Safe Internet Banking – Secure internet banking



Abbreviations
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
SSL - Secure Sockets Layer
TLS - Transport Layer Security
URL – Uniform Resource Locator
TCP - Transmission Control Protocol

Phishing-
A phishing technique was described in detail in 1987, and (according to its creator) the first recorded use of the term "phishing" was made in 1995. The term is a variant of "fishing", probably influenced by "phreaking", and alludes to the "bait" used in the hope that the potential victim will "bite" by clicking a malicious link or opening a malicious attachment, after which their financial information and passwords may be stolen.
Phishing is a problem faced by banking institutions worldwide. It is an attempt to 'fish' for your banking details, for example through an e-mail that appears to come from your bank. Please note that banks will never ask for a confidential password, login ID or any other such data.
The most common mistake, made even by highly educated people and computer experts, is to reply with their account ID, passwords and other account information. A moment's thought shows why this is wrong: the bank already has these details and has no need to ask for them by e-mail.
Phishing Techniques-
Spear Phishing
Phishing attempts directed at specific individuals or companies are termed spear phishing. Attackers may first gather personal information about their target to increase their probability of success.
Precautions
1.      Never respond to an email asking for your bank account details.
2.      Always bear in mind that your bank will never ask for your account details.
3.      Always bear in mind that your bank already has these details.
4.      Immediately report such emails to your bank branch and the anti-phishing department of your bank, preferably by forwarding the mail in its original form or attaching a screenshot.
5.      After reporting the matter to your bank, delete the mail.
    

Clone Phishing
In this type of phishing attack a legitimate, previously delivered email (which may contain an attachment or a link) has its content and recipient address copied to create an almost identical cloned email. The attachment or link within the email is replaced with a malicious version and the mail is then sent from an email address spoofed to appear to come from the original sender. It may also claim to be a re-send of the original or an updated version of it. This can be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust that comes from both parties having received the original email.
Precautions
Banks and their websites are the usual targets here, and banks have staff to combat such attacks. The individual user's job is to treat any unexpected "re-send" or "updated version" of an earlier mail with suspicion, to check that the sender address exactly matches the original, and to confirm with the sender by phone before opening the attachment or following the link.
Whaling
Phishing attacks directed specifically at senior executives and other high-profile targets within businesses are termed whaling.
Example
In this type of phishing the attacker stands to gain a great deal if he is successful. Typically two senior executives are targeted. For example, "India & co." has business relations with "America & co." and frequently transfers money to account No-1111111111 of "America & co." at New York. The attacker, having obtained the details of "America & co."'s account, sends an email to "India & co." claiming that "we ("America & co.") are establishing a new business office at London" (or gives some other reason), and that in future all payments should be made to account no-2222222222 at London.
Precautions
In such cases the mishap is easily avoided by confirming the change with the client on a telephone number already on file, through an email address already known to be genuine, or by visiting the client's website. Never use contact details supplied in the suspicious email itself, since those belong to the attacker.

Link manipulation

In most cases some kind of technical deception is used to make a link in an e-mail appear to belong to the genuine organization while actually leading to the destination desired by the phisher. Common tricks are misspelled URLs and the use of subdomains. In the example URL http://www.thedibank.comp.com/, at first sight it appears that the link will take you to the thedibank website; actually the registered domain is comp.com, and "thedibank" is merely a subdomain (i.e. the phishing section) of that site, controlled by whoever owns comp.com. Nowadays everybody is in such a hurry that they do not read the complete URL; they see the name of their bank and click immediately without thinking. The safe habit is to read the host name, the part between http:// and the first single "/", from right to left: the labels at the right-hand end are the ones that identify the owner, and they must be exactly your bank's domain.
A further problem with URLs has been found in the handling of internationalized domain names (IDN) in web browsers, which may allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding this flaw, known as IDN spoofing or the homograph attack, phishers have taken advantage of a similar risk by using open URL redirectors on the websites of trusted organizations to disguise malicious URLs behind a trusted domain. Even digital certificates do not solve this problem, because a phisher can quite easily purchase a valid certificate for a look-alike domain of his own and then put up content that spoofs the genuine website; a certificate proves only that you are connected to the domain named in it, not that the domain belongs to your bank.
Precautions
See under spear phishing.
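The subdomain trick, the IDN/homograph problem and the open-redirector trick described under Link manipulation can all be checked mechanically before a link is clicked. The following is an added example written for this page (not code from the original or from any bank): it takes a link and returns the reasons it should not be trusted as the bank's own. The domain thedibank.com is assumed to be the bank's real domain, since the page uses "thedibank" only as a placeholder, and the sample links are constructed; none of the hosts in them are real. The "registrable domain" is approximated as the last two labels, which is enough for the .com names here but not for names such as bank.co.in.

```python
from urllib.parse import urlparse, parse_qs

# Assumed real domain of the bank; "thedibank" is the page's placeholder name,
# so this value is an assumption for the demonstration, not a real bank.
BANK_DOMAIN = "thedibank.com"


def registrable_domain(host):
    """Approximate the registrant-controlled domain as the last two labels.

    Adequate for the .com-style names used here; production code should
    consult the Public Suffix List so that names like bank.co.in work too.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url, bank_domain=BANK_DOMAIN):
    """Return the reasons a link should NOT be trusted as the bank's own.

    An empty list means every check here passed; it does not prove the link
    is safe, only that the tricks described in the text are absent.
    """
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    bank_name = bank_domain.split(".")[0]

    if parsed.scheme != "https":
        reasons.append("not https")

    # IDN spoofing / homograph: non-ASCII characters or punycode (xn--) labels.
    if any(ord(c) > 127 for c in host) or any(
            label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalized hostname (possible homograph)")

    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain name")
    elif registrable_domain(host) != bank_domain:
        # Subdomain trick: the bank's name is present, but the part that the
        # registrant actually controls (the last two labels) is someone else's.
        if bank_name in host:
            reasons.append("bank name used as a subdomain of " + registrable_domain(host))
        else:
            reasons.append("domain %s is not %s" % (registrable_domain(host), bank_domain))

    # Open redirector: a query parameter whose value is itself a URL to a
    # different domain, so the trusted domain only bounces you elsewhere.
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                if registrable_domain(inner.hostname) != bank_domain:
                    reasons.append("redirects to " + inner.hostname)
    return reasons


if __name__ == "__main__":
    # Constructed sample links; none of these hosts are real.
    for link in ("https://www.thedibank.com/login",
                 "http://www.thedibank.comp.com/",
                 "https://www.thedibank.com/go?url=http%3A%2F%2Fevil.example%2F",
                 "https://www.xn--thedbank-n3a.com/"):
        print(link, "->", check_link(link) or "no obvious tricks")
```

The redirector check is the one most often forgotten: the link really does go to the bank's domain, and only the bank's own redirect page sends the browser on to the attacker's site.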
Software Installation –
Sometimes you will receive an email with an attachment. The bank's logo/monogram and style will be the same as if it had been received from your bank. You will be instructed to install the software for the sake of improvement in speed and service. Never open such attachments, and report the matter immediately; otherwise your balance may be zero within minutes, because the "software" is a trojan that immediately sends your account details, including the password and user ID, to the phisher. A genuine bank does not send software as an email attachment.
Precautions
See under spear phishing.
Safety Measures to be taken by banking websites
https - Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network. It is simply the Hypertext Transfer Protocol (HTTP) layered on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. HTTPS provides authentication of the web site and the associated web server that one is communicating with, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with (as opposed to an imposter), provided one has read the domain name in the address bar carefully, and ensures that the contents of communications between the user and site cannot be read or forged by any third party. HTTPS says nothing about the honesty of the site itself: a phisher can run a look-alike domain over HTTPS just as easily.
VeriSign - a certificate authority whose certificates have been the ones most widely used by banking websites (its certificate business was sold to Symantec in 2010); the company itself has faced controversies including domain seizures and legal cases. (Visit - http://en.wikipedia.org/wiki/Verisign)
SSL - The Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet. SSL has been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most web server products. Developed by Netscape, SSL gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until it evolved into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network, or between program layers in the same computer. SSL/TLS uses public-key cryptography (historically the RSA system of Rivest, Shamir and Adleman) together with a digital certificate to authenticate the server and agree on session keys, and then a symmetric cipher to encrypt the actual data.
How secure are our banks
Most banks, other than the State Bank group, do not use HTTPS with a VeriSign SSL certificate on their main websites; some use these measures only on their net banking sites. On this measure the State Bank group websites are the most secure.

Green URL

It is important to know how a user can identify whether a site has these security arrangements or not. It is very simple: when we open the site, the site's URL bar (the space where we write the address) turns green and a locked padlock sign appears. The padlock means the browser has verified a valid certificate for the domain shown in the address bar; the green bar additionally means the certificate is an Extended Validation (EV) certificate, for which the certificate authority checked the identity of the organization. Note that an ordinary padlock can appear on a phisher's own look-alike domain too, so always read the domain name next to the padlock as well.
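The padlock described above is the browser's summary of a certificate check. The following added example, written for this page and not code from the original or from any bank, shows what that check actually consists of: the certificate's DNS names are matched against the host name using the usual wildcard rule (a "*" may replace only the whole leftmost label), and the expiry date is compared with the clock. The certificate dictionary is constructed in the layout that Python's ssl.SSLSocket.getpeercert() returns; the host names and the issuer in it are placeholders. The inspect_site() function runs the same check against a live site and needs network access.

```python
import socket
import ssl
import time

# Constructed certificate in the dict layout returned by getpeercert().
# "thedibank.com" and "Example CA" are placeholders, not a real bank or CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.thedibank.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "www.thedibank.com"), ("DNS", "*.thedibank.com")),
}


def _dns_match(pattern, hostname):
    """Match one certificate name against a host name, label by label.

    A wildcard must be the entire leftmost label and must leave at least two
    fixed labels, so "*.thedibank.com" covers "login.thedibank.com" but
    neither "thedibank.com" nor "a.b.thedibank.com".
    """
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert, hostname):
    """True if the host name is covered by the certificate's DNS names."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without SAN fall back to the CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, hostname) for n in names)


def cert_status(cert, hostname, now=None):
    """Summarize what the padlock vouches for: who issued it, for which
    host, and whether it is still valid at time `now` (seconds since epoch)."""
    now = time.time() if now is None else now
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    return {
        "issuer": issuer.get("organizationName"),
        "hostname_ok": hostname_matches(cert, hostname),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
    }


def inspect_site(host, port=443):
    """Fetch and check a live site's certificate (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_status(tls.getpeercert(), host)


if __name__ == "__main__":
    print(cert_status(SAMPLE_CERT, "www.thedibank.com"))
    print(cert_status(SAMPLE_CERT, "www.thedibank.comp.com"))
```

Note that the subdomain trick from Link manipulation fails the host-name check here only because the certificate is the bank's; the owner of comp.com can obtain a perfectly valid certificate for www.thedibank.comp.com, and the padlock will then appear. The check proves which domain you reached, nothing more.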

Security measures adopted by banks

In inter-bank/intra-bank transactions.

These are reasonably secure transactions. All the banks are very cautious and have made arrangements as under -

Creation of beneficiary/third party

No one can transfer an amount to another account holder, within his own bank or in another bank, until a beneficiary/third party has been created. It is a safe procedure: you have to submit the particulars of the client, the bank first verifies the beneficiary/third party, and only then allows you to transfer the money. The whole procedure is password/one-time-password protected and reasonably safe.

One Time Password

In most banks you can transfer up to a certain amount (about Rs 19,999/-) directly, but if you transfer an amount above it (about Rs 20,000/- or more) you will receive a one time password (OTP) on your registered mobile phone, which must be entered to complete the transfer. This is an important security layer for high value transactions, since an attacker who has obtained your login password still cannot complete the transfer without your phone.

SMS Alert

Immediately after the transfer request you will receive an SMS alert on your registered mobile phone. Read these alerts: an alert for a transfer you did not make is the earliest sign that your account has been compromised.

Transactions outside banks

In these transactions the beneficiaries are mostly private business companies and Government or private offices, so banks are unable to do more, though each such transaction is protected by a one time password irrespective of the amount involved. However, try to avoid these transactions as far as possible.


Important Tips
1.      Change your passwords frequently.
2.      Never share your password with others.
3.      Do not log in to your internet banking account more often than necessary.
4.      Never use a date of birth, a child's name or any popular name as your password.
5.      Always use a strong password: a combination of letters, digits and special characters such as @$#&%. Some banks (the State Bank group) allow additional special signs in passwords; use them.
6.      Always use the virtual keyboard (the keyboard that appears on the screen).
7.      Never use the same password for more than one account.
8.      Transactions within the bank and from one bank to another are comparatively safer than payments to private business firms.
9.      Always install reliable anti-virus software and keep it updated.
10.  Try to avoid transacting from a computer other than your own, i.e. from an internet café or a friend's or relative's house. If you must do so in unavoidable circumstances, change all your passwords as soon as you are back at your own computer.
11.  If you receive an unusual email, i.e. one asking for your account/password details or asking you to run any software, never act on it; report the matter immediately to your bank branch and the anti-phishing department of your bank.
12.  Never save your banking password in your internet browser.
13.  If your bank's URL does not start with https, be cautious; the site is not safe.
14.  If the padlock sign does not appear next to your bank's URL, be cautious; the site is not safe.
15.  If your bank's URL bar does not turn green, be cautious; the site may not be the one it claims to be (see Green URL above).
Virtual Keyboard
This keyboard appears on your screen when you log in. In a physical keyboard each key (technically a micro switch) has an electronic circuit under it, and every key sits at a fixed position that never changes. An attacker who has infected your computer can install a keylogger, software that records every physical key you press, and so capture your password. This does not work against a virtual keyboard operated with the mouse, because no key presses are generated, and most banks' virtual keyboards also change the positions of the keys each time you log in, so the mouse coordinates alone do not reveal the password. Be aware that more advanced malware can capture the screen around each mouse click, so the virtual keyboard is a defence against simple keyloggers, not a substitute for a clean, up-to-date computer.
Note: This is based on my knowledge and experience. Everybody is at liberty to follow it or not, and I do not hold any responsibility whatsoever under any condition.
