
Is online banking safe?

The development of network information technology and the popularity of e-commerce have had a strong impact on the traditional business philosophy and methods of enterprises. Internet banking with Internet technology as its core has also made great changes in banking business. "Online banking" not only brings unprecedented business opportunities for the development of financial enterprises, but also brings tangible convenience to many users. As a brand-new bank customer service delivery channel, customers can manage their assets safely and conveniently 24 hours a day, or handle banking business such as inquiry, transfer and payment, no matter at home, office or on the road. The advantages of "online banking" are really obvious. But in the face of this new thing, people have the biggest doubt: is "online banking" safe? It is not unreasonable for people to have such concerns. The connection between the banking network and the Internet makes online banking easy to become the target of illegal invasion and malicious attacks. In addition, the current network disorder and hacker attacks emerge in an endless stream, which also has a certain impact on people's psychology.

Generally speaking, people's concerns about the security of online banking mainly include:

1. The bank trading system has been illegally invaded.

2. Information is stolen or tampered with when it is transmitted through the network.

3. Whether the identity of both parties to a transaction can be reliably established, and whether an account can be taken over by someone else.

From the bank's point of view, developing online banking carries more risk than it does for customers. For this reason, China Merchants Bank, China Construction Bank, Bank of China and the other online banks in China have all established a strict security system, covering security policies, security management systems and processes, technical security measures, business security measures, internal security monitoring and security auditing, in order to ensure the safe operation of online banking.

Security of Bank Transaction System

The "online banking" system is an extension of banking services, and customers can conveniently use the core business services of commercial banks through the Internet to complete various non-cash transactions. On the other hand, the Internet is an open network, the bank transaction server is an online public site, and the online banking system also opens the door to the Internet for the bank intranet. Therefore, how to ensure the security of online banking transaction system is related to the security of the entire financial network within the bank, which is the most critical issue in the construction of online banking and the most fundamental consideration for banks to ensure the safety of customers' funds.

In order to prevent the transaction server from being attacked, banks mainly take the following three technical measures:

1. Set up a firewall to isolate related networks.

Generally, a variety of firewall schemes are adopted. Its functions are:

(1) Separate the Internet from the transaction server to prevent illegal intrusion by Internet users.

(2) It is used to isolate the transaction server from the bank intranet, effectively protect the bank intranet and prevent the intranet from invading the transaction server.

2. High-security Web application server

The server uses a trusted dedicated operating system, and through its unique architecture and security check, it ensures that only the transaction requests of legitimate users can be sent to the application server for subsequent processing through a specific agent program.

3. 24-hour real-time security monitoring

For example, ISS network dynamic monitoring products are used for system vulnerability scanning and real-time intrusion detection. In February 2000, when Yahoo and other big websites were attacked and destroyed by hackers, all websites using ISS security products survived.

Identity authentication and CA certification

Online transactions are not face-to-face, and customers can make requests anytime and anywhere. Traditional identification methods usually rely on user name and login password to verify the identity of users. The user's password is transmitted in the form of clear text on the network when logging in, which is easy to be intercepted by attackers, and then can impersonate the user's identity, and the identity authentication mechanism will be broken.

In the online banking system, the user's identity authentication depends on multiple guarantees: an encryption mechanism and a digital signature mechanism based on the RSA public key cryptosystem, together with the user's login password. The bank checks both the user's digital signature and the login password, and the user's identity is confirmed only after all of them pass. The user's unique identity is the "digital certificate" issued by the bank. The user's login password is transmitted as ciphertext, which ensures the security and reliability of identity authentication. With the introduction of digital certificates, users are authenticated on the bank's trading website, which ensures that the real bank website is being accessed and that the transaction instructions submitted by customers cannot be repudiated. Because of the uniqueness and importance of digital certificates, banks carrying out online business have set up CA certification bodies, which are responsible for issuing and managing digital certificates and for conducting online identity audits. In June 2000, the China Financial Certification Center (CFCA), led by the People's Bank of China and jointly established by 12 commercial banks, was officially put into operation. This indicates that China's e-commerce has entered a new stage of secure bank payment. As an authoritative, reliable and impartial third-party trust institution, the China Financial Certification Center provides the basis for identity authentication in future inter-bank transactions.

Network communication security

Because the Internet is an open network, sensitive information (such as passwords and trading instructions) transmitted by customers on the Internet may be intercepted, deciphered and tampered with during communication. To prevent this, online banking systems generally encrypt transaction information, and the SSL data encryption protocol is the most widely used.

The SSL protocol was originally developed by Netscape. Its main purpose is to provide a secret and reliable connection between two communicating parties, and at present most Web servers and browsers support it. After the user logs in and passes authentication, all data transmitted between the user and the service provider on the network is encrypted with a session key until the user logs out of the system, and the encryption key used in each session is randomly generated. In this way an attacker cannot obtain any useful information from the data stream on the network. At the same time, a digital certificate is introduced to sign the transmitted data; once the data is tampered with, it will inevitably be inconsistent with the digital signature. The key length of the SSL protocol is directly related to its encryption strength, generally 40 to 128 bits, and can be found under Help > About in the IE browser. At present, China Construction Bank and others have adopted high-strength encryption with an effective key length of 128 bits.
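The two mechanisms this section leans on, a per-session random key and a digital signature that no longer verifies once the signed data is altered, can be shown in a few lines. The block below is an added example, not code from the article or from any bank's system. It uses textbook RSA with a constructed six-digit prime pair so that it runs with the Python standard library alone; a real certificate carries a 1024-bit or larger key and a padding scheme, and the transfer instruction string is constructed sample data.

```python
import hashlib
import secrets

# Constructed toy key pair: two six-digit primes, far too small for real use.
# A CA-issued certificate such as the ones the article describes would hold
# a 1024-bit (or larger) RSA key; the arithmetic below is the same.
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept by the signer only


def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced modulo N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA signature over the message digest (no padding; toy only)."""
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """True only if the signature matches the digest of exactly this message."""
    return pow(signature, e, n) == digest_int(message)


def new_session_key() -> bytes:
    """A fresh 128-bit session key; the article notes SSL picks one per session."""
    return secrets.token_bytes(16)


def demo() -> tuple:
    """Sign a constructed transfer instruction, then alter the amount in transit.

    Returns (verifies_original, verifies_tampered); the second is False because
    the digest of the altered instruction no longer matches the signature.
    """
    instruction = b"transfer 1000.00 CNY from 6222-0000-0001 to 6222-0000-0002"
    signature = sign(instruction)
    tampered = instruction.replace(b"1000.00", b"9000.00")
    return verify(instruction, signature), verify(tampered, signature)


if __name__ == "__main__":
    print("original verifies, tampered verifies:", demo())
    print("session key:", new_session_key().hex())
```

The point a practitioner should take from it is that the signature binds the signer's private key to the exact bytes of the instruction; the receiving bank recomputes the digest itself rather than trusting anything sent alongside, so a changed amount, account number or a replaced message is rejected before any funds move.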

Customers' security awareness

The security awareness of bank card holders is an important factor that cannot be ignored. At present, the security awareness of bank card holders in China is generally weak: they do not take care to keep their passwords confidential, or they set passwords to easily guessed numbers such as birthdays. Once the card number and password are stolen or guessed by others, the account may be used online without the owner's knowledge, for shopping, consumption and so on, causing losses that the bank's technical means cannot prevent. Therefore, some banks require customers to sign a legally binding contract at the bank counter before using "online banking" for transfers and payments, so as to protect the safety of customers' funds.

In another case, customers using online banking on public computers may make confidential information such as digital certificates fall into the hands of others, thus directly breaking through the online identification system and stealing online accounts.

As the core and foundation of the survival and development of online banking, security has been highly valued by banks from the beginning, and effective technical and business means have been adopted to ensure it. However, security and convenience pull in opposite directions: the safer the application, the more complicated its operation, which reduces convenience and makes it harder for customers to use. Security and convenience must therefore be weighed against each other. Up to now, the transaction volume of online banking in China has reached hundreds of billions of yuan, and the banks themselves have had no security problems; only a few customers have lost money because of their poor sense of confidentiality.

Summary

According to relevant data, more than 150,000 households in the United States use online banking services, and online banking accounts for 10% of total banking business. By 2005, this proportion will be close to 50%. However, the business volume of online banking in China is less than 1% of total banking business. In this respect, the development prospects of online banking in China are extremely broad. We have reason to believe that with growing national financial awareness and the promulgation of national laws and regulations to regulate online behavior, online banking will have a better environment, and "online banking" that can provide "3A services" (anytime, anywhere, in any way) will certainly appear.

Since the United States launched the world's first online bank, Security First Online Bank, in 1995, online banking has developed very rapidly around the world. In 2002, about 5.6 million households in the United States used online banking or online payment at least once a month. 2003

In 2006, Bank of East Asia and HSBC started online banking in Chinese mainland. The first online bank in China appeared in 1998. It is reported that by the end of 2004, online banking in China had reached 17.58 million individual customers and 600,000 enterprise users, and the online banking transaction volume reached 49 trillion yuan.

However, just as consumers accept and try the novelty and convenience brought by this new thing, fraud cases caused by security problems follow one after another. This makes consumers begin to question, and forces them to re-examine, the credibility of online banking. How should the security of online banking be understood? Is the problem a lack of awareness of prevention on the part of banks, or of consumers? Security has indeed become a focus of the development of online banking.

Various security problems of online banking

Online banking (also called Internet banking) refers to the virtual banking counter through which banks provide banking services to customers over the network, with the bank's own computer system as the main body and the computers of organizations and individuals as the access terminals. Simply put, online banking is a virtual banking counter on the Internet, which "moves" traditional banking business onto the Internet and allows banking business to be carried out there.

In western developed countries, online banking services are generally divided into three categories, namely, information services, customer exchange services and bank transaction services. Information service means that banks provide products and services to customers through the Internet. Customer communication services include e-mail, account inquiry and loan application. Bank trading services include personal business and corporate business. The former includes transfer, remittance, payment, mortgage, securities trading and foreign exchange trading. The latter includes settlement, credit and investment. Bank transaction service is the main business of online banking.

The characteristic of online banking is that as long as customers have their own account number and password, they can enter online banking through the Internet to handle transactions around the world. Compared with the traditional banking business, the advantage of online banking is that it can not only greatly reduce the operating costs of banks, but also help to expand the customer base, cross-sell products and attract and retain high-quality customers. Because customers use public browser software and public network resources, it saves customers the cost of software and hardware development and maintenance. Online banking is not limited by time and space, which breaks the traditional geographical and time business restrictions and can provide financial services to customers anytime and anywhere. And on the basis of integrating all kinds of cross-selling product information, we can realize financial innovation and provide customers with more personalized services.

There are two models for the development of online banking. One is the purely electronic bank without physical branches, also known as a "virtual bank". The other is based on an existing traditional bank, which uses the Internet to carry out its traditional banking transaction services. In fact, there is no true online bank of the first kind, that is, a "virtual bank", in China; at present, online banking in China basically belongs to the second model.

For banks, it has always been "credit first". Since online banking is a product of the Internet, all security risks brought by the Internet naturally affect online banking and its credit. Therefore, the security of online banking is not only the thing customers worry about most, but also a concern that traditional banks pay close attention to. Apart from data transmission risk, application system design defects and computer virus attacks, the security risk faced by online banks that is currently the most harmful and influential is fraud. The fraudulent means include fake bank websites, e-mail fraud and online trading traps.

Fake bank websites are well concealed: their domain names usually differ from the real bank's by a single letter or digit, while their home pages look very similar to the real bank's. Fraudulent e-mails provide a link that closely resembles a bank or shopping website; once a user who receives such an e-mail clicks the link, the page prompts the user to enter their account information, and if the user fills it in, it ends up in the hands of fraudsters. The online trading trap is that some obscure shopping websites advertise ultra-low-priced goods, and when users click the payment link they are tricked into giving up their bank information. How do banks deal with the various security problems of online banking, and what corresponding measures have they taken?
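The one-character domain difference described above is something a bank's security team or a mail gateway can check for mechanically. The block below is an added example, not code from the article or from any bank; it classifies the hostname of a link against a constructed list of legitimate domains (the `examplebank` names are placeholders, not real bank domains) using edit distance, and also flags the common trick of placing the real domain name inside a longer host such as `examplebank.cn.verify-account.test`.

```python
from urllib.parse import urlparse

# Constructed placeholders standing in for a bank's real registrable domains.
KNOWN_BANK_DOMAINS = ["examplebank.cn", "examplebank.com.cn"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare domain is treated as http://domain."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def classify_link(url: str, known=KNOWN_BANK_DOMAINS, max_distance: int = 2) -> tuple:
    """Return (verdict, matched_domain).

    verdict is one of:
      "legitimate" - the host is a known domain or a subdomain of one
      "lookalike"  - the host embeds a known domain, or is within
                     max_distance character edits of one (the one-letter
                     difference the article describes)
      "unknown"    - unrelated host
      "invalid"    - no hostname could be parsed
    """
    host = hostname_of(url)
    if not host:
        return ("invalid", None)
    for legit in known:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    for legit in known:
        # Real domain used as a prefix of an attacker-controlled host.
        if legit in host:
            return ("lookalike", legit)
        distance = edit_distance(host, legit)
        if 0 < distance <= max_distance:
            return ("lookalike", legit)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links as they might appear in an e-mail.
    for link in ["https://examplebank.cn/login",
                 "https://examp1ebank.cn/login",
                 "https://examplebank.cn.verify-account.test/",
                 "https://unrelated.test/"]:
        print(link, "->", classify_link(link))
```

A gateway that flags "lookalike" links for quarantine or a warning banner catches the substitution case (`l` replaced by `1`) and the embedded-domain case, while leaving genuine subdomains of the bank alone. The threshold of two edits is an assumption; the article only says the difference is usually one letter or digit.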

Bank: Do it when you should.

In August, 14 domestic commercial banks and the China Financial Certification Center (CFCA) jointly launched the "Safe and secure online banking in 2005" activity. Banking departments and third-party security certification bodies worked together to give consumers an opportunity to learn about online banking and information security.

Among these 14 banks, the Industrial and Commercial Bank of China (ICBC) launched online banking in 2000. By adopting internationally advanced technical security measures and strict risk control measures, ICBC has established a rigorous set of technical and institutional safeguards for online banking, ensuring its safe operation.

Shang Yang, deputy director of the electronic banking department of the Industrial and Commercial Bank of China, told reporters that there are four main types of fraudulent activity that use online banking to defraud customers' funds. First, criminals pretend to be well-known companies, especially banks, by e-mail, and in the name of a system upgrade trick unsuspecting users into clicking on fake websites that require them to input sensitive information such as their account number, online banking login password and payment password at the same time. Second, criminals use online chat to offer online game equipment, digital cards and other commodities at low prices while posing as ordinary netizens, and trick users into logging in to a fake website address they provide and entering their bank account numbers, login passwords and payment passwords. Third, criminals take advantage of some people's bad online habits, such as downloading and opening unknown programs, games and e-mails, and may implant a Trojan virus into customers' computers through them. Once a customer logs in to online banking from such a "poisoned" computer, his account and password may be stolen by the criminals.

For example, when people go online at public computers such as those in Internet cafes, Trojan horse programs may have been planted in those computers in advance to capture sensitive information such as account numbers and passwords. Fourth, criminals take advantage of people's reluctance to bother with a complex password and may guess an overly simple one through trial and error. Therefore, to ensure the security of information and funds, users not only need the ability to recognize online fraud, but also need to develop good online banking habits. Of course, if a user obtains a customer certificate, it can effectively prevent all kinds of common cyber crime and ensure the safety of the user's funds.

The security of ICBC's online banking system is multi-layered, including online banking technology security and business security, which form a complete online banking security system. From the perspective of technical security, the technical security of online banking includes network security and transaction security. Network security ensures the safety and reliability of ICBC's website, and transaction security ensures the safety of customers' funds through online banking transactions. Among them, network security involves system security and network operation security.

System security actually refers to the security of hosts and servers, mainly including anti-virus, system security detection, intrusion detection (monitoring) and audit analysis; network operation security refers to the emergency measures needed for incidents, such as data backup and recovery. To ensure the network security of online banking, ICBC has taken a series of measures, including a first firewall between the Internet and the online banking server and a second firewall between the portal server and the ICBC internal network (application server). The second firewall and the first firewall at the entrance are products of different manufacturers and carry different security policies, so that even if hackers break through the first firewall, they cannot easily break through the second one and enter the intranet.

While ensuring network security, ICBC's online banking has also taken a series of measures to ensure the security of online transactions, including adopting the most stringent public key certificate security system provided by the China Financial Certification Center (CFCA), with 1024-bit certificate authentication and 128-bit SSL encryption. According to customers' differing requirements for convenience and security, ICBC divides customers into two categories: uncertified customers and certified customers. For customers who have not applied for a certificate, the account number (or login ID) and login password are verified first, and the payment password must also be verified for any external payment.

In addition, through a series of measures such as increasing password difficulty (a password must be a combination of 6 to 30 digits and letters), setting up a virtual "E" card (used only for online shopping) and a maximum daily payment limit, customers are protected to the greatest extent when using online banking. For customers who have applied for a certificate, the ICBC USBKey customer certificate is a smart chip shaped like a USB flash drive. It is the "identity card" and "security key" of online banking, and is currently the highest security measure. After the customer applies for this certificate, all online operations involving fund transfers must be completed through it, and it is kept and used only by the customer. In other words, as long as the account number, login password, payment password, customer certificate, certificate password and other security safeguards are not lost or leaked, or even if some are lost, as long as the password and the certificate are not obtained by the same person, there is no risk to the customer's funds.

In addition to technical security, ICBC has established a sound internal teller operation management mechanism at the business security level. The internal management system of the whole online bank provides unified internal management functions to the whole bank through the ICBC intranet. Within the system, four types of teller roles across 9 levels are established, from the head office through provincial banks to municipal banks, managed step by step, with each level having the authority to manage and supervise the level below it. At the same time, when a teller carries out certain key operations, real-time auditing by a teller at the next higher level is also required, to prevent a single person from committing a crime.

So, how should users use online banking safely? Deputy Director Shang Yang said that for customers with customer certificates, as long as the password and certificate are not obtained by the same person, the security of customer funds can be guaranteed. For customers who do not have a customer certificate, it is very safe as long as they keep their account number, password and payment password secure. In short, there are several points to remind people of:

1. Please take good care of your account and password.

2. Beware of fake websites asking for sensitive customer information such as account number, password and payment password.

3. Take care of your computer. Don't casually download software of unknown origin. It is best not to use online banking in public places (such as Internet cafes and public libraries).

4. The most effective way is to apply for a customer certificate at an ICBC outlet. Once you have your own customer certificate, you can effectively prevent online fraud such as fake websites and Trojans. In other words, even if a fake website or Trojan horse obtains sensitive information such as your account number and password by deception, you can still use online banking with peace of mind with a certificate.

Huaxia Bank also started online banking in 2000. The first online banking transaction took place on May, 2006 17. As of June 2005, the number of corporate online banking customers was close to 10.2 million, and the number of registered individual customers was close to 210,000. The accumulated transaction amount exceeded 750 billion yuan, and the number of transactions exceeded 440,000.

According to Gao Jingwen, deputy manager of the online banking office of Huaxia Bank's online banking department, the report of the National Computer Network Emergency Technical Handling Coordination Center (CNCERT/CC) shows that in the first half of 2004 there were about 20 incidents of various types of online fraud using Chinese hosts, and the number exceeded 110 in June and July of the same year. With the popularity of online banking, there will be more and more such fraud incidents, and the technical means used by criminals are becoming more and more advanced. They steal the accounts and passwords of bank customers, which poses a serious threat to the safety of users' funds.

Therefore, Huaxia Bank has formed a complete security management system covering technical strategy, management strategy and business strategy, and has adopted multiple technical and business security measures on both the bank side and the client side.

Their technical measures include the following. The architecture adopts a centralized model with a single entrance and exit: all online banking operations are logged in through the portal website of Huaxia Bank Head Office. Centralized management makes it possible to concentrate the best manpower, material resources and technology, ensures transaction safety and reduces the chance of fake websites. Three firewalls of different specifications and models are used between the public network and the bank website, between the website and the transaction server, and between the transaction server and the bank intranet, to isolate the related networks; their function is to prevent illegal access to the website, prevent website visitors from illegally intruding into online banking, effectively protect the bank intranet, and prevent the intranet from being used to reach the online banking transaction server. Like ICBC, Huaxia Bank adopts the 128-bit SSL data encryption protocol and digital certificates issued by CFCA. The SSL protocol establishes a secret and reliable connection between users and the online banking servers, which ensures the integrity and security of information in transit, and the digital certificates guarantee the integrity, confidentiality and non-repudiation of transactions.

The business security measures of Huaxia Bank are as follows:

(1) The certificate is stored on an IC card or USB disk, which is convenient for private storage and not easy to forge.

(2) Double protection by the certificate authentication password and the system login password.

(3) Online transfers must go through multiple bookkeeping and authorization confirmations.

(4) If the customer's password has not been changed for 3 months, the system automatically reminds the customer to change it.

(5) If the wrong password is entered many times in a row, the system automatically locks the account and login is not allowed, to prevent malicious password guessing.

(6) Enterprises can set up a variety of authorization combinations according to their actual circumstances.

(7) Every click operation by the customer can be monitored in real time in the computer room.

(8) Complete log records provide a basis for post-event audit.
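The password controls described by both banks (ICBC's rule that a password be a combination of 6 to 30 digits and letters, and Huaxia Bank's automatic lock after repeated wrong entries and reminder after 3 months without a change) are small enough to implement end to end. The block below is an added example, not code from the article or from either bank's system. The lockout threshold of 5 attempts, the 90-day reading of "3 months", and the requirement that a password contain at least one digit and at least one letter are all assumptions, as is the use of PBKDF2 for storing the password, which the article does not discuss.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta

# Assumed policy: 6-30 characters, letters and digits only, at least one of each.
PASSWORD_RE = re.compile(r"^(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9]{6,30}$")
MAX_FAILED_ATTEMPTS = 5                 # assumed; the article says "many times in a row"
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed reading of "3 months"


def password_meets_policy(password: str) -> bool:
    """True if the password satisfies the assumed digits-and-letters policy."""
    return PASSWORD_RE.fullmatch(password) is not None


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; an assumption standing in for the bank's own store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """Minimal login-state tracker: failed-attempt lockout and password ageing."""

    def __init__(self, password: str, now: datetime):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False

    def login(self, password: str, now: datetime) -> str:
        """Return one of: "locked", "wrong_password", "ok", "ok_change_password"."""
        if self.locked:
            return "locked"
        candidate = _hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.password_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True          # login refused until staff unlock it
                return "locked"
            return "wrong_password"
        self.failed_attempts = 0            # a good login resets the counter
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            return "ok_change_password"     # the 3-month reminder
        return "ok"


def lockout_sequence(attempts: int) -> list:
    """Constructed walk-through: `attempts` wrong passwords, then the right one."""
    start = datetime(2005, 6, 1)
    account = Account("Demo2005", start)
    results = [account.login("wrong", start) for _ in range(attempts)]
    results.append(account.login("Demo2005", start))
    return results


if __name__ == "__main__":
    print(lockout_sequence(MAX_FAILED_ATTEMPTS))
    acct = Account("Demo2005", datetime(2005, 6, 1))
    print(acct.login("Demo2005", datetime(2005, 6, 2)))
    print(acct.login("Demo2005", datetime(2005, 10, 1)))
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so that response time does not leak how much of the hash matched, and once the account is locked even the correct password is refused, which is exactly what stops the trial-and-error guessing the article warns about.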

In terms of safety management, Huaxia Bank Online Banking has specially established an emergency plan; Set up a special security office to provide technical support; The system operation department is equipped with specialized personnel to monitor and process the system in real time.

Deputy manager Gao Jingwen said that online banking fraud is an international problem; even abroad there is no completely effective technical means, and it needs the joint efforts of all parties. From the user's side, it is necessary to cultivate security awareness, follow the bank's instructions strictly, and be on guard when receiving text messages or e-mails from unknown sources. As for banks, in addition to taking adequate security and internal control measures, they should use various channels to explain online banking security to users and remind them of points needing attention. The judicial departments need to define online banking fraud strictly in law.

Enterprise: Technology is not the most important thing to prevent problems.

All banks do their utmost to secure online banking. If banks take credit as their responsibility, then the vendors take protecting that credit as theirs. Regarding the security of online banking, Shi, president of Founder Information Security Technology Co., Ltd., believes that online banking, like the airline industry, is characterized by both high risk and high security. Large security vendors mainly solve online banking's security problems at the network level, securing the network from the bank's trading platform, private lines and intranet out to the public network. At the network level, firewalls, antivirus software and IDS products guarantee the perimeter security of the online trading platform; the security between the online bank and its users requires digital certificates, USBKEY devices and the like. Online banking is a high-end business, and Founder will cooperate with high-end integrators to launch not only high-tech products but also practical products that make consumers feel safe and confident.

In the field of information security, Founder Security offers more than 40 products in five product lines: firewall, antivirus, content security gateway, intrusion detection and virtual private network. Its latest intrusion protection offering, Panda TRUPREVENT Enterprise Edition, is intrusion protection software that covers both known and unknown threats and can resist network threats such as viruses, Trojans and worms to the greatest extent. This product, based on behavior recognition technology, is the first step toward Founder's future intelligent network security products. Mr. Shi said that technology has never been the problem; the problem lies in how technology can be turned into products at the most appropriate time and brought to market in the most appropriate way. Future online banking should be based on IP networks, and only when IP-based security products become mobile, wireless and portable can the security and reliability of the network be truly realized.

The reporter also interviewed Online Banking (Beijing) Technology Co., Ltd., which positions itself as an "electronic payment expert". It is an enterprise that provides electronic payment solutions for enterprises and individuals engaged in e-commerce. As a neutral third-party payment platform, Online Banking (Beijing) provides an online payment gateway and personal virtual accounts (similar to a C-to-C payment account), which mainly solve the problem of capital flow in e-commerce. It builds a bridge between banks and merchants: on the one hand it is linked to the banks, and on the other it provides a payment platform for merchants holding digital certificates. Therefore, whether it provides a trading platform for merchants or a settlement platform for banks, its business is closely tied to security.

Zhao Guodong, CEO of Online Banking (Beijing), who comes from a technical background, said that in many cases the security problems of online banking are not caused by the technology itself, but by people's lack of awareness of prevention and management. As a third-party payment platform, Online Banking (Beijing) is strict and prudent about security. Its security measures include the following. First, it cooperated with Tianwei Chengxin to launch an online payment gateway that complies with the Electronic Signature Law of the People's Republic of China (PRC).

Transaction data encrypted with the digital certificates provided by Tianwei Chengxin can effectively prevent hackers from tampering with or stealing it, protecting the security of the merchant's transaction data to the greatest extent, guaranteeing its integrity and non-repudiation, and preventing the payment gateway itself from modifying the transaction data. Second, the 128-bit SSL encrypted transport of the international organization VERISIGN is adopted, so that transaction information travels under high-strength encryption and is further protected from theft. Third, it cooperated with VISA to launch an international credit card payment platform that meets the 3-D Secure specification. The Verified by Visa service is built on the principle of being both safe and easy to use and adopts the "3D technology" used for payments worldwide; it is a security verification service launched by the VISA international organization to improve the security of online credit card payments, protect users' online payments and safeguard their interests. With the Verified by Visa service, online transactions are doubly insured.

In terms of server security, Online Banking (Beijing) uses a combination of hardware and software firewalls to block most viruses and attacks. On the bank side, it adopts 128-bit SSL encryption and the SET (Secure Electronic Transaction) protocol to ensure the safe execution of B2C online payments. In settlement between the payment platform and the bank, it adopts a secondary settlement model and acts as an impartial third party in the payment process. During a transaction, the information of both parties is transmitted to the payment platform and deposit records are retained, so that both parties can conveniently look up the order and related information; in particular, when a transaction dispute arises, this information can serve as strong evidence for arbitration. From the point of view of banks and vendors alike, digital certificates based on PKI technology appear to be the more reliable security protection measure.