e banking l.
Skip this Video
Loading SlideShow in 5 Seconds..
E - BANKING PowerPoint Presentation
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 28

E - BANKING - PowerPoint PPT Presentation

  • Uploaded on

E - BANKING By Pritam Potnis Mahesh Narayan Why E-Banking

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'E - BANKING' - emily

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
e banking



Pritam Potnis

Mahesh Narayan

why e banking
Why E-Banking
  • Over the past decade, the financial services industry has been experiencing dramatic changes from consolidation, the maturation of focused competitors, the erosion of boundary-defining regulatory constraints brought about by technology. With the emergence of ATMs and telephone voice response, the Internet offers a new banking distribution channel.
  • Cost benefits aside, two key market forces are driving banks to provide on-line services:

• Push - competing for deposits forces banks on-line

• Pull - customers are becoming more sophisticated, have more options and are demanding more services

  • But the main issue that bothers everyone is security. By overcoming the security concerns of hesitant customers and retaining existing customers banks can maximize the number of customers utilizing its lowest cost channel and effectively raise the overall market share.
how do i go about building an e banking website
“How Do I GO About Building an E-Banking Website?”
  • Building a finance portal is a complex project, involving a variety of activities from web design to enabling online banking transactions to content management.
how do i go about building an e banking website5
“How Do I GO About Building an E-Banking Website?”

Generally identified are the following four components:

  • 1)   The User Interface

Navigation refers to the websites ease-of-use.

Performance of the website is a technology-driven issue, ensuring that even a customer with a low-speed Internet connection can get information/conduct a transaction in a reasonable amount of time.

2)   Contents & Services

Contents & Services comprises the information (stock quotes or market information), interactions (chat or calculation tools) and transactions (banking or brokerage) the customer can obtain or conduct on the website.

  • 3) Backend/Transaction

Interface for connecting the bank's legacy systems to handle online transactions;

Integration of the online products & services with the bank’s existing

business processes.

4) Enabling Functions.

Include partner management, marketing, and quality assurance.

ok i built the website but how do i make it secure

The industry has identified many categories that are

potentially dangerous or risky for E-Banking websites

  • Physical Attempts to Gain Control
  • Electronic Attempts to Gain Control
  • Execution of Arbitrary Code
  • Spoofing
  • Eavesdropping
  • Denial of Service
  • Exploitation of User by Site
  • Exploitation of Data Subjects
serious damages caused due to security breaches in the system
Serious Damages Caused due to Security Breaches in the System

Bank one provides users with a method to retrieve account

information via a standard web interface. While the customer is

presented a secure and encrypted page, the mechanics of the rest

of the system are implemented in such a manner that they make

easy the most typical attacks. The convenience that the system

provides the user is that it enables the user to store his account

number, which is usually a credit card or debit card number of the

account holder, on the local disk. By failing to de-select the option

“Save Access ID on this computer for future logins”, the user

allows the system to write account number information to cookie

files. In future transactions, this number is picked up from the file.

However, this presents a great deal of insecurity to the user

because the cookie is stored as a flat file.

Bank One Online puts Customer Account Information at Risk


Bank One Online puts Customer Account Information at Risk


  • All ‘userOption’ cookies must be destroyed, either by the client, or by the server when the client revisits.
  • User authentication should be more robust. This means longer PIN numbers. This might result in lesser convenience, but keeps attackers at bay.
  • Cookies used to store state information should be made unusable outside the area of the application.
  • Cookies intended to be transmitted only in encrypted channels should be marked as ‘secure’.
bypassing secure web transactions via dns corruption
Bypassing secure web transactions via DNS corruption

This example talks about some of the problems associated

with secure socket layers or SSL. While it is true that to

break a 64-bit encryption it takes two days, and that SSL

implements a 128-bit encryption, an intruder does not have

to break the encryption to get your account information.

