Network security risks in online banking
Online banking is a banking method in which financial transactions are carried out on electronic devices over the internet. Financial institutions that offer this service need secure websites and back-end systems to protect their customers. Risks nonetheless arise whenever these transactions travel over the internet, so institutions must put in place strong security measures that monitor, address, control, and manage them. This paper addresses the attacks that give rise to security risk in online banking, the legal, reputational, and operational impact those risks have on institutions and their customers, and the countermeasures used against them.
The number of attacks aimed at online users grows daily and at a very high rate. Computers with an internet connection are continuously attacked by worms, spyware, adware, viruses, keyloggers, and other malware. Some studies have found that an unpatched Windows PC can be compromised within the first 12 minutes of being connected to the internet. Financial institutions therefore need to protect their websites against all types of attack. Securing online transactions has become a basic requirement and a standard by which the competitiveness of the institutions that provide this service is evaluated.
Attacks against online banking can be grouped into three categories: credential stealing attacks (CSA), channel breaking attacks (CBA), and content manipulation, commonly referred to as the man-in-the-browser attack (MitB). In a CSA, the attacker obtains the credentials of the online banking user through phishing or through malicious software. In a CBA, the attacker intercepts the communication between the user and the bank by pretending to be the client to the server and the server to the client, and in doing so acquires the user's credentials or session for fraudulent use. In a MitB attack, malware running inside the browser sits between the user and the banking application, at the application layer; it can read, write, delete, and alter the data the browser sends and displays, for instance the amount or beneficiary of a transfer, while the user sees only what the malware lets them see (Khrais, 2015).
Attacks can be either internal or external. There are several types of external attack, one of them being the Trojan attack. Here the adversary installs a Trojan, for instance a keylogger program, on the user's computer. This can happen when the user visits a certain website or downloads a program; the keylogger is installed alongside it without their knowledge. Once installed, it captures the user's credentials when they log in to their bank's website and sends them to the attacker, who then uses them, or the Trojan itself, to make transactions at will. Another external attack is the forged-website attack, which is often grouped with man-in-the-middle attacks. The adversary sets up a copy of the bank's site, disguises the lure so that it appears to come from an authentic source, and attracts online banking users to it. Users who are tricked log in to the attacker's site without realising it; their login credentials are captured and sent to the fraudsters, who use them to conduct illegal transactions. A true man-in-the-middle attack goes one step further and relays the traffic between user and bank, so that the session also appears to work normally from the user's point of view.
Another external attack is unauthorized access by malicious hackers, in which an attacker breaks into a user's computer without authorization. A hacker can be either an insider or an outsider. The connectivity of modern computers has made hacking far more prevalent, because it lets an attacker reach a victim's computer remotely; once they have access, they can use that foothold to tamper with the user's banking sessions and, from there, the banking network (Miko, n.d.). A further external attack is password guessing, in which the attacker uses software that tries every possible combination of a user's password. Once the correct combination is found, they use it to access the banking system and make any transactions they want.
The biggest and most common external attack is phishing. Phishing is the mechanism attackers use to obtain users' banking details for fraudulent activities. A phishing attack begins when an online banking user receives a fraudulent e-mail, commonly referred to as a spoof mail, crafted to look as though it comes from an authentic source; it leads them to a fraudulent website that collects their personal banking information. Research has shown that phishing is the biggest threat to mobile banking and that most online banking users have little or no knowledge of it (UK Essays, 2018).
Another external attack on banking networks uses sniffers, also referred to as network monitors. Sniffing software captures the traffic passing over a network segment, and if the banking session is not encrypted end to end it can read login IDs and passwords straight from the packets; capturing keystrokes on the user's own machine is the job of the keylogger Trojans described earlier. Brute force is another type of attack: the attacker systematically tries every possible password or key until one works, either online against the login page or offline against captured, encrypted data. This too gives the attacker the user's login ID and password. Logic bombs are also used to attack banking networks; they are designed to activate at a given time and carry out a destructive action on the network (Canada, 2017).
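The password-guessing attacks mentioned above (the combination-testing software in the previous paragraph and online brute force here) only work if the login endpoint evaluates guesses as fast as the attacker can send them. The following Python code is an added example, not from this paper or any of its sources, of the server-side check a bank would put in front of its login: salted PBKDF2 password hashes plus an exponentially growing delay after a few failures, with a simulated attacker walking through 4-digit PINs. The attacker's submission rate, the backoff parameters, the iteration count and the PIN are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

# Deliberately lower than production so the simulation runs quickly; real
# deployments use far more iterations (or Argon2/scrypt) so that offline
# guessing against a stolen hash is slow as well.
PBKDF2_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)
        self.failures = 0
        self.locked_until_ms = 0


class LoginGuard:
    """Per-account throttle: a few free failures, then an exponentially growing
    delay before the next attempt is even evaluated. All parameters are
    assumptions for the demo, not values taken from the paper."""

    def __init__(self, free_failures: int = 3, base_delay_ms: int = 1000,
                 max_delay_ms: int = 3_600_000):
        self.free_failures = free_failures
        self.base_delay_ms = base_delay_ms
        self.max_delay_ms = max_delay_ms

    def attempt(self, account: Account, password: str, now_ms: int) -> str:
        """Returns 'ok', 'rejected', or 'throttled' (not evaluated at all)."""
        if now_ms < account.locked_until_ms:
            return "throttled"          # no hashing cost spent on throttled guesses
        if hmac.compare_digest(hash_password(password, account.salt), account.digest):
            account.failures = 0
            return "ok"
        account.failures += 1
        excess = account.failures - self.free_failures
        if excess > 0:
            delay = min(self.base_delay_ms * 2 ** (excess - 1), self.max_delay_ms)
            account.locked_until_ms = now_ms + delay
        return "rejected"


def simulate_pin_attack(guard: LoginGuard, account: Account,
                        duration_ms: int = 60_000, interval_ms: int = 20) -> dict:
    """Constructed attacker: submits PIN guesses 0000, 0001, ... every
    interval_ms for duration_ms, re-sending a guess that was throttled, and
    counts how many guesses the server actually evaluated."""
    evaluated = 0
    found = None
    pin = 0
    for now_ms in range(0, duration_ms, interval_ms):
        outcome = guard.attempt(account, f"{pin:04d}", now_ms)
        if outcome == "throttled":
            continue                    # no verdict, attacker retries the same PIN
        evaluated += 1
        if outcome == "ok":
            found = f"{pin:04d}"
            break
        pin += 1
    return {"submitted": duration_ms // interval_ms, "evaluated": evaluated, "found": found}


if __name__ == "__main__":
    print(simulate_pin_attack(LoginGuard(), Account("7391")))
```

With the demo parameters the attacker submits 3000 guesses in a minute but the server evaluates only nine of them, so a 10000-PIN space is out of reach. Two caveats a practitioner should keep in mind: per-account throttling lets an attacker who knows a login ID lock the legitimate user out, so it is normally combined with per-source rate limits, CAPTCHA and a second factor; and it does nothing against offline brute force of a stolen password database, which is why the slow, salted hash matters too.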
There are several types of internal attack, one of them being theft or fraud. Computer software can be misused by an insider with access to the networks in order to commit fraud. Insider attacks are more serious in nature because an insider knows the networks better and already has legitimate access. Another type of internal attack is the trap door or back door. Here only the attacker knows the hidden password or entry point into a system, which gives them access to the network without passing through its security procedures. A further type is errors and omissions. Information systems and data integrity can be threatened by errors and omissions that mainly occur when data is captured, whether the user makes them intentionally or unintentionally. These errors are often difficult to detect because computers cannot recognise and correct mistakes that originate on the user's side.
A disgruntled employee who is unhappy with management may try to sabotage the information system (IS) resources at their disposal. Although this attack is considered less likely, it remains a risk that financial institutions need to watch for, especially during an employee strike or when a worker is fired. Such employees could change or delete data, hold it hostage, plant logic bombs, deliberately enter incorrect data, or destroy hardware.
Generally, there are vulnerabilities in all commercial operating systems, and these weaknesses create opportunities for attacks on the systems built on them. Financial institutions that offer online services therefore need effective security models. Since online banking is a transaction carried out between the user and the bank's system, the institution must protect online banking users with a multi-layered security solution. Such a solution has to take account of current hacking trends and bring together the technologies that protect the user's data, the web browser, and the network connection used for transactions.
Security for online information means protecting the information systems used to transmit and store data during transactions from unauthorized penetration and access. It is concerned with three properties of information, confidentiality, integrity, and availability, which are protected through managerial actions and technical solutions. A solution that does not reflect the actual attack techniques and the whole online banking process cannot provide countermeasures that block attacks. The security models adopted by online banking systems are therefore built from several security layers, each consisting of mechanisms and solutions that protect the online banking applications and the users' data throughout the transaction.
These solutions and mechanisms include the following. Digital certificates are used to authenticate the bank's servers to the user and, in some deployments, the user to the bank. This authentication rests on a public key infrastructure (PKI) with a certificate authority (CA): a trusted third party attests the validity of a certificate by signing it, and the browser or server checks that signature. One-time password (OTP) tokens are mostly used as a second factor of authentication. The device changes the password dynamically and each code is used only once, so data captured in one session is useless in a later attack. OTP cards (grid or scratch cards) are an inexpensive way of providing dynamic passwords as a second factor. In some banking systems, however, the passwords generated for OTP use are reused several times before they are discarded, which removes the protection against replay that the scheme is meant to give.
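The following Python code is an added example, not from this paper or any of its sources, of how an OTP token and the bank's verifier make a captured code worthless. It implements the counter-based HOTP algorithm of RFC 4226, which hardware tokens and grid cards commonly use, and a server-side verifier that accepts a code only for a counter beyond the last one it already accepted. The shared seed is the RFC 4226 test-vector secret, so the first code it produces (755224) can be checked against the standard; the look-ahead window of 10 is an assumption for the demo.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"). A real token
# holds a random 160-bit seed shared only with the bank's authentication server.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits and reduced to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side of the token. Remembers the highest counter already accepted
    for the user, so a code captured by a keylogger or phishing page cannot be
    replayed, and looks only a bounded number of counters ahead to tolerate
    token presses whose codes never reached the server."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead    # window size is an assumption for the demo
        self.last_counter = -1          # no code accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter     # this and every earlier counter is burnt
                return True
        return False


def demo() -> dict:
    """Fresh code, replay of the same code, the next token press, and a code
    from far outside the look-ahead window."""
    verifier = OtpVerifier(SHARED_SECRET)
    first = hotp(SHARED_SECRET, 0)                          # what the token shows first
    return {
        "fresh": verifier.verify(first),                    # accepted
        "replay": verifier.verify(first),                   # counter 0 already used
        "next": verifier.verify(hotp(SHARED_SECRET, 1)),    # next press accepted
        "far_ahead": verifier.verify(hotp(SHARED_SECRET, 50)),  # outside the window
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is the whole point of the second paragraph above: a system that lets a code be used several times before discarding it would return True for the "replay" case as well, and an attacker who captured the code through a keylogger or a forged login page could use it at leisure.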
Browser protection is another solution that online banking providers should adopt. In this model, security is applied at the level of the internet browser, the component through which the banking system is accessed. The browser and the user are protected against malware by monitoring the memory area allocated to the browser in order to detect malicious code injected into it. Another solution is device registration, which grants access to the banking system only from known, pre-registered devices. Techniques such as hardware fingerprinting are combined with identification of the user through secret credentials.
Another solution online banking providers should adopt is the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). A CAPTCHA keeps automated scripts (bots) from hammering login and registration pages, and many banking systems use it to make automated attacks against authentication ineffective. The user is shown distorted text or images that a person can read but an automated program cannot easily process, and must enter what they see. Additionally, online banking providers can use the short message service (SMS). Many banking systems notify their users by SMS of any transaction that requires their authorization. The SMS method provides a second authentication step for transactions with specific characteristics, such as large transfers or new beneficiaries, by sending the user a short code that they must enter to authorize that particular transaction; because the message also states the transaction details, the user can notice if they have been altered on the way to the bank.
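What makes an SMS code a defence against the man-in-the-browser attack described earlier is that the code is bound to one specific transaction rather than to the session. The following Python code is an added example, not from this paper or any of its sources, of that binding on the bank's side: the code is an HMAC over the user, a fresh nonce, the amount and the beneficiary, it is single-use, and it expires. The server key, the account numbers, the amounts and the timestamps are constructed values for the demo; a real bank would keep the key in an HSM.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the demo only.
SERVER_KEY = b"demo-only-server-key"


def transaction_code(key: bytes, user: str, nonce: str,
                     amount_cents: int, beneficiary: str, digits: int = 6) -> str:
    """Authorization code bound to one specific transaction. Any change to the
    amount or beneficiary (for example by man-in-the-browser malware) produces a
    different code, so the code the user typed no longer matches."""
    message = f"{user}|{nonce}|{amount_cents}|{beneficiary}".encode()
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % (10 ** digits)).zfill(digits)


class SmsAuthorizer:
    """Server side of SMS transaction authorization: one pending transaction per
    user, a single-use code, and a validity window in seconds (demo value)."""

    def __init__(self, key: bytes, ttl_seconds: int = 180):
        self.key = key
        self.ttl = ttl_seconds
        self.pending = {}     # user -> (nonce, issued_at)

    def start(self, user: str, amount_cents: int, beneficiary: str, now: int) -> str:
        """Record the transaction the bank actually received and return the SMS
        text. The SMS repeats the details so the user can spot a tampered transfer."""
        nonce = secrets.token_hex(8)
        self.pending[user] = (nonce, now)
        code = transaction_code(self.key, user, nonce, amount_cents, beneficiary)
        return (f"Transfer of {amount_cents / 100:.2f} to {beneficiary}. "
                f"Authorization code: {code}")

    def confirm(self, user: str, amount_cents: int, beneficiary: str,
                code: str, now: int) -> bool:
        """Accept only if the code matches the details being confirmed, is still
        within its window, and has not been used before."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        nonce, issued_at = entry
        if now - issued_at > self.ttl:
            del self.pending[user]            # expired: the user must start over
            return False
        expected = transaction_code(self.key, user, nonce, amount_cents, beneficiary)
        if not hmac.compare_digest(expected, code):
            return False
        del self.pending[user]                # single use
        return True


def code_from_sms(sms: str) -> str:
    """What the user reads off the phone (the code is the last field of the SMS)."""
    return sms.rsplit(": ", 1)[1]


def demo() -> dict:
    auth = SmsAuthorizer(SERVER_KEY)
    iban = "DE89 3704 0044 0532 0130 00"        # constructed example account
    results = {}

    sms = auth.start("alice", 50000, iban, now=1000)
    code = code_from_sms(sms)
    results["legitimate"] = auth.confirm("alice", 50000, iban, code, now=1030)
    results["replay"] = auth.confirm("alice", 50000, iban, code, now=1031)

    # Man-in-the-browser swaps the beneficiary after the user has typed the code.
    sms = auth.start("alice", 50000, iban, now=2000)
    code = code_from_sms(sms)
    results["tampered"] = auth.confirm("alice", 50000, "GB33 BUKB 2020 1555 5555 55", code, now=2020)

    # Correct code submitted after the validity window has passed.
    sms = auth.start("alice", 50000, iban, now=3000)
    code = code_from_sms(sms)
    results["expired"] = auth.confirm("alice", 50000, iban, code, now=3300)
    return results


if __name__ == "__main__":
    print(demo())
```

The "tampered" case is the one that matters against malware in the browser: the bank computes the expected code over the transaction as it actually arrived, so a code the user typed for the transfer they saw in the SMS is rejected for the altered one. The scheme still depends on the user reading the details in the message, and on the phone not being compromised as well.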
A pass-phrase is also a possible solution model. This security model relies on information held by the user and is mainly used as a second authentication step in transactions that move money. Online banking providers could also use a positive identification model, which requires the user to enter secret information known only to them in order to identify themselves (Knott, 2019). The last solution model is biometric technology, which has the most potential to improve security. Biometrics is an automated method of distinguishing users by their biological traits and characteristics, for instance finger-vein patterns and fingerprints. These traits differ for every individual and are difficult to fake, which makes biometric authentication and verification one of the strongest security solutions for online banking. The caveat is that a biometric trait, unlike a password or an OTP seed, cannot be changed if the stored reference template is stolen, so the templates need the same protection as any other credential.
In conclusion, online banking needs to be secured to prevent attackers from taking advantage of any vulnerability in online banking systems. Many threats face online banking, and more keep emerging as technology advances; in the same way, security solutions keep advancing as threats and risks do. If they are not mitigated, these threats lead to loss of money for banks and their customers.
Canada (2017). Common threats to be aware of. Get Cyber Safe, Government of Canada. Retrieved from: https://www.getcybercafe.gc.ca/cnt/rsk/cmmn-thrts-en.aspx
Khrais, L. (2015). Highlighting the Vulnerabilities of Online Banking Systems. ResearchGate. Retrieved from: https://www.researchgate.net/publication/284912393_Highlighting_the_Vulnerabilities_of_Online_Banking_System
Knott, F. (2019). Cyber Threats in the Banking Industry. Attila Security. Retrieved from: https://attilasec.com/blo/banking-industry-cyber-threats/
Miko, K. (n.d.). Internet Banking Attacks. CSIA DCIT. Retrieved from: https://www.dcit.cz/papers/CEPOL_Internet-Banking-Attacks.pdf
UK Essays (November 2018). Impacts of Security Threats on Internet Banking Information Technology Essay. Retrieved from: https://www.ukessays.com/essays/information-technology/impacts-of-security-threats-on-internet-banking-information-technology-essay.php?vref=1