
    SECURITY AS A KEY CHARACTERISTIC OF

    EBANKING SYSTEMS

    _______________________________________________

    A CASE STUDY AT THE SWISS BANKING SECTOR

    THE ANALYSIS OF THE RETAIL EBANKING SOLUTION

    OF CREDIT SUISSE

    SEMINAR THESIS

    STUDENT NAME: Mariana Raschke

    STUDENT NR: 06-217-806

    COURSE NAME: Seminar E-Business

    DEPARTMENT: Department of Informatics

    EXAMINER: Prof. Andreas Meier

    SUPERVISOR: Luis Teran

    DATE OF SUBMISSION: May 12, 2013


    ABSTRACT

    Nowadays, financial services are increasingly marketed and provided via the Internet. Particularly in retail banking, online processing has shaped the way business is conducted. IT security management is therefore a core issue for providers of financial services. The aim of this paper is to provide an exemplary analysis of the eBanking solution's security at a multinational company in Switzerland. After an introduction to the basic theory of eBanking and security management, a closer look at the general situation in Switzerland is taken. A case study in the banking sector forms the core topic of the second part of the paper, assessing the practical security management of a multinational Swiss bank with regard to retail eBanking.

    Key words: eBanking, Switzerland, Security Management, Retail security solutions, Credit Suisse


    TABLE OF CONTENTS

    ABSTRACT

    LIST OF ABBREVIATIONS

    1. INTRODUCTION
    1.1. Background and motivation
    1.2. Problem statement and research questions
    1.3. Proceeding and method
    1.3.1. Objectives and Output of the Thesis
    1.3.2. Addressee
    1.3.3. Procedure and Methodology

    2. THEORETICAL BACKGROUND
    2.1. Electronic Banking as an eBusiness Service
    2.1.1. Classification of eBanking as an eService
    2.1.2. Classification of eBanking Services according to a maturity assessment model
    2.1.3. Benefits of Electronic Banking as an eService
    2.1.4. Forms of Electronic Banking
    2.1.5. Retail banking in brief
    2.2. A basic introduction into Security Management
    2.2.1. Data security
    2.2.2. Security management and its purpose
    2.2.3. Major Security threats
    2.2.4. General approach in eBanking Security Management
    2.2.5. Typical threats in eBanking
    2.2.6. Situation today: the Cybercrime market
    2.2.7. Common methods of resolution

    3. APPLICATION: CASE STUDY/IES
    3.1. Retail eBanking in Switzerland
    3.1.1. Legal background for the Swiss Financial Industry and eBanking Security
    3.1.2. Security Threat Situation in Swiss Financial industry
    3.2. Case Study: The retail eBanking security management approach of CREDIT SUISSE
    3.2.1. Introduction
    3.2.2. Assessment

    4. CONCLUSIONS
    4.1. Summary and Conclusions
    4.2. Critical Review
    4.3. Outlook

    5. BIBLIOGRAPHY

    6. APPENDIX


    LIST OF ABBREVIATIONS

    ATM Automated / Automatic Teller Machine

    a.o. among others

    C & IC Corporate and Institutional Clients

    CS Credit Suisse

    DMZ Demilitarized Zone

    HR Human Resources

    i.p. in particular

    eBanking Electronic Banking

    EBK Eidgenössische Bankenkommission

    eFraud Electronic Fraud

    eFDS Electronic Fraud Detection System

    ePayment Electronic Payment

    eService Electronic Service

    e.g. for example

    IFA Internet Facing Applications

    IT Information Technology

    iTAN indexed TAN (indizierte Transaktionsnummer, indexed transaction number)

    mBanking Mobile Banking

    mgmt Management

    mTAN Mobile TAN (Transaktionsnummer, transaction number)

    OWASP Open Web Application Security Project

    resp. respectively

    SFBC Swiss Federal Banking Commission

    SW dev. Software development

    WES Web Entry Service

    VPN Virtual Private Network


    1. INTRODUCTION

    1.1. Background and Motivation of the Thesis

    Today's ongoing trend from offline to online processing naturally leads to a shift towards electronic servicing. Customers' expectations regarding the availability and quality of online services continuously increase in step with the speed of technical development. For companies in a competitive market environment, the implementation, active involvement and natural integration of online channels have become a matter of course. Particularly for service companies that are based upon collecting, processing and delivering information, electronic delivery is forecast to become a major distribution channel [after Daniel 2000].

