Understanding Transaction Security
Security and the perception of security is paramount for banks as theirs is the burden of trust. We trust our bank to keep our money safe and to ensure it remains so make sure they have enough when we want to come and withdraw at some future time.
We trust our banks to protect our information, our money and our transactions from being intercepted and changed. We trust our banks to ensure that no false transaction is initiated on my behalf, and we trust our banks to know who we are so as to protect my identity as a client from being abused in any way. On top of this huge burden of trust, we also expect our banks to make it easy and convenient for us to access our banking services and of course as cheap as possible!
Transaction Security can in simple terms be reduced to the following key concepts:
- authentication which is all about knowing that the entity you are dealing with is who they say they are.
- authorisation which is all about ensuring that the authenticated entity is actually allowed to do what they are requesting
- non repudiation is all about ensuring that if some action is done, it can be proved without a doubt that the doer did it
- traceability is all about ensuring that any action or transaction can be traced from its origin to its conclusion/destination
- auditability is about ensuring that the data of all actions and transactions exists and can be reported on in a meaningful way
- privacy is about ensuring that the contents of any transaction/data cannot be observed by anybody other than authorised persons
- verifiability is being able to verify the originator and in some case, the destination of any financial transaction
and the tools used include:
- encryption
- message authentication codes
- transaction & batch sequence numbering
- session layer encryption
- hardware security modules
- trust centres and key management
- identity managent
- access control
- audit logs
- standardized message formats etc...
Obviously in complying with these and other security considerations some flexibility and ease of access is lost, making some banking experiences extremely frustrating. Knowledge, with a good dose of common sense, is what is required to balance the security applied against the actual magnitude of the exposure. The difficulty lies not in the financial risk mitigation but in the reputation risk mitigation. If a bank loses it reputation for being safe then it might as well close its doors. For this, and all the preceding reasons, Transaction Security is a key requirement from any banking system.