Causes and solutions of unsafe online banking
Generally speaking, people's concerns about the security of online banking mainly include:

1. The bank trading system has been illegally invaded.

2. Information is stolen or tampered with when it is transmitted through the network.

3. Identity authentication of both parties to the transaction; accounts being stolen by others.

From the bank's point of view, developing online banking will take more risks than customers do. So China Merchants Bank, China Construction Bank, China Bank and the other online banks in China have all established a strict security system, including security policies, security management systems and processes, security technical measures, business security measures, internal security monitoring and security auditing, to ensure the safe operation of online banking.

Security of Bank Transaction System

The "online banking" system is an extension of banking services, and customers can conveniently use the core business services of commercial banks through the Internet to complete various non-cash transactions. On the other hand, the Internet is an open network, the bank transaction server is an online public site, and the online banking system also opens the door to the Internet for the bank intranet. Therefore, how to ensure the security of online banking transaction system is related to the security of the entire financial network within the bank, which is the most critical issue in the construction of online banking and the most fundamental consideration for banks to ensure the safety of customers' funds.

In order to prevent the transaction server from being attacked, banks mainly take the following three technical measures:

1. Set up a firewall to isolate related networks.

Generally, a variety of firewall schemes are adopted. Its functions are:

(1) Separate the Internet from the transaction server to prevent illegal intrusion by Internet users.

(2) Isolate the transaction server from the bank intranet, effectively protecting the bank intranet and preventing the intranet from invading the transaction server.

2. High-security Web application server

The server uses a trusted dedicated operating system, and through its unique architecture and security check, it ensures that only the transaction requests of legitimate users can be sent to the application server for subsequent processing through a specific agent program.

3. 24-hour real-time security monitoring

For example, ISS network dynamic monitoring products are used for system vulnerability scanning and real-time intrusion detection. In February 2000, when Yahoo and other big websites were attacked and destroyed by hackers, all websites using ISS security products survived.

Identification and CA certification

Online transactions are not face-to-face, and customers can make requests anytime and anywhere. Traditional identification methods usually rely on a user name and login password to verify the identity of users. The user's password is transmitted in clear text over the network when logging in, where it is easily intercepted by attackers, who can then impersonate the user, and the identity authentication mechanism is broken.

In the online banking system, the user's identity authentication depends on multiple guarantees: an encryption mechanism and a digital signature mechanism based on the RSA public key cryptosystem, together with the user's login password. The bank checks the user's digital signature and login password, and the user's identity is confirmed only after all of them pass. The unique identity of the user is the "digital certificate" issued by the bank. The user's login password is transmitted in the form of ciphertext, which ensures the security and reliability of identity authentication. With the introduction of digital certificates, identity authentication between users and the bank trading website is realized, thus ensuring that the real bank website is accessed and that the transaction instructions submitted by customers are undeniable. Because of the uniqueness and importance of digital certificates, banks have set up CA certification bodies to carry out online business, which are responsible for issuing and managing digital certificates and conducting online identity audit. In June 2000, the China Financial Certification Center (CFCA), led by the People's Bank of China and jointly established by 12 commercial banks, was officially put into operation. This indicates that China's e-commerce has entered a new stage of bank security payment. The China Financial Certification Center, as an authoritative, reliable and fair third-party trust institution, provides the basis for identity authentication for future inter-bank transactions.

Network communication security

Because the Internet is an open network, sensitive information (such as passwords, trading instructions, etc.) transmitted by customers on the Internet may be intercepted, deciphered and tampered with during communication. In order to prevent this from happening, online banking systems generally adopt measures to encrypt transaction information, and the SSL data encryption protocol is the most widely used.

The SSL protocol was originally developed by Netscape. Its main purpose is to provide a secret and reliable connection between two communicating parties. At present, most Web servers and browsers support this protocol. After the user logs in and passes the authentication, all the data transmitted between the user and the service provider on the network is encrypted with the session key until the user logs out of the system, and the encryption key used in each session is randomly generated. In this way, it is impossible for an attacker to get any useful information from the data stream on the network. At the same time, a digital certificate is introduced to sign the transmitted data. Once the data is tampered with, it will inevitably be inconsistent with the digital signature. The encryption key length of the SSL protocol is directly related to its encryption strength, generally 40 to 128 bits; the value in use can be found under Help and About in the IE browser. At present, China Construction Bank and others have adopted high-strength encryption with an effective key length of 128 bits.

Customer's safety awareness

The security awareness of bank card holders is an important factor that cannot be ignored. At present, the security awareness of bank card holders in China is generally weak: they don't pay attention to the confidentiality of passwords, or set passwords to easily guessed numbers such as birthdays. Once the card number and password are stolen or guessed by others, the user's account may be used fraudulently online, for example for shopping or other spending, causing losses that the technical means of the bank can do nothing about. Therefore, some banks require customers to sign a contract at the bank counter with legal documents before using "online banking" for transfer payment, so as to ensure the safety of customers' funds.

