Sunday, May 9, 2010

Future of E-banking


With security and privacy issues resolved, the future of electronic banking can be very prosperous: a system where users interact with their banks “worry-free” and banks operate under one common standard. For banks, adopting newer technologies and upgrading existing core banking solutions will be necessary to stay ahead of the game. This is aimed at addressing issues such as real-time responses to customer enquiries via different channels, and multi-channel management and coordination. Moreover, faster deployment of technology to enhance bank operations can be achieved through:
Infrastructure: Hardware, data storage, integration of business processes and security systems
Communication: use of voice systems, Mobile/PDA software, instant messaging
Trading systems: greater use of electronic trading software, equities systems.

In conclusion, the speed and impact of the ICT evolution is a practical proof of Say’s Law, which states that supply creates its own demand. Successful application of ICT within the banking sector is not just a question of the technology deployment per se, but rather how effectively the banks manage the ICT infrastructure and align it with the business objectives.

Is Online Banking Safe?

Today, the security of information may be one of the biggest concerns for Internet users. Most attacks on online banking are based on deceiving the user in order to steal login data and valid TANs (Transactional Access Number). Two well-known examples of such attacks are phishing and pharming. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. As phishing is no longer as effective as it once was, fraudsters have developed “pharming,” which is more difficult to detect. Pharming redirects users to fake sites when they try to access legitimate websites: a customer logs on, often using an address stored in his or her "favorites" folder, to what looks like a familiar internet banking site and is redirected to a fraudulent one. Cross-site scripting, key loggers and Trojan horses can also be used to steal login information. The most recent kind of attack is the so-called Man-in-the-Browser attack, where a Trojan horse permits a remote attacker to modify the destination account number and also the amount of a transaction.

In August of 1995, Citibank had problems with outsiders breaking into its system. A $10 million computer fraud against Citibank was the first successful penetration by a hacker into a system that transferred trillions of dollars a day around the world. Of the $10 million illegally transferred, $400,000 was never found. Many banking experts had predicted that such break-ins were bound to occur once banking business was being done electronically at a time when more sophisticated personal computers were available. The Citibank $10 million break-in is one example of how vulnerable the system is to hackers, who have many different ways of trying to break in.

Basically, there are two different security methods for online banking.

The PIN/TAN system: In this system the PIN is a password used for the login, and TANs are one-time passwords used to authenticate transactions. TANs can be distributed in different ways; the most popular one is to send a list of TANs to the online banking user by postal letter. The most secure way of using TANs is to generate them on demand with a security token. These token-generated TANs depend on the time and on a unique secret stored in the security token. Usually online banking with PIN/TAN is done via a web browser over SSL-secured connections, so no additional encryption is needed.
Signature-based online banking: In this system all transactions are digitally signed and encrypted. The keys for signature generation and encryption can be stored on smartcards or any other memory medium, depending on the concrete implementation. Digital certificates are used against phishing and pharming, and the use of class-3 card readers is a measure to avoid manipulation of transactions by software in signature-based variants. To protect their systems against Trojan horses, users are advised to use virus scanners and to be careful with downloaded software or e-mail attachments.
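The two TAN distribution methods above, worked through as an added example in Go (this is not code from the original post or from any bank's system). The postal TAN list is a numbered list where each entry may be used once; the token TAN is derived from a secret shared between token and bank plus the current time. The 30-second time step, six-digit length, HMAC-SHA256 construction and all names (tokenSecret, TANVerifier, TANList) are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed example secret; a real token holds a unique secret provisioned by
// the bank that never leaves the device.
var tokenSecret = []byte("constructed-example-token-secret")

const tanStep = 30 * time.Second // assumed: a new TAN every 30 seconds

// timeStep maps wall-clock time to the counter the TAN is derived from.
func timeStep(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(tanStep/time.Second)
}

// tanForStep derives a six-digit TAN from the secret and a time step with
// HMAC-SHA256 and dynamic truncation (assumed construction).
func tanForStep(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // offset chosen by the digest's last nibble
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// GenerateTokenTAN is what the customer's token displays at time t.
func GenerateTokenTAN(secret []byte, t time.Time) string {
	return tanForStep(secret, timeStep(t))
}

// TANVerifier is the bank side: it shares the secret, tolerates a little clock
// skew, and never accepts a TAN for the same time step twice.
type TANVerifier struct {
	secret []byte
	window int             // time steps of skew tolerated in each direction
	used   map[uint64]bool // time steps whose TAN has already been accepted
}

func NewTANVerifier(secret []byte, window int) *TANVerifier {
	return &TANVerifier{secret: secret, window: window, used: map[uint64]bool{}}
}

// Verify reports whether tan is valid at time now; on success the matching time
// step is consumed, so a TAN captured by a key logger cannot be replayed.
func (v *TANVerifier) Verify(tan string, now time.Time) bool {
	centre := int64(timeStep(now))
	for i := -v.window; i <= v.window; i++ {
		step := uint64(centre + int64(i))
		if v.used[step] {
			continue
		}
		if hmac.Equal([]byte(tanForStep(v.secret, step)), []byte(tan)) {
			v.used[step] = true
			return true
		}
	}
	return false
}

// TANList models the postal TAN list: numbered entries, each usable once.
type TANList struct {
	tans []string
	used []bool
}

func NewTANList(tans []string) *TANList {
	return &TANList{tans: tans, used: make([]bool, len(tans))}
}

// Use consumes entry n (1-based, as numbered on the letter) if tan matches it.
func (l *TANList) Use(n int, tan string) bool {
	i := n - 1
	if i < 0 || i >= len(l.tans) || l.used[i] || !hmac.Equal([]byte(l.tans[i]), []byte(tan)) {
		return false
	}
	l.used[i] = true
	return true
}

func main() {
	now := time.Now()
	tan := GenerateTokenTAN(tokenSecret, now)
	v := NewTANVerifier(tokenSecret, 1)
	fmt.Println("token TAN:", tan, "first use:", v.Verify(tan, now), "replay:", v.Verify(tan, now))
}
```

The one-time property is what defeats a phisher or key logger that captures a TAN: the verifier marks the time step (or list entry) as used, so the captured value is worthless a moment later. Note the caveat the text's Man-in-the-Browser description implies: a TAN that depends only on time and the secret says nothing about which transaction it authorises, so malware that rewrites the payee and amount after the customer has entered a valid TAN is not detected by this scheme alone.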

Risk Management - An Imperative Objective


Managing the risks and implementing controls for Internet banking is an imperative objective for banks. The most dangerous thing is to treat these risks as a purely technical problem and leave them to IT management. The board and senior management of banks should establish effective management control over the risks associated with e-banking activities. Senior management should ensure that they do not engage in e-banking projects unless they have the necessary technical and risk management oversight expertise at all levels. They should set the tone in managing risk by establishing key delegations and reporting mechanisms, separation of duties and escalation procedures. Management should set up a formal risk assessment process in the organization and should ensure that ongoing due diligence and risk analyses are performed as the bank initiates or expands Internet banking activities. Security controls also need special attention from management because of the open nature of the Internet and the pace of technological change. The specific focus areas that will enhance Internet security include the following: authentication, nonrepudiation and segregation of duties.

Authentication: This means ensuring customers are verified and their identities established before conducting business over the Internet. Passwords, biometric methods, challenge-response systems and public key infrastructure are some of the ways of strengthening authentication. There is a growing trend towards single-sign-on applications, where the customer needs only a single ID to access his or her entire banking relationship.
Nonrepudiation: Banks should make certain that customers who transact on the Internet cannot later deny having originated the transactions. Using techniques like PKI (digital certificates), strong nonrepudiation can be achieved.
Segregation of duties: As in any traditional process, segregation of duties is vital to prevent perpetration of fraud by any individual.
Banks should ensure that there are appropriate measures to protect the data integrity of e-banking transactions, records and information. All e-banking transactions should generate clear audit trails, which should be archived. It is also vital to generate and protect records of customer instructions in a legally acceptable format. Management should strengthen information security controls to preserve the confidentiality and integrity of customer data by implementing methods such as firewalls, ethical hacking tests, and physical and logical access controls.
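The signature-based scheme from the "Signature-based online banking" paragraph and the nonrepudiation focus area above, worked through as one added example in Go (not code from the original post or from any bank). The customer's key signs the full transaction, the bank verifies it against the public key registered for the debited account, and a nonce stops the same signed instruction being submitted twice. Ed25519, the JSON canonical form, and every name here (Transfer, Bank, NewCustomerKeyPair, NewNonce) are assumptions for the illustration; the smartcard key storage the text mentions is simulated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Transfer is the instruction the customer authorises. Every field the customer
// cares about is part of the signed data, so none can be altered afterwards
// without invalidating the signature.
type Transfer struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Nonce       string `json:"nonce"` // fresh per transaction so an old signature cannot be resubmitted
}

// canonical returns the exact bytes that are signed and verified; json.Marshal
// emits struct fields in declaration order, so both sides produce the same bytes.
func (t Transfer) canonical() ([]byte, error) { return json.Marshal(t) }

// SignedTransfer is what the customer's client sends to the bank.
type SignedTransfer struct {
	Transfer  Transfer
	Signature []byte
}

// NewCustomerKeyPair stands in for key generation on the customer's smartcard
// (assumed); in practice the private key never leaves the card.
func NewCustomerKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewNonce draws a random 16-byte nonce, hex encoded.
func NewNonce() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]), nil
}

// SignTransfer signs the canonical form of t with the customer's private key.
func SignTransfer(priv ed25519.PrivateKey, t Transfer) (SignedTransfer, error) {
	msg, err := t.canonical()
	if err != nil {
		return SignedTransfer{}, err
	}
	return SignedTransfer{Transfer: t, Signature: ed25519.Sign(priv, msg)}, nil
}

// Bank is the verifying side: it holds the public key registered (certified)
// for each account and remembers the nonces it has already accepted.
type Bank struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// RegisterKey binds a customer's public key to their account at enrolment.
func (b *Bank) RegisterKey(account string, pub ed25519.PublicKey) { b.keys[account] = pub }

// Accept verifies the signature against the key registered for the debited
// account and rejects replays. A transfer that verifies is evidence the customer
// authorised exactly these details, which is the nonrepudiation property.
func (b *Bank) Accept(st SignedTransfer) error {
	pub, ok := b.keys[st.Transfer.FromAccount]
	if !ok {
		return fmt.Errorf("no registered key for account %s", st.Transfer.FromAccount)
	}
	msg, err := st.Transfer.canonical()
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, st.Signature) {
		return errors.New("signature does not match the transaction details")
	}
	if b.seen[st.Transfer.Nonce] {
		return errors.New("transaction already processed (replay)")
	}
	b.seen[st.Transfer.Nonce] = true
	return nil
}

func main() {
	pub, priv, _ := NewCustomerKeyPair()
	bank := NewBank()
	bank.RegisterKey("ACCT-CUSTOMER", pub)
	nonce, _ := NewNonce()
	st, _ := SignTransfer(priv, Transfer{FromAccount: "ACCT-CUSTOMER", ToAccount: "ACCT-PAYEE", AmountCents: 12500, Currency: "EUR", Nonce: nonce})
	fmt.Println("genuine:", bank.Accept(st))
	tampered := st // malware in the browser rewriting payee and amount after signing
	tampered.Transfer.ToAccount, tampered.Transfer.AmountCents = "ACCT-OTHER", 500000
	fmt.Println("tampered:", bank.Accept(tampered))
	fmt.Println("replay:", bank.Accept(st))
}
```

Because the payee and the amount are inside the signed bytes, the Man-in-the-Browser modification the text describes earlier produces a signature mismatch at the bank instead of a fraudulent transfer; the class-3 reader the text mentions exists so that the customer sees those details on trusted hardware before the card signs them. The archived SignedTransfer also serves the audit-trail requirement: the bank can later show a third party that only the holder of the registered key could have produced it.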

The senior management of banks should also establish effective Legal and Reputational Risk Management in the following ways:

Privacy: To protect customers' privacy, banks should articulate a privacy policy and communicate it to customers. Customers must be given opt-out options, and great care must be exercised before sharing customer information with outside entities. If customers are from a different jurisdiction, the strongest privacy law may apply.
Availability: Banks should have business continuity and contingency planning processes to help ensure continuous availability of Internet banking services. This is challenging because of the potential for high transaction volume and the demand for 24-hour, seven-day-a-week availability.
Incident response: Banks should also formulate appropriate incident response plans to detect, manage, contain and minimize problems arising from internal and external attacks. There should be clear escalation paths, a communication strategy for customers and the press and a documented chain of command. Finally, there should be a process for collecting and preserving forensic evidence after an adverse event.

Risk management of e-banking should be incorporated within the existing risk management disciplines in the organization and new control procedures should be implemented with rapid changes in technology.

E-banking risks


Many researchers expect rapid growth in customers using online banking products and services. The challenge for banks is to make sure the savings from Internet banking technology more than offset the costs and risks associated with conducting business in cyberspace. The unprecedented speed with which new technologies are being adopted, the ubiquitous and global nature of electronic networks, the integration of e-banking platforms with legacy systems and the increasing dependence of banks on third party information service providers, all dramatically amplify the magnitude of risks to which banks are exposed. Internet banking does not open up new risk categories, but rather accentuates the risks that any financial institution faces. These are some of the risks that are facilitated by internet banking:

· Strategic risk
· Transaction risk
· Compliance risk
· Reputation risk
· Information security risk
· Credit risk
· Interest rate risk
· Liquidity risk
· Price risk
· Foreign exchange risk

Spurred by competitive and peer pressures, banks may seek to introduce or expand Internet banking without an adequate cost-benefit analysis, and the organization's structure and resources may lack the skills to manage it; this leads to strategic risk. Most Internet banking platforms are new platforms that use complex interfaces to link with legacy systems, thereby increasing the risk of transaction errors. Third-party providers also increase transaction risk, since the organization does not have full control over a third party. Compliance risk is amplified when the customer, the bank and the transaction are in more than one country. Reputation risk arises because a bank's reputation can be damaged by Internet banking services that are poorly executed, for instance through limited availability, buggy software and poor response times. Information security risk is the risk to earnings and capital arising from lax information security processes, which expose the institution to malicious hacker or insider attacks, viruses, denial-of-service attacks, data theft, data destruction and fraud. Internet banking also leads to credit risk, as it enables customers to apply for credit from anywhere in the world and makes it extremely difficult for the bank to verify the customer's identity. Because it is easy to compare rates across banks, pressure on interest rates is higher, accentuating the need to react quickly to changing market rates; this is interest rate risk. Liquidity risk is the risk to earnings or capital arising from a bank's inability to meet its obligations. Banks may be exposed to price risk if they create or expand deposit brokering, loan sales or securitization programs as a result of Internet banking activities. Lastly, Internet banking also gives rise to foreign exchange risk, as it encourages residents of other countries to transact in their domestic currencies.