
by Debojyoti Kumar
With the advent, rapid spread and acceptance of online banking systems, monetary thefts in the banking industry have spiked sharply.
Below are some excerpts on monetary theft from the online editions of various newspapers.
The Times of India
1 December 2015
A Mira Road couple believed to have fallen prey to debit card cloning after they found Rs 6.70 lakhs withdrawn from ATMs using their debit card over eight days in June-July.
An unidentified person used a 25-year-old man's ATM card to shop for goods worth Rs 1.32 lakhs at Satpati in Palghar district.
The Times of India
September 14, 2015
The total number of cyber complaints till August this year has already crossed the 199 mark. Last year, 350 complaints were registered while the number of cases was above 200 in 2012 and 2013 each.
Cyber crime expert Anshul Abhang said, "Banks have developed a system which takes 24 hours to transfer money to a new beneficiary added during any net banking transaction. Meanwhile, an SMS is sent to the account holder confirming the addition of the new beneficiary. If it is a transaction he is unaware of, he can immediately alert the bank."
Abhang said that most net banking frauds happen because users respond to phishing emails sent from fake email addresses. "The sender of email asks the account holder to update his credentials by clicking on a link, which then takes him to a fake website," he said.
"Bank frauds, on the other hand, fall in the niche category. A user is more likely to believe in an email sent in the name of his bank than falling prey to a lottery email," said Abhang.
The Trojan Threat
Symantec, a leading software security firm in the world, released new research on the Dyre Trojan this year which says that the trojan is now configured to defraud customers of more than 1,000 banks and other companies worldwide. Dyre is a sophisticated piece of malware, capable of hijacking all three major web browsers — Internet Explorer, Chrome and Firefox — to intercept banking credentials. Financial institutions in the US and the UK are most targeted, but India is not far behind with a 6th global rank and second in Asia.
"Dyre is mainly spread using spam emails. In most cases, the emails masquerade as business documents, voicemail or fax messages. If the victim clicks on an email attachment, they are redirected to a malicious website which will install the Upatre downloader on the computer. Upatre is one of the most popular download tools used by financial fraud groups. Upatre acts as a bridgehead on the victim's computer, collecting information about it, attempting to disable security software, and finally downloading and installing the Dyre Trojan," said Tarun Kaura, director of Technology Sales, India, Symantec.
Kaura said that Dyre is capable of using several different types of man-in-the-browser (MITB) attacks against the victim's web browser to steal credentials.
The Indian Express
21 April 2015
Another case of cyber crime in March has come to light and the victim is again a woman, like the previous case that reportedly took place the same month.
According to the woman who has filed a complaint with police, online transfer of money was carried out without her knowledge. Police have booked a suspect, who is believed to have called up the woman to get her to divulge information pertaining to the bank account to later transfer money without her consent.
The victim of the latest cyber crime is 33-year-old Sayara Pathan of Pimple Nilakh, who has registered a complaint with Sangvi police. Police, acting on her complaint, have booked Aman Kumar Gupta (a fictitious name suspected to have been used by the fraudster to evade detection). The cops have invoked section 420 (cheating) of the Indian Penal Code and sections of the Information Technology (IT) Act in the case. Assistant police inspector S V Gade is investigating the case.
Police said Sayara got a call from the man on her cell phone last month. He claimed to be a bank officer and asked for details of the ATM cards she had for her accounts with the State Bank of India and the Bank of Maharashtra.
She shared the information with him and he allegedly misused it to withdraw Rs 34,890 from her bank account without her consent through illegal online transactions. Police said the crime took place on March 16-17. Police suspect Aman Kumar Gupta is not the real name of the fraudster.
Earlier, in a similar case, another woman, Kalpana Mahajan (53), of Akurdi was cheated of Rs 1.1 lakh by unidentified online fraudsters. She lodged a complaint at Nigdi police station.
Police said a man claiming to be a bank officer called Mahajan on her cell phone on March 8, 2015. He asked Mahajan to part with personal information and details of her bank account. Using these details he allegedly transferred Rs 1.10 lakh from Mahajan’s account without her consent through illegal online transaction. Police said people should be aware of such fraudulent phone calls and avoid sharing personal details with anybody.
Police said anybody getting such calls should cross-check with bank officials whether the calls are authentic, before sharing personal information.
With the increase in banking on mobile phones and the internet, financial frauds in the system have also seen an uptick, says a survey on financial frauds in the financial sector by Assocham and PwC. The report said that financial frauds led to approximately $20 billion (Rs 1.26 lakh crore) in direct losses annually.
Business Standard
July 10, 2015
Cyber frauds on rise with increase in digital banking: Assocham-PwC
“Financial fraud is big business, contributing to an estimated $20 billion in direct losses annually. Industry experts suspect that this figure is actually much higher, as firms cannot accurately identify and measure losses due to fraud. The worst effect of financial frauds is on FDI (foreign direct investment) inflows into India,” said D S Rawat, secretary-general, ASSOCHAM.
With the rise in smartphones and younger and more digitally savvy populations, banks have been vying to get a larger share of the customer’s digital wallet. However, in this process, the banking applications by lenders are becoming increasingly vulnerable to risks such as phishing, identity theft, card skimming, etc.
“The Indian financial services sector has witnessed exponential growth in the last decade — a growth that has not been without its pitfalls, as incidents of fraud have also been on the rise. Fraud results in significant losses to the public exchequer, thus adversely affecting service delivery,” said the report.
The report states that currently, 74 per cent of the population has mobile phones and this has led to a steady rise in banking on the go. According to Reserve Bank of India data, the volume of mobile banking transactions has risen from around Rs 1,819 crore in 2011–12 to approximately Rs 1,01,851 crore in 2014-15.
“Whether it’s financial transactions, customer experience, marketing of new products or channel distribution, technology has become the biggest driver of change in the financial services sector. Most financial institutions are therefore insisting on cashless and paperless transactions,” the report said.
The most common types of fraud in the banking sector as of now include identity theft, internet banking related frauds such as hacking and online fraud, and siphoning of funds by obtaining the customer's data.
In addition to the types of fraud mentioned above, in some banking frauds bank employees themselves have been involved in carrying out the theft of money, as news reports found by searching the internet show. Adding to the agony is the rapid spread of terrorism across the world, which is supported by money laundering. These types of online banking fraud drew my attention, and I thought of a possible online banking process by which online banking can be comprehensively secured, so that every authentication and transaction step involved in the online banking system can be made absolutely fool proof and transactions can be tracked with absolute certainty. I am taking the privilege to publish the idea in electronic format.
The idea is as follows:
Online banking systems reduce the manual processing of customer services at banks. But such systems are not without grave insecurities. Logging in to a banking website from a device with a username and password and then performing core banking operations seems hassle free, but it can have grave consequences. It often happens that the username and password are saved on the device from which the customer logs in to the bank's online banking site, so the customer's credentials remain stored on that particular device.
Today, with smartphones, online transactions are an easily available way to access banking details and transfer money online. If a customer loses a smartphone on which the online banking credentials are saved, the account is at the mercy of whoever finds the phone.
Any customer performing online banking in a cyber cafe or on an office computer risks exposing his online banking credentials, and thereby risks his account falling into wicked hands. Even with the most strongly encrypted transaction processes the online transaction is not secure, as ill-intentioned cyber criminals can hijack the transaction session and alter the amount and, in particular, the account number of the receiving account. In light of these risks I am putting forward a suggestion to ensure secured online banking transactions for regular customers.
Firstly, for a particular customer opting for online banking transactions, the voice and the biometrics, including face recognition, have to be registered at the bank.
The bank can obtain retina and fingerprint identity confirmation from the UIDAI authorities based on the Aadhaar number provided in the KYC document; face and voice recognition compulsorily have to be registered with the bank separately against a particular customer id. The devices from which the online transactions of a particular customer will take place have to be registered with the bank and confirmed by the customer by voice recognition combined with face recognition, and/or by other biometric methods in combination with face recognition. Throughout the rest of the document the combination of voice and face recognition is represented by V&FR, and the combination of fingerprint and retina scan with face recognition is represented by Fg&Rt&FR.
In case of a change of device the customer has to notify the bank about the change in person by visiting the nearest branch, and must be authenticated there by means of biometrics and face recognition; only then can online transactions be allowed from the newly registered device, cancelling the previous one. A customer should be allowed to perform online banking transactions from a limited number of devices only, preferably restricted to two, and that limit should be mandatory. For mobiles the IMEI number can serve as the device identifier; for computers the MAC address of the network interface card (NIC) can serve as a unique identifier. That way it will be easy to monitor the transactions. The change of one registered device should be confirmed from the device in question by V&FR or Fg&Rt&FR after filling in a request at the nearest branch of the bank.
The change of both devices at the same time should be approved by the branch head or by the head of the department that looks after the online banking authentication process of the particular bank. In fact, a request to change both devices should be confirmed by performing both V&FR and Fg&Rt&FR authentication of the customer at a branch of the bank, under the supervision and attestation of the concerned authorities. Biometric and voice recognition confirmation should be obtained from the new devices as well. For mobiles, authentication should be obtained through a textual yes or no confirmation by SMS, combined with V&FR or Fg&Rt&FR authentication. For computers, the customer should be made to visit the bank's website, where on a particular web page a piece of software registers the MAC of the NIC, combined with V&FR or Fg&Rt&FR authentication, as confirmation of the new registration of the computer with the bank for online banking transactions.
Out of the two devices one has to be a mobile device (ideally a smartphone) for confirming banking transactions. The IMEI number of a mobile should be unique to one customer id. The MAC address of one registered computer can be held against the customer ids of the joint holders of an account, confirmed by the process mentioned above, or each customer id can have its own MAC authenticated by that process; but one MAC address has to be associated with only one account number of a particular bank. Any confirmed or failed transaction has to be reported to all the joint holders of the account by SMS to the registered mobile numbers and by email to the registered email addresses.
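The device registration rules above, as an added example in Python that is not the author's or any bank's code. It assumes that the change of one device is confirmed from the remaining registered device (the text does not say which device confirms), models the V&FR or Fg&Rt&FR confirmation and the in-branch verification as flags, and uses constructed customer ids, account numbers, IMEIs and MAC addresses.

```python
"""Device registration rules from the proposal, as a runnable model.

Added example, not the author's code: a registry that enforces at most two
registered devices per customer id, one of which must be a mobile, an IMEI
bound to a single customer id, and a NIC MAC bound to a single account number
(joint holders of that account may share it). Replacing one device needs a
confirmation from the other registered device, modelled here as a flag.
Customer ids, account numbers, IMEIs and MACs are constructed sample values.
"""
from dataclasses import dataclass, field

MAX_DEVICES = 2


@dataclass(frozen=True)
class Device:
    kind: str          # "mobile" (identified by IMEI) or "computer" (NIC MAC)
    identifier: str


@dataclass
class DeviceRegistry:
    devices: dict = field(default_factory=dict)      # customer id -> [Device]
    imei_owner: dict = field(default_factory=dict)   # IMEI -> customer id
    mac_account: dict = field(default_factory=dict)  # MAC -> account number

    @staticmethod
    def _has_mobile(devs):
        return any(d.kind == "mobile" for d in devs)

    def register(self, customer_id, account_no, device, verified_at_branch):
        """Add a device for customer_id. Returns (ok, reason)."""
        if not verified_at_branch:
            return False, "in-person biometric verification at a branch required"
        current = self.devices.setdefault(customer_id, [])
        if len(current) >= MAX_DEVICES:
            return False, "device limit reached; replace an existing device"
        if any(d.identifier == device.identifier for d in current):
            return False, "device already registered"
        if device.kind == "mobile":
            if self.imei_owner.get(device.identifier, customer_id) != customer_id:
                return False, "IMEI already registered to another customer id"
            self.imei_owner[device.identifier] = customer_id
        elif device.kind == "computer":
            if self.mac_account.get(device.identifier, account_no) != account_no:
                return False, "MAC already associated with another account"
            # The last free slot cannot go to a second computer:
            # one of the two devices has to be a mobile.
            if len(current) == MAX_DEVICES - 1 and not self._has_mobile(current):
                return False, "one of the two devices must be a mobile"
            self.mac_account[device.identifier] = account_no
        else:
            return False, "unknown device kind"
        current.append(device)
        return True, "registered"

    def _unbind(self, customer_id, device):
        self.devices[customer_id].remove(device)
        still_used = any(device in devs for devs in self.devices.values())
        if device.kind == "mobile":
            self.imei_owner.pop(device.identifier, None)
        elif not still_used:            # joint holders may still share the MAC
            self.mac_account.pop(device.identifier, None)

    def replace(self, customer_id, account_no, old_identifier, new_device,
                confirmed_from_other_device, verified_at_branch):
        """Swap one registered device for another; the other device confirms."""
        current = self.devices.get(customer_id, [])
        old = next((d for d in current if d.identifier == old_identifier), None)
        if old is None:
            return False, "no such registered device"
        if len(current) == MAX_DEVICES and not confirmed_from_other_device:
            return False, "change must be confirmed from the other registered device"
        self._unbind(customer_id, old)
        ok, reason = self.register(customer_id, account_no, new_device, verified_at_branch)
        if not ok:   # keep the old device when the new one is rejected
            self.register(customer_id, account_no, old, True)
        return ok, reason

    def ready_for_online_banking(self, customer_id):
        """Transactions need both devices registered, at least one a mobile."""
        current = self.devices.get(customer_id, [])
        return len(current) == MAX_DEVICES and self._has_mobile(current)
```

The registry keeps the three invariants from the text as separate lookups (device list per customer id, IMEI owner, MAC to account) so that each rejection reason is explicit; a customer with only one device, or with two computers, is never "ready", because there would be no mobile to confirm transactions from.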
Using only a username and password is a very vulnerable way of authenticating a customer. Irrespective of username or password, at the very start of an online banking transaction the customer must pass V&FR or Fg&Rt&FR authentication. If the identification fails, the authentication process should be aborted irrespective of the username or password. After successful authentication by this method, and after the online forms have been filled in, every fully completed request has to be affirmed from a device (such as a mobile number) by means of an SMS asking for confirmation in the form of a textual yes or no, showing the full details of the request along with a unique request id.
The device from which this confirmation will be asked of the customer is the second device (the device other than the one from which the customer initiated the authentication/login process). Every such transaction's unique id can begin with a unique combination of letters, and the id should be unique for every bank. Similarly, every confirmation SMS of an online banking transaction should begin with a uniquely identifiable alphabetic or alphanumeric combination that identifies the bank, and upon its receipt the internet data connection of the recipient device, if on, will be cut off automatically. This method has to be implemented through the service providers compulsorily. In addition to the confirmation by means of a textual 'yes' or 'no' from the second device, the SMS sent to the second (confirming) device should be capable of obtaining V&FR or Fg&Rt&FR authentication of the customer when asking for his confirmation. This could be a pre-installed MMS application recommended by RBI which gets invoked or activated upon receipt of the SMS by the second device and which is capable of capturing and encrypting the V&FR or Fg&Rt&FR authentication. In that way, if both devices fall into wicked hands, the final V&FR or Fg&Rt&FR authentication should act as a check confirming that the account is being accessed by the proper customer.
Because the first device has to be online through an internet connection, the importance of the second device lies in thwarting ill intentions such as the hijacking of the full transaction session initiated by the first device by a man-in-the-middle, who, upon hijacking the session, will be able to alter the amount and the recipient account number. In fact the man-in-the-middle will keep sending the correct figures to the customer, leaving the customer's original figures unchanged throughout the transaction, but will send manipulated data packets to the banking end by altering the packets in the middle. Such manipulators are even known to be capable of keeping the CRC of the data packets unaltered. So the customer won't even know about the manipulation until he checks his passbook statement or ATM statement, or tries to get confirmation from his intended recipient, and the banking process will have been fooled into the fraudulent transaction.
So only upon successful voice recognition from the confirming second device should the transaction proceed. It is to be made compulsory that the voice recognition will accept "yes proceed" or "no stop" combined with any other arbitrary words, which will not be predetermined.
Either of the two devices, if they are mobiles, can be allowed to be the initiator of the login/authentication process or the confirming device, but for each unique transaction the roles of the devices should be distinct.
The V&FR or Fg&Rt&FR authentication should be a compulsory criterion for online banking transactions.
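The second-device confirmation described above, including the case where a man-in-the-middle alters the amount or recipient between the first device and the bank, as an added Python example that is not the author's code. It assumes a constructed bank prefix XYZB, a sequential request counter, a constructed SMS layout, constructed account numbers and amounts, and that the voice step on the confirming device has already been transcribed to text; device identifiers are constructed as well.

```python
"""Second-device confirmation of an online transfer, with the tampered
(man-in-the-middle) case. Added example, not the author's code; the bank
prefix, request ids, account numbers, amounts and SMS format are constructed,
and the voice step on the confirming device is taken as an already
transcribed phrase."""
import itertools
import re
from dataclasses import dataclass

BANK_PREFIX = "XYZB"                     # constructed: unique prefix per bank
_request_counter = itertools.count(1)


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    amount_rs: int


def new_request_id():
    """Unique request id that begins with the bank's own prefix."""
    return f"{BANK_PREFIX}-{next(_request_counter):08d}"


def build_confirmation_sms(request_id, received):
    """Bank -> second device: the full details of the request *as the bank
    received them*, plus the request id, and a yes/no question."""
    return (f"{BANK_PREFIX} CONFIRM {request_id} FROM {received.from_account} "
            f"TO {received.to_account} AMOUNT Rs {received.amount_rs}. "
            f"Reply YES or NO.")


SMS_PATTERN = re.compile(r"^(?P<bank>[A-Z]+) CONFIRM (?P<rid>[A-Z]+-\d+) "
                         r"FROM (?P<src>\S+) TO (?P<dst>\S+) AMOUNT Rs (?P<amt>\d+)\.")


def parse_confirmation_sms(text):
    """Second device: accept only messages that carry this bank's prefix."""
    m = SMS_PATTERN.match(text)
    if m is None or m.group("bank") != BANK_PREFIX:
        return None
    return m.group("rid"), Transfer(m.group("src"), m.group("dst"), int(m.group("amt")))


def customer_text_reply(intended, shown):
    """The customer compares every field shown with what was typed on the
    first device; any difference means something changed it on the way."""
    return "YES" if shown == intended else "NO"


def parse_spoken_confirmation(transcript):
    """'yes proceed' / 'no stop' may be surrounded by arbitrary words. Anything
    else, or both phrases at once, is treated as a refusal."""
    t = transcript.lower()
    ok = re.search(r"\byes proceed\b", t) is not None
    stop = re.search(r"\bno stop\b", t) is not None
    return "proceed" if ok and not stop else "stop"


def confirming_device(registered, initiating):
    """Roles are fixed per transaction: the registered device that did not
    initiate the login is the one that confirms."""
    others = [d for d in registered if d != initiating]
    return others[0] if initiating in registered and len(others) == 1 else None


def bank_decides(text_reply, spoken_decision):
    """Both the textual reply and the spoken phrase must agree to proceed."""
    return "executed" if text_reply == "YES" and spoken_decision == "proceed" else "aborted"


def simulate(intended, tamper=None, transcript="yes proceed",
             registered=("IMEI-1", "MAC-1"), initiating="IMEI-1"):
    """End to end. `tamper` stands in for a man-in-the-middle altering the
    request between the first device and the bank."""
    if confirming_device(registered, initiating) is None:
        return "aborted"
    received = tamper(intended) if tamper else intended
    parsed = parse_confirmation_sms(build_confirmation_sms(new_request_id(), received))
    if parsed is None:
        return "aborted"
    _request_id, shown = parsed
    return bank_decides(customer_text_reply(intended, shown),
                        parse_spoken_confirmation(transcript))


if __name__ == "__main__":
    legit = Transfer("ACC-1001", "ACC-2002", 5000)
    print(simulate(legit))                                      # executed
    redirect = lambda t: Transfer(t.from_account, "ACC-6666", 50000)
    print(simulate(legit, tamper=redirect))                     # aborted
```

The point the model makes concrete is that the bank echoes back what it actually received, on a channel the first device's session does not control; a tampered amount or recipient therefore shows up on the second device even though the first device's screen still shows the customer's own figures, and the textual "NO" (or a missing "yes proceed") stops the transfer.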
The software responsible for V&FR or Fg&Rt&FR authentication should perform the scan live from the designated devices and transfer the data online; it must not collect the data from biometric scans, facial scans or voice recordings preserved as files on the registered devices. The time allowed for this authentication should be limited by an authentication time-out lifetime: every time, the customer has to complete his V&FR or Fg&Rt&FR authentication within that lifetime. Finally, confirmation of the success or failure of the transaction has to be provided by SMS to all the registered devices of the account.
With the advent of 4G services the V&FR or Fg&Rt&FR methods of authentication should be compulsory methods of authentication authenticating an attempt of online banking transaction.
Upon implementation of such methods, online banking transactions are likely to be less vulnerable to fraudulent attempts at monetary transactions by wicked or unauthorized persons. Updating the secure methods should be a relentless and constant effort for securing online banking transactions. The devices registered with the bank can also be hacked into and the files on them stolen.
For that very reason, the biometric software developed for performing customer authentication online must meet the aforesaid requirement of only live scanning, capturing and transfer of the biometrics and voice samples, and must not accept any files from secondary storage (such as HDD, SD memory cards, etc.). This, along with the registration of the devices with the bank, is the key to a successful implementation of genuine live online authentication for online banking transactions.
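The authentication time-out lifetime and the live-capture requirement from the two passages above, as an added Python example that is not the author's code. The biometric matcher is a constructed stand-in (a distance between short feature vectors and an enrolled template), the 60-second lifetime and the match threshold are assumed values, the "live_sensor" versus "file" source tag is an assumed attribute reported by the capturing application, and the clock is injected so that expiry can be exercised offline.

```python
"""Authentication time-out lifetime and live-capture requirement for the
V&FR / Fg&Rt&FR step. Added example, not the author's code. The matcher is a
constructed stand-in; the lifetime, threshold and capture source tag are
assumptions, and the clock is injected so the time-out can be tested."""
import math
import secrets
from dataclasses import dataclass

AUTH_TIMEOUT_SECONDS = 60          # assumed lifetime of one authentication challenge
MATCH_THRESHOLD = 0.5              # assumed distance threshold for the stand-in matcher
SUPPORTED_METHODS = ("V&FR", "Fg&Rt&FR")


@dataclass
class Challenge:
    nonce: str
    issued_at: float
    used: bool = False


@dataclass(frozen=True)
class Capture:
    nonce: str            # challenge nonce echoed by the capturing app
    method: str           # "V&FR" or "Fg&Rt&FR"
    source: str           # "live_sensor" or "file" (assumed tag from the app)
    features: tuple       # constructed feature vector from the scan


def distance(a, b):
    """Euclidean distance between two feature vectors (stand-in matcher)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class Authenticator:
    def __init__(self, clock, enrolled_templates):
        self.clock = clock                     # callable returning seconds
        self.templates = enrolled_templates    # method -> enrolled feature tuple
        self.challenges = {}

    def issue_challenge(self):
        """Start the authentication window for one attempt."""
        c = Challenge(secrets.token_hex(8), self.clock())
        self.challenges[c.nonce] = c
        return c

    def verify(self, capture):
        """Returns (ok, reason); each rejection maps to one rule in the text."""
        c = self.challenges.get(capture.nonce)
        if c is None:
            return False, "unknown challenge"
        if c.used:
            return False, "challenge already used (replay)"
        c.used = True    # one attempt per challenge, whatever the outcome
        if self.clock() - c.issued_at > AUTH_TIMEOUT_SECONDS:
            return False, "authentication time-out lifetime exceeded"
        if capture.source != "live_sensor":
            return False, "capture must come from the live sensor, not a stored file"
        if capture.method not in SUPPORTED_METHODS:
            return False, "unsupported method"
        template = self.templates.get(capture.method)
        if template is None or distance(capture.features, template) > MATCH_THRESHOLD:
            return False, "biometric mismatch"
        return True, "authenticated"


class FakeClock:
    """Injected clock so the time-out can be driven deterministically."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```

Marking the challenge as used before any other check means that a capture which arrives late, or from a file, burns the challenge rather than leaving it open for a second try; the customer simply starts a fresh attempt within a new window.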
All applications related to the online banking transactions should be developed by or approved and regulated by Institute For Development And Research In Banking Technology (IDRBT) established by Reserve Bank of India.
Along with the online method of banking transactions, the conventional methods (transactions by means of cheque, draft, etc.) should continue, as the very concept of an online banking transaction depends upon internet connectivity at both ends. When a customer opts for online banking transactions, the banks must not be allowed to discontinue or deny the conventional methods of transaction under any circumstances. Such denials should be treated as a criminal offence, and complaints related to such attempts should be strictly dealt with by RBI, with a show cause notice and very stringent penalties imposed upon the defaulting bank.
In case of loss of money by a customer through fraudulent transactions (online or conventional), RBI should look into every such complaint, investigate the lapses made by the banking authorities and order the bank to reimburse the customer's monetary loss. The Reserve Bank of India, being the regulatory body of the banks functioning in India, should increasingly look into the implementation of the most secure methods of account-related functioning, and should make biometric and voice based authentication, and additional methods similar to the aforesaid suggestion, mandatory for banks implementing online banking transactions.
While the whole idea of initiating and completing a banking transaction online can be made to happen using a single mobile phone, the usage of two devices only makes the whole process more secure. I had put forward the aforesaid idea to the Banking Ombudsman, Kolkata and Mumbai, of RBI, as well as to several persons at the Institute For Development And Research In Banking Technology (IDRBT), in the month of October 2015 via email. I thank the Admin of Indian Defence News for allowing me to express my idea over the internet for making the online banking system comprehensively fool proof. I hope that with the passage of time, progress in research and improvement in encryption and the online banking process, the banking system is only going to get better and fraud proof.
Debojyoti Kumar is an avid Defence enthusiast and a great IDN fan. This interesting piece was written by him exclusively for IDN.