
Meaning of e-banking

Ebanking is an abbreviation for electronic banking. Ebanking allows you to conduct bank transactions online, instead of finding a bank and interacting with a teller. Most U.S. banks offer ebanking, though the extent of the services may vary. For instance, some banks may offer unlimited bill pay options while others restrict online activity.

Definition of e-banking
Electronic banking, also known as e-banking, virtual banking and online banking, is a service that allows customers to access their bank information, conduct financial transactions, make deposits, withdrawals and pay bills through the Internet without having to physically visit their bank. It provides the convenience of accessing banking facilities from the comfort of their home or office.

Advantages of e-banking
Ease of Use

Electronic banking allows you to conveniently conduct your banking activities online. You can view your account balances and statuses from your home computer. In addition, you don't have to deal with lines at the bank or have conversations with bankers in front of other people.

Direct Deposit

Before the advent of direct deposit, Americans handled their pay differently. On payday you would receive a check (or possibly cash). You then had to take the check to your bank and deposit it, but that would require between two and ten days to clear the funds for your use. Alternatively you could go to the bank the check was written from and cash it, then drive back to your bank and deposit the funds in order to make the funds immediately available. Direct deposit allows the banks and employers to use fewer employee hours to get the job done, saving them money. For customers and employees, direct deposit allows you to have your funds instantly available to you as soon as the transfer is initiated and completed.


If you are an online banking customer, you have the option of accessing your banking information from your home computer. Additionally you can use any computer that is connected to the Internet, and, if your bank has the ability, any smart device that can access the Internet can also give you this functionality. You can, for instance, do your banking from your local coffee shop (assuming they have a free Wi-Fi service).

Bill Pay

Bill pay is a service that banks offer to help you pay your bills on time, at the same time every month. You collect the bills that you want to be included in the bill pay service and set up your bank account to pay a certain amount each month to each biller. Online banking customers can do this from home; otherwise visit your bank to set this up.

Money Transfer

If you hold multiple accounts within the same bank and need to transfer money between them, electronic banking makes it very simple. In fact, online banking customers do not even need to leave their computer to do it. Just pick the amount you would like to transfer, and to which account it will be transferred, complete the transfer and the money is instantly transferred.

Disadvantages of e-banking
Internet Connection

Not everyone enjoys the luxury of having a stable and fast Internet connection at home. Aside from having a personal computer or laptop, having stable Internet access at home is a basic prerequisite to performing electronic banking. Of course, people can always use a public computer with Internet access; however, the security of public computers is always a concern.

Computer Know-How

Conducting a successful electronic banking transaction, like paying bills online, requires basic computer skills and knowing your way around the Internet. Not everyone is computer-literate, especially seniors who might not have grown up using computers, and this is a major disadvantage to electronic banking.

Delayed Statements

With online banking there is no standard for how quickly payments will show up on your online bank statements; they might show up two to three days later, depending upon the bank. When banking in person, you can generally get the exact status of your bank account.

Security Concerns

One of the biggest disadvantages of doing electronic banking is the question of security. With the prevalence of keyloggers, phishing emails, trojans and other online threats, it is natural for people to be concerned with the security of their identity, funds and electronic banking transactions. Using antivirus and similar programs is not foolproof. People worry that their bank accounts can be hacked and accessed without their knowledge or that the funds they transfer may not reach the intended recipients. Although it is rare nowadays with enhanced security measures, these threats still exist.

Loss of Human Touch

Some people still value talking and interacting with bank tellers, managers and other bank clients. Electronic banking takes the majority of these "human interactions" away, leaving the banking experience as a very hands-off, impersonal process.

Process of e-banking

TAN list

With the classic TAN process, customers receive a password or PIN from their financial institution plus a list of character strings (TANs) on paper. During log-in and for any subsequent actions, customers then will have to use the first or next unused TAN on their list for entry into the login mask of their eBanking provider and cross this off the list afterwards, as each TAN may only be used once. TANs supplement password or PIN. Customer password or PIN, TAN and ID number are sent to the financial institution simultaneously for checking. After all TANs on a list have been used, customers receive a new list from their financial institution.

Tips:

Keep your character string (TAN) list in a safe place. Don't save your character string (TAN) list in any electronic form. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.

iTAN

With the iTAN procedure, customers receive a list of indexed character strings (iTANs) from their financial institution. During log-in, customers enter their ID number and their password or PIN into the log-in mask of their eBanking provider and transmit these data to the financial institution. The financial institution confirms data they currently have on file (e.g. customer name and time of last log-in) back to the customer, and requests a certain iTAN. Customers then type in the requested iTAN and transmit it back to the financial institution by way of confirmation. Customers therefore cannot verify their log-in simply by using the next valid TAN on their list, but are requested by the financial institution to enter a certain, random iTAN, identified by a serial number, from their active list instead.

Tips:

Keep your iTAN list in a safe place. Don't save your iTAN list in any electronic form. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.
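
The bank-side bookkeeping behind the classic TAN list and the iTAN procedure described above looks like this in code. This is an added example, not code from the original text or from any bank; the class and method names, the lock after three wrong entries and the sample TANs used with it are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constant-time comparison, so response timing does not reveal how many digits matched.
function sameTan(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

class TanAccount {
  // tans[i] is the TAN printed next to serial number i + 1 on the customer's paper list.
  constructor(tans, maxFailures = 3) {
    this.tans = tans.slice();
    this.used = new Set();          // serial numbers that have been crossed off
    this.pending = null;            // serial number of the outstanding iTAN request
    this.failures = 0;
    this.maxFailures = maxFailures; // assumption: lock after 3 consecutive wrong TANs
  }

  locked() { return this.failures >= this.maxFailures; }
  remaining() { return this.tans.length - this.used.size; }

  unusedSerials() {
    const free = [];
    for (let s = 1; s <= this.tans.length; s++) if (!this.used.has(s)) free.push(s);
    return free;
  }

  // Classic TAN list: only the first unused TAN on the list is valid.
  verifyClassic(tan) {
    const free = this.unusedSerials();
    if (free.length === 0) return 'list-exhausted';
    return this.check(free[0], tan);
  }

  // iTAN step 1: the bank chooses a random unused serial number. An unanswered
  // request is repeated, so retrying cannot be used to obtain a different serial number.
  challenge() {
    if (this.locked()) return null;
    if (this.pending === null) {
      const free = this.unusedSerials();
      if (free.length === 0) return null;
      this.pending = free[crypto.randomInt(free.length)];
    }
    return this.pending;
  }

  // iTAN step 2: only the TAN with the requested serial number is accepted.
  verifyIndexed(tan) {
    if (this.pending === null) return 'no-challenge';
    const result = this.check(this.pending, tan);
    if (result === 'accepted') this.pending = null;
    return result;
  }

  check(serial, tan) {
    if (this.locked()) return 'locked';
    if (!sameTan(this.tans[serial - 1], tan)) {
      this.failures += 1;
      return this.locked() ? 'locked' : 'rejected';
    }
    this.used.add(serial);          // each TAN may be used only once
    this.failures = 0;
    return 'accepted';
  }
}
```

Keeping the same request outstanding until it is answered is the design choice that matters here: a TAN obtained from the customer for one serial number is useless unless the bank happens to ask for exactly that number.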

mTAN (mobile TAN or SMS TAN)

As you would already assume from the name, this process uses an additional communication channel in addition to the Internet, i.e. the mobile phone network. After customers log in with ID number and password or PIN, the financial institution transfers the access code (mTAN) by SMS. Only once this access code has been entered are customers permitted access to their account. In addition, potentially risky transactions must be confirmed by mTAN. A confirmation is not required for all remittances. Many systems remember recurring payment recipients of a customer, so you no longer have to confirm every single remittance. The additional communication channel makes it more difficult for attackers to phish out TANs.

Tips:

When confirming transactions, always make absolutely sure that you check all data to be signed. Don't keep your mobile phone and your access data together in the same place. Don't use your mobile phone for eBanking. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.

eTAN

With the eTAN process, customers receive a PIN or password and an electronic TAN generator from their financial institution. This shows the eTAN to be used on a display. TAN generators include a clock accurately synchronized with the financial institution's time, thus always showing the exact time and ensuring that the eTAN shown is synchronous with the server. Login procedures are identical to the TAN process in any other respect.

Tips:

Keep your electronic TAN generator in a safe place, and not together with your access data. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.
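
Why the generator's clock has to agree with the bank's can be seen in a time-based code check. This is an added example, not the scheme of any particular eTAN product: the text does not name an algorithm, so the RFC 6238 time-based one-time password construction (HMAC-SHA1, 30-second steps, 8 digits) stands in for it, and the function and class names are assumptions.

```javascript
const crypto = require('crypto');

const STEP_SECONDS = 30; // assumption: one code per 30-second time step
const DIGITS = 8;        // assumption: 8-digit codes

// Code for one time step: HMAC over the step counter, then RFC 4226 dynamic truncation.
function codeForStep(secret, step) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(step));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, '0');
}

// What the generator displays at Unix time `unixSeconds` according to its own clock.
function generatorDisplay(secret, unixSeconds) {
  return codeForStep(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

class EtanVerifier {
  constructor(secret, window = 1) {
    this.secret = secret;
    this.window = window; // clock drift tolerated, in time steps on each side
    this.lastStep = -1;   // newest time step already accepted (replay guard)
  }

  // Checks a code against the server's clock; a code is accepted at most once.
  verify(code, serverUnixSeconds) {
    const now = Math.floor(serverUnixSeconds / STEP_SECONDS);
    const given = Buffer.from(String(code));
    for (let s = now - this.window; s <= now + this.window; s++) {
      if (s <= this.lastStep) continue; // this step or a later one was already used
      const expected = Buffer.from(codeForStep(this.secret, s));
      if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
        this.lastStep = s;
        return { ok: true, driftSteps: s - now };
      }
    }
    return { ok: false, driftSteps: null };
  }
}
```

A generator whose clock is one step behind is still accepted and the drift is reported; one that is minutes off is rejected, and so is a second submission of a code that was already accepted.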

Chip TAN

For the Chip TAN process, customers will require a password or PIN, a card reader and a bank card from their financial institution. During log-in, customers first have to enter their ID number and their password or PIN. Then they are asked for their personal access code. This is generated using the card reader and bank card.

Tips:

Keep your bank card in a safe place, and not together with your access data. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.

USB stick with hardened web browser

With the USB stick process, a hardened browser on a write-protected USB stick is used. This browser can be used the same as any browser installed on your computer, with the one difference that attackers cannot manipulate a hardened browser. This prevents the activation of any malicious software. Hardened browsers usually start automatically when inserting the stick into the USB port. Using this hardened browser, customers can then log into their eBanking as usual. To log in, one of the login procedures described above is used.

Tips:

Don't keep your USB stick together with your other secret elements in the same place. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.

USB stick with hardened web browser and certificate

This process is similar to the "USB stick with hardened browser" process described above. However, an additional personal certificate is used as well. This certificate is issued by the financial institution or a certification agency. In addition to your stick, you will need a password to log in.

Tips:

Don't keep your USB stick together with your other secret elements in the same place. Don't note down passwords and PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into your eBanking log-in mask.

Zone Trusted Information Channel (ZTIC)

The ZTIC process uses a USB device. This increases security by creating a secure connection to the financial institution's server from the customer computer, and frees customers from the task of having to check the server's authenticity themselves. The ZTIC device therefore only allows SSL/TLS connections with known, preconfigured servers. Transaction data received from the financial institution's server via their website are securely transferred to the ZTIC device, and are displayed to the customer in a 100% genuine manner (analogous to mTAN) there. The transaction is only triggered once the customer has authorised it by pressing a key. As described in the two methods using a USB stick above, malware is not currently able to attack a ZTIC device and infect it.

Tips:

Don't keep your USB device in the same place as your secret elements. Don't write down any passwords or PINs, unless you can keep such notes under lock and key. Only ever enter your password or PIN into the login template for your eBanking service and/or your eBanking devices (TAN generator etc.).

Flicker TAN

To use the Flicker TAN method (optical TAN procedure), customers need a password or a PIN and a so-called Flicker TAN generator. A Flicker TAN generator differs from a standard TAN generator insofar that it incorporates 5 sensors which enable this device to capture optical information (the so-called flicker code). It is also fitted with a keypad or fingerprint reader. Once a transaction has been registered, a graphic design consisting of five flickering black and white spaces appears on the customer's PC screen. These flickering spaces serve to carry the information of the transaction just made in a manner which guarantees data authenticity. When you subsequently hold the Flicker TAN generator with the optical sensors pointing towards your screen, it can capture the information transmitted by the financial institution to then decode and display it (similar to the mTAN procedure). This allows customers to verify and then authorise the transaction just requested. As long as customers check all transaction data shown on the Flicker TAN generator display for their correctness before confirming them, this procedure protects them against phishing or man-in-the-middle attacks.

Tips:

Keep your Flicker TAN generator in a safe place, and separate from any other access data. Don't write down any of your passwords or PINs, unless you can keep such notes strictly under lock and key. Make sure you only ever enter your password or PIN into the eBanking log-in screen.
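
The mTAN, ZTIC and Flicker TAN procedures all rest on the same idea: the confirmation is tied to the transaction data shown on a second device, and the customer checks that data before releasing it. The following added example, which is not taken from the original text or from any bank's implementation, shows that binding; the truncated HMAC-SHA256 used to derive the TAN, the function names and the placeholder account identifiers are assumptions.

```javascript
const crypto = require('crypto');

// Length-prefixed encoding, so two different transactions can never
// serialise to the same bytes (e.g. "AB"+"C" versus "A"+"BC").
function encodeTx(tx) {
  const fields = [tx.beneficiary, tx.amount, tx.currency, tx.nonce];
  return Buffer.concat(fields.map((f) => {
    const body = Buffer.from(String(f), 'utf8');
    const len = Buffer.alloc(2);
    len.writeUInt16BE(body.length);
    return Buffer.concat([len, body]);
  }));
}

// Assumption: 6-digit TAN = truncated HMAC-SHA256 over the transaction data.
function tanFor(key, tx) {
  const mac = crypto.createHmac('sha256', key).update(encodeTx(tx)).digest();
  return String(mac.readUInt32BE(0) % 1000000).padStart(6, '0');
}

// Device: shows the data it actually received and derives the TAN from exactly that data.
function deviceConfirm(key, txReceived) {
  const { amount, currency, beneficiary } = txReceived;
  return { display: `${amount} ${currency} to ${beneficiary}`, tan: tanFor(key, txReceived) };
}

// Customer: compares the device display with the intended payment and
// releases the TAN only on an exact match.
function customerAuthorises(intended, confirmation) {
  const expected = `${intended.amount} ${intended.currency} to ${intended.beneficiary}`;
  return confirmation.display === expected ? confirmation.tan : null;
}

// Bank: checks the TAN against the transaction as the bank received it.
function bankAccepts(key, txAtBank, tan) {
  if (tan === null) return false;
  const expected = Buffer.from(tanFor(key, txAtBank));
  const given = Buffer.from(String(tan));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data (placeholder account identifiers, not real accounts).
const KEY = Buffer.from('constructed-device-key');
const intended = { beneficiary: 'ACCT-EXAMPLE-0001', amount: '250.00', currency: 'EUR', nonce: 'n-1' };
const altered = { ...intended, beneficiary: 'ACCT-EXAMPLE-9999' }; // beneficiary changed in transit

function scenarios() {
  return {
    // Nothing altered: the display matches, the TAN is released, the bank accepts.
    genuine: bankAccepts(KEY, intended, customerAuthorises(intended, deviceConfirm(KEY, intended))),
    // The bank received the altered order; the device shows it and the customer withholds the TAN.
    alteredNoticed: bankAccepts(KEY, altered, customerAuthorises(intended, deviceConfirm(KEY, altered))),
    // A TAN released for the intended order does not confirm the altered one.
    tanForOtherOrder: bankAccepts(KEY, altered, tanFor(KEY, intended)),
    // The same order with a fresh nonce needs a fresh TAN.
    replayed: bankAccepts(KEY, { ...intended, nonce: 'n-2' }, tanFor(KEY, intended)),
  };
}
```

If `customerAuthorises` released the TAN without comparing the display, the altered order would be confirmed, which is why the tips insist on checking all data to be signed.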

Case Study: Internet banking services

Companies must instigate their own security arrangements for Internet transactions, if they are to retain customer confidence.

Secure Internet banking incorporating encryption

Traditional customer access systems have operated in closed private networks accessed through dedicated telephone lines; banks and their customers were happy to use these services as long as certain core data security concerns were allayed. These data security requirements were usually described in terms of the need for confidentiality, integrity and authentication.

The need for confidentiality, which is of particular importance in the corporate banking arena, prescribes that data cannot be interpreted by anybody other than the sending or receiving parties. The confidentiality of computer data can be easily protected through a regime of data encryption.

Sometimes data will be deliberately or accidentally amended during transmission and it is common practice therefore to use cryptographic methods to be able to detect these amendments. These techniques, known as Hash or Message Digest functions, are a very reliable means of guaranteeing data integrity.

Whenever the communication is between multiple parties there is a further requirement for guarantees that each entity is "who he says he is". A further encryption process, based on public-key cryptography, allows each user to apply his own digital signature to a transmission so that it can be said to be authenticated. Often the digital signature process is augmented by the use of digital identity certificates "signed" by a trusted Certification Authority. A Certification Authority is a component in a Public Key Infrastructure or PKI.

One popular rule of thumb is that "when you are connected to the Internet, the Internet is connected to you...". For this reason, many Internet applications assume the presence of the data security precautions described above, but even where systems can guarantee data security they often fail to legislate for when something actually does go wrong. For example, because of the ubiquitous nature of the Internet, there is the theoretical possibility that anybody anywhere can attempt to attack an Internet banking service; these attacks can manifest themselves in the form of traditional break-in attempts, fake websites or by "denial of service" attacks.
Legal framework

Even where Internet Banking Services can be secured by cryptography, authenticated websites and firewalls, there remain serious legal challenges to be resolved. Business on the Internet is without precedent and lacks a legal framework in most countries; banks and customers therefore need to define appropriate legal measures covering, among other things: Service Levels, Indemnities, limitations of liability and acceptability of digital signature. Essentially, it is imperative that they legislate for when things can go wrong, so that both parties can understand their obligations and entitlements.

By its very nature, however, the Internet has no defined jurisdiction; in legal parlance this is sometimes described as being "extraterritorial". Users are increasingly mobile and some countries even apply local national regulations governing the use of cryptography, so it is therefore important for all parties to acknowledge these constraints in their agreements and to define the operational and legal jurisdiction under which Internet banking is supported.

In conclusion, the Internet poses a number of security challenges for banks willing to invest in it, but only with an integrated set of proven security technologies, professional policies and procedures and an educated user base can a bank achieve a successful deployment.

Applications at risk

There are many types of banking application that are now in the process of migrating from these traditional closed network environments to the more open and exposed medium of the Internet. The migration and evolution of e-commerce systems on the net has itself prescribed the need for an entirely new vocabulary to describe new technologies such as Virtual Private Networks [VPNs], firewalls, extranets, proxy servers, Secure Sockets Layer [SSL] and so on. Among the first tranche of banking applications that can use these technologies and augment them with the implementation of cryptographic solutions are:

- Corporate Electronic Banking Systems
- Home Banking Applications
- Ancillary Services, such as FX trading, Trade Finance, Portfolio Management and so on

The technology already exists for other ATM-analogous applications, such as cash downloads, lodgements and video conferencing. There are already some working implementations in production. However, for the sake of simplicity it is best to focus on implementations that are familiar to many of us.

For instance, consider a hypothetical transaction where an Internet user initiates a transaction to pay a large foreign currency cash value to a beneficiary. The transaction must remain confidential now and for a long time in the future, as if it was made at the branch. The data content must have integrity [i.e. not changed in transit]; both parties need assurances that critical data such as the transaction value or beneficiary account details are as originally entered at the client end. The bank will require absolute assurances that the initiator of the instruction is authentically who they purport to be. The bank will require the presentation of some form of electronic authentication, analogous to an identity document that might be presented under normal "paper" circumstances. The value amount of the final transaction might be affected by a fluctuation in the currency market after the instruction was issued; this fluctuation could work in either party's favour but it defines the need for both parties to be unable to repudiate either the payment or its receipt. This requirement defines a need for the sender and bank to digitally sign their messages.

Now consider a retail customer paying a domestic bill or other low-value payment to a pre-mandated beneficiary over the Internet: Does it matter whether this transaction is confidential or not? Not necessarily. The data content must have integrity, but in this type of transaction the user must select a (pre-mandated) beneficiary account, so the potential to amend this detail is greatly reduced. The need for authentication of the payee is not so great; after all, transactions of this nature are typically of low value and, given the nature of the application, the end-user does not care if some impostor fraudulently pays their bills! The payment is of relatively low value, is typically in a domestic currency and is unlikely to be repudiated; a digital signature might represent a barrier to the overall user-friendliness of the solution.

The solutions - cutting your cloth to fit

The more "traditional" applications listed above all have a requirement for confidentiality, integrity, user-authentication and non-repudiation, but banks attach different degrees of importance to each, depending on the attendant risk as a consequence of the value of the asset being protected and of the level of associated liability. In Internet browser and server products there are technologies embedded that transparently enable cryptographic software or that allow the implementation of "plug-in" solutions. I will discuss the possible solutions under the headings listed at the beginning of this feature and then suggest one feasible solution that provides "Security in an Open World".

1) Confidentiality and integrity

The security solution embedded in internet browsers and servers is called Secure Sockets Layer [SSL]; among other things it encrypts and hashes all traffic, thus providing a high degree of confidentiality and integrity to both parties to a transaction.

2) Authentication and Non-Repudiability

SSL can provide server and client authentication through the deployment of digital certificates issued from within a PKI and stored in the client browser. There are certain disadvantages to this model, namely:

- The digital certificates are attached to the software and not to the end-user. Therefore there is the absence of the concept of a digital signature that is bound to the end-user and as a consequence it is not feasible to provide an authentication framework for multiple users at a single [PC] browser.
- The certificate in the browser is not easily portable, for instance for use at home and in the office the certificate

There is an accepted principle in the cryptographic industry that states that "authentication should be a combination of something you know and something you have".
What this means in the context of Electronic Banking is that for a user to authenticate himself to a bank he should have something he holds [some form of token containing a digital certificate] and something he knows [a password or PIN]. To this end I would suggest that the most viable authentication models can be constructed using either:

- User smart cards containing a signature key and certificate, protected by PIN and accessible from a browser plug-in or Java applet.
- User "key ring" Files [on diskettes] containing the same signature key and certificate, encrypted and secured by a pass phrase and accessible from a signed Java applet in the browser. This is arguably a less elegant solution, but for a very large community of users it can be highly cost effective and negates the requirement for a card reader on the Client PC.

Conclusion

Security is often a trade-off between what is acceptable and what is affordable. Also, any security solution should strive to be as transparent as possible so that users will not resist its implementation. "Security in the Open World of the Internet" is very complex and its deployment is not a trivial exercise that should be embarked upon without at least seeking expert advice. Baltimore Technologies are available and have the expertise to offer a consultative service to you in order to help you to define a sensible framework for your Internet Banking applications.
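
The integrity and non-repudiation requirements of the high-value foreign-currency payment in the case study can be shown with a signed instruction and a signed receipt. This is an added example, not code from the original article or from any vendor; the Ed25519 keys generated on the spot, the function names and the sample instruction are assumptions, and confidentiality is left to the SSL layer the article describes.

```javascript
const crypto = require('crypto');

// Deterministic serialisation (keys sorted) so signer and verifier process identical bytes.
function canonical(obj) {
  return Buffer.from(JSON.stringify(Object.keys(obj).sort().map((k) => [k, obj[k]])), 'utf8');
}

// Message digest: any amendment to the instruction changes this value.
function digestOf(obj) {
  return crypto.createHash('sha256').update(canonical(obj)).digest('hex');
}

function signObject(privateKey, obj) {
  return crypto.sign(null, canonical(obj), privateKey).toString('base64');
}

function verifyObject(publicKey, obj, signatureB64) {
  return crypto.verify(null, canonical(obj), publicKey, Buffer.from(signatureB64, 'base64'));
}

// Bank side: accept only an instruction whose signature verifies under the
// customer's public key, then answer with a receipt signed by the bank.
function bankProcess(bankPrivateKey, customerPublicKey, instruction, signatureB64) {
  if (!verifyObject(customerPublicKey, instruction, signatureB64)) return null;
  const receipt = { instructionDigest: digestOf(instruction), status: 'accepted' };
  return { receipt, bankSignature: signObject(bankPrivateKey, receipt) };
}

function demo() {
  // Assumption: keys are generated here; in the PKI model of the article the public
  // keys would arrive in certificates signed by a Certification Authority.
  const customer = crypto.generateKeyPairSync('ed25519');
  const bank = crypto.generateKeyPairSync('ed25519');

  // Constructed sample instruction (placeholder account identifier and reference).
  const instruction = {
    beneficiary: 'ACCT-EXAMPLE-0001',
    amount: '1000000.00',
    currency: 'USD',
    reference: 'INV-EXAMPLE-1',
  };
  const signature = signObject(customer.privateKey, instruction);
  const result = bankProcess(bank.privateKey, customer.publicKey, instruction, signature);

  // The same instruction with the beneficiary amended after signing.
  const amended = { ...instruction, beneficiary: 'ACCT-EXAMPLE-9999' };

  return {
    accepted: result !== null,
    amendedRejected: bankProcess(bank.privateKey, customer.publicKey, amended, signature) === null,
    receiptVerifies: verifyObject(bank.publicKey, result.receipt, result.bankSignature),
    receiptBindsInstruction: result.receipt.instructionDigest === digestOf(instruction),
    receiptCoversAmended: result.receipt.instructionDigest === digestOf(amended),
  };
}
```

The customer's signature is what the bank keeps as proof of the order, and the bank's signed receipt over the instruction digest is what the customer keeps as proof of receipt.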