Introduction
In online banking, bank customers conduct financial transactions with it online, that is, via the internet (wiseGEEK, 2011, 1). Online banking is according to Bhatt (2011, 5 – 19) both advantageous and disadvantageous, however, the advantages outweigh the disadvantages. An advantage of online banking is that it has reduced expenses and allows customers to bank remotely and at their own convenience disregarding normal bank timings. A disadvantage of online banking is that it inherently reduces the interaction between banks and their customers and in addition, security is not guaranteed in this type of banking, that is, hackers have a chance (minimal) to manipulate the system to their advantage. In this manner of banking, it is the duty of the customer’s bank to provide a secure internet portal through which these transactions can be started and completed safely. Thus, information security is of utmost concern and importance in banks that offer the online banking feature.
The article “Why do organizations need information systems?” describes information as the lifeblood of an enterprise (Answers Corporation, 2011, 2). The article additionally points out that an enterprise that poorly manages its information attracts financial losses and liabilities such as lawsuits (Answers Corporation, 2011, 2). When a bank achieves information security it means that, the bank’s information and information systems are protected against intruders, leakages, any form of destruction and any unauthorized use. In other words, the confidentiality, integrity and availability of the bank’s information are safeguarded and maintained. The bank’s information that is secured is mainly of an electronic nature. As pointed out above, poor security of information in an organization attracts financial losses and liabilities such as lawsuits (Answers Corporation, 2011, 2).
One way of enhancing information security is cryptography, which is mainly a defence against internet-based attacks, and it is the encoding of messages in such a way that its contents are hidden from unauthorized principals (Coulouris et al, 2005, 275). To unhide the contents of an encrypted message one has to be familiar with the cryptography key used and its encryption algorithm. Thus, as a measure to boost internet-defence the cryptography key is a secret only known by the concerned parties. In the face of attackers, cryptography boosts internet security by ensuring the secrecy and integrity of information through encryption and decryption of messages by authorized principals who themselves are not a security threat (Coulouris et al, 2005, 276). Cryptography also boosts internet security as it supports the authentication of communication between the principals involved in the process (Coulouris et al, 2005, 276). Cryptography is integral in the implementation of digital signatures, which are an emulation of conventional signatures and which are an indication that there is no alteration of any nature in a document or message. In this way, cryptography boosts internet security (Coulouris et al, 2005, 278).
An example of a cryptographic system is the Triple Data Encryption Standard (3DES), which is a variant and advancement of the Data Encryption Standard (Tropical Software, 1). When the DES was developed around 1974 (Tropical Software, 1) it had a cryptography key size of 56 bits, however, with the development of more powerful computers this size was not effective in enforcing security thus the 3DES was developed, which has a cryptography key size of 156 bits (Wikipedia, 2011, 2). This increment in size facilitates the development of more complex cryptography keys, which in effect discourage internet-based attacks. In this cryptography system, as the name suggests, when encrypting a message or a data block the data encryption standard (DES) is applied three times (Internet.com, 2011, 3).
The typical nature of internet-based attacks is characterized by theft of communication channels or establishment of new communication channels that cover-up or that disguise as authorized communication channels (Coulouris et al, 2005, 269). Internet based attacks can be classified into five broad categories, namely, eavesdropping, masquerading, message tampering, replaying and denial of service. Each of these categories captures a distinct misuse of internet communication channels. The communication channels are the mechanisms in which communication and action-coordination messages are exchanged (Coulouris et al, 2005, 269).
Eavesdropping attacks misuse internet communication channels in such a way that copies of messages being exchanged in the communication channels are obtained devoid of authorization. Masquerading attacks misuse internet communication channels in such a way that an intruder can assume the identity of an authorized principal and therefore receive as well as send messages. Replaying attacks misuse internet communication channels in such a way that messages do not reach their intended recipient at the intended date because an attacker intercepted and held them for transmission at a later date. Denial of service attacks misuse internet communication channels in such a way that communication channels deny authorized principals service following an attackers flooding of the channel with messages. Message tampering attacks misuse internet communication channels in such a way that messages being transmitted through them reach their intended recipient after they have been altered from their original form without authorization.
