Internet Banking
[ From chapter-12 of the book "Information Technology in Banking" written by Abul Kashem Md. Shirin and Nusrat Tamanna Prianka and published by Institute of Bankers, Bangladesh (IBB) ]
1. What is Internet Banking?
Internet banking is also known as i-banking or online banking. It is a system that customers can access from home, the office or anywhere in the world through the internet. To use this service, the customer needs to get a user ID and password from his bank and needs access to a computer with an internet connection.
2. i-Banking Password
When the customer accesses i-Banking for the first time, the system will ask him to change his password. The customer must change the password as per the password policy of the bank. For example, a bank may have adopted the following password policy:
• Length must be min. 6 - max. 12 characters
• User ID is not allowed as a part of the password
• Password should have at least 1 upper case, at least 1 lower case, 1 numeric digit and no symbolic characters
• Number of identical characters: 2
The following are valid passwords: Joyful7, raiN567
The following are not valid passwords: Joy7, rain567, rain666, aaAmin2
3. i-Banking functions
The customers can perform almost all types of banking activities through i-Banking except cash transactions.
Account Summary
The customer will be able to view the list of Current, Savings, Term Deposit and retail loan accounts held and the Current Balances in each account in the account currency. An indicative valuation of the account balances can be performed in the customer’s preferred currency.
Account Details
The customer can choose a particular account (Savings, Checking account, Term Deposit or Loan account) and see the account details such as date of opening, date of maturity, outstanding balance, interest accrued, interest paid, limit amount etc.
Account Activity
The customer can see transaction activity in a given account for a range of dates specified by the customer.
Transfer Funds
The customer can transfer funds from one of his accounts to another of his accounts with the Bank.
Open Term Deposit (TD)
The customer can open a Term Deposit by transferring funds from one of his current or savings accounts with the Bank.
Modify Term Deposit
The customer can modify the maturity and interest instruction details of the existing term deposit accounts.
Close Term Deposit
The customer can close a TD account prematurely in part or in full. He will be shown the penalty applicable as per the product definition.
Loans Repayment
The customer can make payment of the Loan installment or any amount by specifying the amount. The amount will be transferred from his deposit account.
Early and Final Settlement
The customer can make an early payment of the entire loan amount due. The amount will be transferred from his deposit account.
Standing Instructions – The customer can set up standing instructions for transferring a fixed amount of funds from his deposit account to another deposit (self or third party) or loan account in the bank on a fixed date of every week / month / quarter / year. He can specify the start date and the final date for execution of the standing instruction.
The users can set up multiple instructions for each account and define the priority in which they are executed. The instructions can be set up for a one-time transfer or for recurring transfers at a pre-defined frequency.
Payee maintenance – The customer can set up templates for use in ‘Third Party Funds Transfer’, mentioning the account number and other details of the ‘Third Party’. The ‘Third Party’ means an individual who has an account with the same bank. However, an educational institute or utility company is not a ‘Third Party’. To be effective and available in the list during ‘Third Party Transfers’, such entries need to be approved (authorized) by a bank officer.
Third Party Transfers - The customer can transfer funds from one of his accounts to another ‘Third Party’ account within the bank. The ‘Third Party’ account must be pre-recorded in the system using ‘Payee Maintenance’ and authorized by a Bank Officer to make it available in the list.
Statement Request
The customer can make a request for an account statement for a required period. The bank will manually service this request.
Cheque Book Request
The customer can make a request for a cheque book for an account, choosing the number of leaves desired from the set that the Bank offers.
Stop Cheque Request
The customer can choose an Account and enter the cheque number or range of cheque numbers for which cheque encashment should be stopped. He can also specify the reason for stopping the encashment.
Cheque Status Inquiry
The customer can choose an Account and enter the cheque number for which the status should be viewed. In case the cheque is returned or stopped, the reason for rejection will also be shown.
FX Rates Inquiry
The customer can query the FX rates that the Bank offers using this function. The rates displayed are the TT, cash and DD rates.
Interest Rates Inquiry
The customer can query the interest rates offered on Savings & Term Deposit Products offered by the Bank.
Change Password
The customer can voluntarily change the Internet password using this function. In addition, the user is forced by the system to change the password at first logon and at defined intervals. In both cases the password needs to conform to the policy defined by the bank.
Letter of Credit
Letter of Credit – Initiate
The customer (company) can choose to initiate an LC. One officer of the company will fill in the LC screens from his office. Another, higher-level officer will authorize the LC and submit it to the Bank. The relevant branch officer will examine the entries, verify them against the documents or scanned copies of the LC documents, and authorize. After authorization by the bank, the necessary accounting entries will be passed into the Core Banking System and a SWIFT message will be passed.
The data entry (by an officer of the company) for the LC will comprise multiple screens, which will provide Save and Submit options. The Save option will facilitate saving of partial or incomplete data entered in each screen. Data will be finally submitted when the Submit option is invoked. The data entered in all the screens will be validated, and any errors will be displayed to the user.
A verification and confirmation screen (for the higher-level officer of the company) will be displayed on completion of the initiation of an LC; it will be a single screen. Audit Information will be displayed at the bottom of each screen, the contents of which will be the Initiator Name & Date and the Authorizer Name and date corresponding to it.
Letter of Credit – Modify
The customer can modify the LC under certain scenarios, such as:
• The transaction to be modified has to have been initiated by the same user.
• In addition, the transaction to be modified has to be either in an Incomplete state, or Unauthorized, or rejected by the authorizer.
Audit Information will be displayed at the bottom of each screen, the contents of which will be the Initiator Name & Date and the Authorizer Name and date corresponding to it.
Letter of Credit – Authorize
The Authorizer can only authorize those LC Transactions for which he has rights. Rights will be based on the Initiator and the Transaction Authorization Limit. Once the transaction is authorized it will be sent directly to the core banking system.
The Authorizer can also reject an LC. A facility to specify the reason for rejection is provided. Audit Information will be displayed at the bottom of each screen, the contents of which will be the Initiator Name & Date and the Authorizer Name and date corresponding to it.
4. Fraud in Internet Banking:
If we look at the functionalities covered under the Internet banking system as mentioned above, we can see that if a fraudster comes to know the ID and password of a customer, he can easily get access to the system and do the following:
1. Can get the number, outstanding balance and transaction history of all the accounts maintained by the customer in the bank (stealing confidential information)
2. Can transfer money from one of the customer’s accounts to another of the customer’s accounts or to a utility company’s account (harassment)
3. Can transfer money from the customer’s account to the fraudster’s account and withdraw the money from an ATM (real fraud)
To protect customers from the above frauds, banks need to protect the password from being stolen while it travels from the customer’s computer to the Bank’s server, and from phishing attacks. Banks may also introduce mandatory 2-factor authentication for 3rd party transfers and LC transmission.
These protection measures are described below in brief.
a) Capture of Password during transmission to the bank server
While the Password is travelling through the internet from the customer’s computer to the Bank’s server, a fraudster can easily capture it and use the information to enter the internet banking system. To protect the PIN from capture in transit, the bank’s system must be capable of encrypting the PIN, bringing it to the server in encrypted form and decrypting it before further processing. If a fraudster captures the encrypted information on the way, it is not possible for him to decrypt it and find the real information. As such, the PIN is safe on the way.
b) Phishing
Phishing is the collection of user PINs by presenting a fake website address to the user. For example, let us consider that the website address of a Bank is www.abc-bank.com. A hacker will develop a fake website exactly similar to the website of the Bank, but with a different address such as www.abe-bank.com, and place it on the internet. Now if a user searches for the “ABC” bank in Google, the address of this fake website will be shown in the search results. If the user clicks on this link, he will go to the fake website. If he does not look at the website address carefully, or the address is not known to him, he will insert his ID and Password into the fake web page. The hacker will record all such attempts made by different users and collect their IDs and Passwords.
The false website address may also be sent to various users through email in which, in the name of a bank, the customer is requested to enter his i-Banking system and check something. Users who are not aware of phishing attacks may try to log in to the false website using their ID and Password. All such information will be captured into the hacker’s database.
The hacker can now use the collected ID and Password to enter the i-Banking System and carry out fraudulent activities.
It may not be possible for customers to know the exact website address of the Bank.
It is therefore devised that the website of a bank which offers i-Banking may be certified by a certifying authority such as VeriSign. The page of the bank which collects the customer’s ID and Password will display the seal of the certifying authority. If a customer clicks on the seal, the website of the certifying authority will appear. All customers must know the web address of the established certifying authority and thus should be able to verify its correctness. If the website address of the certifying authority is correct, the website page of the bank is also correct. As such the customer can insert the ID and Password safely into this webpage.
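A defensive check for the lookalike address described above, as an added example that is not from the book: it flags hosts within a small edit distance of the bank's real host, such as the page's www.abe-bank.com. The threshold of 2 and the function names are assumptions, and the sample links other than the page's two addresses are constructed.

```python
from urllib.parse import urlsplit

# The bank's real host, taken from the page's example.
LEGITIMATE_HOST = "abc-bank.com"

def normalize_host(url_or_host: str) -> str:
    """Return the lower-cased host without a leading 'www.'."""
    value = url_or_host.strip().lower()
    if "//" not in value:
        value = "//" + value          # let urlsplit treat a bare name as a host
    host = urlsplit(value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,               # delete ca
                current[j - 1] + 1,            # insert cb
                previous[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        previous = current
    return previous[-1]

def classify(url_or_host: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' (close but not equal) or 'unrelated'."""
    host = normalize_host(url_or_host)
    if host == LEGITIMATE_HOST:
        return "legitimate"
    if edit_distance(host, LEGITIMATE_HOST) <= max_distance:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links, e.g. extracted from mail or proxy logs.
    for link in ["https://www.abc-bank.com/login", "www.abe-bank.com",
                 "http://abcbank.com/", "https://www.example.org/"]:
        print(f"{link:35} {classify(link)}")
```

A bank's mail gateway or brand-monitoring job can run such a check over links in inbound mail or newly registered domains and route "lookalike" hits for review.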
c) Repudiation and Digital Signature
Sometimes a customer carries out some activity through the internet banking system and then denies having done it, blaming the bank officers instead and saying that they could have learned his Password from the system and made the transactions to transfer money from his account. It is certain that the bank officer has no access to the customer’s Password, as all Passwords are logically recorded in a system to which no bank officer, not even the administrator, has access. Moreover, there are electronic records in the system which can easily generate a history of the transactions, including the name and address of the final beneficiary, which will clearly indicate that the bank officer is not a beneficiary. However, it becomes very difficult to make customers understand this. Digital Signature is a solution to this.
A Digital Signature is the electronic signing (or encrypting) of a message or transaction by the sender using his private key, which can only be read (or decrypted) by the receiver using the sender’s public key. The pair of public and private keys is issued to a user by an Issuing Authority (normally a Government Authority; in Bangladesh it is the Bangladesh Computer Council). The user then sends his public key to the other users or institutions with whom he wants to exchange electronic information (like email or banking transactions) and keeps his private key with him (on his computer or pen drive). He then encrypts or signs all sensitive information using his private key and sends it to the other party. The other party will only be able to open the email or decrypt the information using his public key. This ensures that the transaction was made by the user himself. If the user denies such a transaction, the court can give a verdict on the issue based on the ICT Act 2006.
A bank can develop a system which only accepts transaction requests from customers that are encrypted using a private key. All customers who wish to make fund transfer transactions using e-commerce may be asked to buy a public and private key pair from the Issuing Authority and submit their public key to the bank.
d) Two-factor authentication
A Password can be hacked by a hacker and used for making unauthorized transactions in internet banking systems. To secure such transactions, banks can introduce 2-factor authentication, which means that a customer must authenticate a transaction using two factors: one is the Password and the other may be a Token, which is called a Cryptographic, USB or Hardware Token.
A token is a small hardware device issued by the bank to a customer. The algorithm in the token device and the one in the authentication server, which records all the token information, are the same; as such, both the server and the token generate the same number after every specified time period (say one minute). After submitting the ID and Password, the user gets access to the internet banking system and can do many activities except fund transfer and LC transmission. While making a 3rd party fund transfer or transmitting an LC, the customer is asked to enter the token number displayed on his token at that particular time. He reads the number from his token and inputs it into the system. The internet banking system passes this token number and the token ID to the authentication server, which checks the correctness of the number. If the number is correct the transaction is passed, otherwise it is rejected.
As the token is a physical device that belongs to the user and generates a random number, a hacker may capture the number but it will become invalid in the following minute. Thus two-factor authentication provides more security for customers and also protects the bank against a customer denying a transaction, as the token belongs to the customer himself.
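The token check described above, as an added example that is not from the book: the page does not name the token's algorithm, so this sketch assumes the standard time-based one-time password (TOTP, RFC 6238) with a one-minute window. The function names, the replay set and the use of the RFC's published test key as the shared secret are assumptions; rejecting a second use inside the same minute goes slightly beyond what the page describes.

```python
import hashlib
import hmac
import struct

# Published test key from RFC 4226 / RFC 6238; a real token holds a
# per-device secret that the authentication server also stores.
RFC_TEST_KEY = b"12345678901234567890"

def token_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Number shown by the token (and computed by the server) for this time window."""
    counter = unix_time // step                      # same value for the whole window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, now: int, step: int = 60,
           digits: int = 6, used_windows: set = None) -> bool:
    """Server-side check made before a 3rd party transfer or LC is passed."""
    window = now // step
    if used_windows is not None and window in used_windows:
        return False                                 # number already used: replay
    expected = token_code(secret, now, step, digits)
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if used_windows is not None:
        used_windows.add(window)                     # one acceptance per window
    return True

if __name__ == "__main__":
    used = set()
    shown = token_code(RFC_TEST_KEY, 100)            # customer reads the token at t=100
    print("token shows:", shown)
    print("customer submits at t=105:", verify(RFC_TEST_KEY, shown, 105, used_windows=used))
    print("replayed at t=110:", verify(RFC_TEST_KEY, shown, 110, used_windows=used))
    print("replayed a minute later:", verify(RFC_TEST_KEY, shown, 130, used_windows=used))
```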