TONY P. GHAZEL CONSULTING, Eastsound, WA

mobile/office (360) 622-6033

Online Banking Frequently Asked Questions

How does my online banking session take place?
What are the basic security risks of Internet communications?
How does security technology protect against these risks?
To what degree can SSL security protect me?
How do my bank’s online security measures protect me?
What is encryption?
Phishing attacks

How does my online banking session take place?

An online banking session starts when an authorized subscriber uses a browser to send a secure message over SSL to the financial institution's (bank's) server, supplying a User ID together with the password chosen for that account. The server verifies these credentials, authenticates the customer, and initiates session encryption.

Once your session is securely established, the server processes and routes the transaction data using internal protocols, which keeps other Internet users from getting past the bank's series of firewalls and filtering routers.

A robust bank's online servers protect financial transactions through a number of barriers that prevent unauthorized access. The first barrier is a system of filtering routers and firewalls that separates the outside Internet from the institution's internal network. The filtering router checks the source and destination of each Internet packet and decides whether or not to let the packet through: access is denied if the packet is not directed at a specific, available service. The filtering router also blocks many common Internet attacks.

Furthermore, a good firewalling scheme, which many financial institutions use, does not allow servers in the bank's network to communicate over TCP/IP, the Internet communication protocol, so no internal online transaction processing system is reachable using TCP/IP. This prevents unauthorized users from reaching any transaction data from the Internet.

Information passed between the bank's main server and the customer's PC is encrypted with the strongest encryption available before it is sent.

What are the basic security risks of Internet communications?

Sending data across a network involves three basic security risks:

- Eavesdropping: intermediaries listen in on a private conversation (one computer talking to another).
- Manipulation: intermediaries change information in a private communication.
- Impersonation: a sender or receiver communicates under a false identity.

The situation is analogous to purchasing mail-order goods over the telephone. Mail-order shoppers want to know that no third party can hear their credit card number (eavesdropping); that no one can insert extra order information, or change the delivery address (manipulation); and that it is actually the mail-order company on the other end of the line and not a credit card thief (impersonation).

How does security technology protect against these risks?

Current browsers counter these threats with a network communication protocol called Secure Sockets Layer (SSL). SSL is a set of rules that tells computers which steps to take to raise the security level of a communication. These rules are designed to provide the following:

- Encryption, which guards against eavesdropping.
- Data integrity, which guards against manipulation.
- Authentication, which guards against impersonation.

However, these protections cover your data only while it is in transit. Network security protocols do not protect your data before you send it or after it arrives. Just as you trust merchants not to share your credit card information, you must trust the recipients of your online data not to mishandle it.
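Of the three SSL properties above, data integrity is the easiest to demonstrate offline. The following added example (not code from the page or from any bank's software) uses HMAC-SHA256 from the Python standard library as a stand-in for the per-record integrity check that SSL applies with a per-session secret; the session key, the record layout (message followed by a 32-byte tag) and the sample transfer message are all constructed for the example. It shows that a single changed byte in transit is detected by the receiver.

```python
import hmac
import hashlib
import os
from typing import Optional

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag (assumed record layout for this example)


def new_session_key() -> bytes:
    """Per-session secret, standing in for the key negotiated at SSL session start."""
    return os.urandom(32)


def protect(session_key: bytes, message: bytes) -> bytes:
    """Sender: append an integrity tag so the receiver can detect changes in transit."""
    tag = hmac.new(session_key, message, hashlib.sha256).digest()
    return message + tag


def verify(session_key: bytes, record: bytes) -> Optional[bytes]:
    """Receiver: return the message if the tag checks out, None if it was manipulated."""
    if len(record) < TAG_LEN:
        return None
    message, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(session_key, message, hashlib.sha256).digest()
    # Constant-time comparison, so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def tamper(record: bytes, offset: int, new_byte: int) -> bytes:
    """Simulate an intermediary changing one byte of a record in transit."""
    body = bytearray(record)
    body[offset] = new_byte
    return bytes(body)


def demo() -> tuple:
    """Returns (intact record accepted, manipulated record rejected)."""
    key = new_session_key()
    record = protect(key, b"transfer 100.00 to account 12345")  # constructed sample
    accepted = verify(key, record) is not None
    altered = tamper(record, 9, ord("9"))  # "100.00" becomes "900.00"
    rejected = verify(key, altered) is None
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Because the tag depends on the session key, an intermediary who changes the amount cannot recompute a valid tag, and a record protected under one session's key is rejected by a receiver holding a different key.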

To what degree can SSL security protect me?

SSL uses authentication and encryption technology developed by RSA Data Security Inc. The encryption established between you and a server remains valid over multiple connections, yet the effort spent defeating the encryption of one message cannot be reused to defeat the next message.

A message encrypted with 40-bit RC4 takes on average 64 MIPS-years to break (a 64-MIPS computer needs a year of dedicated processor time to break the message's encryption). The high-grade, 128-bit U.S. domestic version provides exponentially greater protection. The effort required to break any given exchange of information is a formidable deterrent. Server authentication uses RSA public key cryptography together with ISO X.509 digital certificates.

How do my bank’s online security measures protect me?

What is encryption?

Encryption is the scrambling of information for transmission back and forth between two points.

When you send a letter to a friend, you write in a language that both of you understand. Since that language is also understood by thousands of other people, anyone else who gets hold of your letter will have no trouble reading it. If you do not want anyone other than the intended recipient to understand your message, you must use a secret language, or substitute each letter in your letter with some other letter in a way that only the two of you know. Using a secret language or substituting one letter or word for another is called encryption, and your letter is said to be encoded. To decode the letter, the receiver must have the same key that you used for encoding. To anyone without this key, the contents of your message will make no sense and will read as garbage.
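The letter-substitution analogy above, written out as an added example in Python (it is not code from the page). The key is a table pairing each letter of the alphabet with a letter from a shuffled copy of the alphabet; both parties must hold the same table. The seed parameter and the sample message are assumptions made so the run is repeatable.

```python
import random
import string

ALPHABET = string.ascii_uppercase


def make_key(seed=None) -> dict:
    """Build a substitution key: each letter is paired with a letter from a
    shuffled alphabet (a letter may, by chance, map to itself). The seed exists
    only to make this example repeatable; a real key would be drawn at random."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def encode(key: dict, plaintext: str) -> str:
    """Sender: replace each letter with its substitute; spaces and digits pass through."""
    return "".join(key.get(ch, ch) for ch in plaintext.upper())


def decode(key: dict, ciphertext: str) -> str:
    """Receiver: invert the same key to recover each letter."""
    inverse = {cipher_letter: plain_letter for plain_letter, cipher_letter in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


def demo() -> tuple:
    """Returns (readable with the shared key, readable with some other key)."""
    shared_key = make_key(seed=1)  # the key both parties agreed on
    other_key = make_key(seed=2)   # a key someone else might try
    message = "MEET ME AT THE BANK"  # constructed sample message
    scrambled = encode(shared_key, message)
    return (decode(shared_key, scrambled) == message,
            decode(other_key, scrambled) == message)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

As the page goes on to say, computers apply the same principle with far larger keys. A letter-for-letter substitution like this one is only an illustration: it has a small effective key space and leaks letter frequencies, which is why the bank's servers negotiate numeric session keys of 40 or 128 bits instead.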

Computers use the same principle. Your browser uses keys made of long strings of numbers and characters, which makes the encoding and decoding immensely more complicated. Your computer and the one at the receiving end agree on the keys to be used for encoding. These keys are based on a set of mathematical formulae called algorithms. When a computer encrypts a message, there are billions of key combinations to choose from, but only one of them is correct. Only the computers at the two ends of the transaction know which key is in use during that session, and they use a different key for each session. Anyone else who tries to read your message sees only a meaningless string of numbers and characters.

Encryption is used in a variety of transactions that involve sensitive matters, up to and including national security. It is used for sending e-mail messages and sensitive documents, and in electronic commerce such as credit card transactions and electronic banking.

The security provided by encryption depends on how long the encoding key is used by your computer for encryption. The level of encryption is measured in bits, for example 40-bit or 128-bit encryption.

If the encryption has a 40-bit key, there are 2^40 possible values for the key. Similarly, a 128-bit key has 2^128 possible values. In general, the longer the key, the longer it takes someone without the correct decoding key to break the code.

40-bit and 128-bit encryption differ in key length and therefore in complexity. 40-bit encryption uses one of 2^40 possible keys (about 1 followed by 12 zeroes), while 128-bit encryption uses one of 2^128 possible keys (about 3.4 followed by 38 zeroes). 128-bit encryption is exponentially more powerful than 40-bit encryption.

40-bit encryption is not as powerful as 128-bit encryption, but it still takes a great deal of dedicated effort to break. Each additional bit of key length doubles the effort required to break the code. As the computing power available to potential criminals grows, a longer and more complex key is needed to transmit data securely, and 128-bit encryption provides it.

According to Netscape, 128-bit encryption is 309,485,009,821,345,068,724,781,056 times more powerful than 40-bit encryption.
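The key-length arithmetic in the paragraphs above, carried through in an added Python example (not from the page): the size of a key space, the ratio between the 128-bit and 40-bit key spaces (the Netscape figure is 2^88), the doubling of effort per extra bit scaled from the page's 64 MIPS-years figure for 40-bit RC4, and the average time an exhaustive search would need at an assumed guess rate. The guess rate and the helper names are assumptions; the 64 MIPS-years reference comes from the page.

```python
import math


def key_space(bits: int) -> int:
    """Number of possible keys of the given length: 2**bits."""
    return 2 ** bits


def approx(n: int) -> str:
    """Render a key space the way the page does, e.g. 2**128 -> '3.40e+38'."""
    return f"{n:.2e}"


def strength_ratio(long_bits: int, short_bits: int) -> int:
    """How many times larger the longer key space is: 2**(long_bits - short_bits)."""
    return key_space(long_bits) // key_space(short_bits)


def break_effort_mips_years(bits: int, reference_bits: int = 40,
                            reference_effort: float = 64.0) -> float:
    """Scale the page's '64 MIPS-years for a 40-bit key' figure: every extra bit
    doubles the work, so effort = reference_effort * 2**(bits - reference_bits)."""
    return reference_effort * 2 ** (bits - reference_bits)


def expected_brute_force_seconds(bits: int, keys_per_second: float) -> float:
    """Average time for an exhaustive search: half the key space is tried on average.
    keys_per_second is an assumed attacker rate, not a figure from the page."""
    return key_space(bits) / 2 / keys_per_second


def expected_brute_force_years(bits: int, keys_per_second: float) -> float:
    """Same quantity in years (365.25-day years)."""
    return expected_brute_force_seconds(bits, keys_per_second) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for bits in (40, 41, 56, 128):
        print(f"{bits:3d}-bit: {approx(key_space(bits))} keys, "
              f"{break_effort_mips_years(bits):.3e} MIPS-years, "
              f"{expected_brute_force_years(bits, 1e9):.3e} years at 1e9 keys/s")
    print("128-bit vs 40-bit:", strength_ratio(128, 40))  # 309485009821345068724781056
    print("bits needed for 10^12 keys:", math.ceil(math.log2(10 ** 12)))  # 40
```

The table this prints makes the page's point concrete: at an assumed billion guesses per second a 40-bit key falls in minutes, while the 128-bit key space is so large that the same search is measured in units no one will ever wait for.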

For Microsoft browsers: You can find out the level of encryption by using your browser menu bar. Select "File" then "Properties" then "Security."

When you visit a site that requires encryption, your browser will display the symbol with a key or a lock. If you are not in a secure area, the key or lock will be broken.

Customer information and account data are protected by two independent security measures: data encryption and a verifiable Password. When bank customers use online banking, they are first prompted to enter their Password. The receiving computer will not send any account information to the customer's computer unless the Password associated with the User ID has been entered correctly. All information that passes between the bank's servers and the customer's computer is encrypted.

A bank’s success as a financial institution depends on its ability to manage these systems safely and to continue to earn your trust as a customer. By requiring 128-bit encryption, a bank is assuring the highest level of commercially available security for your financial transactions.

Phishing attacks

What is Phishing?

Phishing is an online identity theft technique used to lure customers into disclosing personally identifiable information, including account names and passwords and credit card information. The technique is widely used in the digital world: customers are sent emails, pop-ups, and instant messages that mimic legitimate communications and prompt them to visit fraudulent websites built to gather their personal information. Financial institutions, banks and online retailers are the most common targets of spoofed communications in phishing attempts. In the end, customers are lured by these seemingly legitimate messages into providing sensitive information, which often results in credit card fraud, identity theft, and financial loss.

How can I recognize a phishing (fraudulent) email that was not sent by my bank?

- Your bank should not request personal information from customers directly through an email hyperlink, or redirect the customer to a specified site.
- Your bank should never send emails asking customers to supply, verify, or update personal or account information, especially passwords, PINs, and account numbers.
- Your bank's emails should always be personalized, identifying the sender as a legitimate bank employee and the receiver as the bank's customer. Personalized information in an email helps you tell legitimate emails from spoofed ones.
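The three warning signs listed above, turned into a simple message check as an added Python example (not code from the page or from any bank). It flags a generic salutation, an embedded link that sends you to a site, and a request to supply, verify or update credentials or account details. The two sample messages are constructed for the example and use a reserved domain; the word lists and the function names are assumptions, and a real mail filter would look at far more than this.

```python
import re

# Constructed sample messages (not real bank mail) used to exercise the checks.
SUSPICIOUS_MESSAGE = """Dear Valued Customer,
Please verify your password and PIN at http://example.invalid/login
within 24 hours to keep your account active."""

EXPECTED_MESSAGE = """Dear Ms. Example,
This is Jane Doe, your branch representative. Your monthly statement
is ready in your online banking mailbox. No action is needed."""

GENERIC_SALUTATIONS = ("dear customer", "dear valued customer", "dear user", "dear member")
LINK_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
REQUEST_RE = re.compile(r"\b(verify|update|supply|confirm|provide|re-?enter)\b", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(password|pin|account number|user id|card number)\b", re.IGNORECASE)


def phishing_indicators(message: str) -> list:
    """Return the page's warning signs found in a message, in a fixed order."""
    found = []
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    salutation = lines[0].lower() if lines else ""
    # Sign 1: not personalized. The bank's mail names the customer and the sender.
    if any(salutation.startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("not personalized")
    # Sign 2: directs you to a site through an embedded link.
    if LINK_RE.search(message):
        found.append("asks you to follow a link")
    # Sign 3: asks you to supply, verify or update credentials or account details.
    if REQUEST_RE.search(message) and CREDENTIAL_RE.search(message):
        found.append("requests credentials or account details")
    return found


def looks_like_phishing(message: str) -> bool:
    """Any one sign is enough to treat the message as suspect and contact the bank directly."""
    return bool(phishing_indicators(message))


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MESSAGE), ("expected", EXPECTED_MESSAGE)):
        print(name, "->", phishing_indicators(text) or "no warning signs")
```

The check is deliberately conservative: a single indicator is enough to say "do not click, call the bank on the number printed on your card or statement", which is the response the page's guidance implies.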
