Wednesday 25 March 2015

The risks of internet banking


Internet banking can be defined as the extension of banking services through Internet delivery channels, where your traditional physical bank extends the functionality of your branch into the virtual space.

Through a web interface, the bank provides its customers the convenience of executing transactions from the comfort of their homes or offices.

In Kenya, this convenience is further extended into mobile banking, where customers access their traditional bank accounts through mobile phones. One can therefore move funds from a bank account into other accounts existing within and beyond the hosting bank. This is quite innovative, very convenient and highly functional.

However, the fact that it works most of the time tends to hide the fact that occasionally things can, and do, go horribly wrong. When they do, most banks and their telecommunications partners prefer to remain silent in order to protect their reputation.

But silence does not mean that the risks of internet and mobile banking have disappeared. We must have a conversation about these risks and how to mitigate them.

In assessing the risks, we can adopt the common ‘CIA’ perspective – reviewing the Confidentiality, Integrity and Availability risks for internet and mobile banking.

Confidentiality refers to the extent to which information is kept private and only accessible to authorized personnel.

Integrity refers to the ability to protect information from non-authorized alterations, while availability refers to the ability to provide the banking service as and when it is required.

Confidentiality means that your bank account or mobile money (M-Pesa) details should have restricted access in order to minimize the risk of fraudulent activities.

If this were not true, and someone had prior knowledge of your mobile money balance, for example, they would have a better chance of executing the now-notorious trick of sending you a fake M-Pesa text message and subsequently calling you to claim that they have “mistakenly” posted you some money.

If they had knowledge of your previous balance, they would accurately report your faked new balance, increasing the chances that you would make a reverse transfer of the claimed amount in favor of the fraudster.

You would have been conned if you effected the reversal, since the transfer would be coming from your hard-earned money, rather than from the purported mistaken posting.

Another trick is emerging around online banking where some banks have been reported to be acting on “emailed instructions” from customers.

Whereas the Kenya Information and Communication Act of 2009 did recognize electronic records as valid in the eyes of Kenyan courts, the framework supporting emailed transactions is not yet implemented.

Specifically, the Public Key Infrastructure (PKI) framework that would provide solid authentication and non-repudiation mechanisms to support email and other electronic transactions is largely ignored in Kenya.

Authentication is a mechanism that validates the identity supplied by online customers, while non-repudiation is a property that allows one to confirm beyond reasonable doubt, by way of digital signatures, that a particular email or electronic communication did originate from a particular customer.

In the absence of a Public Key Infrastructure (PKI) environment, it is very easy to generate fake email instructions to a bank that purport to originate from a valid customer. Once the bank executes such an instruction, the customer loses their money.
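As an added illustration of the signature check described above (example code written for this page, not from any bank or from the original post), the customer signs a payment instruction with an Ed25519 private key and the bank verifies it against the public key registered for that account; a copy altered after signing, or one signed by someone else's key, is rejected. The account numbers, amount and reference are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PaymentInstruction is a constructed example of the message a customer
// would email to the bank; field names and layout are assumptions.
type PaymentInstruction struct {
	FromAccount string
	ToAccount   string
	AmountKES   int64
	Reference   string // unique per instruction so a replayed copy can be spotted
}

// canonical renders the instruction as a fixed byte layout; signing the exact
// bytes the bank will verify is what binds the signature to every field.
func (p PaymentInstruction) canonical() []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%d|%s", p.FromAccount, p.ToAccount, p.AmountKES, p.Reference))
}

// SignInstruction runs on the customer's side with their private key.
func SignInstruction(priv ed25519.PrivateKey, p PaymentInstruction) []byte {
	return ed25519.Sign(priv, p.canonical())
}

// VerifyInstruction runs at the bank against the public key registered for the
// account holder; only the holder of the matching private key can produce a
// signature that passes, which is the non-repudiation property the text describes.
func VerifyInstruction(pub ed25519.PublicKey, p PaymentInstruction, sig []byte) bool {
	return ed25519.Verify(pub, p.canonical(), sig)
}

func main() {
	customerPub, customerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)
	instr := PaymentInstruction{"0123456789", "9876543210", 50000, "INV-2015-0042"}
	sig := SignInstruction(customerPriv, instr)
	fmt.Println("genuine instruction verifies:", VerifyInstruction(customerPub, instr, sig))

	// An insider alters the amount after signing: the signature no longer matches.
	tampered := instr
	tampered.AmountKES = 500000
	fmt.Println("altered instruction verifies:", VerifyInstruction(customerPub, tampered, sig))

	// A forger signs with their own key: it fails against the customer's registered key.
	fmt.Println("forged instruction verifies:", VerifyInstruction(customerPub, instr, SignInstruction(forgerPriv, instr)))
}
```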

The situation can even get more complicated when bank insiders are the ones originating the fake email instructions and subsequently executing them under the pretext of innocently serving the customer, when in essence, they are paying themselves through remote accomplices.

Indeed, customers themselves can exploit the loopholes within electronic communications that lack digital signatures. They could also originate fake email instructions to pay their remote accomplices, with the ulterior motive of ensuring that these instructions are later confirmed as fake, making the bank liable for a refund.

All these confidentiality and integrity issues can be technically addressed by implementing a Public Key Infrastructure (PKI) environment. However, other policy, regulatory and procedural practices must precede a successful PKI implementation. The Data Protection Act and the Freedom of Information Act must be urgently enacted to protect citizens from exposures in the ever-changing technological landscape.

Yes, it's a digital world, but not without risks!