Man-in-the-Middle attack

An intruder can replace the IP address of the bank with the IP of his

evil system in the DNS entry of the name server. When you type the

URL of the bank, the evil system returns its IP address to you and

also open a session with the bank at the same time. There is a

secure connection between user and the evil system, and between

evil system and the bank. The evil system forwards the bank page to

the user and the user page to the bank, and all the while, copies

critical user information to itself.

e banking websites must be careful of the following crimes
  • New Account Creation
  • Account Takeover
  • Use of chat-room information from a public list.
  • Site cloning
  • Hacking and cracking into a merchant database
  • Fraudulent Transactions
how do i prevent such crimes from taking place
How Do I Prevent Such Crimes from Taking Place?
  • Develop and publish a privacy policy.
  • Follow the privacy policy. Ensure that your employees are trained about the policy.

Monitor the privacy policy and your compliance. To this extent, appoint a security and privacy coordinator for your organization. Make that person's contact information known. Research and respond to any consumer complaints.

  • Store only data elements that you absolutely need to have. Maintaining a database with purchase and address information is fine to facilitate one-to-one marketing, but maintaining a database of payment information is not needed. Once the payment is completed, this data should be removed.
how do i prevent such crimes from taking place12
How Do I Prevent Such Crimes from Taking Place?

Verify that the payment system you implement (even when outsourcing) deletes temporary data files with payment records and that the outsourcing entity has strict security and privacy policies as well.

Make certain server log files do not inadvertently store customer payment information. 

  • Compartmentalization of access to payment systems. All employees don’t need to have access to databases or payment application software.
  • Monitor employees who have access to sensitive data or payment systems. Perform spot-checks and verify that they are working within the scope of their jobs.
how do i prevent such crimes from taking place13
How Do I Prevent Such Crimes from Taking Place?

Immediately report any security breach or loss of computer systems to police.

Only ask customers for information that is absolutely necessary to complete the transaction.

Encrypt sensitive data, like credit card account data, in databases. Encrypting uses cryptographic methods to scramble data so that only an authorized application in possession of a special key can read the data.

§Manage encryption keys. This includes all key management best practices, including obsolescence of keys and re-issuance of keys.

role of privacy and security policies
Role of Privacy and Security Policies

Privacy and security policies are important

steps in protecting consumers from fraud.

Companies should have both privacy and

security policies to ensure that there are clear

rules to which the company and its employees

adhere and that consumers understand the

operations of a company with which they

choose to do business. Developing a good

privacy policy helps a company examine and

analyze its own information practices.

some future trends in banking and trading paradigms
Some future trends in banking and trading paradigms:

Today’s banking and trading institutions realize that they must

graduate from online services to wireless services. They are also

realizing that inertia in these areas, i.e. a resistance to change may

result in large amount of losses to these institutions. Additionally,

wireless banking may become the need of the hour of the end

customer. Though this entails surmounting of many technological

impediments, it nevertheless is a potential way of things working in


Unlike online services, where the end user is connected to

the Internet through a standard TCP/IP connection from a PC, in a

wireless connection, there are many more challenges. In wireless

services, airwaves are the main carriers of data, and the physical

location is of paramount importance in ensuring good quality of


likely vital statistics in future
Likely Vital Statistics in future

The Gomez research institute estimates that the number of people

using internet and wireless services will increase from 8 million in

1998 to 40 million in 2003. This presents vendors with a

tremendous opportunity for growth and business.

A research by Jupiter Communications says that approximately 140

million people in the U.S will be having non-PC wireless access by

2003, while there will be 155 million landline PC accesses. This

means that the non-PC access will grow to 65% of the wire line PC

access within the next three to four years.

According to Forrester research, approximately 120 million

Europeans already use mobile phones, exchanging more than two

billion wireless text messages each month. Forrester predicts that

by 2003, nearly one third of the population of Europe will be

accessing wireless services. 90 percent of the 50 e-commerce executives interviewed by Forrester plan to launch websites that

are wireless accessible.

likely vital statistics in future17
Likely Vital Statistics in future

A major banking institution claims that having an online

banking customer base of 3 million, which represents more

than 20 percent of its customer base, continues to sign up

approximately 130,000 people for online banking ever month.

