Personal Website of R.Kannan
Students Corner - Project on Internet Banking
Report of RBI Working Group





Internet Banking - Technology


Contents Description in a Nutshell

The Internet has provided a new and inexpensive channel for banks to reach out to their customers. It allows customers to access the bank's facilities round the clock, seven days a week, and from remote sites such as the home. However, all these capabilities come with a price. The largely unregulated Internet provides a less than secure environment for banks to interface with. The diversity of computer, communication and software technologies used by the banks vastly increases the challenges facing online bankers. In this chapter, an effort has been made to give an overview of the technologies commonly used in Internet banking.

Computer networking & Internet

The purpose of computer networking is the sharing of computing resources and data across the whole organization and with the outside world. Computer networks can be broadly divided into two categories based on data transfer speed and geographical reach. A Local Area Network (LAN) connects many servers and workstations within a small geographical area, such as a floor or a building. Some of the common LAN technologies are 10 Mbps Ethernet, 100 Mbps Ethernet, 1 Gbps Ethernet, Fiber Distributed Data Interface (FDDI) and Asynchronous Transfer Mode (ATM). The data transfer rates here are very high, and these technologies commonly use a broadcast mode of data transfer. The Wide Area Network (WAN), on the other hand, is designed to carry data over great distances and is generally point-to-point. Connectivity in a WAN set-up is provided by using dial-up modems on the Public Switched Telephone Network (PSTN) or leased lines, VSAT networks, Integrated Services Digital Network (ISDN) or T1 lines, Frame Relay/X.25 (Permanent Virtual Circuits), Synchronous Optical Network (SONET), or Virtual Private Networks (VPN), which are software-defined, dedicated and customized services used to carry traffic over the Internet. The different topologies, technologies and data communication protocols have different implications for the safety and security of services.

To standardize communications between systems, the International Organization for Standardization (ISO) developed the OSI model (the Open Systems Interconnection Reference Model) in 1977. The OSI model breaks the communication process up into 7 layers and describes the functions and interfaces of each layer. The important services provided by some of the layers are mentioned below. A good understanding of these layers is necessary for developing applications and for deploying firewalls (described later).

  1. Application Layer: Network management, File Transfer Protocol, information validation, application-level access security checking.

  2. Session Layer: Establishing, managing and terminating connections (sessions) between applications.

  3. Transport Layer: Reliable, transparent transfer of data between end points, end-to-end recovery and flow control.

  4. Network Layer: Routing, switching, traffic monitoring and congestion control, control of network connections, logical channels and data flow.

  5. Data Link Layer: Reliable transfer of data across a physical link and control of the flow of data from one machine to another.

Protocol: The data transmission protocol suite used for the Internet is known as the Transmission Control Protocol/Internet Protocol (TCP/IP). The Internet is primarily a network of networks. The networks in a particular geographical area are connected into a large regional network. The regional networks are connected via a high-speed "backbone". Data sent from one region to another is first transmitted to a Network Access Point (NAP) and is then routed over the backbone. Each computer connected to the Internet is given a unique IP address (such as 142.16.111.84) and a hierarchical domain name (such as cse.iitb.ernet.in). The Internet can be accessed using various application-level protocols such as FTP (File Transfer Protocol), Telnet (Remote Terminal Control Protocol), Simple Mail Transfer Protocol (SMTP) and Hypertext Transfer Protocol (HTTP). These protocols run on top of TCP/IP. The most innovative part of the Internet is the World Wide Web (WWW). The web uses hyperlinks, which allow users to move from any place on the web to any other place. The web consists of web pages, which are multimedia pages composed of text, graphics, sound and video. Web pages are written using Hypertext Markup Language (HTML). The web works on a client-server model in which the client software, known as the browser, runs on the local machine and the server software, called the web server, runs on a possibly remote machine. Some of the popular browsers are Microsoft Internet Explorer and Netscape Navigator.

With the popularity of the web, organizations find it beneficial to provide access to their services through the Internet to their employees and the public. In a typical situation, a component of the application runs (as an ‘applet’) within the browser on the user’s workstation. The applet connects to the application (directly using TCP/IP, or through the web server using HTTP) on the organization’s application and database servers. These servers may be on different computer systems. Web-based applications provide flexible access from anywhere using the familiar browsers that support graphics and multimedia. The solutions are also scalable and easy to extend.

Banking Products: Internet banking applications run on diverse platforms and operating systems and use different architectures. The product may support centralized (bank-wide) operations or branch-level automation. It may have a distributed, client-server or three-tier architecture based on a file system or a DBMS package. Moreover, the product may run on computer systems of various types, ranging from PCs and open (Unix-based) systems to proprietary mainframes. These products allow customers different levels of access and different ranges of facilities. The products accessible through the Internet can be classified into three types based on the level of access granted:

Information only systems: General-purpose information like interest rates, branch locations, product features, FAQs, loan and deposit calculators are provided on the bank’s web (WWW) site. The sites also allow downloading of application forms. Interactivity is limited to a simple form of ‘e-mail’. No identification or authentication of customers is done and there is no interaction between the bank’s production system (where current data of accounts are kept and transactions are processed) and the customer.

Electronic Information Transfer System: These systems provide customer-specific information in the form of account balances, transaction details, statements of account etc. The information is still largely ‘read only’. Identification and authentication of the customer takes place using relatively simple techniques (like passwords). Information is fetched from the bank’s production system either in batch mode or offline. Thus, the bank’s main application system is not directly accessed.

Fully Transactional System: These systems provide bi-directional transaction capabilities. The bank allows customers to submit transactions on its systems, and these directly update customer accounts. Therefore, the security and control systems need to be strongest here.

Application Architecture

A computer-based application may be built as monolithic software, may be structured to run in a client–server environment, or may even have a three-tier or multi-tier architecture. A computer application typically separates its three main tasks: interaction with the user, processing of transactions as per the business rules, and storage of business data. The three tasks can be viewed as three layers, which may run on the same system (possibly a large, proprietary computer system) or may be separated onto multiple computers (across the Internet), leading to a three-tier or multi-tier architecture.

These layers can be briefly described as follows:

Presentation Layer: This layer is responsible for managing the front-end devices, which include browsers on personal computers, Personal Digital Assistants (PDAs), mobile phones, Internet kiosks, Web TV etc. The presentation layer takes care of user interface related issues like display details, colour, layout, image etc. It also has important responsibilities in user authentication and session management activity.

Application Layer: It contains the business logic (for processing of data and transactions) and the necessary interfaces to the data layer. It processes requests from the presentation layer, connects to the data layer, receives and processes the information and passes results back to the presentation layer. It is responsible for ensuring that all the business rules are incorporated in the software. The scalability, reliability and performance of the services depend to a great extent upon the application layer architecture.

Data Layer: The data layer uses a database package to store, retrieve and update application data. The database may be maintained on one or multiple servers. A database package also supports back-up and recovery of data, as well as logging of all transactions.

Issues in administration of systems and applications: The role of the network and database administrator is pivotal in securing the information systems of any organization. The role extends across various job functions, and laxity in any one of them leaves the system open to malicious use. A few important functions of the administrator, and how they relate to or impinge on system security, are discussed below:

Installation of software: Software (whether system or application) needs to be carefully installed as per the developer’s instructions. A software system may contain bugs and security holes, which over a period are fixed through appropriate patches. It is necessary to know the latest and correct configuration of all software packages. Hackers and intruders are often aware of these bugs and may exploit known weaknesses in the software; hence, care should be taken to install only the latest versions of software with the latest patches. Further, improper installation may lead to degradation of services. Installation of pirated software is not only illegal and unethical; such software may also contain trojans and viruses, which may compromise system security. In the case of outsourced software, care should be taken to compare the source code and the executable code using appropriate tools, as unscrupulous developers may leave backdoors in the software for illegal access to and modification of the data. In addition, while installing software, care should be taken that only necessary services are enabled, on a need-to-use basis.

Access controls and user maintenance: An administrator has to create user accounts on different computer systems and give various access permissions to the users. Setting access controls on files, objects and devices reduces intentional and unintentional security breaches. A bank’s system policy should specify access privileges and controls for the information stored on the computers. The administrators create the needed user groups and assign users to the appropriate groups. The execution privilege of most system-related utilities should be limited to system administrators, so that users are prevented from making system-level changes. The write/modify access permissions for all executables and binary files should be disabled. If possible, all log files should be made "append only". All sensitive data should be made more secure by using encryption. The system and database administrators are also responsible for the maintenance of users and the deletion of inactive users. Proper logs should be maintained of the dates of user creation and the validity period of users. There should be frequent reviews to identify unnecessary users and privileges, especially those of temporary users such as system maintenance personnel and system auditors.
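Two of the controls above (no write/modify permission on executables and binaries, sensitive data not readable by everyone) can be audited mechanically. The following is an added example, not code from the report or from any bank's product: it walks a directory tree and reports group- or world-writable executables and sensitive data files (identified here by an assumed suffix list) that are world-readable, using a small tree it constructs itself with deliberate misconfigurations.

```python
import os
import stat
import tempfile


def audit_tree(root, sensitive=(".db", ".key")):
    """Walk ROOT and return two sorted lists of relative paths:
    executables writable by group or others, and sensitive data files
    (matched by suffix, an assumed convention) readable by others."""
    loose_exec, exposed_data = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            rel = os.path.relpath(path, root)
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if executable and mode & (stat.S_IWGRP | stat.S_IWOTH):
                loose_exec.append(rel)
            if name.endswith(sensitive) and mode & stat.S_IROTH:
                exposed_data.append(rel)
    return sorted(loose_exec), sorted(exposed_data)


def build_sample_tree():
    """Construct a small demo tree (not a real system) with two mistakes."""
    root = tempfile.mkdtemp(prefix="audit_")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "data"))
    layout = {
        "bin/safe_tool": 0o755,      # executable, owner-writable only: fine
        "bin/loose_tool": 0o777,     # executable and world-writable: flagged
        "data/accounts.db": 0o600,   # owner-only: fine
        "data/customers.db": 0o644,  # sensitive and world-readable: flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # set the mode explicitly, ignoring umask
    return root


if __name__ == "__main__":
    loose, exposed = audit_tree(build_sample_tree())
    print("group/world-writable executables:", loose)
    print("world-readable sensitive files:", exposed)
```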

Backup, recovery and business continuity: Backup of data, documentation and software is an important function of the administrators. Both data and software should be backed up periodically. The frequency of backup should depend on the recovery needs of the application; online/real-time systems require frequent backups within a day. The backup may be incremental or complete. Automating the backup procedures is preferred, to obviate operator errors and missed backups. Recovery and business continuity measures, based on the criticality of the systems, should be in place, and a documented plan with the organization and assignment of responsibilities of the key decision-making personnel should exist. An off-site backup is necessary for recovery from major failures/disasters to ensure business continuity. Depending on criticality, different technologies based on backups, hot sites, warm sites or cold sites should be available for business continuity. The business continuity plan should be tested frequently.

System and network logging: Operating systems, database packages and even business applications produce a ‘log’ of the various tasks performed by them. Most operating systems keep a log of all user actions. Log files are the primary record of suspicious behaviour. They alert the administrator to carry out further investigation in case of suspicious activity and help in determining the extent of an intrusion. Log files can also provide evidence in case of legal proceedings. The administrator has to select the types of information to be logged, the mechanisms for logging, the locations for logging, and the locations where the log files are stored. The information required to be logged should include login/logout information, the location and time of failed attempts, changes in status and the status of any resource, changes in system status such as shutdowns, initializations and restarts, file accesses, changes to file access control lists, mail logs, modem logs, network access logs, web server logs, etc. The log files must be protected and archived regularly and securely.
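The "location and time of failed attempts" the report wants logged are only useful if someone looks at them. As an added example (not from the report), the following parses constructed syslog-style login records and flags any source address with a burst of failed logins inside a sliding time window, the kind of review an administrator would run over the login/logout log; the host name, addresses and year are all assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd style; not taken from any real system.
SAMPLE_LOG = """\
Nov 25 09:00:01 bankhost sshd[311]: Accepted password for alice from 10.1.1.5 port 50210 ssh2
Nov 25 09:01:10 bankhost sshd[312]: Failed password for bob from 203.0.113.9 port 40001 ssh2
Nov 25 09:01:12 bankhost sshd[313]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Nov 25 09:01:15 bankhost sshd[314]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Nov 25 09:01:20 bankhost sshd[315]: Failed password for root from 203.0.113.9 port 40004 ssh2
Nov 25 09:30:00 bankhost sshd[340]: Failed password for carol from 10.1.1.7 port 51000 ssh2
Nov 25 09:45:00 bankhost sshd[350]: Failed password for carol from 10.1.1.7 port 51001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
                     r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line, year=2004):
    """Split a syslog-style line into (timestamp, program, message); the
    year is an assumed parameter because this log format carries none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["msg"]


def failed_login_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: (count, first_failure, users)} for every source
    with at least THRESHOLD failed logins inside a sliding WINDOW."""
    failures = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _prog, msg = parsed
        hit = FAIL_RE.search(msg)
        if hit:
            failures[hit["ip"]].append((ts, hit["user"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _user) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                alerts[ip] = (len(burst), start, sorted({u for _, u in burst}))
                break
    return alerts
```

Two isolated failures fifteen minutes apart (carol) stay below the threshold, while four failures in ten seconds against three different accounts from one address are reported together with the first timestamp and the account names tried.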




Page last updated on 25.11.2004