Posts: 5,362
Threads: 2,998
Joined: Feb 2011
Presented by:
Nikola Skundric �
Prof. Dr. Veljko Milutinovic �
Milos Kovacevic �
Nikola Klem
[attachment=13374]
Introduction to �E - Banking
Introduction
Banking consumers today have �more options then ever before:
“brick and mortar” institution�(has a building and personal service representatives)
“brick and click” institution�(physical structure + Internet bank services)
“virtual bank”�(no public building – exists only online)
What Is an E-Bank?
Traditional banking business assumes:
Customer desk at bank’s building
Office hours from 8.00 am to 7.00 pm
Customers have:
Their job during the day
Family or other activities after the job
What Is an E-Bank?
Logical answer is to use e-channels:
Internet
WAP based mobile network
Automated telephone
ATM network
SMS and FAX messaging
Multipurpose information kiosks
Web TV and others …
What Is an E-Bank?
Customers’ requests are:
Non-stop working time
Using services from anywhere
E-channels provide:
Working time 0 - 24h
Great flexibility
Other Advantages of E-Banking
Possibility to extend your market �(even out of country)
Internet Banking ... and E-Banking
Internet Banking
In this tutorial we shall focus on Internet Banking.
No need explaining why Internet is so important �e-channel:
670 million users worldwide �(end of 2001)
Almost 1.2 billion users in 2005�(forecasts, worldwide)
54% of U.S. population (143 mil.) �is using it (February 2002)
Every month 2 million users �are going online only in USA
What Internet Banking Offers
As a consumer, you can use Internet banking to:
Access account information
Review and pay bills
Transfer funds
Apply for credit
Trade securities
Find out if a check was cleared
Find out when a bill is due
Apply for mortgage
Search for the best loan rates
Compare insurance policies and prices
Many consumers also like the idea of not waiting in line to do their banking, and paying their bills without shuffling papers and buying stamps.
Some Facts
E-Banking in the USA
E-Banking in the USA
Today about 1,100 U.S. banks, large and small, provide full-fledged transactional banking on-line
In next two years additional 1,200 transactional on-line banks are expected
By 2005, the number of such banks should increase to more than 3,000
E-Banking in Serbia
E-Banking in Serbia
Elektronski promet Delta banke:�6.5 milijardi dinara u prva tri meseca
25% naloga u Raiffeisen banci stižu elektronskim putem
U HVB banci svaki drugi nalog je elektronski
35% prometa Nacionalne štedionice obavlja se kroz elektronske usluge
30% klijenata Atlas banke koristi elektronsko bankarstvo
Internet Banking
Using Internet as an e-Channel makes financial services available to wide population
Security Issues
Security problems
Network access can be performed through �a combination of devices (PC, telephone, interactive TV equipment, card devices �with embedded computer chips, ...)
Security Problems
Internet is a public network and�open system where the identity�of the communicating partners�is not easy to define.
Communication path is non-physical�and may include any number of�eavesdropping and active interference possibilities.
“Internet communication is much like anonymous postcards, which are answered by anonymous recipients.”
Although open for everyone to read, and even write in them, they must carry messages between specific endpoints in a secure and private way.
Security Problems
What Do We Have to Achieve
How to Achieve It?
Cryptography algorithms to provide privacy.
Digital Certificates and Digital Signatures �for Web servers, to provide authentication. �data integrity, and non-repudiation service.
Secure Sockets Layer (SSL) uses all these techniques�to achieve trusted communication.
When URL begins with https it identifies the site as “secure” �(meaning that it encrypts or scrambles transmitted information)
Few Security Tips 1/3
Protect yourself from potential pitfalls and make �your Internet banking more safe, productive �and enjoyable by following these advices�(given by Federal Reserve Bank of Chicago)
Make sure your transmissions are encrypted before doing any online transactions or sending personal information.
E-mail is usually not secure. Do not send sensitive data via e-mail (unless you know it is encrypted). �Change all passwords and PIN codes received via e-mail that is not encrypted.
Make sure you are on the right website.
Few Security Tips 2/3
Make sure that the financial institution is�properly insured.
Be “password smart” �(use mix of letters and numbers; change pw regularly; �keep your pw and PIN codes to yourself; avoid easy �to guess pw like first names, birthdays, anniversaries, �social security numbers...)
Keep good records. Save information about banking transactions. Check bank, debit and credit card �statements thoroughly every month. Look for any �errors or discrepancies. �
Few Security Tips 3/3
Report errors, problems or complaints promptly
Keep virus protection software up-to-date. �Back-up key files regularly.
Exit the banking site immediately after completing your banking.
Do not have other browser windows open at the same time you are banking online.
Do not disclose personal information such as credit card and Social Security numbers unless you know whom you are dealing with, why they want this information and how they plan to use it.