In another case, customers using online banking on public computers may let confidential information such as digital certificates fall into the hands of others, who can then directly break through the online identification system and steal online accounts.

As the core and foundation of the survival and development of online banking, security has been highly valued by banks from the beginning, and effective technical and business means have been adopted to ensure the security of online banking. However, security and convenience are contradictory. It means that the safer the application, the more complicated the operation, which affects the convenience and makes it difficult for customers to use. Therefore, security and convenience must be weighed. Up to now, the transaction volume of online banking in China has reached hundreds of billions of yuan, and there have been no security problems in banks. Only a few customers lost money because of their poor sense of confidentiality.

Summary

According to relevant data, there are more than 150,000 households using online banking services in the United States, and the online banking business accounts for 10% of the total banking business. By 2005, this proportion will be close to 50%. However, the business volume of online banking in China is less than 1% of the total banking business. In this respect, the development prospect of online banking in China is extremely broad. We have reason to believe that with the enhancement of national financial awareness and the promulgation of national laws and regulations to regulate online behavior, online banking will have a better environment, and "online banking" that can provide "3A services" (anytime, anywhere, in any way) will certainly appear.

Since the United States launched the world's first online bank, Security First Online Bank, in 1995, online banking has developed very rapidly in the world. In 2002, about 5.6 million households in the United States used online banking or online payment at least once a month. 2003

In 2006, Bank of East Asia and HSBC started online banking in Chinese mainland. The first online bank in China appeared in 1998. It is reported that by the end of 2004, China online banking had reached 17.58 million individual customers and 600,000 enterprise users, and the online banking transaction volume reached 49 trillion yuan.

However, just as consumers accept and try the novelty and convenience brought by this new thing, fraud cases caused by security problems follow one after another. This makes consumers begin to question and have to re-examine the credibility of online banking. How to understand the security of online banking? The problem is that banks or consumers are not aware of prevention. Security has indeed become a focus of the development of online banking.

Various security problems of online banking

Online banking, also known as Internet banking or network banking, refers to the virtual banking counter where banks provide banking services to customers through the network, with their own computer system as the main body and the computers of units and individuals as the network access terminals. Simply put, online banking is a virtual banking counter on the Internet, which "moves" the traditional banking business to the Internet and realizes the operation of banking business on the Internet.

In western developed countries, online banking services are generally divided into three categories, namely, information services, customer exchange services and bank transaction services. Information service means that banks provide products and services to customers through the Internet. Customer communication services include e-mail, account inquiry and loan application. Bank trading services include personal business and corporate business. The former includes transfer, remittance, payment, mortgage, securities trading and foreign exchange trading. The latter includes settlement, credit and investment. Bank transaction service is the main business of online banking.

The characteristic of online banking is that as long as customers have their own account number and password, they can enter online banking through the Internet to handle transactions around the world. Compared with the traditional banking business, the advantage of online banking is that it can not only greatly reduce the operating costs of banks, but also help to expand the customer base, cross-sell products and attract and retain high-quality customers. Because customers use public browser software and public network resources, it saves customers the cost of software and hardware development and maintenance. Online banking is not limited by time and space, which breaks the traditional geographical and time business restrictions and can provide financial services to customers anytime and anywhere. And on the basis of integrating all kinds of cross-selling product information, we can realize financial innovation and provide customers with more personalized services.

There are two models for the development of online banking. One is invisible electronic banking, also known as "virtual banking". The other is based on the existing traditional banks, using the Internet to carry out traditional banking transaction services. So, in fact, there is no real online banking in China, that is, "virtual banking". At present, online banking in China basically belongs to the second mode.

For banks, it has always been "credit first". Since online banking is a product of the Internet, all security risks brought by the Internet will naturally affect online banking and its credit. Therefore, the security of online banking is not only what worries customers most, but also a matter of concern and attention for traditional banks. Besides data transmission risk, application system design defects and computer virus attacks, the most harmful and influential security problem that online banks face at present is fraud. The fraudulent means include fake bank websites, e-mail fraud and online trading traps.

Fake bank websites are well concealed: their domain names usually differ from the real bank's by one letter or number, while their home pages look very similar to the real bank's. Fraudulent emails provide a link that looks very similar to that of a bank or shopping website. Once the user who receives such an email clicks the link, the page prompts the user to enter their account information. If users fill in this information, it will eventually fall into the hands of fraudsters. In the online trading trap, little-known shopping websites advertise ultra-low-priced goods, and when users click on the payment link, they are cheated out of their bank information. How do banks deal with various security problems of online banking? What corresponding measures have they taken?

Bank: Do it when you should.

In August, 14 domestic commercial banks and the China Financial Certification Center (CFCA) jointly launched the "Safe and secure online banking in 2005" activity. Banking departments and third-party security certification bodies work together to provide consumers with an opportunity to understand online banking and information security knowledge.

Among these 14 banks, China Industrial and Commercial Bank launched online banking in 2000. By adopting internationally advanced technical security measures and strict risk control measures, ICBC has established a strict set of online banking technologies and systems, ensuring the safe operation of online banking.

