
Int. J. Pure Appl. Sci. Technol., 1(2) (2010), pp. 67-78

International Journal of Pure and Applied Sciences and Technology


ISSN 2229 - 6107
Available online at www.ijopaasat.in
Review Paper

Internet Banking: Risk Analysis and Applicability of Biometric Technology for Authentication
Gunajit Sarma1 and Pranav Kumar Singh2,*
1 Department of Humanities and Social Sciences, Central Institute of Technology, Kokrajhar, Assam 783370, India
2 Department of Computer Science & Engineering, Central Institute of Technology, Kokrajhar, Assam 783370, India
* Corresponding author, e-mail: snghpranav@gmail.com
(Received: 17-11-2010; Accepted: 3-12-2010)

Abstract: Today's world is one with increasing online access to services. One part of this
which is growing rapidly is Internet banking. It is very convenient, and the ready access
to the Internet in all first world countries, coupled with the cost savings from closing bank
branches, is driving the operation and adoption of these services. Internet banking allows
customers to conduct financial transactions on a secure website operated by their retail or
virtual bank, credit union or building society. This paper mainly focuses on providing
banking services to customers over the web with highly secure technology. Implementing
technology is the responsibility of management. We highlight the case for the use of
biometric technology in Internet banking systems, for managing the risks of banks'
regular activities through authentication.

Keywords: Internet banking, Risk analysis, Risk management, Authentication, Biometrics.

1. Introduction
Today's world is one with increasing online access to services. One part of this which is
growing rapidly is Internet banking. Internet banking refers to systems that enable bank
customers to access accounts and general information on bank products and services through a
personal computer (PC) or other intelligent device. Internet banking products and services can
include wholesale products for corporate customers as well as retail and fiduciary products for
consumers. Ultimately, the products and services obtained through Internet banking may
mirror products and services offered through other bank delivery channels. Examples of
wholesale products and services include cash management, wire transfer, Automated Clearing
House (ACH) transactions, and bill presentation and payment. Examples of retail and
fiduciary products and services include balance inquiry, funds transfer, downloading of
transaction information, bill presentation and payment, loan applications, investment activity
and other value added services.

A. Types of Internet Banking

Understanding the various types of Internet Banking products will help examiners assess the
risks involved. Currently, the following three basic kinds of Internet banking are being
employed in the marketplace [2]:

Informational: This is the basic level of Internet banking. Typically, the bank has
marketing information about the bank's products and services on a stand-alone server. The risk
is relatively low, as informational systems typically have no path between the server and the
bank's internal network. This level of Internet banking can be provided by the bank or
outsourced. While the risk to a bank is relatively low, the server or website may be vulnerable to
alteration. Appropriate controls therefore must be in place to prevent unauthorized
alterations to the bank's server or website.

Communicative: This type of Internet banking system allows some interaction
between the bank's systems and the customer. The interaction may be limited to electronic
mail, account inquiry, loan applications, or static file updates. Because these servers may have
a path to the bank's internal networks, the risk is higher with this configuration than with
informational systems. Appropriate controls need to be in place to prevent, monitor, and alert
management of any unauthorized attempt to access the bank's internal networks and computer
systems. Virus controls also become much more critical in this environment.

Transactional: This level of Internet banking allows customers to execute
transactions. Since a path typically exists between the server and the bank's or outsourcer's
internal network, this is the highest risk architecture and must have the strongest controls.
Customer transactions can include accessing accounts, paying bills, transferring funds, etc.

B. Growth in Internet Banking

Numerous factors, such as competitive cost, customer service, and demographic
considerations, are motivating banks to evaluate their technology and assess their electronic
commerce and Internet banking strategies. Many researchers expect rapid growth in customers
using online banking products and services. The challenge for national banks is to make sure
the savings from Internet banking technology more than offset the costs and risks associated
with conducting business in cyberspace. The adoption of Internet banking has increased
dramatically during the last few years for the following reasons [2].

Competition: Studies show that competitive pressure is the chief driving force behind
increasing use of Internet banking technology, ranking ahead of cost reduction and revenue
enhancement, in second and third place respectively. Banks see Internet banking as a way
to keep existing customers and attract new ones to the bank.

Cost Efficiencies: National banks can deliver banking services on the Internet at
transaction costs far lower than traditional branches. The actual cost to execute a
transaction will vary depending on the delivery channel used. These costs are expected to
continue to decline. National banks have significant reasons to develop the technologies
that will help them deliver banking products and services by the most cost-effective
channels. However, national banks should use care in making product decisions.
Management should include in their decision making the development and ongoing costs
associated with a new product or service, including the technology, marketing,
maintenance, and customer support functions. This will help management exercise due
diligence, make more informed decisions, and measure the success of their business
venture.

Geographical Reach: Internet banking allows expanded customer contact through
increased geographical reach and lower cost delivery channels. In fact, some banks are
doing business exclusively via the Internet: they do not have traditional banking offices
and only reach their customers online. Other financial institutions are using the Internet as
an alternative delivery channel to reach existing customers and attract new customers.

Branding: Relationship building is a strategic priority for many national banks. Internet
banking technology and products can provide a means for national banks to develop and
maintain an ongoing relationship with their customers by offering easy access to a broad
array of products and services. By capitalizing on brand identification and by providing a
broad array of financial services, banks hope to build customer loyalty, cross-sell, and
enhance repeat business.

Customer Demographics: Internet banking allows national banks to offer a wide array of
options to their banking customers. Some customers will rely on traditional branches to
conduct their banking business. For many, this is the most comfortable way for them to
transact their banking business. Those customers place a premium on person-to-person
contact. Other customers are early adopters of new technologies that arrive in the
marketplace. These customers were the first to obtain PCs and the first to employ them in
conducting their banking business. The demographics of banking customers will continue
to change. The challenge to national banks is to understand their customer base and find
the right mix of delivery channels to deliver products and services profitably to their
various market segments.

2. Internet Banking Risks

Internet banking creates new risk control challenges for national banks. From a supervisory
perspective, risk is the potential that events, expected or unexpected, may have an adverse
impact on the bank's earnings or capital. Effective management of a bank's regular activity
requires that bank management understand and control the bank's risk culture. Therefore, in
this paper we first analyze the various types of risk faced by Internet banking.
The following are the various types of risk associated with Internet banking [2].
Credit Risk: Credit risk is the risk to earnings or capital arising from an obligor's failure to
meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is
found in all activities where success depends on counterparty, issuer, or borrower
performance. It arises any time bank funds are extended, committed, invested or otherwise
exposed through actual or implied contractual agreements, whether on or off the bank's
balance sheet.
Interest Rate Risk: Interest rate risk is the risk to earnings or capital arising from movements
in interest rates. Interest rate risk arises from differences between the timing of rate changes and
the timing of cash flows. Internet banking can attract deposits, loans and other relationships from a
larger pool of possible customers than other forms of marketing. Greater access to customers
who primarily seek the best rate or term reinforces the need for managers to maintain
appropriate asset/liability management systems, including the ability to react quickly to
changing market conditions.
Liquidity Risk: Liquidity risk is the risk to earnings or capital arising from a bank's inability
to meet its obligations when they come due, without incurring unacceptable losses. Liquidity
risk arises from the failure to recognize or address changes in market conditions affecting the
ability of the bank to liquidate assets quickly and with minimum loss in value. Asset/liability
and loan portfolio management systems should be appropriate for products offered through
internet banking. Increased monitoring of liquidity and changes in deposits and loans may be
warranted depending on the volume and nature of internet account activities.
Price Risk: Price risk is the risk to earnings or capital arising from changes in the value of a
traded portfolio of financial instruments. The risk arises from market making, dealing and
position taking in interest rate, foreign exchange, equity and commodities markets. Banks may
be exposed to price risk if they create or expand deposit brokering, loan sales, or
securitization programmes as a result of Internet banking activities. Appropriate management
systems should be maintained to monitor, measure, and manage price risk if assets are
actively traded.
Foreign Exchange Risk: Foreign exchange risk is present when a loan or portfolio of loans is
denominated in a foreign currency or is funded by borrowings in another currency. In some
cases, banks will enter into multi-currency credit commitments that permit borrowers to select
the currency they prefer to use in each rollover period. Foreign exchange risk can be
intensified by political, social or economic developments. Appropriate systems should be
developed if banks engage in these activities.
Reputation Risk: Reputation risk is the current and prospective impact on earnings and
capital arising from negative public opinion. This affects the institution's ability to establish
new relationships or services. This risk may expose the institution to litigation, financial loss, or a
decline in its customer base. A bank's reputation can suffer if it fails to deliver on marketing
claims or to provide accurate, timely services. National banks need to ensure that their business
continuity plans include the Internet banking business. Regular testing of the business continuity
plan, and communication strategies for the press and public, will help the bank ensure it can
respond effectively and promptly to any adverse customer or media reactions.

Transaction Risk: Transaction risk is the current and prospective risk to earnings and capital
arising from fraud, error, and the inability to deliver products or services, maintain a
competitive position, and manage information. Transaction risk is evident in each product and
service offered and encompasses product delivery, transaction processing, system
development, computing systems, complexity of products and services, and the internal
control environment. A high level of transaction risk may exist with Internet banking products,
particularly if those lines of business are not adequately planned, implemented and monitored.
Compliance Risk: Compliance risk is the risk to earnings or capital arising from violations of, or
nonconformance with, laws, rules, regulations, prescribed practices, or ethical standards.
Compliance risk also arises in situations where the laws or rules governing certain bank
products or activities of the bank's clients may be ambiguous or untested. Compliance risk
exposes the institution to fines, civil money penalties, payment of damages, and the voiding of
contracts.
Strategic Risk: Strategic risk is the current and prospective impact on earnings or capital
arising from adverse business decisions, improper implementation of decisions, or lack of
responsiveness to industry changes. The risk is a function of the compatibility of an
organization's strategic goals, the business strategies developed to achieve those goals, the
resources deployed against these goals, and the quality of implementation. The resources
needed to carry out business strategies are both tangible and intangible. They include
communication channels, operating systems, delivery networks, and managerial capacities and
capabilities. The organization's internal characteristics must be evaluated against the impact of
economic, technological, competitive, regulatory, and other environmental changes.

3. Risk Management
Risk management is the process of identifying vulnerabilities in an organization's information
systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and
availability of all the components in the organization's information system. Risk management
requires two major undertakings: risk identification and risk control. Continuing technological
innovation and competition among existing banking organizations and new entrants have
allowed a much wider array of banking products and services to become accessible and
delivered to retail and wholesale customers through an electronic distribution channel
collectively referred to as Internet banking. However, the rapid development of Internet
banking carries benefits as well as risks. Implementing technology is the responsibility of
management. Therefore, financial institutions should apply a technology risk
management process that enables them to identify, measure, monitor, and control their
technology risk exposure. Risk management of new technologies has three essential elements:
a. The planning process for the use of the technology.
b. Implementation of the technology.
c. The means to measure and monitor risk.
In the above analysis we have seen that Internet banking faces various types of risk.
Of these the most important is transaction risk. Transaction risk is the current and
prospective risk to earnings and capital arising from fraud, error, and the inability to deliver
products and services. National banks that offer bill presentation and payment will need a
process to settle transactions between the bank, its customers, and its external parties. In
addition to transaction risk, settlement failures could adversely affect reputation, liquidity and
credit risk. Therefore, to control such types of risk, banks have used various types of
technology. Biometric technology is one of the most important technologies for risk
management as well as for the security of Internet banking. Biometric technology is
applied to authentication. Authentication means a way to verify the buyer's identity
before payments are made. So, in this paper we highlight the applicability of
biometric technology for authentication.

4. Introduction to Biometrics
Biometrics, which refers to the automatic recognition of people based on their distinctive
anatomical (e.g., face, fingerprint, iris, retina, hand geometry) and behavioral (e.g., signature,
gait) characteristics, could become an essential component of effective person identification
solutions, because a biometric is an individual's bodily identity.
Biometrics is an enabling technology with the potential to make our society safer, reduce fraud
and lead to user convenience.

Biometric technologies should be considered and evaluated giving full consideration to the
following characteristics:

A.

Universality: Every person should have the characteristic. People who are mute or
without a fingerprint will need to be accommodated in some way.
Uniqueness: Generally, no two people have identical characteristics. However,
identical twins are hard to distinguish.
Permanence: The characteristics should not vary with time. A person's face, for
example, may change with age.
Collectability: The characteristics must be easily collectible and measurable.
Performance: The method must deliver accurate results under varied environmental
circumstances.
Acceptability: The general public must accept the sample collection routines.
Nonintrusive methods are more acceptable.
Circumvention: The technology should be difficult to deceive.
TYPES OF BIOMETRICS:

There are two types of biometrics: behavioral and physical.


Behavioral biometrics: Used for verification.
Physical biometrics: Used for either identification or verification.
Physical biometrics:
Fingerprint - Analyzing fingertip patterns.
Facial Recognition - Measuring facial characteristics.
Hand Geometry - Measuring the shape of the hand.
Iris recognition - Analyzing features of colored ring of the eye.
Vascular Patterns - Analyzing vein patterns.
Retinal Scan - Analyzing blood vessels in the eye.
Bertillonage - Measuring body lengths (no longer used).
Behavioral biometrics:
Speaker Recognition - Analyzing vocal behavior.
Signature - Analyzing signature dynamics.
Keystroke - Measuring the time spacing of typed words.

5. Applicability of Biometrics in Internet Banking for Authentication
Utilizing biometrics for internet banking is becoming convenient and considerably more
accurate than current methods (such as the utilization of passwords or PINs). This is because
biometrics links the event to a particular individual (a password or token may be used by
someone other than the authorized user), is convenient (nothing to carry or remember),
accurate (it provides for positive authentication), can provide an audit trail and is becoming
socially acceptable and inexpensive.

A. Advantages of Using Biometrics

Using biometrics for identifying human beings in internet banking offers some unique
advantages given as follows:

Biometrics can be used to identify you as you.

Tokens, such as smart cards, magnetic stripe cards, photo ID cards, physical keys and
so forth, can be lost, stolen, duplicated, or left at home.

Passwords can be forgotten, shared, or observed. Moreover, today's fast-paced
electronic world means people are asked to remember a multitude of passwords and personal
identification numbers (PINs) for computer accounts, bank ATMs, e-mail accounts, wireless
phones, web sites and so forth.

Biometrics holds the promise of fast, easy-to-use, accurate, reliable, and less expensive
authentication for a variety of applications.

Another key aspect is how "user-friendly" a system is. The process should be quick and
easy, such as having a picture taken by a video camera, speaking into a microphone, or
touching a fingerprint scanner.

As biometric technologies mature and come into wide-scale commercial use, dealing
with multiple levels of authentication or multiple instances of authentication will become less
of a burden for users.

B. Security Pitfalls of Previous Schemes

There are various shortcomings and pitfalls in the previously used authentication techniques.
Before turning to the new technology we mention some pitfalls of the previous schemes,
given as follows:

In many schemes [6], the password is chosen by the remote server and might be long,
random and difficult for a user to remember. Such a scheme is vulnerable to an insider who
has come to know the user's password and can misuse the system in future [7]. Passwords
are vulnerable to dictionary attacks, guessing and social engineering [10].

Previous schemes do not preserve the anonymity of the user. In the verification phase
the login message is transmitted to the authentication server over an insecure channel. In
a transaction scenario it is very important to preserve the privacy of the user, because an
adversary sniffing the communication channel can eavesdrop on the parties
involved in the authentication process and analyze the transaction being performed by the user.

Previous literature makes no provision for mutual authentication
between the user and the server.

Loss of smart cards is a very serious problem, because whoever holds the lost card can
impersonate the valid registered user.

Traditional authentication systems are based on secret keys, as in public key
infrastructure (PKI). But a key has many disadvantages: it can be forgotten or stolen and
can be easily cracked.

6. Biometric Authentication
Biometric devices consist of a reader or scanning device, software that converts the gathered
information into digital form, and a database that stores the biometric data for comparison with
previous records. When converting the biometric input, the software identifies specific points
of data as match points. The match points are processed using an algorithm into a value that
can be compared with the biometric data in the database. All biometric authentication requires
comparing a registered or enrolled biometric sample (biometric template or identifier) against
a newly captured biometric sample (for example, a fingerprint captured during a login).
Individuals must first register their form of identity with the system by capturing a
raw biometric to be used in the system. This process is called Enrolment and is composed of
three distinct phases: Capture, Process and Enroll [6].

Capture: A raw biometric is captured by the biometric sensing device.
Process: Characteristics that are unique to individuals and distinguish individuals from
one another are extracted from the raw biometric and transformed into a biometric
"template".
Enroll: The processed template is stored in a suitable storage medium such as a
database on a disk storage device or on a portable device such as a smart card,
whereby later comparisons can be made easily.

Once Enrolment is complete, the system can authenticate individuals by using the
stored template. Authentication is the process whereby a new biometric sample is captured from
the individual who is authenticating with the system and compared to the registered (enrolled)
biometric template. There are two forms of authentication: Verification and Identification.
Identification performs the process of identifying an individual from their biometric features.
Identification asks the question "Who are you?"
Verification involves matching the captured biometric sample against the enrolled template
that is stored, and requires the user to assert a specific claim of identity such as a user name or
unique key. Verification asks the question "Are you who you say you are?"

The success of a system in performing verification is measured using the metrics below.
A successful system will have high True Positive and True Negative values, while a poor system will
have high False Positive and False Negative values. Each metric is defined as follows:

TP: correctly allow access to an authorized user
TN: correctly deny access to an unauthorized user
FP: incorrectly allow access to an unauthorized user (false acceptance rate, FAR)
FN: incorrectly deny access to an authorized user (false rejection rate, FRR)
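The enrolment, verification and identification steps described above, together with the TP/TN/FP/FN counts and the FAR/FRR they yield, as an added worked example that is not from the paper. The templates are constructed three-element feature vectors standing in for extracted fingerprint data, and the match rule (Euclidean distance under a threshold) is an assumption chosen for illustration; the threshold sweep at the end shows the trade-off between the two error rates.

```python
"""Toy biometric verification/identification pipeline with TP/TN/FP/FN, FAR and FRR.

Added example, not code from the paper. Templates are 3-element feature vectors
(constructed stand-ins for extracted minutiae data); the match rule, Euclidean
distance at or below a threshold, is an assumption chosen for illustration.
"""
import math


def process(raw):
    """Process step: turn a raw capture into a template.

    A real system would extract distinguishing features here; this toy
    version only quantises each value to one decimal place.
    """
    return tuple(round(float(x), 1) for x in raw)


def distance(t1, t2):
    """Dissimilarity between two templates (smaller means closer)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(t1, t2)))


class BiometricStore:
    """Enrolled templates plus the verification and identification queries."""

    def __init__(self, threshold):
        self.threshold = threshold  # accept a match at or below this distance
        self.templates = {}         # enroll step: user id -> stored template

    def enroll(self, user_id, raw):
        self.templates[user_id] = process(raw)

    def verify(self, claimed_id, raw):
        """1:1 match - 'Are you who you say you are?' Needs a claimed identity."""
        template = self.templates.get(claimed_id)
        if template is None:        # a claim for an unknown user is never accepted
            return False
        return distance(template, process(raw)) <= self.threshold

    def identify(self, raw):
        """1:N search - 'Who are you?' Returns the closest enrolled id, or None."""
        probe = process(raw)
        best_id, best_d = None, None
        for user_id, template in self.templates.items():
            d = distance(template, probe)
            if best_d is None or d < best_d:
                best_id, best_d = user_id, d
        return best_id if best_d is not None and best_d <= self.threshold else None


# Constructed sample data: three enrolled users and the trials run against them.
ENROLLED = {"alice": (1.0, 2.0, 3.0), "bob": (5.0, 5.0, 5.0), "carol": (9.0, 1.0, 4.0)}
# (claimed id, fresh capture) pairs where the claim is honest ...
GENUINE_TRIALS = [("alice", (1.1, 2.0, 3.1)), ("bob", (5.2, 4.8, 5.0)),
                  ("carol", (9.0, 1.0, 4.9)), ("alice", (1.0, 2.3, 3.0))]
# ... and where someone else's capture is presented under the claimed id.
IMPOSTOR_TRIALS = [("alice", (5.0, 5.0, 5.0)), ("bob", (5.3, 5.3, 5.0)),
                   ("carol", (1.0, 2.0, 3.0))]


def build_store(threshold):
    store = BiometricStore(threshold)
    for user_id, raw in ENROLLED.items():
        store.enroll(user_id, raw)
    return store


def error_rates(store, genuine, impostor):
    """Count TP/TN/FP/FN over the trials; FAR = FP/(FP+TN), FRR = FN/(FN+TP)."""
    tp = fn = fp = tn = 0
    for user_id, raw in genuine:
        if store.verify(user_id, raw):
            tp += 1                 # authorized user correctly allowed
        else:
            fn += 1                 # authorized user wrongly denied (counts toward FRR)
    for user_id, raw in impostor:
        if store.verify(user_id, raw):
            fp += 1                 # unauthorized user wrongly allowed (counts toward FAR)
        else:
            tn += 1                 # unauthorized user correctly denied
    far = fp / (fp + tn) if fp + tn else 0.0
    frr = fn / (fn + tp) if fn + tp else 0.0
    return {"TP": tp, "TN": tn, "FP": fp, "FN": fn, "FAR": far, "FRR": frr}


def sweep(thresholds):
    """(FAR, FRR) per threshold: loosening it lowers FRR but raises FAR."""
    result = {}
    for t in thresholds:
        r = error_rates(build_store(t), GENUINE_TRIALS, IMPOSTOR_TRIALS)
        result[t] = (r["FAR"], r["FRR"])
    return result


if __name__ == "__main__":
    for t, (far, frr) in sweep([0.4, 0.5, 1.0]).items():
        print(f"threshold={t}: FAR={far:.2f} FRR={frr:.2f}")
```

With these constructed trials a threshold of 0.4 gives FAR 0 but rejects one genuine capture (FRR 0.25), while 1.0 accepts every genuine capture (FRR 0) but also one impostor (FAR 0.33); neither extreme is right for a high-risk transaction, which is why the paper stresses risk assessment before selecting an authentication tool.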

A diagram illustrating the process of Enrollment and Authentication is shown below:

Figure 1. Biometric Authentication

7. Comparison of Various Biometric Technologies

It is necessary to compare the various biometric technologies in terms of their characteristics
for adoption in the authentication process of Internet banking. In this context we
highlight the comparison of various types of biometric authentication techniques already
given by some authors and research studies. This is presented below in Table 1 and Figure 2.
Table 1. Comparison of various biometric technologies based on the perception of the authors. High, Medium, and Low are denoted by H, M, and L, respectively.

Figure 2. Graph of biometric technologies' share of the market (Source: Thermal imager FLIR
infrared camera resources)

It can be seen from the figures that fingerprint is the most common biometric,
occupying 48.8% of the market.
One of the major problems with the authentication of users via the Internet is the inherent lack
of security of traditional authentication techniques: passwords, PINs and cookies. With
the current development of the biometric fingerprint technology market, the possibility of
identifying someone online has been addressed. A fingerprint biometric authentication system is
one of the solutions to come out of recent developments. Such a system
allows a web page to include a validation check using objects
embedded in the web page, which call on an interface to a fingerprint reader attached to the
client computer; the reader returns a coded fingerprint to the server, where it is then validated.

8. Conclusion
From an operational perspective, this study indicates that banks with web-based banking
realized significant benefits. Internet banking allows customers to conduct transactions at any
time; thus it reduces the number of physical visits to a bank and has reduced the cost per
transaction. But, technologically, implementing web-based banking so that it is obvious to the
customer is challenging. Careful planning is a prerequisite if the full benefits are to be realized.


In our study we have found that biometric technology plays an important role in controlling
the risk factors through the authentication system. The implementation of appropriate
authentication methodologies should start with an assessment of the risks faced by the
Internet banking systems. An effective authentication programme should be implemented to
ensure that authentication tools are appropriate for all of the financial institution's Internet
based products and services. A comprehensive approach to authentication requires
development of, and adherence to, the bank's information security standards, integration of
the authentication process within the overall information security framework, risk assessment
within the lines of business supporting selection of authentication tools, and a central authority
for oversight and risk monitoring. This authentication process should be consistent with and
support the financial institution's overall security and risk management programme.

9. Future Work
Although in our study we have considered authentication as the only control mechanism for
the security concerned, it is inadequate in the case of high-risk transactions involving
access to customer information or the movement of funds to other parties. In future we
plan to study the various security aspects of Internet banking and will try to
implement an integrated authentication model using a new technological approach to deal
with the security challenges of Internet banking systems.

References
[1] Hogan, M. (2003), Are you who you claim to be?, National Institute of Standards and
Technology, International Standards Organisation.
http://www.iso.ch/iso/en/commcentre/isobulletin/articles/2003/pdf/biometrics03-03.pdf

[2] Internet Banking, Comptroller's Handbook, Comptroller of the Currency,
Administrator of National Banks, October 1999, USA.

[3] Misra and Puri, Indian Economy, Himalaya Publishing House, New Delhi, India (2008).

[4] Mathew Johnson, A New Approach to Internet Banking, Technical Report, University of
Cambridge Computer Laboratory, September 2008 (http://www.cl.cam.ac.uk).

[5] Michael E. Whitman and Herbert J. Mattord, Principles and Practices of Information
Security, Cengage Learning, Indian Edition (2009).

[6] Mitchell, T. M. (1997), Machine Learning, McGraw-Hill International Editions, p. 232.

[7] U.S. Pandey and Er. Saurabh Shukla, E-Commerce and Mobile Commerce Technologies, S.
Chand & Company Ltd., New Delhi (2010).

[8] Yazan K.A. Migdali, Quantitative Evaluation of the Internet Banking Service Encounters
Quality: Comparative Study between Jordan and UK Retail Banks, Journal of Internet
Banking and Commerce, Vol. 3, no. 2 (http://www.arraydev.com/commerce/jibc).
