
SECURITY AS A KEY CHARACTERISTIC OF

EBANKING SYSTEMS

_______________________________________________

A CASE STUDY AT THE SWISS BANKING SECTOR

THE ANALYSIS OF THE RETAIL EBANKING SOLUTION

OF CREDIT SUISSE

SEMINAR THESIS

STUDENT NAME: Mariana Raschke

STUDENT NR: 06-217-806

COURSE NAME: Seminar E-Business

DEPARTMENT: Department of Informatics

EXAMINER: Prof. Andreas Meier

SUPERVISOR: Luis Teran

DATE OF SUBMISSION: May 12, 2013


ABSTRACT

Nowadays, financial services are increasingly marketed and provided via the Internet. Particularly in retail banking, online processing has shaped the way business is conducted. Thereby, IT security management is a core issue for providers of financial services. The aim of this paper is to provide an exemplary analysis of the security of the eBanking solution of a multinational company in Switzerland. After an introduction to the basic theory of eBanking and security management, a closer look at the general situation in Switzerland will be taken. A case study in the banking sector provides the core topic of the second part of the paper, assessing practical security management by a multinational Swiss bank with regard to retail eBanking.

Key words: eBanking, Switzerland, Security Management, Retail security solutions, Credit Suisse


TABLE OF CONTENTS

ABSTRACT

LIST OF ABBREVIATIONS

1. INTRODUCTION

1.1. Background and motivation
1.2. Problem statement and research questions
1.3. Proceeding and method
1.3.1. Objectives and Output of the Thesis
1.3.2. Addressee
1.3.3. Procedure and Methodology

2. THEORETICAL BACKGROUND

2.1. Electronic Banking as an eBusiness Service
2.1.1. Classification of eBanking as an eService
2.1.2. Classification of eBanking Services according to a maturity assessment model
2.1.3. Benefits of Electronic Banking as an eService
2.1.4. Forms of Electronic Banking
2.1.5. Retail banking in brief

2.2. A basic introduction into Security Management
2.2.1. Data security
2.2.2. Security management and its purpose
2.2.3. Major Security threats
2.2.4. General approach in eBanking Security Management
2.2.5. Typical threats in eBanking
2.2.6. Situation today – the “Cybercrime market“
2.2.7. Common methods of resolution

3. APPLICATION: CASE STUDY/IES

3.1. Retail eBanking in Switzerland
3.1.1. Legal background for the Swiss Financial Industry and eBanking Security
3.1.2. Security Threat Situation in Swiss Financial industry

3.2. Case Study: The retail eBanking security management approach of CREDIT SUISSE
3.2.1. Introduction
3.2.2. Assessment

4. CONCLUSIONS

4.1. Summary and Conclusions
4.2. Critical Review
4.3. Outlook

5. BIBLIOGRAPHY

6. APPENDIX


LIST OF ABBREVIATIONS

ATM Automated / Automatic Teller Machine

a.o. among others

C & IC Corporate and Institutional Clients

CS Credit Suisse

DMZ Demilitarized Zone

HR Human Resources

i.p. in particular

eBanking Electronic Banking

EBK Eidgenössische Bankenkommission

eFraud Electronic Fraud

eFDS Electronic Fraud Detection System

ePayment Electronic Payment

eService Electronic Service

e.g. for example

IFA Internet Facing Applications

IT Information Technology

iTAN indexed TAN / “Transaktionsnummer“ (transaction number)

mBanking Mobile Banking

mgmt Management

mTAN Mobile TAN / “Transaktionsnummer“ (transaction number)

OWASP Open Web Application Security Project

resp. respectively

SFBC Swiss Federal Banking Commission

SW dev. Software development

WES Web Entry Service

VPN Virtual Private Network


1. INTRODUCTION

1.1. Background and Motivation of the Thesis

Today’s ongoing trend from offline to online processing naturally leads to a shift towards electronic servicing. Customers’ expectations regarding the availability and quality of online services continuously increase, keeping pace with the speed of technical development. For companies in a competitive market environment, the implementation, active involvement and natural integration of online channels have become a matter of course. Particularly for service companies whose business is based upon collecting, processing and delivering information, electronic delivery is forecast to become a major distribution channel [after Daniel 2000].

Thus, among other businesses, customers’ demand for time- and place-independent availability of services also has a strong impact on the financial sector. Indeed, technology, especially the Internet, has been a key driving force behind the changes in the banking industry1 [Karjaluoto 2002, p. 26].

Nowadays, financial services are increasingly marketed and provided via the Internet. Particularly in retail banking, online processing has shaped the way business is conducted, for example in the case of electronic payments. In Switzerland, one of the most important financial centers, online processing via an eBanking platform has become an essential part of a bank’s market offer in the retail segment. Thereby, basic transactions such as the handling of standardized payments are usually offered for free (at least to private clients). What was unthinkable a decade ago is now a reality: every bank in Switzerland, no matter how small, not only has an online presence but also offers its customers online banking services [schweizerversicherung.ch]. This is why we encounter a technically highly diverse landscape of many different solutions. Still, the providers’ common target is to offer a secure and easy-to-use online solution to their clients.

1.2. Problem Statement and Research Questions

However, the rapid development of eBanking capabilities carries not only benefits but also risks, primarily technology-based threats, among others. The extent of the recent cyber attack in South Korea in March of this year, which partly or completely shut down several companies’ server systems and was believed to have been conducted from a Chinese IP address, clearly illustrated the tremendous harm that can be caused through hacking: 32,000 computers were paralyzed [tagesanzeiger.ch 2013]. Other prominent examples are regularly reported in the media. It is a very current issue that highly affects both parties, clients as well as service providers, and accordingly needs to be considered from a holistic point of view.

It is a fact that malware is also getting more sophisticated. For instance, there is a new threat arising called black holes, which screen a computer systematically for vulnerabilities in order to plant specialized malware [ebd.].

1 In this context the discussion about the disappearance of traditional banks has been a hot topic. It was often claimed that eBanking creates a threat to traditional banks’ market share, because it neutralizes so many of the competitive advantages they have in a traditional branch bank network (Karjaluoto 2002, p. 26). Discussions about the market transformation caused by online banking are not in the scope of this seminar thesis and hence are excluded from this project.



Accordingly, it is crucial for a bank to gain a customer’s trust, a general key success factor for service companies, especially in the financial industry. Hence, successful security management must be targeted as a core asset particularly in this business. The highest possible level of security in eBanking must be aspired to. But not every Swiss bank has reached this goal to a satisfying level yet. This has been shown, among others, by “Kassensturz”, a Swiss TV format concerned with consumer protection. In 2011 they conducted a study in order to test the most popular Swiss eBanking systems. Thereby, the field’s specialist Bernhard Plattner, Full Professor of computer engineering at ETH Zürich (Swiss Federal Institute of Technology), together with his team was in charge of hacking the accounts of six different login systems. The alarming result even surprised the experts: many banks protect their customers insufficiently from hackers. In three out of four cases (Migros Bank, Raiffeisen Bank and Berner Kantonalbank) the bank account could be hacked and a payment order could be executed. Solely the account of UBS resisted the attacks [see srf.ch].

The specific online service that this Seminar Thesis focuses on is retail eBanking. Its aim is to address the topic on the basis of a Case Study of a large multinational Swiss bank. The following theoretical (TRQ) and practical research questions (PRQ) will be answered in the present thesis:

- What are the most important security concerns when it comes to eBanking a) from the bank’s perspective resp. b) for the user (TRQ), and how have they been managed in the specific case of the analyzed solution (PRQ)?

- How sophisticated is the solution’s security in comparison to other comparable offers on the market? (PRQ)

- Outlook: What are a) current weaknesses and/or b) potential improvements, and which of them are planned to be adjusted or further developed in the future? (PRQ)

- In tendency, what role does security play regarding the customers’ adoption of eBanking? (PRQ)

1.3. Proceeding and method

Subsequently, all important information regarding the target approach is given, such as the major objectives of the paper, the target audience as well as the planned procedure and methodology.

1.3.1. Objectives and Output of the Thesis

The author’s target is to provide an exemplary analysis of the retail eBanking security solution of a multinational company in Switzerland. Based on a Case Study, the most important security concerns in retail banking should be identified first. The second target is to explain how they have been solved. This will happen on the basis of two perspectives (bank vs. user) if possible. Finally, the most important learnings as well as future trends and further improvements will be summarized. Due to the restricted length of this thesis this happens on the basis of one big company only. The paper should serve as a practical example in order to underline the diverse situation regarding eBanking solutions in Switzerland, and should motivate readers to roll out the case study’s concept and apply the procedure to other banks or relevant companies, hence to further share experiences across banks.

1.3.2. Addressee

This paper may be of concern for security managers of other banks as well as for any other party interested in the topic. It will give them an overview of the most important security concerns and their possible solution in retail eBanking. Perhaps some technical aspects might even be transferable to other sectors or serve as inspiration in case of different security issues.


1.3.3. Procedure and Methodology

There will be a short theoretical introduction to Retail eBanking Services and Security Management in the related context. This section will be based on the results of a few general research studies, not necessarily limited to a Swiss context. Subsequently, a theoretical overview of the most important challenges when it comes to eBanking systems’ security will be provided. This will happen in a national context. Thereby, an attempt is made to give insight into the relevance and topicality of the subject for Swiss banks as well, by including brief references to real cases reported in the media whenever this is perceived as useful.

In the second part of the paper the Case Study will be conducted, structured according to the central research questions. To gain the relevant information, a combination of interview, literature and document review and a descriptive analysis of the technical components (mapping) served as a fruitful mix of sources.


2. THEORETICAL BACKGROUND

The aim of the following chapter is to introduce the field of eBanking and security management, and subsequently their combination. In contrast to the second part of this paper, where practical aspects will be looked at in the form of a case study, this first chapter focuses primarily on the theoretical view. Therefore, first a classification of eBanking as one of the most typical eServices will be provided, which illustrates well a firm’s underlying dilemma of how to integrate new online services into its distribution strategy (complement vs. multichannel strategy). Further, after an attempt at a definition (eBanking as a rather blurry term shows a broad range of characteristics), a classification based on an eService maturity model will be given. Thereby, the objective is to illustrate the strategic importance of the business and point out the importance of security as one of its key success factors.

2.1. Electronic Banking as an eBusiness Service

In the following, related theoretical aspects will be assessed on a basic level. Due to the broadness and complexity of the topic, the scope of this chapter will not go too much into technical details. Generally, the paper aims to start with a broader focus in order to increasingly underline specific methods in business implementation. The first part is dedicated to eBanking as a very illustrative eService. After classifying eBanking according to different forms of eService perception, an eMarketing maturity assessment model will serve as a useful basis in order to point out the importance of security in this field. Subsequently, benefits and different forms of Online Banking will be shown. A second part of this chapter is dedicated to a basic introduction to security management, assessing major threats and common procedures of resolution. Thereby, the authentication process is in focus.

2.1.1. Classification of eBanking as an eService [whole paragraph after Bruhn/Meffert 2012, 459 ff]

The creation of services via the Internet is usually limited to benefits that are based on the exchange of information. The reason is that services causing material change to persons or objects typically can't be executed online, since they demand the physical presence of the service provider and the customer resp. the concerned objects. Accordingly, online services mostly supplement the (material) core activity of a firm.

Generally, four possibilities exist for combining traditional and electronic services. The following graph provides an overview in the form of a matrix. On the basis of the dimensions newness of eService offers and newness of traditional service offers, it shows whether both types either interact in a complementary way (and if yes, in what way) or replace each other.

                             Traditional Services offered
eServices offered            Already offered                New
New                          III) Service enhancement       IV) Service innovation
Already offered              II) Service complementation    I) Service substitution

Graph 1: Matrix of the combination of eServices and (offline) traditional services [own illustration adapted from Bruhn/Meffert 2012, p. 470]


The first possible combination (I) is the one applicable to online banking, a typical „Business to Consumer“ service, as the phenomenon is discussed in this paper2. It is called “Service substitution“ and is characterized by the presence of a traditional service and a new online service in addition. While the new eSolution implies several risks, still a large number of advantages can be achieved due to the extension, such as increased efficiency and subsequently lower costs, or the attraction of additional customers. Possible disadvantages may lie, for example, in a decrease of customers’ trust due to electronic processing instead of direct contact with a firm’s staff, or in unsatisfactory customer treatment because of the high level of standardization and accordingly the risk of a loss in customer loyalty.

The classification as described above can be regarded as rather blurry, especially since the definitions of the corresponding dimensions (I – IV) do not seem free of ambiguity. As such, in some cases several categories may be applicable. This is why the authors themselves discuss their own view on online banking critically. Rather than discussing it solely from a service substitution perspective, they state, the phenomenon may also be classified differently. Instead, as eBanking services may rather complement traditional over-the-counter retail business than totally replace it, the online channel could also be described as service complementation (II).

The latter has been underlined by the fact that in Switzerland so-called Internet banks (or “Virtual Banks”) have not been very successful. Their business model is based on the execution of services exclusively via online channels. No retail counters as in traditional banking are offered. This idea was not able to gain broad acceptance in this country, contrary to foreign markets. Instead, the strategy of traditional Swiss financial intermediaries, parallel communication and distribution channels such as branch, telephony and the Internet, is predominant in the market. It allows customers to select their favorite option from one transaction to another [whole paragraph, see finma.ch]. However, it should be mentioned that this approach carries the risk of underestimating online banking’s potential. Anyhow, a company’s business model in eBusiness is closely linked to the strategic decision of how eServices are perceived and hence managed according to the above classification (see also Meier/Stormer 2008, p. 26 ff for examples).

But how can the term eServices generally be defined? Bruhn/Meffert [2012, p. 460 ff] propose to start from the classical service dimensions. Those are: the potential, the process and the result dimension. On that basis, eServices can be described as follows, referring to Bruhn [2002]:

“eServices are independent, tradable services that through the provision of electronic capabilities of the provider (potential d.) and by the integration of an external factor with the help of an electronic data exchange (process d.) aim to create a beneficial effect for the external factors (result d.).” [Bruhn 2002, 6]3

A large number of characteristics are listed in a broad range of literature in order to describe the differences between traditional (offline) services and eServices. The particularities of the World Wide Web influence all phases of the service creation, the services themselves as well as all parties involved in the transaction. Major differences in characterization can be claimed based on criteria such as the ones listed below (not exhaustive) [after Bruhn/Meffert 2012, 460 f].

2 Online Banking offers do exist for Business partners, C & IC, as well. These offers are out of scope for this paper.

3 Critical remark: This definition is mostly limited to a firm’s perspective and excludes the aspect of company-internal eServices such as e.g. in the field of HR.


Differentiation between eServices and Classical Services

CRITERIA               Classical Services     eServices are rather characterized as follows:
- Production           manual                 automatic
- Physical presence    necessary              not necessary
- Availability         limited                unlimited
- Service Encounter    high-touch             high-tech

Graph 2: A selection of characteristics to distinguish classical from electronic services [after Bruhn/Meffert 2012, 460 f].

Many other factors could be taken into account. And of course the differentiation is not unambiguous. Traditional services being created only partly online or those solely advertised on the Internet, for example, are to be placed in a blurry area in between.

2.1.2. Classification of eBanking Services according to a maturity assessment model

The target of the following paragraph is to underline the importance of security matters by classifying eBanking as a rather mature, and hence highly complex, eService. This will happen based on an eMarketing maturity assessment model for eBusiness services.

Thereby, the maturity assessment model for eBusiness, conceptualized by Meier/Stormer [2008, 107] from an eMarketing perspective, serves as a useful tool. Originally created for classifying eBusiness companies as a whole, in the following the model will be applied differently, namely on the level of individual eServices. Still, the core idea remains the same despite a higher level of aggregation and thus a closer scope: the differentiation of four consecutive stages in eBusiness exploration. How can eBanking as a typical eService be examined according to these levels of maturity? In the following, after the four steps have been pointed out briefly, an assessment will be proposed.

eBanking can be classified as a transaction-oriented service, hence partly assignable to level B. However, at the same time it also clearly shows individualized indicators in the form of a personalized profile (incl. login) and the storage of client-specific data. Thus, it also forms part of level A, a fact that shows the high need for appropriate security management due to the confidentiality of the information.

To conclude, the classification underlines that security matters are of vital importance, especially in eBanking. A complex settlement of the service is shown (horizontal axis), which at the same time is of high value for the company (vertical axis). Hence, the high share of transactions and the partial individualization of the solution lead to especially sensitive data and therefore make this a delicate business area. Successful data protection must therefore be key.


Graph 3: eMarketing maturity assessment model (“Reifegradmodell“) for the classification of eBusiness (services) [own illustration adapted from Meier/Stormer 2008, p. 107]

2.1.3. Benefits of Electronic Banking as an eService

Online accessibility of banking services offers new value to customers [Karjaluoto 2002, p. 32]. This fact accords with the definition by Schmid/Zimmerman [1998, cited after Meier 2013], whereby eBusiness generally refers to „the utilization of information and communication technologies to support the processes of creating value added in an economical sense.” Generally, electronic markets show the following positive characteristics, as per definition they are processed online: independence of time and place, better market transparency, reduction of transaction costs, interactivity and short response time [ebd.].

The advantages of online banking for all parties involved lie in a broad range of factors. For instance, it allows banks to add a low-cost distribution channel to their large number of different services and hence achieve better cross-channel productivity and performance [Karjaluoto 2002, p. 32]. Several additional services can be offered, especially when compared to the traditional channel, the branches. From the customers’ perspective the following aspects belong to the major advantages of online banking: it is cheap or even offered for free, and its use is generally not tied to time or place. As customers can choose where and when they would like to execute their banking affairs, they benefit from more convenience and, a criterion which is of vital importance, from more privacy while interacting with their banks.

2.1.4. Forms of Electronic Banking

A broad range of definitions for electronic banking exists. To put it simply, the term embraces the provision of information or services by a bank to its customers [Daniel 1999]. It has also been described as an electronic connection between bank and customer in order to prepare, manage and control the performance of financial transactions [Karjaluoto 2002, p. 25]. In the literature the terms eBanking, Internet banking, and online banking are often used synonymously. However, electronic banking is a higher-order construct, which consists of several distribution channels, such as the Internet ("Internet Banking”), telephone or mobile phone ("Mobile Banking", "mBanking”) [ebd. p. 25].

[Graph 3 axis labels: Step D Information, Step C Communication, Step B Transaction, Step A Personalization; horizontal axis: Complexity; vertical axis: Value for the enterprise]


Also well-known forms such as ATM or Tele Banking ("PC banking", a direct connection from the phone to the bank, in earlier times via videotext) can be called electronic banking [finma.ch]. However, the Internet is still the main channel used for eBanking, usually accessed via personal computer. It is clearly ahead of all other ways of electronic transmission such as mobile banking, which only recently has started being pushed more and more by providers and increasingly gains further user acceptance. In the near future more channels, such as television ("TV banking"), are to be developed for the distribution of financial services. Electronic banking together with electronic trading can be summarized under the term e-finance, namely electronic finance [finma.ch].

Delivery platforms for electronic banking

TYPE OF SERVICE: DESCRIPTION
- PC banking (private dial up): The customer installs proprietary software, distributed by the bank, on their PC. Access to the bank via a modem linked directly to the bank.
- Internet banking: Customers access their bank via the Internet.
- Managed network: The bank makes use of an online service provided by another party.
- TV based: The use of satellite or cable to deliver account information to the TV screens of customers (also Internet based).
- Telephone banking: Customers access their bank via telephone (own personal ID and password required).
- Mobile phone: Access with text message (SMS), Internet connection (WAP), or high-speed 3rd generation mobile connection (also Internet based).

Graph 4: Delivery platforms for electronic banking [own illustration adapted from Karjaluoto 2002, p. 26]

2.1.5. Retail banking in brief

The demands of a new generation of digitally affine bank customers and new media lead to new expectations for the retail banks, in particular with regard to the electronic interaction point. They are diametrically opposed to the previous, traditionally rooted and inflexible retail banking, as this business is very much characterized by its existing electronic solutions. These are so far strongly driven by technological developments and rarely follow customer-oriented approaches. This is easily understandable. Retail banks cater “for ordinary individuals and small businesses, as distinct from large corporations. Retail banking operations offer deposit facilities, lend money, transfer funds and are prepared to deal in relatively small amounts.” [Essevale 2007] Services offered include savings and transactional accounts, mortgages, personal loans, debit cards, and credit cards [digplanet.com].

The retail segment provides the major part of banking business, and hence seeks standardization due to the high volumes (mass transactions). Therefore, distribution is a key cost factor in retail management. Of course, banking products which do not require a stationary distribution (without consultation) are typically cheaper, such as security trades executed directly by the client via online banking. However, as Daniel [2000] points out, the impact of major trends, such as customer demands for greater convenience, increasing use of technology and deregulation, has also caused the retail banking sector to focus considerable attention on its distribution channel strategy4.

4 Consult the concluding chapter and outlook of this paper for a more detailed treatment.


2.2. A basic introduction into Security Management

In our times, the computer plays such an essential role in daily life that it permeates almost all of our activities, in private life as well as in a business context. It is the tool for the creation, processing and storage of data as well as for information exchange with other people. Thus, online processing and accordingly adequate data management have become an integral part of the global economy [Vieweg et al. 2012]. As information systems increasingly gain importance, their security management becomes more and more of a core focus for companies.

After a general theoretical introduction to the field of security management, the following chapter provides an overview of key aspects in eBanking security matters such as major threats and common methods of resolution, among others.

2.2.1. Data security

Besides the value of an organization’s technical infrastructure, namely its hardware and installed software licenses, the stored data and information itself is of particularly great value. Hence, it is crucial for a firm to take appropriate security and protection measures. Already today, successful data protection is key. However, the field is gaining even more weight as the significance of information technologies increases.

Even though terms such as “data security“, “IT safety“ and “security management“ are used frequently, it often seems quite blurry what each term actually embraces and how they can be differentiated from each other terminologically. This also applies to the definition of data security. Per definition the term describes the prevention of data loss, data theft, and data tampering [Vieweg et al. 2012]. The aim is to ensure the completeness and correctness of the data at all times. This should happen on the basis of preventive measures, such as for example data protection through access control by an individual password.

2.2.2. Security management and its purpose [whole chapter after Kollmann 2011, p. 241 ff]

According to the definition of data security mentioned above, the following core values are to be taken into account by IT security management. Generally, it can be differentiated whether data are to be protected from unauthorized access (in the case of confidential data) or “solely“ be prevented from loss. The following overall targets can be claimed from a theoretical point of view:

Requirements in management of security solutions

TYPE DESCRIPTION

n Integrity Adequate support of processes serving the achievement of transaction security must be given based on the integration of safety concept in all layers of the corporate structure.

n Confiden-tiality

The exchange of confidential data is only possible when the involvement of authorized persons in charge is carefully managed. The higher the number of people to whom access has been grant-ed, the more difficult the protection und analysis of security lacks is.

n Accessibility Any security measures must be constantly available everywhere, so secure data exchange (not only between bank and client, but also between the bank and third providers) is supported at any time and quick intervention in case of an incident is possible.

n Authenticity The access to data must be ensured through adequate authentication only, namely the people must be known and their identity sufficient recognizable / identifiable.

Page 14: SECURITY AS A KEY CHARACTERISTIC OF EBANKING SYSTEMS · SECURITY AS A KEY CHARACTERISTIC OF EBANKING SYSTEMS _____ A CASE STUDY AT THE SWISS BANKING SECTOR ... IFA Internet Facing

  14

n Legal compliance

The security concept needs to ensure to be compliant with legal restrictions and demands for all parties involved. If e.g. a client executes a sale, the transmission of his data at the same time means the legal liability, which accordingly, must be clearly communicated. n Cost

Effectiveness

The economic principal demands for an adequate cost/benefit ration of a security concept.

Graph 5: Requirements for the implementation of a security concept. [Own illustration after Kollmann 2011, p. 241 ff] As already mentioned in the beginning, the aspect of authenticity provides a core focus of this pa-per. Each requirement is, as the field in general, very complex and thus, scope must be reduced due to the restricted length of the thesis. 2.2.3. Major Security threats [whole paragraph after Vieweg et al. 2012, 11]

Different types of threats exist with an adverse influence on the security of data and IT systems. General sources of threats can be (a more detailed view with a core focus on online banking will be given in the case study):

- Force majeure, such as a general blackout, lightning, fire, water, smoke/vapors
- Organizational defects, such as missing or insufficient regulation, inadequate quality management, missing control, unauthorized access
- Technical failure, such as breakdown of the electric power supply or network components, material defects, thermal overheating due to a deficient cooling system, data loss, incompatibility of system components
- Human misbehavior, such as improper use, maloperation, inadequate administration, transmission of wrong data
- Willful acts, such as manipulation, theft, vandalism, misuse of data, malicious software (“malware“ or malcode) such as viruses, worms, Trojans, bots, spyware

Numerous negative effects and risks for computer systems result from the threats listed above. In the case of a defect or a usage restriction of hardware and software, IT processing can only be executed partly or not at all.

The core focus of this thesis embraces the last two categories in the context of eBanking threats. A more detailed view into the major online banking threats of today’s world follows at a later point.

2.2.4. General approach in eBanking Security Management

Security management has become more complex especially as safety concerns have increased considerably. Reasons may be the speed of technical development and the growing interrelatedness of IT systems, also on an international basis, among other factors. In this context the OECD states in a current review [2012] of its security guidelines from 2002: “The threat landscape has evolved in scale and in kind.” Also, very recent developments such as the widespread dispersion of smartphones have increased the risk for banks and other companies, as these devices lead to gaps in internal security management. The phenomenon is known under the term “Bring your own device” (BYOD).


What does the financial institutions’ contribution to security management look like on a technical basis? In order to answer this question, it is crucial to briefly understand the basic process and related key protection measures. According to «eBanking - but secure!», an educational online platform jointly supported by numerous Swiss banks [2012], a financial institution’s challenge is to comprehensively protect its customers’ data and finances. This should happen on the basis of a holistic view, whereby, very simplistically explained, three technical perspectives have to be taken into consideration as key elements of the transaction process:

Graph 6: Comprehensive protection in eBanking [ebankingbutsecure.ch]

1. Secure data storage: Customer data and finances need to be stored securely. It is the responsibility of external inspection bodies and ISO standards to guarantee standardization. “Compared across international standards, Swiss financial institutions provide a very high level of security.” [ibid.]

2. Protected data access: Means of legitimization such as identification numbers, passwords, PINs, mTANs (among others) are meant to be effective obstacles against hacker attacks. Reality has proved that their level of security is not always as high as perceived. Introducing an additional security measure (second identification) allows the bank to further increase online banking security and protects clients against fraudulent payment transactions (e.g. phishing). [Credit-suisse.ch 2013]

3. Secure data transfer: Data are encrypted in order to prevent third parties from viewing them during the transfer between the customer’s computer and the financial institution’s server.

However, even though a major part of security management lies with the provider of eServices, protection is of course not limited to the contribution of financial institutions. On the contrary, adequate security measures at the end point, the customer’s own computer, are of essential importance. As will be explained later in this paper, attackers tend to target the weakest point in the value chain, namely the end user. This is why banks keep on communicating over and over again that clients themselves must pay the necessary attention to security gaps. As clients need to take part of the responsibility, sensitization in order to achieve prevention is a big issue for banks. The use of anti-virus software and a firewall in combination with the latest operating system helps to protect a PC from computer viruses and Trojan horses.

According to Fatima [2011, p. 3], a common mistake made by end users is believing that their online banking session is perfectly safe when they use an SSL connection. “SSL is designed as a secure tunnel from the end user computer to the bank mainframe and does not protect the end points such as the end user’s computer.“ [ibid.] The attacker may be able to install a Trojan, such as a key logger program, on a user’s computer after he visits certain websites and downloads programs. Regular updates of programs are therefore of particular importance in order to prevent an infection. [Credit-suisse.ch 2013]


Security management may also be looked at from a firm-internal perspective; the security of applications embraces many different technical aspects. Successful management demands the consideration of different types of security, such as in particular (among others): [inventage.ch 2013]

- Security of infrastructure
- Authentication
- Application Security
- Software Security

The second aspect is at the core of this paper when describing the actual solutions, respectively for the examination of the case study. Also, these procedures on the client side are easy to assess and thus rather not confidential, as compared to internal details about bank-specific security approaches. OWASP, internationally the most significant “Web application security project“, regularly summarizes the ten most critical security weaknesses of modern applications, whereby weaknesses in the authentication procedure are highly ranked. [owasp.org 2013]

The following matrix is shown to demonstrate how challenging the field of security management is in practical business due to its huge complexity. The graph is based on a CS-internal example of a security framework. It provides an overview of the key activity classes that should be in scope for a holistic security management from an IT department’s point of view and with general regard to software management. It is quickly understood how far-reaching the interconnections are that need to be taken into account and successfully managed. Not to forget – security management for a firm is not only challenging and resource-intensive on the technical side, but embraces much more than the pure solution implementation, such as e.g. the training of clients and employees.

Software Security Framework (SSF)

DOMAIN / PRACTICES

Governance: Strategy & Metrics; Compliance & Policy; Training

Intelligence: Attack Models; Security Features & Design; Standards & Requirements

Secure SW Development: Architecture Analysis; Code Review; Security Testing

Deployment: Penetration Testing; Software Environment; Configuration & Vulnerability Mgmt

Graph 7: Software Security Framework for IT [own illustration adapted from a CS internal source]


2.2.5. Typical threats in eBanking

The following list aims to provide an overview of the most popular frauds in eBanking at the moment (not exhaustive).

Typical technical threats in electronic banking

- Trojans
- Phishing mails
- Malware
- Man-in-the-middle attacks
- Man-in-the-mobile attacks

Graph 8: Typical technical threats in electronic banking

Incidents of all types are regularly reported in the media. Such was the real case several years ago, when customers of the PostFinance Internet service Yellownet received phishing emails from a server in Russia in which they were asked first to click on a link to verify their contact information and then to insert their e-mail address and any security codes for the login. A dozen users could be fooled. At that time not only PostFinance but also other institutes, such as some of the Cantonal Banks, were victims of the attacks, probably due to their use of a paper scratch list or matrix card as identification systems. By then, UBS was one of the earliest to adopt a new electronic solution, namely one based on an offline reader, after suffering from several incidents. [Schweizer Bank 2005]

2.2.6. Situation today – the “Cybercrime market“

In its annual report of 2012 the Cybercrime Coordination Unit Switzerland states: “CYCO is unfortunately experiencing a veritable boom in its activities. Last year 55% more cases were reported than in the previous year[s, going back up to 2008].“ Notable is also the fact that, for the first time, more reports were received of economic crimes (37%) than reports on illegal pornography (33%). This is clearly an alarming trend that can be ascertained when looking at many statistics about IT threats. Already in 2008 the Federal Office of Police (fedpol) pointed out that the general increase of safety standards in ePayment-related fields, such as eBanking, credit cards, etc., naturally leads to an advanced quality of hacking attacks. Thus, the more sophisticated business solutions become, the more cleverly devised the frauds appearing on the “cybercrime market“ will be – a very wicked cyclic effect. At that time a trend became apparent that still applies to today’s reality: attacks are to a large majority based on malware and tend to target the end user devices directly.

The following tendencies can be stated as having further intensified the threat landscape for a while now (among others):

- Increase of the importance of information technology for business processes and financial transactions
- Increase of participants in these processes, increased interconnectedness of systems
- Access to more and more valuable information is possible; hence, the opportunities for fraud, espionage and extortion increase.
- Besides, the emergence of new actors (such as organized crime, states) is rising, whereby the motives and methods of existing players are more and more about monetary gain (profit or commercial know-how transfer)

In the following, a few more detailed characteristics of the last point are given, indicating the enhanced professionalism in the criminal field. An impressive number of participants share the activities of writing malware, operating bot networks, implementing targeted attacks and developing the necessary infrastructure (money mules, etc.). In doing so, actors are very well organized and networked. Almost everything can be organized and purchased on the market. High technical know-how is given – as authors are usually "early adopters" who primarily produce customized malware and prefer exploiting not yet known vulnerabilities. Spammers, phishers or protection racketeers can rent missing technical and non-technical infrastructures. The financial intention is clearly the unifying element that leads to this form of collaboration on a global basis.

To conclude, the cybercrime market is established and highly profitable for the actors. Know-how and the corresponding products are available – the origin of the purchaser is, fatally enough, of no importance as long as the price is right. Enough criminal potential exists. But also for attackers, the question of costs and benefits is essential. Unprofitable targets will be dropped sooner or later. [Source of whole paragraph: CS internal workshop with fedpol]

2.2.7. Common methods of resolution

In the following, an overview of often-used approaches for solving the problem is given. As, generally, the core target lies in avoiding harm from technical threats that are to a large extent already known before incidents happen, the major target of security management is prevention. Besides, other success factors might be the sensitization of users (see case study) as well as a regular monitoring of ongoing trends and newly emerging dangers as a vital part of internal risk management.

The list of banks applying each approach is not exhaustive and is based on an article in an industry publication called “PC Tipp“ from 2011 [Salvisberg 2011, p. 22 ff].

eBanking Security elements

- Signature
- Password
- iTAN
- mTAN
- Security token (device)
- Reauthentication
- Life system
- Access Key (incl. Smartcard)

Graph 9: Common security management elements in eBanking


3. APPLICATION: CASE STUDY

After the general introduction in the first part, mostly on a theoretical basis, the second part of the thesis is all about the practical side of the topic. After a brief statement about Switzerland’s legal framework in the field, the situation of Swiss banking is assessed, giving several key facts and figures regarding cybercrime. Then, the core part of this paper follows in the form of a case study analyzing the security management in eBanking as it is practically managed at Credit Suisse. Thereby, rather than an assessment of technical details and statistics (due to the confidentiality of the topic), a collection of insights of different kinds is given, structured according to the leading research questions. However, a technical insight into the authentication process will be given, based on a blueprint from the perspective of contract solution management.

3.1. Retail eBanking in Switzerland

This chapter aims to set the practical framework for the subsequent case study. With this purpose, the country’s legal background is briefly introduced, followed by a closer look at the cybercrime market in the Swiss banking industry.

3.1.1. Legal background for the Swiss Financial Industry and eBanking Security

According to Swiss law, banks and securities dealers are obliged to protect the confidentiality of client data at all times against exposure to unauthorized persons. This falls under the terms of banking and professional confidentiality on the one hand (“Art. 47 of the Banking Act” and “Art. 43 of the Federal Law on Stock Exchanges and Trading in Securities”) and data protection legislation on the other hand. Hence, during transmissions over open networks such as the Internet (e.g. via an extranet or a Virtual Private Network, VPN), the data must be protected by means of encryption. [EBK 2008] Nevertheless, looking back to 2008, the former Swiss Federal Banking Commission (SFBC) at that time did not set any minimum requirements. The official formulation seems unspecific and thus rather vague, stating that “the institutions governed by the SFBC must, together with their statutory auditors, take steps to determine which encryption procedures and effective methods best protect the confidentiality of the information to be transmitted.” And further: “The technology used should correspond to the latest developments in the field as well as conforming with the relevant international standards” – without any clearer instructions made available for banks. As in many other countries, the regulation of eBanking in Switzerland lags behind the rapid development of the marketplace. [Bösch 2000, p.1] However, existing banks and securities dealers do not need a separate additional permit if they want to expand their business on the Internet. All these aspects may help in explaining the highly diverse landscape encountered in Swiss eBanking security solutions.


3.1.2. Security Threat Situation in Swiss Financial industry

Studies show that it is becoming increasingly difficult to detect attacks early enough. According to a newly published survey by KPMG [2013, p. 47], the greatest danger is seen in mobile telecommunications, namely smartphones or tablet computers. Besides, 92 percent of the Swiss companies affected by eCrime confirm that targeted attacks are increasing. Interestingly, while every second German and one in three Austrian financial service providers reported having been affected by e-crime in the last two years, this is the case in Switzerland for only 16 percent of financial service providers. In the author’s opinion, a possible explanation for this surprising country-specific difference may be found in the Swiss financial institutions’ way of generally dealing very discreetly with an e-crime when it happens.

"If a bank is hacked, we mostly suspect criminal organizations to be the attackers," claims a KPMG risk specialist. The financial industry in particular seems to show rising awareness. But according to the publication, exact figures on the cost of cybercrime are difficult to estimate. However, “prevention is definitely cheaper than cleaning up after the damage.” [tagesanzeiger.ch 2013] Studies are expensive, and the costs and lost revenues, for example through reputational damage or lost market share, quickly amount to millions of Swiss francs. According to KPMG [2013, p.47], 71% of Swiss companies surveyed expect that the risk of eCrime will increase in the next two years. Still, in comparison to other international markets, the head of the Reporting and Analysis Centre for Information Assurance MELANI, Marc Henauer, once assumed "that the Swiss financial institutions in the area of money transactions on the Internet, so, for example, eBanking, are among the safest worldwide.” [NZZ 2008]

3.2. Case Study: The retail eBanking security management approach of CREDIT SUISSE

The whole chapter embracing the case study is based on information from internal and external documents of Credit Suisse as well as on personal discussions with different responsible persons. CS’ friendly agreement provides the valuable opportunity to assess eBanking security management in practice, looking at one of the major players in Swiss banking. The examination is structured according to the main research questions.

3.2.1. Introduction

At Credit Suisse, retail is part of the Private Banking division. It is, though, clearly distinguished from investment banking, which forms a separate division. The bank has offered Online Banking since April 1997. A large number of IT solution providers in Switzerland promise to offer secure and modern online banking solutions and compete for clients, especially the big institutions of the financial industry. It is a highly competitive market in Switzerland due to its considerably small size. Complexity is also added by multiple vendor/service provider relationships that often support eBanking operations. [Fatima 2011, p. 4] This applies in particular to the big Swiss banks, such as Credit Suisse, whose IT landscape consists of a comparatively high number of solutions purchased from external providers.


Subsequently, a brief overview of the eBanking offer of Credit Suisse for the retail segment is given. It is based on the official communication on the bank’s website in order to illustrate which functionalities are promoted to potential clients.

eBanking market offer by Credit Suisse for Private Clients

Accounts & Assets:
- account status
- transaction details of all accounts
- latest information on portfolio or safekeeping account, money market transactions, and Bonviva credit card transactions

Payments:
- issue or process all standard domestic and foreign payment orders
- set recurring payments efficiently using standing orders or templates
- electronic billing (receive bills from multiple vendors directly to the account, where you can review and pay them)

Securities Trading:
- on more than 60 stock exchanges worldwide
- real time processing
- discount up to CHF 25 on each trade

E-Documents:
- receive banking receipts and documents electronically as PDFs

Graph 10: CS eBanking market offer for the Private (retail) Clients segment [own illustration after credit-suisse.com 2013]

3.2.2. Assessment

What does Credit Suisse’s security management strategy with regard to online banking look like?

Internet Facing Applications (IFA) of financial institutions are the regular target of criminal hacker activity. To protect the bank and its clients, and to adhere to recent regulatory requirements, the security of IFA is a top priority for CS. The firm states: “In today’s times where criminal hacker activity is on the rise, it is essential to protect clients from possible account take-overs and fraudulent transfers associated with various forms of malware, man-in-the-middle and other attack vectors.“ A prioritization of standards is indispensable in order to bundle resources. Thus, higher criticality was assigned to the following four categories:

- I Strong authentication
- II End-to-end isolation
- III Secure first point of entry
- IV Fraud detection

Referring to the primary scope of this paper, the first category is primarily in scope.

How does CS briefly assess today’s general situation in Swiss security management?

The current trends in the industry show, on the one hand, a shift in the attack vectors towards more sophisticated combined attacks seeking control of both the web browser of the client and the device used for transaction signing. Thereby, the client is often tricked into signing fraudulent transactions by a skilled manipulation showing a seemingly valid transaction. By phishing, at least part of the needed identification and authentication information can be stolen without a compromise of any part of the IFA or the client’s device.


A second vector for accessing the client’s data is the exploitation of well-known security vulnerabilities in the IFA or in its supporting infrastructure components. Third, the attacker may gain unauthorized access to parts of the client’s data due to misconfigurations of security attributes in the client’s account in the identity management system. On the other hand, traditional attacks like man-in-the-browser or man-in-the-device still persist, as attack kits for this type of attack are commonplace on the market at affordable costs.

What are significant trends related to the field that have been identified by CS?

According to internal sources, two major trends in cybercrime over the past year are worth special attention:

- The industrialization of attack toolkits, i.e., widespread availability and improved usability of toolkits previously reserved to elite hackers. A case in point for CS in 2011 was SpyEye (see footnote 5), a powerful crimeware toolkit that dethroned the previous incumbent Zeus. “What made matters worse at that time was that the source of SpyEye was leaked, driving the price of the toolkit from $10,000 to $95 and thus making it available to a much larger community of hackers.“

- The move to mobile after the widespread introduction of mobile banking by the financial industry. The usual suspect – SpyEye – provides a hybrid desktop-mobile version for siphoning online bank accounts that use SMS technology for authentication and transaction signing.

Regarding this challenging environment, where does CS stand today?

To stay abreast of the continuous evolution of cyber threats, the current defenses for online banking were reviewed in 2011 and a target architecture and approach were created. In a nutshell, the outcome is a reinforcement of existing defenses in addition to a few new mechanisms, notably in the area of authentication. The main feature of the target architecture is that it is, firstly, holistic with several layers of defense and, secondly, modular by making it possible to replace different components and thus allowing for more flexibility. For each layer the current state was identified.

“Security is holistic, with an end-to-end view on threats and the corresponding defenses. This means that single mechanisms, such as authentication tokens, are not sufficient to protect online banking. Instead, there is a need for several defense layers that together can [close] the gaps left by any single mechanism.“ (CS internal source 2011)
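The point of the quotation, that a login token alone does not stop a fraudulent transaction signed through a manipulated browser (the combined attack described above) and that a second layer, transaction signing over the actual payment details as named under Security target II below, closes that gap, as an added example in Python (not Credit Suisse code). The signing device is modelled as an HMAC token with its own display; keys, IBANs and amounts are constructed.

```python
"""Transaction signing against man-in-the-browser manipulation.

Added example, not Credit Suisse code. The second-channel signing device
is modelled as an HMAC token that shows beneficiary and amount on its own
display and signs exactly those values; the bank recomputes the signature
over the payment it actually received. Keys, IBANs and amounts are
constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    beneficiary_iban: str
    amount_rappen: int      # integer minor units avoid float ambiguity
    reference: str


def canonical(p: Payment, challenge: int) -> bytes:
    """Fixed field order and separator so device and bank hash identical bytes."""
    return f"{challenge}|{p.beneficiary_iban}|{p.amount_rappen}|{p.reference}".encode()


def device_sign(device_key: bytes, shown: Payment, challenge: int) -> str:
    """The separate device signs the details it displayed to the user."""
    return hmac.new(device_key, canonical(shown, challenge), hashlib.sha256).hexdigest()


class Bank:
    """Server side: issues a per-transaction challenge and verifies the signature."""

    def __init__(self, device_key: bytes, signing_threshold_rappen: int):
        self._key = device_key
        self._threshold = signing_threshold_rappen  # only high-value payments
        self._issued = 0
        self._consumed = set()

    def new_challenge(self) -> int:
        """Monotonic challenge: binds a signature to one transaction (no replay)."""
        self._issued += 1
        return self._issued

    def accept(self, received: Payment, challenge: int, signature: str = "") -> bool:
        if received.amount_rappen < self._threshold:
            return True                      # low value: login factors suffice
        if not 0 < challenge <= self._issued or challenge in self._consumed:
            return False                     # unknown or already used challenge
        expected = device_sign(self._key, received, challenge)
        if not hmac.compare_digest(expected, signature):
            return False                     # received payment != signed payment
        self._consumed.add(challenge)
        return True


def run_scenario(browser_tampered: bool) -> bool:
    """Constructed scenario: the user intends to pay rent; optionally malware in
    the browser rewrites the beneficiary after the device has signed.
    Returns True if the bank accepted the payment."""
    key = b"constructed-device-key"
    bank = Bank(key, signing_threshold_rappen=100_000)            # CHF 1'000.00
    intended = Payment("CH00 0000 0000 0000 0000 0", 500_000, "rent")   # constructed IBAN
    challenge = bank.new_challenge()
    # The device shows `intended` on its own display; the user confirms and
    # copies the resulting code into the browser.
    signature = device_sign(key, intended, challenge)
    submitted = intended
    if browser_tampered:
        # Man-in-the-browser: the form the bank receives no longer matches
        # what the device displayed and signed, so verification fails.
        submitted = Payment("CH00 9999 9999 9999 9999 9", 500_000, "rent")
    return bank.accept(submitted, challenge, signature)


if __name__ == "__main__":
    print("untampered accepted:", run_scenario(browser_tampered=False))
    print("tampered accepted:  ", run_scenario(browser_tampered=True))
```

The check holds only while the device's display is outside the attacker's control; the combined attack the section describes, which controls both browser and signing device, is exactly the case it cannot cover.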

In a series of workshops with all major stakeholders the components of the target state were agreed. This work was mostly done for the PB online banking platform (Direct Net), with ongoing efforts in the Mobile working group.

The changes can be split into two major categories:

- An upgrade or replacement of existing components, such as the WES infrastructure, the eFDS, or the 2nd channel token.
- Introduction of new components such as risk-based authentication, application firewalls, and anti-malware on the client side.

5 Both SpyEye and Zeus are Trojan horses that masquerade as benign software, but instead steal banking information (hence the name). In addition, they transform compromised computers into bots that spread the respective Trojan further. See appendix for details.


Thereby, “the security architecture is modular with mechanisms assigned to distinguishable layers with clear interfaces, thus providing enough flexibility to have several interchangeable or complementary mechanisms in place.“ An example is the combination of more than one authentication factor as input to the adaptive authentication module.

Graph 11: Current attack vectors on a typical Internet facing application within the financial industry. Indicated in red are the main attack surfaces as seen across the industry in Europe. [Source: CS 2011/2013]

- “The customer layer, not under control of Credit Suisse, will be assessed for its sanity by using anti-malware detection capabilities. The corresponding result can be used in the IFA to assess the riskiness of entered transactions or exposure of customer information.“
- “On the services layer, changes in the organically grown contract management system towards a flexible external user identity management system will be made in order to be able to leverage the new opportunities in the other layers.“

What security precautions are taken to prevent fraud?

The company claims to use exclusively well-tested and established security software. However, as the client PC cannot be controlled, CS, like any other bank, can never guarantee that a Direct Net connection is completely secure. Anyhow, as a perfect security solution does not exist, offering “hundred percent“ security is impossible.

- Authentication

During the Direct Net registration process, a strong authentication technique is used. Namely, the user is identified based on the input of three security features. They consist of the user ID, the password and a number code from the RSA SecurID that changes every minute (readable on a separate token).
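The three-feature login described above, as an added example in Python (not Credit Suisse code): the server checks the user ID, a salted password hash and a one-time code that changes every minute, tolerates a small clock-drift window and refuses a code that has already been used. RSA SecurID uses a proprietary algorithm, so the open TOTP standard (RFC 6238) stands in for it here; user IDs, passwords, secrets and time values are constructed.

```python
"""Server-side check of the three Direct Net security features: user ID,
password and a one-time code from a separate token device.

Added example, not Credit Suisse code. RSA SecurID uses a proprietary
algorithm; the open TOTP standard (RFC 6238) with a 60-second step stands in
for it here. User IDs, passwords and secrets below are constructed.
"""
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 60      # the token code changes every minute
DRIFT_STEPS = 1        # tolerate one step of clock drift in either direction
CODE_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a constructed choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Authenticator:
    """Holds enrolment data and verifies logins; secrets never leave this class."""

    def __init__(self):
        self._users = {}       # user_id -> (salt, password_hash, token_secret)
        self._last_step = {}   # user_id -> last time step whose code was accepted

    def enrol(self, user_id: str, password: str) -> bytes:
        """Registers a user and returns the secret provisioned into the hard token."""
        salt = os.urandom(16)
        token_secret = os.urandom(20)
        self._users[user_id] = (salt, hash_password(password, salt), token_secret)
        return token_secret

    def login(self, user_id: str, password: str, code: str, now: int) -> bool:
        """True only if all three features check out at Unix time `now`."""
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, password_hash, token_secret = record
        # Feature 2: password, compared in constant time via its hash.
        if not hmac.compare_digest(hash_password(password, salt), password_hash):
            return False
        # Feature 3: one-time code, accepted within the drift window.
        if not (code.isdigit() and len(code) == CODE_DIGITS):
            return False
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if hmac.compare_digest(totp_code(token_secret, step * STEP_SECONDS), code):
                # Each step's code is accepted once, so a code captured by a
                # key logger is worthless after the legitimate login.
                if step <= self._last_step.get(user_id, -1):
                    return False
                self._last_step[user_id] = step
                return True
        return False


if __name__ == "__main__":
    auth = Authenticator()
    secret = auth.enrol("CH-000000", "constructed-password")
    now = int(time.time())
    print("login ok:", auth.login("CH-000000", "constructed-password",
                                  totp_code(secret, now), now))
```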


CS Security target I: Strong Authentication

Clients that are accessing Credit Suisse applications that contain secret or confidential data would be asked to on-board to strong authentication. Strong authentication implies that, besides user name and password, clients would use another “strong” authentication factor that meets the following criterion: it sits on a device separate from where the user logs into the application and initiates financial transactions (“dedicated hard token“). In the context of tokens it is crucial to see that the current SecurID and mTAN, both of which suffer from known vulnerabilities, must be replaced. CS looked at different promising new technologies for online and mobile banking security. Two of them, SMS SI and biometrics (the former was indeed chosen as a method and has been implemented for some time), will be commented on later (outlook).

- Data transmission

Next, the data transmission between the customer's PC / browser and Direct Net is protected using 128-bit SSL (secure socket layer). This is a standard, widely used encryption technology with a high safety standard. An additional protection against "phishing" attacks was introduced in late 2007 in the Direct Net application together with MS Internet Explorer 7.x, namely the so-called EV (Extended Validation) protection certificates by VeriSign (“browser EV SSL certificates”). The company assures that it takes any unauthorized entry into its customers’ computer systems or dissemination of viruses very seriously. This is why CS maintains a close collaboration with the federal agencies CYCO and MELANI, to which suspicious Internet content is forwarded immediately for in-depth analysis. Together with other Swiss financial institutions, these results serve as a basis for further solution development and implementation.

CS Security target II: Highly resistant to credentials theft

This aspect includes transaction verification (transaction signing) for high value transactions. It integrates with current Credit Suisse DMZ authentication mechanisms.

What are the major challenges with regard to Online Banking Security Management?

According to an internal statement, user behavior in security aspects must generally be seen as careless and not following the recommended strong security advice. Therefore the user himself must be considered as the weakest link in the security chain. For example, it must be expected that he will reuse the chosen password on other platforms, or share it with other people, or not regularly update his anti-malware software, or use open Wi-Fi networks, etc.

Thus, the bank's objective is, on the one hand, to offer preventive measures by raising awareness in the form of information and training materials. Therefore, Credit Suisse counts on the active contribution of the client. On the other hand, the company seeks to provide very rapid support in case of a cyber attack. Every single case is investigated individually, if necessary by all business areas involved (such as IT Operations, legal services, security management, product management and others). The key question is to clarify whether an infringement of the user's duty of care, as stated in the online banking contract, is at hand. In case an incident is reported, speed and excellent client service are crucial. Thus, a specially trained support team takes over the analysis, following a clearly defined incident handling process. Those measures embrace three steps:

• I Immediate actions: the Direct Net contract, and hence access, is blocked and flagged with a warning; the suspicious payment is immediately analyzed by the investigation team


• II Damage control: Payments Investigations contacts the beneficiary bank; the payment is withdrawn; within one day so-called mobile consultants visit the client at his location

• III Incident handling: if necessary an offence is reported and handed over to public prosecution; the client signs the necessary legal statements; a decision about a possible refund is taken; the account is unlocked and a mailing is sent out to the affected client

Prospective contribution of Credit Suisse to support clients in appropriate online banking handling:

• Behavioral and security code of conduct for users
• Demonstration via web video
• Hotline service
• Training materials
• Classroom courses free of charge

CS has realized what an article by NZZ [2011] underlines: despite the commonly known danger of robbery, elderly people especially are still traveling with large amounts of money. The reason for this does not seem to be primarily founded in security concerns. Instead, many are struggling with the technology of the cashless payment process itself. It was claimed that the real challenge for most people is to learn the proper use of eBanking technologies. This is why Pro Senectute attempts to promote the use of Internet banking with specific courses. And so does CS for a broad target group, in order to foster prevention and stimulate awareness.

What is the matter regarding clients' adoption of Online Banking Security Solutions?

Generally it is recognized that online banking "was hampered by security concerns until widespread adoption of e-commerce, along with the establishment of sites like Amazon and eBay, led to increased comfort levels with the technology." [World Retail Banking Report 2012]

Anyhow, the choice of the appropriate security solutions always involves a trade-off for online banking providers in many respects. One of the major ones is to walk the line between degree of usability and security level. A user expects the best security solution offered by his bank; as the company states: "The most important thing for a user is 'his online banking is secure'." But at the same time he wishes for a security solution that is as 'usable' as possible. Usually, a safer solution is deemed to be more complicated and accordingly leads to more time-consuming handling. In order to support the decision or development process, CS maintains internal usability guidelines for web applications. To summarize the most important security design principles, five aspects are worth mentioning:

• The user's mental model of the security goal must match the implemented security mechanism
• The user is reliably made aware of the security tasks he needs to perform
• The user is able to figure out how to successfully perform those tasks intuitively
• The user is not able to make dangerous mistakes
• The security mechanisms need to be as transparent as possible to the user and should not be in the way of the user's main goals

Today, the number of visitors to CS' Direct Net amounts to over 400'000 per quarter worldwide. Workshops, surveys and focus group studies provide the bank with direct feedback from the target groups about their preferences and expectations. So-called user research is also very valuable for assessing whether a security solution is likely to be adopted by the clients. The following list provides an overview (not exhaustive) of real requirement statements from clients of the retail segment (private clients and private banking) with regard to the security procedure:


• Performance of the system: The client should be able to carry out his transactions as quickly as possible.

• Stability and availability of the system: Both should be as high as possible; it is of vital importance that login is possible at any time.

• Integrated approach: The solution should be unified across all products (e.g. no separate procedure for Banking and eBanking).

• Token: Clients are aware of their importance for security and are willing to adopt them. The device must be portable and small.

• Data privacy: The client wants to be informed about data storage (esp. which data are stored).
• Communication: Adequate and proactive communication is crucial. Particularly in the case of a change, clients need to be provided with all relevant information in order to understand, first, why the system switch is made, second, which actions they have to undertake themselves, and third, in what way the adaptation contributes to better protection of their assets and data.

Interestingly, CS' user research showed that clients' security concerns are not higher for mBanking. The reason might be insufficient awareness of the technical difference between W-LAN, 3G and an Internet connection via cable. Internet access seems to be considered the same regardless of its type.

Outlook: Which improvement projects are planned in the field or already ongoing?

The most important current cross-bank initiative is the replacement of SecurID by the new "SMS Security Procedure" (SMS SP) for Swiss clients. The implementation has been ongoing since 2010. The target is to enhance security in online and mobile banking by means of what is currently one of the safest security solutions on the market. In scope are Swiss private clients and private banking clients with a national cell phone number⁶. Instead of a code shown on a separate token that changes minute by minute, the user now enters a security number he receives on his mobile phone. The background of the switch, pushed by upper management, is the "steady rise in attempted online banking frauds in 2012 with SecurID clients". At the end of last year more than 300'000 clients were still using SecurID worldwide. The following two problems with the former solution can be criticized:

• No transaction signing is possible in the event of suspicious payments, causing an increased security risk for the bank.

• Clients who have not yet switched are exposed to an increased risk of eFraud attacks.

As a result, a new campaign is launched in 2013 to further push clients' switch to the new solution, which is claimed to be more modern. Thereby, data security is not perceived to be an issue, as cell phone numbers are used solely for the purpose of logging in to Direct Net. The following matrix provides a summary of the most important benefits of the SMS SP for both parties.

Advantages for the clients (external):
• More convenience (logon codes are received on the mobile phone; no separate token needs to be carried by the client)
• More control (fraudulent transactions can be detected in good time; possibility for clients to confirm the payment via SMS)
• More security (a control check via SMS in case of doubt is possible and feedback is transmitted very fast)

Advantages for the company (internal):
• More convenience (logon codes are received on the mobile phone)
• Cost advantages (no additional charges incurred)
• Client satisfaction (positive feedback from clients using the procedure)

Graph 12: Advantages of the SMS Security Procedure according to a bank-internal perspective. [Source: CS 2011, own illustration]

⁶ The new procedure does not apply to C & IC clients and clients resident outside Switzerland.
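To make concrete what separates a login-only code (as with SecurID) from the transaction signing listed above, here is an added example; it is not part of the thesis and not Credit Suisse's code. It is a bank-side Python sketch written for this edit: the confirmation code is an HMAC over a fresh nonce and the exact payment details, the out-of-band message carries beneficiary and amount so the client can spot a manipulated payment before confirming, and each code is single-use and time-limited. The class and function names, the server secret, the sample accounts and the sample IBAN are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    """The details the bank will actually execute; every field is part of the signature."""
    debit_account: str
    beneficiary_iban: str
    amount_chf: int


def mask_iban(iban: str) -> str:
    """Show only the start and end of an IBAN in the out-of-band message."""
    return iban[:4] + "..." + iban[-4:]


class TransactionSigner:
    """Bank-side transaction signing (constructed example, not any bank's real code).

    A challenge binds a random nonce to one Payment. The 6-digit code sent to the
    client's phone is an HMAC over nonce and payment, so it cannot be used for a
    different payment, cannot be replayed, and expires after ttl_seconds.
    """

    def __init__(self, server_secret: bytes, ttl_seconds: int = 300, clock=time.time):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so the demo is deterministic
        self._pending = {}             # challenge_id -> (issued_at, nonce)

    def _code_for(self, nonce: bytes, p: Payment) -> str:
        msg = b"|".join([nonce, p.debit_account.encode(),
                         p.beneficiary_iban.encode(), str(p.amount_chf).encode()])
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def challenge(self, p: Payment) -> tuple:
        """Start signing for p; returns (challenge_id, text to send to the client's phone)."""
        nonce = secrets.token_bytes(16)
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = (self._clock(), nonce)
        code = self._code_for(nonce, p)
        sms = (f"Confirm payment of CHF {p.amount_chf} to {mask_iban(p.beneficiary_iban)} "
               f"with Code {code}. If these details are not yours, do not enter the code.")
        return challenge_id, sms

    def verify(self, challenge_id: str, p: Payment, submitted_code: str) -> bool:
        """True only for the exact payment the challenge was issued for, once, in time."""
        entry = self._pending.pop(challenge_id, None)   # consumed even on failure
        if entry is None:
            return False                                # unknown or already used
        issued_at, nonce = entry
        if self._clock() - issued_at > self._ttl:
            return False                                # expired
        return hmac.compare_digest(self._code_for(nonce, p), submitted_code)


def demo() -> dict:
    """Run the four cases a reviewer cares about; returns {case: accepted?}."""
    now = [1_000_000.0]                                  # fake clock
    signer = TransactionSigner(b"constructed-server-secret", ttl_seconds=300,
                               clock=lambda: now[0])
    legit = Payment("CH-ACC-0001", "CH9300762011623852957", 250)    # constructed sample
    altered = Payment("CH-ACC-0001", "CH0000000000000000000", 250)  # beneficiary swapped
    results = {}

    cid, sms = signer.challenge(legit)
    code = sms.split("Code ")[1][:6]                     # what the client reads off the phone
    results["legitimate"] = signer.verify(cid, legit, code)
    results["replay"] = signer.verify(cid, legit, code)  # same challenge a second time

    cid, sms = signer.challenge(legit)
    code = sms.split("Code ")[1][:6]
    results["altered_beneficiary"] = signer.verify(cid, altered, code)

    cid, sms = signer.challenge(legit)
    code = sms.split("Code ")[1][:6]
    now[0] += 600                                        # ten minutes pass
    results["expired"] = signer.verify(cid, legit, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the binding: a code issued for one beneficiary and amount is worthless for any other payment, which is exactly what a per-minute SecurID code cannot provide. Showing the masked beneficiary in the message is what lets the client refuse a payment that browser malware has rewritten.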

As already mentioned, CS looks at different promising new technologies for online and mobile banking security. With regard to a general outlook into the future of the field, another interesting method should not be left unmentioned: biometrics use biological or behavioral traits of human users to either identify or authenticate them. In the context of online and mobile banking security, biometrics are heavily discussed as they can play the role of additional primary or secondary authentication factors, given the prevalence of sensors (such as the camera or microphone) in personal devices.

Potential benefits for the clients:
• More user-friendliness (remembering a password is much harder than e.g. smiling)
• More binding of the login to the user (passwords can be easily shared)

Potential challenges:
• Accuracy of pattern recognition (heavily depends on the environment)
• Privacy concerns
• Need for additional processing power and storage space

Graph 13: Advantages of the SMS Security Procedure from a bank-internal perspective. [Source: CS 2011, own illustration]

Given the promise of this technology, CS started different studies to understand its viability for online and mobile banking, such as a master thesis project with the EPFL. The following illustration shows exemplary traits (behavioral and biological).

Behavioral traits:
• Voice
• Typing rhythm
• Dynamic signature
• Eye movement

Biological traits:
• Fingerprint
• Face topography
• Vein structure
• Iris structure

Graph 14: Overview of biometric factors [Source: CS 2011, own illustration]

How does the application of CS' eBanking authentication solution look today?

The following blueprint provides an overview of the eBanking authentication solution of Credit Suisse as it was documented several years ago. It is designed from a contract management perspective and is therefore organized around the so-called EBVV, which stands for "Electronic Banking Vermögensverwaltung". As more details would have gone too far into the confidential area of bank-internal security, no closer level of aggregation has been chosen. Besides, it is assumed that the graph containing common security approaches speaks for itself. (See next page for the graph.)


Graph 15: The eBanking authentication solution of CS' EBVV architecture (own illustration based on internal sources of 2008)

[Architecture diagram not reproduced in the text. Zones shown: Internet, Intranet, HOST. Elements shown: Direct Net; External client; Diff. server (e.g. SecurMail); EBVV HTML client; EBVV DB; Internal client; Automatic contract generation; Service letters; Credential letters (e.g. user PIN); Reportings and statistics; Token authentication (SecurID); Customer authentication (WES SLS); Secure Web Entry Service (WES SES); Applications; Application authorization enforcement; Corba services. Numbered flows between the elements: 1. Automatization, 2. Info, 3. Update (administration), 4. Authentication.]


4. CONCLUSIONS

4.1. Summary and Conclusions

For more than a decade eBusiness has been one of the fastest growing economic fields for many different types of marketers. The financial industry too, typically very much characterized by the personal service encounter via branches, is experiencing a fundamental transformation. Factors such as the rising importance of information technologies together with the general cost pressure have drastically impacted the banking business. As pointed out in the first part of this paper, rapid technical development, among other factors, has significantly increased complexity in the field of security management. In parallel, the threat landscape has evolved dramatically in recent times and remains a major issue for all kinds of eBusiness providers. The situation is especially challenging for providers of financial eServices due to the confidentiality of their business data.

After clarifying basic theory in eBanking and security management (such as vocabulary and classifications), a closer look at the general situation in Switzerland was taken. Typical security frauds in eBanking were examined and the most common security solutions explained, with a special focus on authentication.

A case study in the banking sector provided the core topic of the second part of the paper. It assessed practical security management by a multinational Swiss bank with regard to retail eBanking. This was done on the basis of several research questions and a broad mix of internal sources which, for reasons of confidentiality, could not go into much business detail. Once more it was shown that successful data protection is key for eBanking providers and their clients. However, the field is still gaining even more weight, also for Credit Suisse, as the complexity of the threat landscape continuously increases on a global basis.

The case study has clearly underlined the topic's internal complexity beyond the technical aspects. It seems that banks tend to switch comparatively late to more modern solutions, no earlier than when attacks rise significantly. Reasons for this may be found in the immense budgets needed for the implementation of new solutions, the sign-off from top management being based on reported incidents, and the actual risk of reputational loss. So the typical dilemma in security management will remain, as implementation always lags behind the threat market. Naturally, for big banks the implementation is very resource intensive and time consuming, whereas the market as well as smaller providers are able to act much more agilely. However, big efforts of all kinds can be observed to continuously improve eBanking security. The outlook offered unique insights into planned adaptations at CS as well as into important trends, such as mobile banking or the evaluation of biometric solutions.

4.2. Critical Review

Even though a very delicate topic is in focus, many interesting aspects of practical security management in eBanking from a Swiss provider's perspective could be given in this paper. But it seems logical that a single case study does not provide a representative sample. However, a bottom-up and hence more qualitative examination, rather than a statistical, quantitative point of view, can often give important hints for additional research.

As applies in this case, a key challenge in assessing very complex fields is to decide on the breadth of the study's scope. In order to start with and provide a well-founded example for future enrollment, the decision underlying this paper was to go for a rather large and thus holistic view of security management. This is highly related to the author's non-technical background. Anyhow, many consecutive research questions result from the paper, offering a valuable source also for projects


following a closer and more technical scope. Further steps could, for example, be the closer assessment of single security processes and accordingly the proposition of possible improvements. However, the paper's aim to provide an overview of the most important security concerns and to illustrate them by a practical eBanking example could successfully be achieved. The case study is ready to be rolled out for other banks as part of future research. Even if based on a written questionnaire, this would ensure the replicability of data.

4.3. Outlook

From a macro perspective, IT security continues to be a core issue for banks. "The aspects of data security and privacy are of extreme importance, since in the long run the data processing systems will be even more established in all areas of life." [Vieweg et al. 2012] This is why the authors of the book "Data user – How client data revolutionize the economy" [Bloching et al. 2012] claim the following trend: today, successful data-based marketing provides a big chance for differentiation from competitors. On the contrary, in about ten years at the latest, collecting customer data and the ability to evaluate them intelligently will constitute nothing more than a hygiene factor. Companies all over the world have to get ready for that, especially when pushing electronic banking. Due to their massive amount of sensitive data this applies particularly to multinational banks.

When looking at the technical future of eBanking, two trends for security measures can be stated: first, mobile banking from a rather short-term point of view, and second, biometric solutions, which are expected to be implemented for retail in the long term at a later point. The branch and the Internet continue to have the highest customer experience levels. However, mobile is approaching them. It is notable that customer satisfaction for mobile banking has in fact improved significantly since 2011 (from 44% in 2011 to 58% in 2012). [Global Consumer Banking Survey 2012] According to the World Retail Banking Report [2012] the mobile channel has high potential for improving overall levels of positive customer experience. Current trends indicate that adoption of mobile banking may evolve in a similar way as Internet banking did. Besides, other channels are about to be further developed for the distribution of financial services in the future, for example television ("TV-banking").

Besides mobile banking, biometrics is another hot topic in eBanking. Five years ago the NZZ claimed: "And because the anxiety in Swiss banking is growing, more security will soon be granted through biometric security elements" (2008). Even though today the regular use of biometrics in eBanking in Switzerland is still not the case, banks such as Credit Suisse are evaluating their potential and are convinced that these techniques will sooner or later be integrated into daily authentication processes in order to be able to compete with the cybercrime market. An internal master thesis project together with the EPFL came to the conclusion that biometric measures are, at the current state, not yet ready to be rolled out for Credit Suisse on a global basis.

A key challenge for banks lies in following an integrated strategic approach regarding online activities. Electronic banking will no longer remain merely "another" distribution channel. Its increasing market share necessarily leads to a shift from a functional view to more holistic management. As cost pressure and fallen margins in the financial sector will further enhance competition, Swiss banks have to look out for online business models. "Schweizer Bank", an industry magazine, notes: "New players, such as online brokers, will make them an increasing part of the ancestral business dispute." eBanking should no longer be seen as a complementary component only, but more and more must be part of a multichannel strategy, as Schweizer Versicherung [2010] pointed out as well. Innovative eBanking services can offer a chance for differentiation. It was stated that the degree of innovation regarding that matter in Switzerland is low, as the margins in retail business still seem to be comparatively high. [Binnendijk 2011, p. 3] However, security in (retail) eBanking will keep on being a key success factor for banks. Their solutions compete in a global market, not only with regard to customers but also to fraud.


One may assume that the general economic pressure naturally leads firms towards a search for different approaches and a rising tendency to bundle efforts. For a couple of years a trend towards open architectures has seemed notable (following the «Best-in-Class» principle, products are bought wherever the best price is offered). IT companies are strong drivers of the trend, such as Swisscom IT Services. The aim of their recent takeover of the IT outsourcing business of Entris Banking is to further bundle the eBanking activities of different providers. With this acquisition the Swisscom subsidiary responds to the needs of the banks, which in today's times of cost and margin pressure, besides increasing regulatory requirements and complexity, seem to be concerned with sourcing strategies. (ictk.ch 2013) Still, it seems that at least the larger Swiss banks are mostly characterized by a "monolithic" system. Exceptions may be found, such as the interesting example of the collaboration of ZKB and other cantonal banks that already started a decade ago. Instead of each region having its own procedure, the initiative aimed to roll out the sophisticated online banking solution across all regions. [NZZ 2001] The legal dimension remains another challenge as it lags behind the market's circumstances. Due to the rapid development in online banking, as generally in electronic commerce, present models of regulation are increasingly becoming obsolete [see Meier 2013]. The movement towards the legal recognition of eServices will continue.


5. BIBLIOGRAPHY

[Basel Committee on Banking Supervision 2007] Risk Management Principles for Electronic Banking. 2007. Available: http://www.bis.org/publ/bcbs98.pdf, last accessed on May 7, 2013.

[Binnendijk V. 2013] Binnendijk, Valentin: Customer Experience im Retail Banking. Executive summary, 2011. Available: http://cx.stimmt.ch/wp-content/uploads/2012/04/ExecutiveSummary_Masterarbeit_Binnendijk.pdf, last accessed on May 7, 2013.

[Bösch 2000] Bösch, Rolf: E-Banking. Homburger Rechtsanwälte, Zürich 2000. Available: http://www.homburger.ch/fileadmin/publications/E-Banking_in_Switzerland_-_Ren__B_sch_mit_Sandro_Abegglen_und_Mark-Oliver_Baumgarten_2000.pdf, last accessed on May 7, 2013.

[Credit Suisse 2013] Available: https://www.credit-suisse.com/ch/privatkunden/onlinebanking/en/directnet/ihre_vorteile/index.jsp, last accessed on May 7, 2013.

[CYCO 2012] Cybercrime Coordination Unit Switzerland CYCO: Annual Report 2012. Available: http://www.fedpol.admin.ch/content/dam/data/kobik/Berichte/2008-12/rechenschaftsbericht-2012-e.pdf

[Daniel, E.] Daniel, Elizabeth: The provision of electronic banking services in the UK and Scandinavia. Journal of Financial Services Marketing, Vol. 4, No. 4, Cranfield 2000, pp. 319–330. Available: http://oro.open.ac.uk/15954/2/, last accessed on May 7, 2013.

[Digiplanet.com 2013] Definition of Retail banking. Online wiki, 2013. Available: http://www.digplanet.com/wiki/Retail_banking, last accessed on May 7, 2013.

[EBK 2008] Häufig gestellte Fragen. EBK, Finma archive, 2008. Available: http://www.finma.ch/archiv/ebk/d/faq/faq4.html#4A, last accessed on May 7, 2013.

[Ernst and Young] Retail Banking 2020. Eine Studie von Ernst & Young und der Universität St. Gallen über den Bankenmarkt Schweiz. Press release, St. Gallen 2012. Available: http://www.ey.com/Publication/vwLUAssets/Retail_Banking_2020_Studie/$FILE/20121210_Pressemitteilung_final.pdf, last accessed on May 7, 2013.

[Essevale 2007] Business Knowledge for IT in Retail Banking: The Complete Handbook. Essevale Corporation Limited, first edition, 2007. Available: http://books.google.ch/books?id=lkkGaIr3DQkC&printsec=frontcover&hl=de#v=onepage&q&f=false, last accessed on May 7, 2013.

[Fatima, A.] Fatima, Amtul: E-Banking Security Issues – Is There A Solution in Biometrics? Journal of Internet Banking and Commerce, Vol. 16, No. 2 (2011), pages unknown. Available: http://www.arraydev.com/commerce/JIBC/2011-08/Fatima.pdf, last accessed on May 7, 2013.

[Inventage.com 2013] E-Banking offering, 2013. Available: http://www.inventage.com/e-banking-de.html, last accessed on May 7, 2013.


[Jans D.] Jans, David: «Kassensturz» hackt E-Banking-Konten. Test, 2011. Available: http://www.srf.ch/konsum/themen/geld/kassensturz-hackt-e-banking-konten, last accessed on May 7, 2013.

[Karjaluoto H.] Karjaluoto, Heikki: Electronic Banking in Finland – Consumer Beliefs, Attitudes, Intentions, and Behaviors. Jyväskylä 2002. Available: https://jyx.jyu.fi/dspace/bitstream/handle/123456789/13218/9513911675.pdf, last accessed on May 7, 2013.

[KPMG 2013] KPMG Studie 2013. Forensic. e-Crime - Computerkriminalität in der deutschen Wirtschaft mit Kennzahlen für Österreich und Schweiz, 2013. Available: http://www.kpmg.de/docs/Studie_e-Crime_sec%282%29.pdf, last accessed on May 7, 2013.

[KPMG 2011] Mit E-Banking gegen Überfälle – Mit Prävention und Kursen sollen Senioren besser geschützt werden. 2. März 2011. Available: http://www.nzz.ch/aktuell/zuerich/stadt_region/mit-e-banking-gegen-ueberfaelle-1.9738979, last accessed on May 7, 2013.

[MELANI 2007] Melde- und Analysestelle Informationssicherung MELANI: Checkliste "Sicheres e-Banking", 05.02.2007. Available: http://www.melani.admin.ch/dienstleistungen/00132/00148/?lang=de, last accessed on May 7, 2013.

[NZZ 2001] Boni, Rendite und soziale Verpflichtungen – Ein Gespräch mit dem künftigen CEO der Kantonalbank. 26. September 2001. Available: http://www.nzz.ch/aktuell/startseite/article7NRAL-1.480361, last accessed on May 7, 2013.

[NZZ 2008] Die Krise brachte uns neue Kunden. 2. November 2008. Available: http://www.nzz.ch/aktuell/startseite/die-krise-brachte-uns-neue-kunden-1.1204833, last accessed on May 7, 2013.

[NZZ 2008] Der Bankschalter zu Hause. 2. November 2008. Available: http://www.nzz.ch/aktuell/startseite/der-bankschalter-zu-hause-1.1204845, last accessed on May 7, 2013.

[Rüesch, S.] Rüsch, Stefan: Online Banking: Schweizer Banken mit Nachholbedarf. Schweizer Bank, May 2010. Available: http://www.schweizerversicherung.ch/de/artikelanzeige/artikelanzeige_print.asp?pkBerichtNr=181084, last accessed on May 7, 2013.

[Salvisberg, G.] Salvisberg, Gabriela: E-Banking aber sicher. In: PC-Tipp, issue unknown, Aug. 2011, pp. 22–29. Available: http://www.oneconsult.com/downloads/1108-PCtipp-eBanking-Salvisberg.pdf, last accessed on May 7, 2013.

[tagesanzeiger.ch 2013] Schweizer Wirtschaft fürchtet private Notebooks am Arbeitsplatz. 26.03.2013. Available: http://www.tagesanzeiger.ch/digital/internet/Schweizer-Wirtschaft-fuerchtet-private-Notebooks-am-Arbeitsplatz/story/18285623, last accessed on May 7, 2013.

[tagesanzeiger.ch] Virenscanner mit grossen Schwächen. 22.03.2013. Available: http://www.tagesanzeiger.ch/digital/internet/Virenscanner-mit-grossen-Schwaechen/story/12292783, last accessed on May 7, 2013.


[tagesanzeiger.ch] Kamen die Hacker-Angriffe gegen Südkorea aus China? 21.03.2013. Available: http://www.tagesanzeiger.ch/ausland/asien-und-ozeanien/Kamen-die-HackerAngriffe-gegen-Suedkorea-aus-China/story/21586599, last accessed on May 7, 2013.

[OECD 2012] Review of the 2002 Security Guidelines, 2nd edition, 2012. Available: http://www.oecd.org/sti/ieconomy/Security%20guidelines%20review.pdf, last accessed on May 7, 2013.

[OWASP 2013] The Open Web Application Security Project (OWASP): Top 10 list, 2013. Available: https://www.owasp.org/index.php/Top_10_2013-Top_10, last accessed on May 7, 2013.


6. APPENDIX

6.1. Hybrid SpyEye in a nutshell [whole paragraph after a CS internal source]

SpyEye is a powerful botnet management toolkit, active since 2009 and known for its capability to attack online banking systems. The newest attack on mobile platforms (Android) has been available since July 2011 and works as follows:

1. The attacker compromises the user's desktop browser, steals his online banking login credentials and tricks him into downloading an Android application that purportedly protects against SMS hijacking.

2. Once the user installs the malware on his phone, all SMS are rerouted to the attacker's network.

3. With all login credentials in hand, the attacker logs into the user's online banking account and changes the registered phone number for transaction verification.

4. The attacker can now safely execute fraudulent transactions and sign them using SMS from the new phone number.
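The chain above turns on one weak point: the registered verification number can be changed with the same stolen credentials that authorize payments. A defender-side control for that, added here as an illustration and taken neither from the thesis nor from any bank's systems, is to treat a change of the verification number as a sensitive event that must itself be confirmed via the previous number, and to hold payments that follow an unconfirmed change for a cooling period. The Python below applies such a rule to a constructed event log; the event shape, the 48-hour window, the CHF 1'000 threshold and the user names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One row of a constructed eBanking event log (shape assumed for this example)."""
    ts: datetime
    user: str
    kind: str                       # "phone_changed" or "payment"
    detail: dict = field(default_factory=dict)


COOLING_PERIOD = timedelta(hours=48)   # assumption: how long a number change stays "fresh"
HIGH_VALUE_CHF = 1000                  # assumption: amount that gets a manual look anyway


def review_payments(events, cooling=COOLING_PERIOD, threshold=HIGH_VALUE_CHF):
    """Return {payment_id: reason} for payments that should be held rather than executed.

    Rule 1: a payment within `cooling` after a verification-number change that was
            not confirmed via the previous number is held (the SpyEye pattern above).
    Rule 2: a high-value payment within `cooling` after a change that *was* confirmed
            is still flagged for review, since that confirmation may have been coerced.
    """
    last_change = {}                    # user -> (changed_at, confirmed_via_old_number)
    holds = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "phone_changed":
            last_change[ev.user] = (ev.ts, bool(ev.detail.get("confirmed_via_old_number")))
        elif ev.kind == "payment":
            change = last_change.get(ev.user)
            if change is None:
                continue                # no recent change on record for this user
            changed_at, confirmed = change
            if ev.ts - changed_at > cooling:
                continue                # change is old enough to trust
            if not confirmed:
                holds[ev.detail["payment_id"]] = (
                    "payment within cooling period after unconfirmed verification-number change")
            elif ev.detail["amount_chf"] >= threshold:
                holds[ev.detail["payment_id"]] = (
                    "high-value payment shortly after verification-number change")
    return holds


def sample_events():
    """Constructed log: alice shows the SpyEye pattern, bob a legitimate change, carol no change."""
    t0 = datetime(2013, 5, 1, 9, 0)
    return [
        # alice: number changed with stolen credentials, never confirmed via the old number
        Event(t0, "alice", "phone_changed", {"confirmed_via_old_number": False}),
        Event(t0 + timedelta(minutes=5), "alice", "payment", {"payment_id": "P1", "amount_chf": 900}),
        Event(t0 + timedelta(hours=20), "alice", "payment", {"payment_id": "P2", "amount_chf": 4500}),
        # bob: changed his number properly, then a small payment
        Event(t0, "bob", "phone_changed", {"confirmed_via_old_number": True}),
        Event(t0 + timedelta(hours=1), "bob", "payment", {"payment_id": "P3", "amount_chf": 120}),
        # bob: high-value payment inside the window after a confirmed change -> review
        Event(t0 + timedelta(hours=2), "bob", "payment", {"payment_id": "P4", "amount_chf": 2500}),
        # carol: large payment, no number change at all
        Event(t0 + timedelta(hours=3), "carol", "payment", {"payment_id": "P5", "amount_chf": 9000}),
        # alice: payment long after the window closed
        Event(t0 + timedelta(days=3), "alice", "payment", {"payment_id": "P6", "amount_chf": 50}),
    ]


if __name__ == "__main__":
    for pid, reason in review_payments(sample_events()).items():
        print(pid, "->", reason)
```

Run stand-alone it lists P1, P2 and P4 with their reasons. The rule is deliberately simple so that the point stays visible: once the verification channel can be re-pointed from inside a stolen session, a second factor on the new channel proves nothing, so the change itself has to be anchored to the old channel or to a waiting period the attacker cannot skip.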