
Abstract

Banks attract money and are therefore heavily targeted by crime, such as cheque fraud and
robbery. Traditional banks had no computer technology, so they relied on strong physical
security and robust processes to fight such crime. Nowadays the threat to banks is enormous
and unpredictable.

Most banking operations have been computerized and all data is held in electronic format. This
work provides a network security solution for a bank (financial institution) that is
implementing internet banking. The bank has more than thirty branches island-wide and an
intranet that is open to all outsiders. A bank is a critical financial institution that
requires a high level of network security, since all internal and external customers are
engaged in the bank's workflow. Developing an internet banking portal requires a thorough
study of security, data protection and access control.

The key components of a network security solution are IPS, firewall, SSL, IDS, access control,
an encryption module and the associated protocols. Possible network vulnerabilities, attack
scenarios and industry-standard compliance requirements are also discussed and analyzed in this work.

Keywords: Online Banking, Network Internet Security, Threats, E-commerce, Vulnerabilities


1. Overview
Banks are the most widely and commonly used financial institutions island-wide. Every
individual needs the support of a bank to keep their money safe. To ease the transactions
processed by customers, internet banking has been introduced so that customers can carry out
all their necessary bank transactions anytime and anywhere. Technological development has
brought many new smart devices, which has had a great impact on the wide-scale introduction of
online transaction portals. As time passes, new functions and services are introduced and added
to the internet banking portal, making it more ubiquitous and flexible.

Let's dig down into the services a bank provides that no other organization would provide. The
three traditional core utilities are:

- Value store – safe storage of money
- Money movement – transfer of money
- Access to credit – the ability to lend money

Since the emergence of banking during the 14th century, as banks we’ve taken that core utility
and we’ve added structure. Initially this structure was about network—where you could bank.
Banks then added structure around the business of banking, trust and identity—who could bank,
what was a bank and how you had to bank.

Technology now affords us the ability to radically eliminate that friction and create banking
embedded in the world around us, delivering banking when and where we need it most. The
main issue with this technological innovation is the increase in cyber-attacks and computer
crime. The most commonly identified threat in online bank transactions is identity theft,
where the attacker steals information to make fraudulent transactions, which may empty the
accounts of the bank's customers.

Financial institutions that cater to customers getting what they want, when and where they
want it, realize that the consumer does not need more branches; they need more robust online
and mobile banking applications to fulfil their requirements.
“Banking is necessary, but banks are not.”

—Bill Gates, Microsoft

Today, we are at an inflection point at which technology can be leveraged to bring back the
highly personal and relationship-oriented interactions of the past. That same technology can also
be used to dehumanize commerce and banking experiences, raise privacy concerns, and drive
unwanted interactions. For a banker, this means consumers are seeking the right set of services
to create the experiences they desire.

The chief objective of this project is to provide an effective network security solution for
the selected bank with regard to its online internet banking portal. Implementing such a
solution requires following the necessary stages in order. Starting from the requirement
gathering stage, through scaling and the hardware infrastructure stage, then to software
infrastructure installation and the training and development of the respective members of
staff: these are the basic stages to be followed. Any breakdown in them will reduce the
effectiveness of the network security implementation. The selected bank has more than thirty
branches island-wide, with a goal of expanding the business within another two years. For this
expansion the bank needs a solid and more vigorous network security solution with a high level
of scalability. This paper reviews research with similar implementation methodologies that is
recommended for industry-level work.

The selected bank still does not offer an online banking facility to its customers, because it
has been much concerned about the security measures needed to secure the transactions carried
out by customers. But it urgently needs to provide internet banking to its customers, as this
has become a primary requirement for people with busy schedules. None of its applications are
internet-based; they run on a closed network that has to be reconfigured to support internet
banking. This work looks at how to restructure the bank's network and provide the required
network security for the internet banking portal.
2. Objective
The main aim of this project is to analyze, design, propose and develop a network security
solution for an internet banking (IB) portal with respect to a few selected institutions. A
further key objective of this work is to secure all stored data components and manage the
security aspects of all internet banking functions. Achieving these aims requires several
stages: assessing the existing network, scanning its vulnerabilities, rearranging the current
network and security levels, implementing public access portals together with security access
control, and ensuring end-user accessibility.

