Online banking
Online banking allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.

Features

Online banking solutions have many features and capabilities in common, but traditionally also have some that are application specific.

The common features fall broadly into several categories:
  • Transactional (e.g., performing a financial transaction such as an account to account transfer, paying a bill, wire transfer, applying for a loan, new account, etc.)
    • Payments to third parties, including bill payments and telegraphic/wire transfers
    • Funds transfers between a customer's own transactional account and savings accounts
    • Investment purchase or sale
    • Loan applications and transactions, such as repayments of enrollments

  • Non-transactional (e.g., online statements, cheque links, cobrowsing, chat)
    • Viewing recent transactions
    • Downloading bank statements, for example in PDF format
    • Viewing images of paid cheques
  • Financial Institution Administration
  • Management of multiple users having varying levels of authority
  • Transaction approval process


Features commonly unique to Internet banking include:
  • Personal financial management support, such as importing data into personal accounting software. Some online banking platforms support account aggregation to allow the customers to monitor all of their accounts in one place whether they are with their main bank or with other institutions.

History

The precursors of the modern home online banking services were the distance banking services over electronic media from the early 1980s. The term online became popular in the late '80s and referred to the use of a terminal, keyboard and TV (or monitor) to access the banking system using a phone line. 'Home banking' can also refer to the use of a numeric keypad to send tones down a phone line with instructions to the bank. Online services started in New York in 1981 when four of the city's major banks (Citibank, Chase Manhattan, Chemical and Manufacturers Hanover) offered home banking services using the videotex system. Because of the commercial failure of videotex these banking services never became popular except in France, where the use of videotex (Minitel) was subsidised by the telecom provider, and the UK, where the Prestel system was used.

The UK's first home online banking service[2] was set up by Bank of Scotland for customers of the Nottingham Building Society (NBS) in 1983.[3] The system used was based on the UK's Prestel system and used a computer, such as the BBC Micro, or keyboard (Tandata Td1400) connected to the telephone system and television set. The system (known as 'Homelink') allowed on-line viewing of statements, bank transfers and bill payments. In order to make bank transfers and bill payments, a written instruction giving details of the intended recipient had to be sent to the NBS, who set the details up on the Homelink system. Typical recipients were gas, electricity and telephone companies and accounts with other banks. Details of payments to be made were input into the NBS system by the account holder via Prestel. A cheque was then sent by NBS to the payee and an advice giving details of the payment was sent to the account holder. BACS was later used to transfer the payment directly.

Stanford Federal Credit Union was the first financial institution to offer online internet banking services to all of its members in October 1994.

Today, many banks are internet only banks. Unlike their predecessors, these internet only banks do not maintain brick and mortar bank branches. Instead, they typically differentiate themselves by offering better interest rates and online banking features.

Security

Protection through single password authentication, as is the case in most secure Internet shopping sites, is not considered secure enough for personal online banking applications in some countries. Basically there exist two different security methods for online banking.
  • The PIN/TAN system, in which the PIN represents a password used for the login and TANs represent one-time passwords used to authenticate transactions. TANs can be distributed in different ways; the most popular one is to send a list of TANs to the online banking user by postal letter. The most secure way of using TANs is to generate them on demand using a security token. These token generated TANs depend on the time and a unique secret, stored in the security token (two-factor authentication or 2FA). Usually online banking with PIN/TAN is done via a web browser using SSL secured connections, so that there is no additional encryption needed.

Another way to provide TANs to an online banking user is to send the TAN of the current bank transaction to the user's (GSM) mobile phone via SMS. The SMS text usually quotes the transaction amount and details, and the TAN is only valid for a short period of time. Especially in Germany and Austria, many banks have adopted this "SMS TAN" service as it is considered very secure.
  • Signature based online banking, where all transactions are signed and encrypted digitally. The keys for the signature generation and encryption can be stored on smartcards or any memory medium, depending on the concrete implementation.
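
The following Python example is added here and is not taken from the original article or from any bank's implementation. It derives a token TAN from the time and a shared secret as described above, using the standard TOTP construction (RFC 6238), and then goes beyond the text by binding the TAN to the destination account and amount, the details an SMS TAN quotes, so that a TAN issued for one transfer does not verify for a different one. The 30-second window, the 6-digit length, the binding scheme and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed validity window ("a short period of time")
TAN_DIGITS = 6     # assumed TAN length


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)


def time_tan(secret: bytes, now: int) -> str:
    """TAN that depends only on the time and the token's secret (TOTP)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def transaction_tan(secret: bytes, now: int, dest_account: str,
                    amount_cents: int) -> str:
    """TAN also bound to destination and amount (hypothetical scheme)."""
    msg = struct.pack(">Q", now // STEP_SECONDS)
    msg += f"|{dest_account}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_verify(secret: bytes, now: int, dest_account: str,
                amount_cents: int, tan: str, used: set) -> bool:
    """Bank-side check against the transaction the bank actually received.

    Accepts the current or previous time window and rejects a second use
    of the same window/transaction pair (one-time property).
    """
    for t in (now, now - STEP_SECONDS):
        expected = transaction_tan(secret, t, dest_account, amount_cents)
        if hmac.compare_digest(expected, tan):
            key = (t // STEP_SECONDS, dest_account, amount_cents)
            if key in used:
                return False  # replay of an already consumed TAN
            used.add(key)
            return True
    return False
```

Because the bank recomputes the TAN from the account number and amount it received, a request whose details were changed after the user approved them fails verification.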


Attacks

Most of the attacks on online banking used today are based on deceiving the user to steal login data and valid TANs. Two well known examples for those attacks are phishing and pharming. Cross-site scripting and keylogger/Trojan horses can also be used to steal login information.

A method to attack signature based online banking is to manipulate the software used in such a way that correct transactions are shown on the screen while faked transactions are signed in the background.

A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16-million loss in the second quarter of 2007. Computer intrusions increased by 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states.

The most recent kind of attack is the so-called Man in the Browser attack, where a Trojan horse permits a remote attacker to modify the destination account number and also the amount.

Countermeasures

There exist several countermeasures which try to avoid attacks. Digital certificates are used against phishing and pharming, and the use of class-3 card readers is a measure to avoid manipulation of transactions by the software in signature based online banking variants. To protect their systems against Trojan horses, users should use virus scanners and be careful with downloaded software or e-mail attachments.

In 2001 the FFIEC issued guidance for multifactor authentication (MFA) and then required it to be in place by the end of 2006.

See also

  • Current account
  • Enhanced Telephone
  • Guide to E-payments
  • Mobile banking
  • On-line and off-line
  • SMS Banking
  • Telephone banking

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 