
UNIT 5

Internet or Online Banking

The objective of the Unit is to understand


> Brief history of Internet Banking
> Internet Banking Product features
> Profitability of Internet Banking
> Risk management and frauds
5.1 Overview and brief history
In today's modern world it is difficult to imagine that at one time, branch
banking was the only form of banking available and for every single need,
customers were required to visit the bank branch. It may also surprise
many that online banking has been around since the early 1980s, though in
a different form, and the term 'online banking' gained popularity only in
the late 1980s.
Innovations in online banking started in the early 1980s. It was in 1983
that the Bank of Scotland offered Nottingham Building Society (NBS)
customers the very first internet banking service in the United Kingdom
and named it "Homelink".
Originally the word 'online banking' referred to the use of a keyboard and
television or computer monitor to access a bank account, through the use
of telephone lines.

In 1981, when four of the major US banks, viz., Citibank, Chase Manhattan
and others came up with this idea, there were not enough takers, and hence
it failed to gain momentum. The next wave of online banking came in
mid-1990s. It was in 1994 that Stanford Federal Credit Union became
the first institution in the US to offer online banking to its customers.
Initially customers were reluctant to use online banking because of lack
of security features and lack of awareness as to how to make use of this
channel of banking.
ICICI Bank was the first bank in India to introduce Internet banking,
followed by HDFC Bank and Citibank in the year 1999.
5.2 How Internet Banking Works
An Internet banking server hosts the internet banking programs and is
interfaced with the CBS Server. Usually customers access the internet
banking page through a designated web server which is placed in a DMZ
(De-Militarized Zone) for security reasons. Customers can visit the internet
banking page from their own PCs/mobile phones/laptops/tablets etc. They
can register and link their accounts and these accounts can be accessed/
operated through the internet. The bank provides an ID and password for
login and, on a login attempt, the Internet banking server verifies the ID
and password entered by the customer against the login details in its
database, and then permits login if those tally. The software links the
customer to his CBS accounts, and he can then transact as per the menus in
the webpage.
Internet banking uses many additional checks for some or all transactions,
as the rules are set (particularly security checks with additional
questions, a one-time password sent during the transaction to the
customer's registered mobile/e-mail for screen entry and verification by
the system, etc.). This is because Internet banking has some inherent risks
attached to it.

5.3 Product features


Of late, Internet banking has taken a phenomenal leap in terms of product
innovation, services offered, convenience and many power-packed facilities
being offered by various banks. Some of the categories of banking facilities
offered by banks are as follows:
106 MODULE A:DIGITAL BANKING PRODUCTS

Account Details: One can track the entire account details by viewing the
balance, downloading statements and more. All other accounts, such as
credit card (of the same bank), loan, DEMAT accounts, etc., can be linked
and tracked in one single location.
Remittances and Funds transfer: Using the internet banking facility one can
transfer funds to own accounts in the same bank/other bank accounts or to
bank accounts of others with the same bank or with different banks, using
systems such as NEFT, RTGS or IMPS/UPI.
Request Services: Through this service, requests can be made for issue of a
Cheque book or Demand draft, Stop Cheque payment, Debit card loyalty
point redemption, etc.
Bill payment services: One can facilitate payment of electricity and
telephone bills, mobile phone, credit card and insurance premium and other
utility bills, without going to the sites of those service providers, as each
bank has tie-ups with various utility companies, service providers and
insurance companies across the country. To pay one's bills, all that is
needed is to complete a simple one-time registration for each biller.
One can also set up standing instructions, online, to pay recurring bills
automatically. Apart from these 'registered' automated payments (by
SIs) or auto-collected bills (through the biller registration process),
most online payments are normally made each time on an ad hoc basis; the
software enables them to be paid by Credit/Debit cards or internet
banking, or from some wallets, or also from the account directly by online
transfer. This mode is the most popular as it does not need a 'registration'
and the customer is free to choose which bank account or even card (debit
or credit, etc.) to pay from.
Investing through Internet Banking: One can now open a Fixed Deposit,
or many other accounts as the Bank may like to provide for, online,
including funding the account by funds transfer. Investors with interlinked
demat and bank accounts can now easily trade in the stock market; the
amounts will be automatically debited/credited to their respective bank
accounts and the shares will be credited/debited to their demat account(s).
Moreover, some banks even extend the facility to purchase mutual funds
directly through the online banking system.
Recharging prepaid phones: Now one can top up his/her prepaid mobile
cards by logging on to Internet banking. By just selecting the telecom
operator's name, entering the mobile number and the amount of recharge,
the phone can be back in action again within a few minutes.
Shopping: With a range of all kinds of products, one can shop online and
the payment is also made conveniently through the account. One can also
buy railway and air tickets using Internet Banking.
Obviously, the above needs direct site-to-site integration of banks with
telecoms, other online sellers and biller organisations: the two
organisations mutually provide connections, credentials and access, agree
on formats and contents of messages, then on data and message exchanges,
and, lastly, on programs to handle these access controls and exchanges
of messages/data. Initially, the industry started with one-to-one tie-ups
(a bank and an organisation, say Railway). Slowly some banks and some
organisations matured to a situation where they created a common standard
of data exchanges and routines, a common set of agreed technical details
for site-to-site handshake between the organisations. This way, many
counterparties can register with one, when they adopt the same technical
details, message formats, standards, routines etc., and can have online
transactions across the two organisations. The customer in the front-end
gets a seamless experience of visiting shop X or Z site, paying online from
bank Y, or visiting bank Y site and paying a tax online to the Govt. or
shopping at shop X or Z, etc., as the bank hosting the online application
will provide for in the software.
This is a case of one-to-many exchange, where one organisation (bank) hosts
the software where others connect with their sites for online exchanges.
Examples may be a bank hosting a site for online Tax or some money
transfer etc. service: other organisations connecting can use those
functions by logging in from their own site and they can enhance their
software in-house so that some more service or control can be provided to
their own users/employees. Similarly it can be a Railway ticketing service
online, where many banks can connect, and so allow their customers to book
e-tickets and pay online from the bank account. This leads to transactions
which are all paperless and instantaneous, with the related entities (shop,
bank, Govt.) providing e-acknowledgements, receipts, as agreed.
The next logical extension is to create a many-to-many exchange so that
many organisations can exchange with many other organisations in a single
go. In this case, a central entity will decide message format, message
content standards, validation rules, connectivity technical details etc.
All others will connect to this entity and deliver whatever is to be
delivered to the other organisation (a specific organisation separately or
all of the others, or a few of them). The central entity will do the message
exchanges as also account for net/gross funds exchanged as desired and
deliver data to/receive data from all. This way the central entity will
exchange with all both ways, and each organisation will exchange only with
the central entity. Because funds transfers and account keeping are
involved, all participants need to maintain and link their specific bank
accounts and authorise the central entity to operate them freely in
relation to the exchange. An example of such many-to-many internet banking
platform exchanges will be, say, NEFT or Clearing among banks in India.

5.4 Profitability of Internet Banking


The impact of internet banking on banks' profitability is significant, as it
cuts the operational cost. The profitability of internet banking is described
as under:

5.4.1 New revenue streams from transaction and user fees


The Internet enables institutions to realize new revenue streams through
service and transaction fees charged to users for the new services now made
possible. These fees enable the institution to offset much of the expenses
incurred to provide the service.
Institutions can tap into an additional revenue stream by providing
Cash Management Services to wholesale/commercial customers.
Once the Internet-based cash management system is in place, institutions
have the ability to readily cross-sell other value-added business services to
their business customers (e.g., payroll, direct online money transfer and
bill payment, as well as other e-commerce offerings through the portal,
such as brokerage, investment, insurance and credit services, retirement
planning advice etc.).
In India, internet banking can be used for making remittances at a fee,
through IMPS, NEFT and RTGS. Many banks have added many other
services like tax payments, Railway ticket booking, online donation to
some organisations/temples, school/college fee payments, etc., all of which
are offered under the Internet Banking services.
5.4.2 Cost savings
Institutions that have put services on-line have seen cost savings in
back-office and front-office operations, from deposits, to statement
processing, to loan application processing and customer service. The
Internet helps an institution in streamlining its operations across the
board. Cost saving is achieved primarily through less reliance on manual
operations and call centres. Profitability is further enhanced by lower
customer service costs, through enhanced efficiencies and by online
processing in setting up new accounts, servicing consumer loan
applications, handling balance and payment activity inquiries, answering
requests for copies of checks, stop payments, address changes, etc.
5.4.3 Cross-Selling
Cross-selling is a very promising area for revenue growth for financial
institutions. New customers are attracted to an institution through ease of
use and the range of services that they can get from one stop on the
website. For financial institutions that have already established an Internet
banking service, on-line loan application and cash management modules
can be added through an additional application delivered through the
same Internet infrastructure. This easy add-on capability enables the
institution to leverage more effectively its initial investment in setting up
the Internet banking service.
Retail customers may find on-line application for consumer and mortgage
loans a more convenient alternative to off-line application procedures.
The financial institution benefits by streamlining operations, by being
able to track and analyse work progress and usage by customers, and by
broadcasting marketing and service information to customers via
internet-based messaging, e.g., by e-mails, etc.
Banks are also offering customized offers to their customers through net
banking as per their customer category. Some banks are extending lifetime
free credit cards to their account holders through net banking. Banks
are often utilising their net banking channels for cross-selling. Internet
banking provides a very cheap, easy and fast channel to reach customers,
market new products, extend customer education, etc.
The Internet similarly enables cheap, fast and widespread communication to
non-customers. So, in marketing and promotions, this platform is quite
useful.

5.4.4 Customer Retention


As the full range of services is made accessible on a Bank's Internet banking
web site, existing customers will be more likely to stay with the Bank and
new customers will be enticed to join. On-line customers are more likely
to become captive users of multiple services, as a result of the "stickiness
value" of the Bank's Internet banking web site. Statistics collected from
the banking industry show that customers using Internet banking and,
in particular, customers using electronic bill payments are far more likely
to remain customers of their bank.
Internet services (and, in more general terms, the entire range of digital
services) have modified customers' business needs, expectations and
support needs from banks. According to the Global Consumer Banking Survey
of M/s Ernst & Young,
> Customers look for a Primary Financial Service Provider (PFSP),
not only a bank, as earlier
> Customers prefer
  > Transparency of pricing, simplicity of offers, maintenance of
  behavioural ease and uniformity across channels (physical or
  the various digital ones, etc.), more and better advice, solving
  customer's problems
  > Greater use of data to empower customers
  > Quick and early responses
  > Overall experience
For banks, customer segmentation, understanding customer preferences, and
aligning products and activities/navigations/services accordingly will be
the major areas to look at for being relevant in the digital banking market.
In fact, there are other studies that point out that redesigning
processes, customer interaction experience, and service bouquet, in both
physical and digital channels, are important for banks to win and retain
customers. This strategy is often referred to as 'digital' delivery
enhancement, mentioned earlier (a suitable unification of digital and
physical experiences).

5.5 Risk management and frauds


Like many other domains of banking, internet banking is subject to the usual
risks, viz., strategic risk, transaction risk, compliance risk, legal risk, etc.
In addition to the above, internet banking is also subject to certain specific
risks such as Internet Threats, i.e., the various security threats the system
is exposed to (hacking, malware, DoS or similar attacks, less customer
loyalty of net-only customers, etc.), for being on the internet platform.
Personal Internet banking is fast becoming a popular platform for banking
transactions for customers, and so also for banks. However, the 'open'
nature of the internet exposes banks/financial institutions to internet
security risks.
A common threat is Phishing (pronounced as 'fishing'). Phishing is the
attempt to gather information, mostly through e-mails, leading the
user to divulge secret credentials, or even alluring him to open a link or
file containing hidden malware that will send his credentials out to the
fraudster's system. With this, the fraudster can make fraudulent
transactions. Often Phishing also involves creating a fake website, like a
replica of a genuine one, and luring users to log in (through mail, where
the link is provided), so that the credentials entered there can be
collected by the fraudster for misuse in future.
Obtaining such information through telephone calls for the same purpose is
called 'Vishing', and doing similarly through SMS is nicknamed 'smishing'.
A series of apparently unconnected innocuous queries or advertisement
mails can be directed towards one or a few people in an organisation, to
ultimately obtain some user credentials and/or some system details, or to
push down a Trojan to do these. Incidentally, a Trojan is malware that is
downloaded on a target system, lies low and inactive for as long as
programmed to, and then gets active to send out credentials from this
target to the Trojan's controller, or to run malware that opens access for
further attacks from its controller system, etc. [The name Trojan Horse
has its root in the wooden horse in the story of Helen of Troy.] This
persistent and focussed series of attempts is called 'Spear Phishing'.
By phishing, the fraudster basically does what is known as 'Identity Theft',
i.e., taking possession of the user's identity like ID, password, answers to
secret questions, other credentials, e.g., Aadhaar number, PAN number,
contact details, etc., for misuse by gaining entry into systems with these
credentials.
Other ways of tricking customers to share their critical information
unknowingly are brand spoofing (appearing to belong to a genuine
webpage, or appearing to be the genuine owner and sender of some
message or webpage, etc.), carding (getting credit/debit card details from
sites, inboxes, through skimming devices, or any such illicit means to be
able to transact using fake ownership of a card), fake websites, and email
scams (defrauding people with fraudulent emails to get money, credentials,
etc.).
While such fraud or scams have existed for years, digital information and
communication technologies have made it easier for nefarious
users to spoof any number of things, including emails, websites, etc. More
often than not, the targets of these scamsters are financial institutions.
Thus, there is a growing need within the financial industry to address this
problem by putting in technical deterrents where possible, but above all,
educating users on such risks.
It may be worthwhile to elaborate on a few threats:
5.5.1 Basic phishing
Basically, phishing involves e-mails containing fraudulent forms, or links
to fraudulent websites. For example, an email may contain a link to what
appears to be a legitimate organization. While the URL initially
appears legitimate, it redirects the user to another location where a spoofed
website resides.
Victims submit sensitive information (personal credentials, bank account
details, etc.) through this website, or directly via emails, without realizing
that it is instantaneously transmitted to criminals who intend to use the
information for malicious purposes.
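The gap between the address a link displays and the address it actually opens can be checked mechanically before a mail reaches the customer. The following Python code is an added example, not part of the original text or of any bank's software; the domain examplebank.example, the function names and the sample e-mail are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the bank publishes its official domain(s); placeholder value.
OFFICIAL_DOMAINS = {"examplebank.example"}

# Constructed sample e-mail body (wording modelled on the messages in 5.5.1).
SAMPLE_EMAIL = """
<p>Your account is currently being updated. Follow the instructions below.</p>
<a href="http://examplebank.example.login-update.test/reactivate">
https://www.examplebank.example/login</a>
<a href="https://www.examplebank.example/help">Help centre</a>
<a href="https://secure-examplebank.test/verify">Update your personal details</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an e-mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse(url):
    """(scheme, host) of a URL in lower case; ('', '') if it cannot be parsed."""
    try:
        parts = urlsplit(url.strip())
        return parts.scheme.lower(), (parts.hostname or "").lower()
    except ValueError:
        return "", ""


def is_official(host):
    # Exact match or a true subdomain. A substring test would wrongly accept
    # hosts that merely contain the bank's name somewhere in the address.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_link(href, text):
    """Return the warning reasons for one link (empty list = no warning)."""
    reasons = []
    scheme, host = parse(href)
    if scheme != "https":
        reasons.append("not-https")
    if not is_official(host):
        reasons.append("host-not-official")
    # If the visible text is itself a web address, it must name the same host.
    if re.match(r"(?i)(https?://|www\.)", text):
        shown = text if "://" in text else "https://" + text
        if parse(shown)[1] != host:
            reasons.append("text-host-mismatch")
    return reasons


def check_email(html):
    """Return [(href, reasons)] for every suspicious link in an HTML e-mail."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_email(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

The first sample link is flagged on all three counts even though the bank's name appears both in the displayed text and at the start of the real host name.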
The email may include one of the following, or similar other enticing
messages, to trick the user to act according to its instructions:
> 'Your account is currently being updated as we are introducing a
new security system. Follow the instructions below to re-activate
your account'
> 'Your credit card is the subject of a police investigation for fraud.
Please follow the instructions below'
> 'Our record shows that payment for your internet account is due.
We are currently introducing a new e-payment service. Please follow
the instructions below to activate your online payment'
> 'You are the lucky winner of our lucky draw. Please submit your
credit card details so that we can verify your identity.'
The following are examples of the instructions the user may be asked to
follow, to deceive him/her into disclosing details such as password, etc.
> 'Please provide a return email with your account details, password
or credit card number. We will re-activate your account as soon as
we receive your email'
> 'Please click on the hyperlink below to update your personal details'
> 'Please click on the attachment below. This will automatically generate
an alert on our side. We will update your account and inform you'.
It should be noted that no Banking or Financial institution will ever send
such emails asking its customers to divulge any confidential or personal
information. Banks therefore go on repeating that they never ask for any of
these and, in reality, they should never (repeat, never), even in the face
of huge frauds or breakdowns, ask for such credentials.
5.5.2 Spear Phishing
Through many and diversified seemingly innocuous mails, mails attaching
enclosures on completely different topics or issues, or other methods,
the attacker often attempts, over as long a time as necessary, to make the
selected user(s) ultimately divulge personal credentials or data. This
type of series of attacks, at various times with many different attempts, is
called spear phishing.
5.5.3 Brand Spoofing
Hackers will fake or spoof websites of legitimate and existing organizations
to deceive customers into thinking that they are interacting with
the legitimate company. This can involve receiving an email that contains
a link to a website. Once the user clicks on the link, he/she is redirected
to a fraudulent website. The user, then, unknowingly submits sensitive
information such as user identification number, password, credit card
number, bank account information, and other forms of financial data.

5.5.4 Spoofing
Fake or spoofed organizations: Organizations such as distributors,
escrows, and other third party mediators, which customers may trust to
transact with, are used often. Such transactions usually involve monetary
exchanges. Escrow/distributor or other agency services collect the payment
from a buyer on behalf of an online seller, aid in the delivery of the
purchased item to the buyer, or provide maintenance or value-added services.
In instances where this third party is illegitimate, the user will interact
with the spoofed web site and get defrauded: lose money, not receive the
purchased item, and not be able to recover the money paid to the escrow
service. There have been several instances where illegitimate users claim to
be sellers on certain websites, posting falsified auction items, withholding
the customers' payments, but never delivering the goods.
5.5.5 Cyber-mugging
Some emails appear legitimate, but when opened, install Trojans and
keystroke sniffers onto customers' computers so that sensitive information
can be stolen. Some even cause computers to be remotely controlled.
Criminals can also take out money through Salami slicing. These are
cases where undetectably small increments of money are taken out of an
account over a period of time.
5.5.6 How to deal with today's internet threats and challenges
One-Time Password (OTP):
With a security device:
A Security Device generates a series of passwords unique to an individual's
Personal Internet Banking account. Each One-Time Password is valid for a
short time. As the Security Device is required to validate and authenticate
the user for each online transaction, the user can be assured of a safe and
secure transaction environment. Phishing normally occurs when a User ID
and Internet Banking PIN are revealed. With a Two-Level Authentication via
a One-Time Password, which changes after a short while, phishing can be
minimised. With such a Two-Level Authentication process that uses an ID
and a password or PIN, both of which are known to the user, and additionally
an OTP that can be had every time from the device that one has to possess
(also known as Two Factor Authentication or 2FA), one can now manage
Personal Internet Banking transactions safely.
With OTP by mail/SMS:
Here, during the transaction the bank sends an OTP to the customer's
registered e-mail or mobile phone, which the customer needs to enter on the
screen to proceed. This also helps control the threat reasonably.
User Awareness:
User awareness is a very strong means of defence. The technicalities of
attacks, and their look and feel as revealed on screen or in interactions,
are always changing. An aware user who knows them, or is agile enough to
observe some unusual feature in any activity, or who, even in the absence of
any such gaps, behaves in a restricted and defensive manner as a good
practice, is sure to have less chance of being duped.
There are a few standard precautions to be observed as a safe practice
irrespective of the actual technical piece being in use.
Some tips are:
> Check if the Personal Internet Banking is the intended site
Always log in to the Personal Internet Banking site by physically entering
the official URL directly into the browser's address field, instead of
selecting a URL prompted by the system.
> Be certain that Personal Internet Banking is safe and secure
Customers have to protect their confidential data, such as login
information or passwords, security device if provided, etc. Also
customers need to follow the bank's communication about the look and
feel, changes in look and content and/or navigation in the internet
banking site, to be sure that this is the genuine site, not a faked copy.
Banks provide a few helps in this matter:
a. often a virtual keyboard is shown on the screen for customers to enter
credentials. This is to prevent the customer's keyboard activity from being
copied by a 'key logger' program. Often the configuration of the
virtual keyboard is changed very frequently to defeat hackers.
b. banks force periodic password changes, two-layer passwords (for
login, and transaction), strong passwords/complex passwords with
restriction on their re-use; avoiding dictionary words or customer
demographic parameters in passwords.
c. use of a third and dynamic key, e.g. an OTP sent to the customer's
phone, or 'Verified by Visa' or 'Master Secure' passwords to be verified
from the card network site in the session for Visa/MasterCards,
additional log-in enablement using a random number generated in
a device given to the customer that needs to be entered in the computer.
d. adding an extra layer of security against customer mistakes, like
forced log-out or suspension of service, use of security questions
and answers to re-permit access.
e. provide specific security client software for the default device (PC,
laptop, etc.) to be invoked for log-in.
f. regular customer education by e-mail, banners in website, printouts
behind transaction slips and communication papers.
g. customer education exercises through bank employees.
The bank puts in an Intrusion Detection System (IDS) which checks at various
levels to guard against intrusion by outsiders.
For Physical Intrusion Detection & Prevention (ID & IP): guarded
facilities at the gate of the internet banking or data centre set-up, entry
by checking of credentials at multiple levels, restricting use of
phone/camera/PC/devices, etc., man-traps, CCTVs etc. are all implemented.
For the logical IP/ID: the internet server is put as a separate unit outside
CBS. This is again set up as a combination of separate servers: the Web
server (to beam the internet pages, and receive the user inputs to them) and
the Application Server, or simply the App Server (this has the programme for
the web pages to be beamed, allowing user access, processing the internet
banking activities, and talking in front to the web server and at the back
to the CBS). The third server is the repository of all data of customers,
transactions, requests, logs, everything. Firewalls are specially provided
at this periphery (CBS is far behind, within the system), and also behind
this before the CBS. Now the Web server has to be in the front to receive
requests from the web, genuine or false; behind it will be the App server,
and, after a Firewall behind that, will be the Data server, in the so-called
DMZ (De-Militarized Zone). The IDS will be installed on the web server, or
immediately behind it.
The IDS will monitor and analyse the user and system activities at this
layer, the system configurations and vulnerabilities, and system and file
integrity; it also checks log-in attempt patterns against known attack
patterns, looks for abnormal system activities, suggests that an intrusion
is being attempted and may stop the intrusion if programmed to do so.
The IDS software can be on the host, i.e., the App server, web server etc.,
separately, and can check their configuration and operation parameters
periodically to find problems, if any, and report (this is Passive IDS). The
IDS can alternatively be invoked in the Web/App server in a manner
that it monitors the packets travelling and tries to conclude if it is facing
an intrusion attempt, and acts to stop the same (this is Active IDS).
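An added example (not the unit's own material and not any IDS product's code) of checking log-in attempt patterns as described above: it flags repeated failures against one user ID, and one source address failing against many user IDs, within a sliding time window. The log format, thresholds, user names and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back period
MAX_FAILS_PER_USER = 5          # assumed threshold: failures on one user ID
MAX_USERS_PER_SOURCE = 4        # assumed threshold: user IDs tried by one source

# Constructed sample log: <timestamp> <event> user=<id> src=<address>
SAMPLE_LOG = """\
2024-03-01T09:00:00 LOGIN_FAIL user=alice src=198.51.100.10
2024-03-01T09:00:20 LOGIN_FAIL user=alice src=198.51.100.10
2024-03-01T09:00:45 LOGIN_OK user=alice src=198.51.100.10
2024-03-01T09:10:00 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:10:05 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:10:10 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:10:15 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:10:20 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:10:25 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T09:30:00 LOGIN_FAIL user=carol src=203.0.113.99
2024-03-01T09:30:30 LOGIN_FAIL user=dave src=203.0.113.99
2024-03-01T09:31:00 LOGIN_FAIL user=erin src=203.0.113.99
2024-03-01T09:31:30 LOGIN_FAIL user=frank src=203.0.113.99
2024-03-01T10:00:00 LOGIN_FAIL user=gina src=198.51.100.20
2024-03-01T10:10:00 LOGIN_FAIL user=gina src=198.51.100.20
2024-03-01T10:20:00 LOGIN_FAIL user=gina src=198.51.100.20
2024-03-01T10:30:00 LOGIN_FAIL user=gina src=198.51.100.20
2024-03-01T10:40:00 LOGIN_FAIL user=gina src=198.51.100.20
"""


def parse(line):
    """Split one log line into (timestamp, event, user, source)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields["user"], fields["src"]


def detect(lines):
    """Return alerts as (kind, subject, time of the triggering event)."""
    fails_by_user = defaultdict(deque)  # user -> failure timestamps in window
    fails_by_src = defaultdict(deque)   # source -> (timestamp, user) in window
    alerts, raised = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, event, user, src = parse(line)
        if event != "LOGIN_FAIL":
            continue
        user_q = fails_by_user[user]
        user_q.append(ts)
        while ts - user_q[0] > WINDOW:      # drop failures older than window
            user_q.popleft()
        src_q = fails_by_src[src]
        src_q.append((ts, user))
        while ts - src_q[0][0] > WINDOW:
            src_q.popleft()
        # Pattern 1: password guessing against a single user ID.
        if len(user_q) >= MAX_FAILS_PER_USER and ("user", user) not in raised:
            raised.add(("user", user))
            alerts.append(("repeated-failures", user, ts.isoformat()))
        # Pattern 2: one source working through many user IDs.
        tried = {u for _, u in src_q}
        if len(tried) >= MAX_USERS_PER_SOURCE and ("src", src) not in raised:
            raised.add(("src", src))
            alerts.append(("many-ids-one-source", src, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Reporting these alerts corresponds to the passive mode described above; an active IDS would additionally act on them, for example by blocking the source or locking the user ID.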
5.5.7 Malware
Malware literally means "malicious software." Malware can be spyware,
ransomware or adware, and it can carry a virus. Rather than embedding
itself into the operating system or hard drive like a virus, it installs itself
and runs as software. Ransomware is malware that locks a computer,
network, or other system until a ransom has been paid and the hacker
deactivates the ransomware.
Once malware is in your computer, it can wreak all sorts of havoc, from
taking control of your machine, to monitoring your actions and keystrokes,
to silently sending all sorts of confidential data from your computer or
network to the attacker's home base. Some aspects of the malware-based
risks:
How will this risk spread?
Typically, a computer could get the malware if the user has visited an
infected website or has opened an infected email. In addition, social
networking sites are also increasingly being used to transmit such malware.
What are the signs of malware infection?
The user may experience the following if he/she accesses Personal Internet
Banking from an infected computer:
> Multiple prompts for login information even after the user has
entered login credentials such as the User ID, Internet Banking
PIN and One-Time Password (OTP)
> Errors while loading the login page for Personal Internet Banking
(or any site)
> The computer seems to hang for a short period of time
> User may see unfamiliar banking processes and messages; examples
can be as in 5.5.1 above.
> User may receive email messages or SMS messages for online
transactions that the user did not perform or for which the account
number was not known.
The user should not proceed with any transactions until the computer or
device has been checked and disinfected.
What should one do to keep the information safe online?
1. Check that the anti-virus software is always up to date and install
reputed anti-spyware software. Run the anti-virus software and scan
the entire database files regularly.
2. Do not download software from unknown and unsecure websites.
3. Ensure that the One-Time Password (OTP) from the Personal
Internet Banking Security Device (some banks provide these to
customers), or received on phone, and any SMS messages received
in the course of the online activities, reflect the user's actual requests
for any online Personal Internet Banking transactions.
4. Always check account and transaction history details, such as the
last login date/time and account balances and statements regularly,
to identify any unusual transactions.
5. Do not click on links from emails, install any programs of
doubtful origin or perform any online transactions on computers
that are suspected to be compromised.
Apart from these, the tips in 5.5.1 and 5.5.2 above will also hold good.
Customer responsibility
Customer education is critical to the mitigation of the internet threat.
Online users should be made aware of how to spot fraudulent emails and
websites. URLs can be redirected so that they appear legitimate initially,
in order to deceive the customer. For example, when a customer submits
information on a website, a seemingly legitimate URL can redirect the
customer to a different address, which is actually a spoofed website or a
criminal email address.
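The redirect risk described above can be checked mechanically. The following is an added example, not part of the original text: it audits a constructed redirect chain and flags any hop that leaves the expected bank domain or drops from https to http. The domain `bank.example` and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def host_matches(host, expected_domain):
    """True only for the expected domain itself or a real subdomain of it.

    A plain substring test is not enough: a spoofed host can contain the
    bank's name anywhere in it, so the match is anchored at the end and
    on a label boundary (the leading dot).
    """
    host = (host or "").lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def audit_redirect_chain(chain, expected_domain):
    """Return (hop_index, url, reason) findings for a list of visited URLs."""
    findings = []
    prev_scheme = None
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        if not host_matches(parts.hostname, expected_domain):
            findings.append((i, url, "host is outside " + expected_domain))
        if parts.scheme != "https":
            reason = "downgrade from https" if prev_scheme == "https" else "not https"
            findings.append((i, url, reason))
        prev_scheme = parts.scheme
    return findings

# Constructed sample chain (hypothetical hosts, not real sites).
SAMPLE_CHAIN = [
    "https://netbanking.bank.example/login",
    "https://bank.example.secure-login.test/verify",  # bank name is only a prefix
    "http://netbanking.bank.example/session",         # falls back to http
]

if __name__ == "__main__":
    for hop, url, reason in audit_redirect_chain(SAMPLE_CHAIN, "bank.example"):
        print(hop, url, reason)
```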
Customers should note that grammatical and language errors are often
more frequent on illegitimate sites, but this is not a hard-and-fast rule.
Customers need to secure their own computers with technological measures
such as anti-virus software and intrusion detection software.
Customers should not subject their mobile devices and the software that
operates these devices to any unnecessary modification. By doing so,
customers increase the vulnerability of these devices to malicious software,
such as worms and viruses.

Internet Banking User Credentials


Protect and secure the User ID and Password/PIN. One can protect the User
ID, password and other security information by following some practices
such as:
> Ensure that the website address is, or changes from 'http://' to,
'https://' and that a security icon that looks like a lock or key appears
when authentication and encryption are expected.
> Use a strong password: the password should contain at least, say, 8-12
digits and/or alphanumeric characters, and also special characters. The last
few passwords should not be reused, the password cannot be the same as the
User ID, the user is to be locked out on successive password failures, etc.
> Avoid having the same password for different websites, applications
or services.
> Do not store the User ID/Internet Banking PIN in the Internet Explorer
browser (that is, through the AutoComplete function used to enter ID,
password, etc.).
> Never reveal the Internet Banking PIN to anyone.
> Memorize the Internet Banking PIN and other security information and
destroy the notification received from the Bank, if any, immediately. The
user should not write or keep a record of the User ID and Internet
Banking PIN. Banks are already avoiding paper advice of PIN, and
the first-time PINs are now mostly generated at the customer end.
> Do not use easy-to-remember dates or numbers, like identity card
number or birth dates, as User IDs or Internet Banking PINs.
> Change the Internet Banking PIN periodically.
> If the mobile phone(s) or mobile phone numbers change, or the phone
gets lost, the customer should inform the bank or financial institution
immediately.
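The password rules listed above (minimum length, character mix, no reuse of the last few passwords, not equal to the User ID, lockout on successive failures) can be enforced on the bank's side as in the following added example, which is not part of the original text. The class name, the thresholds and the choice of PBKDF2 for storing password history are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8      # assumed; the text says "at least say 8-12"
HISTORY_DEPTH = 3   # assumed value for "the last few passwords"
MAX_FAILURES = 3    # assumed value for "successive password failures"

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id):
        self.user_id = user_id
        self.history = []   # (salt, slow hash) pairs, newest last; no plaintext
        self.failures = 0
        self.locked = False

    def policy_errors(self, password):
        errors = []
        if len(password) < MIN_LENGTH:
            errors.append("too short")
        if not (any(c.isalnum() for c in password) and
                any(not (c.isalnum() or c.isspace()) for c in password)):
            errors.append("needs alphanumeric and special characters")
        if password.lower() == self.user_id.lower():
            errors.append("same as User ID")
        recent = self.history[-HISTORY_DEPTH:]
        if any(hmac.compare_digest(_digest(password, s), d) for s, d in recent):
            errors.append("recently used")
        return errors

    def set_password(self, password):
        errors = self.policy_errors(password)
        if not errors:
            salt = os.urandom(16)
            self.history.append((salt, _digest(password, salt)))
        return errors

    def login(self, password):
        if self.locked or not self.history:
            return False
        salt, stored = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), stored):
            self.failures = 0
            return True
        self.failures += 1   # successive failures; lock at the limit
        self.locked = self.failures >= MAX_FAILURES
        return False
```

Once `locked` is set, even the correct password is refused until the account is reset through a separate process, which this sketch leaves out.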
Other Security Precautions and Practices while using Personal Internet
Banking
THE DO'S AND DON'TS OF ONLINE SAFETY
1. Never click on a link you did not expect to receive
The main way criminals infect PCs with malware is by luring users
to click on a link or open an attachment. "Sometimes phishing
emails contain obvious spelling mistakes and poor grammar and
are easy to spot. However, targeted attacks and well-executed mass
mailings can be almost indistinguishable [from genuine emails]."
Social media has helped criminals profile individuals, allowing them
to be much more easily targeted. They can see what you're interested
in or what you [post] about and send you crafted messages, inviting
you to click on something.
2. Use different passwords on different sites
With individuals typically having anything up to 100 online accounts,
the tendency has become to share one or two passwords across
accounts or use very simple ones, such as loved ones' names, first
pets or favourite sports teams. Any word found in the dictionary is
easily crackable. Instead have one memorable phrase or a line from
a favourite song or poem, add numerals and a special character.
3. Never reuse your main email password
A hacker who has cracked your main email password has the keys to
your [virtual] kingdom. Passwords from the other sites you visit can
be reset via your main email account. A criminal can trawl through
your emails and find a treasure trove of personal data: from banking
to passport details, including your date of birth, all of which enables
ID fraud.
4. Use anti-virus software
Always use anti-virus software; it is not the entire answer, but
a useful part of it.
5. If in doubt, block
Just say no to social media invitations (such as Facebook friend or
LinkedIn connection requests) from people you don't know.
6. Think before you tweet and how you share information
Again, the principal risk is ID fraud. Hunting for personal details is
the modern day equivalent of "dumpster-diving", in which thieves
would rummage through bins searching for personal documents.
Many people who have learned to shred documents like bank
statements will happily post the same information on social media.
Once that information is out there, you don't necessarily have control
of how other people use it.
7. If you have a "wipe your phone" feature, you should set it up
Features such as Find My iPhone, Android Lost or BlackBerry
Protect allow you to remotely erase all your personal data, should
your device be lost or stolen. In the case where your phone is gone
for good, having a wipe feature can protect your information from
falling into the wrong hands.
8. Only shop online on secure sites
Before entering your card details, always ensure that the locked
padlock or unbroken key symbol is showing in your browser.
Additionally, the beginning of the online retailer's internet address
will change from "http" to "https" to indicate that a connection is secure.
Be wary of sites that change back to http once you've logged on.
9. Don't assume banks will pay you back
Banks must refund a customer if he or she has been the victim of
fraud, unless they can prove that the customer has acted "fraudulently"
or been "grossly negligent". Yet as with any case of fraud, the matter
is always determined on an individual basis.
10. Ignore pop-ups
Pop-ups can contain malicious software which can trick a user into
verifying something; when you do, a download is performed in the
background and installs malware. This is known as a drive-by
download. Always ignore pop-ups offering things like site surveys
on e-commerce sites, as they are sometimes where the malicious
code is.
11. Be wary of public Wi-Fi
Most Wi-Fi hotspots do not encrypt information and once a piece
of data leaves your device headed for a web destination, it is "in the
clear" as it transfers through the air on the wireless network. That
means any packet sniffer [a program which can intercept data]
or malicious individual who is sitting in a public destination with
a piece of software that searches for data being transferred on a
Wi-Fi network can intercept your unencrypted data. If you choose
to bank online on public Wi-Fi, that's very sensitive data you are
transferring. Either use encryption [software], or only use
public Wi-Fi for data which you're happy to be public, and
that shouldn't include social network passwords.
12. Run more than one email account
Think about having one for your bank and other financial accounts,
another for shopping and one for social networks. If one account is
hacked, you won't find everything compromised. And it helps you
spot phishing emails, because if an email appears in your shopping
account purporting to come from your bank, for example, you'll
immediately know it's a fake.
13. Don't store your card details on websites
Err on the side of caution when asked if you want to store your credit
card details for future use. Mass data security breaches (where credit
card details are stolen en masse) aren't common, but why take the
risk? The extra 90 seconds it takes to key in your details each time
is a small price to pay.
14. Add a DNS service to protect other devices
A DNS or domain name system service converts a web address
(a series of letters) into a machine-readable IP address (a series of
numbers). You're probably using your ISP's DNS service by default,
but you can opt to subscribe to a service such as Google Public
DNS, OpenDNS or Norton ConnectSafe, which redirect you if
you attempt to access a malicious site. "This is helpful for providing
some security (and parental control) across all the devices in your
home including tablets, TVs and games consoles that do not support
security software. But they shouldn't be relied upon as the only line
of defence, as they can easily be bypassed."
15. Enable two-factor verification
If your email or cloud service offers it (Gmail, Dropbox, Apple,
WhatsApp and Facebook do), take the trouble to set this up. In
addition to entering your password, you are also asked to enter a
verification code sent via SMS to your phone. A hacker might crack
your password, but without the unique and temporary verification
code should not be able to access your account.
16. Lock your phone and tablet devices
Keep your phone and tablet devices locked, just as you would your
front door. Keying in a password or code 40-plus times a day might
seem like a hassle but it's your first line of defense. Next-generation
devices, however, are employing fingerprint scanning technology as
additional security.
17. Be careful on e-commerce sites
Check the seller feedback and if a deal looks too good then it may
well be. Keep your online payment accounts secure by regularly
changing your passwords, checking the bank account to which it is
linked and consider having a separate bank account or credit card
for use on them, to limit any potential fraud still further.
18. Lock down your Facebook account
Facebook regularly updates its timeline and privacy settings, so it is
wise to monitor your profile, particularly if the design of Facebook
has changed. Firstly, in the privacy settings menu, under "who can
see my stuff?" change this to "friends". Also in privacy, setting "limit
old posts" applies friends-only sharing to past as well as future posts.
Disable the ability of other search engines to link to your timeline.
Also, remove your home address, phone number, date of birth and
any other information that could be used to fake your identity. Similarly
you might want to delete or edit your "likes" and "groups" - the
more hackers know about you, the more convincing a phishing
email they can spam you with.
While much of the above are technical solutions to prevent you
being hacked and scammed, hacking done well is really the skill of
tricking human beings, not computers, by preying on their gullibility,
taking advantage of our trust, greed or altruistic impulses. Human
error is still the most likely reason why you'll get hacked.

Computers may retain images or copies of data sent or received
over the internet. As such, it is advisable that users should clear the
internet browser's disk cache after each Internet Banking session.

5.6 Let us sum up


> In today's modern world it is difficult to imagine that once branch
banking was the only form of banking available and for every single
need the customers were required to visit the bank branch
> As of today, Internet banking has taken a phenomenal leap in terms
of innovation, services offered, convenience and a host of power-packed
facilities being offered by various banks
> Some of the categories of banking facilities offered by banks are
account details, remittance and fund transfer, request services, bill
payment service, investment services, phone and DTH recharge
and shopping etc.
> The Internet enables institutions to realize new revenue streams
through service and transaction fees charged to users
> Personal Internet banking is fast becoming a popular platform for
banking transactions. However, the 'open' nature of the internet
exposes financial institutions and users to internet security risks.

5.7 Keywords
> Phishing: Phishing email messages, websites, and phone calls are
designed to steal money. Cybercriminals can do this by installing
malicious software on your computer or stealing personal information
off of your computer
> Brand spoofing: Hackers will fake or spoof websites of legitimate and
existing organizations to deceive customers into thinking they are
interacting with the legitimate company
> Cyber-mugging: Some emails appear legitimate, but when opened,
install Trojans and keystroke sniffers onto customers' computers so
that sensitive information can be stolen.
