Chapt 5

The document discusses e-banking security systems including digital certificates, digital signatures, and electronic signatures. Digital certificates use public-key infrastructure to authenticate users and devices over the internet. Digital signatures cryptographically verify documents while electronic signatures establish a signer's identity but do not ensure document integrity. These technologies increase security, transparency, and efficiency for online banking.

Uploaded by Zoro
Copyright: © All Rights Reserved

E-banking Security System

1. Digital Certificate:

A digital certificate is a form of electronic credential that can prove the authenticity of a user,
device, server, or website. It uses PKI to help exchange communications and data securely over the
internet.

This form of authentication is a type of cryptography that requires the use of public and private
keys to validate users.

Public key certificates are issued by a trusted third party, a certificate authority (CA), which
signs the certificate and thereby vouches for the identity of the device or user requesting access.
To ensure validity, the public key in the certificate is matched against a corresponding private
key known only to the certificate's owner. Each digital certificate is associated with a specific
key pair: one public key and one private key.

A digital certificate contains the following identifiable information:

• User’s name
• Company or department of user
• IP (internet protocol) address or serial number of device
• Copy of the public key from a certificate holder
• Duration of time the certificate is valid for
• Domain certificate is authorized to represent

Benefits of digital certification


Digital certification can offer a level of security that is increasingly important in this digital age. In
fact, cybersecurity has been named one of the top priorities of the U.S. Government by
the Department of Homeland Security (DHS). Cybercrime is a major threat to businesses and
individuals.

Digital certificates can provide the following benefits:

• Security: Digital certificates can keep internal and external communications confidential
and protect the integrity of the data. They can also provide access control, ensuring only the
intended recipient receives and can access the data.
• Authentication: With a digital certificate, users can be sure that the entity or person they
are communicating with is who they say they are and makes sure that communications
reach only the intended recipient.
• Scalability: Digital certificates can be used across a variety of platforms for individuals and
large and small businesses alike. They can be issued, renewed, and revoked in a matter of
seconds. They can be used to secure a range of user devices and be managed through one
centralized system.
• Reliability: A digital certificate can only be issued by a publicly trusted and rigorously
vetted CA, so certificates cannot be easily forged.
• Public trust: The use of a digital certificate proves authenticity of a website, documents, or
emails. It can assure users and clients that the company or individual is genuine and
respects privacy and values security.

Different types of digital certification


There are three main types of public key certificates: TLS/SSL (Transport Layer Security/Secure
Sockets Layer) certificates, client certificates, and code signing certificates. There are also variations
within each type of certificate.

• TLS/SSL certificates: The TLS/SSL certificate is used to secure communications between a
computer and the server, and it is hosted by the server. When a client computer seeks to
access the server, the server presents the digital certificate to prove that it is authentic
and is the desired destination.

The HTTPS (Hypertext Transfer Protocol Secure) designation at the beginning of a web address or
URL (Uniform Resource Locator) indicates the presence of a digital certificate.

When a client computer is presented with the digital certificate from the server, it performs
certification path validation (checking the chain of signatures up to a trusted CA) and ensures
that the subject of the certificate matches the host name. Within the subject field of the
certificate, a primary host name, or Common Name, must be identified. There can be multiple host
names in the case of Subject Alternative Name (SAN) certificates and Unified Communications
Certificates (UCCs).

Public web servers, or internet-facing servers, are required to have a digital certificate signed by a
trusted CA. The TLS/SSL certificates can be domain validated, which is used for websites, or
organization validated, which is used for light business authentication.

The extended validation provides full business authentication. It can offer the highest amount of
security, trust, and authentication.

• Client certificates: This is a form of digital ID that can identify one machine to another, or
a specific user to another user. It can be used to allow a user to access a protected and
secure database, and also for email.

With email, often the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol is used,
which works for communications within an organization. Both parties will need to have copies of
the digital certificate before communicating.

Email messages can be both encrypted and message integrity validated through use of a client
certificate. Each user will need to send a digitally signed message and import the sender’s
certificate ahead of time.
• Code signing certificates: This type of digital certificate involves software or files. The
publisher or developer of software will sign it to validate its authenticity to users
downloading it.

This is highly beneficial when software is downloaded through a third party, ensuring that it is
what it claims to be and has not been tampered with by malicious actors. It confirms that files
or software downloaded from the internet are valid and authentic.

Where digital certificates are used


Public certificate authorities are required to adhere to a set of baseline requirements. Most web
browsers are set up to trust a pre-selected list of CAs, which are set by the browser itself or the
operating system of the device. The verification of a digital certificate often happens behind the
scenes and quickly, without a user even being aware of the process.

Websites use digital certificates to create the HTTPS connection, authenticating their validity by
being signed by a trusted CA. This can help a browser to know it is visiting the real website it is
seeking and not a fake or fraudulent one.

Digital certificates are also used in e-commerce to protect sensitive identification and financial
information. Online shopping, stock trading, banking, and gaming all use digital certificates. Digital
certificates can be used by electronic credit card holders and merchants to protect the financial
transaction.

Another common use for digital certificates is email communication. Email can also carry a
digital signature: a hash of the message is signed with the sender's private key, so the recipient
can verify who sent it and that it was not altered in transit.

Criticisms of digital certificates


While digital certificates are designed to invoke public trust and prove security and validity, they
are not infallible. Digital certificates do have potential weaknesses that bad actors have exploited.

Organizations can be breached, for example, and cybercriminals can steal certifications and private
key information, allowing them to then distribute malware. An illegitimate certificate can configure
an infected system to trust it, opening the door to attack.

Man-in-the-middle (MITM) attacks have also been used to intercept SSL/TLS traffic and gain
access to sensitive information, either by installing a fake root CA certificate on the victim's
device or by installing a rogue certificate that the client then trusts, bypassing the protection the
certificate was meant to provide. Overall, however, using digital certificates to secure websites is
considered more secure than not using them.

2. Digital Signature:
One of the technological inventions transforming the industry at a rapid rate is
the use of the digital signature. The main idea behind introducing electronic signatures
for banking was to simplify how financial institutions operate.
A digital signature is a technology with the potential to accelerate the growth and speed of
financial institutions. As we all know, a signature is a vital necessity in any banking
institution, from opening an account, depositing money and withdrawing to any other activity in
the banking sector.
To illustrate, imagine how much time people waste waiting for their loan documents to be signed
so that they can be approved. Think how tedious it is to wait for hours in a line for your bank
documents to be signed. Such a time-consuming, inefficient and tedious process is what
encourages banks to adopt digital signatures.

So, what are the primary purposes of adopting eSignature solutions for banks?

1. A digital signature is secure
2. Increased transparency and efficiency
3. Time-saving
4. Cost-saving
5. Centralization of documents
6. Strengthens the brand image
7. Fights fraud

3. Electronic Signatures:
In general, an electronic signature is data that establishes someone’s identity on an
electronic document. There are many types of electronic signatures:

• Simple electronic signature: low-security electronic data used by the signer
• Advanced electronic signature: a signature that identifies the signer and reveals
subsequent changes to the signed data.
• Qualified electronic signature: an advanced electronic signature created by a
qualified signature creation device.

A digital signature is a cryptographic output (made with algorithms) that certifies the
authenticity of an inalterable document accepted by a signer. It is used for advanced and
qualified electronic signatures. Therefore, all digital signatures are electronic, but not the
other way around.
Digital signatures are an excellent way to sign paperwork to open a bank account, government
forms (in some places) and other documents because they’re secure with encryption;
authentic, with a certificate that prevents tampering; fast, for applications and other
bureaucratic processes; convenient, with no need to leave home; and sustainable because they
don’t use paper.
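An added example, not from the original notes, that contrasts the two kinds of signature just described: an ECDSA digital signature over a SHA-256 hash of the document, which fails verification as soon as a single byte of the document changes, beside a simple electronic signature (a typed name appended to the document) that identifies the signer but reveals nothing about tampering. The document text and the signer name are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// newSigningKey creates the signer's key pair; the private half never leaves the signer.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signDocument makes a digital signature: hash the document with SHA-256 and
// sign the hash with the private key. The result depends on every byte signed.
func signDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyDocument checks the signature with the signer's public key (in practice taken
// from the signer's certificate). It succeeds only for the exact document that was signed.
func verifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// simpleESignature models a simple electronic signature: the signer's typed name
// appended to the document. It asserts identity but is independent of the content.
func simpleESignature(doc []byte, signer string) []byte {
	return append(append([]byte{}, doc...), "\nSigned: "+signer...)
}

// simpleESignatureLooksValid is all a verifier can do with a simple e-signature:
// confirm the expected name is present. Any edit to the text above it goes unnoticed.
func simpleESignatureLooksValid(signed []byte, signer string) bool {
	return strings.HasSuffix(string(signed), "\nSigned: "+signer)
}

func main() {
	priv, _ := newSigningKey()
	// Constructed sample document and a tampered copy (only the amount differs).
	doc := []byte("Loan agreement: borrower A. Customer, amount 10000 EUR")
	tampered := []byte("Loan agreement: borrower A. Customer, amount 90000 EUR")

	sig, _ := signDocument(priv, doc)
	fmt.Println("digital signature, original document:", verifyDocument(&priv.PublicKey, doc, sig))
	fmt.Println("digital signature, tampered document:", verifyDocument(&priv.PublicKey, tampered, sig))

	fmt.Println("simple e-signature, original document:",
		simpleESignatureLooksValid(simpleESignature(doc, "A. Customer"), "A. Customer"))
	fmt.Println("simple e-signature, tampered document:",
		simpleESignatureLooksValid(simpleESignature(tampered, "A. Customer"), "A. Customer"))
}
```
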
E-Security solutions:
These are the types of network security solutions:

1. Firewalls (network security)
2. Email network security solutions
3. Encryption
4. Intrusion Detection Systems (IDS)
5. Sandboxing

* Solutions providers: E-locking technique

Electromagnetic lock:
The programmable electronic lock system is realized with programmable keys, electronic locks
and software. When the identification code of the key matches the identification code of the
lock, the key unlocks it. The internal structure of the lock contains a cylinder with a contact
(lock slot) that touches the key, and an electronic control device that stores and verifies the
received identification code and responds (whether or not to unlock). The key contains a power
supply, usually a rechargeable or replaceable battery inside the key, used to drive the system;
it also includes an electronic storage and control device for storing the identification code of
the lock.
The software is used to set and modify the data of each key and lock.[2]
Using this type of key and lock control system does not require users to change their habits.
In addition, compared with the earlier mechanical devices, its advantage is that a single key
can open multiple locks, instead of the bunch of keys needed today. A single key can hold many
lock identification codes, which allows unlock permissions to be set for each user.

Authentication methods
Numerical codes, passwords, and passphrases
Security tokens
Another means of authenticating users is to require them to scan or "swipe" a security
token such as a smart card or similar, or to bring a token into contact with the lock. For example,
some locks can read stored credentials from a personal digital assistant (PDA) or smartphone
using infrared, Bluetooth, or NFC data transfer.

Biometrics
As biometrics become more and more prominent as a recognized means of positive
identification, their use in security systems increases. Some electronic locks take advantage of
technologies such as fingerprint scanning, retinal scanning, iris scanning and voice
print identification to authenticate users.

*Transaction security:
Use your login ID and password only on the official login page of the
bank, which should be a secure website. Look for 'https://' in the URL when
logging in; it means that the website is secure. Check your account after
making any transaction online.
Banks secure your transactions and personal information online using
encryption software that converts the information into code that only your bank
can read.
• Choose strong and unique passwords
• Enable two-factor authentication
• Steer clear of public Wi-Fi
*Security devices

Intrusion detection systems and firewalls protect servers and information systems. Password
protection features include no reuse of the previous three passwords, ATM authentication, OTP
verification, and pre-enrolment with ATM or signature authentication, as well as e-mail
confirmations or alerts.

Example

*Public Key Infrastructure-(PKI)

What is Public Key Infrastructure (PKI)?


Public key infrastructure (PKI) systems offer authentication in transactions. PKI is an information
technology infrastructure that enables internet users to securely and privately exchange information
through the use of a public and a private key pair that is obtained and shared through a trusted
authority. The public key infrastructure provides for a digital certificate that can identify an individual
or an organization and directory services that can store and, when necessary, revoke the certificates.
A certificate is a digital document (i.e. a formatted file) that binds a public key to a person,
application, or service. A trusted Certificate Authority (CA) creates the certificate and digitally signs
it using the CA’s private key. Because of its role in creating certificates, the CA is the central
component of the PKI. Using the CA’s public key, applications verify the issuing CA’s digital
signature, and hence, the integrity of the contents of the certificate (most importantly, the
public key and the identity of the person, application, or server).

There are different types of systems in a Public Key Infrastructure (PKI):

1. Private and Public Key Systems: Private key systems use symmetric cryptography and public
key systems use asymmetric cryptography. Currently, public key systems are the most common.
2. Symmetric Encryption Systems: The same key is used for both encryption and decryption.
3. Asymmetric Encryption Systems: A different key is used for each process. One key is the
public key and the other is the private key. If something is encrypted with the public key,
decryption can only be done with the private key. Alternatively, if something is encrypted
with the private key, decryption can only be done with the public key.

A certificate authority (CA) is the entity providing the keys. The private key is given to the person
requesting the key. The public key is published in a directory for users. No one else can ever find
out someone’s private key, as it is never made available on the Internet. The private key is used for
proving user identity and encrypting the digital certificate. The digital certificate is decrypted
with the public key, which is used by the message receiver.

Objectives of Public Key Infrastructure (PKI)


• To reduce the risk of fraud in electronic fund transfers and other treasury activities.
• To use a low-cost public network infrastructure, eliminating the need for dedicated
leased lines or VPNs.
• To facilitate real-time cash management with strategic banking partners.
• To ensure that only specific users can access and execute high-value transactions.
• To integrate the software easily with legacy systems.

Why Public Key Infrastructure (PKI)


The greatest obstacle to e-business in the financial service sector is the lack of trust and security
over existing and evolving infrastructures. For e-business transactions to flourish, all parties involved
in transactions and communications must be able to confirm the unique and irrefutable digital
identity of each participant before relying on that information to make a commercial transaction.

But when it comes to making high-value transactions, such as setting up an online cash management
system, even for the so called online banking systems or procuring supplies through the Internet,
there is too much at stake in simply trusting someone just because he gave the correct PIN or the
correct username and password. Developing systems that are able to provide firm authentication of
customers, suppliers and other parties has therefore become a major challenge. Public Key
Infrastructure systems have surfaced as the solution to provide trustworthy identities.

In the case of online banking, banks need a proper system for authenticating the user. Even
though banks have a secure network for encrypted data transfer, the user is still identified using
the typical username/password verification process, which is vulnerable to hacking. Implementing
Public Key Infrastructure makes sure that the party performing a transaction over the Internet is
who he claims to be. Later, he cannot deny having performed a particular transaction if he used
his digital certificate.

Benefits of the Use of Public Key Infrastructure (PKI)


Through the use of Public Key Infrastructure and digital signature, one can prove to a third party or
the court that a particular piece of electronic document is authentic and can be traced to the person
who has digitally signed the document or transaction. This works because the cryptography and
mathematics underlying a PKI system ensure that digitally signed documents cannot be forged. The
digital certificate can be thought of as the electronic equivalent of the identification card. Thus, the
authority which issues the digital certificates (known as Certificate Authority) must be highly trusted
and secure.

Besides security, there are other issues related to Public Key Infrastructure – technology, legal
framework and standards. The technology for PKI has been around for more than a decade and is
relatively mature and a number of countries have introduced legislation to recognize the validity of
digital signature.

The introduction of IT laws by many countries has enabled a standard for business transactions.
Forums like the Asia Pacific PKI Forum allow interoperability between their licensed digital
certifying authorities and their counterparts in the member countries of that region. As financial
institutions sign on to these policies and business practices, their customers will form an
extensive global system of known and trusted businesses. Once certified by a Certification
Authority, a trading partner can authenticate any other party with assurance. Even if a trading
partner is from another part of the world, the fact that he is a certified member (through the trust
relationship with his bank) makes trading viable and reduces the risk of transacting in the global
system. By virtue of commonly accepted standards, trading partners will know that:

• Their transactions are legally binding;
• They have recourse in the event of a dispute or a potential fraud situation; and
• They can place legal and practical trust in the electronic identity issued by any Certification
Authority.

*Firewalls Secure Ledger-(FSL)
What Is a Firewall?

A firewall is a legal barrier preventing the transference of inside information and the
performance of financial transactions between commercial and investment banks. Restrictions
placed on collaborations between banks and brokerage firms under the Glass-Steagall Act of 1933
acted as a form of firewall. One purpose of a firewall is to ensure banks do not use regular depositors'
money to fund highly speculative activities that could put the bank and depositors at risk.

Types of Firewalls
• Packet filtering
A small amount of data is analyzed and distributed according to the filter’s standards.
• Proxy service
Network security system that protects while filtering messages at the application layer.
• Stateful inspection
Dynamic packet filtering that monitors active connections to determine which network packets
to allow through the Firewall.
• Next Generation Firewall (NGFW)
Deep packet inspection Firewall with application-level inspection.

What Do Firewalls Do?


A firewall is a necessary part of any security architecture: it takes the guesswork out of host-level
protections and entrusts them to your network security device. Firewalls, and especially Next
Generation Firewalls, focus on blocking malware and application-layer attacks. Together with an
integrated intrusion prevention system (IPS), these Next Generation Firewalls can react quickly and
seamlessly to detect and respond to outside attacks across the whole network. They can apply
policies to better defend your network and carry out quick assessments to detect invasive or
suspicious activity, such as malware, and shut it down.

Why Do We Need Firewalls?


Firewalls, especially Next Generation Firewalls, focus on blocking malware and application-layer
attacks. Along with an integrated intrusion prevention system (IPS), these Next Generation Firewalls
are able to react quickly and seamlessly to detect and combat attacks across the whole network.
Firewalls can act on previously set policies to better protect your network and can carry out quick
assessments to detect invasive or suspicious activity, such as malware, and shut it down. By
leveraging a firewall for your security infrastructure, you’re setting up your network with specific
policies to allow or block incoming and outgoing traffic.
Network Layer vs. Application Layer Inspection
Network-layer firewalls, or packet filters, inspect packets at a relatively low level of the TCP/IP
protocol stack and do not allow packets to pass through unless they match the established rule set,
whose source and destination criteria are based on Internet Protocol (IP) addresses and ports.
Firewalls that do network-layer inspection perform better than similar devices that do application-layer
inspection. The downside is that unwanted applications or malware can pass over allowed ports, e.g.
outbound Internet traffic over the web protocols HTTP and HTTPS, on ports 80 and 443 respectively.
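
An added example, not from the original notes, of the network-layer filtering just described: a minimal first-match packet filter in Go that decides on source and destination prefix, protocol and destination port only. The addresses (IETF documentation ranges), the rule set and the packets are constructed for the demonstration; the last packet shows the downside the text names, that content riding an allowed port is never examined.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet: the header fields a network-layer firewall sees; Payload is carried only to show it is never read.
type Packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
	Proto    string
	Payload  string
}

// Rule: match on address prefixes, protocol and destination port (empty Proto / zero port = any).
type Rule struct {
	Src, Dst netip.Prefix
	Proto    string
	DstPort  uint16
	Allow    bool
}

func (r Rule) matches(p Packet) bool {
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// filter evaluates rules top to bottom, first match wins; an unmatched packet is dropped (default deny).
func filter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow
		}
	}
	return false
}

// tcpPacket builds a TCP packet from textual addresses (constructed input for the demo).
func tcpPacket(src, dst string, port uint16, payload string) Packet {
	return Packet{netip.MustParseAddr(src), netip.MustParseAddr(dst), port, "tcp", payload}
}

// bankRules is a constructed rule set for a bank web server at 203.0.113.10 (documentation
// address): a known-bad prefix is dropped first, then only HTTPS and HTTP may reach the
// server. The database network 10.0.5.0/24 is never listed, so default deny covers it.
func bankRules() []Rule {
	anywhere := netip.MustParsePrefix("0.0.0.0/0")
	web := netip.MustParsePrefix("203.0.113.10/32")
	return []Rule{
		{Src: netip.MustParsePrefix("192.0.2.0/24"), Dst: anywhere, Allow: false},
		{Src: anywhere, Dst: web, Proto: "tcp", DstPort: 443, Allow: true},
		{Src: anywhere, Dst: web, Proto: "tcp", DstPort: 80, Allow: true},
	}
}

func main() {
	rules := bankRules()
	for _, p := range []Packet{
		tcpPacket("198.51.100.7", "203.0.113.10", 443, "TLS ClientHello"),
		tcpPacket("198.51.100.7", "203.0.113.10", 22, "SSH-2.0"),
		tcpPacket("192.0.2.9", "203.0.113.10", 443, "TLS ClientHello"),
		tcpPacket("198.51.100.7", "10.0.5.20", 5432, "database login"),
		// The downside the text describes: whatever rides an allowed port gets through unexamined.
		tcpPacket("198.51.100.7", "203.0.113.10", 80, "GET /?q=unexpected-application-data HTTP/1.1"),
	} {
		fmt.Printf("%s -> %s:%d (%s) allowed=%v\n", p.Src, p.Dst, p.DstPort, p.Payload, filter(rules, p))
	}
}
```
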
