
A Security Risk Model For Online Banking System: Anshita Dhoot A. N. Nazarov Alireza Nik Aein Koupaei

The document proposes a security risk model for online banking systems using biometric techniques like fingerprints and digital signatures to authenticate transactions and prevent unauthorized access to accounts. It discusses how intruders attack online banking and steal user data, and the need for intruder detection methods to identify intruders and protect customer information stored online.


A Security Risk Model for Online Banking System

Anshita Dhoot, Moscow Institute of Physics & Technology State University, Moscow, Russia, anshita.dhoot.23@gmail.com
A. N. Nazarov, Moscow Institute of Physics & Technology State University, Moscow, Russia, a.nazarov06@bk.ru
Alireza Nik Aein Koupaei, Moscow Institute of Physics & Technology State University, Moscow, Russia, alireza.nik666@gmail.com

Abstract – We are living in an era where the security of our data has become a huge issue. Cyber services are among the most entertaining and time-saving things in one's life. People save their data on the cloud, which is managed through cyberspace, and cyber-security plays an important role in this matter. This is an open challenge for security because there are many intruders who can attack the data and hack the details of the user through the server. If we look around, we will find many cases which involve cyber-crime. Securing our datasets which are available on the cloud has become a very genuine concern. Our research covers the security of the datasets, including detection of intrusions, which can occur anywhere on the earth. It has become very important to protect the data from intruders, and for this, intruder detection is the most important key. If we don't know who the intruder is, then how will we get to know who is stealing the data which has been secured by using biometric security, fingerprints, passwords, OTPs, etc.? Intruder detection has become very important, especially on mobile objects such as airplanes, ships, etc. Only when we know the problem are we able to find the solution. To prevent this, we are using methods from machine learning, biometric recognition, data learning or hybrid methods. These are going to be the handle of the system that can help to secure the data from intruders by using the best optimization techniques to get precise data. We propose a model for the banking system that uses biometric impressions and digital signatures to make every transaction possible by the bank's customer. This proposes security for the Smart Online Banking System (SOBS): by using biometric prints, it can become more secure and reduce a lot of the threats that can be made by an intruder.

Keywords – Intrusion Detection, Model, Security, Smart Banking System, Biometric Imprints, Artificial Intelligence.

I. INTRODUCTION

In this world of the internet, full of cyber-attacks, people demand security for their data and expensive things. This era of the cyber world has many intruders, which makes the internet vulnerable. This is the reason we need to secure the cyber-world from the various kinds of existing attacks that can be caused by intruders. To identify those intruders who can make security networks vulnerable, we need to find their activities or the several kinds of possible attacks on data; only then can we prevent the data from being stolen.

The basic necessity for the smart banking system is for people to have trust in their account accessibility and the security of their privacy. The SOBS works with lots of various ideologies; sometimes it is a very huge task to secure the large data spaces in cyberspace from huge numbers of cyber-attacks. Many intruders are there to attack the user's account, and it is very hard to detect the cyber-crime which is happening to the user's account. The environment of the online working system includes the One Time Password (OTP) generated by the network, which is provided to the user to acknowledge the legitimacy of the user's mobile number.

A biometric system recognizes a person using a precise physiological or behavioural attribute possessed by that person. It is called a biometric identification or verification system, depending on the application in which it is used [6]. A verification system works by comparing the biometric properties of its test sample with the biometric pattern stored in the database, while an identification system identifies each person by probing the whole database for a match.

Physiological biometrics include fingerprint, face, hand geometry, palm print, etc., whereas behavioural biometrics include signature, speech, gesture, and so on. A biometric trait must meet properties such as distinctiveness, universality, collectability, and permanence to be used in a biometric system. Dependency on the internet world and easy access to debit and credit card details via the online system is becoming a threat for people these days. These facilities provided by the cyber world have created many account hackers, unknown transactions from the user's account and many more threats [1, 2].

The number of intrusion detections has been cured and abundant types of attacks are there to be secured against. Cyber-attacks/cyber-crimes made by an intruder include phishing, scamming, fraud and identity-stealing crimes, virtual crimes, threats by computer hacker groups/organized crime groups/terrorist groups, money-evasion, and so on [17, 20].

This paper, proposing the security risk model for the online banking system, introduces inline biometric techniques to protect the account of a customer. It helps to detect unexpected transaction attempts occurring on their account without their prior knowledge and protects their data more securely, as it requires techniques from biometric technology, for example digital signature, face recognition and fingerprints. These techniques can be operated by any person, even a person who is not educated enough to operate any technology, but these techniques help them to

978-1-7281-4772-7/20/$31.00 ©2020 IEEE

Authorized licensed use limited to: Universitas Indonesia. Downloaded on August 22,2020 at 16:40:00 UTC from IEEE Xplore. Restrictions apply.
prevent their account from intruders because it will need only the physical presence of the person who owns the account.

This will help to reduce the paperwork needed to operate a customer's account, makes transactions hassle-free, and makes their data easily accessible and more secure than ever. It protects against many attacks such as impersonation attack, foreign key attack, man-in-the-middle attack, denial-of-service attack, distributed denial-of-service attack, eavesdropping attack, password attack, phishing attack, spear-phishing attack, cross-site scripting attack, zero-day exploit, and cyber-attack prevention [18, 19].

This paper is designed to explore new details about cyber-attacks and the best possible techniques that might be used to secure the account of the customer of any bank. The paper is organized into seven sections.

II. RELATED WORK

The feature vector introduced by Tico, et al. consists of the standard deviations of the Discrete Wavelet Transform (DWT) coefficients of the whole image at different levels and familiarization. A K-Nearest Neighbour classifier employing Euclidean distance is used for matching.

Many intruders are waiting to exploit the leniency of the bank's customers. The safer the banking system is, the more customers will feel free to use online banking. Junho Lee, Jungwoon Woo et al. [3] introduced a technology, giving a methodology for developing software in order to create a secure web. It does not have OOAD methodology, UMLsec and Java EE, to maintain the database and to associate it to correlate.

In their work on malware threats and security solutions, Wazid, Zeadally and Das [4] discussed the need for mobile banking and every possible attack which could occur while using the mobile banking system. They presented their work on mobile banking, its limitations and its improvements, but there is no model to secure it.

Similarly, R. Bose, S. Chakraborty and S. Roy [5] explained the working principle of a cloud-based multi-factor authentication architecture for banking systems, using biometric fingerprint authentication over USB to make sure that data is authentic. They even established secure and safe VPN connectivity but failed to protect the data from different cyber-attacks.

The papers [6, 7, 15] proposed an authentic environment for the user's bank credentials and cloud server, but these are not secure enough to protect the customer's data from severe cyber-attacks; phishing and pharming can still threaten the customer's data, whereas [8] presented the results of several kinds of targeted attack on the online banking system.

Limba, Pleta, et al. [9] designed a model for cybersecurity management that includes six dimensions for better communications within the organization, but it may not be able to secure the dynamic plans that may change or adapt with various technologies. This assured that it could handle the initial and interoperable/moderate level of each dimension of the cybersecurity model for its management, but it may be vulnerable to dynamic cyber-attacks.

There are various active attacks as well as passive attacks which can make any user's account vulnerable and not secure from the attacker. Sundry researchers are working on the smart banking system, but still, there are a number of attacks that need to be secured against [10-14].

III. PROPOSED MECHANISM

Through this paper, we are proposing a multi-factor authentication model developed the throughput with a tolerated area to make the transaction more secure by biometrics section, where the Biometric section acts as a multi-factor gateway as shown in Figure 1. It provides face recognition authentication (FRA) and biometric fingerprint authentication (BFA).

Fig. 1. The proposed Mechanism

These two techniques work perfectly and provide extreme authenticity for verification of the valid user; not a single transaction is transferred from one account to another without the prior knowledge of the user. This proposed model not only makes transactions secure and the system reliable for the user, but also provides mobile operability: no matter where the user is, he/she can operate their account by verifying their transaction with either BFA or FRA, as shown in Figure 2.

Fig. 2. Block diagram of Proposed Biometric BFA and FRA
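The verification (1:1) versus identification (1:N) distinction from the introduction and the accept/reject gateway described above, as an added example that is not code from the paper. It uses Euclidean nearest-template matching (the matching rule cited in Section II) in place of the paper's SVM; the feature vectors, the threshold, the retry cap and all function names are constructed assumptions.

```python
import math

# Constructed enrollment database: user id -> stored template feature vectors.
# A real system would store vectors produced by the feature-extraction stage.
ENROLLED = {
    "alice": [(0.10, 0.80, 0.30), (0.12, 0.78, 0.33)],
    "bob":   [(0.70, 0.20, 0.90), (0.68, 0.22, 0.88)],
    "carol": [(0.40, 0.50, 0.10), (0.42, 0.47, 0.12)],
}
THRESHOLD = 0.15   # assumed acceptance distance, not a value from the paper
MAX_ATTEMPTS = 3   # assumed cap on re-prompts; the paper states no limit


def best_distance(probe, templates):
    """Smallest Euclidean distance between a probe and a user's templates."""
    return min(math.dist(probe, t) for t in templates)


def verify(claimed_id, probe, threshold=THRESHOLD, db=ENROLLED):
    """1:1 verification: compare only against the claimed user's templates."""
    templates = db.get(claimed_id)
    if not templates:
        return False  # an unknown identity is rejected outright
    return best_distance(probe, templates) <= threshold


def identify(probe, threshold=THRESHOLD, db=ENROLLED):
    """1:N identification: probe the whole database, reject if nothing is close."""
    user, dist = min(((u, best_distance(probe, t)) for u, t in db.items()),
                     key=lambda pair: pair[1])
    return user if dist <= threshold else None


def authenticate(claimed_id, captures, threshold=THRESHOLD):
    """Gateway loop: re-prompt on rejection, stop after MAX_ATTEMPTS captures."""
    for attempt, probe in enumerate(captures[:MAX_ATTEMPTS], start=1):
        if verify(claimed_id, probe, threshold):
            return True, attempt
    return False, min(len(captures), MAX_ATTEMPTS)


def error_rates(trials, threshold):
    """Return (FAR, FRR) over trials of (claimed_id, true_id, probe)."""
    genuine = [t for t in trials if t[0] == t[1]]
    impostor = [t for t in trials if t[0] != t[1]]
    false_rejects = sum(not verify(c, p, threshold) for c, _, p in genuine)
    false_accepts = sum(verify(c, p, threshold) for c, _, p in impostor)
    return false_accepts / len(impostor), false_rejects / len(genuine)


# Constructed trials: two genuine users, two impostors claiming another identity.
TRIALS = [
    ("alice", "alice", (0.11, 0.79, 0.31)),    # clean genuine capture
    ("bob", "bob", (0.60, 0.30, 0.80)),        # noisy genuine capture
    ("alice", "bob", (0.69, 0.21, 0.89)),      # impostor, far from alice
    ("carol", "mallory", (0.45, 0.55, 0.20)),  # impostor, close to carol
]

if __name__ == "__main__":
    for thr in (0.10, 0.15):
        far, frr = error_rates(TRIALS, thr)
        print(f"threshold={thr:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("identify:", identify((0.11, 0.79, 0.31)), identify((0.9, 0.9, 0.9)))
    print("retry:", authenticate("bob", [(0.5, 0.5, 0.5), (0.60, 0.30, 0.80)]))
```

On these constructed trials, loosening the threshold from 0.10 to 0.15 removes the false reject of the noisy genuine capture but lets the near-miss impostor through, which is the trade-off any accept/reject threshold in such a gateway has to be tuned against.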

In this model of the smart online banking system, FRA or BFA will be used to take input to authenticate to the system. It helps to obtain an image for preprocessing through fingerprints/face recognition/digital signature. The next step is feature extraction, applied to whatever image has been captured by the machine as input via the preprocessing & image obtaining gateway. The received image is passed to the SVM classifier or training classifier, which makes a decision either to validate the user or to reject it. On rejection the user is asked again to give input to the machine; accepted input allows the user to handle the transaction of their account.

This is how the proposed model will work and allow an authenticated user to transact in the banking system. Anything can be done smartly, there is no validation can deny BFA or FRA. These are the most renowned technologies which enhance the security of the transaction. This also helps make the existing banking system more secure than the existing online banking system.

The CNN acts as the feature extractor, and the dense layer, which consists of the output from the image extractor, provides input to the SVM that classifies the object presence within the candidate region proposal. Additionally, to predict the object's presence, this proposed algorithm will increase the bounding box's prediction that helps to produce offset value to extract the precise data of the user.

The benefit of CNN, compared to its antecedents, is that it automatically detects the vital features without any human expertise or supervision. The major steps are shown diagrammatically in Figure 2. They include Preprocessing & Image Obtaining, Feature Extraction with the help of Neural Networking or features of Region-Based Convolutional Neural Networks (R-CNNs), which help to detect objects and are applicable to deep models, Features Extraction, and Verification.

The R-CNN model selects various proposed regions from the image, e.g. anchor boxes, bounding boxes, and their categories of labelling such as offsets. After selecting from the image, it uses a CNN for forward computation to extract features from the given area. Later, the features of each proposed region are used to predict the category of labelling as well as the bounding box. Explicitly, R-CNNs are composed of four major parts, which are mentioned below:

i) Selective Search: it is performed on the received input image. It selects multiple high-quality proposed regions on multiple scales, with a variety of sizes and shapes. Each proposed region is labelled with a category as well as a ground-truth bounding box.
ii) Pre-trained CNN: it selects and places the in-truncated form before the proposed region's output layer. It helps to transform it into the input dimensions required by the network. It uses forward computation to provide the output of feature extraction from each proposed region.
iii) Featured & Labeled Category: it combines each proposed region into an example that helps to train the multiple Support Vector Machines. It helps to determine whether the example belongs to a certain category or not.
iv) Featured & Labeled Bounding Box: it combines each proposed region into an example that helps to train a Linear Regression Model for ground-truth bounding box prediction.

IV. BASIC MATHEMATICAL MODEL

The proposed mathematical model follows CNN's major parts, as mentioned below:

a) Fast R-CNN Model: this uses the complete image as the CNN input for the process of feature extraction, rather than each proposed region. Furthermore, the network is trained to update the parameters of the model. As the input is the whole image, the CNN output has shape 1*c*h1*w1.
b) Assuming Selective Search: it generates n proposed regions, which have different shapes and indicate particular Regions of Interest (ROIs). Its different shapes and sizes will have differed from similar shapes and similar shapes must be extracted from the existed ROIs. (Let us assume the height = h2 and the width = w2).
c) Completely Connected Layer: it is used to change the shape of the output to n*d (the model design determines d).
d) Category Prediction: during this process, the shape of the completely connected layer's output is transformed again into n*q. We use soft-max regression for this, where q is the number of categories. During bounding box prediction, the shape of the completely connected layer's output is transformed again into n*4. This means that we predict the category as well as the bounding box for each proposed region.

V. VERIFICATION

The Support Vector Machine is an extensively used tool, especially in the area of pattern recognition. It makes use of the principle of Structural Risk Minimization (SRM), which provides good performance in the field of non-linear patterns, especially by transforming the input vectors into a high-dimensional feature space with the help of a kernel.

It locates the optimal hyperplane for linearly separable data and extends to non-linearly separable data by mapping to a high-dimensional feature space. SVM has several applications such as authentication based on biometric data, text categorization, information management, bioinformatics, digital signature, and so on.

The principle on which SVMs are based, i.e. Structural Risk Minimization (SRM), is based on Statistical Learning Theory (SRT). More about SVM is available in Vapnik20, Byun21 & Lee. LIBSVM22 has been used for the process of verification. We

have four built-in kernels at our disposal; those are linear, radial basis function, sigmoid and radial basis function. Like any other learning algorithm, SVM requires these parameters to be tuned to find the optimal parameters, which provide enhanced precision of the result on test data. Remaining three kernels are used for this process. For each kernel, five-fold cross-validation is performed on the training set. An algorithmic 'Grid Search' is used to obtain parameters such as γ and c. The values of γ and c giving the best average cross-validation precision are employed for testing.

VI. EXPERIMENTAL RESULT

DATASET

The benchmark database FVC2002DB1B [16] has been used for our experiments; it consists of ten users with eight impressions each. The database is divided into a testing set and a training set, where the training set has seven fingerprint images and the testing set has one fingerprint image. The images have a size of 388*374, at 500 dpi resolution.

EXPERIMENTS

Several fingerprints were selected for training and for testing, and the entire process was repeated four times. The result over these repeated trials is considered the final performance. Each set of features is set aside for verification through the SVM process. Various window sizes (w) were experimented with on the ROI; the best result is obtained for a 5*5 window size on fuzzy features and for a 16*16 window size on the invariant moments. All features were normalized before being input to the SVM.

Each set of features is set aside for verification using SVM. Different window sizes (W) have been experimented with on ROIs. The best results are obtained on fuzzy features for a window size of 5x5 and on invariant moments for a window size of 16x16. The features are normalised before inputting to SVM.

TABLE I. ACCURACY OF THE PROPOSED METHOD

FVC2002                      Accuracy
                             Linear    BFA and FRA    Polynomial
Fuzzy features               74.8      87.6           77.6
Invariant moment features    92.4      95.1           90.1

VII. CONCLUSION

Thus, the models and methods proposed in this work allow the construction of effective mechanisms for the protection of cyber-security in the banking system at the canonical, logical and physical levels of their representation, providing access and admission to the content of their data only with the appropriate user authority and establishing rules for user interaction with information resources according to the criteria of optimal, consistent with the requirements. This gives the best possible architecture to access with ease and the most secure way to save their data from different intruders. Future research includes securing this model from different unknown attacks and making it more feasible for the users.

REFERENCES

[1] Taylor, Robert W., et al. "Cybercrime and cyber terrorism." 2019.
[2] Umanailo, M. Chairul Basrun, et al. "Cybercrime Case as Impact Development of Communication Technology That Troubling Society." Int. J. Sci. Technol. Res 8.9. 2019, pp. 1224-1228.
[3] Lee, Junho, et al. "A Software Development Methodology for Secure Web Application." International Journal on Advanced Science, Engineering and Information Technology 9.1. 2019, pp. 336-341.
[4] Wazid, Mohammad, Sherali Zeadally, and Ashok Kumar Das. "Mobile banking: evolution and threats: malware threats and security solutions." IEEE Consumer Electronics Magazine 8.2. 2019, pp. 56-60.
[5] Bose, Rajesh, Srabanti Chakraborty, and Sandip Roy. "Explaining the Workings Principle of Cloud-based Multi-factor Authentication Architecture on Banking Sectors." 2019 Amity International Conference on Artificial Intelligence (AICAI). IEEE, 2019.
[6] Ronchi, Corrado, et al. "Security, privacy and efficiency of internet banking transactions." 2011 World Congress on Internet Security (WorldCIS-2011). IEEE, 2011.
[7] Hole, Kjell Jørgen, Vebjørn Moen, and Thomas Tjostheim. "Case study: Online banking security." IEEE Security & Privacy 4.2. 2006, pp. 14-20.
[8] Correia, Márcio AS, et al. "Segurança em internet banking." XIII Simposio Brasileiro em Seguranca da Informacao e Sistemas Computacionais (SBseg), Gramado-RS. 2008.
[9] Limba, Tadas, et al. "Cybersecurity management model for critical infrastructure", 2019.
[10] Nami, M. R. "E-banking Issues and challenges: ACIS International Conference on Software Engineering, Artificial Intelligences, Networking and Parallel." Distributed Computing (SNPD), 2009.
[11] Dandash, Osama, Phu Dung Le, and Bala Srinivasan. "Security analysis for internet banking models." Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007). Vol. 3. IEEE, 2007.
[12] Peotta, Laerte, et al. "A formal classification of internet banking attacks and vulnerabilities." International Journal of Computer Science & Information Technology 3.1. 2011, pp. 186-197.
[13] Nor, Fazli Bin Mat, and Kamarularifin Abd Jalil. "An enhanced remote authentication scheme to mitigate man-in-the-browser attacks." Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec). IEEE, 2012.
[14] Nagaraju, Sabout, and Latha Parthiban. "Trusted framework for online banking in public cloud using multi-factor authentication and privacy protection gateway." Journal of Cloud Computing 4.1. 2015. P. 22.
[15] Taylor, Robert W., et al. "Cybercrime and cyber terrorism." (2019).
[16] Kour, Jaspreet, M. Hanmandlu, and A. Q. Ansari. "Biometrics in Cyber Security." Defence Science Journal 66.6, 2016.
[17] Nazarov, Aleksei Nikolaevich. "Estimation of the information safety level of modern info-communication networks on the basis of the logic-probability approach." Automation and Remote Control 68.7. 2007, pp. 1165-1176.
[18] Nazarov, Alexey Nikolaevich, Xuan Tien Nguyen, and Minh Hai Tran. "MODELING OF INFORMATION ATTACKS, AND SECURITY RISK ASSESSMENT OBJECTS." Conference "Information Society Technologies". Moscow, 2016.
[19] Kizza, Joseph Migga. Guide to computer network security. London: Springer, 2009.
[20] Wang, Huaqun, Debiao He, and Shaohua Tang. "Identity-based proxy-oriented data uploading and remote data integrity checking in public cloud." IEEE Transactions on Information Forensics and Security 11.6. 2016, pp. 1165-1176.
