ARTICLE-1
HOW DIGITAL CERTIFICATES WORK
The Internet, a virtual world online, is actually built on trust. When we communicate or send and receive information with other people online, we don't actually see those people, but we trust that they are who they say they are. Trust alone is not enough when it comes to financial transactions or other important communication, because there are crackers and hackers, scammers and con artists all around us. They are very active in stealing credit card numbers, personal and financial information, and business secrets. On the other hand, a business needs to know whether the person sending data really is who he says he is, or an impostor who has managed to steal the data from someone else.
Here the DIGITAL CERTIFICATE comes into the picture. It is an attachment to an electronic message used to verify that the person sending information, a credit card number or anything else over the Internet really is who he claims to be. The certificate is stored on a person's hard disk, and encryption technology is used to create a unique digital certificate for each person. When someone sends an email or goes to a site with a digital certificate, the certificate is presented to the site or attached to the email, and it validates that the user is who he claims to be.
Because powerful encryption technology is used, these certificates are quite safe and secure, probably much more so than a real-life signature. A real-life signature can be forged, but a digital certificate on the Internet cannot be.
Certificate Authorities (CA)
Certificate authorities are independent, recognized and mutually trusted third parties who issue Digital Certificates and guarantee that the person or site is who it claims to be.
The Digital Certificate contains:
- Name of the entity
- Address of the entity
- The certificate's serial number
- Public key
- Expiration date
- Digital signature
The information is encrypted in such a way that it is unique for each person. The most widely used standard for Digital Certificates is X.509, and the best-known certificate authorities are VeriSign (www.verisign.com) and Thawte (www.thawte.com).
How the Certificate Is Created
Step 1: The certificate authority verifies that the public key belongs to a specific company or individual and, through a detailed validation process, determines that the company or individual is who it claims to be. How thorough this is depends on the CA and on the level of certification.
Step 2: After the validation is complete, the CA creates an X.509 certificate that contains the CA and subject information, including the subject's public key. The CA signs the certificate by computing a hash value over it and encrypting that hash value with its private key. The encrypted hash value is called a "digital signature," and when it is placed into the X.509 certificate, the certificate is said to be "signed." The private key is very important, and the CA keeps it very secure, because if it were discovered, false certificates could be created.
Public Key Cryptography
Every packet of data sent over the Internet passes through many public networks, which means access to these packets is not private. So highly confidential information such as corporate data or credit card numbers is not safe when transmitted across the Internet, and the Internet will never be a secure place to do business or send private data unless there is some way to protect that kind of information.
To protect confidential information, software developers developed encryption and decryption: the information is altered in such a way that to anyone other than the intended recipient it looks like meaningless garbage, and it is turned back into the original message by the recipient, and only by the recipient. Many complex cryptosystems have been created to allow this kind of encryption and decryption.
At the heart of a cryptosystem are the keys. Keys are secret values that computers use in concert with complex mathematical formulas called algorithms to encrypt and decrypt messages. The concept behind keys is that if someone encrypts a message with a key, only someone with the matching key will be able to decrypt the message.
There are two common encryption systems: secret-key cryptography, i.e. symmetric cryptography, and public-key cryptography, i.e. asymmetric cryptography. The most common secret-key cryptography system is the Data Encryption Standard (DES).
How to verify the Certificate
The signed certificate is verified by the recipient's software, which is usually the recipient's web browser. The web browser maintains a list of CAs and their public keys. It uses the appropriate CA public key to decrypt the signature back into the digest, recomputes its own digest from the plain text of the certificate, and compares the two. The certificate is verified if both digests match, and the public key in the certificate is then assumed to be the valid public key of the subject.
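The CA's signing step (Step 2 above) and the recipient's verification just described, as an added Python example that is not part of the original article. It follows the article's description literally, hashing the certificate body and "encrypting" the hash with the CA's private key, using textbook RSA with no padding; the key size, subject name and serial number are constructed values, and a real X.509 certificate is ASN.1-encoded and signed with a padded scheme (PKCS#1 RSA or ECDSA) rather than this toy.

```python
import hashlib
import secrets
E = 65537  # conventional RSA public exponent

def _is_probable_prime(n, rounds=40):  # Miller-Rabin probabilistic primality test
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits=512):
    """Return (public, private) as (exponent, modulus) tuples. 512 bits keeps the demo fast; far too small for real use."""
    primes = []
    while len(primes) < 2:
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand) and (cand - 1) % E and cand not in primes:  # (cand-1) % E != 0 keeps gcd(E, phi) == 1
            primes.append(cand)
    p, q = primes
    return (E, p * q), (pow(E, -1, (p - 1) * (q - 1)), p * q)

def _digest(tbs):
    """SHA-256 over a canonical encoding of the to-be-signed fields, as an integer (always below n here)."""
    return int.from_bytes(hashlib.sha256(repr(sorted(tbs.items())).encode()).digest(), "big")

def ca_sign(tbs, ca_private):
    """Step 2: hash the certificate body and 'encrypt' the hash with the CA's private (d, n)."""
    return {"tbs": tbs, "signature": pow(_digest(tbs), *ca_private)}

def browser_verify(cert, ca_public):
    """Recipient side: 'decrypt' the signature with the CA's public (e, n), recompute the digest, compare."""
    return pow(cert["signature"], *ca_public) == _digest(cert["tbs"])

def demo():
    """Sign a constructed certificate, then verify it and a copy whose subject name was altered."""
    ca_pub, ca_priv = generate_keypair()
    tbs = {"subject": "Example Subject (constructed)", "serial": 1001, "public_key": generate_keypair()[0]}
    cert = ca_sign(tbs, ca_priv)
    forged = {"tbs": dict(tbs, subject="Impostor"), "signature": cert["signature"]}
    return browser_verify(cert, ca_pub), browser_verify(forged, ca_pub)
```

A single changed character in the subject changes the digest, so the signature copied from the genuine certificate no longer verifies; only someone holding the CA's private exponent could produce a matching one.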
VeriSign introduced the concept of classes of digital certificate:
Class 1 - For Individual
Class 2 - For company or organizations-Identity proof required
Class 3 - For servers & software signing
Class 4 - For online business transactions between two companies
Class 5 - For private or governmental security
A Digital ID is valid for one year, and after that all software signed with it has to be re-signed. To avoid this, companies have introduced time-stamping services. Once software has been time-stamped, it does not need to be re-signed after the Digital ID expires.
Picture: a user receives an unsigned component distributed via the Internet.
The following will occur:
- If security settings are set to "High," the client application will not permit the unsigned code to load.
- If security settings are set to "Medium," the client application will display a warning like the screen shown in the picture.
Picture: a user receives a signed component distributed via the Internet.
ARTICLE-2
A brief overview of Mobile Banking
Intro
I suppose I am not exaggerating if, when somebody asks me "where is your bank?", I say "in my hand". We really can perform several banking operations with the help of a mobile phone. In India there are 400 million mobile subscribers, and the number is growing. The banking population is much smaller than this, so there is tremendous scope for banks to use the mobile channel, because most customers are comfortable with it. Bankers are now shifting focus from cost reduction to branchless banking.
Technology
For branchless banking there are two elements. The first is the Debit/ATM/Smart Card and the other is the cell phone. Both are technology dependent. ATM or smart card technology does not really bring down banking costs, because it involves operating costs, but mobile banking is truly cashless, and if our involvement in mobile banking grows, then we really will enter into a cashless economy.
GSM Architecture
MS - Mobile Station
BTS - Base Transceiver Station
BSC - Base Station Controller
MSC - Mobile Switching Centre
OMC - Operation and Management Centre
SMSC - Short Message Service Centre
ISC - International Switching Centre
EIR - Equipment Identity Register
AUC - Authentication Centre
HLR - Home Location Register
VLR - Visitor Location Register
Mainly three technologies are used for mobile banking: SMS, GPRS and USSD (Unstructured Supplementary Service Data).
SMS, often called text messaging, is widely accepted for mobile banking because all current mobile devices have a text messaging facility. GPRS (General Packet Radio Service) is widely accepted because of its faster data rate, and it has become more widely available along with other 2.5G and 3G services. A Java-enabled handset is required for GPRS. Banks offer this facility only on GSM mobiles, not on CDMA mobiles.
Protocol Overview
What mobile banking facilities do banks offer to customers?
Banking Services
- Check balances in the customer's current account and savings account,
- Check balances in the customer's fixed deposit account,
- Check and view the last 10 transactions in the customer's account,
- Request an account statement for a selected period by e-mail,
- Pay bills to registered billers through the bank's Bill Pay system,
- Transfer funds from the customer's account to any third-party account (this varies from bank to bank),
- Request a new cheque book,
- Check the status of an issued cheque.
Investment Services
- Check investment account holding value,
- Investment in mutual fund,
- Redeem the investment,
- View the last 5 NAVs of a mutual fund.
Additionally, a customer can change his net banking password. It is advisable to change the password at regular intervals.
Who can access & view mobile banking?
Individual Account
Account Type | View | Access |
Sole Ownership Account | Yes | Yes-Access & Transact |
Joint Account-Single Operation | Yes | Yes-Access & Transact |
Joint Account-Joint Operation | Yes | No |
Minor Account-Minor | No | No |
Minor Account-Guardian | Yes | Yes-Access & Transact |
Minor Account-Power of Attorney | Yes | Yes-Access & Transact |
Non-Individual Account
Account Type | View | Access |
Authorized Signatories-Single Operating | Yes | Yes-Access & Transact |
Authorized Signatories-Conditional Operating | Yes | No |
How SMS Mobile Banking Works
- To avail of this facility it is essential to register a mobile number with the bank,
- You must be a subscriber of a cellular service provider with whom the bank has a tie-up for the SMS facility,
- SMS banking covers most basic banking enquiries, such as balance enquiry, cheque status, mini statement, cheque book request and others,
- An individual can access only his own account,
- A transaction is executed when a customer sends a command keyword to the bank using a short code, a five or six digit number. If the account holder sends 'BAL', he gets a quick response with his account balance.
How GPRS enabled mobile banking works
- You need a GPRS-enabled mobile handset and an advanced GPRS subscription from the mobile service provider; a minimum GPRS bandwidth of 80 kbps is also required,
- The handset must be Java enabled, MIDP 2.0 and CLDC 1.0 compliant, and have more than 100 KB of JAR memory,
- Using the service provider's GPRS menu, download the application provided by the bank and install it,
- After installation the application icon will appear in the menu,
- Start the application with your user ID or nickname and net banking password. After a successful login an activation key is generated. You have to register this key with the help of the bank's customer care service. After successful registration you can access your account from your mobile phone using the bank's mobile banking facility.
How USSD enabled mobile banking works
USSD means Unstructured Supplementary Service Data. This system is only available on GSM networks. Various mobile banking processes, i.e. balance enquiry, money transfer, bill payment and top-up, can be performed through this communication protocol. It is similar to SMS technology, except that its data payload is limited to 160-182 alphanumeric characters in a single transmission. However, this technology has some advantages over SMS technology:
- Message delivery is guaranteed,
- The protocol allows session-based communication between the server and the mobile handset,
- USSD applications may be built on a wide variety of mobile application platforms such as WAP, J2ME, SIM Toolkit and CAMEL, or used directly via USSD commands,
- USSD is more secure than standard SMS,
- Commands are invoked by entering command codes; there is no need to install an application on the handset or to open a messaging application,
- USSD costs the end user nothing.
Security
Mobile banking is very attractive because of its convenient approach to remote banking, but safety is still a concern for several customers. Banks assure customers that mobile banking is as safe as an iron locker because transactions work on a four-digit mobile banking PIN, and incorrect PIN entries lock the application.
Mobile banking uses the secure HTTPS protocol for communication between the mobile client and the mobile server. Secure Hyper Text Transfer Protocol (HTTPS) uses HTTP but additionally activates web server security in the form of Secure Sockets Layer (SSL), so that communications between the client and the (host) web server are encrypted.
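The registered-number check from the SMS section above and the PIN lockout from the Security paragraph, put together as an added Python example (not from the article or from any bank's software). The transport is abstracted away: handle() receives the sender's number, a keyword such as BAL and the PIN, whichever channel delivered them. The lockout threshold, customer record and balance are constructed values.

```python
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3  # constructed policy: lock the service after three consecutive wrong PINs

def hash_pin(pin, salt):
    """Salted PBKDF2 of the PIN. Only 10,000 four-digit PINs exist, so the lockout, not the hash, is the main control."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Customer:
    """Constructed customer record; the balance is held in paise."""
    def __init__(self, mobile, pin, balance_paise):
        self.mobile, self.balance_paise = mobile, balance_paise
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)  # the clear PIN is never stored
        self.failed_attempts, self.locked = 0, False

class MobileBankingGateway:
    """Serves keyword commands (BAL, ...) arriving from a customer's registered mobile number."""
    def __init__(self, customers):
        self.by_mobile = {c.mobile: c for c in customers}

    def handle(self, sender, keyword, pin):
        cust = self.by_mobile.get(sender)  # only the registered number may reach the account
        if cust is None:
            return "Mobile number not registered for mobile banking."
        if cust.locked:
            return "Service locked. Please contact customer care."
        if not hmac.compare_digest(hash_pin(pin, cust.salt), cust.pin_hash):
            cust.failed_attempts += 1
            if cust.failed_attempts >= MAX_PIN_ATTEMPTS:
                cust.locked = True
                return "Service locked after repeated incorrect PIN."
            return "Incorrect PIN."
        cust.failed_attempts = 0  # a correct PIN resets the counter
        if keyword.upper() == "BAL":
            return f"Available balance: Rs {cust.balance_paise / 100:.2f}"
        return "Unknown keyword."

def demo():
    """Constructed exchange: an unregistered sender, a good PIN, three wrong PINs, then a retry."""
    gw = MobileBankingGateway([Customer("+919800000001", "1234", 125050)])
    attempts = [("+919800000002", "BAL", "1234"), ("+919800000001", "BAL", "1234"),
                ("+919800000001", "BAL", "0000"), ("+919800000001", "BAL", "1111"),
                ("+919800000001", "BAL", "2222"), ("+919800000001", "BAL", "1234")]
    return [gw.handle(*a) for a in attempts]
```

Once the third wrong PIN locks the record, even the correct PIN is refused until customer care clears the lock, which is what stops a 10,000-guess brute force against a four-digit PIN.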
Conclusion
As long as the technology is safe, mobile banking is also safe. Globally, m-commerce is growing very fast. Every bank is trying to give customers better opportunities. Advanced technologies have simplified our life; we can do more outside the bank.
Ref. video: how Barclays Mobile banking works
http://www.barclays.in/channels/mobile/hello_money_demo.htm
Ref. Kotak Mahindra Bank, Barclays India, Indian Overseas Bank