Sunday, May 9, 2010

Is Online Banking Safe?

Today, the security of information may be one of the biggest concerns for Internet users. Most attacks on online banking are based on deceiving the user in order to steal login data and valid TANs (Transactional Access Number). Two well-known examples of such attacks are phishing and pharming. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. As phishing is no longer as effective as it once was, fraudsters have developed "pharming," which is more difficult to detect. Pharming redirects users to fake sites when they try to access legitimate websites: a customer logs on, often using an address stored in his or her "favorites" folder, to what looks like a familiar internet banking site and is redirected to a fraudulent site. Cross-site scripting and key loggers/Trojan horses can also be used to steal login information. The most recent kind of attack is the so-called Man-in-the-Browser attack, where a Trojan horse permits a remote attacker to modify the destination account number and also the amount of a transaction.

In August 1995, Citibank had problems with outsiders breaking into its system. A $10 million computer fraud against Citibank was the first successful penetration by a hacker into a system that transferred trillions of dollars a day around the world. Of the $10 million illegally transferred, $400,000 was not recovered. Many banking experts predicted that such break-ins were bound to occur once banking business was done electronically at a time when more sophisticated personal computers were available. The Citibank $10 million break-in is one example of how such a system is vulnerable to hackers, who have many different ways of trying to break in.

Basically, there are two different security methods for online banking.

The PIN/TAN system: In this system the PIN serves as a password used for login, and TANs serve as one-time passwords to authenticate transactions. TANs can be distributed in different ways; the most popular is to send a list of TANs to the online banking user by postal letter. The most secure way of using TANs is to generate them on demand with a security token. These token-generated TANs depend on the time and on a unique secret stored in the security token. Usually online banking with PIN/TAN is done via a web browser over SSL-secured connections, so no additional encryption is needed.
Signature-based online banking: In this system all transactions are digitally signed and encrypted. The keys for signature generation and encryption can be stored on smartcards or on any other memory medium, depending on the concrete implementation. Digital certificates are used against phishing and pharming, and the use of class-3 card readers is a measure to prevent manipulation of transactions by software in signature-based online banking variants. To protect their systems against Trojan horses, users are advised to use virus scanners and to be careful with downloaded software and e-mail attachments.
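As an added illustration (not part of the original post), here is how a token-generated TAN of the kind described under the PIN/TAN system can be derived from the current time and a secret stored in the token, together with the bank-side check that enforces the one-time property. The secret, the 30-second step and the one-slot tolerance window are constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real token holds a per-device secret provisioned by the bank.
TOKEN_SECRET = b"demo-secret-provisioned-into-token"
STEP_SECONDS = 30      # assumed length of one time slot
TAN_DIGITS = 6
VALIDITY_SLOTS = 1     # assumed tolerance: accept one slot before/after to absorb clock drift


def tan_for_slot(secret: bytes, slot: int, digits: int = TAN_DIGITS) -> str:
    """Derive the TAN for one time slot: HMAC-SHA1 over the slot counter, truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset (0..15)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def generate_tan(secret: bytes, now: float) -> str:
    """What the security token displays: the TAN for the time slot containing 'now'."""
    return tan_for_slot(secret, int(now // STEP_SECONDS))


class TanVerifier:
    """Bank side: the TAN must match a slot near 'now' and must not have been spent already."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_slots = set()   # slots already consumed; this is what makes the TAN one-time

    def verify(self, tan: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for slot in range(current - VALIDITY_SLOTS, current + VALIDITY_SLOTS + 1):
            if slot in self.used_slots:
                continue                                   # replayed TAN: reject
            if hmac.compare_digest(tan_for_slot(self.secret, slot), tan):
                self.used_slots.add(slot)
                return True
        return False


if __name__ == "__main__":
    t = 1_700_000_000.0                                    # constructed "current time"
    bank = TanVerifier(TOKEN_SECRET)
    tan = generate_tan(TOKEN_SECRET, t)
    print("token shows:", tan)
    print("first use accepted:", bank.verify(tan, t))       # True
    print("replay accepted:", bank.verify(tan, t + 5))      # False: same slot already spent
```

A TAN from a list sent by post is checked the same way, except that the "slot" is simply the TAN's index on the list; the token variant adds the time dependency so that a captured TAN also expires.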
