Online banking also known as internet banking, e-banking, or virtual

banking, is an electronic payment system that enables customers of a bank or

other financial institution to conduct a range of financial transactions through the
financial institution's website. The online banking system will typically connect to
or be part of the core banking system operated by a bank and is in contrast
tobranch banking that was the traditional way customers access banking
services.
To access a financial institution's online banking facility, a customer with internet
access would need to register with the institution for the service, and set up a
password and other credentials for customer verification. The credentials for
online banking is normally not the same as for telephone or mobile banking.
Financial institutions now routinely allocate customers numbers, whether or not
customers have indicated an intention to access their online banking facility.
Customers' numbers are normally not the same as account numbers, because a
number of customer accounts can be linked to the one customer number. The
customer number can be linked to any account that the customer controls, such
as cheque, savings, loan, credit card and other accounts.
The customer visits the financial institution's secure website, and enters the
online banking facility using the customer number and credentials previously set
up. The types of financial transactions which a customer may transact through
online banking usually includes obtaining account balances and list of latest
transactions, electronic bill payments, and funds transfers between a customer's
or another's accounts. Most also enable a customer to download copies of
statements, which can be printed at the customer's premises (with some banks
charging a fee for mailing hardcopies of bank statements). Some banks also
enable customers to download transactions directly into the customer's
accounting software. The facility may also enable the customer to order chequebooks, statements, report loss of credit cards, stop payment on a cheque, advise
change of address, and other routine transactions.

Advantages[edit]
There are some advantages on using e-banking both for banks and customers:

Permanent access to the bank

Lower transaction costs / general cost reductions

Access anywhere

No security problems

Security[edit]

Five security token devices for online banking.

Security of a customer's financial information is very important, without which

online banking could not operate. Similarly the reputational risks to the banks
themselves are important.[5] Financial institutions have set up various security
processes to reduce the risk of unauthorized online access to a customer's
records, but there is no consistency to the various approaches adopted.
The use of a secure website has been almost universally embraced.
Though single password authentication is still in use, it by itself is not considered
secure enough for online banking in some countries. Basically there are two
different security methods in use for online banking:

The PIN/TAN system where the PIN represents a password, used for the
login and TANs representing one-time passwords to authenticate
transactions. TANs can be distributed in different ways, the most popular one
is to send a list of TANs to the online banking user by postal letter. Another
way of using TANs is to generate them by need using a security token. These
token generated TANs depend on the time and a unique secret, stored in the
security token (two-factor authentication or 2FA).
More advanced TAN generators (chipTAN) also include the transaction
data into the TAN generation process after displaying it on their own
screen to allow the user to discover man-in-the-middle attacks carried out
by Trojans trying to secretly manipulate the transaction data in the
background of the PC.[6]
Another way to provide TANs to an online banking user is to send the TAN
of the current bank transaction to the user's (GSM) mobile phone via SMS.
The SMS text usually quotes the transaction amount and details, the TAN
is only valid for a short period of time. Especially in Germany, Austria and
the Netherlands many banks have adopted this"SMS TAN" service.
Usually online banking with PIN/TAN is done via a web browser using SSL
secured connections, so that there is no additional encryption needed.
Signature based online banking where all transactions are signed
and encrypted digitally. The Keys for the signature generation and
encryption can be stored on smartcards or any memory medium,
depending on the concrete implementation (see, e.g., the
Spanish ID card DNI electrnico[7]).

Attacks
Attacks on online banking used today are based on deceiving the user
to steal login data and valid TANs. Two well known examples for those
attacks are phishing and pharming.Cross-site
scripting and keylogger/Trojan horses can also be used to steal login
information.

A method to attack signature based online banking methods is to

manipulate the used software in a way, that correct transactions are
shown on the screen and faked transactions are signed in the
background.
A 2008 U.S. Federal Deposit Insurance Corporation Technology
Incident Report, compiled from suspicious activity reports banks file
quarterly, lists 536 cases of computer intrusion, with an average loss
per incident of $30,000. That adds up to a nearly $16-million loss in the
second quarter of 2007. Computer intrusions increased by 150 percent
between the first quarter of 2007 and the second. In 80 percent of the
cases, the source of the intrusion is unknown but it occurred during
online banking, the report states.[8]
Another kind of attack is the so-called man-in-the-browser attack, a
variation of the man-in-the-middle attack where a Trojan horse permits
a remote attacker to secretly modify the destination account number
and also the amount in the web browser.
As a reaction to advanced security processes allowing the user to
cross-check the transaction data on a secure device there are also
combined attacks using malware and social engineering to persuade
the user himself to transfer money to the fraudsters on the ground of
false claims (like the claim the bank would require a "test transfer" or
the claim a company had falsely transferred money to the user's
account and he should "send it back").[9][10] Users should therefore never
perform bank transfers they have not initiated themselves.

Countermeasures
There exist several countermeasures which try to avoid attacks. Digital
certificates are used against phishing and pharming, in signature
based online banking variants (HBCI/FinTS) the use of "Secoder" card
readers is a measurement to uncover software side manipulations of
the transaction data.[11] To protect their systems against Trojan horses,

users should use virus scanners and be careful with downloaded

software or e-mail attachments.
In 2001, the U.S. Federal Financial Institutions Examination
Council issued guidance for multifactor authentication (MFA) and then
required to be in place by the end of 2006.[12]
In 2012, the European Union Agency for Network and Information
Security advised all banks to consider the PC systems of their users
being infected by malware by default and therefore use security
processes where the user can cross-check the transaction data against
manipulations like for example (provided the security of the mobile
phone holds up)SMS TAN where the transaction data is sent along with
the TAN number or standalone smartcard readers with an own screen
including the transaction data into the TAN generation process while
displaying it beforehand to the user (see chipTAN) to counter man-inthe-middle attacks.[13]