Courses/Computer Science/CPSC 203/CPSC 203 2007Fall L04/CPSC 203 2007Fall L04 TermProjects/How Secure is Your Bank Account? A Look at Internet Banking Security

Group
Group Name:

Group Members: Rachel Holland, Kayley Walters, Colleen Sherring, Stephani Poirier, Amanda Bahadur

Initial Project Statement
Internet Banking is becoming a common tool in everyday life. We intend on showing that internet banking is secure by discussing the major areas of fraud and the measures taken to protect customers. Security features employed by on-line banking sites include: encryption, fire walls, secure log-in, activation codes, personal verification questions, timed logout, cookies, and many more. We will discuss what these security features are and how they are used, individually and in combination, to ensure the safety of internet banking clients.

Security Issues to be Aware of
Malware: The word malware comes from the words "malicious" and "software". It refers to software which is designed to be malicious, or damaging, toward computers. Malware may enter and cause harm a computer without the knowledge or permission of the user. Malware includes viruses, worms, trojan horses, and many more.

Trojan Horse: A trojan horse is a malicious software program (malware) which appears as a program may be serviceable or enjoyable to the user, and which primarily appears to have no negative effect. Once a trojan horse is installed in a computer it will destroy files or create a "back door" entry in the computer. A "back door" entry may allow unauthorized parties to gain access to information and data in the computer. Trojan horses may be attached to e-mail files, diskettes, CD-ROMS, or Websites; but they do not propagate themselves (they can not transfer themselves, or reproduce, without being transfered by a third party).

Virus: Viruses are malware programs which are designed to appear as innocent programs (games, screen severs, etc.). The purpose of viruses is usually to destroy files and data within the computer; events which may occur right away (activation immediately) or at a preprogrammed date of activation. As in trojan horses, viruses are commonly attached to e-mail messages, CD-ROMS, diskettes, and Web sites; but unlike the trojan horses, viruses have the ability to propagate themselves. A common method of self spreading used by viruses is through the use of Microsoft Outlook. Using Micosoft Outlook, viruses search for e-mail contacts and send themselves to the addresses listed.

Worm: A computer worm can be compared to a virus. Worms take advantage of any security holes that may exist on a website. Within a hole, a worm reproduces and attempts to transfer itself between computers. In terms of on-line banking, worms can corrupt your personal banking information by sharing it with other computers.

Security Holes and Bugs: Security holes in online interactions occur where there is a weak link between programs. Holes allow any individual to gain access to another’s computer through their internet connection. The amount of risk is dependent upon the size of the hole. An entire computer can be over taken through a large hole, or only a password can be found within smaller holes.

Phishing: Phishing is a scam in which hackers are able to retrieve personal banking information by sending false e-mails to clients that request such information. Thieves can believably appear to be the banking institution of the individual by providing false Websites and requesting clients to re-enter passwords, account numbers, or other private details which then leads to strangers.

How Information Is Accessed by Unauthorized Users
There are different ways in which an unauthorized user can gain access to a computer. It begins with the area of the computer system which is being targeted. An unauthorized user can gain access to the information and data stored in the computer, the processing capabilities of the computer, or information which is being transfered between the computer system and other systems. In every computer system there are two types of vulnerabilities: known vulnerabilities, which exist due to the needed capabilities of the computer (for example, e-mail), and unknown vulnerabilities, which are not known to the user and may be the result of either poor engineering or unintended results of needed programs.

An unauthorized user must have knowledge of the computer system they are attempting to gain access to in order to create an appropriate attack (for example, an program designed to run on Microsoft will not be useful if the system the unauthorized user is trying to access is a Mac). There are a few ways to determine the configuration of the intended system, a couple of examples are listed below:

1. Hypertext Transfer Protocol (http)- when a user gains access to specific Websites the configuration information for the computer system is transfered to the selected Website. Once the information is transfered, it can be exploited by unauthorized users, and a remote attacker may be able to execute arbitrary code with system privileges.

2. Unspecific Target Attack- An attack may be made without a specific target. This type of attack will be programmed to certain vulnerabilities and is designed to attack as many systems as possible. Other methods of gaining unauthorized access to computer systems are seemingly less complex. These more common methods include: 1. Password Deciphering- Password deciphering is when an unauthorized users gains knowledge of the password of the authorized user. This can happen in many ways: user laziness, such as writing down the user name and password and leaving it near the computer; social engineering, as explained below; and knowledge of common or simple passwords, such as the users name. Unauthorized users can also use password cracking programs which run through common passwords and can identify dictionary words, names and common phrases with ease. 2. Buffer Overflows- A buffer is memory space which is reserved for incoming data packets. When there is not enough space, or when the operating system does a poor job of managing the buffer's efficiency, a buffer overflow results and creates a vulnerability within the system. An unauthorized user may cause a buffer overflow to occur by sending data packets at high rates which the operating system cannot process in time. When the buffer overflow occurs the system may be attacked through the vulnerability.