Additionally, 750,000 people signed up for the bank’s

electronic billing and payment service, and the total dollar

value of payments processed grew by 36%.

GartnerGroup predicts that by 2004, 8 percent of new

applications for consumer use will permit access from mobile

clients. GartnerGroup also estimates that more than 60 million

employees worldwide working outside the traditional office


components of a wireless system
Components of a wireless system

Handheld Devices

Connectivity, Coverage

and Gateways

Middleware processing



API connection

Data System Backend


components of wireless system
Components of wireless system

Handheld Devices:

The different kinds of equipment that qualify for listing under this category

are: Thin client devices, palm pilots, workpad, two way paging devices like

RIM, smart phones and WAP phones. Each of these devices uses their own

gateway to communicate with application servers. Since each device has its

own method of formatting and presenting data, the challenge for the

application server lies in sorting out these devices and sending data to

each of these devices in a manner compatible to their representation.

Connectivity, Coverage and Gateways:

The handheld device accesses a local cell tower that is responsible for

delivering local geographical coverage in a certain region. The coverage is

segregated into hexagonal boundaries. The cell tower transmits the data to

a base station. The base station transmits the data to a mobile switching

center, which links all the base stations.

wireless middleware and transcoding
Wireless Middleware and Transcoding

The wireless application server is the workhorse of the whole

wireless system. This is the place where wireless data is controlled,

rules are set for data processing and configuration files are

executed. The application server ought to be open ended, so that it

can integrate with other systems. The most popular and prevalent

method of communicating with the backend systems is using XML.

Transcoding is the process of formatting data using XML, XSL style

sheets and DTD files. Formatting information or data in this

manner enables the user to view the data in a universal manner,

irrespective of the device used.

Managing Data

At the application server level, the handheld device ID and

the user ID are stored for verifying logins. Once a login

request is received, the application server will make a trip

to the database to verify the authenticity of the login. The

middleware database prepares and formats the data for the

device that requests the login. The application server will

also compare the registered device ID to the user ID for

additional verification

Pushing-Pulling Data

When the handheld device initiates communication, pull

technology is employed, where data is pulled from the

application server to the handheld device. On the contrary,

when the application serve has a control over the handheld

device, push technology is employed, in which case the

application server pushes data to the handheld device

without waiting for the device’s consent

Security in wireless banking

Double key secure authentication is most often used for

verifying access across different systems. This is where the

user will authenticate at two levels, the application server,

and also at the level of the financial system. Only when both

authentications agree is the user granted access. In a

double key secure scenario, all data paths traveled are

verified by using double key secure. Another popular

method authentication used is the Public-Private key


selecting the right vendor
Selecting the right vendor:

A trusted name with an ensured longevity.

The vendor must have tried and tested the product in the same or

in a related area of application.  

The testing and quality assurance of the product must be done as

early as possible to ensure proper functionality. New and evolving

systems must be backward compatible with existing backend


Management of all entities such as user definitions, events,

requests, and updates must be tested thoroughly

The vendor must have experienced and adequate technical


selecting the right vendor26
Selecting the right vendor

Contingency planning must be in place

The system must be device and network independent. The

application should be fully configurable with customizable screens

using the standard APIs. The application server must lend itself to

faster development and deployment.

There should be development tools to enable you to make changes,

add services, or deploy applications are crucial.

tips to succeed
Tips to succeed

Document all rules and procedures

Starting with high-level conceptual and visual design, set up the

application network as early as possible.

Run studies on bandwidth required to communicate between the

backend system and the middleware system and the gateways.

List the requirements and functionalities of users

Perform user analysis

Perform technical assessment

Hold frequent user group meetings

List business requirements

tips to suceed
Tips to suceed

Define functional requirements

Use standard APIs, like OFX and XML API

Measure performance and process requirements

Develop a delivery plan

Test APIs and architectural designs of the applications. Integrate with

the data source directly.

Start with a pilot

Fix bugs and fine tune system performance

Implement a full scale rollout