Engineering Secure Online Banking


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Introduction

In the current decade the internet has become a part of our lives. Many important parts of our daily routine depend on it, and one of the most important for the working citizen is the money transaction. Nowadays most people, whether ordinary workers or entrepreneurs, choose to handle their money through the online systems that banks offer.

The main aim of an online banking system is to be safe, because it handles money transactions. The main requirement that customers place on the bank is assurance that, when they make a transaction, they will not fall victim to a hacker.

No such system can be made impregnable; there is always the possibility of intrusion by a hacker. The only thing we can achieve is to reduce, as much as possible, the probability of the system being violated.

Any Internet banking system must solve the issues of authentication, confidentiality, integrity, and nonrepudiation, which means it must ensure that only qualified people can access an Internet banking account, that the information viewed remains private and can't be modified by third parties, and that any transactions made are traceable and verifiable.

This project describes current attacks and proposed solutions, as well as how these solutions can be extended to future attacks.

SECURITY GOALS

A concern that has long troubled people, especially politicians, diplomats and military commanders, is the possibility of losing significant information carried in correspondence. This insecurity has existed since the early days of writing; ca. 50 B.C. it was realized that some mechanism was necessary to protect the confidentiality of correspondence. The first to invent a solution, one that was successful for decades, was Julius Caesar; the invention is called the Caesar cipher.

As the years passed, governments wanted to ensure the security of the secret data that needed to be exchanged through a communication system; the result was the development of more sophisticated communication systems to provide the appropriate security protection. The occasion that made the use of classification systems necessary was the first war in the 19th century in which they were used to communicate information. The early 21st century saw rapid progress in the fields of telecommunications, computer hardware and software, and data encryption. Computers quickly became interconnected through a network generally called the Internet.

The internet offers many facilities to companies, banks and governments, and even for personal use at home. That the Internet, especially the World Wide Web, has completely revolutionized the way we live, work and do business is not disputed. But the rapid change in communication methods has brought a rapid change in security threats, while the protection needed to counter those threats has been slow to catch up, so that attackers can gain access to the confidential information of companies or, even worse, governments.

The aim now was to build the necessary security protection into a system that blocks access by anyone who is not authorized. The key to this was the CIA triad proposed by Donn Parker. The CIA triad is a model consisting of three basic principles: confidentiality, integrity and availability. Each has its own role in the security of the system, and all three together form the core of an information system.

Confidentiality is the assurance of data privacy. Only the intended and authorized recipients may read the data. Preventing disclosure to unauthorized entities, whether individuals or systems, is the fundamental principle of keeping information and communications private and protecting them from unauthorized access. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission and by limiting the places where it might appear.

Integrity in the CIA triad means protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made, the damage can be undone. This means that some data, such as user account controls, must not be modifiable without authorization, while other data, such as user files, must be much more available for modification than such strict control would allow.

Availability of data is the last component in the CIA triad. For any information system to serve its purpose, the information must be available when it is needed. This means that the communication channels used to access it and the authentication mechanisms must all be working properly for the information they provide and protect to be available when needed. High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

POSSIBLE ATTACKS

Network attacks are generally divided into two categories: inside attacks and outside attacks. Although attacks can easily be identified by their goals, it is useful to analyze them based on who is orchestrating them. Network attacks can be perpetrated by insiders or outsiders.

Inside attacks can be launched by trusted users, and this is one of the most dangerous and successful kinds of network attack. An inside attack can do a lot of damage, first because the user has access to many network resources, and second because the company's network policies are not very strict in defining rules and codes of behavior for users on the internal network; in effect, everyone on the internal network is trusted. Networks are therefore more vulnerable to an inside attack, because the user can launch any attack they want, with devastating consequences.

An inside attacker is classified as either an unintentional inside attacker or a deliberate inside attacker. As mentioned, the most damage to networks is done from inside. An inside attack can come not only from a user with real intent but also from a user who has no real intent of causing any harm to the network, yet is an easy target through whom a hacker can gain access; through lack of knowledge or training, such users may inadvertently cause damage by their acts. Such acts can be as simple as letting an outside hacker learn passwords or bringing down a critical network resource through misuse based on lack of knowledge or training. A very common example of this type of individual is one who opens a malicious e-mail attachment, exposing a whole organization to a virus attack. The second type, the deliberate inside attacker, is even more dangerous than the unintentional inside attacker, because they have both the intention and the knowledge of the network's security to launch a network attack; this type of insider threat gives the attacker a critical edge.

The second category is the outside, or external, attack: the type of attack that can be launched by untrusted individuals. An outside attack has more difficulty achieving its purpose, because most network security policies define stringent measures against external attackers.

One type of attack launched from outside comes from inexperienced hackers. Usually this type of attacker acts individually, for personal purposes, against specific targets.

This type of attacker need not have the necessary knowledge in the field of hacking, because such hacking can be learned and applied by anyone. The internet is responsible for this, because there are many online tools available or, worse, ready-made scripts that launch attacks simply by being run. Tools such as Naptha for DoS attacks are one example, and hackers generally call such attackers script kiddies. However, the use of scripts can allow the attacker to cause substantial damage to an unsuspecting network.

Apart from inexperienced hackers there are experienced hackers, professionals in this domain. Professional hackers have knowledge and skills in writing various types of code. They have substantial expertise in the TCP/IP protocol suite and a deep knowledge of the workings of various operating systems. These people develop the tools and scripts used by the script kiddies mentioned above. These hackers are more precise and always prepare before launching an attack, researching and analyzing their victim. Their targets are often high-visibility, high-profile, well-protected victims, against whom they can prove their experience. Professional hackers are also motivated by profit, so they often conduct corporate espionage. This is probably the most dangerous type of attacker a network can attract.