    Thus, as in other businesses, customers' demand for time- and place-independent availability of services also strongly affects the financial sector. Indeed, "technology, especially the Internet, has been a key driving force behind the changes in the banking industry" [1] [Karjaluoto 2002, p. 26].

    Nowadays, financial services are increasingly marketed and provided via the Internet. Particularly in retail banking, online processing has shaped the way business is conducted, for example in the case of electronic payments. In Switzerland, one of the most important financial centers, online processing via an eBanking platform has become an essential part of a bank's market offer in the retail segment. Basic transactions, such as the handling of standardized payment affairs, are usually offered for free (at least to private clients). "What was unthinkable a decade ago is now a reality: Every bank in Switzerland - no matter how small - has not only an online presence but also offers its customers online banking services." [schweizerversicherung.ch] This is why we encounter a technically highly diverse landscape of many different solutions. Still, the providers' common target is to offer a secure and easy-to-use online solution to their clients.

    1.2. Problem Statement and Research Questions

    However, the rapid development of eBanking capabilities carries not only benefits but also risks, primarily technology-based threats, among others. The recent cyber attack in South Korea in March of this year, which partly or completely shut down several companies' server systems and was presumed to have been conducted from a Chinese IP address, clearly illustrated the tremendous harm that can be caused through hacking: the attack left 32,000 computers paralyzed. [tagesanzeiger.ch 2013] Other illustrative examples are regularly reported in the media. It is a very topical issue that strongly affects both parties, clients as well as service providers, and accordingly needs to be considered on the basis of a holistic view.

    It is a fact that malware is also getting more sophisticated. There is, for instance, a new threat arising called "black holes", which systematically scan a computer system for vulnerabilities in order to introduce specialized malware. [ibid.]

    [1] In this context the discussion about the disappearance of traditional banks has been a hot topic. It was often claimed that eBanking creates a threat to traditional banks' market share, because it neutralizes so many of their competitive advantages in having a traditional branch bank network [Karjaluoto 2002, p. 26]. Discussions about the market transformation caused by online banking are not in the scope of this seminar thesis and are hence excluded from this project.

    [2] Online banking offers do exist for business partners (C & IC) as well. These offers are out of scope for this paper.

    Accordingly, it is crucial for a bank to gain customers' trust, a general key success factor for service companies, especially in the financial industry. Hence, successful security management must be targeted as a core asset, particularly in this business. The aim must be to offer the highest possible level of security in eBanking. Yet not every Swiss bank has reached this goal to a satisfying level. This has been shown, among others, by Kassensturz, a Swiss TV format concerned with consumer protection. In 2011 they conducted a study in order to test the most popular Swiss eBanking systems. The field's specialist Bernhard Plattner, Full Professor of computer engineering at ETH Zürich (Swiss Federal Institute of Technology), together with his team, was in charge of hacking accounts protected by six different login systems. The alarming result even surprised the experts: many banks protect their customers insufficiently from hackers. In three out of four cases (Migros Bank, Raiffeisen Bank and Berner Kantonalbank) the bank account could be hacked and a payment order could be executed. Only the UBS account resisted the attacks. [see srf.ch]

    The specific online service that this seminar thesis focuses on is retail eBanking. Its aim is to address the topic on the basis of a case study of a large multinational Swiss bank. The following theoretical (TRQ) and practical research questions (PRQ) will be answered in the present thesis:

    • What are the most important security concerns when it comes to eBanking, a) from the bank's perspective and b) for the user (TRQ), and how have they been managed in the specific case of the analyzed solution (PRQ)?

    • How sophisticated is the solution's security in comparison to other comparable offers on the market? (PRQ)

    • Outlook: What are a) current weaknesses and/or b) potential improvements, and which of them are planned to be adjusted or further developed in the future? (PRQ)

    • As a tendency, what role does security play in customers' adoption of eBanking? (PRQ)

    1.3. Proceeding and method

    Subsequently, all important information regarding the target approach is given, such as the major objectives of the paper, the target audience, and the planned procedure and methodology.

    1.3.1. Objectives
