Internet Banking Authentication Methods in Nigeria Commercial Banks


O.B. Lawal (corresponding author: lawal5@yahoo.com), Computer Science Department, Olabisi Onabanjo University Consult, Ibadan, Nigeria
A. Ibitola, Department of Computer and Information Science, Lead City University, Ibadan, Nigeria
O.B. Longe (longeolumide@fulbrightmail.org), Department of Computer Science, University of Ibadan, Ibadan, Nigeria

ABSTRACT

The electronic banking and payment services of commercial banks are recognised by the Central Bank of Nigeria (CBN). Despite the early stage of electronic banking in Nigeria, banks are already offering various financial services through the internet. In order to protect customers' vital information and identities over the internet, necessary and standard multifactor authentication measures should be in place to avoid financial losses. The purpose of this study is to find out the multifactor authentication (MFA) methods used by the banks, evaluate the type of security mechanism adopted and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. The study also addressed the conduct of risk-based assessments and customer awareness programmes. The study was conducted on all twenty (20) currently operating commercial banks in Nigeria.

Keywords: Two-factor authentication, internet banking, authentication factor, strong authentication, web security

Reference Format: O.B. Lawal, A. Ibitola & O.B. Longe (2013). Internet Banking Authentication Methods in Nigeria Commercial Banks. Afr J. of Comp & ICTs. Vol 6, No. 1. Pp

1. INTRODUCTION

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints [1]. Multifactor authentication (MFA) is a system wherein two or more different factors are used in conjunction to authenticate [1].
Using more than one factor is sometimes called strong authentication. A process that solicits multiple answers to challenge questions as well as retrieving something you have or something you are is considered multifactor [2]. True multifactor authentication requires the use of solutions from two or more of the three categories of factors; using multiple solutions from the same category does not constitute multifactor authentication [2].

Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to protect customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputational damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.

Wikipedia, the free online encyclopaedia, defines internet banking as follows: "Online banking (or Internet banking or E-banking) allows customers of a financial institution to conduct financial transactions on a secure website operated by the institution, which can be a retail or virtual bank, credit union or building society." Also, Hazell and Raphael [8] described it as a number of ways in which customers can access their banks without having to be physically present at a bank branch.

Authentication schemes, according to Sumathi and Esakkirajan [6], are the mechanisms that determine whether a user is who he or she claims to be. Authentication can be carried out at the operating system level or by the RDBMS. The database administrator creates an individual account or user name for every user [7]. In addition to these accounts, users are also assigned passwords.

2. COMPLIANCE REGULATION

In August 2003, the Central Bank of Nigeria (CBN) [1] issued guidance entitled Guidelines on Electronic Banking in Nigeria. The guidance focused on the future conduct of financial institutions (the commercial banks) in e-banking and electronic payment delivery. It applies to both retail and commercial customers and does not endorse any particular technology [1]. Financial institutions (banks) should use this guidance when evaluating and implementing authentication systems and practices, whether they are provided internally or by a service provider. Although the guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities. The CBN recommends a minimum of a two-factor authentication process for all user access to the services provided, which could include high-risk transactions involving access to customer information or the movement of funds to other parties [1].
Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks [1].

2.1 Standards on Protocols

The CBN guidance [1] states that banks must take additional steps to ensure that, whilst the web ensures global access to data enabling real-time connectivity to the bank's back-end systems, adequate measures are in place to identify and authenticate authorized users while limiting access to data as defined by the Access Control List. Banks are required to ensure that unnecessary services and ports are disabled. In line with the CBN [1] guidance on Standards on Protocols, banks adopt current and reliable security measures to authenticate and protect customers' information while transacting on their websites. Oceanic Bank [13], on its website, says: "Security for communications and transactions over the internet is important for both Oceanic Bank and our customers, and we'd like to let you know that the Internet Banking security system has been selected by us following extensive research." While the Internet is generally an unsecured network, it may be made secure through the implementation of process controls and infrastructure components [13].

2.2 Standards on Delivery Channels

In line with the CBN requirement, standards are placed on the banks' delivery channels. The major ones are:

i. Mobile Telephony

Mobile phones are increasingly being used for financial services in Nigeria. Banks are enabling customers to conduct some banking services such as account inquiry and funds transfer [1]. Therefore the following guidelines apply:

a. Networks used for transmission of financial data must be demonstrated to meet the requirements specified for data confidentiality, integrity and non-repudiation.
b. An audit trail of individual transactions must be kept.

ii. Automated Teller Machines (ATM)

In addition to the guidelines on e-banking in general, the following specific guidelines (among others) apply to ATMs:

a. Networks used for transmission of ATM transactions must be demonstrated to meet the guidelines specified for data confidentiality and integrity.
b. In view of the demonstrated weaknesses of magnetic stripe technology, banks should adopt chip (smart card) technology as the standard. For banks that have not yet deployed ATMs, the expectation is that chip-based ATMs would be deployed.

iii. Internet Banking

Banks should put in place procedures for maintaining the bank's website, which should ensure the following [1]:

- Banks must ensure that the Internet Service Provider (ISP) has implemented a firewall to protect the bank's website where hosting is outsourced.
- Banks should ensure that installed firewalls are properly configured, institute procedures for continued monitoring, and ensure that maintenance arrangements are in place.
- Banks should ensure that summary-level reports showing website usage, transaction volume, system problem logs, and transaction exception reports are made available to the bank by the web administrator.
- Website information and links to other websites should be verified for accuracy and functionality.

3. INTERNET BANKING SERVICE

Apart from the conventional banking practice where customers must be physically present at the bank branch, information technology has made possible a new way of banking known as online banking (or internet banking) [1]. This is a service whereby customers carry out banking transactions on the internet from the comfort of their homes or offices using a personal computer (PC). Interested customers are profiled and given a set of log-in details (username/password) as first-factor authentication. With this authentication, customers are able to make account enquiries and view transaction history. When attempting a third-party transfer and/or third-party payment on the internet, another password is requested from the user to verify the genuineness of the customer and the safety of the transaction. This second password request is the second-factor authentication on which this study is based [12].

3.1 SECURITY MECHANISMS

There are general security mechanisms for database systems. However, the increasing accessibility of databases on the public internet and private intranets requires a reanalysis and extension of these approaches (Connolly and Begg [7]).
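As an added example, not taken from the paper or from any bank's system, the following Python policy engine models the flow of section 3 (account enquiry on the first factor only, third-party transfers and payments only after a second factor) together with two controls the paper mentions elsewhere: the preset transaction limit that requires manual intervention (section 8) and an audit trail of attempted transactions. Factors are counted by category as the introduction defines MFA, so a password plus a PIN still satisfies only one category. The operation names, the naira limits and the customer are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    """The three factor categories used in the paper's definition of MFA."""
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Credential type -> factor category. A password and a PIN are both knowledge
# factors, so together they satisfy only one category (constructed mapping).
FACTOR_CATEGORY = {
    "password": Category.KNOWS,
    "pin": Category.KNOWS,
    "otp_token": Category.HAS,
    "fingerprint": Category.IS,
}

# Operation -> (distinct categories required, amount above which the transaction
# is held for manual intervention; None = no limit). Tiers follow the paper;
# the limits are constructed for this example, not values from the paper.
POLICY = {
    "balance_enquiry": (1, None),
    "transaction_history": (1, None),
    "intra_bank_transfer": (2, 500_000),
    "third_party_transfer": (2, 500_000),   # NEFT transfer to another bank
    "third_party_payment": (2, 200_000),
}


@dataclass
class Session:
    user: str
    verified: set = field(default_factory=set)   # credential types verified so far

    def categories(self) -> set:
        return {FACTOR_CATEGORY[c] for c in self.verified}


@dataclass
class Decision:
    status: str     # "allowed", "step_up_required", "manual_review" or "denied"
    reason: str


class AuthorizationEngine:
    def __init__(self) -> None:
        # One entry per attempted transaction: the audit trail the guidelines require.
        self.audit_trail: list = []

    def authorize(self, session: Session, operation: str, amount: int = 0) -> Decision:
        policy = POLICY.get(operation)
        have = len(session.categories())
        if policy is None:
            decision = Decision("denied", f"unknown operation {operation!r}")
        else:
            required, limit = policy
            if have < required:
                decision = Decision("step_up_required",
                                    f"{required} factor categories needed, session has {have}")
            elif limit is not None and amount > limit:
                decision = Decision("manual_review",
                                    f"amount {amount} exceeds preset limit {limit}")
            else:
                decision = Decision("allowed", "policy satisfied")
        self.audit_trail.append({
            "user": session.user, "operation": operation, "amount": amount,
            "factors": sorted(session.verified), "status": decision.status,
        })
        return decision


def demo() -> list:
    """Walk one constructed customer through the flow; returns the decision statuses."""
    engine = AuthorizationEngine()
    alice = Session("alice", {"password"})                   # first factor only
    s1 = engine.authorize(alice, "balance_enquiry").status  # allowed on one factor
    s2 = engine.authorize(alice, "third_party_transfer", 50_000).status   # needs step-up
    alice.verified.add("pin")                                # second secret, same category
    s3 = engine.authorize(alice, "third_party_transfer", 50_000).status   # still one category
    alice.verified.add("otp_token")                          # something the user has
    s4 = engine.authorize(alice, "third_party_transfer", 50_000).status   # now allowed
    s5 = engine.authorize(alice, "third_party_transfer", 750_000).status  # over the limit
    return [s1, s2, s3, s4, s5]


if __name__ == "__main__":
    print(demo())
```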
There are various identified mechanisms employed by many organisations such as banks, but for the purpose of this study only encryption, digital certificates and firewalls are evaluated. Other security mechanisms in a web environment are proxy servers, Kerberos, Secure Electronic Transactions (SET), Java security, ActiveX security, etc.

i. Encryption

Secure Sockets Layer (SSL) encryption is a secure communication protocol that encrypts client information during transmission over the Internet. It is one of the strongest encryption technologies available today, providing server authentication and ensuring that all data transferred over the Internet is encrypted to protect it from being disclosed to eavesdroppers. It also ensures that any attempt by hackers to tamper with the information will be detected [14]. Another protocol for transmitting data securely over the web that the banks employ is Secure HTTP (S-HTTP), a modified version of the standard HTTP protocol. By convention, a web page that requires an SSL connection starts with https instead of http [15].

The study discovered that two modes of encryption are in use among Nigerian commercial banks: 128-bit and 256-bit SSL. While some banks, such as Zenith, GTB, Oceanic and others, use 128-bit SSL, a few others such as Skye Bank and Standard Chartered use 256-bit SSL. This can be recognised in the address bar, which starts with 'https'; a padlock symbol will also be noticed at the bottom of the browser [13]. This encryption technology ensures that data passing between the customer's computer and the bank is secure and that customer accounts cannot be accessed by anyone else online [16].

ii. Digital Certificate

Connolly and Begg [7] define a digital certificate as an attachment to an electronic message used for security purposes, most commonly to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
For compliance and security reasons, all the banks applied and signed up for digital certificates to send encrypted messages. Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defence against phishing and similar attacks [7]. The use of shared secrets such as digital images is another technique: image recognition and selection is used to identify the genuineness of the customer. This method is in use on the Enterprise Bank website [18].

iii. Firewall

When the web server has to be connected to an internal network, for example to access the company database, firewall technology can help to prevent unauthorised access, provided it has been installed and maintained correctly [18]. A firewall is a system designed to prevent unauthorised access to or from a private network. It was gathered from the study that all the banks install robust firewalls to protect their internal systems (intranet) and customers' information against intrusion from the internet [19].

4. ADOPTION

Nigeria's slow adoption of electronic banking practice is rapidly changing for the better [21]. According to Adeyemi [22], cited in Aderonke and Charles [21], awareness of electronic payments in Nigeria is increasing, and they accounted for N360 billion worth of transactions in 2008 [22].

In securing customer data through access control, it is assumed that all bank customers fall in the same user group: they can all perform similar operations after gaining access to the bank's domain through the internet. Customers on an internet banking platform can make balance enquiries, check transaction details, make payments and transfer funds within the same bank. Customers can now also transfer funds from their bank account to any other bank in Nigeria through the Nigeria Inter-Bank Settlement System's (NIBSS) Nigeria Electronic Fund Transfer (NEFT).

5. AUTHENTICATION METHODS

There is a variety of technologies and methods financial institutions can use to authenticate customers [4]. These methods include: customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), tokens such as USB plug-ins, transaction profile scripts, biometric identification and others [4]. The authentication methods adopted by Nigerian banks are passwords, PINs, tokens and one-time passwords. The level of risk protection afforded by each of these techniques varies. The selection and use of authentication technologies and methods should depend upon the results of the financial institution's risk assessment process [2]. Existing authentication methodologies involve three basic factors:

- Something the user knows (e.g., password, PIN);
- Something the user has (e.g., ATM card, smart card, token); and
- Something the user is (e.g., a biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods [5]. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows), whereas an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., the PIN). A multifactor authentication methodology may also include out-of-band controls for risk mitigation [5].

i. Shared Secrets

Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity. Passwords and PINs are the best known shared secret techniques, but some new and different types are now being used as well [2]. The security of shared secret processes can be enhanced with a requirement for periodic change. Shared secrets that never change are described as static, and the risk of compromise increases over time. The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate [2].

ii. Tokens

Fig. 1: Tokens

Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. The hardware consists of a key fob with an LCD screen. A code is displayed on the screen and changes frequently, usually every 60 seconds. The device generates codes based on a 128-bit encryption seed. When this number is fed to a server that has a copy of that seed, it is used as an additional verification alongside the other login data [2]. There are three general types of token: the USB token device, the smart card, and the password-generating token. It was gathered from the study that only the password-generating token is in use by the banks [9].

Password-Generating Token

A password-generating token produces a unique passcode, also known as a one-time password (OTP), each time it is used. The token ensures that the same OTP is not used consecutively. The OTP is displayed on a small screen on the token [2]. The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the password on the authentication server. A new OTP is typically generated every 60 seconds, or every 30 seconds in some systems; this very brief period is the life span of that password. OTP tokens generally last 4 to 5 years before they need to be replaced. Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging [2].

The two aforementioned methods of two-factor authentication (2FA) are the ones basically in use by commercial banks in Nigeria. There are other methods in use globally, such as USB token devices, smart cards, biometrics, out-of-band authentication and mutual authentication [2].
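As an added illustration of the password-generating token flow described above (example code, not from the paper or any bank), the following Python implements time-based OTP generation in the style of RFC 4226/6238 with a seed shared between token and server, and a server-side check that verifies the regular password first, tolerates one step of token clock drift, and rejects an OTP that has already been consumed. The customer name, password and the 20-byte seed are constructed; the seed is the RFC 4226 test secret, so the values can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time step (30 s or 60 s on real tokens)."""
    return hotp(seed, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor: store a salted PBKDF2 hash, never the regular password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Customer:
    salt: bytes
    password_hash: bytes    # hash of the regular password (something the user knows)
    seed: bytes             # server's copy of the token seed (something the user has)
    step: int = 30
    last_counter: int = -1  # highest time step already accepted; used to block OTP replay


class AuthServer:
    """Checks the regular password, then the token OTP, mirroring the two-step flow above."""

    def __init__(self, drift_steps: int = 1) -> None:
        self.customers: Dict[str, Customer] = {}
        self.drift_steps = drift_steps  # tolerate +/- one step of token clock drift

    def enrol(self, username: str, password: str, seed: bytes, step: int = 30) -> None:
        salt = os.urandom(16)
        self.customers[username] = Customer(salt, hash_password(password, salt), seed, step)

    def verify_otp(self, c: Customer, otp: str, now: int) -> bool:
        current = now // c.step
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= c.last_counter:
                continue  # this OTP (or a later one) was already consumed: reject replay
            if hmac.compare_digest(hotp(c.seed, counter), otp):
                c.last_counter = counter
                return True
        return False

    def authenticate(self, username: str, password: str, otp: str,
                     now: Optional[int] = None) -> bool:
        c = self.customers.get(username)
        if c is None:
            return False
        now = int(time.time()) if now is None else now
        # Password first, so a wrong password cannot burn a valid OTP; a single
        # yes/no result avoids telling the caller which of the two factors failed.
        if not hmac.compare_digest(hash_password(password, c.salt), c.password_hash):
            return False
        return self.verify_otp(c, otp, now)


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test seed, made-up customer and password.
    seed = b"12345678901234567890"
    server = AuthServer()
    server.enrol("alice", "correct horse battery", seed)
    now = int(time.time())
    code = totp(seed, now)
    print("first use:", server.authenticate("alice", "correct horse battery", code, now))  # True
    print("replayed :", server.authenticate("alice", "correct horse battery", code, now))  # False
```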

Table 1: First Factor Authentication and Security Mechanisms Employed by Nigerian Commercial Banks

S/N  Bank                 Log-in Password  Encryption (SSL)  Online Certificate  Firewall
1    Access Bank          Yes              128-bit           Yes                 Yes
2    Citibank             Yes              128-bit           Yes                 Yes
3    Diamond Bank         Yes              128-bit           Yes                 Yes
4    Ecobank              Yes              128-bit           Yes                 Yes
5    Enterprise Bank      Yes              128-bit           Yes                 Yes
6    FCMB                 Yes              128-bit           Yes                 Yes
7    Fidelity Bank        Yes              128-bit           Yes                 Yes
8    First Bank           Yes              128-bit           Yes                 Yes
9    GTBank               Yes              128-bit           Yes                 Yes
10   Keystone Bank        Yes              128-bit           Yes                 Yes
11   Main Street Bank     Yes              128-bit           Yes                 Yes
12   Skye Bank            Yes              256-bit *         Yes                 Yes
13   Stanbic IBTC         Yes              128-bit           Yes                 Yes
14   Standard Chartered   Yes              256-bit *         Yes                 Yes
15   Sterling Bank        Yes              128-bit           Yes                 Yes
16   Union Bank           Yes              128-bit           Yes                 Yes
17   UBA                  Yes              128-bit           Yes                 Yes
18   Unity Bank           Yes              128-bit           Yes                 Yes
19   Wema Bank            Yes              128-bit           Yes                 Yes
20   Zenith Bank          Yes              128-bit           Yes                 Yes
* 256-bit SSL

Table 1 above lists the banks, the first-factor authentication (the customer's username and password), and the security mechanisms employed to safeguard the banks' resources and customers' identities. A combination of encryption, digital certificates and robust firewalls is employed by all the banks in compliance. Also, as the table shows, all banks adopted 128-bit SSL encryption except Skye and Standard Chartered, which use the higher 256-bit SSL encryption mode.

Table 2: Second Factor Authentication Methods Adopted by the Commercial Banks (columns: S/N, Bank, Hardware Token, PIN)

1 Access Bank; 2 Citibank; 3 Diamond Bank; 4 Ecobank; 5 Enterprise Bank; 6 FCMB; 7 Fidelity Bank; 8 First Bank; 9 GTB; 10 Keystone Bank; 11 Main Street Bank; 12 Skye Bank; 13 Stanbic IBTC; 14 Standard Chartered; 15 Sterling Bank; 16 Union Bank; 17 UBA; 18 Unity Bank; 19 Wema Bank; 20 Zenith Bank
TOTAL: Hardware Token 10; PIN 10

Table 2 above lists the banks and the 2FA method each adopted. Banks using the hardware token number 10 (50%), and banks using the PIN also number 10 (50%).

6. RISK ASSESSMENT

The implementation of appropriate authentication methodologies should start with an assessment of the risk posed by the institution's Internet banking systems. The risk should be evaluated in light of the type of customer (e.g., retail or commercial); the customer's transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of customer information being communicated to both the institution and the customer; the ease of using the communication method; and the volume of transactions [4].

An effective authentication program should be implemented to ensure that controls and authentication tools are appropriate for all of the financial institution's Internet-based products and services. Authentication processes should be designed to maximize interoperability and should be consistent with the financial institution's overall strategy for Internet banking and electronic commerce customer services. The level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application [4].

A comprehensive approach to authentication requires development of, and adherence to, the institution's information security standards; integration of authentication processes within the overall information security framework; risk assessments within lines of business supporting the selection of authentication tools; and central authority for oversight and risk monitoring [2]. This authentication process should be consistent with, and support, the financial institution's overall security and risk management programs. The method of authentication used in a specific Internet application should be appropriate and reasonable, from a business perspective, in light of the reasonably foreseeable risks in that application [2].
Because the standards for implementing a commercially reasonable system may change over time as technology and other procedures develop, financial institutions and technology service providers should develop an ongoing process to review authentication technology and ensure appropriate changes are implemented [4]. The study agrees with the CBN, which considers single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties [3]. Single-factor authentication tools, including passwords and PINs, have been widely used for a variety of Internet banking and electronic commerce activities, including account inquiry, bill payment, and account aggregation. However, financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques [3]. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The risk assessment process should:

- Identify all transactions and levels of access associated with Internet-based customer products and services;
- Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
- Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.

7. OPENING ACCOUNT AND CUSTOMER VERIFICATION

With the growth in electronic banking and commerce, financial institutions should use reliable methods of originating new customer accounts online.
Moreover, customer identity verification during account opening is required and is important in reducing the risk of identity theft, fraudulent account applications, and unenforceable account agreements or transactions. Potentially significant risks arise when a financial institution accepts new customers through the Internet or other electronic channels because of the absence of the physical cues that financial institutions traditionally use to identify persons [1]. One method to verify a customer's identity is physical presentation of a proof-of-identity credential such as a driver's licence, international passport or national ID card [1]. Similarly, to establish the validity of a business and the authority of persons to perform transactions on its behalf, financial institutions typically review articles of incorporation, business credit reports, board resolutions identifying officers and authorized signatories, and other business credentials. However, in an Internet banking environment, reliance on these traditional forms of paper-based verification decreases substantially [1]. Accordingly, financial institutions need to use reliable alternative methods.

8. MONITORING AND REPORTING

Monitoring systems can determine if unauthorized access to computer systems and customer accounts has occurred [2]. A sound authentication system should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities. The activation and maintenance of audit logs can help institutions to identify unauthorized activities, detect intrusions, reconstruct events, and promote employee and user accountability. In addition, financial institutions should report suspicious activities to appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act [3]. The CBN guidance [1], under the section Reporting Requirements, states that:

a. Banks are required to render separate returns on their e-banking activities to appropriate regulatory authorities as prescribed by the CBN from time to time.
b. Cases of frauds and forgeries relating to e-banking should be highlighted in the returns on frauds and forgeries.

Banks should rely on multiple layers of control to prevent fraud and safeguard customer information [1]. Much of this control is not based directly upon authentication. For example, a financial institution can analyze the activities of its customers to identify suspicious patterns. Financial institutions can also rely on other control methods, such as establishing transaction limits that require manual intervention to exceed a preset amount [1]. Adequate reporting mechanisms are needed to promptly inform security administrators when users are no longer authorized to access a particular system and to permit the timely removal or suspension of user account access [2]. Furthermore, if critical systems or processes are outsourced to third parties, management should ensure that appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the institution in a timely manner. An independent party (e.g., an internal or external auditor) should review activity reports documenting the security administrators' actions to provide the necessary checks and balances for managing system security.

9. CUSTOMER AWARENESS

Banks have made, and should continue to make, efforts to educate their customers. Because customer awareness is a key defence against fraud and identity theft, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary [1].
Management should implement a customer awareness program and periodically evaluate its effectiveness. Methods to evaluate a program's effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on websites, the number of statement stuffers or other direct mail communications, the amount of losses relating to identity theft, etc. [2]. The study found that all banks are making efforts to educate their customers on how to handle any suspicious attempt on their financial details: to ignore any mail requesting their PIN and/or card details, as the bank would not for any reason request them; not to enter the bank's website from links in their e-mail inboxes; and to access the internet banking portal from a designated web address.

10. RECOMMENDATIONS

(a) According to the CBN guidance [1], banks should introduce logical access controls over the ICT infrastructure deployed. Controls instituted by banks should be tested through periodic penetration testing, which should include but not be limited to:

a. Password guessing and cracking.
b. Searching for back-door traps in programs.
c. Attempts to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks.
d. Checking whether commonly known vulnerabilities in the software still exist.
e. Banks may, for the purpose of such penetration testing, employ external experts.
f. Continuous and regular customer awareness programmes to educate customers.

(b) A further study to evaluate the reliability and effectiveness of each of the two most used two-factor authentication methods, that is, the hardware token and the PIN, is recommended.

11. CONCLUSION

Financial institutions offering Internet-based products and services should have reliable and secure methods to authenticate their customers.
The level of authentication used by the financial institution should be appropriate to the risks associated with those products and services. Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The Central Bank of Nigeria (CBN) considers single-factor authentication, as the only security control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties. It was discovered from the study that all Nigerian banks have adopted and implemented 2FA methods as mandated by the CBN and to meet international standards. The success of a particular authentication method depends on more than the technology; it also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

Three methods were used to gather information for the survey: (1) information from the banks' websites, (2) telephone calls to the e-banking units of some of the banks, and (3) enquiries to customer service officers in some bank branches where information could not be obtained by either of the previous two methods.

REFERENCES

[1] Central Bank of Nigeria: Guidelines on Electronic Banking in Nigeria, August 2003.
[2] Federal Financial Institutions Examination Council (FFIEC) agencies, Authentication in an Electronic Banking Environment.
[3] FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002.
[4] FFIEC Information Technology Examination Handbook, E-Banking Booklet, August 2003.
[5] Basel Committee on Banking Supervision, Risk Management Principles for Electronic Banking. July. Bank for International Settlements.
[6] Sumathi S. and Esakkirajan S. Fundamentals of Relational Database Management Systems, Springer.
[7] Connolly T. and Begg C. Database Systems: A Practical Approach to Design, Implementation and Management. Addison Wesley, Fourth Edition.
[8] Paul Hazell and Ziad Raphael, Internet Banking: Disruptive or Sustaining Technology? Field Project Report submitted to Harvard Business School, Boston, MA.
[9] Adeoye O. S. (2012). Evaluating the Performance of Two-Factor Authentication Solution in the Banking Sector. IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 4, No 2, July. ISSN (Online):
[10]
[11]
[12] DM.asp
[13] corporate/jsp/user/onlinesecurity.htm
[14]
[15] p
[16]
[17] bank/internetbanking
[18]
[19] corporate/jsp/user/onlinesecurity.htm
[20]
[21] Adesina and Charles. An Empirical Investigation of the Levels of User Acceptance of E-Banking in Nigeria. Journal of Internet Banking and Commerce. Vol. 15, No. 1. April.
[22] Ayo, C. K., Adebiyi A. A., Fatudimu I.T., Ekong O.U. (2008). Framework for e-Commerce Implementation: Nigeria a Case Study, Journal of Internet Banking and Commerce, August 2008, vol. 13, no. 2.


More information

Enhanced Security for Online Banking

Enhanced Security for Online Banking Enhanced Security for Online Banking MidSouth Bank is focused on protecting your personal and account information at all times. As instances of internet fraud increase, it is no longer sufficient to use

More information

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication Securing e-government Web Portal Access Using Enhanced Two Factor Authentication Ahmed Arara 1, El-Bahlul Emhemed Fgee 2, and Hamdi Ahmed Jaber 3 Abstract This paper suggests an advanced two-factor authentication

More information

Security Guidelines and Best Practices for Retail Online and Business Online

Security Guidelines and Best Practices for Retail Online and Business Online Best Practices Guide Security Guidelines and Best Practices for Retail Online and Business Online Evolving security threats require the use of evolving controls and methods to protect all transaction activity

More information

Secure Web Access Solution

Secure Web Access Solution Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...

More information