Development of safe and secure E-banking system: Project Management Approach
Development of safe and secure e-banking system
January, 2012
Symbiosis Institute of Telecom Management
Pune
Project Management Assignment-II
MBA(TM-I) Systems and Finance
Date: 17th January, 2012
PRN Number Name
11020541065 Arun Koshy Thomas
11020541067 Utsab Basak
ABSTRACT
E-banking is the delivery of financial services over the internet, reducing cost for the bank and increasing convenience for the customer who carries out the transaction. It is an umbrella term for the process by which a customer performs banking transactions electronically without visiting a bank. The following terms all refer to one form or another of electronic banking: personal computer (PC) banking, Internet banking, virtual banking, online banking, home banking, remote electronic banking and phone banking. PC banking and Internet or online banking are the most frequently used designations, but the terms used to describe the various types of electronic banking are often used interchangeably. The ever increasing speed of internet-enabled phones and personal digital assistants has carried banking applications onto mobile devices, creating a new subset of electronic banking: mobile banking.

The internet is revolutionising the way the financial industry conducts business online and has created new players who offer personalised services through web portals. This pushes banks to find new ways to add value to their products and services and to increase customer loyalty. Customers' growing preference for speed and convenience is eroding the traditional affinity between customer and branch office as new technology disintermediates traditional channels; delivering the value proposition hinges on owning or earning the customer interface and bringing the customer a complete solution that satisfies their needs. Smart cards are a new trend that provides an opportunity to build an incremental revenue stream by offering an ideal platform for extended applications and services. Banks are well positioned to play a central role in the future m-commerce market: they have strong relationships with corporate and business customers and wide experience in providing them with corporate banking services.
TABLE OF CONTENTS
Chapter 1  Introduction  4
Chapter 2  Literature Review  5
Chapter 3  Feasibility study and project planning  6
Chapter 4  Project scheduling  15
Chapter 5  Organisation of Project Team  18
Chapter 6  Project Development Cycle  19
Chapter 7  Project Quality Management  20
Chapter 8  Project Safety Management  28
Chapter 9  Project Monitoring and Control  33
Chapter 10  Project Resource Management  39
Chapter 11  Application of IT  41
Chapter 12  Project Close Out  45
Chapter 13  Conclusion  47
References  48
CHAPTER 1
INTRODUCTION
E-banking is the wave of the future. It provides enormous benefits to consumers in terms of the ease and cost of transactions, whether through the Internet, the telephone or other electronic delivery channels. Electronic finance (e-finance) has become one of the most important technological changes in the financial industry. E-finance is the provision of financial services and markets using electronic communication and computation; in practice it includes e-payment, e-trading and e-banking.

Security has always been important to banks. With electronic banking it has become even more important, because Internet banking may supersede the branch as the distribution channel for financial products and services. Further growth of electronic banking depends on the level of trust from customers, society and the media, and that trust is reduced by security incidents and bad publicity. Security effort has generally been directed at the business-critical systems already in production, but this approach has a weakness: the budgets for system maintenance and IT operations are generally too small to leave room for substantial security improvements or redesigns. If a system is not secure when it is delivered, it may never be fundamentally corrected.
CHAPTER 2
LITERATURE REVIEW
"Internet banking" refers to systems that enable bank customers to access accounts and general information on bank products and services through a personal computer (PC) or other intelligent device. Numerous factors, including competitive cost, customer service and demographic considerations, are motivating banks to evaluate their technology and assess their electronic commerce and Internet banking strategies. Many researchers expect rapid growth in the number of customers using online banking products and services. The challenge for national banks is to make sure that the savings from Internet banking technology more than offset the costs and risks of conducting business in cyberspace.

SOURCES:
PRIMARY: "Comptroller of the Currency, Administrator of National Banks" journal; white paper on "Internet Banking" by Brent Warrington, First Data; journal on Internet Banking by the Monetary Authority of Singapore.
SECONDARY: Review of banking guidelines and authentication techniques; report on the development of the Indian banking industry.
TERTIARY: RBI Bulletin, Business World and Outlook Business magazines.

SUMMARIZATION:
The data and information derived from the above sources helped us formulate the structure of this report, covering the project from development to close-out. They also helped in designing the phases of the plan and its validation and testing.
CHAPTER 3
FEASIBILITY STUDY AND PROJECT PLANNING
A significant transformation of the banking system has occurred worldwide. The online system of banking has been improved by recognising the difficulties encountered by customers and by the bank. Both qualitative and quantitative research, through customer surveys, focus groups and staff training sessions, has influenced the online process. The result is an efficient and user-friendly system that relies not only on an effective online form but on coordination between the bank and its customer. A comprehensive feasibility study of the social, economic and technical aspects has also been made, as follows:

Social Feasibility
- The system simplifies the banking procedure.
- Customers and the banking authority showed wide acceptance of the idea.
- The social impact is positive; no objections or problems regarding the project were found.

Economic Feasibility
- The project is economically feasible, since the banking authorities are providing the economic support it requires.

Technical Feasibility
- The minimum requirements for running the project are an operating system that supports Java (the connection to the database is made using JSP and servlets), at least 64 MB of RAM, database software and a server.
OBJECTIVES OF THE PROJECT:
The main objective of the system is to provide a series of services to the customer through the Internet, so that the customer can carry out simple tasks quickly and flexibly instead of visiting the bank every time. The e-banking services are executed only at the customer's request, and they fully integrate with the core banking solution already in use. The e-banking service is open only to savings bank customers, not to current account holders. The customer uses most of the system in a read-only mode; the only online transactions the customer can perform are cheque book requisition and fund transfer among his own accounts.

The project is planned as a distributed architecture with centralised storage of the database. The data store is planned on MS SQL Server 2000, and all user interfaces are designed using ASP.Net. Database connectivity is planned using the "SQL Connection" class. Security standards and data protection mechanisms are to be selected and applied carefully. The application covers the different modules and their associated reports and provides administration to control and monitor the various transactions. Administration includes:
- Adding new branch details to the database; the details include the branch name and the password used to log on to the system.
- Modifying the existing details of an office.
- Adding the specification of various components for display to the customer.
- Providing pre-defined queries.
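The branch logon described above (a branch name and a password checked against the database) is the point where the "SQL Connection" design decides whether the system is injectable. The following is an added example, not code from the original report: the same logon query written first by splicing the submitted name into the SQL text, then in the parameterised form with a salted, slow password hash and a constant-time comparison. The report plans ASP.Net with SQL Server 2000; sqlite3 is used here as a stand-in so the example runs offline, and the table names, column names, sample branches and the injection payload are all assumptions constructed for the demonstration. The two query styles correspond to SqlCommand with and without SqlParameter in ADO.NET.

```python
"""Branch/administrator logon query: injectable concatenation beside the
parameterised, hashed form. Added example, not the project's own code.
The report plans ASP.Net with SQL Server 2000 and a SqlConnection; sqlite3
is used here as a stand-in so the example runs offline. Table and column
names are assumptions."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: tuned so one check costs tens of ms


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; slow on purpose to blunt offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two branch logons. branch_plain stores the
    password in clear (the weak design); branch stores only salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE branch_plain (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE branch (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("pune-main", "Correct-Horse-9"), ("mumbai-fort", "Battery-Staple-4")):
        conn.execute("INSERT INTO branch_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO branch VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Input spliced into the SQL text. A branch name such as
    "pune-main'--" closes the string and comments out the password test,
    so the query succeeds with any password."""
    sql = ("SELECT COUNT(*) FROM branch_plain WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised lookup: the SQL text is fixed and the name travels as
    data, so quote characters cannot change the statement. The stored
    hash is then compared in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM branch WHERE name = ?", (name,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown names
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


INJECTION_NAME = "pune-main'--"  # constructed payload for the demonstration

if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, injected name, wrong password:", login_vulnerable(db, INJECTION_NAME, "wrong"))
    print("hardened,   injected name, wrong password:", login_hardened(db, INJECTION_NAME, "wrong"))
    print("hardened,   real credentials:", login_hardened(db, "pune-main", "Correct-Horse-9"))
```

The vulnerable form accepts the injected name with any password; the hardened form treats the same string as an unknown branch name and spends the same hashing cost on it as on a real one, so neither the response nor its timing reveals which branch names exist.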
PROJECT ORGANIZATION:
Project organization covers the following activities related to e-banking:
- Providing an electronic connection between bank and customer in order to prepare, manage and control financial transactions.
- Letting customers keep an eye on their money matters: view account balances and check payments received from other parties.
- Providing faster, easier and more reliable services to e-banking customers.
EXISTING SYSTEM
In the bank, every activity is handled manually: opening accounts, storing account-holder details, recording transaction details and generating reports. The manual system takes more time, and service to the customer is slow and not always accurate. The client faces two problems with the existing system: the time it costs and the money it costs.

The online banking system is designed for financial institutions to deliver their basic banking services. The system allows customers to open accounts, view account balances and statement details, transfer funds between accounts and change personal information and passwords. Any customer can view interest details, along with frequently requested information for checking, savings and certificate of deposit accounts, quickly and easily without interacting with bank clerks.

The online banking system provides access to customers' account information 24 hours a day, so customers enjoy the convenience of controlling their accounts through the Internet. In addition, customers can move funds between bank accounts free of charge. By the standards of the software industry, the system described above is a dynamic web application.
PROBLEM DOMAIN:
- In the existing manual system it is difficult to handle a large volume of transactions.
- In the existing manual system, great expense and a lot of time are spent communicating information between the external bank branches and the centralised system.
- Manually held information may not be as secure as in an automated system.
- The manual system does not easily handle the many calculations involved in processing.

PROPOSED SYSTEM
The proposed system concentrates on the problems a client faces with the existing manual system, by introducing an automated banking information system. The client can then provide fast services to the customer: transaction services, report generation and every other service are available without delay.

This project is an attempt to make the tasks of the administrator as well as the customers easier. The administrator has the right to see everything, including the account details of users and the bank reports. The development of the new system contains the following activities, which try to automate the entire process with a database-integration approach:

1. The administrators have greater ability to collect the consistent information that is necessary for the system to exist and coordinate.
2. The system can at any time give customers information related to their:
   o Account status
   o Balance enquiry
   o Fund transfer standards
   o Cheque book request
3. The system can provide information on the different types of accounts that exist within the bank.
4. The system can provide the bank administration with the number of customers in the system.
5. The system can at any time provide information on the transactions executed by a customer.
6. The system can, as required, retrieve the full history of a customer's transactions together with their outcomes.

Requirement analysis is concerned with identifying the basic function of each software component in a hardware and software system.
FEATURES OF PROPOSED SYSTEM:
The following features relate to providing e-banking services to customers. The main goal of every company is to maximise profits for its owners, and banks are no exception; automated e-banking services offer a good opportunity to do so.

The main benefit from the bank customers' point of view is a significant saving of time through automation of banking service processing and the introduction of easy tools for managing the customer's money. The main advantages of e-banking for corporate customers are:
- Reduced costs in accessing and using banking services.
- Increased comfort and time saving: transactions can be made 24 hours a day without physical interaction with the bank.
- Quick and continuous access to information.
- Corporations have easier access to information, as they can check multiple accounts at the click of a button.
- Better cash management. E-banking speeds up the cash cycle and increases the efficiency of business processes, as a large variety of cash management instruments is available on Internet sites.
PROJECT JUSTIFICATION:
Need for computerisation:
The project justifies the need for computerisation, which acts as the interface providing the following:
- Reduced costs, in terms of the cost of obtaining and using the various banking products and services.
- Convenience. All banking transactions can be performed from the comfort of home or office, or from wherever the customer wants.
- Speed. The response of the medium is very fast, so customers can wait until the last minute before concluding a fund transfer.
- Funds management. Customers can download the history of their different accounts and do a "what-if" analysis on their own PC before executing any transaction on the web. This leads to better funds management.
- Security. It provides security and secure data access.

INTERNET BANKING SERVICES:
Some examples of wholesale products and services include:
- Cash management.
- Wire transfer.
- Automated clearinghouse (ACH) transactions.
- Bill presentment and payment.
Examples of retail and fiduciary products and services include:
- Balance inquiry.
- Funds transfer.
- Downloading transaction information.
- Bill presentment and payment.
- Loan applications.
- Investment activity.
Other Internet banking services may include providing Internet access as an Internet Service Provider (ISP).
PROJECT PLANNING:
E-banking is often a large-scale business initiative requiring large financial investment as well as a pool of human resources with a range of specialist skills: technological, marketing, change management and project management. Aladwani (2001) suggests that offering an e-banking system proceeds through three generic phases: pre-development, development and post-development. The pre-development stage is the period before the development of a bank's online services; in this phase the idea of implementing e-banking attracts top management, and the benefits of, and pressures for, initiating e-banking become irresistible. The development phase includes implementation of e-banking related systems and the necessary changes in organisational structure and culture. This second phase involves several managerial and technical issues that need to be addressed. The last phase, post-development, includes activities such as maintenance of systems, continuous updating of the website, evaluation of services and implementation of any necessary changes. For this phase the bank's management needs to understand a range of new marketing, product development and innovative delivery methods to ensure the success of the project.

A number of e-banking development, implementation and management activities become independent projects in themselves, so e-banking as a whole requires programme management rather than just project management. For example, the e-banking adoption process has to be carefully planned and executed and is often seen as a project in its own right. From an IT project point of view, time and budget constraints can prove to be serious problems, as can the handling of any organisational transformation processes. To deal with these issues, support from top management is a key ingredient for the success of an e-banking project. E-banking needs a champion among top management (generally the board of directors). Lack of senior management support is a major restriction on e-banking because, without it, obtaining the resources required to bring about the necessary changes in an organisation can prove impossible.
TYPES OF INTERNET BANKING:
Understanding the various types of Internet banking products helps examiners assess the risks involved. Currently, three basic kinds of Internet banking are employed in the marketplace:

Figure: Internet banking, divided into Informational, Communicative and Transactional.

1. Informational:
This is the basic level of Internet banking. Typically the bank has marketing information about its products and services on a stand-alone server. The risk is relatively low, as informational systems typically have no path between the server and the bank's internal network. This level of Internet banking can be provided by the bank or outsourced. While the risk to the bank is relatively low, the server or web site may be vulnerable to alteration (defacement), so appropriate controls must be in place to prevent unauthorised changes to the bank's server or web site.

2. Communicative:
This type of Internet banking system allows some interaction between the bank's systems and the customer. The interaction may be limited to electronic mail, account inquiry, loan applications or static file updates (name and address changes). Because these servers may have a path to the bank's internal networks, the risk is higher with this configuration than with informational systems. Appropriate controls need to be in place to prevent, monitor and alert management to any unauthorised attempt to access the bank's internal networks and computer systems. Virus controls also become much more critical in this environment.

3. Transactional:
This level of Internet banking allows customers to execute transactions. Since a path typically exists between the server and the bank's or outsourcer's internal network, this is the highest-risk architecture and must have the strongest controls. Customer transactions can include accessing accounts, paying bills, transferring funds and so on.
CHAPTER 4
PROJECT SCHEDULING
The basic planning and management activities described in the planning section also apply to the fabrication projects; refer to those activities for additional detail. Some management activities specific to the fabrication projects are described below.

Manage Project and Product Requirements. The overall scope of a project is established in the IT Evolution Plan. This scope includes expectations and constraints on the project's product and processes, as well as dependencies between projects. These expectations and constraints form the technical and non-technical requirements, which are the basis of the detailed planning for the project.

Example technical (product) requirements include, among others:
o Functional capabilities
o Performance, size, reliability, quality and other intrinsic product attributes
o Life-cycle maintenance costs

You must document and review all requirements allocated to a project. Requirements can be communicated in any convenient form that ensures communication between the project and its stakeholders: a complete and concise requirements document, or a simple list of note cards describing capabilities. For maintenance activities, a problem report or a change directive may suffice. You can prepare waivers for relief from A-TARS requirements and forward them to the Technical Architecture Team for negotiation and approval.

Address issues with the requirements' feasibility, clarity, consistency or verifiability before commitments are made to satisfy them. Manage and control changes to the requirements so that project plans remain consistent with them. Because projects are generally of short duration, once the requirements are accepted they generally remain unchanged until the project completes; new or changed requirements can be applied to projects later in the plateau. One exception is a make-work modification: a change to the requirements to accept the product when full compliance would cause significant delay or cost. You may define additional projects to rectify the loosening of requirements later in the plateau or on later plateaus. You can manage requirements individually on each project or as a set allocated across the projects.
Define the Process. These activities complement and further elaborate the plans produced by the "develop the IT evolution plan" activities. Integrate the management, engineering, acquisition and support practices for the project into a coherent project process, including the methodologies and tools to be used. Identify the staff skills and training needs required to select and prepare staff to execute the process competently. The project practices must conform to the guidelines from the A-TRS, and the project's defined process must also be consistent with the project and product requirements allocated to the project.

Schedule Tasks. Create the network of project activities. This involves:
o Identifying internal project task dependencies as well as dependencies on other projects. This helps with sequencing projects within the IT Evolution Plan.
o Identifying organisational or other global constraints, such as the number and type of skilled staff or other resources available (for example testing facilities). Task schedules may need to be adjusted to allow for sharing resources, and staffing plans may need to be integrated across projects. Responsibilities, especially for inter-project interfaces, should be explicitly assigned.
o Structuring tasks to allow for two measures per individual per month. This gives adequate visibility of project schedule status and lets project management determine progress within a two-week window (e.g. task duration of 1 to 3 weeks, 1 to 2 individuals per task). Define and objectively state the criteria that indicate task initiation and completion (event-driven, not schedule-driven).

The plan, when completed, is reviewed and approved by the Project Manager and members of the IT Evolution Team. Record the plan and any assumptions on which it is based and place them under configuration management (CM).

Hold informal project reviews, involving internal project personnel, on a frequent basis such as every other week. These reviews make sure that intra-project dependencies are being met and facilitate minor mid-course corrections that affect only the project team.

A formal review, generally near the end of the project, authorises the release of the project's products. These products can then flow formally to other projects through the CM activities or be incorporated into the developmental configuration.
CHAPTER 5
ORGANISATION OF TEAM
- Developing a management team that identifies with and shares our corporate culture and can in turn develop it and pass it on to the next generation.
- Training a team of excellent managers who are professionally proficient and capable of leading and developing their teams.
- Building a competent, aggressive team of leaders who grow through practice and are capable of self-criticism.
- Training to produce an aspiring, far-sighted management team capable of self-transcendence.
CHAPTER 6
PROJECT DEVELOPMENT CYCLE
CHAPTER 7
PROJECT QUALITY MANAGEMENT
DEFINITION:
Creating and following policies and procedures in order to ensure that a project meets the defined needs it was intended to meet. In short, quality management means "completing the project with no deviations from the project requirements."

THREE-STEP APPROACH TO QUALITY MANAGEMENT:
1. Quality planning
   • Identifying quality standards
   • Identifying their applications
2. Performing quality assurance
   • Applying planned, systematic quality activities
   • Ensuring that they meet the requirements
3. Performing quality control
   • Monitoring specific project results to determine whether they comply with the applied quality standards
   • Identifying ways to eliminate the causes of unsatisfactory performance
PROJECT QUALITY MANAGEMENT OVERVIEW:
QUALITY PLANNING:
QUALITY ASSURANCE:
QUALITY CONTROL:
REQUIREMENTS OF PROJECT QUALITY MANAGEMENT:
STEP WISE ANALYSIS:
1. PROJECT MANAGEMENT:
Applies to all aspects of the project, regardless of the product.
2. PRODUCT MANAGEMENT:
Product quality measures and techniques are specific to the particular type of product produced by the project.

Figure: Project quality management requirements: product management, project management, quality assurance, precision and accuracy, customer satisfaction, prevention over inspection, management responsibility, continuous improvement.
3. QUALITY ASSURANCE:
The degree to which a set of inherent characteristics fulfils requirements:
- Stated and implied needs are the inputs to developing project requirements.
- Turn stakeholder needs, wants and expectations into requirements.
4. PRECISION & ACCURACY:
- Precision: consistency, meaning that the values of repeated measurements are clustered with little scatter.
- Accuracy: correctness, meaning that the measured value is very close to the true value.
5. CUSTOMER SATISFACTION:
Understanding, evaluating, defining and managing expectations so that customer requirements are met:
- Conformance to requirements
- Fitness for use
6. PREVENTION OVER INSPECTION:
The cost of preventing mistakes is generally much less than the cost of correcting them once inspection or assessment reveals them.
7. MANAGEMENT RESPONSIBILITY:
Success requires the participation of all members of the team, but management is responsible for providing the resources needed to succeed.
8. CONTINUOUS IMPROVEMENT:
The "plan-do-check-act" cycle is the basis for quality improvement. Quality improvement initiatives can improve the quality of project management as well as the quality of the product.
IMPLEMENTATION OF PROJECT QUALITY MANAGEMENT FOR INTERNET BANKING:
Research is to be conducted to analyse the correlation between the various service quality dimensions and Internet banking as the electronic banking channel. The parameters to be considered for the survey are:

PARAMETERS
- Ease of use
- Operates 24 hours a day
- All banking needs available as menu options
- Processes my transactions efficiently (no waiting)
- Performs transactions immediately
- Performs all transactions accurately
- Guarantees that transactions have taken place
- Provides accurate records
- Is personalised, e.g. greets you by name
- Has its ATMs conveniently located
- Provides secure services
- Special service for the disabled
- Acknowledges me by name on the screen during the transaction
- Has a user-friendly system in place to make ATM transactions easier
- Connects you immediately to the service
- Provides voice/online directions for new users
- Provides a customer-friendly environment while waiting in the queue to be served, such as music
- Provides a customer-friendly environment while waiting in the queue to be served, such as advertising about other services the bank provides

The above parameters are to be rated by customers, and the performance gap is evaluated as:
"PERFORMANCE GAP VALUE = EXPECTED RANKING - ACTUAL PERFORMANCE RANKING"
If PERFORMANCE GAP > 0, it indicates over-promise and under-delivery.
If PERFORMANCE GAP < 0, it indicates under-promise and over-delivery.

ANALYSIS & INTERPRETATION:
For example, the attribute "Processing all transactions efficiently without a waiting period" scored 4.12 on the expected scale and 4.21 on the actual scale, a performance gap of -0.09, which shows that the service surpassed customers' expectations: more was delivered than was promised.

The following graph gives an example of a comparative analysis of various SERVICE QUALITY parameters according to the "importance indices" allotted to them on the basis of a market survey. The qualities considered are:
- Security
- Convenience
- Efficiency
- Performance of transactions
- Accuracy
- User friendliness
- Ability to satisfy complaints
- Overall efficiency
- Recognition
Through this process the final weighting of each service quality dimension is to be measured.
For example:

Figure: percentage of respondents rating each service quality dimension as important (scale 0 to 70%). 66.2% of respondents indicated that the security of online transactions is the most important factor; only 41.1% believe that recognition in service delivery is important.

INTERPRETATION:
In the above example "Recognition" has the least weight, so for QUALITY MANAGEMENT the bank can implement the following steps:
1. Installation of ATMs in supermarkets, medical institutions and learning centres.
2. Provision of a toll-free number to handle general complaints and feedback.
3. Provision of statements for each transaction conducted electronically, so that customers can verify the transactions.
4. Improvement in the efficiency of the ATM service to minimise waiting time and boost customers' confidence.
CHAPTER 8
PROJECT SAFETY MANAGEMENT
THREATS TO INTERNET BANKING
Local Attacks
A common mistake made by end users is to believe that their online banking session is perfectly safe as long as they use an SSL connection; the advice that everything is safe when the padlock symbol appears in the browser window is repeated often. But SSL is designed as a secure tunnel from the end user's computer to the bank's web server and does not protect the end points themselves, such as the end user's computer. The PWSteal.Bankash.A Trojan exploits this fact. The Trojan drops a DLL and registers its CLSID as a browser helper object (BHO) in the registry; running inside the browser, it can intercept any information entered into a web page before it is encrypted by SSL and sent out. Other local attack methods include running a layered service provider (LSP) that monitors all network traffic, installing a custom network driver, or displaying a carefully crafted copy of a web site on top of the official one.
Figure: Internet banking threats: local attacks, remote attacks and joint forces (local and remote combined).
Remote Attacks
Usually, the attacker sets up a copy of the web page he wants to impersonate on a server he
controls. In the past attackers often linked directly to the original images on the legitimate
web server, which left easy-to-follow traces in the webmaster’s log files. Nowadays,
attackers tend to keep resources locally. Once the bait server has been set up, the attacker
sends out emails that trick the user into visiting the spoofed website. These emails often
prompt the user to visit the online service in order to provide some urgent data verification, or
indicate that the user is required to visit the website because of some update process in the
main database of the service provider. This form of social engineering attack, with the goal of
acquiring user account information, is also known as phishing.
Joint Forces
If an attacker combines local and remote attacks, more serious damage can result. For
example, a Trojan running on an infected computer can alter the local hosts file to redirect
any request for mySecureBank.ltd to an IP address controlled by the attacker, bypassing DNS
entirely. This behaviour has already been observed in a number of adware threats in the wild.
To complete the illusion, the Trojan can also install a self-signed root certificate into the
trusted root store of the infected computer. Free tools like OpenSSL can be used to create these
certificates. Because the browser now trusts that root, the attacker can present a certificate
for mySecureBank.ltd issued under it, and the SSL connection from the infected computer to the
malicious web server hosting the spoofed website shows the same padlock as the genuine site.
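The hosts-file half of the joint attack above is easy to check for, because the hosts file is consulted before any DNS query. The following is an added example, not code from the page: it parses the hosts file the way the resolver does (comments, several names per line, IPv4 and IPv6), reports every entry that names a protected bank domain or one of its subdomains, and distinguishes a sinkhole (loopback or unspecified address, which blocks the site) from a redirect (any other address). The file contents are constructed; the domain mySecureBank.ltd is the one used in the text, and 203.0.113.45 is an address from a documentation range, not a real host.

```python
"""Detect hosts-file hijacking of banking domains.

Added example, not code from the page. The hosts file content, the protected
domain list and the attacker address are constructed.
"""
import ipaddress

# Constructed hosts file; the last three lines are what a Trojan might append.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# added by "update"
203.0.113.45    mySecureBank.ltd
203.0.113.45    www.mySecureBank.ltd   # trailing comment
0.0.0.0         ads.example.net
"""

PROTECTED_DOMAINS = {"mysecurebank.ltd"}  # assumption: the bank's own domains


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, as the resolver does
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address; the resolver ignores the line too
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def covers(host, domain):
    """True for the domain itself and any subdomain, not for look-alike names."""
    return host == domain or host.endswith("." + domain)


def find_hijacks(text, protected):
    """Every hosts entry that pins a protected domain, classified by effect."""
    hits = []
    for lineno, ip, host in parse_hosts(text):
        if not any(covers(host, d) for d in protected):
            continue
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        hits.append({"line": lineno, "host": host, "ip": str(ip), "kind": kind})
    return hits


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_HOSTS, PROTECTED_DOMAINS):
        print(f"line {h['line']}: {h['host']} -> {h['ip']} ({h['kind']})")
```

Any hit at all for a bank domain is suspicious, since a bank never asks customers to pin its address; on Windows the file is `%SystemRoot%\System32\drivers\etc\hosts`, on Unix `/etc/hosts`. Because the attack in the text also installs a rogue root certificate, this check belongs alongside a review of the machine's trusted root store.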
TYPES OF ONLINE ATTACKS:
Types of attacks may include:
Sniffers: also known as network monitors, this is software that captures traffic passing over a
network segment. Where a session is not encrypted, it can yield logon IDs and passwords.
Software that instead records keystrokes on a particular PC is a keylogger, a local attack
rather than a network one.
Guessing passwords: using software to try likely passwords (dictionary words, common patterns,
previously leaked credentials) against a logon in order to gain entry into a network or account.
Brute force: exhaustively trying every possible combination, either against a logon or against
captured encrypted messages, to recover passwords, user IDs, or message contents. Account
lockout, rate limiting and adequate password and key lengths are the defences.
Random dialling: dialling every number on a known bank telephone exchange. The objective is to
find a modem connected to the network, which could then be used as a point of attack.
Social engineering: an attacker calls the bank's help desk impersonating an authorized user to
gain information about the system, including having passwords changed.
Trojan horse: a programmer embeds code into a system that will later allow the programmer or
another person unauthorized entrance into the system or network.
Hijacking: taking over a session after the legitimate user has authenticated, typically by
intercepting or guessing the session identifier. Intercepting transmissions in order to deduce
information from them (eavesdropping) is the passive counterpart; Internet traffic is
particularly exposed to both.
SAFETY PARAMETERS
Key components that will help maintain a high level of public confidence in an open network
environment include:
Security
Authentication
Trust
Nonrepudiation
Privacy
Availability
Security is an issue in Internet banking systems. The OCC expects national banks to provide
a level of logical and physical security commensurate with the sensitivity of the information
and the individual bank’s risk tolerance. Some national banks allow for direct dial-in access
to their systems over a private network while others provide network access through the
Internet. Although the publicly accessible Internet generally may be less secure, both types of
connections are vulnerable to interception and alteration. For example, hardware or software
“sniffers” can obtain passwords, account numbers, credit card numbers, etc. without regard to
the means of access. National banks therefore must have a sound system of internal controls
to protect against security breaches for all forms of electronic access.
Authentication is another issue in an Internet banking system. Transactions on the Internet or
any other telecommunication network must be secure to achieve a high level of public
confidence. In cyberspace, as in the physical world, customers, banks, and merchants need
assurances that they will receive the service as ordered or the merchandise as requested, and
that they know the identity of the person they are dealing with.
Trust is another issue in Internet banking systems. As noted in the previous discussion,
public and private key cryptographic systems can be used to secure information and
authenticate parties in transactions in cyberspace. A trusted third party is a necessary part of
the process. That third party is the certificate authority.
A certificate authority is a trusted third party that verifies identities in cyberspace. Some
people think of the certificate authority functioning like an online notary. The basic concept
is that a bank, or other third party, uses its good name to validate parties in transactions.
Nonrepudiation is undeniable proof of participation by both the sender and receiver in a
transaction. Digital signatures based on public key cryptography provide it: a message signed
with a private key that only the sender holds cannot later be disowned by the sender, and a
signed acknowledgement from the receiver binds the receiver in the same way. Although
technology has provided an answer to nonrepudiation, state laws are not uniform in their
treatment of electronic authentication and digital signatures. The application of state laws to
these activities is a new and emerging area of the law.
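The distinction the paragraph draws, between proving who sent a transaction and merely checking that it was not altered, is easiest to see in code. The following is an added example, not from the page or its sources: a Lamport one-time signature built only from SHA-256 (chosen because it runs with the standard library alone; real deployments use RSA or ECDSA keys bound to the signer by a certificate authority, as the trust paragraph above describes). Only the holder of the private key can produce a valid signature, so the customer cannot later deny the transfer, whereas a MAC under a key shared with the bank proves nothing to a third party, because the bank could have produced the tag itself. The transaction text and all keys are constructed.

```python
"""Nonrepudiation: a digital signature versus a shared-secret MAC.

Added example, not from the page. Lamport one-time signatures over SHA-256;
the order text and keys are constructed. Not a production signature scheme.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
BITS = 256  # one pair of secrets per bit of the SHA-256 digest


def digest_bits(message):
    d = HASH(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def keygen():
    """Private key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, message):
    """Reveal, for each digest bit, the preimage matching that bit's value.
    One-time only: signing a second message with the same key reveals more
    preimages and lets an observer forge signatures on mixed messages."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(pk, message, signature):
    """Needs only the public key, so any third party (auditor, court) can run it."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= hmac.compare_digest(HASH(signature[i]).digest(), pk[i][bit])
    return ok


# For contrast: message authentication under a key both customer and bank hold.
def mac_tag(shared_key, message):
    return hmac.new(shared_key, message, HASH).digest()


def mac_verify(shared_key, message, tag):
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


if __name__ == "__main__":
    order = b"2012-01-17 TRANSFER 1000.00 from ACC-0001 to ACC-0002 nonce=7f3a"
    sk, pk = keygen()
    sig = sign(sk, order)
    print("customer's signature verifies:", verify(pk, order, sig))
    print("same signature on an altered order:",
          verify(pk, order.replace(b"1000.00", b"9000.00"), sig))
    k = secrets.token_bytes(32)  # shared between customer and bank
    print("bank can mint a valid tag for any order itself:",
          mac_verify(k, b"any order", mac_tag(k, b"any order")))
```

The signed text must cover everything that could later be disputed (amount, both accounts, date and a nonce); without the nonce a valid signed order could be replayed, which is an integrity and replay problem rather than a repudiation one, but it is the same signed record that settles both.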
Privacy is a consumer issue of increasing importance. National banks that recognize and
respond to privacy issues in a proactive way make this a positive attribute for the bank
and a benefit for its customers. Public concerns over the proper versus improper
accumulation and use of personal information are likely to increase with the continued
growth of electronic commerce and the Internet.
Availability is another component in maintaining a high level of public confidence in a
network environment. Among the considerations associated with system availability are
capacity, performance monitoring, redundancy, and business resumption. National banks and
their vendors who provide Internet banking products and services need to make certain they
have the capacity in terms of hardware and software to consistently deliver a high level of
service.
DIFFERENT SAFETY PROCESSES:
TYPES OF SECURITY CONTROLS:
SAFETY PROCESSES
Firewalls
Vendor management
Passwords
Transaction security
Encryption & confidentiality
Virus detection & protection
Bank resumption & contingency planning
Controls
Biometrics
Digital signature & certificate authorities
Performance monitoring
Software distribution
Auditing
Customer support
Internet service providers
CHAPTER 9
PROJECT MONITORING &
CONTROL MECHANISM
Main steps of this stage are:
Risk assessment
Risk management
Risk control
INTERNET BANKING RISKS:
Interest rate risk
Credit risk
Liquidity risk
Reputation risk
Foreign exchange risk
Transaction risk
Compliance risk
Strategic risk
Price risk
DESCRIPTION:
Credit Risk
Credit risk is the risk to earnings or capital arising from an obligor’s failure to meet the terms
of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all
activities where success depends on counterparty, issuer, or borrower performance. It arises
any time bank funds are extended, committed, invested, or otherwise exposed through actual
or implied contractual agreements, whether on or off the bank's balance sheet.
Internet banking provides the opportunity for banks to expand their geographic range.
Customers can reach a given institution from literally anywhere in the world. In dealing with
customers over the Internet, absent any personal contact, it is challenging for institutions to
verify the bona fides of their customers, which is an important element in making sound credit
decisions.
Interest Rate Risk
Interest rate risk is the risk to earnings or capital arising from movements in interest rates.
From an economic perspective, a bank focuses on the sensitivity of the value of its assets,
liabilities and revenues to changes in interest rates. Interest rate risk arises from differences
between the timing of rate changes and the timing of cash flows (repricing risk); from
changing rate relationships among different yield curves affecting bank activities (basis risk);
from changing rate relationships across the spectrum of maturities (yield curve risk); and
from interest-related options embedded in bank products (options risk).
Liquidity Risk
Liquidity risk is the risk to earnings or capital arising from a bank’s inability to meet its
obligations when they come due, without incurring unacceptable losses. Liquidity risk
includes the inability to manage unplanned changes in funding sources. Liquidity risk also
arises from the failure to recognize or address changes in market conditions affecting the
ability of the bank to liquidate assets quickly and with minimal loss in value.
Price Risk
Price risk is the risk to earnings or capital arising from changes in the value of traded
portfolios of financial instruments. This risk arises from market making, dealing, and
position taking in interest rate, foreign exchange, equity, and commodities markets.
Foreign Exchange Risk
Foreign exchange risk is present when a loan or portfolio of loans is denominated in a foreign
currency or is funded by borrowings in another currency. In some cases, banks will enter into
multi-currency credit commitments that permit borrowers to select the currency they prefer to
use in each rollover period. Foreign exchange risk can be intensified by political, social, or
economic developments. The consequences can be unfavourable if one of the currencies
involved becomes subject to stringent exchange controls or is subject to wide exchange-rate
fluctuations.
Transaction Risk
Transaction risk is the current and prospective risk to earnings and capital arising from fraud,
error, and the inability to deliver products or services, maintain a competitive position, and
manage information. Transaction risk is evident in each product and service offered and
encompasses product development and delivery, transaction processing, systems development,
computing systems, complexity of products and services, and the internal control environment.
Compliance Risk
Compliance risk is the risk to earnings or capital arising from violations of, or non-
conformance with, laws, rules, regulations, prescribed practices, or ethical standards.
Compliance risk also arises in situations where the laws or rules governing certain bank
products or activities of the bank’s clients may be ambiguous or untested. Compliance risk
exposes the institution to fines, civil money penalties, payment of damages, and the voiding
of contracts. Compliance risk can lead to a diminished reputation, reduced franchise value,
limited business opportunities, reduced expansion potential, and lack of contract
enforceability.
Strategic Risk
Strategic risk is the current and prospective impact on earnings or capital arising from
adverse business decisions, improper implementation of decisions, or lack of responsiveness
to industry changes. This risk is a function of the compatibility of an organization’s strategic
goals, the business strategies to achieve those goals, the resources deployed against these
goals, and the quality of implementation. The resources needed to carry out business
strategies are both tangible and intangible. The organization’s internal characteristics must
be evaluated against the impact of economic, technological, competitive, regulatory, and
other environmental changes.
Reputation Risk
Reputation risk is the current and prospective impact on earnings and capital arising from
negative public opinion. This affects the institution’s ability to establish new relationships or
services or continue servicing existing relationships. This risk may expose the institution to
litigation, financial loss, or a decline in its customer base. Reputation risk exposure is present
throughout the organization and includes the responsibility to exercise an abundance of
caution in dealing with customers and the community.
A bank’s reputation can suffer if it fails to deliver on marketing claims or to provide accurate,
timely services. This can include failing to adequately meet customer credit needs, providing
unreliable or inefficient delivery systems, untimely responses to customer inquiries, or
violations of customer privacy expectations.
RISK MANAGEMENT:
Financial institutions should have a technology risk management process to enable them to
identify, measure, monitor, and control their technology risk exposure.
Main steps involved are:
The planning process for the use of the technology.
Implementation of the technology.
The means to measure and monitor risk.
The risk planning process is the responsibility of the board and senior management. They
need to possess the knowledge and skills to manage the bank’s use of Internet banking
technology and technology-related risks. The board should review, approve, and monitor
Internet banking technology-related projects that may have a significant impact on the bank’s
risk profile. They should determine whether the technology and products are in line with the
bank’s strategic goals and meet a need in their market. Senior management should have the
skills to evaluate the technology employed and risks assumed. Periodic independent
evaluations of the Internet banking technology and products by auditors or consultants can
help the board and senior management fulfil their responsibilities.
Implementing the technology is the responsibility of management. Management should
have the skills to effectively evaluate Internet banking technologies and products, select the
right mix for the bank, and see that they are installed appropriately. If the bank does not have
the expertise to fulfil this responsibility internally, it should consider contracting with a
vendor who specializes in this type of business or engaging in an alliance with another
provider with complementary technologies or expertise.
Measuring and monitoring risk is the responsibility of management. Management should
have the skills to effectively identify, measure, monitor, and control risks associated with
Internet banking. The board should receive regular reports on the technologies employed, the
risks assumed, and how those risks are managed. Monitoring system performance is a key
success factor. As part of the design process, a national bank should include effective quality
assurance and audit processes in its Internet banking system.
RISK CONTROLLING:
The control objectives for an individual bank’s Internet banking technology and products
might focus on:
Consistency of technology planning and strategic goals, including efficiency and
economy of operations and compliance with corporate policies and legal
requirements.
Data availability, including business recovery planning.
Data integrity, including providing for the safeguarding of assets, proper authorization
of transactions, and reliability of the process and output.
Data confidentiality and privacy safeguards.
Reliability of MIS.
TYPES OF RISK CONTROLS:
Internal accounting controls
Used to safeguard the assets and reliability of financial records. These would include
transaction records and trial balances.
Operational controls
Used to ensure that business objectives are being met. These would include operating plans
and budgets to compare actual against planned performance.
Administrative controls
Used to ensure operational efficiency and adherence to policies and procedures. These would
include periodic internal and external audits.
Monitoring transaction activity to look for anomalies in transaction types, transaction
volumes, transaction values, and time-of-day presentment.
Monitoring log-on violations or attempts to identify patterns of suspect activity
including unusual requests, unusual timing, or unusual formats.
Using trap and trace techniques to identify the source of the request and match these
against known customers.
Regular reporting and review of unusual transactions will help identify:
Intrusions by unauthorized parties.
Customer input errors.
Opportunities for customer education.
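The three monitoring items above (transaction anomalies, log-on violations, unusual timing and formats) are detective controls, and they are only useful once written as rules that run over the application's own logs. The following is an added example, not code from the page or from the OCC handbook it draws on, showing those rules over constructed log lines: a burst of failed log-ons followed by a success, an off-hours log-on, a transfer far above the customer's usual size, and a destination account in an unexpected format. The log format, user names, addresses, baseline transfer sizes, the five-failure threshold, the ten-minute window and the 00:00-05:00 off-hours band are all assumptions made for the example.

```python
"""Detective controls over log-on and transaction activity.

Added example, not code from the page. Log lines, thresholds, baselines and
the off-hours band are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log: a guessing burst on alice's account at 02:14,
# a successful log-on right after it, then a transfer far above her usual size.
SAMPLE_LOG = """\
2012-01-17T02:14:05 LOGIN user=alice src=198.51.100.7 result=FAIL
2012-01-17T02:14:09 LOGIN user=alice src=198.51.100.7 result=FAIL
2012-01-17T02:14:14 LOGIN user=alice src=198.51.100.7 result=FAIL
2012-01-17T02:14:20 LOGIN user=alice src=198.51.100.7 result=FAIL
2012-01-17T02:14:27 LOGIN user=alice src=198.51.100.7 result=FAIL
2012-01-17T02:15:40 LOGIN user=alice src=198.51.100.7 result=OK
2012-01-17T02:16:02 TXN user=alice type=TRANSFER amount=4800.00 dest=ACC-9981
2012-01-17T10:05:11 LOGIN user=bob src=192.0.2.10 result=OK
2012-01-17T10:06:30 TXN user=bob type=TRANSFER amount=120.00 dest=ACC-4410
2012-01-17T10:07:02 TXN user=bob type=TRANSFER amount=95.50 dest=acc_4410
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|TXN) (.*)$")
DEST_RE = re.compile(r"^ACC-\d{4}$")              # assumed destination account format
FAIL_THRESHOLD = 5                                  # failures within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
OFF_HOURS = range(0, 5)                             # 00:00-04:59 local time
BASELINE_TRANSFER = {"alice": 150.0, "bob": 200.0}  # typical transfer per customer
OUTLIER_FACTOR = 10


def parse_log(text):
    """Turn 'timestamp KIND k=v k=v ...' lines into dicts; skip lines that do not match."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        fields["kind"] = kind
        events.append(fields)
    return events


def detect(text):
    """Return alerts as {'ts', 'user', 'rule'} dicts in time order."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed log-ons

    def alert(ts, user, rule):
        alerts.append({"ts": ts, "user": user, "rule": rule})

    for e in sorted(parse_log(text), key=lambda x: x["ts"]):
        user, ts = e.get("user", "?"), e["ts"]
        if e["kind"] == "LOGIN":
            recent = failures[user]
            while recent and ts - recent[0] > FAIL_WINDOW:
                recent.popleft()  # forget failures that fell out of the window
            if e.get("result") == "FAIL":
                recent.append(ts)
                if len(recent) == FAIL_THRESHOLD:
                    alert(ts, user, "login-failure-burst")
            else:
                if len(recent) >= FAIL_THRESHOLD:
                    alert(ts, user, "success-after-failure-burst")  # a guess that worked
                recent.clear()
                if ts.hour in OFF_HOURS:
                    alert(ts, user, "off-hours-login")
        elif e["kind"] == "TXN":
            amount = float(e.get("amount", "0"))
            base = BASELINE_TRANSFER.get(user)
            if base is not None and amount > OUTLIER_FACTOR * base:
                alert(ts, user, "transfer-value-outlier")
            if not DEST_RE.match(e.get("dest", "")):
                alert(ts, user, "unusual-destination-format")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["user"], a["rule"])
```

The rule that matters most operationally is "success-after-failure-burst": a burst alone is noise, but a burst that ends in a successful log-on and is followed minutes later by an out-of-pattern transfer is the sequence a fraud desk should be paged for, and the alerts are ordered so that an analyst sees the story in sequence.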
(Figure: internal risk controls, grouped as preventive, detective and corrective)
CHAPTER 10
PROJECT RESOURCE
MANAGEMENT
CUSTOMER RELATIONSHIP MANAGEMENT:
1. Customer acquisition through referrals.
2. Customer development through personalisation and customisation.
3. Leveraging customer equity through cross-selling and up-selling.
4. Customer retention and referrals.
HUMAN RESOURCE MANAGEMENT:
(Figure: human resource management breakdown, Level 0 to Level 2: organizational planning
(management plan, project interfaces), staff acquisition, team development, performance reports)
RESOURCE UTILIZATION SCOPE FOR A PROJECT:
(Figure: resource utilization scope for the project)
Business areas: material management, procurement, project controls, cost estimation, decision
making support.
Applications: document control, cost management, management information, estimation.
Controls: material catalogue management, enquiries & purchase orders, vendor data management.
Key deliverables: construction plans, document deliverables, purchasing & expediting status,
progress & cost reports.
CHAPTER 11
APPLICATION OF INFORMATION
TECHNOLOGY
SYSTEM ANALYSIS AND DESIGN
The method followed in the proposed system is the linear sequential (waterfall) model. This
model suggests a systematic, sequential approach to software development that begins at the
system level and progresses through analysis, design, coding, testing and maintenance.
System / information engineering and modelling
System engineering and analysis encompasses requirement gathering at the system level
with a small amount of top level analysis and design. Information gathering encompasses
requirements at the strategic business level and business area level.
Software Requirement analysis
The requirement gathering process is intensified and focused specifically on software. To
understand the behaviour of the software to be built, the software engineer must understand
the information domain for the software as well as the required function, behaviour,
performance and interfacing.
Design
Software design is a multi-step process that focuses on four distinct attributes of a program:
data structure, software architecture, interface representation and procedural details. The
design process translates requirements into a representation of the software that can be
assessed for quality before code generation begins.
Testing
Once the code has been generated, program testing begins. The testing process focuses on the
logical internals of the software, ensuring that all statements have been exercised, and on the
functional externals, i.e. conducting tests to uncover errors and to ensure that defined inputs
produce actual results that agree with the required results.
Maintenance
Software will undoubtedly undergo change after it is delivered to the customer. Change will
occur because errors have been encountered, because the software must be adapted to
accommodate changes in the external environment, or because the customer requires
functional or performance enhancements. Software maintenance reapplies each of the
preceding phases to an existing program rather than a new one. The linear sequential model
remains a widely used process model for software engineering.
Technologies used:
Screen Designing: HTML, JSP.
Coding: JSP, JDBC and other java concepts.
Data base: Oracle.
Three Tier Architecture
FIRST TIER:
Responsibility for presentation and user interaction resides with the first-tier
components. These client components enable the user to interact with the second-tier
processes in a secure and intuitive manner. WebSphere Application Server supports several
client types. Clients do not access the third-tier services directly.
SECOND TIER:
The second-tier processes are commonly referred to as the Application Logic Layer.
These processes manage the business logic of the application, and are permitted access to the
third-tier services. The application logic layer is where most of the processing work occurs.
Multiple client components can access the second-tier processes simultaneously, so this
application logic layer must manage its own transactions.
THIRD TIER:
The third-tier services (the database) reside within a secure network and are protected from
direct access by the client components. All interaction must occur through the second-tier
processes.
PROCESS FLOW DIAGRAM OF INTERNET BANKING ARCHITECTURE:
(Figure: process flow of the Safe and Secure Internet Banking application. Actors: customer,
bank employee, administrator. Functions: account update, transactions, e-statements, issue
chequebook. Legend: storage subsystem (database), application layer, application layer
interface.)
Architectural Requirements
1. Portability – The system must be easily portable to a wide array of platforms using
various operating systems. Porting the software from one operating system to
another should not require more than 5% of the code to be changed. Similarly
changing the backend database should not require more than 5% of the code to
change.
2. Extensibility/Reuse – The software should be extensible in order to add new
features without affecting the base modules. The new releases of the system should
maximize the reuse of solutions developed in earlier releases.
3. Ease of use – The system must be easy to use without requiring users to memorize
commands, special terms, or notations. A new user should not require more than
one hour of training to get comfortable using the system.
CONSTRAINTS:
System constraints:
A high-end system is required to host the software and maintain the database, together with
minimal terminals with a printer for reports, all interconnected over a network.
Technical constraints:
A Linux or Windows system with an Apache server (a servlet container such as Tomcat) configured
to execute the JSP code. An Oracle database is required.
Business constraints:
The only transaction a customer can perform online is the transfer of funds to another
account; deposits and withdrawals cannot be made through the internet.
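The second tier described in the three-tier architecture above is where this business constraint, and every other authorization decision, has to be enforced: the client tier can be replaced by an attacker's own HTTP requests, and the database tier cannot know which customer is asking. The following is an added example, not the project's code, with Python and sqlite3 standing in for the JSP/JDBC/Oracle application-logic tier. It shows what that tier must decide on every request before touching the database: is the operation permitted for the caller's role (customers may only transfer), does the caller actually own the source account, and is the debit/credit pair applied atomically. It also places a deliberately string-built SQL query beside its parameterised form. The role matrix, account numbers, owners and balances are constructed assumptions.

```python
"""Second-tier authorization for the e-banking transfer use case.

Added example, not the project's code. sqlite3 stands in for Oracle; the
role matrix, accounts and balances are constructed.
"""
import sqlite3
from decimal import Decimal, InvalidOperation

# Assumption: the business constraint above expressed as a role matrix.
PERMITTED = {
    "customer": {"TRANSFER"},
    "bank_employee": {"TRANSFER", "DEPOSIT", "WITHDRAW"},
}


class AuthorizationError(Exception):
    """Refused by the application layer; no change reached the database."""


def open_bank():
    """Constructed in-memory stand-in for the third tier."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT NOT NULL,
                               balance_cents INTEGER NOT NULL CHECK (balance_cents >= 0));
        CREATE TABLE ledger (id INTEGER PRIMARY KEY, actor TEXT, kind TEXT,
                             src TEXT, dst TEXT, cents INTEGER);
    """)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("ACC-0001", "alice", 100_000), ("ACC-0002", "bob", 5_000), ("ACC-0003", "alice", 200),
    ])
    conn.commit()
    return conn


def to_cents(amount):
    """Money as integer cents; rejects non-numbers, zero, negatives and sub-cent values."""
    try:
        exact = Decimal(str(amount)) * 100
    except InvalidOperation:
        raise ValueError("amount is not a number")
    cents = int(exact)
    if cents <= 0 or exact != cents:
        raise ValueError("amount must be positive with at most two decimals")
    return cents


def balance(conn, acct):
    row = conn.execute("SELECT balance_cents FROM accounts WHERE acct = ?", (acct,)).fetchone()
    return None if row is None else row[0]


def perform(conn, actor, role, kind, src=None, dst=None, amount=0):
    """Run one operation for an already-authenticated `actor` holding `role`."""
    if kind not in PERMITTED.get(role, ()):
        raise AuthorizationError(f"{role} may not {kind}")
    cents = to_cents(amount)
    with conn:  # one transaction: any exception below rolls back every statement
        if kind in ("TRANSFER", "WITHDRAW"):
            row = conn.execute("SELECT owner FROM accounts WHERE acct = ?", (src,)).fetchone()
            # Ownership is decided here from the database, never from a client-supplied claim.
            if row is None or (role == "customer" and row[0] != actor):
                raise AuthorizationError("source account is not the actor's")
            # Check-and-debit in one statement, so two concurrent requests
            # cannot both pass a stale balance check.
            cur = conn.execute("UPDATE accounts SET balance_cents = balance_cents - ? "
                               "WHERE acct = ? AND balance_cents >= ?", (cents, src, cents))
            if cur.rowcount != 1:
                raise ValueError("insufficient funds")
        if kind in ("TRANSFER", "DEPOSIT"):
            cur = conn.execute("UPDATE accounts SET balance_cents = balance_cents + ? "
                               "WHERE acct = ?", (cents, dst))
            if cur.rowcount != 1:
                raise ValueError("no such destination account")  # debit above is rolled back
        conn.execute("INSERT INTO ledger (actor, kind, src, dst, cents) VALUES (?, ?, ?, ?, ?)",
                     (actor, kind, src, dst, cents))
    return balance(conn, src or dst)


def statement_insecure(conn, actor, acct):
    """Deliberately vulnerable: SQL built by string formatting. A crafted account
    number closes the quote and comments out the owner check."""
    sql = (f"SELECT acct, owner, balance_cents FROM accounts "
           f"WHERE acct = '{acct}' AND owner = '{actor}'")
    return conn.execute(sql).fetchall()


def statement(conn, actor, acct):
    """Hardened form: bound parameters, so the input can only ever be a value."""
    return conn.execute("SELECT acct, owner, balance_cents FROM accounts "
                        "WHERE acct = ? AND owner = ?", (acct, actor)).fetchall()


if __name__ == "__main__":
    bank = open_bank()
    print("alice after transfer:",
          perform(bank, "alice", "customer", "TRANSFER", "ACC-0001", "ACC-0002", "25.50"))
    print("injected statement rows:", len(statement_insecure(bank, "bob", "x' OR 1=1 --")))
    print("parameterised statement rows:", len(statement(bank, "bob", "x' OR 1=1 --")))
```

In the JSP/JDBC version the same shape applies: `PreparedStatement` with bound parameters for every query, the role and owner check in the servlet or business bean rather than in the page, and the debit and credit inside one JDBC transaction with auto-commit off.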
CHAPTER 12
PROJECT CLOSE OUT
PROJECT IMPLEMENTATION STAGES:
There are ample opportunities for financial institutions to boost the adoption of Internet
banking, not only by offering customers the kind of service and capabilities they want, but
also by implementing a solution that they can count on. With careful, conscientious planning
before even approaching prospective providers, institutions can properly evaluate them based
on their ability to cost effectively provide a comprehensive, reliable and secure solution. As a
global technology leader in information commerce, First Data helps financial institutions ease
the transition to an outsourced Internet Banking Solution that more effectively and reliably
serves their needs in Internet banking. Top rated in customer satisfaction, features and
functionality, marketing support and overall value, First Data currently provides Internet
banking services to more than 600 financial institutions. Over the previous 18 months alone,
the company has successfully converted more than 100 customers. With First Data, the
financial institution experiences a fluid, cost effective conversion process without increasing
employee workload—and ultimately ensures customer satisfaction and loyalty to its brand.
With the right Internet Banking Solution, financial institutions can alleviate the limitations
and challenges they are experiencing with their current system. In effect, the institution can
save significant time and money, while greatly reducing the risk of losing valuable customers
due to an inadequate solution. For many small- and mid-sized financial institutions, an
outsourced solution makes the most sense. Excellent ready-made options are available to
enable these institutions to offer the functionality their customers demand without expensive
internal development and on-going maintenance requirements. An outsourced solution not
only reduces costs, but also increases flexibility and security.
CHAPTER 13
CONCLUSION
E-banking is making significant progress in terms of customers’ adoption, functionality and
profitability for banks. However it still faces a number of threats including security and
privacy issues which will have to be dealt with to ensure long term survival. It is difficult to
predict the future, but some remarks can be made based on the experience so far. In our view,
the next developments in e-banking will involve new products and services that were not
feasible in traditional banking models. This could involve making instant payments (possibly
using mobile phones), or tools to help people manage their multi-bank financial portfolio.
Internet only banking may also become more viable as the functionality of e-banking grows,
and customers adapt to the new ways of conducting their financial activities. International
banking might become a reality for ordinary consumers as banking payments systems are
increasingly harmonised.
REFERENCES
BOOK REFERENCES
Mahmood Shah & Steve Clarke, E-banking Management: Issues, Solutions and Strategies.
Journal of Internet Banking and Commerce.
Brent Warrington, Is Your Internet Banking Solution Costing You Customers? (First Data white paper).
Karen Furst, William W. Lang, and Daniel E. Nolle, Internet Banking: Developments and Prospects.
WEB SITES
Online banking of National City bank: www.Nationalcity.com
Online banking of Bank One: www.BankOne.com
Online banking of ICICI bank: www.ICICI.com
rbidocs.rbi.org.in/rdocs/publicationreport/pdfs/21595.pdf