
This raises four issues: authentication, authorisation, data integrity and non-repudiation. Banks typically use a username-password combination to manage the authentication process for retail users and more sophisticated encryption-based mechanisms for corporate customers. Internet bank customers, on their part, must check the validity of the digital certificate assigned to the Web server of the bank. In order to authorise transactions such as fund transfer over the Web, banks usually require additional passwords. For additional security, some banks distribute pager-like devices that are synchronised to their Web infrastructure. They generate temporary security codes that need to be keyed in on the authorisation Web page.
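The time-synchronised code devices described above work on a shared secret and a clock; the following is an added illustration (not from the article, and not any bank's implementation) of how such codes are generated and checked server-side, assuming the device follows the open TOTP scheme (RFC 6238: HMAC-SHA1, 30-second steps, 8-digit codes) and that the bank records the last accepted time step so a code keyed in twice is refused. The secret and timestamps are the RFC's own published test values.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # assumed lifetime of each displayed code
DIGITS = 8          # assumed code length (matches the RFC 6238 test vectors)


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """The code the customer's device shows for a given moment (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step                                   # time step number
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class AuthorisationServer:
    """Bank-side verifier: per-customer shared secret plus the last accepted time step."""

    def __init__(self, secrets: dict, skew_steps: int = 1):
        self._secrets = secrets        # customer id -> shared secret bytes
        self._last_counter = {}        # customer id -> highest time step already used
        self._skew = skew_steps        # tolerated clock drift, in steps, either way

    def verify(self, customer: str, submitted: str, now: int) -> bool:
        secret = self._secrets.get(customer)
        if secret is None:
            return False
        current = now // STEP_SECONDS
        for counter in range(current - self._skew, current + self._skew + 1):
            expected = totp_code(secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):          # constant-time compare
                # A code for this or an earlier step was already accepted: treat as replay.
                if counter <= self._last_counter.get(customer, -1):
                    return False
                self._last_counter[customer] = counter
                return True
        return False
```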
Integrity of the data has two aspects: reliability of the software and prevention of hacking. Non-repudiation deals with establishing a unique digital identity for an individual or a corporate entity. The digital signature — an encryption mechanism — stored on smart cards seems to be the only practical way for ensuring non-repudiation. Incidentally, the Indian cyber law recognises digital signatures.
The prevention of hacking incidents is carried out through network devices such as firewalls and intrusion detection systems. Normally, the computers that host business logic and data are separated from the external world (the Internet) and internal users (the Intranet) through multiple firewalls by creating a demilitarised zone. Many bankers believe leakage of information through internal staff is a more serious threat than that from the external hacking community. Compliance issues also imply secure storage of data for several years.
In order to prevent financial misdemeanours — like tax evasion, and movement of funds emanating from criminal and terrorist activities — security measures must begin at the time of account opening. The rise of e-commerce has given impetus to Web-based payment facilitators (called payment banks in the European Union). These purely Internet banks use software that interacts with the IT infrastructure of brick-and-mortar banks and verifies customer credentials. "Anti-money laundering" and "know your customer" are becoming buzzwords in banking circles.
... contd.