
Case Study Theory - Answer using full paragraphs.

1. Explain at least 5 different transactions that can be done using internet banking

There are many different kinds of transactions that one can perform using internet banking. For instance, one may view their account balance, view recent transactions, download bank statements, order cheque books, view images of paid cheques, etc. By using internet banking, a bank customer can also initiate funds transfers between their linked accounts, pay third parties for bill payments (for instance, through BPAY), make investment purchases or sales through these services, engage in loan transactions such as repayment of enrolments, register utility billers in order to make bill payments, and utilize many different credit card applications.
2. Explain at least 4 different transactions that can be done using ATMs.

Automated Teller Machines enable bank customers to perform financial transactions, especially cash withdrawals, without the need for a human clerk or bank teller. By using an ATM card and authenticating by entering a personal identification number, a customer can access their bank credit or deposit accounts to make cash withdrawals, check balances, or credit their mobile phones. If the currency withdrawn is different from the one stored in the bank account, the money will be converted at an official exchange rate, thereby providing one of the best exchange rates for foreign transactions. By using ATMs, one may also make certain investments that do not necessarily require interaction with a fellow human being, pay income taxes at the ATMs of select banks, pay utility bills, retrieve account information, and apply for additional loans.
3. Explain at least 4 different transactions that can be done using mobile phones

Mobile phones may be used for mobile payments, which involve the use of a mobile device to purchase goods and services, and for mobile banking. SMS banking is the earliest mobile banking service offered. Through mobile banking, one may make transactions related to fund transfers between one's linked accounts, pay third parties, and use remote deposit. Mobile banking also offers customers the ability to make investments by providing real-time stock quotes and personalized alerts on security prices, and provides account information such as access to loan/card statements and mutual funds.
4. Explain the use of emails in online banking.

Many verification and account details are linked to a customer's email account. For instance, Interac e-Transfer requires registration by providing one's name and email address. The email is then used to notify the customer of any updates to their account, for instance when money has been deposited or when other transactions have been completed. Therefore, email in online banking is a means of identification for the customer. This is also why phishing attacks may prevent a customer from effectively and securely addressing their banking concerns: these attacks send fraudulent emails, and the customer may be deceived into sharing passwords, social insurance, credit card, or bank account numbers.
5. What is IVR?

IVR refers to Interactive Voice Response, which is an emerging technology that allows human-computer interaction through the use of voice input. In the field of telecommunications, IVR allows customers to interact with a system through speech recognition. This method of automation allows for the efficient handling of customer inquiries, as the IVR system may respond with pre-recorded audio files to direct and instruct the user.
6. How does voice recognition work with IVR?

Voice recognition lies at the core of IVR, as the words spoken by the caller are chopped into smaller pieces and then compared to the words stored in a database. This allows customers to avoid dual-tone multi-frequency signalling commands. Similarly, speech recognition does not restrict the input to ten digits. Overall, voice recognition, the translation of spoken words to text, is a developing technology that has many applications, one of which is interactive voice response. By analyzing predefined grammatical syntax and statistically trained natural language models, the customer's speech can be interpreted to provide an automated response.
7. What are the limitations of voice recognition in IVR?

Since voice recognition is still in its infancy, it is not perfect, and therefore comes with a few disadvantages. Some voice recognition software, for instance, will not always interpret words accurately, leading to errors due to misinterpretation. "Yes" and "No" answers may resolve this issue, but this also limits the advantage of using voice recognition if it restricts input to two options. Background noise interference and accents may also compound these problems. The time and cost associated with implementing a voice recognition system act as another limitation, as the time needed to correct and recognize errors, adapt to and interpret user voices, and the time for the user to learn how to use the system should all be considered.

8. Online banking provides cost advantages to the bank. Justify this statement with your explanation.

Most evidently, one of the most prominent cost advantages to the bank is that they may reduce their staff at a local branch, as there will be fewer customers to serve physically. Because transactions take place online, fewer staff are needed at the branch. In addition, by shifting transactions online, physical bank locations may be reduced, thus saving the costs of running the building. Furthermore, once an online banking service is implemented, there are usually few or no changes required in the future. Thus, this one-time investment will effectively serve customers well into the foreseeable future. By moving the transfer of money online, there is a decreased need for physical currency transfer, thereby reducing the costs in this respect as well.
9. Explain the benefits (convenience) of using online banking for the customer

A benefit for the customer is that they may manage their finances essentially wherever an internet connection is available. Instead of physically heading to the bank to make financial transactions, the customer may now manage their savings from the comfort of their home. Similarly, time is saved by the customer, as they no longer need to contact the appropriate persons at the bank to have their requests fulfilled.
10. Explain the responsibilities of Head of IT operations in a bank or any service industry.

The Head of IT Operations holds many responsibilities. Their duties and responsibilities may include the development of IT plans, managing the relationship between the landlord and the staff, formulating plans for operational IT processes/policies, identifying operational or IT risks, preparing proposals for consultation with external operations, monitoring expenditures against the monthly budget, and managing any special projects assigned.
11. Define: authentication of users.

Authentication is defined as the act of confirming the truth regarding an entity's attribute. It is the process of actually verifying the identity of the user. An example of the authentication of users may involve confirming the identity of a person by validating their identity documents. There are many different methods that may be used to authenticate the identity of a user, such as those involving knowledge factors (passwords and PIN numbers), ownership factors (ID cards and security tokens), and inherence factors (fingerprints, signature, DNA sequence, and other biometric indicators). Banks are increasingly resorting to the use of two-factor identification for the authentication of their users.

12. What is two factor (in some cases, multifactor) authentication method?

Two-factor authentication is the identification of a user through the use of two different components. These components may take the form of something the user has, knows, or is. For instance, to withdraw money from an ATM machine, users require a bank card and a PIN number. Two-factor authentication is essentially a form of multi-factor authentication. By using two-factor authentication, a user's identity is less likely to be compromised by fraud and identity theft.
13. What is TAN?

A TAN is a transaction authentication number that is used by some forms of online banking to act as a single-use one-time password that allows the user to engage in financial transactions. TANs are essentially an added security feature on top of the conventional password authentication methods employed. TANs are a form of two-factor authentication, as both login data and a TAN are required to perform transactions online. There are also other variations of TANs that further reduce the risk of phishing, keylogging, and man-in-the-middle attacks, such as Indexed TAN, pushTAN, Mobile TAN, and other variations involving CAPTCHA.
14. What is OTP?

OTP refers to a one-time password that is valid only for one login transaction. As opposed to traditional static passwords, which are reused, OTPs offer the advantage of providing protection against replay attacks, as even if a record of a used OTP is obtained, it will no longer allow access. Another advantage is the fact that a user who uses similar passwords for multiple systems is not immediately at risk on all of them. While there are many advantages to the use of OTPs, there are also many disadvantages concerning the methods used to generate and deliver the OTPs between the appropriate parties.
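The replay protection described for OTPs in question 14, and the single-use counter-based TANs of question 13, as an added example that is not part of the original answers: a TAN generator following the HOTP construction from RFC 4226 (HMAC-SHA1 over a moving counter) on the customer side, and a bank-side verifier that accepts each counter value at most once. The shared secret is the RFC 4226 test-vector secret, used here only as a constructed illustration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for illustration (the RFC 4226 test-vector secret);
# a real TAN device holds a per-customer secret provisioned by the bank.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TanDevice:
    """Customer side: a keypad-style generator that steps its counter on every TAN."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_tan(self) -> str:
        tan = hotp(self.secret, self.counter)
        self.counter += 1
        return tan


class TanVerifier:
    """Bank side: accepts each counter value at most once, within a small look-ahead
    window so a TAN the customer generated but never submitted does not lock them out."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.window = window
        self.next_counter = 0  # lowest counter value still acceptable

    def verify(self, candidate: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # Constant-time comparison so the check does not leak matching digits by timing.
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.next_counter = c + 1  # burn this counter and every earlier one
                return True
        return False


def demo() -> list:
    """Replay scenario: a TAN that has already been used is rejected on resubmission."""
    device, bank = TanDevice(SHARED_SECRET), TanVerifier(SHARED_SECRET)
    first = device.next_tan()
    results = [bank.verify(first)]        # genuine use: accepted
    results.append(bank.verify(first))    # replay of the same TAN: rejected
    skipped = device.next_tan()           # generated but never submitted
    later = device.next_tan()
    results.append(bank.verify(later))    # within the look-ahead window: accepted
    results.append(bank.verify(skipped))  # older counter, already burned: rejected
    return results
```

The look-ahead window is the trade-off the answer hints at under "methods used to generate and deliver" OTPs: a larger window tolerates more lost TANs but gives a captured, unused TAN a longer useful life.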
15. Explain two factor authentication used by TransEuropa bank with technical details.

Two-factor authentication as used by TransEuropa would involve identification of a user by means of a combination of two different forms of identification. Specifically, TransEuropa utilizes two-factor authentication through the user's response to a security question combined with a TAN. Each customer has been sent a special keypad device capable of generating the TANs, after the user has entered a code known only to the user and the bank. Furthermore, their transactions may only take place after the security question and TAN have been verified. Because of this form of two-factor authentication used by the bank, it is difficult for attackers to break into an account, as this form of multi-factor authentication utilizes many pieces of information that must be compromised, such as the user's personal details, alongside a generated TAN that is a single-use one-time password.
16. From your research, write down other authentication features used by various banks across the globe.

Other authentication features may include keystroke authentication and biometric authentication. Keystroke authentication may be used by banks for their online banking services. By tracking the way the user types words and information, the user may be mapped to their unique typing patterns. Thus, a typing signature may be formed for the user. Biometric authentication may also be used to provide a possibly more secure identification, as it utilizes features such as facial recognition, fingerprints, veins, DNA, retina, odour, or voice recognition to identify the user.
17. What is phishing?

Phishing is defined as the act of sending fraudulent information to a user through electronic communications, posing as a credible and legitimate enterprise, in order to obtain user-sensitive information that could be exploited for identity theft. Phishing messages may often instruct a user to provide their credit card, password, or bank account numbers. Because phishing attacks rely on tricking people into believing they are being contacted by a legitimate company, they depend on the susceptibility of the user to such attacks to retrieve confidential information.
18. From your research, explain various steps taken by the bank to protect customers from phishing and evaluate their effectiveness.

As phishing schemes prey on the susceptibility of the user to being tricked into providing user-sensitive information that could be exploited for identity theft, the best way for banks to protect their customers from phishing is through education. By ensuring the users are aware of the risks and how to protect themselves from said risks, banks may protect their customers by relaying the fact that they will never ask for the user's banking data over email. Furthermore, as noted by Michael, the Head of IT Operations, out-of-band verification is another way to protect the customers from phishing attacks.
19. What is Trojan?

A Trojan refers to a non-replicating form of malware containing malicious code that, when run, usually results in the theft of user data. Unlike computer viruses, a Trojan horse does not replicate itself. The name stems from the Greek narrative of the Trojan War, in which the Greeks presented a giant wooden horse to the enemy as a peace offering while concealing Greek soldiers within the horse's hollow interior; this allowed the Greeks to subsequently capture the city of Troy. Similarly, Trojans pose as harmless programs that are in actuality quite dangerous to the user.
20. Explain how Man-in-the-Browser Trojan works with technical details.

Man-in-the-Browser Trojans are a form of Trojan horse that operates by infecting a user's web browser, taking advantage of the browser's security vulnerabilities. This allows the attacker to modify web pages and transaction content covertly, preventing the user from discerning its presence. A Man-in-the-Browser attack is able to bypass SSL and even multi-factor authentication schemes in place, since it installs a Trojan horse capable of modifying the user's web transactions as they occur in real time. However, as these attacks are both high-tech and high-priced, they are usually used in financial fraud cases where resources can be expended. While a Man-in-the-Browser attack is more difficult to prevent and disinfect compared to conventional man-in-the-middle attacks, since it takes place within the security mechanisms of a user's web browser, it may be prevented with adequate web-fraud detection and antivirus software.
21. Explain the dangers of phishing and Man-in-the-Browser Trojan for online banking customers.

Phishing and Man-in-the-Browser Trojans are extremely dangerous for customers of online banking, as they rely not on brute-force decryption attacks, which are already made difficult by the key lengths and security measures offered by the banking system, but instead on human behaviour/error that allows them to exploit the information presented by a user of an online banking service. Phishing, for instance, requires the user to fall for the fraudulent messages of the attacker and willingly present their banking information, whereas Man-in-the-Browser attacks threaten the user with their ability to hide themselves and exploit flaws in the user's web browser.
22. What is out-of-band verification?

Out-of-band verification refers to a form of two-factor authentication that requires secondary information to verify a user's identity. Specifically, it requires secondary verification through a different communication network along with the usual user ID and password. Out-of-band verification is usually utilized within banking organizations where high security requirements are in place to secure the transfer of banking information.
23. Explain how out-of-band verification minimizes the risk for online bankers.

By utilizing out-of-band authentication, breaking into a user's account is made more difficult, since two separate and unconnected verification channels are needed. As with other forms of two-factor authentication, both of these channels would have to be compromised for an attacker to gain access to the secure information. One out-of-band measure could be the use of a phone call from a registered number to confirm the user's desire to access their banking capabilities online. Combined with other security measures such as biometric verification, out-of-band verification can minimize the risk for online bankers.
24. What is encryption?

Encryption refers to the process of increasing the security of the contents of a file by scrambling those contents so that they can only be read by the appropriate parties with the correct decryption key. In the process of encryption, the message (usually referred to as plaintext) is encrypted using an encryption algorithm, which generates ciphertext that can only be read if decrypted. While it is theoretically possible to decrypt messages without possessing the appropriate key, well-designed schemes require large computational resources to crack, thus making it infeasible and impractical to attempt.
25. What is symmetric encryption?

Symmetric encryption refers to the encryption algorithms that use the same cryptographic key for the encryption and decryption of plaintext and ciphertext respectively. In practice, this key is held in secret by both parties and is not disclosed publicly. While symmetric-key encryption is simpler and faster to operate compared to public-key encryption, it requires that the two parties exchange the key in a secure way. Symmetric encryption is sometimes referred to as secret-key encryption.
26. What is asymmetric encryption?

Asymmetric encryption, also known as public key encryption, refers to the set of encryption algorithms that utilize two separate keys. One of the keys is public, while the other is held privately. These two keys together are considered a key pair. Asymmetric encryption works by establishing a public key that anyone who wishes to send a message has access to and a private key that is kept secret. All messages encrypted using the public key can only be decrypted using the matching private key, and vice versa. Thus, one does not need to worry about the passing of public keys over communication networks.
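The key-pair relationship described in question 26, as an added example that is not part of the original answers: textbook RSA with constructed toy primes (p = 61, q = 53, e = 17) so that the arithmetic is visible. Encrypting with the public key and decrypting with the private key is the confidentiality direction; the "vice versa" direction, where only the private key can produce a value the public key accepts, is a signature. The primes and the message 65 are constructed for illustration, and real keys are about 2048 bits with padding.

```python
from math import gcd

# Constructed toy primes for illustration only; a bank's key uses primes of roughly
# 1024 bits each so that n is 2048 bits. Textbook RSA without padding is shown here
# purely to make the public/private relationship visible, never for real data.
P, Q, E = 61, 53, 17


def rsa_keygen(p: int, q: int, e: int):
    """Return ((e, n), (d, n)): the public key and its matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, so that e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(m: int, public_key) -> int:
    """Anyone holding the public key can do this."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the holder of the private key recovers m."""
    d, n = private_key
    return pow(c, d, n)


def sign(m: int, private_key) -> int:
    """The 'vice versa' direction: a value only the private key can produce."""
    d, n = private_key
    return pow(m, d, n)


def verify(m: int, signature: int, public_key) -> bool:
    """Anyone can check the signature against the public key."""
    e, n = public_key
    return pow(signature, e, n) == m


def demo() -> dict:
    public, private = rsa_keygen(P, Q, E)
    c = encrypt(65, public)
    sig = sign(65, private)
    return {
        "modulus_bits": public[1].bit_length(),  # the 'key length' of this toy key
        "ciphertext": c,
        "decrypted": decrypt(c, private),
        "signature_valid": verify(65, sig, public),
        "tampered_message_rejected": not verify(66, sig, public),
    }
```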
27. What is a digital certificate?

A digital certificate is a public key certificate that is issued according to a distinct set of identity verification criteria. In order to obtain an Extended Validation Digital Certificate, extensive verification of the website's identity is made by the certificate authority before a certificate is presented. By utilizing digital certificates alongside SSL, added trust may be given to online transactions by requiring websites to undergo certification procedures. However, there are also many other low-validation certificates that are offered, and since many browsers do not differentiate, users may not be aware of the extent to which a website has been validated.
28. What is the role of digital certificate in online banking/e-commerce?

Digital certificates are important in the online banking/e-commerce industry, as a principal motivation for their use is to add trust to online transactions. By requiring website operators to undergo rigorous testing in order to obtain a certificate, a user may rest assured that their information is secure and their banking information kept confidential. The digital certificate may be considered an indicator to the user that the banking service provided is of adequate technical security, thus signifying to the user that their information is safe in the hands of the bank.
29. Name at least two digital certificate agencies for e-commerce/online banking.

There are many independent digital certificate authorities that issue digital certificates. The most prominent providers include Symantec, Comodo, and GoDaddy, which account for around three-quarters of all issued TLS certificates on public web servers. Other certificate authorities include GlobalSign and DigiCert.
30. What is SSL protocol?

Secure Sockets Layer (SSL) protocol is the predecessor to the Transport Layer Security (TLS) cryptographic protocol that is implemented to provide communications security over a communications network. It is a widely used security protocol that provides a secure channel between two machines operating over the Internet or over an internal network. Presently, the SSL protocol is usually employed when web browsers need to secure a connection.
31. Encryption key length of 2048 bits. What is meant by this statement?

Encryption key length refers to the key size, measured in bits, of the key used in cryptographic algorithms. Encryption systems are usually grouped into distinct categories with different levels of cryptographic complexity, which correspond to different key sizes for the same level of security. For instance, a 1024-bit key in the asymmetric RSA algorithm is around as secure as an 80-bit key in a symmetric algorithm. An encryption key length of 2048 bits is therefore most likely referring to an asymmetric algorithm key of 2048 bits which, according to RSA, is equivalent to a 112-bit symmetric key and is sufficient until 2030. As asymmetric encryption relies on the difficulty of integer factorization, asymmetric keys must be longer to resist attacks equivalent to those against symmetric keys.
32. Explain how brute-force decryption method works?

In cryptography, a brute-force attack or exhaustive key search is a cryptanalytic attack that can be used against all forms of encrypted data except for data encrypted in an information-theoretically secure manner. This type of attack may be used when it is not possible to take advantage of other weaknesses in the encryption that would make the task easier. A brute-force decryption method involves systematically checking all possible keys until the correct one is found. This type of attack may be made more difficult with the obfuscation of data, which makes it harder for the attacker to recognize when they have cracked the system. In an offline attack, however, the attacker may try keys at their own leisure without the risk of interference.
33. What are backdoor methods?

Backdoor methods are methods of gaining unauthorized access to a computer system. A backdoor usually lies in the program code and is created by a programmer, allowing attackers to access a user's computer without their knowledge or consent. Because of this, backdoors are considered to be security threats. There are also many ways a computer may be infected with backdoors, such as through downloadable software.