3. Scripts- Scripts are tools which are written by experienced users to gain access to unauthorized systems. These tools are sometimes used by inexperienced who can not write the programs for themselves. These types of unauthorized users know as "Script kiddies".

4. DoS Attacks- DoS stands for denial of service. A DoS attack is a method of overflowing information packets (similar to a Buffer overflow) in a receiving computer. The attack uses so much of the receiving computer's resources that the computer is unable to preform any other tasks. This type of attack denies the use of the computer's systems to the authorized user.

5. Smurf Attack- A smurf attack involves the use of a ping. A ping is an electric pulse which is used to detect the presence of computers on a network through their IP addresses. When a system receives a ping it sends it back to the transmitting computer and the unauthorized user can forge their own systems IP address onto the receiving computers IP address, allowing it to send the ping out to large networks. The response to the ping is then sent back through the receiving computer instead of the transmitting one.

Tools and Technology Used to Gain Unauthorized Access:
1. Security Exploit- If a weakness is know this application can take advantage of the weakness. 2. Vulnerability Scanner- A tool used within a network to detect or scan for known or common weaknesses. 3. Packet Sniffer- This is an application which captures TCP/IP data packets. Once the TCP/IP data packets are accessible to the user, it can steal passwords and data while it is being transfered within a computer or over a network. 4. Rootkit- A set of programs which hide the fact that a computer's system has been corrupted. The programs work to move the computer's operating system away from it's authorized users. A rootkit is successful due to it's ability to obscure it's entry and prevent it's removal. 5. Social Engineering- Convincing people to reveal personal information under false pretenses.

6. Spoofing Attack- When an advantage is situated due to a person or program which acts as an authorized user through false information or data.

Technology Used by Banks to Ensure Safe Internet Transactions:
Encryption:Encryption is the process or activity of converting data and information to code. When information and data are in this codes or scrambled form, it can not be read by individuals who are not authorized to view it. Encrypted data is transfered between forms which are understandable and those which are not through keys.

Keys: complex algorithms (procedure, formula or list used to complete a goal)which are applied to data to convert them between encrypted and unencrypted forms. The longer the key attached to the data is, the more difficult it is to decipher, and the more unlikely it is that an unauthorized individual will obtain access.

Fire Walls: Firewalls are designed to keep Web servers and computer networks safe from unwanted and unauthorized internet traffic. A firewall is a combination of computer hardware and software which creates a separation between the Internet and internal Web servers, networks, databases, and computer systems. Firewalls can be set up to display a warning if intruders are detected on the network.

End-to-End Security: In end-to-end security the information moves from the Web server to the Web browser without moving through any other servers.

Secure Log-in: A secure log-in is a feature which requires an account number or user name (ID) combined with a personal password. Any attempt to log into an account without a valid ID will be denied as the secure log-in is used to confirm identity and authorization. Both of the elements in the secure log-in are recommended to be kept confidential, much like a bank account PIN number.

Activation Codes: Activation codes are a combination of letters and numbers, which are provided by the institution, and which are must be inputted in order to make the account active. These codes are provided when a request is made by the authorized user to initiate the use of on-line banking. Without the input of the appropriate access code, the account may not be accessed by anyone, including the authorized users of the account. Activation codes enhance security as they are mailed directly to the client and verify the identity of the client when they log in.

Personal Verification Questions: Personal verification questions are designed to ensure the users identity on a particular website. Many banks require a minimum of three questions which are used for various functions including issuing a new password if the original is forgotten. The effectiveness of personal verification questions is found in their uniqueness to the owner. Questions should always be confidential and private and unknown to anyone other than the customer. When choosing a question and answer, one should try to be original and avoid common questions that can be easily guessed. Bank employees will generally never ask for a personal verification question or answer and caution should be taken and information should never be given out.

Timed Logout: Timed Logout is the automatic termination of a secure connection if inactivity occurs for an extended period. When Timed Logout occurs an authorized individual must log-in again before the accounts may be accessed. Timed log outs confirm security of online bank accounts of customers by ensuring unauthorized individuals do not gain access to such bank accounts.

Cookies: A cookie is a small text file which is sent by a Web site to a computer. The text file contains a unique identification number which is used to track the activities of the browser and can be read by the Web site which sends them only. A cookie does not access information within a computer, nor does it have access to data in other cookies. There are two types of cookies which are used: persistent cookies which stay in the browser for extended lengths of time, and non-persistent cookies which are short lived.

