Secure Banking over the Internet: Recommendations from the European
Committee for Banking Standards
by Rainer A. Rueppel
The Internet is a rapidly evolving information infrastructure (Information
Highway) which provides global connectivity, easy reachability and interactive
communications at moderate cost for the consumer. The dominating application
is the World Wide Web (WWW), with its potential of 3 million connected
computer systems and an order of magnitude more actual users. Currently,
WWW is primarily used to provide easy access to free-of-charge information
(typically research or marketing information). But this is expected to
change dramatically in the near future. WWW is expected to provide a basis
for electronic commerce and trade. A similar development can be expected
for the broadband networks and Information Highways.
Hence, the Internet has reached an increased market potential which
makes it attractive for all service providers and, in particular, for the
banks. With the Internet, banks can easily reach their customers on a global
scale. Customers may sign up electronically, may order electronically,
and may transfer money electronically from almost any place in the world. However,
as the Internet per se is a highly open and distributed infrastructure
without central regulation and control, it is mandatory that the banks
carefully address and solve the security issues related to banking applications
over the Internet.
European banks must position themselves regarding:
- the use of the Internet for global banking services
- the use of the Internet for internal purposes
- novel banking applications brought forward by global information infrastructures.
The European Committee for Banking Standards (ECBS) was established
by the three European Credit Sector Associations (the Banking Federation
of the European Union, the European Savings Bank Group and the European
Association of Co-operative Banks, representing banks from the countries
of the European Union and the EFTA countries) in 1993. Its task is to develop
technical solutions to the issues common to all the ECSA members, arising
from the need for a Europe-wide approach to the technical banking infrastructure,
in specific payment systems, to support the European single market.

Figure: Overview of the Internet security protocols (unshaded areas)
and their position in the communication protocol hierarchy.
ECBS currently operates the following technical committees: Plastic
Cards and Related Devices (TC1), Automated Cross Border Payments (TC2),
and Security (TC4). ECBS, in particular TC4 Security, has become increasingly
involved in the area of electronic commerce. The topics addressed are Certification
Authorities, Digital Signature, Secure Banking over the Internet, and Key
Escrow. This article gives an introduction to the ECBS Recommendations
on Secure Banking over the Internet (the full report can be downloaded
from http://www.r3.ch/).
The ECBS Recommendations on Secure Banking over the Internet investigate
the security requirements for secure banking on the Internet, provide a
survey of the security-related protocols, services and applications on
the Internet, and provide a set of recommendations as to how banks can securely
perform banking transactions over the Internet (primarily for customer-bank
relationships). More specifically, the following issues are addressed:
- the separation of trusted networks from the Internet, e.g. firewall technology
- Internet session security, discussing the major security protocols
for online access (such as SSL, S-HTTP, PCT, and STLP)
- Internet mail security, discussing the major security solutions for
store-and-forward document exchange (such as PEM, PGP, MOSS, and S/MIME)
- the integration of financial applications with the Web, discussing
technologies such as helper, plug-in, ActiveX, and applets
- Electronic Commerce Security, including SET and homebanking solutions
- a general security discussion of hardware and software solutions
- an introduction to public key infrastructures, including
registration/certification and key escrow.
As a guideline through this ECBS Technical Report, the figure provides
an overview of the Internet security protocols (unshaded areas) and their
position in the communication protocol hierarchy.
A number of recommendations are made in the ECBS Technical Report on
Secure Banking over the Internet. The Internet's image is changing fast.
The security problems on the Internet are being better understood. However,
the emerging solutions must address the security problems of dynamic code
download before true electronic commerce can happen. At the heart of any
commercial use of the Internet lies the function of a public key infrastructure.
For the secure download of content and code, for the secure operation of
SSL, SET, E-mail and payment systems, we need trustworthy key management
services.
Please contact:
Rainer A. Rueppel - ECBS TC4 WG6 Convener
Tel: +41 1 934 56 56
E-mail: rueppel@r3.ch