Research on the vulnerability of online bank security

Before we have even had time to marvel at how fast and convenient internet banking is, viruses and hackers have given many users a scare. Does enjoying a convenient life have to be paid for with one's own safety?

  "User Story" Don't talk to strangers

  Case Playback

On February 28, 2005, netizen Yao clicked through from a website called "Good Trading Network" into what appeared to be the ICBC online payment system and entered his card number and password, but could not log in. Fortunately, Yao noticed that the site closely resembled a fake ICBC site that the media had exposed the previous year, so he hurried to the nearest ICBC branch and withdrew most of his money, leaving only 71 yuan. A few hours later, when Yao checked the balance again, only 1 yuan remained; the other 70 yuan had already disappeared.

  Find vulnerabilities

Clearly, the bogus website that lured Yao into entering his account details was the culprit. Investigation showed that its address, www.lcbc.com.cn/index.jsp, differed from ICBC's official address, www.icbc.com.cn, by a single character, an "l" in place of the "i", which look almost identical on screen; no wonder the otherwise shrewd Yao misread it. According to Xiaofeng, general manager of the China Financial Certification Center of UnionPay: "The technology used by criminals who cheat through fake websites is actually very crude compared with those who steal passwords with virus programs. They exploit ordinary users' insufficient awareness of online banking security and their incomplete understanding of how it should be used, and lure them with promotions, prize draws and similar deceptions."

There are many similar scams. On June 27, 2005, the Shanghai office of the CBRC found a telephone number in Shanghai whose automated voice prompts claimed to offer telephone banking for Postal Savings, Bank of China, ICBC, Agricultural Bank, Construction Bank, Bank of Communications and other financial institutions, including bank card inquiries and password changes. When a customer dialled 021-51082075, the automated system listed each commercial bank's telephone banking number; once the customer chose one, it prompted for the bank card number and then the account password, each followed by the "#" key, and then read out the account balance. Investigation showed that the number was a counterfeit telephone bank set up specifically to harvest customers' account numbers and passwords for fraud.

Then there is the "lucky" Mr. Zhang, who works at an advertising company. He received a mobile phone message reading: "Bank of China has now opened online banking services; you can check balances and make transfers online. Welcome to log in at www.956666.com." Because "956666" closely resembles Bank of China's customer service number, Mr. Zhang did not doubt the authenticity of the message and planned to visit the site in a few days to open the service. Unexpectedly, the next day the television news reported that "the fake website at www.956666.com has been seized by the public security departments." Mr. Zhang broke out in a cold sweat: all of his sizeable deposits were at Bank of China, and if he had logged on to the false site at that time, the consequences would have been

This shows that "lookalikes" are the usual means of those who commit this kind of crime, and what they exploit is the user's carelessness. Everyone says a bank is safer than a safe, let alone online electronic money, but who would have thought that some people really would set their sights on the "internet safe"?

  Expert analysis

If you have not experienced any of these things yourself, that is no reason to be thankful; it is a reason to be cautious and vigilant. According to the National Computer Network Emergency Technology Processing Coordination Center: "In 2004 the Center received 223 phishing reports; the targets were mainly financial websites and e-commerce sites. This is a staggering figure compared with 2002 and 2003, which saw only one case per year."

As noted above, these fake websites and fake telephone banks involve no technical sophistication, so why do such tricks deceive so many users? "Mainly because users' desire for small gains makes them lose their proper security awareness," said Wang Jianheng, general manager of the computer department of China Merchants Bank's Beijing branch. "A bank will never entrust a third party, in the name of a promotion, to obtain personal account information from its customers, and it is absolutely impossible that an account inquiry or promotion would ask customers to enter their bank card number and password. Therefore, as long as users remember the bank's official website address and customer service number and are not confused by any unfamiliar promotion, this phenomenon can be avoided entirely."

Some bank official websites and customer service telephone numbers
ICBC: www.icbc.com.cn, 95588
China Construction Bank: www.ccb.cn, 95533
Everbright Bank: www.cebbank.com, 95595
Minsheng Bank: www.cmbc.com.cn, 95568
Bank of Communications: www.bankcomm.com, 95559
Fujian Xingye Bank: www.cib.com.cn, 95561
Guangdong Development Bank: ebank.gdb.com.cn, 5677188
Bank of China: www.bank-of-china.com, 95566
Agricultural Bank of China (ABC): www.95599.cn, 95599
Huaxia Bank: www.hxbank.com.cn, 95577
China Merchants Bank: www.cmbchina.com, 95555
Pudong Development Bank: www.spdb.com.cn, 95528
Bank of Beijing: www.bankofbeijing.com.cn, 96169
CITIC Industrial Bank: sh.citicib.com.cn, 95558
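As an added illustration (my own code, not part of the original article), the following script checks a URL against the bank sites and hotlines listed above and flags the two patterns from the cases: the "l"-for-"i" substitution in www.lcbc.com.cn and the hotline-like digits in www.956666.com. The bank list is copied from the table; the character-folding rules and the edit-distance thresholds are my own assumptions.

```python
"""Flag bank lookalike hostnames against a list of legitimate sites and hotlines."""
from urllib.parse import urlsplit

# Legitimate sites and customer-service numbers, copied from the article's table.
BANKS = {
    "ICBC": ("www.icbc.com.cn", "95588"),
    "China Construction Bank": ("www.ccb.cn", "95533"),
    "Everbright Bank": ("www.cebbank.com", "95595"),
    "Minsheng Bank": ("www.cmbc.com.cn", "95568"),
    "Bank of Communications": ("www.bankcomm.com", "95559"),
    "Fujian Xingye Bank": ("www.cib.com.cn", "95561"),
    "Guangdong Development Bank": ("ebank.gdb.com.cn", "5677188"),
    "Bank of China": ("www.bank-of-china.com", "95566"),
    "Agricultural Bank of China": ("www.95599.cn", "95599"),
    "Huaxia Bank": ("www.hxbank.com.cn", "95577"),
    "China Merchants Bank": ("www.cmbchina.com", "95555"),
    "Pudong Development Bank": ("www.spdb.com.cn", "95528"),
    "Bank of Beijing": ("www.bankofbeijing.com.cn", "96169"),
    "CITIC Industrial Bank": ("sh.citicib.com.cn", "95558"),
}

# Assumed folding table: characters that look alike in many fonts map to one form.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def strip_www(host: str) -> str:
    """Lower-case the host and drop a leading 'www.' so both spellings compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def fold(host: str) -> str:
    """strip_www plus homoglyph folding, so 'icbc' and 'lcbc' become the same string."""
    return strip_www(host).translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), used for near-miss checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, bank name). Verdicts: legitimate, homoglyph lookalike,
    typosquat, hotline lookalike, unknown. The thresholds (1 edit for hostnames,
    2 edits for digit-only labels versus hotlines) are assumptions for this example."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    plain = strip_www(host)
    for name, (site, _) in BANKS.items():
        if plain == strip_www(site):
            return ("legitimate", name)
    for name, (site, _) in BANKS.items():
        if fold(host) == fold(site):
            return ("homoglyph lookalike", name)
    for name, (site, _) in BANKS.items():
        if levenshtein(fold(host), fold(site)) == 1:
            return ("typosquat", name)
    label = plain.split(".")[0]
    if label.isdigit():
        # A digit-only label that is within two edits of a real hotline (956666 vs 95566).
        name, dist = min(((n, levenshtein(label, hot)) for n, (_, hot) in BANKS.items()),
                         key=lambda pair: pair[1])
        if dist <= 2:
            return ("hotline lookalike", name)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("http://www.lcbc.com.cn/index.jsp", "www.956666.com", "http://www.icbc.com.cn/"):
        print(sample, "->", classify(sample))
```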

  Countermeasures

There is a good song, "Lend me a pair of eyes." Here we have no clever tricks to offer, only the hope that every user can "stay vigilant in the face of temptation."

A financial lawyer told reporters that to prevent such losses, users should develop good habits for online transactions: enter the correct URL according to the information provided by the bank, or memorise the website address they need to log on to. He advised against using a search engine to find the site, because the results are a mixed bag that also lists fake sites, and a moment's inattention leads straight into a trap prepared by a false site.

Users should also be wary of web pages that ask for a card number and password, because banks generally do not ask for several items of data on the same page. The lawyer also pointed out that, for network payments and related transactions, the State does need to introduce mandatory provisions that increase banks' responsibilities and obligations and better protect the interests of users, who are the weaker party. He predicted that after such incidents, banks and public security organs would take appropriate measures to ensure the security of users' online transactions.

But whatever happens, please believe that pie never falls from the sky; only by guarding against trouble in advance can one avoid being taken in.

  "Bank Story" Giving hackers a hard nut to crack

  Case Playback

In early July this year, Ms. Huang of Nanning, who had opened online banking at the Taoyuan branch of China Construction Bank in Nanning, suddenly found that 4,500 yuan had disappeared from her account. From the bank's transaction list she found that the missing 4,500 yuan had been spent on top-ups for 144 unfamiliar mobile phone numbers, all of which, judging by the network IP addresses, had been made from an internet café in Wuhan. At that point Ms. Huang realised that her money had probably been stolen by internet hackers.

  Find vulnerabilities

The biggest difference between this case and the previous one is that the problem lies with the bank itself. The bank is unquestionably responsible when loopholes in its own system allow a hacking attack to succeed, leaking the user's information and causing serious financial loss. But however clear this distinction is, a bigger question mark will inevitably form in users' minds: how can a banking system that has always been advertised as impregnable be so fragile?

These worries are not superfluous. According to statistics from professional departments, 95% of China's internet-connected network management centres have been attacked or intruded upon; last year 67.4% of domestic internet users were hacked, and the financial system accounted for 89% of those cases. In the first half of this year alone there were more than 70,000 national network and information security incidents, of which more than 13,000 involved the financial system. It is estimated that by 2007 the resulting losses will reach $6.7 billion. In the light of these figures, the impregnable image that banks once had in users' eyes is inevitably badly dented.

This hacking incident should therefore also sound an alarm for the banks' system maintenance. ICBC's electronic banking chief said that banks should set up a dynamic, adaptive financial supervision and early-warning system that integrates protection, monitoring and response, so as to effectively monitor their own security vulnerabilities and attacks from both inside and outside. At the same time, the bank should evaluate the various causes that could make the system break down or fail, in order to develop a corresponding disaster recovery plan in advance.

Lushu, a professor and cryptography expert at the State Key Laboratory of Information Security at the Graduate School of the Chinese Academy of Sciences, told reporters: "Cryptographic technology, as the core of information security technology, should be fully adopted and applied by banks to prevent hacker attacks. Banks need to take the necessary technical measures and set up a strict 'system prevention, technical prevention' security management and control mechanism, using cryptography to ensure the integrity and security of data during processing, storage and transmission, to prevent the illegal use, modification and duplication of data, to eliminate internal crime and to prevent external intrusion."

  Expert analysis

In fact, leaving aside the security awareness of individual users, Chen Jing of the People's Bank of China said that online banking systems face threats of three kinds: the bank's trading system being illegally intruded upon, information transmitted over the network being stolen or tampered with, and the identity of either party to a transaction, or the account itself, being stolen.

"The risk that banks bear in carrying out online banking is much higher than that of bank customers," Chen Jing said. "Therefore the domestic banks that have opened online banking, such as China Merchants Bank, Construction Bank and Bank of China, have all set up strict security systems, including security policies, security management systems and procedures, security technology measures, business security, internal security monitoring and security audits, to ensure the safe operation of online banking."

At the same time, to prevent the transaction server from being attacked, banks have taken many effective measures to ensure the safe and effective operation of the system:

  1. Set up firewalls and isolate related networks

This usually takes the form of a multiple-firewall scheme, which separates the Internet from the transaction server and prevents illegal intrusion by Internet users. At the same time, separating the transaction server from the bank's intranet effectively protects the intranet and prevents the internal network from being used to intrude on the transaction server.

  2. High-security web application server

The server uses a trusted, dedicated operating system whose unique architecture and security checks ensure that only legitimate users' transaction requests can be forwarded, through a specific proxy, to the application server for subsequent processing.

  3. 24-hour real-time security monitoring

For example, many banks currently use ISS network dynamic monitoring products, which can perform system vulnerability scanning and real-time intrusion detection. According to Zhou Yonglin, deputy director of electronic banking at the Industrial and Commercial Bank of China, when Yahoo and other big sites were hacked in February 2000, the sites using ISS security products were spared.

Because the Internet is an open network, sensitive information that customers transmit online (passwords, trading instructions and so on) may be intercepted, deciphered or tampered with in transit. To prevent this, online banking systems generally encrypt the transmission of transaction information, most widely with the SSL protocol. The key length used by SSL is directly related to its encryption strength and is generally 40 to 128 bits; at present ICBC, CMB and CCB have all adopted high-strength encryption with an effective key length of 128 bits.

  Countermeasures

The stability and security of the online banking trading system are the basis and guarantee of smooth transactions; a bank that only patches problems after they occur will be abandoned by its users. Faced with constantly emerging forms of attack and a ubiquitous security crisis, only by actively and continually upgrading their own systems can banks nip problems in the bud. Wang Jianheng, who has long been engaged in technical management at China Merchants Bank's Beijing branch, has much experience here. He believes that banks should not only use confidentiality agreements between client terminals and bank servers to secure data transmission, but also operate reasonable flow control. In addition, personal online banking must use two-layer password protection: when the customer enters the card number and password, a dynamic additional password must also be entered, so that the bank can carry out risk control on each transaction.

It is worth mentioning that CMB, CCB and others have launched USB key personal digital certificates. The device looks similar to a flash drive, small and portable, and its core is a chip that performs cryptographic operations: the security identification and encryption are completed inside the USB device, and the encrypted result is then returned to the PC. In this way customers can carry their digital certificate with them and use the Professional Edition of personal online banking anytime, anywhere, both safely and conveniently. However, the USB key costs users an average of two or three hundred dollars, which makes it difficult to promote; how to reduce its cost and serve users better should be a priority problem for banks to solve.

In addition, in an online banking system, user identity authentication relies on several guarantees together: the encryption mechanism of the RSA public key cryptosystem, the digital signature mechanism and the user's login password. The bank verifies the user's digital signature and login password before confirming the user's identity. The user's unique identity is therefore the "digital certificate" issued by the bank.

Because of the uniqueness and importance of digital certificates, banks conducting online business have set up CA certification bodies responsible for issuing and managing digital certificates and carrying out online identity checks. In June 2000, the China Financial Certification Center (CFCA), jointly built by 12 commercial banks under the leadership of the People's Bank of China, officially went into operation. As an authoritative, trustworthy and impartial third-party trust organisation, the China Financial Certification Center provides the basis of identity authentication for future cross-bank transactions.

  "Industry Story" So that everyone has an umbrella

  Case Playback

According to CCTV, on December 10, 2004, Mr. Hu, who lost 25,000 yuan after logging on to a fake Bank of China website, formally asked Bank of China to compensate him for the loss but was rebuffed. Bank of China said this was not the first time it had encountered such a situation, that banks had never set a precedent for compensation, and that it had no reason to pay this time either. Mr. Hu insists that "the bank should bear the loss."

  Find vulnerabilities

The most complicated aspect of this case is the division of powers and responsibilities. First, 25,000 yuan is no small sum, and everyone will sympathise with Mr. Hu's loss; but when it comes to responsibility, people's views and understanding differ.

Mr. Hu says: "I deposited my money with you as a bank, and you should keep my money safe in good faith." He also said that according to bank regulations, a loss caused by the user losing the card and password is borne by the user, but the key point now is that his card was never lost. So how does a bank view its customers' rights and responsibilities in such a situation?

A staff member surnamed Liu at the Bank of China Xidan Mansion sales department said: "The general principle for dividing responsibility is to distinguish whether the fault is one's own or someone else's." In this incident the user was the one keeping the password and bank card, and it was for his own reasons that he went to the false website, so that the card and password were stolen and the loss was caused; in such cases, therefore, the responsibility should be borne by the customer.

In view of this, the standard by which the bank judges liability for a loss is to analyse whether it was caused by problems in the bank's internal system, or by the user's own carelessness in safekeeping or by password theft.

When the reporter consulted the heads of the electronic banking departments of CCB and Pudong Development Bank, they also held that the appearance of false websites is not something banks can prevent, so the loss of card numbers and passwords is not the bank's fault. Meanwhile, ICBC and CMB said that when counterfeit sites impersonating them were found, the head office actively cooperated with the public security organs to close the false sites in time and posted warning bulletins or security prompts for depositors. This means the bank was at no fault either before or after the event and fulfilled its duty of care, so asking the bank to bear liability for damages is groundless.

  Expert analysis

Although each side has its reasons, these are only the parties' own words and will inevitably be biased. The user attributes the loss caused by the false website to the bank, but the bank says it bears no responsibility; so who, in the end, should bear the user's loss? Let us hear the legal experts' conclusions.

According to Tang Xin, an associate professor at Tsinghua University Law School, at the legal level the party at fault is responsible for his actions, so in this case the primary object of the claim is the fraudster: it was the fraud that caused the user's account and password to be stolen and directly caused the user's property loss. There is no doubt about this.

An expert from the China University of Political Science and Law also believes that, judging by the current evidence, the bank should not be liable for compensation. But he also said this is only a temporary phenomenon, caused by legal adjustment lagging behind reality. He believes future legislation could elevate some of the banks' currently optional practices to mandatory provisions: for example, banks must establish clearer and more reliable security technology for their websites so that consumers can easily tell genuine from fake, and banks must assign full-time staff to patrol the network and prevent counterfeit sites in time, so as to increase banks' obligations and protect users' interests to the greatest extent.

When a dispute arises, what both sides care about most is whether it can be effectively resolved through formal legal channels. In recent years, disputes in which a leaked bank card led to deposits being fraudulently taken by others have occurred, and because the State had not promulgated corresponding legal norms, legal practitioners disagreed over whether such new cases should be accepted as civil cases, with views on both sides.

However, just before this article's deadline, the reporter learned that the Sichuan High Court had specifically written to the Supreme People's Court for instructions, and on August 1 the Supreme People's Court announced its official reply on whether a deposit contract dispute caused by a leaked bank card can be accepted as a civil case. That is to say, from the date of the official reply, depositors whose bank card was leaked and whose deposits were taken by others using counterfeit cards (the so-called "mysterious loss of deposits") can sue the bank in court. From this we also see the State's attention to online banking transaction security, and with the continual improvement of national laws the online trading environment will become ever more secure.

  Countermeasures

Besides looking forward to the State's formal introduction of the relevant laws, we also hope that when disputes between customers and banks arise, a fair and authoritative third party will administer justice for both sides. This requires institutions such as the CBRC and the central bank to monitor the risks of online banking.

In accordance with the Interim Measures for the Administration of Online Banking, commercial banks should establish online banking information management systems, and the People's Bank of China can develop an information management system that connects to those of the commercial banks, so that it can supervise their online business, that is, track and supervise changes in the direction in which their retail business develops.

At the same time, judging by the development of the financial industry abroad, "mixed operation" is the trend, and online banking in particular will greatly accelerate the process of mixed operation in China. Although online banking speeds up the turnover of bank capital and reduces transaction costs, financial risk also rises, because electronic money circulates through complex links and with all kinds of counterparties, which leaves supervisory authorities facing the risk of regulation being evaded.

Moreover, traditional regulatory instruments cannot provide efficient, comprehensive supervision of online banking. In addition to formulating targeted management measures, financial supervisory authorities should speed up their own electronic construction and rely on advanced scientific and technological means to implement off-site monitoring, so as to keep adapting to the new situations and new problems of financial supervision.

At present, system construction should be strictly enforced during the approval process: the institutional arrangements of an online bank, such as publicity, information disclosure, internal control and system design, must be strictly examined and approved. However, supervisors should not intervene too much in the hardware facilities, technical investment and staffing of online banking; banks should be given appropriate flexibility to plan their investment according to their actual situation, avoiding unnecessary waste of resources caused by administrative intervention. At the same time, attention should be paid to risk prevention and resolution mechanisms: establishing an online bank or developing new business must be accompanied by sound programmes and plans for risk identification, management and disposal.

Related links: seven tips for the safe use of online banking

  1. Check the web address

When using online banking, customers should check that the web address is consistent with the official address agreed with the bank, and beware of criminals who maliciously imitate bank websites to cheat customers out of their account information.

  2. Proper selection and safekeeping of passwords

Passwords should not be based on personal data; do not use your ID number, date of birth, telephone number and the like as a password. Mixing letters and numbers is recommended to make the password harder to crack. Keep the password safe and avoid writing it on paper. Try to avoid using the same password in different systems; otherwise, once the password is lost, the consequences will be disastrous.
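An added example (my own code, not from the article) that turns tip 2 into a check: it rejects a password that lacks a mix of letters and digits, or that contains a piece of the ID number or phone number, or the date of birth in any of the renderings people commonly type. The four-digit window and the date formats are my assumptions; the user data in the test is constructed.

```python
"""Check a candidate online-banking password against the user's own personal data."""
import re
from datetime import date


def date_forms(d: date) -> set:
    """Renderings of a birth date that commonly end up inside passwords (assumed list)."""
    return {
        d.strftime("%Y%m%d"),  # 19800315
        d.strftime("%y%m%d"),  # 800315
        d.strftime("%m%d%Y"),  # 03151980
        d.strftime("%d%m%Y"),  # 15031980
        d.strftime("%m%d"),    # 0315
        d.strftime("%d%m"),    # 1503
        d.strftime("%Y"),      # 1980
    }


def check_password(password: str, id_number: str = "", birth: date = None,
                   phone: str = "", min_length: int = 8) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Tip 2: mix letters and numbers.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("does not mix letters and digits")
    # Tip 2: no ID number or phone number. Any 4-digit run taken from them counts.
    for label, value in (("ID number", id_number), ("phone number", phone)):
        digits = re.sub(r"\D", "", value)
        if any(digits[i:i + 4] in password for i in range(len(digits) - 3)):
            problems.append(f"contains part of your {label}")
    # Tip 2: no date of birth, in any common rendering.
    if birth and any(form in password for form in date_forms(birth)):
        problems.append("contains your date of birth")
    return problems


if __name__ == "__main__":
    # Constructed sample user; the ID number and phone are not real.
    print(check_password("zhang19800315", id_number="110101198003150012",
                         birth=date(1980, 3, 15), phone="13800138000"))
```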

  3. Keep good transaction records

Customers should keep records of online transfers and payments, regularly check the "historical transaction details" and regularly print online banking statements; if there are abnormal transactions or accounting errors, contact the bank immediately to avoid loss.

  4. Proper custody of digital certificates

Online banking users should avoid using online banking on public computers, so that confidential information such as digital certificates does not fall into others' hands, which would allow the online identity system to be compromised and online accounts to be stolen.

  5. Be alert to abnormal events

If a major event forces the system to suspend service, the bank will notify customers in advance. Customers who have carelessly entered a bank card number and password at an unfamiliar "bank URL" and then encounter prompts such as "system maintenance" should immediately call the bank's customer service hotline for confirmation. If information is found to have been stolen, immediately change the relevant transaction password or report the bank card lost.

  6. Install antivirus software

Install a firewall on your computer to prevent personal account information from being stolen by hackers. Installing antivirus software and upgrading it frequently is recommended.

  7. Plug software vulnerabilities

To prevent others from exploiting software vulnerabilities to access the computer and steal information, customers should update the relevant software and download the patches.