Banks use many different technologies to keep you and your personal information protected. They use different software’s and programs such as encryption, and firewalls. They also use things like end-to-end security to make sure that the information being passed on isn’t going through any other servers other then the one that has been specified. Not only is the bank doing things to protect your identity using different technologies but they also set up different effects so that you can personally do things to help yourself and help banks protect your identity. Many banks that have online access make you answer a personal question that only you should know. So not only do you have to type in your bank number and your password but also answer a personal question that you set up. This is just an extra measure of security in case some did happen to find out your bank number and password. As you can see banks are very adamant on making sure that nobody accesses your personal information and tries to steal your money or possibly even your identity.

Technology Used by Internet Service Providers to Ensure Secure Internet Transactions:
Fire Walls: As described in the section above, Firewalls are used by Internet Service Providers, Web sites, and computer owners.

SSL: SSL stands for Secure Socket Layer. SSL is an encrypted connection between the Web browser and the Web server. The SSL helps the protect confidential information, such as bank account numbers and credit card numbers, from being accessed as it moves between the Web browser and the Web server. The SSL connection is established by the Web browser once the secure log-in has confirmed authorization. SSL was developed by Netscape communications Corporation as a method of providing highly secure Internet communications between computers and Web servers.

Anti-Spyware:This program helps to stop Spyware which can hijack your browser and can attempt to steal credit card numbers, debit card numbers and other personal information. Once collected, this information can then be distributed. Spyware enters your computer by internet downloads, attachments, and program installations.

Anti-Virus with Ad Block: Anti-Virus is a software program designed to identify and remove a known or potential computer virus.This particular program with the Ad Block ensures that fake ads do not pop up wanting credit card numbers and other personal information while keeping your computer safe from viruses. This software helps make you less susceptible to identity theft. Because this software prevents and protects your computer from viruses, it makes it more difficult for a hacker to get into your computer and steal your personal information.

Service providers are an integral part of keeping your banking and personal information secure. There are many different technologies that service providers use. Many of them help from keeping hackers out of your computer via Anti-Virus with Ad Block, Anti-Spyware, Fire Walls etc. These programs are not only used by service providers but by banks and homeowners as well. . Not only do banks help keep our information safe and secure, but so do our internet service providers.

Technology Individuals Should Use to Ensure Safe Internet Transactions:
A critical step personal computer users must take to protect their personal computer when using it for online banking is making sure it has the latest security technology. This includes up-to-date anti-virus software, anti-Spyware software, a personal firewall, and the latest security updates from your web browser and operating system, as well as current updates for your anti-virus and anti-Spyware software. Review your banks online privacy policies and practices information, looking for methods used to encrypt transactions and authenticate user information, as well as, look for, and implement, suggestions made by the bank to keep your home computer secure and protected. Check for other security measures mentioned, such as requiring additional security information before authorizing a payment to a business or individual who has not received payments before. Ensure the privacy policy of the company or service you will be sending an online payment to, BEFORE you make the payment.

Besides employing top security measures, a little common sense goes a long way to keeping your banking information secure. Social networking sights are a bountiful pool of information for hackers and thieves to take personal information from, so use discretion when providing information to the online world. Use a PIN or password that is unique and hard to guess and make sure to change it often. DO NOT, under any circumstances, give this information out! Nor should you use a birthday or social security number, as these are easy for thieves to find out. Likewise, if your bank offers additional security through the use of personal verification questions, use information that is not widely known by others, and change this information often. Disconnect from the internet after each session, as hackers cannot attack your computer if the internet is not connected. This is especially important for people with high-speed connections. Avoid using public locations, such as libraries and internet cafes, to do your online banking – these computers have poor security and are easily accessed by hackers. Likewise, credit cards usually have stronger protection against personal liability claims than debit cards, which is why experts recommend using a credit card over a debit card when paying for items online. Checking your online account regularly for unauthorized activity will help reduce damages if you become a victim of identity theft and fraud. Always verify with your bank or financial institution the authenticity of emails you receive that are supposedly from your bank. NEVER reply to these emails, especially if they ask you to verify account information, passwords, etc. By thinking smart and using common sense, your banking information will be more secure.

Conclusion
For further explanation of key security features, please see the definitions presented above.

Banks employ top security measures and the latest technology available to ensure safe online banking procedures for their customers. In addition, personal computer users can educate themselves on security features and technology available for their personal computer to protect it from unauthorized users gaining access to private information. Due to the security features, technology, and common sense methods mentioned above, we believe that internet banking is secure.