Security Model risks of online banking systems

Source: Internet
Author: User
Tags: asymmetric encryption

The security of online banking rests on digital signatures, the part of asymmetric (public-key) cryptography that provides non-repudiation. A digital signature is needed precisely when the communicating parties do not trust each other: neither party trusts the other, but both trust the signature mechanism, so a signed message can be checked by anyone who holds the signer's public key.

Online banking as currently built does not satisfy this condition: the customer must trust the bank completely. Both the server-side software and the client software are written by a developer engaged by the bank, so a customer who wants to use the service has no choice but to trust the bank fully. If it wished, the bank could place a backdoor in the client software to obtain the customer's data, which creates a serious asymmetry between the two parties. Moreover, current online banking software stores all transaction data on the bank's server, and the customer almost never keeps a copy of the transaction data or of the bank's signature over it.

In recent years there have been many cases of funds being stolen from online banking customers, and some have ended in lawsuits. Why? First, the software provided by the bank certainly contains security vulnerabilities: security experts generally agree that any software beyond a certain complexity has bugs, and a bank that vows its software is free of them is only deceiving itself. Second, the developer of the client software could deliberately build in a backdoor. The interests of the bank and the customer are fundamentally opposed, so the customer has no reason to trust a developer engaged by the bank. Third, the customer cannot gather evidence. In online banking, the decisive legal evidence is, for each transaction, the customer's signature over the transaction data and the bank's signature over the same data. None of the software in use today preserves this for the customer.

Because the client software comes entirely from the bank, the bank usually refuses, citing security, to disclose the protocol or implementation details. Once a customer's funds are stolen, it is hard for the customer to tell whether the loss came from a flaw in the bank's software, a weak security configuration on the customer's own computer, or a trojan installed on it.

What is the correct security model? First, the bank and the customer must start from the principle of mutual distrust. They can nevertheless agree on a mutually acknowledged secure communication protocol, for example the existing SET (Secure Electronic Transaction) protocol. An individual customer is generally unable to build the client software, but can entrust a developer they trust to do so: such developers can implement the published protocol and offer their software to bank customers. In the event of a financial dispute, the customer can then ask that developer to help collect evidence.
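As an added example (not code from the original article), here is the kind of record that the third point above and the model in this paragraph call for: each transaction is signed by the customer, countersigned by the bank over the transaction plus the customer's signature, and the customer keeps the complete record so that an arbiter holding only the two public keys can verify it later. Ed25519 from Go's standard library stands in for the RSA signatures a protocol such as SET would specify; the transaction fields, account names and amounts are constructed sample data, and the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the data both parties sign. json.Marshal emits struct fields
// in declaration order, so the encoding is deterministic and both sides (and
// an arbiter) sign and verify exactly the same bytes.
type Transaction struct {
	TxID   string `json:"tx_id"`
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int64  `json:"amount_cents"`
	Time   string `json:"time"`
}

// Record is what the customer keeps locally: the transaction plus both
// signatures. Without the bank's signature it proves only what the customer
// requested, not what the bank accepted.
type Record struct {
	Tx          Transaction `json:"tx"`
	CustomerSig []byte      `json:"customer_sig"`
	BankSig     []byte      `json:"bank_sig"`
}

// GenKeys creates an Ed25519 key pair; each party generates its own and
// never hands the private half to the other side.
func GenKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical returns the exact bytes that are signed.
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err)
	}
	return b
}

// bankMessage is what the bank signs: the transaction followed by the
// customer's 64-byte signature, so the countersignature commits to the
// customer's authorization and not only to the data.
func bankMessage(tx Transaction, customerSig []byte) []byte {
	return append(canonical(tx), customerSig...)
}

// CustomerSign is step 1: the customer authorizes the transaction.
func CustomerSign(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, canonical(tx))
}

// BankCountersign is step 2: the bank checks the customer's authorization and
// countersigns. It must refuse to sign anything the customer did not sign.
func BankCountersign(bankPriv ed25519.PrivateKey, customerPub ed25519.PublicKey,
	tx Transaction, customerSig []byte) ([]byte, error) {
	if !ed25519.Verify(customerPub, canonical(tx), customerSig) {
		return nil, errors.New("customer signature invalid: refusing to countersign")
	}
	return ed25519.Sign(bankPriv, bankMessage(tx, customerSig)), nil
}

// VerifyRecord is what an arbiter runs later, with nothing but the two
// public keys and the record the customer kept.
func VerifyRecord(customerPub, bankPub ed25519.PublicKey, r Record) error {
	if !ed25519.Verify(customerPub, canonical(r.Tx), r.CustomerSig) {
		return errors.New("customer signature does not match the transaction data")
	}
	if !ed25519.Verify(bankPub, bankMessage(r.Tx, r.CustomerSig), r.BankSig) {
		return errors.New("bank signature does not match the transaction data")
	}
	return nil
}

func main() {
	customerPub, customerPriv := GenKeys()
	bankPub, bankPriv := GenKeys()

	// Constructed sample transaction.
	tx := Transaction{TxID: "TX-0001", From: "ACCT-1234", To: "ACCT-5678",
		Amount: 12500, Time: "2024-03-01T10:15:00Z"}

	cSig := CustomerSign(customerPriv, tx)
	bSig, err := BankCountersign(bankPriv, customerPub, tx, cSig)
	if err != nil {
		panic(err)
	}
	rec := Record{Tx: tx, CustomerSig: cSig, BankSig: bSig}
	stored, _ := json.Marshal(rec) // this is what the customer backs up
	fmt.Printf("stored record: %d bytes\n", len(stored))
	fmt.Println("genuine record:", VerifyRecord(customerPub, bankPub, rec))

	// A later change to the amount, by either side, breaks both signatures.
	forged := rec
	forged.Tx.Amount = 1250000
	fmt.Println("tampered record:", VerifyRecord(customerPub, bankPub, forged))
}
```

Two design points matter more than the signature algorithm. The canonical encoding of the transaction has to be fixed by the public protocol, otherwise the two sides may sign different bytes for the same transaction and neither signature will be usable as evidence. And the bank's countersignature covers the customer's signature, not just the data, so the record ties the bank's acceptance to the customer's authorization; a customer who stores only the bank's signature, or only their own, still cannot prove what both parties agreed to. The stored record must live somewhere the bank does not control, which is the backup the article says current client software never makes.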

For convenience, the bank can also publish a reference implementation of the client software. Customers who trust the bank can use that reference implementation directly, but then they bear the associated security risk themselves.
