authentication process should be considered. The third authentication factor is a biometric, such as iris or thumbprint recognition, which ascertains who one is biologically. This method of authentication has been introduced by the Employee Provident Fund (EPF) for its members, but is limited to retrieving a member's latest statements.
With three-factor authentication a more secure method can be implemented: a password to ascertain what one knows, a token (smartcard) to ascertain what one has, and biometric recognition (for example fingerprint or thumbprint) to ascertain who one biologically is. As such, if a password has been compromised, fraudsters still need to get through another two levels of authentication to access a customer's account. This would be difficult, if not totally impossible.
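The layered check described above, as an added illustration that is not part of the original article: the server verifies a salted password hash (what one knows) and then a response that only the customer's smartcard can compute to a fresh, single-use challenge (what one has), so a password captured by a key logger, or a captured response replayed later, is not enough. The challenge-response scheme, the HMAC construction, the hash parameters and the account records are assumptions made for the demonstration, not any bank's or card vendor's actual protocol.

```python
import hashlib, hmac, secrets

PBKDF2_ROUNDS = 100_000  # assumption: tuned per deployment

def make_account(password: str, card_secret: bytes) -> dict:
    """Enrol a customer: salted password hash plus the secret shared with their smartcard."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "card_secret": card_secret,  # in practice kept in an HSM and on the card only
    }

def card_respond(card_secret: bytes, challenge: bytes) -> bytes:
    """What the smartcard computes: a MAC over the bank's one-time challenge (assumed protocol)."""
    return hmac.new(card_secret, challenge, hashlib.sha256).digest()

class BankServer:
    def __init__(self, account: dict):
        self.account = account
        self.pending = set()  # challenges issued but not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def login(self, password: str, challenge: bytes, response: bytes) -> bool:
        """Factor 1: password (what you know). Factor 2: card response (what you have)."""
        if challenge not in self.pending:   # unknown or already used: a replay is rejected
            return False
        self.pending.discard(challenge)     # every challenge is single-use
        given = hashlib.pbkdf2_hmac("sha256", password.encode(), self.account["salt"], PBKDF2_ROUNDS)
        password_ok = hmac.compare_digest(given, self.account["pw_hash"])
        expected = card_respond(self.account["card_secret"], challenge)
        token_ok = hmac.compare_digest(expected, response)
        return password_ok and token_ok  # both factors are always evaluated

def demo() -> tuple:
    """Constructed scenario: a key logger captured the password and one session's card response."""
    secret = b"constructed-card-secret"
    bank = BankServer(make_account("TmB1w2R!", secret))
    c1 = bank.issue_challenge()
    genuine = bank.login("TmB1w2R!", c1, card_respond(secret, c1))
    replayed = bank.login("TmB1w2R!", c1, card_respond(secret, c1))  # same challenge again
    c2 = bank.issue_challenge()
    password_only = bank.login("TmB1w2R!", c2, b"\x00" * 32)          # no card to answer c2
    return genuine, replayed, password_only
```

demo() returns (True, False, False): only the session with a live card response succeeds.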
The following practices help prevent online threats such as viruses, worms and spyware:
1. Use current versions of the operating system and applications on your computer and ensure that security patches are up-to-date. Most major software companies regularly release updates or patches to their software or operating systems to repair security problems. Some companies, such as Microsoft, offer you the ability to automatically receive these updates. All other vendor software updates can typically be found on their website.
2. Ensure that your computer has anti-virus and anti-spyware protection and make sure these programs are updated regularly.
Keeping these programs up-to-date helps protect you from current virus threats and spyware used to gather confidential information such as passwords, credit card numbers and social security numbers. Also, scan your computer for viruses and spyware at least once per month.
3. Use a personal firewall to prevent intruders from compromising your computer. Every computer connected to the Internet is at risk of attack by an unauthorized intruder. Personal firewalls serve as a protective barrier between your computer and the Internet, and hence this risk. Personal firewalls can be either hardware or software and are a big part of improving the security of your computer.
4. If you use wireless networking, secure the network with the following practices to reduce the risk of being hacked by a wireless intruder:
Ensure that wireless encryption is enabled and that the selected encryption level is at least 128-bit, which provides stronger protection.
Change the default administrator ID and/or password provided by your wireless equipment (e.g. wireless router) manufacturer.
Change the default wireless network name provided by your wireless equipment manufacturer so that a hacker cannot use the default to try to access your network. Select a name that is equivalent to a strong password.
Consider the option that disables the broadcast of your wireless network name over the air at regular intervals. Broadcasting the name is unnecessary and increases the likelihood that an unwelcome neighbor or hacker will try to log in to your network.
Also consider the option to limit access to your wireless network to only your computer device(s). Consult your wireless equipment manufacturer for assistance on how to select these options.
Be aware that connecting to an unprotected network may result in an intruder gaining unauthorized access to your computer.
It is possible for someone to monitor your internet connection and even record your password(s).
5. Do not download or run software from unknown sources. This applies both to software available on the Internet and sent via e-mail. Installing software from unknown sources increases the probability of installing malicious code or accepting computer viruses. Also, exercise caution when trading files with other users as these may also contain software.
6. Power off your computer when it is not in use.
Adopt the following practices to help protect your online banking and confidential information from fraud and identity theft:
1. Use strong password construction by adopting the following principles:
At least eight (8) characters in length if application allows.
Contains at least one upper and one lower case alpha character (e.g., a-z, A-Z).
Contains at least one digit and one special character if supported.
Is not a word in a standard dictionary (English or foreign) or publicly known slang, dialect or jargon.
Is not based on personal information, family names, pet names, the Bank's name or geographic location, etc.
Does not contain ascending or descending characters or digits (e.g., abcd, 4321), or repeating characters or digits (e.g., aaaa, 3434).
Try to create a password that can be easily remembered. One technique is to base the password on a phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R!".
2. Change your password regularly, at least every 45 days.
3. Never share your password with anyone.
4. Never write your password down or store it online.
5. Use a different password for each online system you access.
6. Never use the "remember my ID and password" option on your computer.
7. Use your own computer when accessing online banking systems and never leave it unattended during an online banking session. Internet kiosks, cyber cafes, and other public use computers are not as secure as your own computer and should not be used to access personal financial information.
8. Practice safe browsing:
Do not download freeware or shareware; these programs often contain spyware or malicious applications.
Do not click on links or buttons in pop-up advertisement windows.
Use a pop-up blocker.
9. Conduct financial transactions only with trusted and secure sites.
When shopping or banking online, it is important to make sure you are using a secure connection. You can check for a secure site by looking at the website address: look for an "s" after http (i.e. https://). Many web browsers also show a padlock image to indicate a secure connection. You can verify a secure site by double-clicking the padlock icon at the bottom of your browser window and reading the site information in the box that appears.
10. Always log off of your on-line banking session and close your browser.
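The password construction rules in item 1 above, expressed as a checker that reports every rule a candidate password breaks (an added example, not part of the original article). The dictionary and personal-information lists are constructed stand-ins; a real deployment would load a full word list and the customer's profile.

```python
import re

# Constructed, deliberately tiny stand-ins for a dictionary and the customer's details.
DICTIONARY = {"password", "banking", "welcome", "letmein", "summer"}
PERSONAL_INFO = ["john", "smith", "rex", "firstbank", "chicago"]

def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one (abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_repetition(pw: str) -> bool:
    """True for one character repeated four times (aaaa) or a pair repeated (3434)."""
    return re.search(r"(.)\1{3}", pw) is not None or re.search(r"(..)\1", pw) is not None

def check_password(pw: str) -> list:
    """Return the rules from the policy above that `pw` violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    lowered = pw.lower()
    # "based on" a dictionary word: strip digits and symbols before looking it up
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("is based on a dictionary word")
    if any(item in lowered for item in PERSONAL_INFO):
        problems.append("contains personal information")
    if has_sequence(pw):
        problems.append("contains an ascending or descending sequence")
    if has_repetition(pw):
        problems.append("contains repeated characters")
    return problems
```

The page's own example "TmB1w2R!" passes every rule, while "Password1!" is rejected because stripping the digit and symbol leaves a dictionary word.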
E-mail over the Internet is inherently insecure. Adopt the following practices to help minimize the risk of becoming the victim of fraudulent e-mail scams.
1. A secure, encrypted e-mail service should be used to communicate confidential information, such as account numbers and social security numbers, between the Bank and its clients.
2. Do not open e-mail or attachments from unknown senders, especially executable attachments.
3. Be aware of e-mail scams and phishing. Phishing is an e-mail that falsely claims to come from a known sender. It typically provides a link to a phony website where you are asked to supply your confidential information. Never respond to unsolicited e-mail asking for confidential information, and avoid clicking links provided in e-mails; it is better to type the address directly into your browser's address bar.
4. Use e-mail filtering software to screen for unsolicited e-mail (spam). Consider installing a software tool that will assist in filtering spam from your e-mail inbox. These tools can help reduce the likelihood of a virus or worm installing a malicious program on your computer, or of receiving e-mail phishing attempts.
The providers of Internet banking services must be more responsive to security requirements. While there is no doubt that Internet banking transactions should have layered protection against security threats, providers should approach security considerations as part of their service offerings. Currently, there are no formal processes in place to determine the level of security provided by these service providers or the minimum standards they should meet.
Local financial institutions should consider the above-mentioned recommendations to ensure the confidentiality of customer information. However, there is a cost implication to these recommendations: the additional hardware and software for the card reader and biometric recognition. Nevertheless, this is a serious matter that needs to be looked into by the relevant authorities in this country. In the long run, the cost of implementing better security will be worth it and beneficial to the banking industry.