
DEVELOPING AN “EBANKING” SOLUTION FOR UK CREDIT

4/20/2008 COMP1308 Ecommerce

Abstract:
Banks today operate in a highly competitive external environment shaped by globalization
and deregulation. They find it difficult to retain customers and to compete on price, and
need to look for other ways to resolve this. As customer demand increases, banks have
turned to technology to respond to their customers' needs. In this section, we discuss the
technologies and solutions that can be implemented in this situation by means of e-banking.

Introduction
E-banking (electronic banking) is the automated delivery of new and traditional banking products and
services directly to customers through electronic, interactive communication channels. It provides systems that
enable customers of financial institutions, personal or corporate, to access accounts, transact business, and receive
information about products and services through a public or private network, including the internet. Electronic
banking is also known as internet banking (iBanking), online banking, or PC banking. It includes wire
transfers, ATMs, mobile banking, electronic funds transfers and debit cards. Today's iBanking products
allow customers to make customer service inquiries, transfer funds from another account or bank, apply for a loan,
open an account, invest in insurance, buy shares, etc. Some institutions provide commercial services, and others
provide full services in the rush to get there. Most financial institutions have used this strategy,
offering most of the financial services a customer could want. Visits to bank branches are becoming
fewer and fewer because most customers are now aware of electronic banking, such as ATMs, home
banking over the internet, or mobile banking, for their financial business. Most financial companies
are aware of this strategy and are looking for technology that introduces new
ways of delivering banking to their customers, such as ATMs and internet banking. As they find
themselves at the forefront of this technology, they are trying to replace their traditional banking functions.
We are therefore going to apply this strategy to stay competitive with the other large financial institutions
and to avoid falling behind in the use of the latest technologies for financial institutions.

Case Study of online banking


ING DIRECT
ING is the name of the company formed in 1991 from Nationale-Nederlanden, the largest insurance
company, and NMB Postbank Groep, a banking operation offering a range of wholesale and retail financial
services. ING expanded internationally in Europe and the United States in the late 1990s. ING carried out
intensive market research that led it to plan its first foreign direct, or online, banking initiative in Canada.
ING's market researchers found Canada to be a mid-sized market where customers were experiencing low
interest rate offers and high service charges. ING therefore launched the initiative in Canada in 1997 as ING Direct.
The approach was successful, and in 1999 ING Direct launched in Spain, Italy, France, Germany, the United
Kingdom and Australia. By 2000 ING had become the largest online bank and went on to expand further in the United
States. By 2006 it held deposits of 268 billion and made a pretax profit of 263 million in the second
quarter, meaning that the company had grown rapidly. ING Direct expanded to successful branches in 9
countries.
The factors behind this success story are that ING Direct was carefully planned and focused on offering a limited
number of services from which it could make money, and on giving customers a high interest rate compared with
traditional banks. It offered services free of charge with no minimum deposit, and its marketing message was simple:
“great rates, no fees, no minimum”.


The business operation ING deployed was low cost but efficient. ING's simple operation consists of accepting
deposits, selling investment products and several mutual funds, and writing home mortgages. It never offers
charged services such as checking and payment services, and money is transferred back and forth at no cost
between the customer's traditional bank and ING Direct.
_______________________________
King, McKay, Marshal, Lee, Viehland, Pearson International Edition: 2008 Electronic Commerce

Technologies and Solution


Loans
Personal Loan
Spring clean your finances with a UKCredit Personal Loan. Borrow between £7,000 and £25,000 over 2 - 7
years and get an instant online decision. 8.4% APR typical
Smaller Loan
UK residents can apply for direct loans between £1,000 and £6,999 over 1 to 5 years. Apply online for an
instant unsecured loan decision. 15.9% APR typical
Existing Loan Customers

You can apply to top up your UKCredit Personal loan at any time. Simply extend your loan term and keep
your repayments similar or alternatively you can increase your monthly repayment and pay back over the
same loan term - the choice is yours! Give us a call and we can discuss all the options with you.

Key Benefits
• Choice of Personal Loan or Smaller Loan
• Choice of repayment terms
• Borrow from £1,000 to £25,000
• Ability to "top-up" your existing loan
• Apply by phone
• Instant decision loans available
Account
Student Account

Our Student Additions bank account has all the benefits you’d expect from a current account including an
interest-free overdraft to help you financially during your time at uni.
New customers: Apply now
I have a UKCredit account: Upgrade in branch

What you get:


£200 interest-free overdraft on account opening with further interest-free limits available up to
£2,000†. Apply to extend your overdraft up to £3,000 at a preferential rate of 8.9% EAR typical
variable if your other funds have been used up. Overdrafts are repayable on demand.


Student and graduate relationship managers in selected branches.


Connect card (subject to status) with daily ATM withdrawal limit of £300 subject to status and
available funds.
Online & Telephone Banking (subject to registration).
Top up your mobile at our ATMs.

Interest free overdraft limit available on request:


Year 1 £1,000
Year 2 £1,250
Year 3 £1,500
Year 4 £1,750
Year 5 £2,000

Front-End eSoft Solution


We know that we will need better, high-performance information processing with an interactive GUI that
allows customers to conduct iterative searches and interact with the information displayed on their PC
screens.
This section will discuss the role that Asynchronous JavaScript plus XML (AJAX),
Rich Internet Application (RIA) technology and AJAX
An RIA is a web application with the features and functionality of a traditional desktop application. It typically
runs in a web browser, so no software installation is required.
AJAX is considered among the most capable web development technologies available; it enables search engines
and other consumer applications to enrich the user experience for web surfers. In addition, it makes it possible
to create solutions that offer business value by providing feature-rich GUIs that cost less
to build, maintain and own than thick-client or plug-in based alternatives.
Benefits:
Richer – ¹“It offers user-interface behaviors that are not obtainable using only the HTML widgets available to
standard browser-based web applications.” This covers almost anything that can be implemented in the
technology used on the client side, such as drag and drop, using a side bar to change data, and performing
calculations entirely on the client without sending them back to the server; a mortgage calculator is an
example.
More responsive – because the client does not need to interact with a remote server for each user action, unlike
a standard web browser, which must always interact with a remote server.
Client/server balance – the demand on client and server computing resources is better balanced, because
the web server does not need to do work that the client side can do itself.
Asynchronous communication – the client engine can interact with the server without waiting for the user to
make a request by clicking a button or link. This allows RIA designers to move data between the client and the
server without the user requesting it.
Network efficiency – network traffic may also be significantly reduced, because an application's client
engine is more intelligent than a standard web browser when deciding what data to send to and
exchange with the servers. This speeds up requests and responses on both the client and the server side,
because less data is transferred for each interaction and the overall network load is reduced.

_________________________________________
¹ http://en.wikipedia.org/wiki/Rich_Internet_application

Back-end Infrastructure
Software Development
J2EE (Java 2 Platform Enterprise Edition)
J2EE is the standard for developing multitier enterprise applications. It simplifies enterprise applications by
basing them on standardized modular components, by providing a complete set of services to those components, and
by automatically handling many details of application behavior, without complex programming.
The platform takes advantage of many features of the Java 2 Platform, Standard Edition (J2SE),
such as “write once, run anywhere” portability, the JDBC API for database access, CORBA technology for
interaction with enterprise resources, and a security model that protects data even in internet
applications. On top of this, the platform adds full support for Enterprise JavaBeans components, JavaServer Pages,
the Java Servlets API, and XML technology. Complete specifications and compliance tests are included to ensure
portability of applications across the wide range of existing enterprise systems capable of supporting the
J2EE platform. J2EE ensures web services interoperability through support for the WS-I Basic Profile.
JavaBeans
JavaBeans is an object-oriented programming interface from Sun Microsystems that lets you build re-usable
applications or program building blocks called components that can be deployed in a network on any major
operating system platform. Like Java applets, JavaBean components can be used to give World Wide Web
pages interactive capabilities such as computing interest rates or varying page content based on user or
browser characteristics.
To build a component with JavaBeans, you write language statements using Sun's Java programming
language and include JavaBeans statements that describe component properties such as user interface
characteristics and events that trigger a bean to communicate with other beans in the same container or
elsewhere in the network.
We are going to use the Java programming language, because we are developing an e-channel for
banking purposes, which is exactly what Java can do effectively. Java is the most powerful programming
language for banking purposes because of its object-oriented structure.
Web Server
Windows Server 2008
Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of
Internet-based services for servers using Microsoft Windows. It is the world's second most popular web server in
terms of overall websites, behind Apache HTTP Server. As of March 2008 it served 49.38% of all websites and
35.20% of all active websites according to Netcraft.[1] The servers currently include FTP, SMTP, NNTP, and
HTTP/HTTPS.

Earlier versions of IIS were hit with a number of vulnerabilities, chief among them CA-2001-19 which led to
the infamous Code Red worm; however, version 7.0 currently has no reported issues that affect it. In
perspective, as of 11 September 2007, the free software Apache web server has one unpatched reported
issue, affecting only MS Windows systems, and rated "less critical". In IIS 6.0, Microsoft has opted to change
the behavior of pre-installed ISAPI handlers,[6] many of which were culprits in the vulnerabilities of 4.0 and
5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service
Extensions" that prevents IIS from launching any program without explicit permission by an administrator. With
the current release, IIS 7.0, the components were modularized, so that only the required components have to
be installed, thus further reducing the attack surface. In addition, security features such as URLFiltering were
added, which reject suspicious URLs based on a user-defined rule set.
In IIS 5.1 and lower, by default all websites were run in-process and under the System account, a default
Windows account with elevated rights. Under 6.0 all request handling processes have been brought under a
Network Services account which has significantly fewer privileges. In particular this means that if there is an
exploit in a feature or custom code, it wouldn't necessarily compromise the entire system given the sandboxed
environment the worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter
HTTP request parser and response cache for both static and dynamic content.

Apache Server

The Apache HTTP Server, commonly referred to simply as Apache, is a web server notable for playing a key
role in the initial growth of the World Wide Web. Apache was the first viable alternative to the Netscape
Communications Corporation web server (currently known as Sun Java System Web Server), and has since
evolved to rival other Unix-based web servers in terms of functionality and performance.
It is often said that the project's name was chosen for two reasons: out of respect for the Native American
Indian tribe of Apache (Indé), well-known for their endurance and their skills in warfare, and due to the
project's roots as a set of patches to the codebase of NCSA HTTPd 1.3 - making it "a patchy" server, although
the latter theory is a lucky coincidence.
Apache is developed and maintained by an open community of developers under the auspices of the Apache
Software Foundation. The application is available for a wide variety of operating systems, including Unix,
FreeBSD, Linux, Solaris, Novell NetWare, Mac OS X, and Microsoft Windows. Released under the Apache
License, Apache is characterized as free software and open source software.
Since April 1996 Apache has been the most popular HTTP server on the World Wide Web. However, since
November 2005 it has experienced a steady decline of its market share, lost mostly to Microsoft Internet
Information Services. As of March 2008 Apache served 50.69% of all websites.

Apache supports a variety of features, many implemented as compiled modules which extend the core
functionality. These can range from server-side programming language support to authentication schemes.
Some common language interfaces support mod_perl, mod_python, Tcl, and PHP. Popular authentication
modules include mod_access, mod_auth, and mod_digest. A sample of other features include SSL and TLS
support (mod_ssl), a proxy module, a useful URL rewriter (also known as a rewrite engine, implemented under
mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).
Popular compression methods on Apache include the external extension module, mod_gzip, implemented to
help with reduction of the size (weight) of web pages served over HTTP. Apache logs can be analyzed
through a web browser using free scripts such as AWStats/W3Perl or Visitors.
Virtual hosting allows one Apache installation to serve many different actual websites. For example, one
machine, with one Apache installation could simultaneously serve www.example.com, www.test.com,
test47.test-server.test.com, etc.


Apache features configurable error messages, DBMS-based authentication databases, and content
negotiation. It is also supported by several graphical user interfaces (GUIs) which permit easier, more intuitive
configuration of the server.

Usage
Apache is primarily used to serve both static content and dynamic Web pages on the World Wide Web.
Many web applications are designed expecting the environment and features that Apache provides.
Apache is the web server component of the popular LAMP web server application stack, alongside MySQL,
and the PHP/Perl/Python programming languages.
Apache is redistributed as part of various proprietary software packages including the Oracle Database or
the IBM WebSphere application server. Mac OS X integrates Apache as its built-in web server and as
support for its WebObjects application server. It is also supported in some way by Borland in the Kylix and
Delphi development tools. Apache is included with Novell NetWare 6.5, where it is the default web server.
Apache is used for many other tasks where content needs to be made available in a secure and reliable way.
One example is sharing files from a personal computer over the Internet. A user who has Apache installed on
their desktop can put arbitrary files in the Apache's document root which can then be shared.
Programmers developing web applications often use a locally installed version of Apache in order to preview
and test code as it is being developed.
Microsoft Internet Information Services (IIS) is the main competitor to Apache, trailed by Sun Microsystems' Sun
Java System Web Server and a host of other applications such as Zeus Web Server. Some of the biggest
web sites in the world are run using Apache. Google's search engine front end is based on a modified version
of Apache, named Google Web Server (GWS). Wikimedia projects, including Wikipedia are also run on
Apache servers.

Market structure

Given below is a list of top Web server software vendors published in a Netcraft survey in April 2008.

Vendor | Product | Web Sites Hosted | Percent
Apache | Apache | 83,206,564 | 50.22%
Microsoft | IIS | 58,540,275 | 35.33%
Google | GWS | 10,075,991 | 6.08%
Oversee | Oversee | 1,926,812 | 1.16%
lighttpd | lighttpd | 1,495,308 | 0.9%
nginx | nginx | 1,018,503 | 0.61%
Others | - | 9,432,775 | 5.69%
Total | - | 165,696,228 | 100.00%


Chosen Web Server


Apache will be used for this scenario, because Apache is designed for the Java programming language,
which will be used to develop the channel for this I-Banking project.

Database Server
Cloudscape
IBM
Whether in the free Derby software that's available from the Apache Software Foundation, or the same
codebase shipped by IBM as Cloudscape with optional paid IBM support, the small-footprint
Cloudscape/Derby relational engine is making waves among open-source developers for some of its
enterprise-level features and capabilities.
Like many full-blown relational enterprise databases such as IBM's DB2 and Oracle (and unlike MySQL),
Cloudscape supports on-line backup and crash recovery as well as advanced features like Unicode
support/internationalization, encryption, and multiple low-overhead connections. It also supports stored
procedures, functions and triggers in its current version.

Zero Administration and Stored Procedures


Unlike MySQL and the large enterprise DBMSs, Cloudscape is an 'embedded' database that can be easily
hidden from the application and not require a database administrator. As an embedded DBMS, the database
components are included with the application, and the server will automatically start and stop along with the
execution of the application. The database server component is approximately 2MB, in a single JAR file, and
does not result in application bloat. (The download, you'll notice, is around 70 MB, but that includes tools/docs
and the full client/server stack for Cloudscape.) The MySQL directory for Windows, by contrast, runs 90
megs.
Cloudscape is written in Java and is very appealing for building and delivering cross-platform solutions that
require a full-function RDBMS. Of course, as a Java database, it runs anywhere J2SE is available—Windows,
Linux, UNIX, and the Mac OS X, for example. (MySQL runs on Linux and Windows.)
Cloudscape/Derby can be used as a client/server RDBMS as well. The Cloudscape server executes within a
JVM and can easily scale to meet many database server workloads. Its database scales up to 50GB, and it
easily handles processing requests of 25 concurrent connections. Cloudscape fully supports stored procedures,
written in Java, to reduce network overhead and improve application scalability. (Because stored procedures
contain program logic, more processing can take place on the database server, which can reduce the
bandwidth consumed sending data and instructions back and forth.) Cloudscape requires very little
administration as a DB server. Database storage is easily set up, and backing up data is easy using the
provided tools. Cloudscape supports many of the latest SQL standards, including triggers and views.
Another important advantage of Cloudscape/Derby over MySQL is in its security encryption capabilities.
Cloudscape offers the option to encrypt an entire database, which provides an extra layer of security by
protecting both the file system and database schema. In other words, no data exists in clear-text form in the
database files. This is especially important for remotely deployed databases or mobile databases on
notebook computers that are in danger of being hacked into if the notebook computer is stolen. Surprisingly,
Cloudscape/Derby database encryption adds less than 10% performance overhead, and takes no additional
disk space.

Derby's Licensing Advantage


Unlike MySQL, Apache Derby can be distributed by ISV's with their applications without the ISV needing to
choose between paying someone for a commercial database license, or putting their own application into
open source.

Winning the Derby


With its small footprint and the fact that it's easily deployed and embedded in Java applications, the
Cloudscape/Derby RDBMS is the no-brainer choice for Java developers—especially if you're on a limited
budget but require the transactional capabilities of a real database.
So Cloudscape/Derby is a natural for Java developers—but it is also good for building and deploying C,
Perl, or PHP applications, so the non-Java developer should also consider Cloudscape/Derby as an
alternative to MySQL. The client access to Cloudscape uses the same underlying client libraries and database
access protocol that is used to access DB2 UDB servers on various platforms, by the way, so if you're in a DB2
shop, you've got that added advantage.

MySQL

A multithreaded, multi-user, SQL relational database server, MySQL is open-source software available either
under the GNU General Public License (GPL) or under other licenses when the GPL isn't appropriate. Unlike
open-source projects such as Apache, MySQL is owned and sponsored by a single for-profit firm, the Swedish
company MySQL AB, which since 1995 has developed and maintained the product, selling support, service
contracts and commercially-licensed copies of MySQL. Partly because of the multiple levels of support offered
by MySQL AB, MySQL has grown into the most popular open-source database on the market.
Some of its popularity, no doubt, is due to the fact that the product is a free download for many users. But
over time, MySQL's ambition level has grown to the point where some see it as a challenger to established
enterprise products like Oracle and DB2. However, as the Wikipedia points out, MySQL has always lacked
many properties of its big-brother commercial rivals, such as stored procedures, views and triggers. This has
led some database experts, such as Chris Date and Fabian Pascal, to criticize MySQL as falling short of being
a truly relational RDBMS.
Many of these criticisms of MySQL are being addressed in the latest version, MySQL 5.0, currently in beta
release, but because of these and other shortcomings many developers have been reluctant to use MySQL for
anything more heavy-duty than small scale Web applications.
The popularity of MySQL as a Web application is also closely tied to the popularity of PHP, an open-source
scripting system used primarily for developing server-side applications and dynamic web content. MySQL and
PHP are often promoted by MySQL AB and other vendors as part of the Linux, Apache, MySQL, PHP (LAMP)
architecture that has become popular in the Web industry in recent years as a way of deploying inexpensive,
reliable, scalable and secure web applications. (The 'P' in LAMP can also stand for Perl or Python.) Though
these programs were not designed specifically to work with each other, the combination is popular because of
its low cost and the ubiquity of its components (which are often bundled with many current Linux distributions).

Administering MySQL
To administer MySQL databases you have the option of using the included command-line tools, or
downloadable GUI administration tools: MySQL Administrator and MySQL Query Browser. A widespread
and popular alternative, written in PHP, is the open-source web application phpMyAdmin and
phpMyBackupPro, also written in PHP, which can create and manage backups. It can create pseudo-cronjobs,
which can be used (optionally combined with emails) to back up the MySQL database at fixed intervals.
MySQL, like some of its commercial rivals, does have an ongoing administrative workload associated with it,
something that is not much enjoyed by developers.

Licensing MySQL
Some users have criticized MySQL AB's position on the software licensing, since MySQL server software and
the client libraries are distributed under a dual-licensing format. Users have the option of choosing either a
GNU General Public License, or they may choose a commercial license. Dual-use licenses are a somewhat
controversial part of the open source development world, especially since many developers also view the
GNU GPL License as more restrictive than the open-source license employed by the Apache Software
Foundation (ASF).

MySQL will be used for this scenario because of its credibility and because it is a surviving open-source
database management system.

With i-Banking, customers have online access to their checking, savings, credit card, and loan accounts 24x7.
Customer accounts are integrated, thus providing users with a consolidated view of their financial data. A
user-friendly interface guides customers through their online accounts, enabling the bank to offer any number of
features, such as:
• Online account registration
• Review account statements and activity
• Electronic bill payment
• Access multiple accounts (savings, current, loan, credit card)
• Transfer funds between accounts
• Monitor and track credit card spending
• View pre-defined reports
• Download data to popular personal financial management software such as Microsoft Money and
Quicken
• Perform multi-currency transactions


Business Model

The i-Banking architecture supports the Single-Bank Model as well as the Application Service Provider
(ASP) Model, which allows a single i-Banking system to be shared by many banks. The key advantage of the ASP
model is that each bank in the system can run the functionality provided by the new system without installing
the new system itself. It also means that each bank sharing the new system can keep its current
business processes and environment, such as a different URL/web site location, a different menu structure inside
the web site, a different look-and-feel (page layout, colour scheme, etc.) and many more.

Configuration Environment

I-Banking is written in pure Java and Enterprise JavaBeans (EJB); Java is considered the most secure
Internet programming language today. Additionally, i-Banking is platform neutral and can be hosted on any
platform that supports Java, e.g. Unix/Linux, Windows, and AS/400.
i-Banking’s architecture consists of five major components:

• The Front-End Gateway – provides access to a variety of Internet-enabled devices
and networks, isolating the complexities associated with protocol, security and form factor issues
to ensure a consistent consumer experience. I-Banking automatically determines the appropriate
presentation of information for the device being used.

• The Services Infrastructure – these components enable consumer applications such as retail and
commercial banking, investment services, mobile commerce, and personalization of the user experience,
as well as notification services based on the consumer's interests and priorities. The services infrastructure
also enables session management, which ensures the continuity of a transaction over the network. The
architecture is supported by an overall administrative function designed for easy and efficient management.

• The Transaction Processor – handles banking transactions, such as transfers, the
purchase or sale of securities, etc. The component routes transactions to the correct system and
recovers transactions if the application or some component of the system is unavailable or crashes. It
also incorporates load balancing for high-transaction environments.

• The Messaging Gateway – provides rapid linkage to the existing core banking system. I-Banking
uses the standard ISO8583 protocol to communicate with the core banking system. These components also
support Open Financial Exchange (OFX) or Extensible Mark-up Language (XML) for data exchange.

• The Security Layer – provides security throughout the communication and payment process. I-Banking
delivers end-to-end security to protect the banking institution and its customers. The i-Banking security
framework is based on a strict methodology of threat evaluation, risk analysis and policy creation. It
is designed to address authentication, authorization, privacy, integrity and non-repudiation.
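
An added example, not part of the original paper or of any i-Banking code: a strict parser for the ISO 8583 messages that the Messaging Gateway described above exchanges with the core banking system. It refuses malformed input instead of forwarding it and masks the card number before logging. The ASCII encoding, the eight-field subset, the sample message and all function names are assumptions made for illustration.

```python
import string

# (kind, fixed or maximum length). Assumed subset of ISO 8583:1987 data
# elements in ASCII encoding; a real gateway loads the table agreed with
# the core banking host.
FIELDS = {
    2: ("llvar", 19),  # primary account number, 2-digit length prefix
    3: ("n", 6),       # processing code
    4: ("n", 12),      # transaction amount in minor units
    7: ("n", 10),      # transmission date and time, MMDDhhmmss
    11: ("n", 6),      # system trace audit number
    39: ("an", 2),     # response code
    41: ("an", 8),     # terminal id (treated as alphanumeric here)
    49: ("n", 3),      # currency code, numeric
}

# Constructed sample: a request for 125.00 in currency 826 (GBP).
SAMPLE = (
    "0200"                   # message type indicator
    "7220000000808000"       # primary bitmap: fields 2, 3, 4, 7, 11, 41, 49
    "16" "4000001234567899"  # field 2 (made-up card number)
    "400000"                 # field 3
    "000000012500"           # field 4
    "0420101530"             # field 7
    "000042"                 # field 11
    "TERM0001"               # field 41
    "826"                    # field 49
)


class ParseError(ValueError):
    """The message is malformed and must not be forwarded."""


def _take(buf, pos, n, what):
    """Return buf[pos:pos+n] and the new offset, refusing short reads."""
    if pos + n > len(buf):
        raise ParseError(f"truncated while reading {what}")
    return buf[pos:pos + n], pos + n


def parse(message):
    """Parse MTI, primary bitmap and fields; raise ParseError on any doubt."""
    if not message.isascii():
        raise ParseError("non-ASCII input")
    mti, pos = _take(message, 0, 4, "MTI")
    if not mti.isdigit():
        raise ParseError("MTI must be four digits")
    bitmap_hex, pos = _take(message, pos, 16, "bitmap")
    if not set(bitmap_hex) <= set(string.hexdigits):
        raise ParseError("bitmap is not hexadecimal")
    bitmap = int(bitmap_hex, 16)
    # Bit 1 is the most significant bit; bit i set means field i follows.
    present = [i for i in range(1, 65) if (bitmap >> (64 - i)) & 1]
    if 1 in present:
        raise ParseError("secondary bitmap is not accepted by this gateway")
    fields = {}
    for num in present:
        if num not in FIELDS:
            raise ParseError(f"field {num} is not in the accepted set")
        kind, length = FIELDS[num]
        if kind == "llvar":
            prefix, pos = _take(message, pos, 2, f"field {num} length")
            if not prefix.isdigit() or not 1 <= int(prefix) <= length:
                raise ParseError(f"field {num} has a bad length prefix")
            length = int(prefix)
        value, pos = _take(message, pos, length, f"field {num}")
        numeric = kind in ("n", "llvar")
        if not (value.isdigit() if numeric else value.isalnum()):
            raise ParseError(f"field {num} has characters outside its type")
        fields[num] = value
    if pos != len(message):
        raise ParseError("unexpected data after the last field")
    return {"mti": mti, "fields": fields}


def mask_pan(pan):
    """Keep the first six and last four digits for logs, mask the rest."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def log_view(parsed):
    """Copy of the fields that is safe to write to a gateway log."""
    return {n: mask_pan(v) if n == 2 else v
            for n, v in parsed["fields"].items()}


if __name__ == "__main__":
    msg = parse(SAMPLE)
    print(msg["mti"], log_view(msg))
    # Truncated, padded and over-length variants are all refused.
    for bad in (SAMPLE[:-1], SAMPLE + "0", SAMPLE[:20] + "99" + SAMPLE[22:]):
        try:
            parse(bad)
        except ParseError as err:
            print("rejected:", err)
```

Rejecting unknown fields and trailing bytes at the gateway keeps a malformed request from reaching the core banking host, and logging only `log_view` output keeps full card numbers out of log files.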


Customer Relationship Management (CRM)
Customer Relationship Management (CRM) is a key element in system integration. It enables you to
understand, anticipate and respond to your customers' needs in a consistent way, across all channels of
communication, opening the door to gains in customer advocacy and the most efficient business processes. It
aims to put your customers at the center of a company's information flow. A CRM application enables
companies to move towards a customer-centered organization by putting the customer at the center
of all the information that relates to them and allowing authorized people in the organization to access that
information. In short, a company or organization has a lot of information about its customers, but that
information is available only to specific job functions and is not shared. Customer Relationship
Management is about people first and technology second. That is where the real value of CRM lies: harnessing
the potential of people to create a greater customer experience, using the technology of CRM as the enabler.
There are a number of issues of fundamental importance to the success of a CRM application:

Information Storage
All the information in a CRM system is organized in a big store called a database. The CRM database is
efficient and able to store details of emails, conversations, quotations, customer names, addresses, telephone
numbers and contact personnel for all your customers. If you store information in a structured and orderly
way, then retrieving information will be relatively easy.

The Right Information


A CRM system is the place where we store all customer-related information. There is no hard and fast rule.
However, common sense suggests that anything of commercial relevance to your company should be
stored. This includes emails regarding purchases, contracts and negotiations; commercial information should be
stored. Letters to customers should be stored, as should anything that adds value to the customer relationship.
But do not store information of uncertain legality about your customer or competitor. There have been cases in
which organizations have been successfully sued for sending internal emails that contained questionable
information about a competitor.

Market Analysis

Product                                       GEM-CRM                   Sage-CRM                  Sage Saleslogix
Vendor                                        V2V technologies Inc      Sage Software             Sage software
Version                                       3.2                       5.7                       6.2
Release date                                  5-Jun                     5-May                     4-Aug

Contact
Name                                          Mathieu Brunel            Bill Hoffman              Sales & Support
Telephone                                     514-940-8649              800-643-6400
Email                                         info@V2V.ca               bill.hoffman@sage.com     saleslogix@saleslogix.com
Website                                       www.c2vtechnologies.com   www.sagesoftware.com

Cost (Canadian dollars) for typical implementation, license based
Average cost per user                         $480                      $650                      $759
Average number of users                       15                        19                        30
Average cost                                  $7,200                    $12,350                   $23,850
Average implementation costs / licence costs  $1                        $1                        $0
Average implementation costs                  $7,200                    $12,350                   $0
Total                                         $14,400                   $24,700                   $23,850

Applications
Contact management                            yes                       yes                       yes
Services management                           yes                       yes                       thirdparty
Call center                                   yes                       yes                       yes
Distribution System                           yes                       thirdparty                thirdparty

Terms

IMPORTANT - PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY. BY ACCESSING THIS WEBSITE
AND/OR USING THE ONLINE SERVICES, YOU AGREE TO BE BOUND BY THE FOLLOWING TERMS AND
CONDITIONS. IF YOU DO NOT ACCEPT ANY OF THESE TERMS OR CONDITIONS, YOU MUST IMMEDIATELY
DISCONTINUE YOUR ACCESS OF THIS WEBSITE AND/OR USE OF THE ONLINE SERVICES.

Copyright and Trademark Notices


Except as otherwise expressly stated herein, the copyright and all other intellectual property in the contents of
this website (including, but not limited to, all design, text, sound recordings, images or links) are the property
of UKCredit Bank Ltd ("UKC Bank") and/or its holding company and/or its subsidiaries and/or the
subsidiaries of its holding company (together the "UKC Co."). As such, they may not be reproduced,
transmitted, published, performed, broadcast, stored, adapted, distributed, displayed, licensed, altered,
hyperlinked or otherwise used in whole or in part in any manner without the prior written consent of the UKC
Co. Save and except with the UKC Co.'s prior written consent, you may not insert a hyperlink to this website
or any part thereof on any other website or "mirror" or frame this website, any part thereof, or any
information or materials contained in this website on any other server, website or webpage.

All trademarks, service marks and logos used in this website are the property of the UKC Co. and/or the
respective third party proprietors identified in this website. No licence or right is granted and your access to
this website and/or use of the online services should not be construed as granting, by implication, estoppel or
otherwise, any license or right to use any trademarks, service marks or logos appearing on the website
without the prior written consent of the UKC Co. or the relevant third party proprietor thereof. Save and
except with the UKC Co.'s prior written consent, no such trade mark, service mark or logo may be used as a
hyperlink or to mark any hyperlink to any UKC Co. member's site or any other site.

Disclaimer
The information and materials contained in or accessed through this website are provided on an "as is" and
"as available" basis and are of a general nature which have not been verified, considered or assessed by
any member of the UKC Co. in relation to the making of any specific investment, business, financial or
commercial decision. Such information and materials are provided for general information only and you
should seek professional advice at all times and obtain independent verification of the information and
materials contained herein before making any decision based on any such information or materials.
The UKC Co. does not warrant the truth, accuracy, adequacy, completeness or reasonableness of the
information and materials contained in or accessed through this website and expressly disclaims liability for
any errors in, or omissions from, such information and materials. No warranty of any kind, implied, express or
statutory (including but not limited to, warranties of title, merchantability, satisfactory quality, non-
infringement of third-party intellectual property rights, fitness for a particular purpose and freedom from
computer virus and other malicious code), is given in conjunction with such information and materials, or this
website in general.
Under no circumstances shall the UKC Co. be liable regardless of the form of action for any failure of
performance, system, server or connection failure, error, omission, interruption, breach of security, computer
virus, malicious code, corruption, delay in operation or transmission, transmission error or unavailability of
access in connection with your accessing this website and/or using the online services even if the UKC Co. had
been advised as to the possibility.
In no event shall the UKC Co. be liable to you or any other party for any damages, losses, expenses or costs
whatsoever (including without limitation, any direct, indirect, special, incidental or consequential damages, loss
of profits or loss opportunity) arising in connection with your use of this website, or reliance on any
information, materials or online services provided at this website, regardless of the form of action and even if
the UKC Co. had been advised as to the possibility of such damages.

Hyperlinks
For your convenience, the UKC Co. may include hyperlinks to websites on the Internet that are owned or
operated by third parties. Such linked websites are not under the control of the UKC Co. and the UKC Co.
cannot accept responsibility for the contents of or the consequences of accessing any linked website or any
link contained in a linked website. Furthermore, the hyperlinks provided in this website shall not be considered
or construed as an endorsement or verification of such linked websites or the contents therein by the UKC Co.
You agree that your access to and/or use of such linked websites is entirely at your own risk and subject to
the terms and conditions of access and/or use contained therein.

Indemnity
You hereby agree to indemnify and save the UKC Co. harmless against all damages, losses, expenses and
costs (including legal costs) suffered or incurred by the UKC Co. in connection with or arising from (1) your
access of this website and/or use of the online services, or (2) any other party's access of this website and/or
use of the online services using your user id and/or login password, or (3) your breach of any of these Terms
and Conditions of Access, or (4) any other party's breach of any of these Terms and Conditions of Access
where such party was able to access this website and/or use the online services by using your user id and/or
login password.

Miscellaneous
The information and materials contained in or accessed through this website shall not be considered or
construed as an offer or solicitation to sell, buy, give, take, issue, allot or transfer, or as the giving of any
advice in respect of shares, stocks, bonds, notes, interests, unit trusts, mutual funds or other securities,
investments, loans, advances, credits or deposits in any jurisdiction.
The information and materials herein are subject to change (including, without limitation, modification, deletion
or replacement thereof) without notice.
The UKC Co. may terminate your access to this website and/or your use of the online services at any time
without notice and without assigning any reason therefor.

Governing Law and Jurisdiction


Nothing herein shall be construed as a representation by the UKC Co. that the information and materials
contained in or accessed through this website are appropriate or available for use in geographic areas or
jurisdictions other than Europe. By accessing this website and/or using the online services, you agree that such
access and/or use, as well as these Terms and Conditions of Access, shall be governed by, and construed in
accordance with, the laws of Europe and you agree to submit to the non-exclusive jurisdiction of the courts of
Europe.

Design Approach
[Screen designs, images not reproduced: Home; I-Banking; I-Banking welcome page; A/C Summary; Transaction History; Funds Transfer; Personal Loan; About Personal Loan; Payment Protection Cover; Smaller Loan; Existing Loan Customer; Branch Locator]

Security Issues
Why do we need security, particularly in e-banking?
Businesses need to provide a secure way to transact online. By making security integral, businesses not only gain customer trust but can also increase their revenue by adding more services online. So we offer you a safe and secure online environment for your banking needs. The following sections cover the different security issues.

Deployment of Security for Credit UK e-banking


1. PKI
2. SSL
3. Digital Certificate
4. Security token (2FA Authentication)

Some key benefits that PKI and its use of public key cryptography offer to ecommerce and other organizations:
• Reduces the expense of transaction processing.
• Reduces risk.
• Enhances the efficiency and performance of systems and networks.
• Reduces the complexity of security systems with binary symmetrical methods.

Public Key Infrastructure (PKI)


PKI is a foundation on which other systems, network security components, and applications are built. It is the basic element of an overall security strategy that must work in unison with other security mechanisms, risk management efforts, and business practices. It is a deep subject and is evolving to meet the growing demands of the business world.

It does not serve a particular business function, but provides a foundation for other security services. The primary use of PKI is to allow the distribution and use of certificates and public keys with integrity and security. “Example of systems that uses PKI-based security mechanisms is emails, value exchange with ecommerce (debit and credit cards), home banking and electronic postal system.”¹

¹ http://www.sun.com/blueprints/0801/publickey.pdf, p. 5

Digital Certificate
A digital certificate is like a passport: it provides a way to establish your identity to gain entry. In the digital world, digital certificates are issued by a Certification Authority (CA). Like a passport office, the CA validates the certificate holder's identity and “signs” the certificate so that it cannot be tampered with. When the certificate has been signed by the CA, the holder can present it to people, web sites and network resources to prove their identity and establish encrypted, confidential communications.
This certificate is based on public key cryptography, which uses a pair of keys for encryption and decryption. With this cryptography, keys work in matched pairs of public and private keys. Encryption converts information to a numerical value, making that information secure and visible only to those who have the key to restore the converted information.
The public key is freely distributed without exposing the private key, which must be kept private by its owner. An operation (e.g., encryption) done with the public key can only be undone (decrypted) with the corresponding private key.
A digital certificate binds your identity, as verified by a trusted third party, to your public key.
Example of a digital certificate deployed by OCBC bank:

(source:http://ocbc.com.sg/personal-banking/tools%20and%20info/Toi_Poc_SecTips.shtm)

SSL

Secure Sockets Layer (SSL) technology is a security protocol that is today's standard for securing communications and transactions across the internet. SSL is a star in today's e-commerce and e-business activities on the Web.
It uses digital certificates to create a secure channel for sensitive communications between two entities. Data sent over an SSL connection is safe: it cannot be tampered with or forged without the two parties becoming aware of the tampering.

What are SSL Certificates?

SSL enables encrypted communication between a user's browser and a web site by authenticating the identity of the web site with an SSL web server certificate. When the user wants to send sensitive information to a web server, the browser accesses the web server's digital certificate and obtains its public key to encrypt the data.
The web server is the only one that can access its private key, so only the server can decrypt the information. That is why the information remains confidential across the internet.

The following diagram illustrates how a 128- or 256-bit SSL connection works:

(Source: http://www.entrust.net/ssl-resources/pdf/understanding_ssl.pdf march 2008)

How Certificates are used in an SSL Transaction

Suppose you want to connect to a secure web site to carry out a transaction:

• When you visit a web site secured with SSL (its URL begins with “https”), your browser sends a message requesting a secure (SSL) session.
• The web server sends you its server certificate, which includes its public key.
• Your browser verifies that the certificate sent to you is valid and has been signed by a CA, and also verifies that the CA certificate has not expired.
• If the certificate is valid, your browser creates a single unique “session” key and encrypts it with the server's public key. Your browser then sends the encrypted session key to the server so that both sides have a copy.
• The server recovers the session key that your browser sent by decrypting it with its private key.

Now the web site has been confirmed and verified, and your browser and the web server each have a copy of the session key.

Once the SSL verification is complete, you have a secure communications “pipe”. Your browser and the web server can now communicate securely using the session key. The entire process of creating an SSL connection takes only seconds and happens transparently.

Encryption
In the ecommerce world, the RSA public key cryptographic system (named after its creators: Rivest, Shamir and Adleman) is commonly used. The algorithm is based on the hard mathematical problem of factoring composite numbers. Encryption is the creation of ciphertext by one party using another party's public key. Many parties can send one party encrypted messages without first having to exchange secret or private cryptographic keys. As discussed under SSL, the messages can only be decrypted and read by the owner of the private key. Encryption works as follows:

$c = m^e \bmod n$

Where m is the message to be enciphered and c is the resultant ciphertext. The specific operation performed is the exponentiation of $m^e \bmod n$, where e and n are the public key of the recipient of the ciphertext. The recovery of the ciphertext by the recipient occurs as follows:

$m = c^d \bmod n$

The specific operation performed is the exponentiation of $c^d \bmod n$, where d and n are the recipient’s private key.”

______________________________
http://www.sun.com/blueprints/0801/publickey.pdf
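
The session-key exchange from the SSL steps and the two RSA equations above, worked through as an added example (it is not code from this report or from any SSL library). It uses textbook RSA on tiny constructed primes so that $c = m^e \bmod n$ and $m = c^d \bmod n$ can be followed by hand, and it also checks two properties of unpadded RSA that explain why real SSL/TLS implementations always add padding; all names and parameters are assumptions.

```python
"""Textbook RSA key transport, following the SSL steps and equations above.

Added illustration only: tiny constructed primes, no padding, not for real use.
"""
import secrets
from math import gcd

# Constructed toy parameters (assumption); real server keys are 2048 bits or more.
P, Q, E = 61, 53, 17


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) = ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # d is the inverse of e modulo phi (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m, public_key):
    """c = m^e mod n, using the recipient's public key (e, n)."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, private_key):
    """m = c^d mod n, using the recipient's private key (d, n)."""
    d, n = private_key
    return pow(c, d, n)


def key_exchange(server_public, server_private):
    """Browser creates a session key and sends it under the server's public key."""
    _, n = server_public
    session_key = secrets.randbelow(n - 2) + 2        # browser: fresh random key
    on_the_wire = encrypt(session_key, server_public)
    recovered = decrypt(on_the_wire, server_private)  # server: needs the private key
    return session_key, on_the_wire, recovered


def raw_rsa_properties(public_key, private_key, m=42):
    """Two properties of unpadded RSA that padding schemes such as OAEP remove."""
    e, n = public_key
    c = encrypt(m, public_key)
    # 1. Deterministic: equal messages always give equal ciphertexts.
    deterministic = encrypt(m, public_key) == c
    # 2. Malleable: c * 2^e mod n decrypts to 2*m, so integrity is not protected.
    altered = (c * pow(2, e, n)) % n
    malleable = decrypt(altered, private_key) == (2 * m) % n
    return deterministic, malleable


if __name__ == "__main__":
    pub, priv = make_keypair()
    print("public key (e, n):", pub, " private key (d, n):", priv)
    print("session key, ciphertext, recovered:", key_exchange(pub, priv))
    print("deterministic, malleable:", raw_rsa_properties(pub, priv))
```
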

Security Token
A security token (also known as a hardware token, authentication token or cryptographic token) can be a physical device given to an authorized user to aid authentication (a dedicated device). The alternative to hardware is a software token, which authorizes the use of computer services and runs on a general-purpose electronic device such as a laptop, desktop, or mobile phone.

There are different types of token: disconnected tokens do not need an input device, while others do.

Bluetooth
A Bluetooth token is most often combined with a USB token, so that it can work in both a connected and a disconnected state. It works over Bluetooth when closer than 32 feet (10 meters); beyond 10 meters it must be inserted into a USB input device to function.

Cellular phones

This is a new category of 2FA tools, which allows users to use their mobile phones as a security token. The functions normally provided by a dedicated token are performed by a Java application installed on the mobile phone. Other methods are SMS messaging, prompting an interactive phone call, or using standard protocols such as HTTP and HTTPS.

It simplifies deployment and reduces costs, and no separate token device is needed. The SMS option may expose the user to fees for text messages or WAP/HTTP services.

Disconnected tokens
Disconnected tokens are the type most commonly used by enterprises today, such as those from RSA Security, Digipass, etc. Their advantage is that no input device is needed, though they do not last long: a token lasts only 3-5 years.

Two-factor Authentication (2FA)


2FA is a process used to authenticate and verify a person's identity for security purposes. It is a system that uses two different methods of authentication, which gives a higher level of authentication.

There are three universally recognized factors for authenticating individuals:

• ‘Something you know’, such as a password, PIN or an out-of-wallet response.
• ‘Something you have’, such as a mobile phone, credit card or hardware security token.
• ‘Something you are’, such as a fingerprint, retinal scan, or other biometric.
________________________________
Source: http://www.answers.com/topic/two-factor-authentication?cat=technology

2FA or T-FA requires at least two of the authentication factors mentioned above. The first factor is ‘something you know’, which is a password, and the second is commonly ‘something you have’, which is a physical device, or, more complex, ‘something you are’, a biometric such as a fingerprint. A bank example is an ATM card, ‘something you have’, together with the password, ‘something you know’.

Using more than one factor is strong authentication, whereas a single factor such as a static password is considered by some to be weak authentication. Strong authentication and multi-factor authentication are nevertheless different processes. Soliciting multiple answers to challenge questions may be considered strong authentication. "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication." The FFIEC clarified this in supplemental guidance on the subject issued in August 2006.

Firewall
A firewall is a system designed to control and inspect the traffic passing through a private network, based on a set of rules that either let the traffic pass or deny it. It can be hardware, software or a combination of both. It is frequently used to prevent unauthorized users from accessing private networks connected to the internet, especially intranets. Like an immigration checkpoint, it examines every message entering or leaving through it and blocks those that do not meet the specified security criteria.

Several types of firewall techniques:

• Network Layer (Packet Filter) – filters packets entering or leaving the network, allowing packets to pass through the firewall unless they fail to match the user-defined rules. It is fairly effective and transparent to users, but it is difficult to configure. Network layer firewalls fall into two categories, stateful and stateless.
  ◦ Stateful firewalls – maintain context about the sessions that are active and use that “state information” to speed up packet processing. Any existing network connection can be described by several properties, such as source and destination IP address, TCP or UDP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or connection completion).¹ If a packet matches an existing connection, it is allowed to pass without further processing. If it does not match any existing connection, it is evaluated according to the ruleset for new connections.
  ◦ Stateless firewalls – have packet-filtering capability, but cannot make more complex decisions based on what stage communications between hosts have reached.
_____________________________

¹ http://en.wikipedia.org/wiki/Firewall_(networking)

• Application layer – works in one of two modes: passive or active. Active application firewalls inspect all incoming requests, including the actual message exchanged, against known vulnerabilities such as SQL injection, cookie tampering, and cross-site scripting. Only requests that are deemed “clean” are passed through to the application. Passive application layer firewalls act similarly to an IDS (Intrusion Detection System): they inspect requests but cannot actually deny or reject them if a potential attack is detected. Application layer firewalls maximize the overall security of the application infrastructure by rejecting attacks that would cause structural damage to a data source or a service outage. These firewalls are remotely updatable, allowing them to block newly discovered vulnerabilities. They are therefore more up to date than other security-focused code, whose development and testing cycles take more time.
• Proxies – a proxy may act as a firewall (either dedicated hardware or software on a general-purpose machine) by responding to input packets (e.g. connection requests) between the client and the server. When the client requests data from internet resources, the traffic goes from the web browser/application through the proxy before reaching the requested source, and the response comes back through the proxy. The client then receives the data transmitted by the proxy.

(Source: http://www.proxyserverprivacy.com/proxy-server.shtml)

It implements protocol- or service-specific security such as the level of authentication and access control, and makes packet-forwarding decisions. Based on a set of proxy server rules that apply to the individual network service as well as host/user permissions, it evaluates each request and decides to permit or deny it. It provides a greater level of security because it ensures that the two connecting hosts never exchange packets directly.

• Network Address Translation (NAT) – allows the protected network to access the external network while restricting outsiders from getting in. When a request is sent out through the firewall, NAT substitutes its own address in the source address field. When the reply returns to the NAT application, it replaces its own address in the destination field with that of the original client that made the request. This technique hides internal host addresses from external hosts, which are aware only of the firewall's IP address. NAT greatly reduces the ability to attack internal hosts.
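
The difference between stateless and stateful packet filtering, and the NAT address substitution, from the list above, as an added example (not code from this report or from any firewall product). The rule set, the 10.0.0.0/8 protected network, the documentation-range addresses and all class and function names are assumptions made for the illustration.

```python
"""Stateless filter, stateful firewall and NAT as described in the list above.

Added illustration; addresses are constructed and all names are hypothetical.
"""
import ipaddress
from dataclasses import dataclass, replace

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def ruleset_allows_new(pkt):
    """Constructed rule set: internal hosts may open HTTPS connections outward."""
    return (internal(pkt.src) and not internal(pkt.dst)
            and pkt.proto == "tcp" and pkt.dport == 443)


def stateless_allows(pkt):
    """Each packet is judged alone, so replies need a static 'from port 443' rule."""
    looks_like_reply = (not internal(pkt.src) and internal(pkt.dst)
                        and pkt.proto == "tcp" and pkt.sport == 443)
    return ruleset_allows_new(pkt) or looks_like_reply


class StatefulFirewall:
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.connections = {}            # connection key -> time last seen

    @staticmethod
    def _key(pkt):
        # Both directions of one connection map to the same key.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def allows(self, pkt, now):
        key = self._key(pkt)
        last = self.connections.get(key)
        if last is not None and now - last <= self.idle_timeout:
            self.connections[key] = now  # known connection: pass, skip the rules
            return True
        self.connections.pop(key, None)  # expired or never seen
        if ruleset_allows_new(pkt):      # otherwise evaluate as a new connection
            self.connections[key] = now
            return True
        return False


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}                # (internal ip, port) -> public port
        self.in_map = {}                 # public port -> (internal ip, port)

    def translate_out(self, pkt):
        """Replace the internal source address with the firewall's own."""
        host = (pkt.src, pkt.sport)
        if host not in self.out_map:
            self.out_map[host] = self.next_port
            self.in_map[self.next_port] = host
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[host])

    def translate_in(self, pkt):
        """Restore the original client as destination, or None if unmapped."""
        if pkt.dst != self.public_ip or pkt.dport not in self.in_map:
            return None
        ip, port = self.in_map[pkt.dport]
        return replace(pkt, dst=ip, dport=port)
```

The stateless filter has to accept any inbound packet that merely has source port 443, while the stateful firewall accepts only replies that belong to a connection an internal host opened and that has not timed out.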

Security Layer

All customers' financial information, or any kind of sensitive information, is the most valuable asset of every iBanking system. The company must therefore assure that all information is tightly secured and has appropriate integrity and availability.

(http://www.anabatictech.com/product/pocketbank/PocketBank-InternetBankingWhitePaper.pdf)

To achieve this, i-banking must implement a five-layer approach to ensure the security of the system:

• Layer 1: Secure User Connection
• Layer 2: User Authentication
• Layer 3: Server Access
• Layer 4: System Architecture
• Layer 5: Application Architecture

Layer 1: Secure User Connection

• SSL
• Digital Certificate issued by VeriSign
• Establishes credible Internet “identities”.
• PKI

Layer 2: User Authentication

• Alphanumeric ID and password
• Unique ID established by the consumer
• Unique alphanumeric initial password established by the application and mailed.
• Incorrect password counter – disable account after three incorrect attempts
• Mandatory password change during initial sign-on.
• Session expiration after 10 min of inactivity.

Layer 3: Server Access

• Dedicated ISP connection to the internet backbone, for basic screening of IP addresses
• Internet firewall(s) to block unauthorized requests, make the internet backbone server the only accessible resource, log all penetration attempts for security audits, and block viruses.

Layer 4: System Architecture

• Applications are built in pure Java and Enterprise JavaBeans, for hosting on UNIX-based servers or AS/400, which are far more secure than Microsoft Windows based alternatives.
• Dedicated HTML/Web server accepts direct internet “hits”.
• Restrictive Access Control Lists (ACLs) for each of the authentication server, database server, and component server.
• Sensitive customer information resides only on the core banking system.

Layer 5: Application Architecture

• All user and administrative actions are logged to the database.
• All data on I-banking is encrypted using an appropriate encryption algorithm.
• Can be set to require a password change every 30 days.
• Can limit the amount of daily transfers.
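
The Layer 2 and Layer 5 controls listed above (three-attempt lockout, forced change of the initial password, 10-minute idle expiry, 30-day password age, daily transfer limit, action logging) combined into one policy object, as an added example that is not the report's or any product's code. Class, method and status names are hypothetical, timestamps are passed in as seconds so the rules can be exercised offline, and the daily limit of 1000 is an assumed figure because the page names no amount.

```python
"""Layer 2 and Layer 5 controls from the list above as one policy object.

Added illustration; class, method and status names are hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_LOGINS = 3              # Layer 2: disable after three incorrect attempts
IDLE_TIMEOUT_S = 10 * 60           # Layer 2: session expires after 10 min inactive
PASSWORD_MAX_AGE_S = 30 * 86400    # Layer 5: password change every 30 days
DAILY_TRANSFER_LIMIT = 1000        # Layer 5: assumed amount, the page names none


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_set_at: float
    must_change: bool = True           # the mailed initial password is one-time
    failed: int = 0
    disabled: bool = False
    last_seen: Optional[float] = None  # None means no live session
    spent: dict = field(default_factory=dict)  # day number -> amount moved


class IBankingPolicy:
    def __init__(self):
        self.accounts = {}
        self.audit = []                # Layer 5: every action is logged

    def _log(self, now, user_id, event):
        self.audit.append((now, user_id, event))
        return event

    def enroll(self, user_id, initial_password, now):
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _hash(initial_password, salt), now)
        return self._log(now, user_id, "enrolled")

    def login(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._log(now, user_id, "denied")
        if acct.disabled:
            return self._log(now, user_id, "disabled")
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed += 1
            acct.disabled = acct.failed >= MAX_FAILED_LOGINS
            return self._log(now, user_id, "disabled" if acct.disabled else "denied")
        acct.failed, acct.last_seen = 0, now
        if now - acct.pw_set_at > PASSWORD_MAX_AGE_S:
            acct.must_change = True
        return self._log(now, user_id, "change_password" if acct.must_change else "ok")

    def _session(self, user_id, now):
        """Return the account if its session is live, refreshing the idle timer."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.disabled or acct.last_seen is None:
            return None
        if now - acct.last_seen > IDLE_TIMEOUT_S:
            acct.last_seen = None
            return None
        acct.last_seen = now
        return acct

    def change_password(self, user_id, new_password, now):
        acct = self._session(user_id, now)
        if acct is None:
            return self._log(now, user_id, "session_expired")
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.pw_set_at, acct.must_change = now, False
        return self._log(now, user_id, "password_changed")

    def transfer(self, user_id, amount, now):
        acct = self._session(user_id, now)
        if acct is None:
            return self._log(now, user_id, "session_expired")
        if acct.must_change:
            return self._log(now, user_id, "change_password")
        day = int(now // 86400)
        if amount <= 0 or acct.spent.get(day, 0) + amount > DAILY_TRANSFER_LIMIT:
            return self._log(now, user_id, "limit_exceeded")
        acct.spent[day] = acct.spent.get(day, 0) + amount
        return self._log(now, user_id, "transferred")
```
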

News on Security/Security Alerts

Malware Targets E-Banking Security Technology


New malicious software contains a feature specially designed to defeat online security technology implemented by Bank of America and other financial institutions that use e-banking. The feature comes from a recent version of “Pinch”, a widely distributed Trojan horse program that gives bad guys the ability to steal information such as user IDs and passwords from a victim's computer. The newly identified version of Pinch not only looks for IDs and passwords but also steals a special token that is planted on the machine of a user who banks online with a financial institution using Adaptive Authentication, a security technology owned by RSA Security. The technology is also known as “site key”, which is Bank of America's branding of the RSA technology.

Bank of America uses Adaptive Authentication, meaning that if you access their site from another location, it asks you the secret questions that you set up. Once the questions are answered correctly, the site places a bypass token on whatever machine the user is on, so that the user need not be bothered by security questions the next time that machine is used to access the site. The intent is that a hacker who plants information-stealing malware on your machine would still need to answer all or most of your secret questions. But the site key stores the token in the same place on every user's machine. The newest version of Pinch simply goes into that directory and takes the token, storing it along with the ID and password stolen from that specific user.

Lawrence Baldwin (co-founder of myNetWatchman.com) discovered the Pinch feature while observing a user affected by the malware. He said that it was a matter of time before the malware incorporated the site key hack.

Marc Gaffan, RSA's head of marketing, said that they are seeing more and more malware coming out. But he cautioned that their technology offers additional layers of protection for banks even if tokens and information are stolen. He declined to give more specifics about their protections because he doesn't want to “give away the secret sauce”.

“Pinch showcases some of the best (or worst, depending on your vantage point) point-and-click products that the malware industry has to offer these days.” It is created with the help of a configurable and extremely sophisticated virus creation kit called Pinch Pro, which can be purchased on forums of Russian hackers. The following is a sample of the program:

____________________________________________________
http://blog.washingtonpost.com/securityfix/2007/11/new_malware_defeats_sitekey_te.html?nav=rss_blog

Phishing

The word phishing was coined by crackers to refer to the act of tricking people into exposing sensitive information. It is an attempt to create a scenario in which people believe that they are dealing with an authorized party, especially their bank. The attacker asks the victim for private information such as credit card information. This activity is highly automated, and the victims are the large number of internet users.

It is also a deceptive e-mail method in which attackers send out an official-looking email to gather personal and financial information from victims. Usually, the emails appear to come from well-known and trustworthy web sites. The message uses a spoofed image or logo of the financial institution and convinces the user to provide personal and account details by visiting a web link given in the message.

Attackers use a number of different social engineering and e-mail spoofing techniques to try to trick their victims.

Example of Phishing

http://kbase.gfi.com/images/antiphish.gif

In this example the attacker uses the PayPal company's name, sending the customer a legitimate-looking email that carries the PayPal logo and trademark. The message says that the company is having technical difficulties and asks the victim to click on a link, which leads directly to a page asking users to register again and to supply personal and sensitive information such as bank information, VISA and PayPal account details, user name and password, social security number, and any other information that can be used to retrieve forgotten or lost credentials. If the victim chooses to ignore the request, the message says, the company is left with no choice but to temporarily suspend their account.

The fraudulent page is specially coded to check that the information submitted is correct. If you type something wrongly, it alerts you to key in the correct information before submitting.

PayPal is affected because its name is being used by the scammers. The company's reputation goes down because it did not tell its customers to be aware of phishing threats, etc.

Consequences of Phishing

The major threat of phishing is that your identity is used by the attacker in a digital crime, usually for financial gain or for defamatory purposes. Once attackers have stolen your personal information, they use it, for example, to make fraudulent charges on your credit or debit card, or to use your credentials on different online services such as eBay, Amazon and others to commit crime without being caught, making it appear as though you committed the criminal action.

Cost Budgeting

Products                                                            Cost
MySQL database server                                               free
Java Platform                                                       free
GEM CRM                                                             $14,400
Apache web hosting (http://www.webhostingpad.com/), per year        $179.50
Total                                                               $14,579.50


Conclusion
In the past several years, many banks have launched Internet banking services to retail customers with the
intent of attracting and retaining more high-value customers and decreasing costs. Although in most cases,
these banks are not making money from these efforts, there are some success stories – banks that have
effectively developed, delivered and evolved their services.

Based on our research of these Internet banking leaders, we believe that the implementation of best practices
can help banks to deliver Internet services more effectively. The best practices can help prioritize Internet
development efforts and extend the Internet technology and development infrastructures to Internet
applications in non-retail banking areas.

All of the Internet products and services have potential to provide substantial value to customers. However, we
believe that it is the integration and execution of the offerings that will separate the best of the banks from
the mediocre. Banks that implement the best practices will have the highest chance of on-going success in these
varied electronic commerce efforts.

RIA (http://en.wikipedia.org/wiki/Rich_Internet_application) 20/04/2008
J2EE (http://java.sun.com/j2ee/overview.html#1) 10/04/2008
JB (http://searchsoa.techtarget.com/sDefinition/0,,sid26_gci212416,00.html) 10/04/2008
CRM (http://www.camagazine.com/index.cfm/ci_id/35165/la_id/1.htm%20onClick=) 10/04/2008
CRM (http://dl.sugarforge.org/training/training/IntroductiontoCRM/CRM_Fundamentals.pdf) 10/04/2008
Web Server (http://en.wikipedia.org/wiki/Web_server) 10/04/2008
Configuration Environment (http://www.anabatictech.com/product/pocketbank/PocketBank-InternetBankingWhitePaper.pdf) 10/04/2008
MySql/Cloudscape (http://www.devx.com/ibm/Article/28526) 10/04/2008
Terms (dbs.com.sg) 20/04/2008
Technologies (http://www.halifax.co.uk/bankaccounts/studentcurrentaccount.asp)
Digital Certificates and SSL (http://www.entrust.net/ssl-resources/pdf/understanding_ssl.pdf) March 2008
PKI (http://www.sun.com/blueprints/0801/publickey.pdf) March 2008
Security Token (http://www.answers.com/topic/software-token, http://www.answers.com/topic/security-token?cat=technology) 21 March 2008
Two-Factor Authentication (http://www.answers.com/topic/two-factor-authentication?cat=technology) 22 March 2008
Firewall (http://www.webopedia.com/TERM/f/firewall.html) 23 March 2008
Types of firewall (http://en.wikipedia.org/wiki/Firewall_(networking)) 23 March 2008
Application layer (http://www.f5.com/glossary/application-layer-firewall.html) 23 March 2008
Proxy (http://www.proxyserverprivacy.com/proxy-server.shtml) 23 March 2008
Network Address Translation NAT (http://www.sei.cmu.edu/str/descriptions/firewalls_body.html) 23 March 2008
Phishing (http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci916037,00.html, http://kbase.gfi.com/showarticle.asp?id=KBID002585) 8 April 2008