Discussion
What can be determined from the facts present
From the facts that emerge in the case between Sandra and MBT it can be determined that the secrecy of the cryptography key used in Sandra’s online financial transactions with MBT has been compromised. Most likely Janet, MBT’s bank manager has knowledge of this key. Again from the facts, it can be deduced that a tampering attack was effected targeting Sandra’s online financial transactions with MBT.
Plausible explanation
A plausible explanation for what ensued between Sandra and MBT is an internet based attack called man-in-the-middle attack, which is categorized as a message tampering attack (Coulouris et al, 2005, 269). The man-in-the-middle attack is effected in three phases (Coulouris et al, 2005, 269). The first phase is the attacker establishing a secure channel through interception of the first message transmitted in that channel, which carries the encryption keys of the channel (Coulouris et al, 2005, 269). The second phase in the attack is the attacker’s submission of compromised keys that enable him/her to decrypt any subsequent messages sent through the channel (Coulouris et al, 2005, 269). The third phase in the attack is the actual tampering of messages: the message is decrypted, altered to the attacker’s satisfaction, reassembled to fit the correct key and then submitted (Coulouris et al, 2005, 269). The most likely man-in-the-middle attacker in the case of Sandra and MBA is Janet, MBA’s bank manager.
What could have been done to avoid the controversy from arising
Considering that, Sandra is a high net worth customer, it would have been imperative for her to verify that she is using secure sessions in carrying out financial transactions. She could do this by hiring the services of trustworthy IT security experts (Bank of San Antonio, 2011, 10). To prevent the controversy from arising, Sandra should have demanded to operate his online bank account on a dual control and approval basis in which she would have to approve any transaction before it is initiated (Bank of San Antonio, 2011, 10). As from the facts presented it can be seen that no secondary approval is needed from Sandra to initiate any financial transaction involving her account.
One way in which MBT could have avoided the controversy from arising is through boosting its security defences against internet-based attacks. Another way the bank could have avoided the controversy is reviewing its online banking policy so that online banking transaction are conducted strictly on a dual control and approval basis. In the event that Janet is trying to steal from Sandra then, a high code of ethics and a critical thinking culture in the bank are other ways in which the bank could have avoided such a controversy. Ethics, according to the Macmillan English Dictionary, are the principles by which you decide what is right and wrong (2002, 470). Critical thinking skills are aimed at helping an individual or organization act purely objectively and rationally (Kurland, 2001, 1). According to Kurland (2000, 1), the characteristics of critical thinking are rationality, self-awareness, honesty, open-mindedness, discipline and sound judgment.
Conclusion
It is a good thing that MBT uses the 3DES cryptography system as this guarantees more security. However, it is important for the bank to boost its defences against internet-based attacks and institute a policy that ensures that online banking transactions are conducted, strictly, in a dual control and approval basis. Instituting a high code of ethics and a critical thinking culture in the bank is also of importance in avoiding controversies such as the one it has with Sandra. Online banking customers, especially high net worth customers, should not entirely trust the security offered by their banks they should do their own assessment from which they can determine whether or not it is secure to carry out online financial transactions with the bank.
References
Answers Corporation. ( 2011). Why do organizations need information systems?. Web.
Bank of San Antonio. (2011). Online banking best practises. Web.
Bhatt, B. (2011). Online banking. Web.
Coulouris, G. Dollimore, J. And Kindberg, T. ( 2005). Distributed systems concepts and design. (4th ed.). Pearson Education Limited: England.
Internet.com. (2011). Triple des. Web.
Kurland D. J. (2000). What is critical thinking?. Web.
Macmillan Education (2002). Macmillan english dictionary. MacmillanPubishers. Oxford.
Tropical Software. Triple des encryption. Web.
Wikipedia Foundation, Inc. (2011). Triple des. Web.
wiseGEEK. (2011). What is online banking?. Web.