Know Your Rights
There are regulations against unauthorized�transactions (Including Internet banking,�ATM and debit card transactions)
A consumer's liability for an unauthorized transaction is determined by how soon the financial institution is notified (max. 60 days upon receipt of statement)
When making purchases via the Internet it is smart to use a credit card instead of a debit card (liability should be no more than $50 if properly reported, plus you do not have to pay disputed amount during investigation).
Cryptography Basics
Asymmetric approach
Symmetric Approach
Asymmetric Approach
Hybrid Approach
Uses asymmetric approach for passing the symmetric key
Uses symmetric approach for data encryption
Digital Signatures
Cryptography provides privacy, but what about security?
As mentioned before, from a security point of view, �we have to achieve three important things:
Digital Signatures
Digital Signatures
Digital Signatures
“Non-repudiation: a service that prevents the denial of a previous act.”
A. Menezes – “Handbook of Applied Cryptography”
Key Management Problem
The whole system of Digital Signatures �relies on the capability to securely bind �the public key and its owner.
Q1: “How can I be sure that the public key my browser uses to send account number information is in fact the right one for that Web site, and not a bogus one?”
Q2: “How can I reliably communicate my public key to customers so they can rely on it to send me encrypted communications?”
The solution is to use Digital Certificates.
Digital Certificates
Problems caused by a false certification
or no certification mechanism
Certification
Certificates provide strong binding �between the public-key and some �attribute (name or identity).
Digital Certificates
An electronic file that uniquely identifies communication entities on the Internet.
Associate the name of an entity �with its public key.
Issued and signed by Certification Authority.
Everybody trusts CA, and CA is responsible
for entity name – public key binding.
ITU-T Recommendation X.509
Certification Authority
CA is a general designation for any entity that controls the authentication services and the management of certificates (also called issuer)
X.509 Naming Scheme
A certificate associates �the public key and �unique distinguished name (DN) �of the user it describes.
Authentication relies �on each user possessing �a unique distinguished name.
The DN is denoted by a NA �and accepted by a CA �as unique within the CA’s domain, �where the CA can double as a NA.
How X.509 Certificate Is Issued
Contents of X.509 Certificate
Verification of DCs in User Browser
Verification of DCs in User Browser
Most of the servers that use CA certificates force the client to accept certain �CAs’ signatures (for top level CAs), �which are “hardwired” into the software, �or stored on Smart cards.
The CAs’ PK may be the target of an extensive decryption attack. �That is why CAs should use very long keys and change keys regularly.
Useful Links to Visit
Two largest commercial CA’s:
verisign.com
how to apply for DC, �security related stuff
thawte.com
how to apply for DC, �security related stuff
Secure Sockets Layer
SSL Communication Channel
SSL Record Layer
At the lowest level, layered on top of some reliable �transport protocol (e.g. TCP)
It provides connection security using data encryption �with symmetric cryptography and message integrity check with keyed MAC (Message Authentication Code)
As a public key for encryption for every SSL session �we create a randomly generated temporary master key, SSK (adoption of a SSK is described in Handshake Layer)
SSL Data Exchange Phase (simplified)
SSL Handshake Layer
A handshake occurs when a machine �tries to use a SSL connection.
If connection is opened, but no session exist recently (suggested under 100 sec - SSL, C.8) �we have to make a new handshake.
Other type of handshake occurs �when client authentication is desired.
SSL Handshaking Phase (simplified)
SSL Handshaking Phase
If client authentication is in use �there are three more steps:
REQUEST-CERTIFICATE message�challenge’ + means of authentication desired
CLIENT-CERTIFICATE message�client certificate’s type + certificate �+ bunch of response data
SERVER-FINISHED message
SSL Keys
There are number of keys used over the course of a conversation:
Server’s public key (SPK)
Master key (SSK) – randomly generated
Client-read-key also called Server-write-key (CRK/SWK)
Client-write-key also called Server-read-key (CWK/SRK)
CWK & CRK are derived via a secure hash from �the master key, the challenge, and the connection ID.
Only master key is sent encrypted (with SPK)
The master key is reused across sessions, while the �read- & write- keys are generated anew for each session.
SSL Data Exchange Phase
Once the handshaking is complete, �the application protocol begins to operate,�as described in the Record Layer.�(this is also called the data-exchange phase, as noted before)
SSL specification is not clear at what point the SSL connection is consider to be done with a connection, or what to do with the keys at that point.
Implicitly, the session is done when the TCP connection �is torn down, and the keys should be kept for roughly 100 sec after that (although that is not explicitly defined)
About SSL Strength
Two variants of SSL:
40-bit and 128-bit� (refers to master key length)
According to RSA labs it would take a �trillion trillion years to crack 128-bit SSL �using today’s technology!
However, SSL, being a low level protocol, does little to protect you once your host is compromised.
