Secure Banking over the Internet: Recommendations from the European Committee for Banking Standards
by Rainer A. Rueppel
The Internet is a rapidly evolving information infrastructure (Information Highway) which provides global connectivity, easy reachability and interactive communications at moderate cost for the consumer. The dominating application is the World Wide Web (WWW), with a potential of 3 million connected computer systems and an order of magnitude more actual users. Currently, the WWW is primarily used to provide easy access to free-of-charge information (typically research or marketing information), but this is expected to change dramatically in the near future: the WWW is expected to provide a basis for electronic commerce and trade. A similar development can be expected for the broadband networks and Information Highways.
Hence, the Internet has acquired a market potential which makes it attractive for all service providers and, in particular, for the banks. With the Internet, banks can easily reach their customers on a global scale. Customers may sign up, order, and transfer money electronically from almost any place in the world. However, as the Internet per se is a highly open and distributed infrastructure without central regulation and control, it is mandatory that the banks carefully address and solve the security issues related to banking applications over the Internet.
European banks must position themselves regarding:
- the use of the Internet for global banking services
- the use of the Internet for internal purposes
- novel banking applications brought forward by global information infrastructures.
The European Committee for Banking Standards (ECBS) was established in 1993 by the three European Credit Sector Associations (ECSAs: the Banking Federation of the European Union, the European Savings Bank Group and the European Association of Co-operative Banks, representing banks from the countries of the European Union and the EFTA countries). Its task is to develop technical solutions to the issues common to all the ECSA members, arising from the need for a Europe-wide approach to the technical banking infrastructure, specifically payment systems, to support the European single market.
Figure: Overview of the Internet security protocols (unshaded areas) and their position in the communication protocol hierarchy.
ECBS currently operates the following technical committees: Plastic Cards and Related Devices (TC1), Automated Cross Border Payments (TC2), and Security (TC4). ECBS, in particular TC4 Security, has become increasingly involved in the area of electronic commerce. The topics addressed are Certification Authorities, Digital Signature, Secure Banking over the Internet, and Key Escrow. This article gives an introduction to the ECBS Recommendations on Secure Banking over the Internet (the full report can be downloaded from http://www.r3.ch/).
The ECBS Recommendations on Secure Banking over the Internet investigate the security requirements for secure banking on the Internet, provide a survey of the security-related protocols, services and applications on the Internet, provide a set of recommendations as to how banks can securely perform banking transactions over the Internet (primarily for customer-bank relationships). More specifically, the following issues are addressed:
- the separation of trusted networks from the Internet, e.g. firewall technology
- Internet session security, discussing the major security protocols for online access (such as SSL, S-HTTP, PCT, and STLP)
- Internet mail security, discussing the major security solutions for store-and-forward document exchange (such as PEM, PGP, MOSS, and S/MIME)
- the integration of financial applications with the Web, discussing technologies such as helper, plug-in, ActiveX, and applets
- Electronic Commerce Security, including SET and homebanking solutions
- a general security discussion of hardware and software solutions
- an introduction to public key infrastructures, including registration/certification and key escrow.
As a guide to this ECBS Technical Report, the figure provides an overview of the Internet security protocols (unshaded areas) and their position in the communication protocol hierarchy.
A number of recommendations are made in the ECBS Technical Report on Secure Banking over the Internet. The Internet's image is changing fast, and the security problems on the Internet are becoming better understood. However, the emerging solutions must address the security problems of dynamic code download before true electronic commerce can happen. At the heart of any commercial use of the Internet lies a public key infrastructure: for the secure download of content and code, and for the secure operation of SSL, SET, e-mail and payment systems, trustworthy key management services are needed.
Rainer A. Rueppel - ECBS TC4 WG6 Convener
Tel: +41 1 934 56 56