Cryptography and Security in Banking

Joshua Reynolds
8 min read · Nov 8, 2019


The prototype of the bank has existed since as early as 2000 BC, when loans were given out to farmers and to traders traveling between cities. Banks have come a long way since then; a bank is the treasury where people entrust their most prized possessions. In recent times, 62 percent of customers reported banks as the most trusted firm to ensure the security of their personal information, in comparison to other firms such as Google, Amazon, PayPal, and Apple.

So let's dive into how cryptography and security are maintained in banking.

Introduction to Cryptography

Electronic banking, which provides various banking services over the internet, has drastically changed the way business is conducted in banks. Security and privacy are the main features expected in online banking. Online transactions need the utmost security to avoid fraudulent transactions of any kind. Encryption of information is the source of security and privacy in online banking. The security is provided in the form of passwords, PIN codes, biometrics, digital signatures, steganography, etc.

Cryptography revolves around encryption and decryption. Encryption is the process in which plain-text data is converted into unreadable text called the ciphertext, and decryption is the process of transforming data that has been rendered unreadable (the ciphertext) back to its normal form.

Cryptographic methods in banking equipment

In the 1970s, a cipher called the Lucifer algorithm, devised by Horst Feistel, was evaluated; after some changes to the internal functions and a reduction of the key size from 112 bits to 56 bits, the complete algorithm that became the Data Encryption Standard (DES) was published in the Federal Register in 1975.

Then a new algorithm came into the picture. There were two major candidates for replacing DES: Triple DES (sometimes called TDES or 3DES) and the Advanced Encryption Standard. 3DES applies the original DES algorithm three times to the data, using either two or three 56-bit DES keys. In 2002, the Advanced Encryption Standard (AES) came about. In cryptography, AES is also known as the Rijndael algorithm. Rijndael is an iterated block cipher that supports variable block and key lengths, specified as 128, 192 or 256 bits. Murphy and Robshaw introduced an alternative representation of AES by embedding it in a cipher called BES, which uses algebraic operations.

Electronic Banking

ATM

The introduction of the ATM, also known as the Automatic Teller Machine, proved to be an important technological development that enabled financial institutions to provide services to their customers in a 24x7 environment.

Various encryption algorithms are built into the communication network to prevent unauthorized transactions. Presently the PIN entered on an ATM must be converted to an encrypted form before it is sent over the network. Every ATM has an encrypting PIN pad which encrypts the PIN at the ATM. Earlier the keys were loaded on the ATM manually; now these keys can come from the switch (the system to which ATMs are connected).
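To make the "encrypt the PIN before it leaves the ATM" step concrete, here is an added example (not code from the original post or from any ATM vendor) of what an encrypting PIN pad does. It assumes the ISO 9564 format 0 PIN block layout and a 2-key 3DES PIN encryption key, which is the "two 56-bit DES keys" variant of Triple DES mentioned earlier; the key, PIN and PAN in `main` are constructed demo values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField is the right half of an ISO 9564 format 0 block: "0000" followed by the
// 12 rightmost PAN digits excluding the check digit, decoded to 8 bytes.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 decimal digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// PINBlockFormat0 builds the clear ISO 9564 format 0 PIN block:
//   PIN field = "0" + PIN length (one hex digit) + PIN digits + "F" padding to 16 hex digits
//   block     = PIN field XOR PAN field
// Mixing in the PAN means the same PIN on two different cards gives two different blocks.
func PINBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField, err := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	if err != nil {
		return nil, err
	}
	pnf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = pinField[i] ^ pnf[i]
	}
	return block, nil
}

// RecoverPIN is the issuer-side inverse after decryption: XOR the PAN field back in,
// check the format nibble and length, and read the PIN digits.
func RecoverPIN(block []byte, pan string) (string, error) {
	pnf, err := panField(pan)
	if err != nil {
		return "", err
	}
	if len(block) != des.BlockSize {
		return "", errors.New("PIN block must be 8 bytes")
	}
	pinField := make([]byte, des.BlockSize)
	for i := range pinField {
		pinField[i] = block[i] ^ pnf[i]
	}
	n := int(pinField[0] & 0x0F)
	if pinField[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	return hex.EncodeToString(pinField)[2 : 2+n], nil
}

// pinBlock3DES runs one 3DES block operation under a 2-key PIN encryption key K1||K2.
func pinBlock3DES(pek, in []byte, decrypt bool) ([]byte, error) {
	if len(pek) != 16 {
		return nil, errors.New("PIN encryption key must be 16 bytes (2-key 3DES)")
	}
	// Expand K1||K2 to K1||K2||K1, the form Go's TripleDES cipher expects.
	c, err := des.NewTripleDESCipher(append(append([]byte{}, pek...), pek[:8]...))
	if err != nil {
		return nil, err
	}
	if len(in) != c.BlockSize() {
		return nil, errors.New("PIN block must be exactly one DES block")
	}
	out := make([]byte, c.BlockSize())
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// EncryptPINBlock is what the encrypting PIN pad does before anything leaves the ATM;
// DecryptPINBlock is the host-side inverse (in practice performed inside an HSM).
func EncryptPINBlock(pek, block []byte) ([]byte, error) { return pinBlock3DES(pek, block, false) }
func DecryptPINBlock(pek, enc []byte) ([]byte, error)   { return pinBlock3DES(pek, enc, true) }

func main() {
	pek, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed demo key
	block, _ := PINBlockFormat0("1234", "4321987654321098")          // constructed PIN and PAN
	enc, _ := EncryptPINBlock(pek, block)
	fmt.Printf("clear PIN block %X -> encrypted PIN block %X\n", block, enc)
}
```

The clear PIN block never exists outside the PIN pad's secure boundary; only the encrypted block travels to the switch, where it is translated to the next key in the chain. The PIN encryption key in this example is what the "keys loaded manually, now from the switch" sentence refers to.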

An embedded crypto-biometric authentication scheme for ATM banking systems has been proposed. The customer's fingerprint is required during a transaction. The fingerprint image is encrypted via a 3D chaotic map as soon as it is captured and then transmitted to the central server using a symmetric-key algorithm. The encryption keys are extracted from the random pixel distribution in a raw image of the fingerprint, from some stable global features of the fingerprint, and from a pseudo-random number generator. Different rounds of iterations use different keys. Decryption takes place at the banking terminal using the same key. Earlier, transactions in ATMs were encrypted with DES, but the transaction processors later required the use of the more secure Triple DES. There were still many fraudulent withdrawals from ATMs, which banks often claim are the result of fraud by smart intruders. Support for the new encryption standard AES, with Cipher Block Chaining (CBC) mode, was added to IP Security (IPsec). The development of AES led to a new transform for IPsec and Internet Key Exchange (IKE) that took over from the Data Encryption Standard (DES). AES is more secure than DES: it offers a larger key size while ensuring that the only known approach for a fraudster to decrypt a message is to try all possible keys. AES has a variable key length: the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key. Some of the most advanced encryption technologies are used to protect Automated Teller Machines.
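The AES-with-CBC construction named above, as an added example that is not part of the original post: AES-CBC encryption and decryption using Go's standard library, with the 128/192/256-bit key selection made explicit and PKCS#7 padding to fill the 128-bit block. The key and message in `main` are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// AESKeyBits reports which AES variant a key selects (128, 192 or 256 bits);
// any other key length is rejected rather than silently truncated or padded.
func AESKeyBits(key []byte) (int, error) {
	switch len(key) {
	case 16, 24, 32:
		return len(key) * 8, nil
	default:
		return 0, fmt.Errorf("AES key must be 16, 24 or 32 bytes, got %d", len(key))
	}
}

// pkcs7Pad extends msg to a whole number of 16-byte AES blocks (1..16 bytes are added).
func pkcs7Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects anything malformed.
func pkcs7Unpad(msg []byte) ([]byte, error) {
	if len(msg) == 0 || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("padded data is not block aligned")
	}
	n := int(msg[len(msg)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, b := range msg[len(msg)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return msg[:len(msg)-n], nil
}

// EncryptCBC encrypts plaintext with AES-CBC under key and returns iv || ciphertext.
// A fresh random IV per message keeps equal plaintexts from producing equal ciphertexts.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	if _, err := AESKeyBits(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCBC reverses EncryptCBC. CBC alone gives confidentiality, not integrity:
// a modified ciphertext still decrypts to something, so real deployments add a MAC
// (which is exactly what IPsec does) or use an authenticated mode such as AES-GCM.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	key := make([]byte, 32) // constructed: a random AES-256 key for this run only
	io.ReadFull(rand.Reader, key)
	ct, _ := EncryptCBC(key, []byte("transfer 100.00 to account 12345678")) // constructed message
	pt, _ := DecryptCBC(key, ct)
	bits, _ := AESKeyBits(key)
	fmt.Printf("AES-%d CBC: %d-byte ciphertext, recovered %q\n", bits, len(ct), pt)
}
```

Note that the block size stays 128 bits whichever key length is chosen; only the number of rounds changes with the key, which is why the same padding and IV handling serves all three variants.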

Cards

The electronic card allows a cardholder to make a payment or a purchase by electronic funds transfer. The common types are credit cards and debit cards. Electronic cards are usually embossed plastic cards which comply with the ISO/IEC 7810 ID-1 standard, and they usually carry an embossed card number which complies with the ISO/IEC 7812 numbering standard. Magnetic stripes were introduced on debit cards in the 1970s when ATMs came in. The magnetic stripe stores card data that can be read by physical contact, by swiping the card through a reader, which makes it easy to get at the data encoded on the stripe. Magnetic-stripe credit cards are also much easier to counterfeit than chip-and-PIN cards. As magnetic-stripe cards don't require any PIN, they offer no protection against any kind of fraud. The reason chip-and-PIN cards are more secure than magnetic-stripe cards is that they require a four-digit PIN for authorization. It is the easiest way to know that the cardholder is the real owner of the card. All data and communications are protected by cryptography, making chip-and-PIN cards more difficult to hack. The EMV smart chip is the small chip embedded in the card; EMV stands for Europay, MasterCard and Visa, the three companies that created this microchip authentication system for credit, debit and ATM cards.
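The ISO/IEC 7812 card number mentioned above ends in a check digit computed with the Luhn formula. As an added example (not from the original post), here is that validation and check-digit computation; the numbers used in `main` and the tests are the usual published test values, not real cards.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// luhnSum applies the ISO/IEC 7812 (Luhn) weighting right to left: every second digit is
// doubled and, if the result exceeds 9, reduced by 9. doubleFirst says whether the rightmost
// digit is doubled: false when validating a full number (its check digit is never doubled),
// true when computing the check digit for a partial number. ok is false on any non-digit.
func luhnSum(digits string, doubleFirst bool) (sum int, ok bool) {
	double := doubleFirst
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return 0, false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum, true
}

// LuhnValid reports whether a full card number (spaces allowed) carries a correct check digit.
func LuhnValid(number string) bool {
	digits := strings.ReplaceAll(number, " ", "")
	if len(digits) < 2 {
		return false
	}
	sum, ok := luhnSum(digits, false)
	return ok && sum%10 == 0
}

// LuhnCheckDigit computes the digit that, appended to partial, makes LuhnValid succeed.
func LuhnCheckDigit(partial string) (string, error) {
	if partial == "" {
		return "", errors.New("partial number is empty")
	}
	sum, ok := luhnSum(partial, true)
	if !ok {
		return "", errors.New("partial number must be decimal digits")
	}
	return strconv.Itoa((10 - sum%10) % 10), nil
}

func main() {
	for _, n := range []string{"4111 1111 1111 1111", "4111 1111 1111 1112"} { // published test values
		fmt.Printf("%s valid=%v\n", n, LuhnValid(n))
	}
	d, _ := LuhnCheckDigit("7992739871")
	fmt.Println("check digit for 7992739871:", d)
}
```

The check digit catches mistyped or mis-read numbers; it is not a security control, since anyone can compute it, which is one reason the cryptographic protection on the chip matters more than anything printed on the card.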

A smart card is a card with embedded integrated circuits (ICCs) which can process data, receiving input through an ICC application and delivering output. There are two broad categories of ICCs. A memory card contains only non-volatile memory storage components, and perhaps some specific security logic. A microprocessor card contains volatile memory and microprocessor components. The card generally carries a hologram to deter counterfeiting. Later on, authentication systems for ATM smart cards were developed that combine biometrics with other technologies such as fuzzy extractors, the Global System for Mobile Communications (GSM) and Radio Frequency Identification (RFID).

Mobile Banking

Authenticating users (over the phone or a website) is the most important factor for any business. Enter the one-time password (OTP), which is used to prove one's identity over the wireless channel. A one-time password is a password that is valid for only one login session or transaction. The OTP is sent to the user's registered mobile number as an SMS. The user receives the OTP via text message and can use it for money transfers, payment operations and Internet banking login. Neither the user nor anyone else can use one of these five-digit one-time passwords generated by OTP SMS a second time. But an OTP SMS sent in plain text, as is normal, is vulnerable to various attacks along the communication channel. In the scheme described here, the user needs to know a PIN to read the OTP, and can proceed with the business transaction only after this authentication. This process provides end-to-end encryption of the OTP SMS. The encrypted OTP can be decrypted only if the 4-digit PIN entered by the user on his mobile is correct. Since the PIN is known only to the user, it provides two levels of authentication. Only if both the PIN and the OTP are correct is the user allowed to proceed with the m-banking transaction he initiated. The generated OTP value is encrypted using the AES algorithm and sent to the user. AES is an iterative, symmetric-key block cipher that offers three key strengths: 128, 192 and 256 bits. AES uses 128-bit blocks for encryption and decryption. The AES encryption routine converts the input plain text to ciphertext in a number of required rounds based on the encryption key. The AES decryption method uses the same process in reverse to transform the ciphertext back to the original plain text using the same encryption key. It is very difficult to break even using a brute-force attack. The encrypted OTP is sent to the mobile through Bluetooth technology or a modem.
The drawback of this method is that it imposes a large system load for encryption and decryption. It is better to use the OTP as one layer of security than to rely on the OTP alone; one way to implement layered security is to use an OTP together with a password that is known exclusively to the user (and never transmitted to the user, as OTPs often are).
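The post describes how the OTP is delivered but not how the bank generates and checks it, so here is an added example (not code from the original post) of the server side. It assumes the HMAC-based OTP of RFC 4226 (a counter-based successor to the S/KEY idea) rather than the post's unnamed generator, and shows what "valid for only one login session" means in practice: the counter moves past a used code, a skipped code is dead too, the comparison is constant-time, and repeated failures lock the account so a short code cannot simply be guessed. The secret is the RFC 4226 test secret, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// maxFailures is the throttle RFC 4226 asks for: a 6-digit code has only a million
// values, so the server must stop answering long before an attacker can try them all.
const maxFailures = 5

// HOTP computes an RFC 4226 one-time password: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamic truncation to 31 bits, then reduction to digits decimal digits (<= 9).
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0F
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7FFFFFFF
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// OTPVerifier is the bank-side state for one user: the shared secret, the lowest counter
// value not yet consumed, and a failure count used for lockout.
type OTPVerifier struct {
	secret   []byte
	next     uint64 // lowest counter value the server will still accept
	window   uint64 // how many codes the user may have generated but never submitted
	digits   int
	Failures int // consecutive wrong submissions
}

func NewOTPVerifier(secret []byte, digits int, window uint64) *OTPVerifier {
	return &OTPVerifier{secret: secret, digits: digits, window: window}
}

// Verify accepts a submitted code at most once. A match at counter next+i moves next past
// it, so that code and every skipped one below it are dead from then on. The comparison is
// constant-time so response timing leaks nothing about how many digits were right.
func (v *OTPVerifier) Verify(code string) bool {
	if v.Failures >= maxFailures {
		return false // locked: an operator has to reset the account
	}
	for i := uint64(0); i <= v.window; i++ {
		expected := HOTP(v.secret, v.next+i, v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.next += i + 1
			v.Failures = 0
			return true
		}
	}
	v.Failures++
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 4226 test secret, not a real one
	v := NewOTPVerifier(secret, 6, 1)
	code := HOTP(secret, 0, 6)
	fmt.Println("code", code, "first use:", v.Verify(code), "replay:", v.Verify(code))
}
```

Encrypting the SMS, as the post describes, protects the code in transit; the counter, window and lockout above are what protect it at the point of use, and the password the post recommends as a second layer would be checked separately before `Verify` is ever called.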