Key objectives are as follows:

- Examine and conduct research in the industry with expert input and conclude on the best
solution.
- Identify the security weaknesses of the existing environment.
- Secure the bank's internal data from being accessed by unauthorized outside parties.
- Propose a better network security solution and ensure the protection of the transactions
carried out through the bank's online portal.
- Provide the financial organization with a strategy for implementing the new solution so
that it achieves the best possible result.
- Come up with a new security policy for internal users and implement the necessary
security roles in the environment.

Sri Lanka is a growing country and seeks new technology platforms to make day-to-day life easier.
Internet technology plays a major part in today's national economy. Most services have been
moved onto IoT to serve consumer demand. Although growth has been enormous, the related
challenges to information security are also vast. There are many possible causes of unintended
security breaches.

The goal of this research is to provide an effective and secure solution for a banking
organization seeking to implement an online application. Challenges such as implementation
cost, infrastructure, security and complexity of implementation have been identified, which
would require a solution built from scratch. The solution proposed here also takes the existing
infrastructure into account, as this is a cost factor.
The most effective way to secure the banking application is to build it from scratch, following
a secure development lifecycle and taking security into account from the initial phase.

2.1. Problem in brief

An online banking service lets outsiders reach the restricted data centers so that consumers
can complete their transactions. Since there is cash flow, banks are a wide target for the
criminal activities of cyber threat agents. This project critically analyses the scope, design
and implementation of a security solution for a bank going online. It focuses on main elements
such as scalability, industry standards, future demand management and operations. The design
and implementation of a hardware- and software-based security system for online banking, and
the introduction of security policies and a situational analysis, are the key objectives of
this project.

3. Literature Review
Because of increasing computer crime and the development of hacking tools and methods,
financial services in the modern world such as internet banking need to implement high-class
security procedures. Wide availability and security are the two most important pivotal areas of
modern internet banking (Chang 2003).

As in Sri Lanka, other places have been discussed too, such as the introduction of internet
banking in Malaysia. Regarding the improvement of the IB infrastructure, most authors discuss
in detail modern IB built on the tele-banking experience (Yousafzai, 2012). When discussing the
infrastructure of modern IB, two main factors need to be resolved. Security problems arise at
the customer end (such as security issues in the Global System for Mobile communication (GSM)
network and compromise of the mobile app) and also at the bank server end (loopholes, human
error, backdoors, etc. open the way to unauthorized entry and data access). Man-in-the-middle
attacks are treated as out of scope here, since protection of data in transit is not the focus
of this case; that matter can be resolved by compliance with secure data transmission
protocols (HTTPS) (Mallat et al., 2004).

To reduce the effects at the customer end, the banking app should be authenticated by the bank,
because malicious apps posing as the official application will harm both customer and bank
(Cognizant, 2014). The bank app is the door between the bank and the customer, so its
authenticity is the main concern. GSM infrastructure problems and security issues are not
directly relevant to this type of case. Closing that hole will take some time, and solutions are
being developed globally (Chbeir et al, 2013). Implementation of the online banking facility
should be concerned with the security of both ends (customer end and bank end) rather than the middle.

In this implementation, the information exchanged is highly important, and so is its storage.
As we all know, a bank holds millions of records on its customers: credit card information,
credentials, spending and so on (Hyun Lee, et al. 2013). Therefore the bank needs a combination
of authentication, encryption and auditing mechanisms and methodology as an integral part of
the system. The basic components of this type of system are Secure Sockets Layer (SSL) coupled
with 128-bit encryption, firewalls (both hardware and software), authentication protocols
(username and password), an alert system (for customers as well as bank monitoring), access
control (for staff members and IT admins), data encryption in storage, and account locking.
Malware threats should be identified, suitable responses taken, and the specific targeted areas
known (EPC, 2017; Mohamed & Maskat, 2007). Phishing is also effective against modern internet
banking authentication systems (Drolet, 2018), and it has been rising since the early days of
internet banking implementation.

