E-BANKING
Electronic communication is infiltrating every aspect of our lives. The
number of people using some sort of e-channel for various services is
constantly increasing, and of course the most popular of these channels is
the Internet. Traditional banking business, like all other businesses, is
also adapting to these changes and new demands. This chapter will lead you
through the world of electronic banking (especially Internet banking) from
the very beginning to the point where you will learn how to set up your own
Internet bank channel. Security and the banking business are inseparable; of
all e-Businesses, security is perhaps most important here. Therefore, one
whole section of this chapter is devoted to security issues. You will learn
what the main security problems in Internet communications are; you will
familiarize yourself with the solutions to these problems, such as Digital
Signatures and Digital Certificates (including ITU-T X.509 Certificates); and
you will see a real-life implementation of these techniques through the
Secure Sockets Layer in your browser.
Finally, you will see an Internet bank demo and, at the very end, some
useful tips on searching for financial information on the Web.
E-Banking
[Figure: Internet users (IU) and Wireless Internet users (WIU) for 2000, 2002 and 2005; chart not reproduced. Legend: IU = Internet users, WIU = Wireless Internet users]
[Figure 5.2: Bank cost per transaction by channel (Branch, Call Center, ATM, Internet/WAP); chart not reproduced]
and they have family activities after work. As you can see, there is an obvious
collision between customers' demands and our capabilities.
An e-Bank transforms the banking business into e-Business by utilizing
various e-Channels. The e-Channels are:
Internet,
Automated telephone,
ATM network,
non-stop working time, and that they want to be able to use services from
anywhere, we can clearly see that in the e-Banking business we now have a
perfect match between their requests and our capabilities.
Of course, this is not the only advantage of e-Banking. You also have the
possibility to extend your market (even outside the country) because, among
other things, you no longer need an office in every single town. You also
have the possibility to process more financial transactions, and last but not
least, you have the possibility to lower your transaction cost.
Figure 5.2 on the previous page shows the bank's cost per transaction for
various types of channels. As you can see, whilst the cost per transaction in
an ordinary branch is $1.07, in the e-Banking business that cost can be
lowered to only 1 cent per transaction by using Internet or WAP access
through a PC, PDA, WAP mobile device or Web TV.
Now it is time to review some facts about the status of Internet banking in
Europe and in the USA.
Table: banks by asset size and online presence (reconstructed from figure residue; the first and last asset-band labels are not legible in the source)

Assets              Number of Banks   Online Presence
[label not legible] 5,912             5%
$100M to $500M      3,403             16%
$500M to $1B        418               34%
$1B to $3B          312               42%
$3B to $10B         132               52%
[label not legible] 94                84%

[Figure: shares of online presence types labelled INF, NP and FT (values shown: 23%, 41%, 36%); chart not reproduced]
various types of information published on the Web by the bank. At the end
of the year 2000, about 1,100 U.S. banks, large and small, had been
providing full-fledged transactional banking online. In the next two years an
additional 1,200 transactional online banks are expected, and by 2005 the
number of such banks should increase to more than 3,000.
The usage of the Internet as an e-Channel, especially through the WWW
service, makes financial services available to a wide population. Anyone who
has access to the Internet can easily make financial transactions simply by
using a browser and visiting the appropriate Web locations. Of course, the
usage of the Internet, as well as of other e-Channels, poses some security
risks, both for the users and for the banks. That is the subject of the
following section.
these systems facilitate interaction between the bank and the user, often with
the support of third-party service providers.
It is important to note that not all networks carry the same degree of
risk; not all networks are equally vulnerable; not all networks are equally
critical; and not all networks contain data that is equally sensitive.
Internal attacks are potentially the most damaging because a bank's
personnel, which can include consultants as well as employees, may have
authorized access to critical computer resources. Combined with detailed
knowledge relating to the bank's practices and procedures, an internal
attacker could access value transfer systems directly, or exploit trusted
relationships among networked systems to gain a level of access that allows
him to circumvent established security controls. After that, the attacker could
potentially transfer money or other assets inappropriately. That is why the
first thing you should do is to review and evaluate the security of internal
networks.
The use of public networks poses additional risks beyond those of internal
networks. It is important to note that the use of dedicated or leased lines
may provide an inappropriate sense of security relating to the confidentiality
of data transmitted over them. These lines use the infrastructure of public
networks; therefore, they are vulnerable to the same attacks as the public
networks themselves. Risks include line tapping and the possible interception
and alteration of data. Therefore, it is wise to encrypt sensitive data
transmitted via public networks.
The Internet is a public network of networks that can be accessed by any
computer equipped with a modem, so, as with any public network, the
communication path is non-physical and may include any number of
eavesdropping and active interference possibilities. It is also an open
system where the identity of the communicating partners is not easy to
establish. Thus, as Ed Gerck nicely put it, "the Internet communication is
much like anonymous postcards, which are answered by anonymous
recipients." However, these postcards, open for anyone to read and even write
in, must carry messages between specific endpoints in a secure and private
way [Gerck00]. Having all that in mind, in the e-Banking business we can
define three main problems:
1. Spoofing: "How can I reassure customers who come to my
site that they are doing business with me, not with a fake
setup to steal their credit card numbers?"
2. Eavesdropping: "How can I be certain that my customers'
account number information is not accessible to online
eavesdroppers when they enter into a secure transaction on
the Web?"
3. Data alteration: "How can I be certain that my personal
information is not altered by online eavesdroppers when
they enter into a secure transaction on the Web?"
Symmetric approach
Asymmetric approach
Hybrid approach
In the symmetric approach, both sides use the same key for encryption and
decryption. This approach is useful for bulk data encryption because it is
computationally faster than other methods, but it has a key distribution
problem. The best-known symmetric algorithms are DES (Data Encryption
Standard, IBM & National Bureau of Standards, 1977), DESX (a slightly
strengthened version of DES) and IDEA.
In the asymmetric approach, the sender uses the public key for encryption
and the receiver uses the private key for decryption. This approach is more
convenient for encrypting short data because it is computationally slower
than other methods, but here we do not have a key distribution problem,
because the public key can be freely distributed over any channel, including
insecure ones. However, we have
another sort of problem: how to securely bind that public key to its
owner. The most popular asymmetric algorithms are RSA (Rivest, Shamir &
Adleman, 1977) and Diffie-Hellman (1976).
The hybrid approach combines the good sides of both aforementioned
methods. It uses the symmetric approach for data encryption (thus attaining
good speed) and the asymmetric approach for passing the symmetric key.
This approach is applied in SSL. We shall talk more about SSL a bit later.
As you see, no matter which approach we choose, we have a problem with
key management. In the symmetric approach, there is a problem with key
distribution because we still have to have some sort of secure channel (not
necessarily an e-Channel) for sending the symmetric key. In the asymmetric
approach, on the other hand, although the public key can be distributed over
any insecure channel, we have a problem with securely binding the public
key to its owner. As you will see, that binding is done through Digital
Certificates. We will come back to that in a little while.
first, we have to understand one important link in the security chain: the
Secure Sockets Layer.
As you can see in Figure 5.9, the Secure Sockets Layer (in the less detailed
model we are using) is inserted as the topmost sublayer of the Network
Layer.
Here we have to make an important observation. People easily make the
mistake of regarding HTTPS and S-HTTP (Secure HTTP) as identical, which
is not the case. When a Web address begins with https:// it only denotes
that we are connecting to a secure Web server through an SSL connection
(the little yellow padlock in the status line of your browser indicates that
the secure connection has been established); so, HTTPS is related to SSL.
On the other hand, S-HTTP is a superset of HTTP. It is an independent
protocol and part of the Application Layer, unlike SSL, which is part of the
Network Layer. S-HTTP was designed by E. Rescorla and A. Schiffman of
EIT to secure HTTP connections. It provides a wide variety of mechanisms
for confidentiality, authentication, and integrity. The system is not tied to
any particular cryptographic system, key infrastructure, or cryptographic
format; it allows messages to be encapsulated in various ways.
Encapsulations can include encryption, signing, or MAC-based
authentication. This encapsulation can be recursive, and a message can have
several security transformations applied to it. S-HTTP also includes header
definitions to provide key transfer, certificate transfer, and similar
administrative functions. S-HTTP does not rely on a particular key
certification scheme. It includes support for RSA, in-band, out-of-band and
Kerberos key exchange. Key certifications can be provided in a message, or
obtained elsewhere [Shostack95a]. As we said at the beginning, S-HTTP is
part of an application, not part of a network socket connection.
Layered Structure of the SSL
The Secure Sockets Layer is a protocol designed to work, as the name
implies, at the socket layer, to protect any higher-level protocol built on
sockets, such as telnet, ftp, or HTTP (including S-HTTP). As such, it is
ignorant of the details of higher-level protocols and of what is being
transported; higher-level protocols can layer on top of SSL transparently.
The SSL protocol is composed of two layers: the Record Layer and the
Handshake Layer. A multitude of ciphers and secure hashes are supported,
including some explicitly weakened to comply with export restrictions.
be under 100 seconds - SSL, C.8), we have to make a new handshake. The
other type of handshake is used when client authentication is desired.
When a client wishes to establish a secure connection, it sends a
CLIENT-HELLO message, including a challenge, along with information on
the cryptographic systems it is willing or able to support. The server
responds with a SERVER-HELLO message, which contains a connection-id,
its key certificate (that is, the server's Digital Certificate), and
information about the cryptosystems it supports. The client is responsible
for choosing a cryptosystem it shares with the server.
The client then verifies the server's public key and responds with a
CLIENT-MASTER-KEY message, which is a randomly generated master
key, encrypted or partially encrypted with the server's public key. The client
then sends a CLIENT-FINISHED message. This includes the connection-id,
encrypted with the client-write-key. (All these keys will be explained
separately in a little while.) The server then sends a SERVER-VERIFY
message, verifying its identity by responding with the challenge, encrypted
with the server-write-key. The server got the material for its server-write-key
from the client, encrypted with the server's public key: it must have the
appropriate private key to decrypt the CLIENT-MASTER-KEY message,
thus obtaining the master key, from which it can produce the server-write-key.
If client authentication is in use, the server must at some point send a
REQUEST-CERTIFICATE message, which contains a challenge (called
challenge') and the means of authentication desired. The client responds
with a CLIENT-CERTIFICATE message, which includes the client
certificate's type, the certificate itself, and a bunch of response data. The
server then sends a SERVER-FINISH message.
There are a number of keys used over the course of a conversation. There is
the server's public key, a master key, a client-read-key and a client-write-key.
(The standard uses the term server-write-key as another name for
client-read-key, and server-read-key as another name for client-write-key.)
The client-write-key and client-read-key are derived via a secure hash from
the master key, an ordinal character, the challenge, and the connection-id.
Of this input, only the master key is sent encrypted (with the server's public
key). The master key is reused across sessions, while the read and write
keys are generated anew for each session.
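The key derivation just described, as an added example (not code from the chapter). It follows the SSL 2.0 specification's KEY-MATERIAL construction (MD5 over MASTER-KEY, an ordinal character, CHALLENGE and CONNECTION-ID) and checks two properties the text states: session keys differ per session even though the master key is reused, and the server can only produce the server-write-key for SERVER-VERIFY if it recovered the real master key. All key, challenge and connection-id values are constructed.

```python
"""SSL 2.0 session-key derivation as described in the handshake section.

Added example, not code from the original chapter. It follows the SSL 2.0
specification's KEY-MATERIAL construction (MD5 over MASTER-KEY, an ordinal
character, CHALLENGE and CONNECTION-ID). All key, challenge and
connection-id values used below are constructed, not captured traffic.
"""
import hashlib
from typing import Dict


def derive_session_keys(master_key: bytes, challenge: bytes,
                        connection_id: bytes) -> Dict[str, bytes]:
    """Return the per-connection keys of an SSL 2.0 session.

    KEY-MATERIAL-n   = MD5(MASTER-KEY || "n" || CHALLENGE || CONNECTION-ID)
    CLIENT-READ-KEY  = KEY-MATERIAL-0   (the spec's SERVER-WRITE-KEY)
    CLIENT-WRITE-KEY = KEY-MATERIAL-1   (the spec's SERVER-READ-KEY)
    Of these inputs only MASTER-KEY is secret; CHALLENGE and CONNECTION-ID
    are sent in the clear in CLIENT-HELLO and SERVER-HELLO.
    """
    def key_material(ordinal: bytes) -> bytes:
        return hashlib.md5(master_key + ordinal + challenge + connection_id).digest()

    return {"client_read_key": key_material(b"0"),
            "client_write_key": key_material(b"1")}


def keys_are_session_specific(master_key: bytes) -> bool:
    """Property stated in the text: one master key reused across sessions
    still yields fresh read/write keys, because the challenge and
    connection-id differ per session (constructed values below)."""
    s1 = derive_session_keys(master_key, b"A" * 16, b"conn-1")
    s2 = derive_session_keys(master_key, b"B" * 16, b"conn-2")
    return (s1["client_read_key"] != s2["client_read_key"]
            and s1["client_write_key"] != s2["client_write_key"]
            and s1["client_read_key"] != s1["client_write_key"])


def server_verify_possible(master_key: bytes, challenge: bytes,
                           connection_id: bytes, recovered_master: bytes) -> bool:
    """Model the SERVER-VERIFY step: the server can only produce the
    server-write-key (= client-read-key) if it recovered the real master
    key with its private key. `recovered_master` stands for whatever the
    server obtained by decrypting CLIENT-MASTER-KEY; a wrong private key
    yields a wrong master key and therefore a wrong server-write-key."""
    client_side = derive_session_keys(master_key, challenge, connection_id)
    server_side = derive_session_keys(recovered_master, challenge, connection_id)
    return client_side["client_read_key"] == server_side["client_read_key"]


if __name__ == "__main__":
    master = bytes(range(16))              # constructed 128-bit master key
    print(derive_session_keys(master, b"C" * 16, b"conn-42"))
    print(keys_are_session_specific(master))
```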
very long keys and change these keys regularly. Top-level Certification
Authorities, unfortunately, are exceptions. It may not be practical for them
to change keys frequently because their keys may be written into the
software (such as browsers) used by a large number of verifiers. The
Certification Authorities that may be the most probable targets are the ones
that offer the smallest protection level. As Ed Gerck said: "Protection, in
this case, is an inverse function of worth" [Gerck00].
VeriSign (www.verisign.com)
Thawte (www.thawte.com)
[Figure: Internet bank channel; components shown: User, Internet, SSL connection, Web server, Security subsystem, Branch office terminals; diagram not reproduced]
that we cannot let them access our back office system directly. We have to
make some sort of electronic user desk for our customers.
The system that performs that task is called the Internet front office
system. The Internet front office system is then connected to a Web server.
With the help of a security subsystem, we can achieve secure communications
by using the Secure Sockets Layer (which was explained in detail in the
previous section). Of course, this is just a rough sketch.
The above system can be implemented in an in-house or an out-of-house
architecture. In the in-house architecture all components of the system are
on-site (in the bank); in the out-of-house approach some components are still
located at the bank (generally only the core server and the data-transfer
server) while the rest of the system components are located elsewhere (at the
Application Service Provider; we shall talk about them later). A picture is
worth a thousand words, so let us examine the CustomerLink primer (Figure
5.14).
As you can see, if the out-of-house architecture is used, the bank only has
to provide a core server and a data-transfer server (and of course sign a
contract with some Application Service Provider, or ASP). Also, note that
[Figure 5.14: CustomerLink architecture; components shown: User, Web server, CustomerLink server, Data transfer server, Core server, Router, Firewall, Bank site, ASP (Equifax); diagram not reproduced]
Bill payment
Check payment
Insurance services
Security services
And more
Bill payment: CheckFree, www.checkfree.com
Web hosting: Digex, www.digex.com; DiamondBullet, www.diamondbullet.com, www.bankingwebsites.com
Financial history
SEC filings
Stock quotes
Press releases
course has limited capacity; that is why we are often forced to follow links
only to a certain depth. However, if a page with newer information is
buried rather deep in the structure of the Web location, our search engine
may not locate it. A focused crawler optimizes the path: because we no
longer follow all the links, we are able to go deeper into the structure,
thus locating the previously missed page.
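The depth argument above, as an added example (not code from the chapter): a breadth-first crawler and a focused crawler are given the same fetch budget over a constructed site graph, and only the focused one reaches the page buried three links down. The site, page names and the keyword-on-link-name relevance test are all constructed for illustration.

```python
"""Depth-limited versus focused crawling, as an added example (not code
from the chapter). SITE is a constructed link graph: each page lists the
pages it links to, and the page we want sits three links below the home
page. Relevance is a toy test on the link name; real focused crawlers
score page content, but the budget argument is the same.
"""
from collections import deque
from typing import Dict, List, Optional

SITE: Dict[str, List[str]] = {   # constructed, not a real site
    "home": ["about", "careers", "press", "investors", "products", "blog"],
    "about": ["team", "history"],
    "careers": ["jobs-1", "jobs-2"],
    "press": ["pr-2001-a", "pr-2001-b"],
    "investors": ["investor-reports", "stock-info"],
    "products": ["checking", "savings"],
    "blog": ["post-1", "post-2"],
    "investor-reports": ["investor-reports/q3-results"],
}
TARGET = "investor-reports/q3-results"   # the "newer information" page


def is_relevant(link: str, topic: str) -> bool:
    # Toy relevance test: follow a link only if its name mentions the topic.
    return topic in link


def crawl(start: str, budget: int, topic: Optional[str] = None) -> List[str]:
    """Breadth-first crawl that fetches at most `budget` pages.

    topic=None  -> general crawler: every link is queued, so the budget is
                   spent on breadth and deep pages may never be reached.
    topic=str   -> focused crawler: only links that look relevant are
                   queued, so the same budget carries the crawl deeper.
    Returns the pages in the order they were fetched.
    """
    fetched: List[str] = []
    queue = deque([start])
    while queue and len(fetched) < budget:
        page = queue.popleft()
        if page in fetched:
            continue
        fetched.append(page)                  # "download" the page
        for link in SITE.get(page, []):
            if topic is None or is_relevant(link, topic):
                queue.append(link)
    return fetched


def general_finds_target(budget: int) -> bool:
    return TARGET in crawl("home", budget)


def focused_finds_target(budget: int) -> bool:
    return TARGET in crawl("home", budget, topic="investor")


if __name__ == "__main__":
    print("general crawler, budget 8:", general_finds_target(8))   # False
    print("focused crawler, budget 8:", focused_finds_target(8))   # True
```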
Comparison of Search Services
Relatively recently (September 2001), PC World's staff conducted an
extensive comparison of search engines, subject directories and metacrawlers
[PCWorld01]. The article, together with an explanation of the testing method
and the complete results, can be found at the following address:
http://find.pcworld.com/11060
The general-purpose search engines with the highest marks, the ones that
provide the best service by all means, are:
Google www.google.com
Fast www.alltheweb.com
Yahoo! www.yahoo.com
Lycos www.lycos.com
Northern Light www.northernlight.com
If you want to use some other, perhaps more specialized search engines, you
can look at the following locations:
Search Engine Guide www.searchengineguide.com
Argus Clearinghouse www.clearinghouse.com
BeauCoup www.beaucoup.com
Search Engine Watch www.searchenginewatch.com
There is even a directory of directories of search engines:
SearchAbility www.searchability.com
You can also try the public databases not accessible to search engines,
such as the Lycos Searchable Databases Directory:
http://dir.lycos.com/reference/searchable_databases
5.4 Conclusion
In this chapter devoted to e-Banking we covered many of its aspects. You
have learned what an e-Bank is and what the benefits of e-Banking are; you
familiarized yourself with the structure of an e-Bank, learned how to
implement your own Internet channel and how afterwards to search for
financial information on the Web in order to improve your business. You
have also learned what security problems can occur and how to fight them.
As a conclusion, we can say that every bank should implement its
Internet channel, because of the reduced cost of transactions (see Figure 5.2
in section 5.1.2) and global connectivity.
Also, small and mid-sized banks could benefit from using Application
Service Providers for different kinds of services (and choosing a good ASP
is the most important step).
As a last thing in this chapter, we shall mention some common
Internet myths [Rodriguez00]:
Myth 1: The Internet requires little upfront investment. This is not true,
because, like everywhere else, you get what you pay for.
Myth 2: The Internet will drive transactions away from other channels.
The fact is that channel behavior is additive (and, as studies show,
channel adoption has always been additive).
Myth 3: Internet customers are inherently more profitable. The fact
is that Internet customers' profitability is inconsistent.
PROBLEMS
1. What are the benefits and what are the shortcomings of
e-Banking?
2. Describe three main security problems in electronic
communication.
3. Explain how Digital Signatures work.
4. What is the purpose of Digital Certificates and how do they work?
5. What is SSL and how does it work?
6. What is the difference between In-house and Out-of-house bank
architecture?
7. Explain the difference between standard client-server architecture
and n-tier architecture. Describe the Application Tier.
8. What is an Application Service Provider? What are the advantages of
using ASPs, and what are the shortcomings?
9. Briefly describe the required tasks after initial introduction of a
new channel.
10. Explain the general idea of search engines. What is the focused
crawler?
REFERENCES
[eTForecasts01]
[ABA99]
[Jupiter00]
[eStats99]
[Greenspam00]
[FDIC01]
[Menezes97]
[ITU01]
[Shostack95a]
[Shostack95b]
[MSDN00]
[Gerck00]
[Novel95]
[Equifax01]
[SCU01]
[PCWorld01]
[Rodriguez00]
TABLE OF CONTENTS
Chapter 5 E-Banking .........................................................................1
5.1 Introduction to E-Banking .......................................................2
5.1.1 E-Business in Brief ...........................................................2
5.1.2 What Is an E-Bank? ..........................................................3
5.1.3 Some Facts about E-Banking in Europe and the USA......5
5.2 Security Issues .........................................................................7
5.2.1 Overview of Security Problems ........................................7
5.2.2 Cryptography Basics.........................................................9
5.2.3 Digital Signatures ...........................................................11
5.2.4 Digital Certificates ..........................................................14
5.2.5 Secure Sockets Layer (SSL) ...........................................19
5.2.6 Verification of DCs in the user's browser .......................24
5.2.7 Final Words on Digital Certificates ................................26
5.3 Bankers Point of View...........................................................28
5.3.1 Setting up an Internet Bank Channel ..............................28
5.3.2 Internet Bank Demo........................................................ 38
5.3.3 Searching for Financial Information on the Web .......... 41