IT issues on 666 ABC Canberra Drive with Keri Phillips each Monday at 5:50pm

Tom Worthington

With Tom Worthington FACS, Visiting Fellow, Department of Computer Science, Australian National University

Is Internet banking secure?

What can you do with e-banking and what are the risks? 3 September 2001

In summary, the communications side of the Internet banking applications that we have reviewed would seem to be secure, and should remain so for the foreseeable future. However, as we shall see in the following section, such security can be easily subverted, if the platforms on which these secure applications run do not protect them from other malicious programs.
From: The Problems with Secure On-line Banking, Tim Redhead and Dean Povey, Security Unit, DSTC, 1998

Internet banking is a broad topic. Computer networks can be used for business-to-bank and bank-to-bank transactions, but here we will worry about ordinary individual customers accessing their savings or cheque account. Overall, Internet banking is probably more secure than the widely used telephone banking.

Services which are currently offered via Internet banking schemes are similar to those offered by many phone-banking services and includes facilities that allow the user to:
From: The Problems with Secure On-line Banking, Tim Redhead and Dean Povey, Security Unit, DSTC, 1998

Internet banking may be too difficult to use for someone with few financial transactions. It can be cost effective for small businesses. As well as transferring money between your own accounts, money can be transferred to accounts at other Australian financial institutions to pay bills or salaries.

Customers can use Internet banking via their own dial-up Internet connection at home. The customer uses their web browser with web pages from the bank, Java "applets" from the bank web site or other types of downloaded programs. These services use encryption to protect the transactions between the customer's computer and the bank. You should see a closed lock or similar on the bottom of the screen to indicate security is in place. If you use your computer at work, Internet banking may not work, because the company's firewall may block some of these services.

The client enters an account number and secret PIN to identify themselves. If using a shared computer, particularly one at a cyber-cafe, it is important not to keep a copy of the PIN in the computer (type it in each time you use Internet banking). Tim Redhead and Dean Povey at the Security Unit, DSTC, warn that malicious programs could be used to subvert the computer's security system. If you have a virus checker on your computer, this should not be a problem.

Most financial institutions offering retail services in Australia subscribe to an Electronic Funds Transfer (EFT) Code of Conduct. The current code has been revised to take into account Internet banking, but not all institutions have signed up for the revised code.

Some banks are now offering a service which will allow a client to enter the details of all their bank accounts at other banks, to receive a consolidated statement. This saves logging into several bank systems, if you have multiple accounts. However, it creates a security risk as one bank has all your PINs.

It is possible to make Internet banking more secure, but this will make it harder to use and more expensive for the customer, as it requires extra equipment (such as smart card or thumbprint readers) or more complex procedures (such as single-use passwords).

Acknowledgement

Thanks to: Dean Povey, Duncan Unwin, Lyal Collins, Tim Redhead, Bridget Larsen

Comments and corrections to: webmaster@tomw.net.au

Copyright Tom Worthington 2001.