Online Banking: An Insight Into Development & Security, A Case Study Based


Online Banking: An Insight Into Development & Security
A Case Study Based

Graduation Thesis Submitted to Hanoi University for the degree of Bachelor of Computer Science

By Nguyen Thanh Van (Computer Science)
Supervisor: MSc Trieu Thi Van Hau
December, 2009

Abstract

The world witnesses an information and technological revolution. This revolution has touched every aspect of people's life, including banking. Such changes and developments have impacts on both customers and bankers. They bring huge changes in modern banking transaction activities and give us a greater opportunity to access the banking system anytime and anywhere. However, just like two sides of the same coin, Online banking also has some drawbacks which are the barriers for its development. One of the key barriers is the security concerns associated with the Online banking system. Many customers feel that Online banking is not secure enough, and to increase its security level, some techniques have been applied. Some of them are Secure Socket Layer (SSL) and two-factor authentication.

This paper explores the current development of Online banking in the world in general and in Vietnam in particular. It also explains the reasons why Online banking is becoming a new trend in the banking field, figures out some key challenges, especially in terms of security, and investigates some widely used techniques that help improve the security of Online banking.

Acknowledgments

I would like to first and foremost express my great gratitude to my supervisor, MSc Trieu Thi Van Hau from the Faculty of Information Technology, Hanoi University, for her enthusiastic guidance. She gave stimulating suggestions and encouraged me a lot in all the time of research for and writing of this thesis. I am particularly grateful to all the
teachers of the Faculty of Information Technology, Hanoi University, who have taught me with all enthusiasm, helpfulness and caring, and gave me the chance and the possibility to complete this thesis. I have learnt a lot of precious lessons from all of you, not only in the information technology major.

I also want to give my thanks to the staff of the library of Hanoi University, who supported me in finding necessary materials. Especially, I am obliged to thank Mrs Nguyen Nga for her assistance in her training and for supporting me with the Endnote software and ProQuest database, which helped me a lot in my thesis.

Last, though by no means least, I am greatly indebted to my family, whose love and consistent support has kept me on the right track. My results and this thesis are dedicated to my parents, who believe in me and who sacrificed so much to raise me.

Table of Contents

Table of Contents
List of Figures
Chapter Introduction
    Motivation
    Objective
    Methodology
    An Overview of the Rest of the Document
Chapter Background Knowledge
    History of Online banking
    Development of Online banking
Chapter Characteristics of Online Banking
    Advantages of Online banking
        Benefits for customers
        Benefits for banks
    Disadvantages of Online banking
        Customers' perspective
        Banks' perspective
Chapter Online Banking Security System
    Overview about Online banking system
    Perspective of Online banking security system
        Customers' perspective of security in Online banking systems
        Technical perspective of security in Online banking systems
    Security rules for customers
Chapter Case Study
    Techcombank - The first bank in Vietnam adopting two-factor authentication for Online banking
    Techcombank's background
    Techcombank's Online banking services
    Techcombank's adoption high technology in security system
        Two-factor authentication
        Secure Socket Layer-SSL
Chapter Conclusion
    Findings of the thesis
    Limitations
    Future Work
References

List of Figures

Figure Preferred banking method (all age groups)
Figure Preferred Banking Method 0 0
Figure Percentage of Internet Users Who Bank Online
Figure Online Banking adoption varies across Europe
Figure Online banking grows - usually, but not always at the expense of branch visits
Figure Growth in Internet Banking
Figure Percentage of bank with Internet banking services in Vietnam 0 0
Figure Processing Cost Per Transaction
Figure Household Income Level and Online Banking (2 0 )
Figure 10 Vietinbank Online Banking
Figure 11 Vietcombank Online Banking
Figure 12 HSBC Online Banking - System-initiated information
Figure 13 HSBC Online Banking - Security code by Token
Figure 14 HSBC Online Banking - Successfully login
Figure 15 E-Token
Figure 16 Industrial and Commercial Bank of China (ICBC)'s Code Card
Figure 17 Entrust Grid Card
Figure 18 Physiological characteristics
Figure 19 Physical characteristics
Figure 20 Two-factor Authentication "Something you know" + "Something you have"
Figure 21 SSL certificate of VietcomBank
Figure 22 Secure Socket Layer Connection
Figure 23 Secure Socket Layer
Figure 24 Public-Key Infrastructure
Figure 25 Techcombank Token Key
Figure 26 Techcombank with VeriSign's EV SSL Certificate

Chapter Introduction

The advent of the Internet led to changes in business that we can call revolutionary. This revolution has touched every aspect of people's life. Since the first mainframe computers appeared in the 1960s (Robertson 2009), computers and networks have developed a lot. They make the world smaller and make transactions possible everywhere. The fast advancing global information infrastructure (including information technology and computer networks such as the Internet and telecommunications systems) enables the development of electronic business at a global level. The nearly universal connectivity which the Internet offers has made it an invaluable business tool. This fast emerging economy is bringing with it rapidly changing technologies, increasing knowledge intensity in all areas of business, and creating virtual supply chains and new forms of business and service delivery channels.

E-banking is considered a typical example of an e-business solution. In the definition of Turban et al (2008, p.120), "e-banking also known as cyber banking, virtual banking or home banking, includes various banking activities conducted via the Internet from home, business, or on the road rather than at a physical bank location". E-banking provides customers with many types of services, like Online (Internet) Banking, Point of Sale (POS), Automatic Teller Machine (ATM), Telephone Banking, Home Banking/PC Banking, Interactive TV, Wireless communication network or M (mobile) Banking (SMS Banking, WAP Banking, STK (Sim Toolkit) Banking). Despite the fact that many of them have been mainly deployed in developed countries because of the requirement of advanced technology, Online banking is one of the exceptions. Online banking has not only been embraced in the developed world; it is becoming an enabling feature of business growth in the developing world.

In its very basic form, e-banking can mean the provision of information about a bank and its services via a homepage on the World Wide Web (WWW), for example: importing bank statements, retrieving account balances. More sophisticated Online banking services provide customers with access to accounts, the ability to move their money between different accounts, and making payments or applying for loans
via e-channels, and even investing Online (buying/selling shares and mutual funds) (Shah & Clarke 2009).

It can be said that Online banking has in recent years become a mainstream Internet activity. At present, it is holding steady, increasing at the same pace as Internet usage. From the latest figure announced by the American Bankers Association below, it cannot be denied that among all kinds of banking method, the Internet is the one that is preferred most.

[Figure: Preferred banking method (all age groups). Series: Internet banking, Branches, ATM, Mail, Telephone, Mobile, Unknown. Source: American Bankers Association 2009]

... been continuously upgrading it to provide customers with the best products and services for Online banking (Techcombanknews 2009). Particularly, F@st i-banking and F@st e-banking, two categories of Online banking services that Techcombank offers customers, provide many products based on high technology, while F@st S-bank provides services on account management for securities investors and F@st Vietpay is an electronic payment gateway providing Online payment for e-commerce websites. In March 2008, the Techcombank Visa Credit card was launched, and in May it launched the Cash Deposit machine (ADM), which helps customers put money directly into accounts without going to the branches of this bank.

Up to now, Techcombank has been awarded many prizes for its services and development. On the official website of Techcombank, one can easily find many awards that were proudly given to Techcombank. One of them is "Top Trade services 2007", an award given by the Ministry of Industry and Commerce for typical enterprises operating in trade services that Viet Nam committed to implement on joining the WTO. Besides, in 2008, it received the Award of "the most satisfied Service in 2008", voted by readers of Sai Gon Tiep Thi magazine in February, and the Golden Star Award, given by the young enterprises association in September. It also received the award "reputed securities trademarks and the top Joint stock company of Vietnam", given by the securities committee. Typically, in the prize ceremony Vietnam Information Technology and Telecommunication 2008, Techcombank honorably received the award for the corporation with the most successfully applied information technology. It is a yearly award which the ministry of information and communication technology gives to encourage and make incentives for corporations with excellent application of information and technology in their operation. Techcombank is the only bank, until now, which was given this honor award.

Techcombank's Online banking services

Techcombank provides customers with a variety of types of services that are based on high technological techniques. F@st i-banking and F@st e-banking are two categories of Online banking services that Techcombank offers customers. F@st i-banking is just for individual customers, while F@st e-banking is for corporations. In this thesis, I focus only on the individual category. Apart from normal products like those of other banks (checking account balance and transactions, checking and controlling loans, savings, transferring inside and outside Techcombank's system), there are also many products that differentiate Techcombank. Services related to credit activities are the first one. If a customer has a loan from Techcombank, such as a normal loan or a loan for a young family, a loan for buying a house or a luxurious car, they can access internet banking to retrieve the loan's duration, maturity date, contract number, interest rate and the loan's transactions. All the complicated procedures that customers have to do in the brick and mortar banks are simplified to just some clicks. It is also a new feature of Techcombank when compared with other Vietnam banks. Normally, Online banking users check balance and information related to
their accounts only, not loans.

Another distinguished service is Online payment. It allows users to pay bills Online. However, the transactions can only be done with some certain partners of Techcombank, for example: electric bills for the HoChiMinh electric company, flight tickets with JetStar Pacific Airlines, assurance fees for the financial corporation Prudential Vietnam, or dealing with the debit of a debit card.

Last but not least is the Online saving service that has attracted the attention of the public recently. Using this product, a customer can access all information related to the savings accounts in Techcombank, including: total amount, interest rate, maturity date, duration. Especially, it also supports customers in opening Online savings accounts with very simple steps. This service is such a convenient one because sometimes customers only want to deposit a small amount. It would take them a lot of time to deal with the complex procedure in branch offices.

In conclusion, although there are some limitations in Techcombank's Online banking (fees for the basic and whole package for using the above services are quite high for individuals: registration fees 100.000 VND, Token key fees 400.000 VND and annual fees 100.000 VND (Techcombank 2009)), Techcombank's Online banking still receives high appreciation from customers for its variety of services, trustworthiness and reliability when they transact Online. It is illustrated in the many honor prizes that Techcombank has been awarded by the voting of the users.

Techcombank's adoption high technology in security system

Two-factor authentication

Techcombank is the first bank in Vietnam that has implemented a two-factor authentication (2FA) key token system using one-time passwords (RSA 2008). Apart from using their regular passwords as usual, customers are provided a one-time unique numeric password as a second layer of security.

According to Nguyen Duc Vinh, CEO of Techcombank, the bank is recognized as an innovator within the Asian banking industry, possessing one of the most advanced IT banking systems in Vietnam. In line with its market expansion plans and branding strategy, and with Vietnam's Internet penetration surpassing 16 million users in July 2007, provision for Internet banking was a natural development for Techcombank (Techcombank news 2009).

Techcombank surveyed and reviewed the 2FA offerings in the market. With the aim of giving customers peace of mind when banking Online, RSA, the Security Division of EMC, was chosen as the partner of Techcombank, which adopted the RSA SecurID® system in late 2006 because of its trusted brand name and proven fifteen-year experience in the 2FA token market. Besides, SecurID was selected because of its ease of use and because the RSA solution could be easily integrated into the Techcombank Online banking system (RSA 2008).

In July 2007, Techcombank has over 100,000 customers accessing services Online, with over 20% of these customers currently using the 2FA key tokens from RSA. The bank estimates that this number will quadruple by 2008. "We launched the SecurID 2FA Service in April, 2007 after a six month implementation period, which included the integration of the RSA solution into the internet banking application," said Nguyen (RSA, 2008 p.2).

[Footnote: RSA, The Security Division of EMC, provides Secure Data, Consumer Identity, Two-Factor Authentication Custom Applications, Consulting Assessment and other security solutions and services.]

When logging onto the Techcombank secured website for Online transactions, the customer's identity is verified using two factors: a standard password and the one-time six-digit numeric password generated by the RSA SecurID token. The token randomly generates this numeric password every seconds, thereby preventing fraudsters from
accessing customer accounts, because to do so they would need both the user-generated password and physical access to the SecurID token. The numeric password, used in conjunction with the customer's password, makes this an extremely strong and secure approach for Internet banking, and is in line with global best practices.

Figure 25 Techcombank Token Key

The RSA Security solution has helped the bank to improve customer satisfaction through the convenience of self-service capabilities. The token's rugged ability to handle accidental impacts, spills and shocks provides customers the reassurance that their token will function when required. From the bank's perspective, durability will help the bank reduce costs associated with replacing damaged tokens and prolong the token's life.

As a result of the RSA SecurID solution, Techcombank's F@st i-Bank Service launch has been extremely successful. It has built Techcombank's image as a leading, customer-focused technology bank specializing in secured Online practices.

Secure Socket Layer-SSL

Techcombank has selected the trusted provider of Internet infrastructure services for the networked world to provide Extended Validation SSL (EV SSL) Certificates for protection against Internet threats as more customers adopt Internet banking in Vietnam. As the most respected and trusted SSL authority on the Web, VeriSign is the EV SSL Certificate provider of choice for more than 10,000 Internet domain names, representing 74 percent of the entire EV SSL Certificate market worldwide. In fact, more than 95 percent of the Fortune 500 and 96 of the world's 100 largest SSL-using banks secure their sites with SSL Certificates sold by VeriSign (VeriSign 2009).

In an article on the official Techcombank website (2009) interviewing Mr Le Xuan Vu, Deputy General Director, he emphasizes that it is an important time in the development of Internet banking in Vietnam, and Vietnam banks
need to ensure the highest levels of security available to encourage adoption, build confidence and safeguard their customers from any potential Online threats. Using VeriSign's EV SSL will provide very important visual assurance to the customers that the Web site is a legitimate site (Techcombank 2009).

VeriSign's EV SSL Certificates will provide immediate visual cues to Techcombank's customers using the latest Web browsers that currently support EV SSL. The address bar turns green, a padlock icon appears next to the address, and a new field displays to the right of the URL in the browser. This field contains the name of the organization that owns the site as well as the security provider that issued the certificate, such as VeriSign.

[Figure 26: Techcombank with VeriSign's EV SSL Certificate]

References

Brogdon, C 1999, 'Banking and the Internet: Past present and possibilities', viewed at 29 September 2009, <http://www db.standford.edu/pub/gio/CS991/bankint'.html>

Card Technology Today 2008, 'US consumers wary of password security for eCommerce; smartcards to give peace of mind?', Card Technology Today, vol 20, no 4, p 1

Controller of the Currency Administrator of National Banks 1999, Internet Banking Comptroller's Handbook, Controller of the Currency Administrator of National Banks, viewed 29th September 2009,

Devlin, J 1995, 'Technology and Innovation in Retail Banking Distribution', International Journal of Bank Marketing, vol 13, no 1, pp 19-25

Ducker, P 2002, Managing in the Next
Society, Truman Tally Books, New York

Federal Financial Institutions Examination Council 2005, FFIEC Guidance: Authentication in an Internet Banking environment, Federal Financial Institutions Examination Council, viewed 15th October 2009, <http://www.ffiec.gov/pdf/authentication_guidance.pdf>

Fox, S & Beier, J 2006, 'Online Banking 0 0', Pew Internet, viewed 19th October 2009

Fox, S & Beier, J 2006, Online Banking 2006: Surfing to the Bank 1, Pew Internet, viewed 29th October 2009,

Industrial and Commercial Bank of China 2008, Online Bank Help, Industrial and Commercial Bank of China, viewed 13th October 2009, <http://www.icbc.com.cn>

Jain, A & Ross, A 2004, 'An introduction to biometric recognition, Circuits and Systems for Video Technology', IEEE Transactions, vol 14, no 1, pp - 20

Jayawardhena, C & Foley, P 2000, 'Changes in the banking sector - the case of Internet banking in the UK', Internet Research: Electronic Networking Applications and Policy, vol 10, no 1, pp 19-30

Jelassi, T & Enders, A 2005, Strategies for e-business: Creating Value through Electronic and Mobile Commerce, Concepts and Cases, Prentice Hall, New Jersey

Kartha, D 2009, 'Disadvantages of Internet Banking', Buzzle, viewed 28th October 2009, <http://www.buzzle.com/articles/disadvantages-of-internet-banking.html>

Maskowski, M 2007, 'Online Banking Secure - Information for Online User', Bankenverband, viewed 16th October 2009, <www.bankenverband.de/pic/.-./0711 online-banking-security.pdf>

Mols, N 1999, 'The Internet and the Banks' Strategic Distribution Channel Decisions', International Journal of Bank Marketing, vol 17, no 6, pp 295-300

Mols, N 1998, 'The Behavioral Consequences of PC Banking', International Journal of Bank Marketing, vol 16, no 5, pp 195-201

Meyer, T 2006, 'Online Banking: What we learn from the differences in Europe', Deutsche Bank Research, viewed 19th October 2009,

Perumal, V & Shanmugam, B 2004, 'Internet Banking: Boon or Bane?', viewed 17th October 2009, <http://www.arraydev.com/commerce/JIBC/200412/Perumal.HTM>

Ratha, N, Connell, H, & Bolle, M 2001, 'Enhancing security and privacy in biometrics-based authentication systems', IBM Systems Journal, vol 40, pp 614-634

Robertson, J 2009, 'IBM's Mainframe Policies Draw DoJ Scrutiny', viewed 4th Nov 2009, <http://www.ecommercetimes.com/story/68336.html>

RSA 2009, 'Case Study - Techcombank Vietnam', viewed 13th November 2009, EMC, <www.rsa.com/products/securid/success/TCB CP 1007-lowres.pdf>

Shah, M & Clarke, S 2009, E-banking Management: Issues, Solutions, and Strategies, Information Science Reference, New York

Steve, D 2008, 'Internet Banking Services', viewed 8th November 2009, <http://www.internetbankingguide.com/internet-banking-services/problems-with-internet-central-net-internet-banking-banking/>

Techcombanknews 2009, 'Techcombank Drives Internet banking Adoption with VeriSign® Extended Validation SSL Certificates', Techcombank, viewed 10th November 2009,

Walczuch, R, Braven, G, & Lundgren, H 2000, 'Internet Adoption Barriers for Small Firms in the Netherlands', Proceedings of the Americas Conference on Information Systems: Organization Track, 10-13 August 2000, Long Beach, California, pp 672-680

Warwich, F, & Micheal, S 2002, Secure Electronic Ecommerce, 2nd Edn, Prentice Hall, New Jersey, pp 21-31

Webinternetbanking 2009, 'Disadvantages of Online internet', viewed 19th November 2009, <http://www.webinternetbanking.com/disadvantagesinternetbanking.html>

Wing, B 1999, 'Using public-key infrastructures for security and risk Management', IEEE Communications Magazine, vol 37, no 9, pp 71-73

Winne, C 0 0, 'An Evaluation of Internet Banking in New Zealand', paper presented at the 35th
Hawaii International Conference on System Science, Hawaii, 7-10th January

Zhang, Y 2008, 'An Empirical Study on the relationship between identity-checking steps and perceived trustworthiness in Online Banking System Use', paper presented at the 7th International Conference on Applications and Principles of Information Science, Orlando, Florida, USA, 10-13th July

... can access any information regarding their accounts and transactions any time of the day because they are never close, available 24 hours a day, seven days a week, 365 days a year. This means...

... of Online banking in the world, and in Vietnam in particular. Find out what are the advantages and disadvantages of Online banking to customers and bankers. Assessing security issues...

... during any operation such as after transferring money, checking balances and so on. Availability ensures that the customer can access their account and check the information anytime and anywhere
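
The two-factor login check described in the Techcombank case study (a standard password plus a one-time six-digit token code) can be shown from the bank server's side; this is an added example, not code from the thesis, Techcombank or RSA. SecurID's algorithm is proprietary, so the example substitutes the open HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1), and the 60-second interval, the clock-drift window and all names are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # assumption: the page does not give the token's refresh interval
DIGITS = 6         # the page describes a six-digit numeric password
DRIFT_STEPS = 1    # assumption: tolerate one interval of clock drift each way


def token_code(seed: bytes, unix_time: int) -> str:
    """Code shown by the token during the interval containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginVerifier:
    """Server side: both factors must pass, and each code is accepted only once."""

    def __init__(self):
        self.users = {}

    def enroll(self, name, password, salt, seed):
        self.users[name] = {"salt": salt, "pw": hash_password(password, salt),
                            "seed": seed, "last_step": -1}

    def verify(self, name, password, code, now):
        user = self.users.get(name)
        if user is None:
            return False
        pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw"])
        current = now // STEP_SECONDS
        matched = None
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= user["last_step"]:
                continue  # a used or older interval: rejects replayed codes
            expected = token_code(user["seed"], step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if pw_ok and matched is not None:
            user["last_step"] = matched  # burn the interval only on full success
            return True
        return False


def demo():
    """Constructed scenario: one customer, logins at chosen timestamps."""
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226 test key)
    v = LoginVerifier()
    v.enroll("alice", "correct horse", b"constructed-salt", seed)
    good = token_code(seed, 120)
    return {
        "both factors": v.verify("alice", "correct horse", good, 125),
        "replayed code": v.verify("alice", "correct horse", good, 130),
        "stolen password only": v.verify("alice", "correct horse", "000000", 200),
        "stolen code only": v.verify("alice", "guess", token_code(seed, 200), 200),
        "stale code": v.verify("alice", "correct horse", token_code(seed, 200), 400),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first login in `demo()` is accepted; the other four cases show why a captured password, a captured code, or a code from an earlier interval is not enough on its own.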

Date posted: 03/10/2021, 20:50