Security Analysis of Internet Banking System
Abstract— Internet Banking is currently the most used banking service and is in constant competition with the Mobile Banking service. As more and more banks provide these services, which require an Internet connection, the risk of attacks increases considerably. This paper contains a theoretical study of the Internet Banking service, highlighting the protocols, the entities involved, the possible risks and the security mechanisms. The implementation part includes a case study on the Internet Banking service provided by Banca Transilvania through BT24 Mobile Banking, which illustrates the risks and vulnerabilities identified in the theoretical part. Vulnerabilities were identified using specific tools and a virtual machine that allowed an Android-based device to be emulated and the application to be installed on it. The work ends with solutions to reduce the vulnerabilities.
Keywords — Internet Banking, topicality, risks, vulnerabilities, attacks, Internet
I. INTRODUCTION
At present, the needs of modern life have shown that information is, for the modern organization, a resource as important as land, labour and capital. As a result, information technology has become a critical business resource, because its absence could result in bad decisions and, ultimately, business failure. Technology has opened new markets, new products, new services and efficient delivery channels for the banking industry (e.g. e-banking, mobile banking), and has given the banking industry the means to meet the challenges generated by the new economy. As the engine of the banking system, information technology is meant to increase the speed and reliability of financial operations and of bank-sector consolidation initiatives. The unprecedented growth of financial activity around the globe is due to the revolution in information technology, which allows the banking system to meet the needs and expectations of customers who are more demanding and better informed than in previous years and who require instant banking facilities, anytime and anywhere. Other research shows that information technology also provides banks with solutions for accounting and back-office requirements. All of this has led to widespread use of electronic services by bank customers: the client can perform various banking operations by accessing his bank account via the Internet.

In addition to changes in the financial sector, advancing technology has brought about changes in data security. Using the Internet as a means of accessing banking services has created new problems in securing online transactions. For information to be secured, specific measures have to be implemented that protect it against unauthorized loss, destruction or disclosure. The concept of information security refers to the ability to ensure the integrity, confidentiality and availability of data. Integrity means that information is processed accurately and completely, confidentiality ensures that only authorized persons can access the information, and availability ensures that authorized users can access the information at the appropriate times.

The evolution of banking technology also attracts new risks, for which banks need to implement new control measures. At the same time, this development is accompanied by technical security measures implemented by equipment manufacturers. While technology evolves exponentially, the human component remains unchanged, which leads to the conclusion that information security cannot be achieved by technical measures alone; people make an important contribution to it. In particular, most security incidents are due to inappropriate risk management rather than to technical defects. Therefore, the banking system must form an overview of the risks that may arise from the use of new technologies, manage these risks appropriately, inform the staff about these risks and their management and control methods, and make them aware of their severity.

The considerations above led me to the topic of my bachelor thesis, "Analysis of the Security of Internet Banking Systems", and the evolution of information technology in the financial field strengthened my wish to discover the methods by which banks secure the data used in the Internet Banking service. Thus, the purpose of this document is to analyze bank security, namely the security of Internet Banking systems and the security methods used by the banking system to protect confidential information. Moreover, in the thesis I made a case study on the Internet Banking services provided by a bank in Romania. In the first part, I gave an introduction to the banking system in Romania and how it developed under the influence of technology: the services it provides to its customers, the security methods adopted for these services and, more precisely, the quality and safety that the Romanian banking services offer to their customers. Then my attention focused on how this bank handles data encryption, data integrity, customer registration, client authentication, information exchange with customers, etc.
II. ELECTRONIC BANKING SERVICES
Among the electronic banking services we find Internet Banking, Home Banking and Mobile Banking. In principle, all three services provide the bank's client with the same facilities, the differences being given by the freedom of movement offered and by the communication channel with the bank:
A. Internet Banking
Internet Banking, known as online banking, is based on
an Internet connection, which is, in fact, the channel through
which it carries out all banking activity.This service, made
available by banks, can be used by both individuals and legal
entities to perform certain banking operations by using a
computer connected to the Internet.
B. Home Banking
Home Banking is a banking service based on the installation of a special application on the client's computer, through which the client communicates with the bank either over a modem connection or via the Internet. The service can be accessed using a web browser at an address provided by the bank. The difference between this service and Internet Banking is that it requires the local installation of a security certificate.
C. Mobile Banking
Mobile Banking is the newest of the banking services, using the mobile phone as the means of accessing the bank's financial application. Banking operations via mobile phone have developed a lot lately and, as a result, bank operations can now be performed anywhere and at any time with the aid of the mobile device.
III. PARTICULARITIES OF INTERNET BANKING SERVICES
Regarding the particularities of Internet Banking services, I will refer to the standards/protocols and to the entities involved in this banking service. Internet Banking, as mentioned above, uses the Internet as the communication medium with the bank, a network that by definition does not ensure the security of the data transmitted through it. For the data to be protected, web browsers and payment systems rely on several protocols, such as SSL, TLS, SET and 3DS.
A. Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) protocol was, for many years, used in most secure Internet transactions. Essentially, this protocol establishes a secure connection between a client and a server over which data is transmitted. Placed below the application-layer protocols (HTTP, Telnet) and above the transport layer of the TCP/IP stack, the SSL protocol aims to ensure data privacy, message integrity and authentication. For this purpose SSL combines two kinds of cryptography: public-key (asymmetric) cryptography, in which the server holds a private key known only to itself and publishes the matching public key in a certificate, is used during the handshake to authenticate the server and to establish a shared secret, while the bulk of the data is then protected with symmetric (secret-key) algorithms keyed from that shared secret. The reason for this combination is the relatively low speed of public-key encryption compared to symmetric encryption. The SSL protocol is divided into two levels:
• At the lowest level, placed directly above TCP, is the SSL Record Protocol, which deals with the confidentiality and integrity of the data.
• At the higher level we find the SSL connection protocols: the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol and the SSL Alert Protocol.
All versions of SSL (SSL 2.0 and SSL 3.0) are now deprecated because of known weaknesses, and current systems should negotiate only TLS; the name "SSL" survives mainly in product and library names.
Fig. 1. SSL protocol architecture
B. Transport Layer Security (TLS)
The TLS (Transport Layer Security) protocol is the standardized successor of SSL and is used to create private communications. It allows a client and a server to communicate in such a way that the transmitted data cannot be read or altered by a third party that intercepts the traffic. The goals of TLS are cryptographic security, interoperability, extensibility and relative efficiency. To achieve them, the TLS protocol is divided into two levels:
• The TLS Record Protocol, which provides a private connection between the client and the server by encrypting and authenticating each record with symmetric keys.
• The TLS Handshake Protocol, which authenticates the server (and optionally the client) and allows the two parties to agree on the protocol version, the cryptographic algorithms and the session keys before any application data is transmitted.
A caveat that matters for banking clients: TLS protects against interception only if the client actually verifies the server's certificate (chain, validity period and host name). A client that disables this verification still encrypts the traffic, but will happily talk to an attacker placed in the middle of the connection.
Fig. 2. TLS protocol architecture
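As an added example (not from the original paper), the client-side checks that the interception protection described above depends on, written against Python's standard ssl module. The audit function reports a context that accepts any certificate or does not check the host name, the two mistakes most often found in mobile banking clients; the fingerprint functions show certificate pinning, which a mobile app can use on top of normal verification. The host name and the certificate bytes used with these functions are placeholders, and the connecting function needs a network, so it is defined but not run here.

```python
import hashlib
import socket
import ssl

def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses found in a client-side SSLContext; an empty list is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings

def weak_client_context() -> ssl.SSLContext:
    """The context produced by 'make the certificate error go away' code found in many apps.
    Traffic is still encrypted, but to whoever answers, including a man in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed or forged, is accepted
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain against the system trust store, checks the host name, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def certificate_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the value a mobile app would pin."""
    return hashlib.sha256(der_cert).hexdigest()

def matches_pinned_certificate(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """Pinning: a certificate that chains to a trusted CA is still rejected unless it is the expected one."""
    return certificate_fingerprint(der_cert) == pinned_fingerprint

def connect_and_check_pin(host: str, pinned_fingerprint: str, port: int = 443) -> bool:
    """Open a verified TLS connection and additionally enforce the pin (needs network; not run here).
    'host' is a placeholder for the bank's real endpoint."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the host-name check against the certificate
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der_cert = tls.getpeercert(binary_form=True)
    return matches_pinned_certificate(der_cert, pinned_fingerprint)
```

Running audit_client_context on the two contexts shows the difference: the hardened one returns no findings, the weak one reports both the missing certificate requirement and the missing host-name check. Pinning should be used in addition to, never instead of, the standard chain verification, and the pinned value must be rotated before the bank's certificate is renewed.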
C. 3DS (3-D Secure)
The 3DS (3-D Secure) protocol was originally developed by Arcot Systems (later part of CA Technologies) and subsequently adopted by Visa and MasterCard to accelerate the growth of e-commerce by improving the security of Internet card payments. The "three domains" in its name are the issuer domain (the cardholder's bank), the acquirer domain (the merchant's bank) and the interoperability domain that connects them; the issuer authenticates the cardholder during the purchase, for example with a one-time password sent to the cardholder's phone. Among the entities involved in electronic commerce using Internet banking services we find: banks, payment intermediaries, aggregators, gateways, payment processors, certification authorities and trusted service providers, suppliers and manufacturers.
IV. RISK IDENTIFICATION AND SECURITY MECHANISM
A. Risk identification
With the development of technology and the emergence of online banking, banks face increased risks in their electronic business. I will therefore present the risks identified by banks and the approaches used to control them. From the point of view of electronic activities, there are both classical risks and new ones: operational risk (security risk, design risk, risks of system implementation and maintenance, risks arising from inappropriate customer use of banking products and services), reputational risk, legal risk, credit risk, interest-rate risk, liquidity risk, market risk, management risk, etc. After the risks have been identified, the bank has the duty to manage and control them.
This management and control process involves:
• Adopting security policies and measures, where the term security covers a number of systems, applications and internal controls that together contribute to the protection of data. The security policy states the intention to support information security, describes how security is organized and indicates the bank's security risk tolerance. In addition, the security policy assigns the responsibilities for designing, implementing and enforcing security measures.
• Internal communication, which works under normal circumstances only if all procedures are provided in writing. Management must also organize staff training on newly adopted technologies in order to reduce operational risk, and the technical staff should inform management about the structure of the system and its operation.
• Evaluating products and services before exposing customers to them, which helps to reduce both operational and reputational risk. By evaluating systems, one can also determine whether the results they provide are the intended ones.
At the same time, in addition to the management and control process, the bank's management must use an appropriate infrastructure, regulate all the activities carried out, and designate those responsible for supervising and authorizing activities.
B. Security mechanism
At present, security is the main concern in every area of life and plays a very important role in the banking system, more precisely in banking transactions. Security issues arise in two situations:
• The first is where the person committing the fraud can reach the system directly, in which case we speak of physical security.
• The second is where the person committing the fraud reaches the system by electronic means, in which case we speak of electronic security.
Taking into account these two situations and the wave of threats generated by attacks, a security policy is needed that covers the Internet Banking control services. These control services are: data confidentiality, data integrity, authentication, non-repudiation, access control, network security, logging and auditing, system availability and customer protection. These control services can be implemented at the different layers of the OSI model.
Another category of control techniques used by the banking system is cryptographic techniques. Here, encryption is used to protect the transmission of important digital data over computer networks. There are two basic encryption techniques:
• Encryption using a symmetric algorithm (secret key). In symmetric systems, the sender and the receiver of a message use the same secret key: the sender uses it to encrypt the message and the receiver uses it to decrypt it. The most important practical property of symmetric encryption is that encryption and decryption are very fast.
Encryption and decryption with a symmetric algorithm are described by the following equations:

$$K_e = K_d = K \quad (1)$$
$$E_K(M) = C \quad (2)$$
$$D_K(C) = D_K(E_K(M)) = M \quad (3)$$

where $K$ is the secret key, $M$ is the message and $C$ is the ciphertext. Equation (2) represents encryption and equation (3) represents decryption. Note that the key must be shared between the two parties over some secure channel before it can be used; in SSL/TLS this is the job of the handshake.
The main algorithms used in symmetric cryptography are:
TABLE I. SYMMETRIC ALGORITHMS
Algorithm                                        Block size (bits)          Key length (bits)
Advanced Encryption Standard (AES)               128                        128, 192 or 256
Data Encryption Standard (DES)                   64                         56
International Data Encryption Algorithm (IDEA)   64                         128
Rivest Cipher 2 (RC2)                            64                         variable, 8 to 1024 (40 in export versions)
RC4                                              stream cipher (no block)   variable, commonly 40 or 128
RC5                                              32, 64 or 128              variable, up to 2040
SKIPJACK                                         64                         80
Triple DES (3DES)                                64                         112 (two keys) or 168 (three keys)
Of these, only AES remains recommended for new systems: DES, 40-bit RC2 and SKIPJACK have keys short enough to be brute-forced, RC4 has known keystream biases, and Triple DES is being retired because of its 64-bit block size.
• Encryption using an asymmetric algorithm (public key). Two keys are used in asymmetric algorithms. One key is kept secret and is therefore called the "private key"; the other is made available to anyone who wants it and is called the "public key". The private and public keys are mathematically linked, so that information encrypted with the private key can only be decrypted with the matching public key and vice versa. The private key is held only by its owner. Therefore, the sender of a message can be authenticated as the holder of the private key by anyone who checks the message with the corresponding public key; this property is what makes non-repudiation schemes (digital signatures) possible.
Encryption and decryption with an asymmetric algorithm are described by the following equations:

$$K_e \neq K_d \quad (4)$$
$$E_{K_e}(M) = C \quad (5)$$
$$D_{K_d}(C) = M \quad (6)$$

where $M$ is the message and $C$ is the ciphertext. When the goal is confidentiality, $K_e$ is the recipient's public key and $K_d$ is the recipient's private key: anyone can encrypt, but only the recipient can decrypt. When the goal is authentication and non-repudiation, the roles are reversed: the sender applies the private key to (a digest of) the message and anyone can check the result with the sender's public key. Equation (5) represents encryption and equation (6) represents decryption.
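As an added example (not from the original paper), equations (1) to (6) carried through in Python with standard-library code only. A keystream cipher built from SHA-256 in counter mode stands in for a real symmetric algorithm such as AES, and textbook RSA with deliberately tiny primes stands in for a real public-key algorithm; these constructions, the key sizes and the sample messages are assumptions for illustration and must not be used as-is in a real system. The last two functions show how SSL/TLS combine the two families (a secret is transported under the server's public key and the symmetric key derived from it protects the bulk data) and how the same key pair gives non-repudiation when the roles of the keys are swapped.

```python
import hashlib
import os

# ---- Symmetric algorithm: K_e = K_d = K (eq. 1) --------------------------------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a pseudorandom keystream (toy construction, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """E_K(M) = C (eq. 2): XOR the message with the keystream."""
    return bytes(m ^ k for m, k in zip(message, keystream(key, nonce, len(message))))

def sym_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """D_K(C) = M (eq. 3): the same key and the same operation undo the encryption."""
    return sym_encrypt(key, nonce, ciphertext)

# ---- Asymmetric algorithm: K_e != K_d (eq. 4) ----------------------------------
def rsa_toy_keypair():
    """Textbook RSA with tiny fixed primes (illustration only; real keys use n of 2048+ bits).
    Returns (public_key, private_key), each as an (exponent, modulus) pair."""
    p, q = 1009, 1013
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, x: int) -> int:
    exponent, n = key
    return pow(x, exponent, n)

def asym_encrypt(recipient_public_key, m: int) -> int:
    """E_{K_e}(M) = C (eq. 5): for confidentiality K_e is the recipient's PUBLIC key."""
    return rsa_apply(recipient_public_key, m)

def asym_decrypt(recipient_private_key, c: int) -> int:
    """D_{K_d}(C) = M (eq. 6): only the holder of the PRIVATE key K_d can recover M."""
    return rsa_apply(recipient_private_key, c)

def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 digest of the message reduced into the RSA group (a stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(sender_private_key, message: bytes) -> int:
    """Non-repudiation: the key roles swap, the private key is applied to the digest."""
    return rsa_apply(sender_private_key, digest_mod_n(message, sender_private_key[1]))

def verify(sender_public_key, message: bytes, signature: int) -> bool:
    return rsa_apply(sender_public_key, signature) == digest_mod_n(message, sender_public_key[1])

def hybrid_session_demo(message: bytes):
    """How SSL/TLS combine the two: a fresh secret travels under the server's public key and
    the symmetric key derived from it protects the bulk data. Returns (keys_agree, decrypted)."""
    server_public, server_private = rsa_toy_keypair()
    secret = int.from_bytes(os.urandom(2), "big")          # < n, so it fits in one RSA block
    transported = asym_encrypt(server_public, secret)       # this is all an eavesdropper sees
    client_key = hashlib.sha256(secret.to_bytes(4, "big")).digest()
    server_key = hashlib.sha256(asym_decrypt(server_private, transported).to_bytes(4, "big")).digest()
    nonce = os.urandom(8)
    ciphertext = sym_encrypt(client_key, nonce, message)
    return client_key == server_key, sym_decrypt(server_key, nonce, ciphertext)

def nonrepudiation_demo():
    """Returns (genuine_verifies, altered_message_verifies) for a signed payment order."""
    public, private = rsa_toy_keypair()
    order = b"transfer 100 RON to account X"                # constructed sample message
    signature = sign(private, order)
    return verify(public, order, signature), verify(public, b"transfer 900 RON to account X", signature)
```

The point of the hybrid function is the one made in the SSL section: the slow public-key operation is done once, on a short secret, and everything else uses the fast symmetric cipher. In the signature functions the private key is applied to a digest rather than to the message itself, which is also what real signature schemes do, together with padding that this toy omits.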
V. IMPLEMENTATION AND EXPERIMENTAL RESULTS
A. Implementation
In the banking field, the development of information technology (IT) has a major effect on the development of more flexible payment methods and on the easier use of banking services. The bank becomes an essential factor in the development of an economy; for this process to take place, banks themselves have to progress, which ensures their evolution on the market. As for progress, one can say that the banking system in Romania, like those of other nations, is advancing in the development of electronic services. Adaptation to the electronic system consists in translating information into an electronic message that can be encrypted and decrypted automatically. This adaptation to electronic services also entails taking certain security risks into account. From this perspective, I analyze the security of the Internet Banking services provided by a bank in Romania, namely Banca Transilvania (BT). Currently, Banca Transilvania is one of the most important financial and banking institutions in Romania, ranked among the top 10 and one of the most attractive companies listed on the Bucharest Stock Exchange. With a 13.15% market share in 2017, around 2.2 million customers and 7,300 employees, Banca Transilvania is an active player on the Romanian market and constantly works to improve the quality of its services. Among the many services this bank offers, we find the Internet Banking service both as an online platform and as an application for mobile devices. Next, I analyze the security solutions adopted by this bank for both the web platform and the mobile application, and then I perform some tests to check the security level of the application on a mobile device running Android. The bank's web platform and mobile app offer customers various services without their having to go to a branch. In addition, the bank assures the customer that its data is kept secure by using current security techniques, algorithms and security certificates.
To test how data is secured in the BT24 Mobile Banking application, I ran a test aimed at identifying vulnerabilities in the application. For this test I used a virtual machine running an operating system that allows an Android device to be emulated; on this emulated device I installed the app in question.
The operating system used is Santoku, a preconfigured, bootable Linux distribution that ships with a variety of packages and applications for mobile forensics and application analysis. The tools used were apktool, adb, dex2jar, jd-gui, etc. In order for this security analysis to provide useful information, I developed a test plan based on an overview of the possible attacks, with Android as the target operating system. The plan has the following structure:
Fig. 3. Structure of the test plan
As can be seen in the figure, there are three major attack areas that need to be scrutinized in detail, and each section requires specific tools and an understanding of the operating system under attack. After installing the application on the emulated device, I performed the tests specific to the second section of the test plan. The results of these tests are presented in the next chapter.
B. Experimental results
The experimental results were obtained on the basis of the test plan, which covers the three sections exposed to attacks. I present below the results obtained and the tools used to obtain them. As mentioned earlier, the application was reverse engineered in order to highlight its vulnerabilities. Reverse engineering is the process by which the functionality of an application is discovered: the final product is decomposed so that it can be analyzed. In this case, the decomposition consisted in going from the application's compiled form (the APK with its Dalvik bytecode) back to readable Java code. This was done with specific tools: apktool decodes the package's resources and bytecode and can rebuild a modified package, dex2jar converts the Dalvik bytecode into a Java archive, and jd-gui displays the decompiled Java source of that archive. Moreover, as the concrete vulnerability identification test for the second section, I set out to change the logo on the application's first page. This was done according to the following figure:
Fig. 4. Logo change plan
After the two steps in the plan, the application logo had changed, which means that the package can be decoded, modified, rebuilt and installed on the device without the application noticing (Android requires a rebuilt package to be signed again before it will install, necessarily with a key other than the bank's): the application has no effective protection against repackaging. The consequences of this are serious. The fact that the application is distributed in binary form, and that this binary can be obtained and taken apart by anyone, creates security risks: an attacker can redistribute a modified copy that looks identical to the genuine one.
If such risks are not identified in a timely manner, they can cause considerable damage. With this test I wanted to point out that, although this is a banking application, for which data security needs to be implemented as thoroughly as possible, it presents vulnerabilities that can harm both the bank and its customers. The result obtained is shown in the following figure:
Fig. 5. Logo changed
VI. CONCLUSION
With the emergence of new technologies, securing systems against attacks is becoming increasingly important and complex in the banking sphere. The security measures adopted in this area promise to ensure the security, confidentiality and integrity of data, but they in turn may have gaps which affect the field in which they are used. Thus, following the case study on Banca Transilvania, it can be said that the bank uses various security methods, protocols and algorithms to protect data as effectively as possible. However, the test has shown that BT24 Mobile Banking has certain vulnerabilities. Moreover, these vulnerabilities can easily be found by attackers and used for illegal purposes, as the binary code of the application can be accessed by anyone. It is therefore alarming that, although this application uses security methods and carries security certificates, vulnerabilities exist. Their presence increases the risk of an attack on the application, which can cause considerable damage. The consequences of an attack directly affect the client using this application, because the client's data is compromised and confidentiality can no longer be guaranteed.
Therefore, the client needs to be aware that even in the case of this application there may still be risks, even though it is a banking application with increased security.
In conclusion, the whole study makes clear that there is no total security. Even if security can never be complete, adopting security methods and security certificates is essential to avoid attacks.
To avoid these attacks and to reduce the vulnerabilities, I propose two solutions. The first is to avoid making the application's binary code available on the Internet, because it can be converted to Java code and modified with specific tools. This solution has a practical limit: an application published in an app store is installed by, and can therefore be extracted by, every one of its users, so its binary cannot be kept secret; what can be done is to make the recovered code harder to read and modify, for example with the ProGuard or R8 obfuscators that ship with the Android build tools. The second solution is to adopt security methods that will not allow the signature to validate if the application has been modified: in addition to the signature check performed by Android at installation, the application should verify at runtime that the certificate it was signed with matches the bank's own, and refuse to run (or to talk to the bank's servers) otherwise.
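As an added example (not from the thesis and not the bank's code), a Python model of the repackaging test from section V.B and of the runtime signature check proposed as the second solution above. The package, its entries, the logo bytes and the signing keys are all constructed for the example; an HMAC over a manifest of per-entry digests stands in for the RSA/ECDSA signature of a real APK, and a hash of the signing key stands in for the fingerprint of the signing certificate, which is what a real Android app would compare (read at runtime through PackageManager with GET_SIGNING_CERTIFICATES).

```python
import hashlib
import hmac
import io
import zipfile

def build_package(logo: bytes) -> bytes:
    """A miniature 'APK': a zip whose entries stand in for the real package contents (all constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.bank'/>")
        z.writestr("classes.dex", b"dex\n035\x00 constructed bytecode placeholder")
        z.writestr("res/drawable/logo.png", logo)
    return buf.getvalue()

def digest_manifest(package: bytes) -> dict:
    """Per-entry SHA-256 digests, the idea behind META-INF/MANIFEST.MF in a signed APK."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {name: hashlib.sha256(z.read(name)).hexdigest() for name in sorted(z.namelist())}

def sign_package(package: bytes, signing_key: bytes) -> bytes:
    """Signature over the manifest. HMAC stands in for the RSA/ECDSA signature a real signing key
    produces; the property shown (any change to any entry breaks it) is the same."""
    serialized = "\n".join(f"{name} {digest}" for name, digest in digest_manifest(package).items()).encode()
    return hmac.new(signing_key, serialized, hashlib.sha256).digest()

def verify_package(package: bytes, signature: bytes, signing_key: bytes) -> bool:
    """What the installer checks: the signature must match the package as it is now."""
    return hmac.compare_digest(sign_package(package, signing_key), signature)

def signer_fingerprint(signing_key: bytes) -> str:
    """Stand-in for the SHA-256 fingerprint of the signing certificate that the app pins in its code."""
    return hashlib.sha256(signing_key).hexdigest()

def runtime_self_check(installed_signer_key: bytes, pinned_fingerprint: str) -> bool:
    """The check the paper proposes: at start-up the app compares the fingerprint of the certificate
    it was actually installed with against the pinned value, and refuses to run on mismatch."""
    return hmac.compare_digest(signer_fingerprint(installed_signer_key), pinned_fingerprint)

def repackaging_scenario() -> dict:
    """Reproduce the logo-change test: decode, replace the logo, rebuild, re-sign, install."""
    bank_key = b"bank-release-signing-key (constructed)"
    attacker_key = b"attacker-signing-key (constructed)"
    original = build_package(b"PNG original logo bytes")
    original_sig = sign_package(original, bank_key)
    tampered = build_package(b"PNG replaced logo bytes")
    return {
        "original_verifies": verify_package(original, original_sig, bank_key),
        # the rebuilt package has a different logo digest, so the bank's signature no longer matches
        "tampered_with_bank_signature": verify_package(tampered, original_sig, bank_key),
        # the attacker re-signs with a key of their own; the installer accepts it as a fresh app
        "tampered_with_attacker_signature": verify_package(
            tampered, sign_package(tampered, attacker_key), attacker_key),
        # but the pinned fingerprint inside the app no longer matches the installed signer
        "self_check_passes_after_repackaging": runtime_self_check(attacker_key, signer_fingerprint(bank_key)),
        "self_check_passes_for_genuine_build": runtime_self_check(bank_key, signer_fingerprint(bank_key)),
    }
```

The scenario shows why the installer's signature check alone is not enough: it only proves that the package was not altered after whoever signed it signed it, and an attacker can always sign a repackaged copy with a key of their own. The self-check closes that gap, with the caveat that the attacker can also remove the self-check from the decompiled code, which is why it should be combined with obfuscation and with a server-side check of the client (for example, a device attestation verified by the bank's backend).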
ACKNOWLEDGMENT
The authors want to thank the Technical University of Cluj-Napoca, Faculty of Electronics and Telecommunications, for the support granted.
