
Security for Internet banking: a framework

Damien Hutchinson and Matthew Warren

The authors
Damien Hutchinson is a Research Assistant and Matthew Warren is Associate Professor, both at the School of Computing and Mathematics, Deakin University, Geelong, Australia.

Keywords
Electronic commerce, Computer security, Internet, Banking

Abstract
As a continually growing financial service of electronic commerce, Internet banking requires the development and implementation of a sound security procedure. This involves designing effective methods via which users can be authenticated in a remote environment. Specifically for Internet banking there is a real need for a way to uniquely identify and authenticate users without the possibility of their authenticity being cloned. Some technologies in use have been presented for meeting the security requirements for national, regional and global Internet banking assurance. However, there has been little research conducted particularly on the creation of secure and trusted pathways. This paper concentrates on presenting a security framework for Internet banking based on discovering and defining these pathways in terms of adequate authentication mechanisms. It proposes a framework concerning how to identify security requirements for Internet banking such that the transactions being conducted are secured within their respective environments.

Introduction
E-commerce fundamentally focuses on the electronic exchange of information using information and telecommunication infrastructures (particularly the World Wide Web and the Internet). E-commerce encompasses a wide range of commercial activities that can be categorised into business-to-consumer and business-to-business sectors. Industry sectors such as banking have openly embraced e-commerce to improve their performance and gain a strategic competitive advantage.
There are four interlinked factors driving the global acceleration of banking on the Internet. These are (NOIE et al., 1999):
(1) accelerating customer demand;
(2) increased competition between banks and new entrants;
(3) the relentless drive by the banks to reduce costs and achieve new levels of efficiency; and
(4) world-wide deregulation of the financial services market.

Statistics indicate that ATMs, telephone banking and home banking presently make up more than 50 percent of all banking transactions, and total non-branch activity is expanding at a rate of 15 percent per year (Hutchinson, 2000). Consistent with the many electronic surveys that point to information security as the number one concern for both businesses and consumers (Ernst & Young, 1999), this uptake is being challenged by the concerns of users and potential users about the security and privacy of Internet banking transactions, as well as confidentiality in the processing of personal information (Hutchinson and Warren, 2001).
This paper is concerned with the service of Internet banking and the issues surrounding authentication, which is the mechanism at the heart of e-commerce security. The content draws a correlation between the concepts depicted in Figure 1, by presenting a framework that, when applied to certain Internet banking scenarios, can offer the customer guidelines regarding the implementation of appropriate authentication mechanisms to ensure an adequate level of trust between the parties conducting the transaction. It should be noted that previous research into e-commerce security has focused upon generic online security risks; this paper focuses on the security requirements of Internet banking, that is, on the protection of a critical system.

Logistics Information Management, Volume 16, Number 1, 2003, pp. 64-73. © MCB UP Limited. ISSN 0957-6053. DOI 10.1108/09576050310453750


Figure 1 Security issues of Internet banking

Figure 2 Research methodology

Research methodology
Past research has suggested ``what'' can be done but not specifically ``how'' to do it; although government agencies have put forward electronic commerce initiatives for small business including guidelines and policy involving considerations for online security (Department of Commerce and Trade, 2000), their make-up describes ``what'' can be done with little detail about ``how'' to do it. A gap remains for a comprehensive workable framework (that incorporates security of SME electronic business practices with a focus on the secure management of electronic transactions) that is both feasible and can be implemented into the various Australian SME industries.
The methodology employed for this research involved a qualitative approach comprising six phases: developing a conceptual framework used for organising variables and their relationships; research questions that appropriately identified the objects of inquiry; case definition, where the focus and boundaries of the study were classified; creating a means for sampling; instrumentation, specifying the collection of data; and finally validation, to substantiate the effectiveness of the framework (Miles and Huberman, 1994). This methodology, as shown in Figure 2, was used for the reason that it can be done inductively and developmentally from either a tight or a loose design. Significantly, this approach serves a critical role both to constrain and to support analysis within the specified research field.
In order to develop any form of framework or methodology an extensive literature review and analysis need to be undertaken. The literature review was an ongoing component lasting for the duration of this research. It was made up of a widespread data analysis survey that was based around an interactive model as displayed in Figure 3. The main task of the analysis was to uncover the ways in which SMEs, Internet banking and security come together in particular work settings to ultimately initiate a plan to manage the day-to-day situations of consumers and these small businesses.

Figure 3 Components of data analysis: interactive model

The data collection involved gathering information about Internet banking, the use of this service by consumers and small business and the associated security implications of Internet banking. Applying the qualitative elements of observation and examination (Hill and Kerber, 1967) to this data collection led to the formulation of an authoritative and empirical study (Graziano and Raulin, 2000). The data analysis consisted of the stages of data display and data reduction. A content analysis was used to allocate the raw data collected into logical, meaningful categories which were identified by using a process called open coding (Strauss and Corbin, 1990). This allowed an initial model to be developed that, when combined with re-examination via a process called axial coding (Strauss and Corbin, 1990), provided a means to identify the links between the authentication technologies and security requirements pertinent to individual Internet banking environments. Drawing and substantiating conclusions involved the use of data evaluation techniques to ensure verification, validation and reliability of the data analysed. Verification was undertaken by following a process referred to as tactics for generating meaning (Miles and Huberman, 1994), which involves examining and re-examining the collected data. Validation was handled by applying external validity (Graziano and Raulin, 2000), where external parties examined the framework. Within qualitative research the issue of reliability is concerned with the level of objectivity of the research and ensuring that data generation and analysis are appropriate, thorough and accurate (Silverman, 1997).


Internet banking security
While it is acknowledged that Australian banks have an excellent record concerning security of customer information, surveys indicate that Internet users are wary about privacy issues including transparency, collection, use and disclosure of their personal information. This concern primarily relates to authentication. The banking and finance industries report the highest incidence of misuse, 57 percent, which is directly related to these industries having one of the highest dependencies on computers in the workplace (Hutchinson, 2000).
The Citibank breach of security in 1994 is still extensively recalled in banking and security circles, since it is one of the few successful electronic bank frauds on record (Barlotta, 1999). The incident portrays hackers who penetrated Citibank's security system and progressively wired money to banks around the world. When the heist was discovered in September 1994, $10 million was gone. All but $400,000 was eventually recovered.
One of the latest security threats is a computer program known as ``Nmap'', a network exploration tool and port scanner. Its decoy scan sends probes with spoofed source addresses alongside the real one, so that a bank's intrusion-detection system falsely believes it is being attacked by hundreds of hackers across the globe when it is actually just one person (Barlotta, 1999).
The security protections offered by banks, and which customers should expect, include (NOIE et al., 1999):
. careful reference to their authorised Web sites in their publications;
. verification via the use of a digital certificate;
. evidence of security protection displayed on the screen, e.g. padlock icon;
. protection of PINs and passwords;
. on-screen and mouse-operated keypads for sensitive information;
. virus protection;
. at least 128-bit encryption;
. firewall implementation;
. stated limits to customer liability for unauthorised use of access codes.

From a consumer perspective the issue of trust can be ensured by having the following trust elements embedded within the trust model (Chellappa, 2001):
. Protection. Protection can be defined as the process through which customers are satisfied that their personal information is sufficiently preserved by the entity collecting the information.
. Verification. The inherent lack of implicit identity verification that can be linked with an electronic transaction means that a spurious Web site could easily be created. When dealing with Internet banks, customers may mistype the domain name, ``www.Citibank.net'' instead of ``www.Citibank.com'', or may misspell Citibank with a ``y'' instead of an ``i'', as in Citybank (Chellappa and Pavlou, 2001). There have been many instances of sites that have gained advantage from such typographical errors (Sullivan, 2000). In this sense the consumer wants verification that the accuracy of the domain name can be ascertained, proving that they are transacting with the actual Internet bank.
. Authentication. Authentication is defined as the process through which an Internet merchant's identity can be established via a trusted third party that guarantees that the merchant is indeed who they say they are.
. Non-repudiation. Mechanisms to ensure that the client (customer) can be certain they are communicating with the genuine server (bank) or vice versa, such that neither of the communicating parties can later falsely deny that the transaction took place.
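The domain-name confusion described under Verification has a mechanical side that a bank, or a customer-side tool, can check for. The following Go program is an added example and not part of the paper: it enumerates the look-alike names of a genuine host (wrong top-level domain, one substituted, omitted or transposed letter; this set of error kinds is the example's own choice) and classifies what a customer typed against the genuine name. The sample host names are constructed around the paper's own Citibank illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Variants enumerates look-alike host names for a legitimate "label.tld":
// wrong top-level domain, single-letter substitution, omitted letter and
// transposed adjacent letters. The map value records the kind of error.
// The set of error kinds is an assumption of this example.
func Variants(host string) map[string]string {
	out := make(map[string]string)
	dot := strings.LastIndex(host, ".")
	if dot < 0 {
		return out
	}
	label, tld := host[:dot], host[dot+1:]

	// www.citibank.net instead of www.citibank.com
	for _, t := range []string{"com", "net", "org", "co", "biz", "info"} {
		if t != tld {
			out[label+"."+t] = "wrong TLD"
		}
	}
	// citybank instead of citibank
	for i := 0; i < len(label); i++ {
		for c := byte('a'); c <= 'z'; c++ {
			if c == label[i] {
				continue
			}
			out[label[:i]+string(rune(c))+label[i+1:]+"."+tld] = "substitution"
		}
	}
	// citbank (omission) and ctiibank (transposition)
	for i := 0; i < len(label); i++ {
		out[label[:i]+label[i+1:]+"."+tld] = "omission"
		if i+1 < len(label) && label[i] != label[i+1] {
			swapped := label[:i] + string(rune(label[i+1])) + string(rune(label[i])) + label[i+2:]
			out[swapped+"."+tld] = "transposition"
		}
	}
	return out
}

// Classify reports whether the host a customer typed is the genuine bank
// host, one of its typosquat variants, or unrelated. Comparison is
// case-insensitive, as DNS names are, and a leading "www." is dropped so
// the registrable name is what gets compared.
func Classify(genuine, typed string) string {
	norm := func(h string) string {
		return strings.TrimPrefix(strings.ToLower(strings.TrimSpace(h)), "www.")
	}
	g, t := norm(genuine), norm(typed)
	if t == g {
		return "genuine"
	}
	if kind, ok := Variants(g)[t]; ok {
		return "typosquat (" + kind + ")"
	}
	return "unrelated"
}

func main() {
	// Constructed inputs, built on the paper's Citibank illustration.
	for _, typed := range []string{"www.Citibank.com", "www.Citibank.net", "www.citybank.com", "www.example.com"} {
		fmt.Printf("%-18s %s\n", typed, Classify("www.citibank.com", typed))
	}
}
```

Enumeration only catches what it enumerates, so a list like this is a screening aid for registering or blocking look-alike names. The check the paper places under Authentication, the bank's certificate binding the name to the organisation, is what actually proves that the site reached is the bank.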
Based on these elements Table I presents a
conceptual taxonomy of trust for the
consumer undertaking electronic commerce
transactions (Chellappa and Pavlou, 2001).


Table I A conceptual taxonomy for consumer trust in EC transactions

Element: Protection
Vulnerability: intrusion at point of destination or storage
Counter-measure: disclosure policies with regard to privacy protection and collection of data
Technology implementation: firewall technologies

Element: Verification
Vulnerability: Web page defacing/masquerading
Counter-measure: portals like Yahoo! (www.yahoo.com) to verify exact domain name

Element: Authentication
Vulnerability: false retailer claiming to be actual retailer
Counter-measure: independent third parties like Verisign (www.verisign.com); authenticator's seal on entities' Web site
Technology implementation: exchange of digital certificate combined with encryption

Element: Non-repudiation
Vulnerability: communication with party later falsely denying the transaction took place
Counter-measure: mechanisms to ensure that client (customer) can be certain they are communicating with the genuine server (bank) or vice versa
Technology implementation: digital signature

The Internet banking framework
The proposed model for identifying security requirements in an Internet banking environment is intended to support use in both business-to-business and business-to-consumer e-commerce. Organisations, small to medium-sized enterprises (SMEs) and home-based customers will be able to use this framework as a guide to identifying the security requirements for their particular banking environment. The objective of the scenario presented is to encourage a sense of confidence in the parties involved in undertaking Internet banking transactions, such that their personal information is protected from prospective security breaches, as when Barclays, which claims to be the UK's largest online bank, had to take down its Web site at the end of July 2000, when customers were served the bank statements of other clients (Knight, 2000a, b).
The majority of electronic commerce transactions are carried out through Web browsers that are connected to merchant sites that in turn connect to some form of financial institution. Like any sound information system, the transition when conducting such a transaction should be seamless and transparent for the user, but feedback needs to be displayed in order to generate a feeling of control. Some assurance of security is displayed in browsers and Web sites in the form of symbols for consumers conducting transactions that conform somewhat with these frameworks. Typically, an unbroken padlock is used to indicate a secure session facilitating integrity and confidentiality via encryption, statements about data protection and firewalls representing protection, familiar and verifiable domain names for verification and digital certificates ensuring authentication from trusted third parties (Chellappa, 2001). With no tangible way for an everyday user to validate the actual security of Internet banking systems, there is little evidence to support that these symbols have not been fabricated. A padlock image placed within the page content by the site itself proves nothing; only the indicator drawn by the browser reflects the state of the session. This framework provides the basis of identifying the necessary security requirements and mapping them to a suitable security architecture for the corresponding environment.

Steps in the framework process
Traditionally security assessment has been undertaken by applying conventional risk analysis methodologies. These have become inadequate with the advent of open, distributed networks, requiring new approaches to risk assessment. Thus, the following framework aims to identify the security requirements for an Internet banking environment. Developed from a framework for e-commerce security (Labuschagne, 2000), it consists of a defined six-step process:
(1) Step 1. List all the security requirements for an Internet banking environment in general.
(2) Step 2. Identify all participants and stakeholders involved in the Internet banking process.
(3) Step 3. Break down transactions into different autonomous actions.
(4) Step 4. Map these identified actions on to the participants involved, which serve as a model for the Internet banking environment.
(5) Step 5. Use the information obtained in step 4 to determine the security requirements for a secure Internet banking environment.
(6) Step 6. Use these security requirements to develop the security architecture, comprising suitable security procedures, mechanisms and policy.
Each one of these steps is further examined in the following sections.

The Internet banking environment
There are three main areas of security that are involved in Internet banking. These are:
(1) the bank;
(2) the Internet;
(3) the user's (customer) computer.
The user's computer includes both a home customer and an organisational customer using Internet banking facilities.
The interaction between bank-to-bank Internet banking has been omitted due to the discrepancy of the different and advanced level of security provided at this level.
Figure 4 illustrates a simplified version of the Internet banking transaction process through an Internet banking environment where a customer/business wishes to pay a bill.
In Figure 4, there are two participants to any Internet banking transaction, namely the customer, that can be either home- or business-based, and the bank. The important considerations like taxation and legislation across geographical borders have been omitted from the discussion for the sake of simplicity.

Figure 4 Internet banking environment

Description of the spheres
Four spheres can be determined from Figure 4. Each has its own unique security requirements based on the Internet banking requirements outlined later. A sphere is defined as an independent entity consisting of a person, information technology or both.

Security requirements for an Internet banking environment in general
The close relationship that exists between e-commerce and Internet banking means that an Internet banking session must satisfy the same security requirements, as listed below:
(1) Identification and authentication. The ability to uniquely identify a person or entity and to prove such identity.
(2) Authorisation. The ability to control the actions of a person or entity based on its identity.
(3) Confidentiality. The ability to prevent unauthorised parties from interpreting or understanding data.
(4) Integrity. The ability to assure that data have not been modified accidentally or by any unauthorised parties.
(5) Non-repudiation. The ability to prevent the denial of actions by a person or entity.
(6) Availability. The ability to provide an uninterrupted service.
(7) Privacy. The ability to prevent the unlawful or unethical use of information or data.
(8) Auditability. The ability to keep an accurate record of all transactions for reconciliation purposes.
These eight security requirements have been proposed as the basis for the e-commerce security framework (Labuschagne, 2000). To extend on this, authentication mechanisms need to be incorporated to provide the corner-stone of authentication for the Internet banking framework. This would comprise the use of passwords, smart cards and possibly biometrics.
The following section describes where these security requirements fit into an Internet banking environment.

Figure 5 shows a representation of these spheres.

Figure 5 Spheres within Internet banking environment

The following section defines and describes each individual sphere within the Internet banking environment as depicted in Figure 5.
Sphere 1 home-based customer
This customer can be any home-based user on the Internet. It is therefore not viable to determine or assume that such a customer has any security (authentication) mechanisms in place. The only assumption that can be made is that most home-based customers would use browsers that support digital certificates and the Secure Sockets Layer (SSL). However, it cannot be presumed that these customers have the knowledge or understanding of how to use this integrated functionality.
The nature of Internet banking is such that the majority of home-based Internet users should be seen as potential customers and hence should not be prevented or hindered in any way from participating in an Internet banking transaction. Thus, for these customers, partaking in an Internet banking transaction should cater for secure and user-friendly operations in a convenient environment.
Sphere 2 business-based customer
This customer can be any business-based company on the Internet. The major difference between a home-based and business-based customer would be the implementation of some form of security mechanisms.
There are two distinct relationships that exist in this instance. First, the association of the business-based customer with the bank, which represents a similar relationship to that of a home-based customer, and second, where the business-based customer acts as the merchant between the home-based customer and the bank. In the second scenario, the merchant accepts the responsibility for securing the transaction with the home-based customer before forwarding it to the bank. The merchant must, therefore, provide assurance that an electronic transaction can be made safely and securely and that the risk has been minimised to an acceptable level for all participants.
In terms of the nature of Internet banking, business-based companies are entitled to the same inclusions as home-based banking.
To maintain a level of simplicity, the electronic business environment, which comprises knowledge management and workflow, does not form part of the proposed framework, although it would be possible to adapt the framework for this environment.
Sphere 3 bank
The framework regards the inter-network of banks as a single body as opposed to each bank being its own separate entity. The purpose of the banking sphere is twofold: first, to validate customers through authentication mechanisms and, second, to authorise and honour transactions so as to ensure non-repudiation.
Sphere 4 Internet
The Internet is considered to be a network of networks where there is no one single entity responsible for security or held accountable for any losses suffered. It is viewed as the infrastructure that facilitates global communication, leading to e-commerce and now Internet banking. From its outset, the Internet in no way has existed to protect any of the participants but rather to provide a channel to facilitate the connection between different entities wishing to communicate via electronic means. Despite version 6 of the Internet Protocol (IPv6) being successfully proven in various test environments, version 4 (IPv4) is still the chief Internet protocol. Adversely, IPv4 does not mandate the security functionality (IPsec) that is built into IPv6, and that functionality is rarely deployed end-to-end over IPv4. Thus, the security of a message cannot be taken for granted.

Autonomous actions contained within the Internet banking transaction
Up to now the participants and the relationship between them have been explained. The next step is to analyse and divide the transaction into smaller, autonomous actions that combined make up a complete Internet banking transaction. A typical Internet banking transaction consists of the following actions, as illustrated in Figure 6. Note that home-based and business-based customers are interchangeable:
(1) Action 1. A customer uses the Internet to connect to their bank's Web site.
(2) Action 2. The customer browses the Web site and decides on a service. An Internet banking transaction is initiated by the customer by providing both invoice and payment information.
(3) Action 3. The bank checks if the transaction is executable by verifying that the customer has enough funds available, and a reply is returned to the customer.
(4) Action 4. Upon completion of the transaction, confirmation is sent to the customer.
(5) Action 5. The bank honours the payment and returns proof of having done so.
These transactions could be broken down further if deemed necessary. A decision table can then be used to assist in the identification of the essential security requirements for the Internet banking environment as previously described.

Figure 6 Autonomous actions contained within Internet banking transaction

Security decision analysis
The decision table, as shown in Figure 7, illustrates an example based on the scenario outlined previously. A brief discussion of the steps to develop such a decision table is also provided.
Following is a brief description of each of the steps:
(1) Step 1. This consists of listing all the security requirements that must be satisfied, as discussed previously.
(2) Step 2. This consists of listing the spheres that have been identified. Only the three spheres shown in Figure 5 are used, i.e. bank, Internet and customer, whether home- or business-based.
(3) Step 3. This comprises listing the actions that make up a transaction. The five actions previously identified are used in the decision table.
(4) Step 4. This maps the actions on to the spheres identified in step 2. Naturally, not all the actions will include all the spheres.
(5) Step 5. This associates the security requirements with an individual action. This information is then applied to establish how it can be implemented within the relevant sphere.

Figure 7 Decision table

In the decision table, action 1 shows that the bank must be able to identify and authenticate a customer satisfactorily to perform a transaction. At the same time the customer wants privacy regarding the personal account information being viewed. Privacy in this context refers to this information being unavailable to other parties. Actions 4 and 5 require the bank to send confirmation of the transaction and to ensure confidentiality and integrity of this message. Concurrently, the customer wants a guarantee that the bank cannot later deny that the transaction took place. This refers to the security requirement of non-repudiation. The table also indicates that the bank needs to record the transaction correctly in order to meet auditing requirements.
By looking at the security requirements for each action, it is possible to identify the security mechanisms required to secure the Internet banking environment. For action 1, the identification and authentication security requirement could very well be facilitated by the implementation of a smart card authentication system, possibly with an accompanying biometric mechanism. The required infrastructure through developed standards and technological know-how has already been established for smart cards, providing certain support for this initiative. The security requirements for action 2 might suggest that SSL be used for securing the communication session (currently being used with 128-bit encryption) across the Internet. This may only be an interim approach or for the long term, depending on the implementation and widespread adoption of version 6 of the Internet Protocol (IPv6). Nevertheless it would be imperative to review periodically the protection the SSL configuration actually provides: the realistic risk lies less in brute-forcing a 128-bit key, which is not expected to become feasible, than in weaknesses found in the cipher suite or protocol version in use. The security requirements for actions 4 and 5 may be satisfied using SSL, although the acknowledgement needs to be digitally signed by the bank to conform with the security requirement of non-repudiation for all transactions. This would be catered for by the use of digital certificates.
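The decision analysis above amounts to a small matrix: actions on one axis, spheres and requirements on the other, and then a lookup from each requirement to the mechanism of step 6. The following Go program is an added example written for this page and is not the paper's own decision table (Figure 7 is not reproduced here). It transcribes the requirements the discussion above assigns to each action, marks the one row the paper does not state (an authorisation requirement on the bank in action 3) as assumed, and adds the two checks a reviewer of such a table wants: which of the eight step-1 requirements no action demands, and which demanded requirements step 6 leaves without a mechanism.

```go
package main

import "fmt"

// Sphere and Requirement are the two axes of the decision table
// (steps 1 and 2 of the framework).
type Sphere string
type Requirement string

const (
	Customer Sphere = "customer"
	Internet Sphere = "internet"
	Bank     Sphere = "bank"
)

const (
	IdentAuth       Requirement = "identification and authentication"
	Authorisation   Requirement = "authorisation"
	Confidentiality Requirement = "confidentiality"
	Integrity       Requirement = "integrity"
	NonRepudiation  Requirement = "non-repudiation"
	Availability    Requirement = "availability"
	Privacy         Requirement = "privacy"
	Auditability    Requirement = "auditability"
)

// AllRequirements is step 1: the eight requirements the paper lists.
var AllRequirements = []Requirement{IdentAuth, Authorisation, Confidentiality,
	Integrity, NonRepudiation, Availability, Privacy, Auditability}

// Entry is one cell of the decision table (steps 4 and 5): during Action,
// Sphere must satisfy Req.
type Entry struct {
	Action int
	Sphere Sphere
	Req    Requirement
}

// Table transcribes the paper's discussion of the bill-payment scenario.
// The action-3 row is an assumption of this example: the paper only says
// the bank checks that funds are available.
var Table = []Entry{
	{1, Bank, IdentAuth}, {1, Customer, Privacy},
	{2, Internet, Confidentiality},
	{3, Bank, Authorisation}, // assumed
	{4, Bank, Confidentiality}, {4, Bank, Integrity}, {4, Bank, NonRepudiation}, {4, Bank, Auditability},
	{5, Bank, Confidentiality}, {5, Bank, Integrity}, {5, Bank, NonRepudiation}, {5, Bank, Auditability},
}

// Mechanisms is step 6 as the paper states it; a requirement absent here
// has no mechanism proposed.
var Mechanisms = map[Requirement]string{
	IdentAuth:       "smart card, possibly with a biometric",
	Confidentiality: "SSL session with 128-bit encryption",
	Integrity:       "message authentication codes in SSL",
	NonRepudiation:  "acknowledgement digitally signed by the bank (digital certificate)",
	Auditability:    "correct recording of the transaction",
}

// RequirementsFor returns, per sphere, what one action demands.
func RequirementsFor(action int) map[Sphere][]Requirement {
	out := map[Sphere][]Requirement{}
	for _, e := range Table {
		if e.Action == action {
			out[e.Sphere] = append(out[e.Sphere], e.Req)
		}
	}
	return out
}

func inTable(r Requirement) bool {
	for _, e := range Table {
		if e.Req == r {
			return true
		}
	}
	return false
}

// Uncovered lists step-1 requirements that no action demands: either the
// analyst must justify dropping them or the table is incomplete.
func Uncovered() []Requirement {
	var out []Requirement
	for _, r := range AllRequirements {
		if !inTable(r) {
			out = append(out, r)
		}
	}
	return out
}

// Unmapped lists requirements the table demands but for which step 6
// names no mechanism, so the architecture cannot yet satisfy them.
func Unmapped() []Requirement {
	var out []Requirement
	for _, r := range AllRequirements {
		if inTable(r) && Mechanisms[r] == "" {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	for a := 1; a <= 5; a++ {
		fmt.Printf("action %d: %v\n", a, RequirementsFor(a))
	}
	fmt.Println("demanded by no action:", Uncovered())
	fmt.Println("demanded but without a mechanism:", Unmapped())
}
```

Run as written it reports availability as demanded by no action, and authorisation and privacy as demanded but without a mechanism. Those are exactly the questions to take back to steps 5 and 6 before the architecture is fixed; the paper's prose names the requirements but stops short of a mechanism for either.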

Case study
For the purpose of this paper, the following small case study provides an evaluation of one of the identified scenarios based on the framework constructed previously. The first evaluation is based on the consumer-to-business e-commerce environment depicted in Figure 8.
In this scenario the areas that must be secured include:
. the consumer;
. the terminal (cell phone or PDA);
. the wireless and public network (telecommunication exchange);
. the Internet (communication server); and
. the bank.

Figure 8 Scenario of consumer, cell phone and PDA

This is represented in Figure 9, which also illustrates the autonomous actions contained within this particular environment. Following is an explanation of these actions:
(1) Action 1. The consumer uses a mobile phone or personal digital assistant (PDA) to connect to a wireless or other public network.
(2) Action 2. Through the telecommunication exchange and Internet, the consumer is able to connect to their bank's Web site.
(3) Action 3. The consumer browses the Web site shown on their cell phone or PDA screen and decides on a service, i.e. transfer funds from account A to account B.
(4) Action 4. The bank checks the validity of the consumer's request.
(5) Action 5. The bank sends the confirmation to the consumer on completion of the transaction.
(6) Action 6. The bank honours the transfer and returns verification to the consumer.

Figure 9 Autonomous actions contained within the cell phone, PDA scenario

From this the decision table can be derived, as shown in Figure 10.

Figure 10 Scenario decision table (derived from Table II)

By viewing the security requirements for each action, the security mechanisms required to secure this Internet banking environment can be suitably determined. For example, confidentiality can be assured by a smart card acting as a veritable lock between the secret code on the chip and the unsecured terminal (in this case the cell phone, PDA and telecommunication exchange) environment. In addition, authentication can be provided via the use of a PIN as well as an integrated digital signature and digital certificate associated with a smart card system. Further, data integrity can be catered for via the use of the message authentication codes that are built into the Secure Sockets Layer (SSL), which can be used for securing the Web session over the Internet. To prevent Internet-based users from breaching the banking network, a firewall should be implemented to isolate the Web server from the customer information database. Finally, by complementing the identification and authentication process of Internet banking-based transactions with technologies like public-key cryptography, digital notary and digital signature, transactions are protected against repudiation.
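The case study, like actions 4 and 5 of the earlier scenario, needs both integrity of the bank's acknowledgement and non-repudiation by the bank, and the paper assigns the first to SSL's message authentication codes and the second to a digital signature backed by a certificate. The following Go program is an added example, not code from the paper. It substitutes a freshly generated Ed25519 key pair for the bank's certificate and HMAC-SHA256 for the SSL record MAC (the Confirmation fields, sample values and session key are constructed for the example), and shows why the MAC on its own cannot give non-repudiation: the customer shares the session key and can produce a valid tag for an acknowledgement the bank never sent, whereas only the bank can produce the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Confirmation is the bank's acknowledgement that a transaction was
// honoured. The field layout is an assumption of this example.
type Confirmation struct {
	TxID    string
	Account string
	Amount  string
}

// Bytes gives a canonical, length-prefixed encoding so that two different
// confirmations can never serialise to the same bytes.
func (c Confirmation) Bytes() []byte {
	s := fmt.Sprintf("%d:%s|%d:%s|%d:%s",
		len(c.TxID), c.TxID, len(c.Account), c.Account, len(c.Amount), c.Amount)
	return []byte(s)
}

// Tag is an integrity check keyed with a secret both ends hold, the kind
// of MAC the SSL/TLS record layer applies to each record.
func Tag(sessionKey []byte, c Confirmation) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(c.Bytes())
	return m.Sum(nil)
}

// CheckTag compares tags in constant time.
func CheckTag(sessionKey []byte, c Confirmation, tag []byte) bool {
	return hmac.Equal(Tag(sessionKey, c), tag)
}

// NewBankKey stands in for the key pair behind the bank's certificate.
func NewBankKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign produces the non-repudiable acknowledgement: only the holder of
// the bank's private key can create it.
func Sign(priv ed25519.PrivateKey, c Confirmation) []byte {
	return ed25519.Sign(priv, c.Bytes())
}

// Verify is what the customer, or later an arbiter, checks against the
// bank's public key.
func Verify(pub ed25519.PublicKey, c Confirmation, sig []byte) bool {
	return ed25519.Verify(pub, c.Bytes(), sig)
}

// CustomerCanForgeTag shows why the MAC alone gives no non-repudiation:
// the customer holds the same session key and can mint a valid tag for a
// confirmation the bank never issued.
func CustomerCanForgeTag(sessionKey []byte) bool {
	forged := Confirmation{TxID: "TX-9999", Account: "12345678", Amount: "1000000.00"}
	return CheckTag(sessionKey, forged, Tag(sessionKey, forged))
}

func main() {
	pub, priv := NewBankKey()
	c := Confirmation{TxID: "TX-0001", Account: "12345678", Amount: "250.00"} // constructed
	sig := Sign(priv, c)
	fmt.Printf("signature %s... verifies: %v\n", hex.EncodeToString(sig[:8]), Verify(pub, c, sig))
	tampered := c
	tampered.Amount = "2500.00"
	fmt.Println("tampered confirmation verifies:", Verify(pub, tampered, sig))

	key := []byte("constructed session key; TLS derives one per session")
	fmt.Println("MAC verifies:", CheckTag(key, c, Tag(key, c)))
	fmt.Println("customer can forge a MAC'd confirmation:", CustomerCanForgeTag(key))
}
```

The signature is what the customer keeps as proof: it verifies against the bank's public key long after the session key is gone, and it fails on any altered field. In deployment the public key would be the one in the bank's certificate, and the signed bytes should carry a transaction identifier and timestamp, as here, so a signature over one acknowledgement cannot be replayed as another.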

Conclusion
The entities involved in the transaction, including the technological components, are clearly defined and arranged accordingly. Naturally the various entities will have different security requirements based on their interaction within the specified Internet banking environment. The model caters for this determination by providing a detailed decision table that amalgamates all the information gathered in the six-step process. This cross-referencing method ensures that all avenues from which contingencies arise are covered.
The framework of authentication for Internet banking allows customers to work their way through each step, identifying the necessary security requirements along with the counteracting authentication mechanism. The distinctive style of the framework, including explicit descriptions, examples and cross-referencing capability, ensures all security requirements and authentication mechanisms are sufficiently identified for correct and effective implementation.

References
Barlotta, J. (1999), ``Banks on guard against hackers'', Business Today, Boston Herald, Sunday, 14 March, p. 31.
Chellappa, K. (2001), ``Contrasting classical electronic infrastructure and the Internet: a tale of caution'', research paper, Marshall School of Business, University of Southern California, Los Angeles, CA.
Chellappa, R. and Pavlou, P. (2001), ``Perceived information security, financial liability and consumer trust in electronic commerce transactions'', Marshall School of Business, University of Southern California, Los Angeles, CA.
Department of Commerce and Trade (2000), ``A security management framework for online services'', Office of Information and Communication (OIC) and Contract and Management Services, Government of Western Australia, Perth, August.
Ernst & Young (1999), ``E-commerce: 1999 special report technology in financial services'', available at: www.ey.com/global/vault.nsf/US/1999fsitechnologyreport_exec/$file/1999fsitechnologyreport_exec.pdf
Graziano, A. and Raulin, M. (2000), Research Methods: A Process of Inquiry, 4th ed., Allyn & Bacon, Boston, MA.
Hill, J. and Kerber, A. (1967), Models, Methods, and Analytical Procedures in Education Research, Wayne State University Press, Detroit, MI.
Hutchinson, D. (2000), ``A framework of authentication for Internet banking'', thesis (honours), School of Computing and Mathematics, Deakin University, Geelong.
Hutchinson, D. and Warren, M. (2001), ``A framework of security authentication for Internet banking'', paper presented at the 3rd International Conference on Information Integration and Web-based Applications & Services (IIWAS), September, Austrian Computer Society, Linz.
Knight, W. (2000a), ``Barclays security breach forces online service to close'', ZDNet UK, Monday, 31 July, available at: www.zdnet.co.uk/news/2000/30/ns17002.html
Knight, W. (2000b), ``Barclays in security gaffe this week'', ZDNet UK, Wednesday, 2 August, available at: www.zdnet.co.uk/news/2000/30/ns-17040.html
Labuschagne, L. (2000), ``A new approach to dynamic Internet risk analysis'', thesis (DCom), Rand Afrikaans University, South Africa, available at: csweb.rau.ac.za/deth/acad/thesis/
Miles, M.B. and Huberman, A.M. (1994), Qualitative Data Analysis, Sage Publications, London.
National Office for the Information Economy (NOIE), Australian Bankers Association (ABA) and Australian Information Industry Association (AIIA) (1999), ``Banking on the Internet: a guide to personal Internet banking services'', August, available at: www.noie.gov.au/Projects/ecommerce/banking/personal_banking/banking_online.html
Silverman, D. (1997), Qualitative Research: Theory, Method and Practice, Sage Publications, London.
Strauss, A. and Corbin, J. (1990), Basics of Qualitative Research: Grounded Theory, Procedures and Techniques, Sage Publications, Thousand Oaks, CA.
Sullivan, B. (2000), ``Making money off `typosquatting': firms tap domain typos to grab clicks and ad bucks'', MSNBC Technology Section, 22 September, available at: http://zdnet.com.com/2100-11502915.html?legacy=zdnn