The security of e-commerce depends on a few components and on the complex combination and
interrelationship between them: database management systems, network infrastructure and
systems software, and also the application development platforms. If even one component has a
single issue, it causes overall failure and security problems in the entire set-up. These points
have been valid since the early days of e-commerce (Deitel et al, 2001; Stallings, 1999). The
key ingredient of these implementations is access control, so the proposed implementation will
add significant access control. As a passing note, we hope to carry out a customer survey of IT
literacy and use of internet banking. Compatibility is very important here, but we have not yet
evaluated the app structure and portal design (without a survey sample). However, client
interface management has already been taken on by the bank's IT department, and the subject of
this proposal is limited to network security.

The banking industry has a reputation that is not much better than the tobacco industry's: a
survey found that 51% of respondents said the financial services industry has a "very bad"
reputation. Contrast this with technology companies, for which only 6% of respondents said so,
and banks need to do more than have Facebook pages. People trust their friends and family, but
not their banks. How can the banking industry rebuild trust and relationships with its
customers? Aside from some basic business model reform that will happen, for example finding
ways of making money through value creation rather than penalty fees, overdraft fees, automated
teller machine (ATM) fees, and so on, understanding and fitting into a customer's lifestyle
becomes very important. This is where social media fits in.

Mobile devices are becoming the customer's computing device, and from that a new set of
possibilities opens up for financial institutions. These new opportunities come about as a
result of online applications.

Considering all the above factors, the internet banking implementation for the proposed bank
should include the following components: a ground survey (to assess the current setting of the
bank, its security status, staff and customer IT literacy, and the networking architecture),
vulnerability scanning, and identification of customer requirements.

It also needs identification of the components of the proposed network security solution,
verification of the proposal against industry standards, consideration of and special
attention to the possible attacks (e.g. DoS, hacking, phishing, etc.), and a proposal for
enhancement of the existing environment together with a new guide and solution for IB.

One of PayPal’s biggest innovations over the past couple of years has been its co-innovation
with the banking industry. One such example allows bank customers to use their mobile phone to
instantly send money around the world for a fraction of what it cost years ago, which offers
significant value.

The main components are the firewall (both hardware and software), SSL module, authentication
module (single sign-on), web application firewall, and IPS/IDS.

A major network change of this type will affect the daily work of the bank, access privileges,
and IT policies and practices. Therefore the proposal should inform senior management over the
time scale, module by module, and discuss those effects; the implementation should proceed in
several stages, with a training session for each module.
4. Network Security for Banking
This section discusses the requirements of the new implementation, legal and regulatory
matters, policy and procedures, and the concept behind these technologies. This creates a
baseline for a better solution and provides operational principles and an operational
environment.

4.1. Security Compliance for Banking

Banks registered under the Central Bank of Sri Lanka (CBSL) have to comply with all regulations
it publishes or establishes. The banks must follow the regulations and implement their policies
and procedures accordingly. The general requirements of the CBSL have been taken into account
when the financial institutions implement their policies and procedures.

The Baseline Security Standard for Information Security Management (BSS) focuses on every
aspect of information storage, transmission and processing through the CIA triad. Network
security is identified in Part II: Security Domain, Communication Security:

- Section 7.2 – Network Security Management

  To ensure the protection of information in network and the protection of the
  supporting infrastructure.

- Section 7.3 - Network Controls

  Capability of users connecting to the organization's local area or wide area
  network shall be restricted in accordance with the access control policy of
  organization. Groups of network service, user and information systems shall be
  separately maintained in the network to access those resources in the accordance
  with the information security policy of the organization.

10. Internet and Email Security

- Section 10.2 – Online Transactions

  Procedures shall be in place to ensure the implementation of adequate segregation of
  duties within the organization for systems and databases that shall use transaction
  authentication methods to ensure non-repudiation and shall establish accountability for internet
  banking transactions. Organizations shall maintain comprehensive audit trail and logs and shall
  employ appropriate cryptography techniques, specific protocols or other security controls to
  ensure the confidentiality of the customer internet banking data.

