Internet Banking: Risk Analysis and Applicability of Biometric Technology for Authentication




Int. J. Pure Appl. Sci. Technol., 1(2) (2010), pp. 67-78
International Journal of Pure and Applied Sciences and Technology
ISSN 2229-6107
Available online at www.ijopaasat.in

Review Paper

Internet Banking: Risk Analysis and Applicability of Biometric Technology for Authentication

Gunajit Sarma 1 and Pranav Kumar Singh 2,*

1 Department of Humanities and Social Sciences, Central Institute of Technology, Kokrajhar, Assam-783370, India
2 Department of Computer Science & Engineering, Central Institute of Technology, Kokrajhar, Assam-783370, India
* Corresponding author, e-mail: (snghpranav@gmail.com)

(Received: 17-11-2010; Accepted: 3-12-2010)

Abstract: Today's world is one with increasing online access to services. One part of this which is growing rapidly is Internet banking. This is very convenient, and the ready access to the Internet in all first world countries, coupled with the cost savings from closing bank branches, is driving the operation and adoption of these services. Internet banking allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society. This paper focuses mainly on providing banking services to customers over the web with highly secure technology. Implementing technology is the responsibility of management. We highlight the case for using biometric technology in Internet banking systems to manage the risk of banks' regular activities through authentication.

Keywords: Internet banking, Risk analysis, Risk Management, Authentication, Biometrics.

1. Introduction

Today's world is one with increasing online access to services. One part of this which is growing rapidly is Internet banking. Internet banking refers to systems that enable bank customers to access accounts and general information on bank products and services through a personal computer (PC) or other intelligent device. Internet banking products and services can include wholesale products for corporate customers as well as retail and fiduciary products for consumers. Ultimately, the products and services obtained through Internet banking may mirror products and services offered through other bank delivery channels. Some examples of wholesale products and services include cash management, wire transfer, Automated Clearing House (ACH) transactions, and bill presentation and payment. Examples of retail and fiduciary products and services include balance inquiry, funds transfer, downloading transaction information, bill presentation and payment, loan applications, investment activity and other value-added services.

A. Types of Internet Banking

Understanding the various types of Internet banking products will help examiners assess the risks involved. Currently, the following three basic kinds of Internet banking are being employed in the marketplace [2]:

Informational: This is the basic level of Internet banking. Typically, the bank has marketing information about the bank's products and services on a stand-alone server. The risk is relatively low, as informational systems typically have no path between the server and the bank's internal network. This level of Internet banking can be provided by the bank or outsourced. While the risk to a bank is relatively low, the server or website may be vulnerable to alteration. Appropriate controls therefore must be in place to prevent unauthorized alterations to the bank's server or website.

Communicative: This type of Internet banking system allows some interaction between the bank's systems and the customer. The interaction may be limited to electronic mail, account inquiry, loan applications, or static file updates.
Because these servers may have a path to the bank's internal networks, the risk is higher with this configuration than with informational systems. Appropriate controls need to be in place to prevent, monitor, and alert management of any unauthorized attempt to access the bank's internal networks and computer systems. Virus controls also become much more critical in this environment.

Transactional: This level of Internet banking allows customers to execute transactions. Since a path typically exists between the server and the bank's or outsourcer's internal network, this is the highest-risk architecture and must have the strongest controls. Customer transactions can include accessing accounts, paying bills, transferring funds, etc.

B. Growth in Internet Banking

Numerous factors, such as competitive cost, customer service, and demographic considerations, are motivating banks to evaluate their technology and assess their electronic commerce and Internet banking strategies. Many researchers expect rapid growth in customers using online banking products and services. The challenge for national banks is to make sure the savings from Internet banking technology more than offset the costs and risks associated with conducting business in cyberspace. The adoption of Internet banking has increased dramatically during the last few years for the following reasons [2].

Competition: Studies show that competitive pressure is the chief driving force behind the increasing use of Internet banking technology, ranking ahead of cost reduction and revenue enhancement, in second and third place respectively. Banks see Internet banking as a way to keep existing customers and attract new ones to the bank.

Cost Efficiencies: National banks can deliver banking services on the Internet at transaction costs far lower than traditional branches. The actual costs to execute a transaction will vary depending on the delivery channel used. These costs are expected to continue to decline. National banks have significant reasons to develop the technologies that will help them deliver banking products and services by the most cost-effective channels. However, national banks should use care in making product decisions. Management should include in their decision making the development and ongoing costs associated with a new product or service, including the technology, marketing, maintenance, and customer support functions. This will help management exercise due diligence, make more informed decisions, and measure the success of their business venture.

Geographical Reach: Internet banking allows expanded customer contact through increased geographical reach and lower-cost delivery channels. In fact, some banks are doing business exclusively via the Internet; they do not have traditional banking offices and only reach their customers online. Other financial institutions are using the Internet as an alternative delivery channel to reach existing customers and attract new customers.

Branding: Relationship building is a strategic priority for many national banks. Internet banking technology and products can provide a means for national banks to develop and maintain an ongoing relationship with their customers by offering easy access to a broad array of products and services.
By capitalizing on brand identification and by providing a broad array of financial services, banks hope to build customer loyalty, cross-sell, and enhance repeat business.

Customer Demographics: Internet banking allows national banks to offer a wide array of options to their banking customers. Some customers will rely on traditional branches to conduct their banking business. For many, this is the most comfortable way to transact their banking business. Those customers place a premium on person-to-person contact. Other customers are early adopters of new technologies that arrive in the marketplace. These customers were the first to obtain PCs and the first to employ them in conducting their banking business. The demographics of banking customers will continue to change. The challenge to national banks is to understand their customer base and find the right mix of delivery channels to deliver products and services profitably to their various market segments.

2. Internet Banking Risks

Internet banking creates new risk control challenges for national banks. From a supervisory perspective, risk is the potential that events, expected or unexpected, may have an adverse impact on the bank's earnings or capital. Effective management of a bank's regular activities requires that the bank's authorities understand and control the bank's risk culture. Therefore, in this paper we first analyze the various types of risk faced by Internet banking. The following are the various types of risk associated with Internet banking [2].

Credit Risk: Credit risk is the risk to earnings or capital arising from an obligor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether on or off the bank's balance sheet.

Interest Rate Risk: Interest rate risk is the risk to earnings or capital arising from movements in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows. Internet banking can attract deposits, loans and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems, including the ability to react quickly to changing market conditions.

Liquidity Risk: Liquidity risk is the risk to earnings or capital arising from a bank's inability to meet its obligations when they come due, without incurring unacceptable losses. Liquidity risk arises from the failure to recognize or address changes in market conditions affecting the ability of the bank to liquidate assets quickly and with minimum loss in value. Asset/liability and loan portfolio management systems should be appropriate for products offered through Internet banking.
Increased monitoring of liquidity and changes in deposits and loans may be warranted depending on the volume and nature of Internet account activities.

Price Risk: Price risk is the risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. The risk arises from market making, dealing and position taking in interest rate, foreign exchange, equity and commodities markets. Banks may be exposed to price risk if they create or expand deposit brokering, loan sales, or securitization programmes as a result of Internet banking activities. Appropriate management systems should be maintained to monitor, measure, and manage price risk if assets are actively traded.

Foreign Exchange Risk: Foreign exchange risk is present when a loan or portfolio of loans is denominated in a foreign currency or is funded by borrowings in another currency. In some cases, banks will enter into multi-currency credit commitments that permit borrowers to select the currency they prefer to use in each rollover period. Foreign exchange risk can be intensified by political, social or economic developments. Appropriate systems should be developed if banks engage in these activities.

Reputation Risk: Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution's ability to establish new relationships or services. This risk may expose the institution to litigation, financial loss, or a decline in its customer base. A bank's reputation can suffer if it fails to deliver on marketing claims or to provide accurate, timely services. National banks need to ensure that their business continuity plans include the Internet banking business. Regular testing of the business continuity plan, together with communications strategies for the press and public, will help the bank ensure it can respond effectively and promptly to any adverse customer or media reactions.

Transaction Risk: Transaction risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Transaction risk is evident in each product and service offered and encompasses product delivery, transaction processing, system development, computing systems, complexity of products and services, and the internal control environment. A high level of transaction risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored.

Compliance Risk: Compliance risk is the risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank's clients may be ambiguous or untested. Compliance risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts.

Strategic Risk: Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. The risk is a function of the compatibility of an organization's strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals, and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks, and managerial capacities and capabilities. The organization's internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory, and other environmental changes.

3. Risk Management

Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization's information system. Risk management requires two major undertakings: risk identification and risk control.

Continuing technological innovation and competition among existing banking organizations and new entrants have allowed a much wider array of banking products and services to become accessible and delivered to retail and wholesale customers through an electronic distribution channel collectively referred to as Internet banking. However, the rapid development of Internet banking carries benefits as well as risks. Implementing technology is the responsibility of management. Therefore, financial institutions should apply a technology risk management process to enable them to identify, measure, monitor, and control their technology risk exposure. Risk management of new technologies has three essential elements:

a. The planning process for the use of the technology.
b. Implementation of the technology.
c. The means to measure and monitor risk.

In the analysis above we have seen that Internet banking faces various types of risk. Of these, the most important is transaction risk. Transaction risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products and services. National banks that offer bill presentation and payment will need a process to settle transactions between the bank, its customers, and its external parties. In addition to transaction risk, settlement failures could adversely affect reputation, liquidity and credit risk. Therefore, to control such types of risk, banks have used various types of technology. Biometric technology is one of the most important technologies for risk management as well as for the security of Internet banking. Biometric technology is applied to authentication. Authentication means a way to verify the buyer's identity before payments are made. So, in this paper we highlight the applicability of biometric technology for authentication.

4. Introduction to Biometrics

Biometrics, which refers to automatic recognition of people based on their distinctive anatomical (e.g., face, fingerprint, iris, retina, hand geometry) and behavioral (e.g., signature, gait) characteristics, could become an essential component of effective person identification solutions because a biometric is an individual's bodily identity. Biometrics is an enabling technology with the potential to make our society safer, reduce fraud and lead to user convenience. Biometric technologies should be considered and evaluated giving full consideration to the following characteristics:

Universality: Every person should have the characteristic. People who are mute or without a fingerprint will need to be accommodated in some way.
Uniqueness: Generally, no two people have identical characteristics. However, identical twins are hard to distinguish.
Permanence: The characteristics should not vary with time. A person's face, for example, may change with age.
Collectability: The characteristics must be easily collectible and measurable.
Performance: The method must deliver accurate results under varied environmental circumstances.
Acceptability: The general public must accept the sample collection routines. Nonintrusive methods are more acceptable.
Circumvention: The technology should be difficult to deceive.

A. TYPES OF BIOMETRICS:

There are two types of biometrics: behavioral and physical.

Behavioral biometrics: Used for verification.
Physical biometrics: Used for either identification or verification.

Physical biometrics:
Fingerprint - Analyzing fingertip patterns.
Facial Recognition - Measuring facial characteristics.
Hand Geometry - Measuring the shape of the hand.
Iris Recognition - Analyzing features of the colored ring of the eye.
Vascular Patterns - Analyzing vein patterns.
Retinal Scan - Analyzing blood vessels in the eye.
Bertillonage - Measuring body lengths (no longer used).

Behavioral biometrics:
Speaker Recognition - Analyzing vocal behavior.
Signature - Analyzing signature dynamics.
Keystroke - Measuring the time spacing of typed words.

5. Applicability of Biometrics in Internet Banking for Authentication

Utilizing biometrics for Internet banking is becoming convenient and considerably more accurate than current methods (such as the utilization of passwords or PINs). This is because biometrics links the event to a particular individual (a password or token may be used by someone other than the authorized user), is convenient (nothing to carry or remember), accurate (it provides for positive authentication), can provide an audit trail and is becoming socially acceptable and inexpensive.

A. Advantages of Using Biometrics

Using biometrics for identifying human beings in Internet banking offers some unique advantages, given as follows:

Biometrics can be used to identify you as you. Tokens, such as smart cards, magnetic stripe cards, photo ID cards, physical keys and so forth, can be lost, stolen, duplicated, or left at home. Passwords can be forgotten, shared, or observed. Moreover, today's fast-paced electronic world means people are asked to remember a multitude of passwords and personal identification numbers (PINs) for computer accounts, bank ATMs, e-mail accounts, wireless phones, web sites and so forth.

Biometrics holds the promise of fast, easy-to-use, accurate, reliable, and less expensive authentication for a variety of applications.

Another key aspect is how "user-friendly" a system is. The process should be quick and easy, such as having a picture taken by a video camera, speaking into a microphone, or touching a fingerprint scanner.

As biometric technologies mature and come into wide-scale commercial use, dealing with multiple levels of authentication or multiple instances of authentication will become less of a burden for users.

B. Security pitfalls of previous schemes

There are various shortcomings and pitfalls in the previously used authentication techniques. Before adopting a new technology, we note some pitfalls of previous schemes:

In many schemes [6], the password is chosen by the remote server and may be long, random and difficult for a user to remember.

Such a scheme is exposed to an insider attack: an insider who has come to know the user's password can misuse the system in future [7].

Passwords are vulnerable to dictionary attacks, guesses and social engineering [10].

Previous schemes do not preserve the anonymity of the user. In the verification phase, the login message is transmitted to the authentication server over an insecure channel. In a transaction scenario it is very important to preserve the privacy of a user, because an adversary sniffing the communication channel can eavesdrop on the communicating parties involved in the authentication process to analyze the transaction being performed by the user.

Previous literature makes no provision for mutual authentication between the user and the server.

Loss of a smart card is a very serious problem because the lost card can be used to impersonate a valid registered user.

Traditional authentication systems are based on a secret key within a public key infrastructure (PKI). But the key has many disadvantages, as it can be forgotten or stolen and can be easily cracked.

6. Biometric Authentication

Biometric devices consist of a reader or scanning device, software that converts the gathered information into digital form, and a database that stores the biometric data for comparison with previous records. When converting the biometric input, the software identifies specific points of data as match points. The match points are processed using an algorithm into a value that can be compared with biometric data in the database. All biometric authentication requires comparing a registered or enrolled biometric sample (biometric template or identifier) against a newly captured biometric sample (for example, a fingerprint captured during a login). Individuals must first register their form of identity with the system by capturing a raw biometric to be used in the system. This process is called Enrolment and is composed of three distinct phases: Capture, Process and Enroll [6].

Capture: A raw biometric is captured by the biometric sensing device.
Process: Characteristics that are unique to individuals and distinguish individuals from one another are extracted from the raw biometric and transformed into a biometric "template".

Enroll: The processed template is stored in a suitable storage medium, such as a database on a disk storage device or a portable device such as a smart card, so that later comparisons can be made easily.

Once Enrolment is complete, the system can authenticate individuals using the stored template. Authentication is the process whereby a new biometric sample is captured from the individual who is authenticating with the system and compared to the registered (enrolled) biometric template. There are two forms of Authentication: Verification and Identification.

Identification performs the process of identifying an individual from their biometric features. Identification asks the question "Who are you?"

Verification involves matching the captured biometric sample against the enrolled template that is stored, and requires the user to assert a specific claim of identity such as a user name or unique key. Verification asks the question "Are you who you say you are?"
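An added Python example (not from the paper) of the enrolment, verification and identification steps described above, followed by a measurement of the false accept rate (FAR) and false reject rate (FRR) at different decision thresholds. The feature vectors, match scores, user names, similarity function and helper names are all constructed for illustration; a real biometric matcher is far more involved.

```python
import math


def similarity(a, b):
    """Match score in (0, 1]; 1.0 means the feature vectors are identical."""
    return 1.0 / (1.0 + math.dist(a, b))


class TemplateStore:
    """Toy template database: user id -> enrolled feature vector."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.templates = {}

    def enroll(self, user_id, captures):
        # Capture -> Process -> Enroll: several raw captures are reduced to
        # one template (here simply the per-feature mean) and stored.
        n = len(captures)
        self.templates[user_id] = [sum(col) / n for col in zip(*captures)]

    def verify(self, claimed_id, sample):
        # 1:1 comparison against the claimed identity's template.
        template = self.templates.get(claimed_id)
        if template is None:
            return False  # a claim for an unenrolled identity is rejected
        return similarity(template, sample) >= self.threshold

    def identify(self, sample):
        # 1:N search over all templates; None if nobody matches well enough.
        best_id, best_score = None, 0.0
        for user_id, template in self.templates.items():
            score = similarity(template, sample)
            if score > best_score:
                best_id, best_score = user_id, score
        return best_id if best_score >= self.threshold else None


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for lists of genuine and impostor match scores."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def pick_threshold(genuine, impostor, candidates, max_far):
    """Lowest candidate threshold whose FAR is within max_far.

    FAR never rises as the threshold rises, so the lowest acceptable
    threshold is also the one with the lowest FRR. Returns (t, FAR, FRR).
    """
    for t in sorted(candidates):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


# Constructed sample data: three captures per user at enrolment.
ENROLMENT = {
    "alice": [[0.10, 0.80, 0.30], [0.12, 0.78, 0.32], [0.08, 0.82, 0.28]],
    "bob": [[0.70, 0.20, 0.90], [0.72, 0.18, 0.88], [0.68, 0.22, 0.92]],
}
# Constructed match scores: genuine = right user, impostor = wrong user.
GENUINE_SCORES = [0.98, 0.95, 0.93, 0.91, 0.88, 0.85, 0.97, 0.79]
IMPOSTOR_SCORES = [0.49, 0.55, 0.62, 0.66, 0.71, 0.81, 0.58, 0.86]
CANDIDATES = [0.70, 0.75, 0.80, 0.85, 0.90]


def build_store(threshold):
    store = TemplateStore(threshold)
    for user_id, captures in ENROLMENT.items():
        store.enroll(user_id, captures)
    return store


if __name__ == "__main__":
    store = build_store(0.90)
    good, noisy = [0.11, 0.79, 0.31], [0.20, 0.70, 0.40]
    print("verify alice, good capture :", store.verify("alice", good))
    print("verify alice, noisy capture:", store.verify("alice", noisy))
    print("verify bob with alice's finger:", store.verify("bob", good))
    print("identify good capture:", store.identify(good))
    for t in CANDIDATES:
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FAR={far:.3f} FRR={frr:.3f}")
    print("FAR capped at 0:", pick_threshold(
        GENUINE_SCORES, IMPOSTOR_SCORES, CANDIDATES, 0.0))
```

Raising the threshold drives false accepts down and false rejects up, so the noisy capture from the legitimate user is rejected at 0.90 but accepted at 0.80.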

The success of a system in performing verification is measured using the metrics below. Successful systems will have high True Positive and True Negative values; a poor system will have high False Positive and False Negative values. Each metric is defined as follows:

TP: correctly allow access to an authorized user
TN: correctly deny access to an unauthorized user
FP: incorrectly allow access to an unauthorized user (FAR)
FN: incorrectly deny access to an authorized user (FRR)

A diagram illustrating the process of Enrollment and Authentication is shown below:

Figure 1. Biometric Authentication

7. Comparison of various biometric technologies

It is necessary to compare the various biometric technologies in terms of their characteristics for adoption in the authentication process of Internet banking. In this context we highlight the comparison of various types of biometric authentication techniques already given by some authors and research studies. This is presented below in Table 1 and Figure 2.

Table 1. Comparison of various biometric technologies based on the perception of the authors. High, Medium, and Low are denoted by H, M, and L, respectively.

Figure 2. Graph for Biometric Technologies occupied in market (Source: Thermal imager FLIR infrared camera resources)

It can be seen from the figure that fingerprint is the most common biometric, occupying 48.8% of the market. One of the major problems with the authentication of users via the internet is the inherent lack of security of traditional authentication techniques: passwords, PIN numbers and cookies. With the current development of the biometric fingerprint technology market, the possibility of identifying someone online has been addressed. The fingerprint biometric authentication system is one of the solutions to come out of recent developments. It allows a web page to include a validation check using objects embedded in the web page, which call on an interface to a fingerprint reader attached to the client computer, which returns a coded fingerprint to the server, where it is then validated.

8. Conclusion

From an operational perspective, this study indicates that banks with web-based banking realized significant benefits. Internet banking allows customers to conduct transactions at any time; it thus reduces the number of physical visits to a bank and has reduced the cost per transaction. But, technologically, implementing web-based banking so that it is obvious to the customer is challenging. Careful planning is a prerequisite if full benefits are to be realized. In our study we have found that biometric technology has played an important role in controlling the risk factors through the authentication system. The implementation of appropriate authentication methodologies should start with an assessment of the risks faced by the Internet banking systems. An effective authentication programme should be implemented to ensure that authentication tools are appropriate for all of the financial institution's Internet-based products and services. A comprehensive approach to authentication requires development of, and adherence to, the bank's information security standards, integration of the authentication process within the overall information security framework, risk assessment within the lines of business supporting selection of authentication tools, and a central authority for oversight and risk monitoring. This authentication process should be consistent with and support the financial institution's overall security and risk management programme.

9. Future Work

In our study we have seen that, although authentication is the only control mechanism where security is concerned, it is inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties. In future we plan to study the various security aspects of internet banking and will try to implement an integrated authentication model, using a new technological approach, to deal with the security challenges of internet banking systems.