The current controversy surrounding banking has shown the importance of trust between a bank and its customers. One part of that trust has always been the belief that money is secure in a bank, that nobody else can access your account, but as electronic banking grows, how can people know that this is still the case? In the information age, how safe is your money from information super-highway robbers?
Banks have long been in a dilemma over how much of their security to reveal. From the earliest days of safes, shutters and bars on windows, banks have had to show enough security to reassure customers, while not revealing too much of their practices to potential bank robbers. In the age of electronic banking, via ATMs, telephones, and the Internet, the same dilemma holds: how much to tell, how much to hide?
The most popular form of electronic banking is via ATMs, which are generally perceived as secure as long as your PIN number is kept confidential. The manufacturers of the two most popular types are NCR, which says it has more than 1,000 installed, and Siemens Nixdorf, which says it has more than 400 machines. Both companies say their machines use encryption right from the keypad to protect the information entered, and banks usually transmit this information to central computers over private, leased lines, which are less vulnerable to eavesdropping. Some or all of this information is also encrypted using 56-bit keys and the PIN number is always encrypted.
NCR business development manager, Mr Sean Moloney, says the company's ATMs feature two more levels of security: the electronic encryption device is located in an environment as secure as the cash itself, and even someone servicing the machine cannot get a computer prompt.
Mr Moloney says the majority of ATM fraud happens when a customer compromises the PIN by, for example, leaving the number in a wallet. To counteract this, some banks photograph everyone making ATM transactions.
Telephone banking, in contrast, does involve sending unencrypted PIN numbers over the public telephone network, but offers people the attraction of banking from the security of their own homes. There is still a security risk: anyone who manages to eavesdrop on the line (not an easy task) could decode the telephone number tones you're sending. But as the systems used by the two main banks involve sending only a randomly chosen part of the PIN number at a time, an eavesdropper would have to listen in several times before being able to impersonate you.
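The exposure that the partial-PIN scheme leaves can be worked out directly. The sketch below is an added example, not either bank's system; the 4-digit PIN and the two positions asked per call are assumptions, since the article gives neither figure.

```python
import random
from itertools import combinations

PIN_LENGTH = 4     # assumption: the article does not give the PIN length
DIGITS_ASKED = 2   # assumption: positions requested on each call

def challenge(rng):
    """Bank side: choose which PIN positions to ask for on this call."""
    return tuple(sorted(rng.sample(range(PIN_LENGTH), DIGITS_ASKED)))

def exposure(known_positions):
    """Fraction of possible challenges that ask only for positions
    already sent in the clear on earlier calls."""
    every = list(combinations(range(PIN_LENGTH), DIGITS_ASKED))
    covered = [c for c in every if set(c) <= set(known_positions)]
    return len(covered) / len(every)

def calls_until_full_exposure(rng):
    """Count calls until every PIN position has crossed the line once."""
    known, calls = set(), 0
    while len(known) < PIN_LENGTH:
        known.update(challenge(rng))
        calls += 1
    return calls

def average_calls(trials=20000, seed=1):
    """Monte Carlo estimate of the mean number of calls to full exposure."""
    rng = random.Random(seed)
    return sum(calls_until_full_exposure(rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("exposure after one overheard call:", round(exposure({0, 1}), 3))
    print("exposure with three positions known:", exposure({0, 1, 2}))
    print("average calls until the whole PIN is exposed:", round(average_calls(), 2))
```

Under these assumptions the whole PIN is exposed after about 3.8 overheard calls on average, but one overheard call already covers one challenge in six, which is why the transfer limits matter as a second control.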
On top of this, AIB only allows limited third-party transfers, while Bank of Ireland only allows £500 transfers into another Bank of Ireland account.
The newest form of electronic banking, banking via the Internet, is the one which is most likely to worry customers since, unlike with ATM or telephone banking, an Internet eavesdropper could be located anywhere. The biggest security issues here are authenticity and confidentiality: how do you ensure that you are really communicating with the bank, how does the bank ensure that you are who you say you are, and how do you prevent someone else on the Internet "listening in"?
This first issue is addressed by making sure customers connect to the correct Web address and then use a secure Internet connection with digital certificates. Mr Paddy Holahan, vice-president of business development at information security specialists, Baltimore Technologies, warns that Web addresses (URLs) may be faked, and that only if your Web browser indicates both the correct URL and a secure, encrypted connection can you be sure you are communicating with the bank. On setting up a secure connection your browser checks the bank's digital signature which, Mr Holahan assures, cannot be faked.
But because customers do not have their own digital signatures they must use secret access codes agreed in advance with the banks to prove their identity. These are only exchanged once a secure connection has been established. However, versions of browsers such as Microsoft's Internet Explorer and Netscape's Navigator exported outside the US only support 40-bit encryption, so in theory someone monitoring your transaction could store the encrypted information and decrypt it later. Baltimore estimates a 40-bit code can be broken in around one minute, and will be breakable in less than 10 seconds by the year 2000.
The banks address this by asking for different personal access codes each time you connect, and by limiting the amount of money you can transfer from your account per day. Bank of Ireland customers, for example, use a calculator-like device to generate responses to random numbers given by the Internet site when they first connect or try to transfer money.
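The challenge-response exchange described above can be sketched with both sides shown. This is an added example, not Bank of Ireland's algorithm, which the article does not describe; the shared device key, HMAC-SHA256 and the 6-digit response are all assumptions.

```python
import hashlib
import hmac
import secrets

def device_response(device_key: bytes, challenge: str) -> str:
    """Customer side: the hand-held device turns the site's random
    number into a short code using a key it shares with the bank."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class BankSite:
    """Bank side: issues a fresh challenge and accepts one answer to it."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = None

    def new_challenge(self) -> str:
        self._pending = f"{secrets.randbelow(10**8):08d}"
        return self._pending

    def verify(self, response: str) -> bool:
        if self._pending is None:
            return False
        expected = device_response(self._key, self._pending)
        self._pending = None  # each challenge can be answered only once
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(16)    # constructed key, held by device and bank
    bank = BankSite(key)
    code = device_response(key, bank.new_challenge())
    login_ok = bank.verify(code)     # genuine customer
    replay_used = bank.verify(code)  # same code again, challenge already spent
    bank.new_challenge()
    replay_fresh = bank.verify(code) # recorded code against a new challenge
    return login_ok, replay_used, replay_fresh

if __name__ == "__main__":
    print(demo())
```

A code recorded from one session fails on the next because the site's random number has changed, which is the property the banks rely on while the connection itself uses only 40-bit encryption.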
Complete Internet security will only come about when higher levels of encryption and personal digital signatures are used. This is likely to be still some way off, but for now the growth of home banking is proving people are already prepared to trust the phone and Internet. Their trust is not surprising. After all, people have long given their credit card details over the phone.