As seen here, the standard focuses on network security and internet security as well. These are
legal requirements, and the bank should adhere to these guidelines when implementing its
policies and procedures.

The section "Communication Security" briefly states that the controls relevant to the network
should be identified and implemented in order to protect the information processed, in transit
and stored in the infrastructure. Controls such as VPN, SSL, RA and CA are some examples. It
then requires access control to be implemented to enable secure access to the network, and
covers network segregation, information segregation and separation of environments. It further
discusses the network policy as well.

Section 10 requires adequate procedures for segregation of duties. Segregation of duties is like
a separation of duties and responsibilities policy, but it also combines the principle of least
privilege. The goal is to ensure that individuals do not have excessive system access that may
result in a conflict of interest. When duties are properly segregated, no single employee has
the ability to commit fraud or make a mistake and also the ability to cover it up. It is similar
to separation of duties in that duties are separated, and similar to the principle of least
privilege in that privileges are limited.

Authentication methods to ensure non-repudiation: non-repudiation means not being able to deny
having performed an action or activity, or being able to verify the origin of a communication or
event. Non-repudiation ensures that the subject of an activity, or whoever caused an event,
cannot deny that the event occurred. It prevents a subject from claiming not to have sent a
message, not to have performed an action, or not to have been the cause of an event. It is made
possible through identification, authentication, authorization, accountability, and auditing.
Non-repudiation can be established using digital certificates, session identifiers, transaction
logs, and numerous other transactional and access control mechanisms. A system built without
proper enforcement of non-repudiation does not provide verification that a specific entity
performed a certain action. Non-repudiation is an essential part of accountability: a suspect
cannot be held accountable if they can repudiate the claim against them.
Maintaining a comprehensive audit trail: the audit trails created by recording system events
to logs can be used to evaluate the health and performance of a system. The event logs leading up to a
crash can often be used to discover the reason a system failed. Log files provide an audit trail for
re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect
malicious actions by subjects, attempted intrusions, and system failures and to reconstruct
events, provide evidence for prosecution, and produce problem reports and analysis. Auditing is
usually a native feature of operating systems and most applications and services.

Appropriate cryptographic techniques: cryptosystems are designed to meet four fundamental goals:
confidentiality, integrity, authentication, and non-repudiation. Achieving each of these goals
requires the satisfaction of a number of design requirements, and not all cryptosystems are
intended to achieve all four goals. Confidentiality ensures that data remains private in three
different situations: when it is at rest, when it is in transit, and when it is in use.

Above are the security controls mentioned in the BSS standard related to network security and
internet banking.

4.2. Network Security Requirement

When implementing an internet banking solution, the bank has to consider the law and regulations
particular to the implementation, its information security risk management framework and its
infrastructure; the cost factor and future expansion requirements also have to be analyzed. The
bank has to focus mainly on the security of the system, the application and the infrastructure.
Therefore a security framework that includes network security is important.

4.3. Current security posture of the bank's infrastructure

4.3.3. Staff Contribution from the Bank
Interviews were conducted with both IT staff and non-IT staff. Here we discuss their opinions.

According to the IT staff, all have good knowledge of IT technology and the relevant competency
is maintained. They are aware of information security, data protection and liabilities.

The rest are non-IT staff who carry out the regular banking activities as business as usual
(BAU). The ratio of IT to non-IT staff is 1:3 and the total staff is 60. Given this ratio, the
initial requirement can be catered for with the existing staff.

Management Contribution: In a project like this, management contribution is critical, and
management has to support the plan and its growth. A formal meeting was held with the bank's
management to gather information on their expectations. This covered future expansion goals,
current investment capacity, IT awareness and restructuring costs, the time factor (road map)
of the implementation, and access to the bank's central IT infrastructure. It also detailed how
each stage of the solution will be implemented, system shutdown requirements, and permission to
cooperate with mobile interface developers.
