Internet banking, in which the connection between the customer’s PC and the bank’s system is established over the Internet, faces essentially the same risks as PC banking, with the added risk of the insecurities of the Internet. The techniques for encrypting the session to protect its contents are the same as for PC banking. The principal added risk is that the customer is deceived into making contact not with the intended system, the bank’s, but with a fraudulent imitation. In PC banking the customer dials the telephone number of the bank’s system, and it would be very difficult for an outsider to divert the call to an imitation system; but the Internet has a much more complex system of addresses than the telephone network, and is much more vulnerable to diversion by a variety of methods. The consequence would be a denial of service (since the fraudulent site would not provide the service required by the customer) and the discovery by the owner of the fraudulent site of whatever transaction and security information the customer revealed.
Since, as discussed earlier, the bank and the customer can use public key cryptography techniques to establish a confidential channel between them, if they each have a secret that they have made known to the other, they can prove their identity by passing this secret across the secure link. It is notable that although the banks have made considerable efforts to establish ‘shared secret’ procedures to enable them to check the authenticity of instructions given to them by customers, none appear to provide any corresponding means by which their customers can check that they are really dealing with the bank and not an imposter. To achieve this by shared secrets would present difficulties, as the banks would have to devise separate passwords to present to each customer, giving rise to significant additional password management problems for banks and customers.
But public key signatures provide an alternative: if both the client and the bank have signature keys, and each has the other’s verification key, each can sign an initial message and thus enable the other to check that the signature belongs to the right person. This process can be automated, so that if the check fails, the parties are warned and no connection is established. Whichever technique is used, the essential condition is that it should enable the bank and the customer to verify the other’s authenticity.
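As an added illustration of the signature-based check described above (example code written for this page, not taken from the paper or from any bank’s system), the following Go program uses the standard library’s Ed25519 so that bank and customer each sign the other’s fresh challenge and verify the result. The per-session challenge nonce is an assumption added here to stop a recorded signature being replayed, and the verification keys are assumed to have been exchanged beforehand over an existing channel, as the paper describes; an imitation site that does not hold the bank’s signing key fails the customer’s check, so no connection is established.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// party is one side of the link: its own signing key plus the other side's
// verification key, assumed exchanged beforehand over an existing channel.
type party struct {
	name    string
	signKey ed25519.PrivateKey
	peerVK  ed25519.PublicKey
}

func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

// challenge is a fresh nonce chosen by the receiver (an assumption added here)
// so that a recorded signature cannot be replayed in a later session.
func challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n) // crypto/rand; only fails if the OS entropy source is unusable
	return n
}

// sign is the initial message: the sender's name and the peer's challenge, signed.
func (p party) sign(ch []byte) []byte {
	return ed25519.Sign(p.signKey, append([]byte(p.name+":"), ch...))
}

// verify passes only if the message was signed with the key we hold for the
// peer; an imitation site lacking that key fails and no connection is made.
func (p party) verify(sender string, ch, sig []byte) bool {
	return ed25519.Verify(p.peerVK, append([]byte(sender+":"), ch...), sig)
}

// mutualAuth runs both directions; the connection is made only if each side verified the other.
func mutualAuth(bank, customer party) bool {
	bankCh, custCh := challenge(), challenge() // each side challenges the other
	fromBank, fromCust := bank.sign(custCh), customer.sign(bankCh)
	return customer.verify(bank.name, custCh, fromBank) &&
		bank.verify(customer.name, bankCh, fromCust)
}
```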
Where customer and bank have a pre-existing conventional banking relationship, appropriate channels must already exist for the exchange of the necessary authentication data. The bank knows the customer’s normal signature, and the customer can call at a known branch of the bank. Mutual authentication will only be difficult in situations where a customer and a bank wish to establish a new online relationship that is not built on a pre-existing ‘real world’ relationship. Good banking practice has always required banks to take care in checking that a new customer is who he or she claims to be (in part to prevent accounts being opened in false names to collect the proceeds of stolen cheques); and more recently banks have become legally obliged (by the Money Laundering Regulations 1993, SI 1993 no. 1933) to make suitable checks for this purpose.
An approach widely proposed to meet such needs is the use of Certification Authorities (CAs). The function of a CA is to affirm that a signature verification key belongs to a particular individual or organisation. The affirmation is made by the CA signing the verification key with their own digital signature. CAs thus provide a means for entirely new relationships to be established in cyberspace without the need for a conventional relationship as a starting point, at least if both parties to the proposed relationship already know the signature of the CA. (A discussion of the complex procedures required to fulfil that condition in any reliable way is outside the scope of this paper.)
The use of a CA for customer authentication is clearly irrelevant between a bank and an existing customer, as they already know one another. For a bank to use a CA to verify the details of a prospective new online customer would amount to delegating to a third party the duties falling on the bank under existing banking practice and the money laundering regulations. It seems unlikely that these relatively sensitive aspects of banking business will prove suitable for outsourcing.
While it is possible to establish a confidential channel between a bank and a customer, this does not eliminate the possible impact of security vulnerabilities in the computer systems used by banks and customers for on-line transactions.
Although UK banks have denied that weaknesses in their computer systems are responsible for alleged fraudulent transactions, the evidence discussed above and in Ross Anderson’s papers (Anderson93, Anderson94) highlights failings in such systems which can have a serious impact on customers. The banks have been unwilling to allow independent experts to examine their systems, justifying this stance by claiming that they need to keep the design and operation of their systems secret in order to protect them from attack.
This approach, known in security circles as ‘security through obscurity’, is now widely discredited, because any advantages provided by secrecy are offset by the fact that this secrecy allows serious faults to exist in systems for long periods without being discovered. The consequences are well illustrated by the ATM phantom withdrawal problem, where the banks have been asserting for years that the design of their systems makes such events impossible, in the face of steadily growing evidence that they must be wrong. As cases have come to court, defence expert witnesses have gained steadily more access to the details of banking computer systems, and have discovered that those systems do not exhibit the invulnerability that the banks claim for them.
If banks carried the whole risk involved in on-line banking, the vulnerabilities of bank computer systems would be of lesser public concern, but the prosecution of a customer for demanding repayment of sums he claimed were wrongly debited to his account shows the serious consequences of a bank’s attempt to transfer the risk to a customer.
It follows that customers’ interests are not adequately protected even by an acceptance in principle by the banks that they will themselves carry all the risks of fraud in online banking. In practice the banks will employ mechanisms to prevent fraud, and where these mechanisms fail the banks will sometimes wrongly seek to transfer the consequences to their customers. While at first sight account security measures such as PINs, passwords and digital signatures may seem to protect customer interests, their weaknesses will sometimes be used by banks to explain failures that are in reality the result of internal problems with their own systems. In this sense, therefore, it can be argued that security based on the secrecy of the mechanisms employed by the bank operates more in the interests of the bank than of its customers.
The security of online banking systems from a customer perspective is therefore not very satisfactory. Although there is no doubt that the vast majority of customers will not experience problems, for the small number that find themselves victims of security failures in banking computer systems the consequences can easily be very serious. Customers who are thinking of moving to online banking should seek a bank that offers better security than that provided by PINs and passwords alone, and one that has allowed independent experts to audit and publish the results of security reviews of the computer systems it uses to provide online services. They may be in for a long search; in the meanwhile, they might do well to place limits on the amounts which can be transferred from their accounts on the basis of electronic instructions.