Understanding the various types of Internet banking products helps examiners review the associated risks. Three basic types of Internet banking are currently in use in the marketplace.
Informational -
This is the fundamental level of Internet banking. Typically, the bank places marketing information about its products and services on a stand-alone server. Because an informational system normally has no path between the server and the bank's internal network, the risk is comparatively low.
This level of Internet banking can be offered by the bank itself or outsourced. While the risk to the bank is rather low, the server or Web site may still be vulnerable to alteration. Appropriate controls must therefore be in place to prevent unauthorized changes to the bank's server or Web site.
Communicative - This type of Internet banking system allows interaction between the bank's systems and the customer. The interaction may be confined to electronic mail, account inquiry, loan applications, or static file updates (name and address changes).
The risk is higher with this configuration than with informational systems, since these servers may have a path to the bank's internal networks.
Appropriate controls must be in place to prevent, monitor, and alert management of any unauthorized attempt to access the bank's internal networks and computer systems. In this environment, virus controls also become much more critical.
Transactional - At this level of Internet banking, customers can execute transactions. This is the highest-risk architecture and must have the strongest controls, since a path normally exists between the server and the bank's or outsourcer's internal network.
Customer transactions at this level include accessing accounts, paying bills, and transferring funds.
Types of Security Threats in Online Banking
Banks and service providers must guard against various types of online attacks. The purpose of an attack may vary. Attackers may try to exploit known vulnerabilities in a particular kind of operating system. They may also make repeated unauthorized entry attempts against a Web site within a short time frame, thus denying service to other customers.
Types of attacks may include:
Sniffers -
Also known as network monitors, this software is used to capture keystrokes from a specific PC. Logon IDs and passwords may be captured with this software.
Guessing Passwords - Software that tries all possible combinations in order to gain entry to a network.
Brute Force - A technique of capturing encrypted messages and then using software to break the code and gain access to the messages, user IDs, and passwords.
Random Dialing - This technique dials every number on a known bank telephone exchange. The purpose is to find a modem connected to the network, which could then be used as a point of attack.
Social Engineering - An attacker calls the bank's help desk impersonating an authorized user in order to gain information about the system or to have a password changed.
Trojan Horse - A programmer can insert code into a system that lets the programmer or another person gain unauthorized entry to the system or network.
Hijacking -
Intercepting transmissions in an attempt to deduce information from them. Internet traffic is particularly susceptible to this threat.
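The password-guessing and repeated-entry threats listed above are normally addressed on the bank's side by monitoring the authentication log and alerting on clusters of failed logons. The following detector is an added example written for this page; it is not code from the article or from any bank or vendor. It assumes a constructed, simplified log format (one event per line: timestamp, client address, account, result) and default thresholds of five failures within sixty seconds, both chosen for illustration. It flags two patterns: a single source address producing many failures (classic guessing against the site) and a single account receiving many failures from several sources (guessing spread across addresses to stay under a per-address limit).

```python
"""Flag repeated failed logons in a Web-banking authentication log.

Assumed, constructed log format (not from the article), one event per line:
    <ISO-8601 timestamp> src=<client IP> user=<account> result=<OK|FAIL>
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # fromisoformat does not accept a trailing 'Z' on older Pythons; map it to +00:00.
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "src": m.group("src"),
            "user": m.group("user"), "result": m.group("result")}


def detect_password_guessing(lines, window_seconds=60, threshold=5):
    """Return a list of (kind, key, count) alerts, in the order they fire.

    kind == "source":  one client address produced `threshold` FAIL results
                       within `window_seconds` (guessing from one place).
    kind == "account": one account received `threshold` FAIL results within
                       the window, from any number of addresses (spread guessing).
    Each (kind, key) pair is reported once. Lines must be in time order.
    """
    by_src = defaultdict(deque)    # source IP -> timestamps of recent failures
    by_user = defaultdict(deque)   # account   -> timestamps of recent failures
    alerts, flagged = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue   # ignore unparsable lines and successful logons
        for kind, key, window in (("source", ev["src"], by_src[ev["src"]]),
                                  ("account", ev["user"], by_user[ev["user"]])):
            window.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and (kind, key) not in flagged:
                flagged.add((kind, key))
                alerts.append((kind, key, len(window)))
    return alerts


# Constructed sample log (documentation-range addresses, fictitious accounts).
# 203.0.113.7 hammers "alice"; an early failure at 08:45 is outside the window.
# "bob" receives one failure each from five different addresses.
# "carol" fails once and then succeeds, which should not alert.
SAMPLE_LOG = """
2024-05-01T08:45:00Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:00Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:10Z src=198.51.100.3 user=carol result=FAIL
2024-05-01T09:00:12Z src=198.51.100.3 user=carol result=OK
2024-05-01T09:00:15Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:20Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:25Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:30Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:01:00Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:01:05Z src=192.0.2.11 user=bob result=FAIL
2024-05-01T09:01:10Z src=192.0.2.12 user=bob result=FAIL
2024-05-01T09:01:15Z src=192.0.2.13 user=bob result=FAIL
2024-05-01T09:01:20Z src=192.0.2.14 user=bob result=FAIL
"""


if __name__ == "__main__":
    for kind, key, count in detect_password_guessing(SAMPLE_LOG.strip().splitlines()):
        print(f"ALERT {kind}={key} failures_in_window={count}")
```

The two views matter because a per-address lockout alone misses the spread pattern against "bob", while a per-account lockout alone lets an attacker lock legitimate customers out deliberately, which is the denial-of-service variant the text describes. A production version would feed such alerts into the monitoring and alerting controls the communicative and transactional tiers require, rather than blocking on the first alert.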