Shang Yang, deputy director of the electronic banking department of China Industrial and Commercial Bank, told reporters that there are four main types of fraudulent activities that use online banking to defraud customers' funds. First, criminals pretend to be well-known companies, especially banks, through e-mail, in the name of a system upgrade, to trick unsuspecting users into clicking on fake websites, requiring them to input sensitive information such as their account number, online banking login password and payment password at the same time. Second, criminals use online chat, posing as netizens, to sell online game equipment, digital cards and other commodities at low prices, and trick users into logging in to the fake website address provided by the criminal suspects and entering bank account numbers, login passwords and payment passwords. Third, criminals take advantage of some people's bad online habits, such as downloading and opening unknown programs, games and emails, and may implant Trojan viruses into customers' computers through these programs and emails. Once a customer logs into online banking with this "poisoned" computer, his account and password may be stolen by criminals.

For example, when people surf the Internet on public computers such as those in Internet cafes, Trojan horse programs may have been embedded in the computers in advance to capture sensitive information such as account numbers and passwords. Fourth, criminals take advantage of the psychology that people are afraid of trouble and the password setting is too simple, and may guess the password by means of temptation. Therefore, in order to ensure the security of information and funds, we not only need to have the ability to identify online fraud, but also need to develop good online banking habits. Of course, if the user applies for a customer certificate, it can effectively prevent all kinds of common cyber crimes and ensure the safety of users' funds.

The security of ICBC's online banking system is multi-layered, including online banking technology security and business security, which form a complete online banking security system. From the perspective of technical security, the technical security of online banking includes network security and transaction security. Network security ensures the safety and reliability of ICBC's website, and transaction security ensures the safety of customers' funds through online banking transactions. Among them, network security involves system security and network operation security.

System security actually refers to the security of hosts and servers, mainly including anti-virus, system security detection, intrusion detection (monitoring) and audit analysis; The security of network operation refers to the necessary emergency measures for emergencies, such as data backup and recovery. In order to ensure the network security of online banking, ICBC has taken a series of measures, including setting the first firewall between the Internet and the online banking server, and setting the second firewall between the portal server and the ICBC internal network (application server). The second firewall and the first firewall at the entrance are products of different manufacturers, and different security policies are set, so that even if hackers break through the first firewall, they cannot easily break through the second firewall and enter the intranet, and so on.

While ensuring network security, ICBC's online banking has also taken a series of measures to ensure the security of online transactions, including adopting the most stringent 1024-bit certificate authentication and 128-bit SSL encrypted public key certificate security system provided by China Financial Certification Center (CFCA). According to customers' different requirements for convenience and security level, ICBC divides customers into two categories: uncertified customers and certified customers. Customers who are not certified must first verify their account number (or their login ID) and login password before entering the online banking, and the payment password must also be verified for external payment.

In addition, through a series of ways, such as increasing the password difficulty (which must be a combination of 6-30 digits and letters), setting up a virtual "E" card (specially used for online shopping) and the maximum daily payment limit, customers can be guaranteed to use online banking safely to the maximum extent. For customers who have applied for certificates, ICBC USBKey customer certificate is a smart chip with a shape similar to a USB flash drive. It is the "identity card" and "security key" of online banking, and it is also the highest security measure at present. After the customer applies for this certificate, all online operations involving fund transfer must be completed through this customer certificate, which is only kept and used by the customer himself. In other words, as long as the account number, login password, payment password, customer certificate, certificate password and other security precautions are not lost or leaked, or even if they are lost, as long as the password and certificate are not obtained by the same person, there is no financial security problem.

In addition to technical security, ICBC has established a sound internal teller operation management mechanism at the business security level. The internal management system of the whole network bank provides unified internal management functions to the whole bank through the ICBC intranet. Within the system, four types of 9-level teller systems are established from the head office, provincial banks to municipal banks, which are managed step by step, and each level has the authority to manage and supervise the next level. At the same time, when the teller carries out some key operations, it also needs the real-time audit of the teller at the next higher level to prevent a single person from committing a crime.

So, how should users use online banking safely? Deputy Director Shang Yang said that for customers with customer certificates, as long as the password and certificate are not obtained by the same person, the security of customer funds can be guaranteed. It is very safe for customers who do not have a customer certificate as long as they keep their account number, password and payment password. In short, there are several points to remind people:

1. Please take good care of your account and password.

2. Beware of fake websites asking for customer sensitive information such as account number, password and payment password.

3. Take care of your computer. Don't download software of unknown origin easily. It is best not to use online banking in public places (such as Internet cafes and public libraries).

4. The most effective way is to apply for a customer certificate at ICBC outlets. Once you have your own customer certificate, you can effectively prevent online fraud such as fake websites and Trojans. In other words, even if a fake website or Trojan horse obtains sensitive information such as your account number and password by deception, you can still use online banking with peace of mind with a certificate.