How to guarantee the security of online banking

Source: Internet
Author: User

"If the bank doesn't change, we change the bank." In 2012, this remark, made a few years earlier by Alibaba Group Chairman Ma Yun, suddenly circulated widely on the Internet. Alibaba then launched "Balance Treasure", "Ali small loans" and other businesses, giving China's banking industry a moderate earthquake. Tencent, Baidu, Sina and other internet giants followed with financial businesses of their own, and China's banking industry felt unprecedented impact and pressure.

Many banks have begun to take action: Construction Bank launched the "good business" platform, China Merchants Bank launched "micro-trust Bank", and Everbright Bank launched the "Rong e loans" online real-time loan service. Chinese banks really do seem to have started to "change". All of these changes revolve around the two themes of "internet" and "finance", indicating that Internet technology has gradually penetrated banks' main business and had a series of profound effects. As the main channel and entry point for banks' internet business, online banking has been raised to an unprecedented strategic level.

On the other hand, threats on the Internet are also developing rapidly. A huge underground industry chain, hackers skilled in penetration techniques, sophisticated viruses and trojans, and ubiquitous phishing sites and fraud all challenge the security of online banking. At the beginning of the year, Snowden's "PRISM" affair sounded the alarm on information security for still more people.

In this complex network environment, how well built is the online banking security of each major bank? How well do they comply with regulatory policy? In front of senior security professionals, are these defenses like the legendary "Zeus Shield", or do they break at a touch? Both online banking users and online banking managers are eager to know the answers.

At the beginning of 2013, NSFocus security experts surveyed, analyzed and studied the personal online banking logins of 50 major banks, selected according to the "China's 50 largest banks" report released by Standard & Poor's at the end of 2012, and recently released the "Personal Online Banking Security Research Report". Taking the perspectives of individual users, penetration experts, regulators and security architecture experts, the report gives a fairly comprehensive comparison, analysis and evaluation of online banking login security at these 50 banks in China.

Individual users: Security measures are increasingly diverse and detail-rich

Secure sessions, identity authentication, input protection, authentication codes, failure handling, browser function masking, reserved information, login reminders and restriction policies: from the user's point of view, the list of online banking protection strategies seems endless and dazzling. It would seem that the more strategies a banking institution has, the safer it is.

However, after studying the online banking login security strategies of China's 50 banks, we arrived at some new observations. For example, the verification code is a negative experience in the login process, the security benefit of reserved information is not obvious, and the strategies related to login restriction are not very good. These observations can serve as a reference when banks adjust their online banking security policies.

1. Attack and defense: Solving the five major threats is the key to secure online bank login

From the perspective of penetration experts, phishing, malicious code attacks, brute-force password cracking, malicious abuse of the login function and user identity counterfeiting are still the five major threats to online banking login. The measures banks have taken against these threats have had an obvious effect, but malicious abuse of the login function and user identity counterfeiting remain a headache and have not been effectively solved.

2. Regulators: Compliance is not the end but the starting point; do not lose at the starting line

In 2012, the People's Bank of China issued a red-header official document reminding banks to improve information security, and the "Online Banking Information Security standards" were revised and issued again. The CBRC has also taken a series of actions, and the regulators' good intentions are plain to see. From the perspective of security protection, compliance is the most basic driving force, and meeting regulatory requirements is the foundation of information security construction. However, the investigation of the 50 big banks found that the state of information security construction at banking institutions gives no cause for optimism in three areas, namely network communication, security controls and the soft keyboard, where there is still considerable room for improvement. Compliance is not an end in itself but a starting point, and it seems that banking institutions are not fully prepared for the start of the Internet financial business.

3. Limitations: Technology also has its shortcomings, and banks bear the gains and losses themselves

Finally, the NSFocus security advisor pointed out that every security technology has shortcomings and limitations. How to combine different security technologies so that they compensate for one another and achieve the best defensive effect is the central problem of online banking security protection. After all, banking institutions are responsible for the results of online banking security, not the process.

The report examines the security of online banking login from four different perspectives, hoping to offer banking institutions some ideas or inspiration for building more complete defenses and further improving login security, and to offer some suggestions where the direction of online banking security construction is not yet clear enough. As Bai Rei, a senior security advisor at NSFocus (Green Alliance Technology), said:

"The practice of information security tells us one fact: there is no 100% security, and the security of online banking is the same. So it is recommended that online banks improve their ability to withstand attacks, maximizing the cost of attacks and the difficulty of carrying them out. The online banking client should integrate multi-level, coordinated and consistent security measures such as protection, management, control and audit."

The road to online banking security is a long one. NSFocus will work with colleagues in the banking industry to keep exploring ways to improve online banking security and jointly protect the funds of online banking users.
