Online Banking Consumer Protection – the More the Better?

27 11 2012

Living as a complete foreigner in the United States for the last couple of months, one of the outstanding differences which gave me cultural curiosity is its banking. Two things were particularly confusing – the paper checks and the online banking. Some may ask “Isn’t their Internet banking super easy?” True, and that is where my confusion arises.  My new bank, and the clerk, never asked me anything about security options except setting up the password and 4-digit PIN. It was shockingly simple and minimal compared to my old bank in my hometown. Later on, when I browsed their site, it was connecting to their SSL server. It had the mind-boggling green box – a safe sign anyway. It was fast, easy, and I was not challenged by any other security questioned except my password and PIN. I could finalize my first month’s rent transfer online without trouble. A while later I happened to lock my account by entering incorrect password three times. Still I could reset my password by phoning the bank and dealing with the automated answering machine.

It contrasts to my previous online banking experience, where some security features are mandated for the banks if they want to provide their customer banking service online. On top of the traditional password for the website and PIN for the account, a personal certificate and a physically distributed passcode are both issued. For example, using desktop or smartphone, I can only start my online banking after presenting my personal certificate signed by the bank (the banks operates like a Certificate Authority). And from that point I can access and see my account details. In process transactions, I need to present the certificate again in a process of digitally signing the transaction order’s confirmation. Before each confirmation, the server will also challenge me with ‘what you have’ passwords. The clients can choose to have an OTP (One Time Password) token after paying about $5. Other than the better security, the OTP usually grants higher daily transaction limit than the Security Card. If the customers don’t want to pay this $5, as an alternative the credit-card-sized Security Card, with a table of challenge number, can be issued for free. On every transaction order, the bank will challenge the client with two different numbers from this table.

From its complexity, some clients including me feel some sense of safety. Do these features imply that my old bank is safer than my new, password only banking? I thought so. Should they urgently adopt OTP, security card, PKI, or Smartcard to increase safety? Maybe.

Whatever security options the banks decide to deploy, their primary goals are confidential channel, authentication of user and server, data integrity and non-repudiation [1]. The bank can claim they have done their part, after providing standardized solutions to protection the end-to-end communication from the eavesdroppers and a good authentication that is enough to differentiate me from dogs of the Internet. Data-integrity and non-repudiation would be the side product of the security solution. In this sense, my new bank did its job by providing SSL connection and password authentication. More security features may redundant – if I can do my part to protect the password.

However, the challenge is in the client side. I am not sure if my computer is 100% secure, and the banks have no way to know whether their clients’ computers are running with banking Trojan or wiretapped by some network penetrator. I can only hope that my communication between the keyboard and the browser is not key-logged, my monitor not screen-logged, my web browser clean, and the SSL properly connected to my bank while I do my banking.

A scary scenario can be written if I don’t assume the safety of my PC, and there is not much my bank can do to save me. Thing can be stolen – password, PIN, my private key along with the certificate, my password to invoke my private key and partial contents from my security code card. This may mean, the expensive banking PKI becomes useless unless even with the bank’s effort to provide better security. Security Card can slow down the exfiltration, although it also can be fully revealed if the Trojan had enough time to collect all the 4 digit numbers in 35 table entries. My OTP may still stand safe.  Studies say that proper use of security card and OTP will minimize the attack vector down to man-in-the-browser or session hijacking attack [1], which is more costly or difficult for the attackers [2].

Should we force the banks to take more responsibility on the security of the client’s terminal, by distributing banking plug-in or anti-virus software for the client’s computer connecting their servers? The answer may be controversial, and solution may differ by countries and cases. It may annoy people, because the installation of the plug-in is sometimes not optional [1]. However, no matter how the bank tries to deploy new security supports, such effort can become useless when the users are infected by various kinds of Trojan, carelessly store their private keys in their email boxes, or their security card scanned and stored in the cloud storage.

Given that my new bank does not lose data somewhere else, my new bank’s simple password security is not worse than the one they provide in my hometown. I guess I should just be more careful and vigilant, maybe virtualize one of my desktop for banking only. However, since I can make mistakes and lose my data someday, I would feel safer if my bank promotes the OTP or security card as one of their security options.


[1] Hyoungshick Kim, Jun Ho Huh, Ross Anderson “On the Security of Internet Banking in South Korea” Computing Science Group, Oxford University, CS-RR-10-01

[2] Chris Sanders, “Understanding Man-in-the-Middle Attacks”,




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: