15 July 1997
Source: http://www.r3.ch/standards/ecbs/

Thanks to mail list ukcrypto@maillist.ox.ac.uk:

Nicholas Bohm <nbohm@ernest.net>


Dr. Rainer A. Rueppel, rueppel@r3.ch,  tf direct ++41-1-9345600
r3 security engineering ag, Zuerichstrasse 151, CH-8607 Aathal/Zurich,   
http://www.r3.ch/, r3@r3.ch,  tf ++41-1-9345656, fax ++41-1-9345657

Following material is introductory to the 62-page report which is available in PDF format (241K): http://www.r3.ch/standards/ecbs/papers/tr401sbi.pdf

A mirror of the report is on this site: http://jya.com/tr401sbi.pdf

Note: Acrobat reader version 3.0 is required; version 2.1 cannot read the report.

 European Committee for Banking Standards

TC4 Security
Secure Banking over the Internet

Purpose and justification

The Internet is a rapidly evolving information infrastructure ("Information Highway") which provides global connectivity, easy reachability and interactive communications at moderate cost for the consumer. The dominating application is the World Wide Web (WWW), with its potential of 3 million connected computer systems and an order of magnitude more actual users. Currently, WWW is primarily used to provide easy access to free-of-charge information (typically research or marketing information). But this is expected to change dramatically in the near future. WWW is expected to provide a basis for electronic commerce and trade. A similar development can be expected for the IBC networks and "Information Highways".

Hence, the Internet has reached an increased market potential which makes it attractive for all service providers and, in particular, for the banks. With the Internet, banks can easily reach their customers on a global scale. Customers may sign up electronically, may order electronically, may transfer money electronically from almost any place in the world. However, as the Internet per se is a highly open and distributed infrastructure without central regulation and control, it is mandatory that the banks carefully address and solve the security issues related to banking applications over the Internet.

European banks must position themselves regarding:


This ECBS Technical Report shall provide a survey of current and planned banking use of the Internet, investigate the security requirements for secure banking on the Internet, provide a survey of the security-related protocols, services and applications on the Internet, identify the synergies between EDIFACT and the Internet, provide a set of recommendations how banks can securely connect to the Internet (e.g. firewall technology), provide a set of recommendations how banks can securely do banking transactions over the Internet (primarily for customer-bank relationships), discuss other requirements for global banking (e.g. banking secrecy, data privacy, export issues), provide an outlook on new banking applications and services (such as electronic cash) which are needed regarding the advent of a global electronic marketplace.

Contents of the report

Approval of NWI 1/96
Draft Report 6/96
Final Report 12/96
Approval 3/97

Members of ECBS TC4 Working Group 6
Rueppel, A. Rainer (Convenor) r³ security engineering ag, Switzerland
Antunes, Joao Sociedade Interbancaria de Servicos S.A., Portugal
Barbut, Jean Louis GSIT, France
Beltrando, Rene Groupement des Cartes Bancaires "CB", France
Beykirch, Hans-Bernhard Informatikzentrum der Sparkassenorganisation GmbH, Germany
Cornet, Alain Interbank Standards Association, Belgium
Daemen, Joan Esat Lab. K. U. Leuven, Belgium
de Rooj, Peter Europay International, Belgium
Faulkner, Paul Palisade Ltd, United Kingdom
Fjelbye, Peter Danish Payment Systems Ltd., Denmark
Garbe, Sebastian Bundesverband Deutscher Banken e.V., Germany
Harpes, Carlo Certel S.C., Luxembourg
Johansson, Anders Nordbanken, Sweden
Meggle, Claude Groupement des Cartes Bancaires "CB", France
Moulart, Yves Banksys S.A., Belgium
Niehoff, Wilhelm Bundesverband Deutscher Banken e.V., Germany
Stirland, Mark Association for Payment Clearing Services, United Kingdom
van Oudheusden, Daaf Interpay, The Netherlands
Ward, Mike Association for Payment Clearing Services, United Kingdom

Copyright © 1997 r³ security engineering ag.
Last Update : 97/01/23 - Please send feedback or comments to

 ECBS TC4 Security
Secure Banking over the Internet


1 Introduction

1.1 Background
1.2 Scope

2 Internet security

2.1 Introduction
2.1.1 What is the Internet?
2.1.2 The World Wide Web?
2.1.3 Java
2.1.4 The common Internet services?

2.2 Relevant scenarios
2.2.1 The bank as a user of the Internet
2.2.2 The bank as an information provider
2.2.3 The bank as an electronic banking provider
2.2.4 The bank as a part of an electronic payment system

2.3 Threats
2.3.1 Introduction
2.3.2 Some Categories of Threat

3 Separating trusted networks - Firewalls

3.1 Introduction
3.1.1 The Need for Security Measures
3.1.2 The Firewall Concept
3.1.3 Running a Web server

3.2 Firewall elements
3.2.1 Packet Screening
3.2.2 A Proxy or Application Level Gateway
3.2.3 Bastion Host
3.2.4 Screened Host

3.3 Security Policy Design Considerations

3.4 Discussion

4 Internet Session Security

4.1 Secure Sockets Layer (SSL)
4.1.1 Background
4.1.2 Applicable scenarios
4.1.3 Description
4.1.4 Discussion

4.2 Secure HTTP (S-HTTP)
4.2.1 Background
4.2.2 Description
4.2.3 Discussion

4.3 Private Communication Technology (PCT) Protocol
4.3.1 Background
4.3.2 Description
4.3.3 Discussion

4.4 IETF Transport Layer Security Protocol
4.4.1 Discussion

5 Internet Mail Security

5.1 Applicable scenarios

5.2 Internet Mail
5.2.1 Background
5.2.2 Description
5.2.3 Security

5.3 PGP
5.3.1 Background
5.3.2 Description
5.3.3 Security
5.3.4 Discussion

5.4 Privacy Enhanced Mail (PEM)
5.4.1 Background
5.4.2 Description
5.4.3 Security
5.4.4 Discussion

5.5 MIME Object Security Services (MOSS)
5.5.1 Background
5.5.2 Description
5.5.3 Security
5.5.4 Discussion

5.6 S/MIME
5.6.1 Background
5.6.2 Description
5.6.3 Security
5.6.4 Discussion

6 Web Integration of Financial Applications

6.1 Background
6.1.1 General considerations
6.1.2 Applicable scenarios

6.2 Security issues regarding downloading documents
6.2.1 Discussion

6.3 Security considerations regarding downloading code
6.3.1 The sandbox approach
6.3.2 The code signing approach
6.3.3 Discussion

6.4 Helper Application
6.4.1 Description
6.4.2 Discussion

6.5 Plug-in
6.5.1 Description
6.5.2 Discussion
6.5.3 National activities

6.6 ActiveX
6.6.1 Description
6.6.2 Discussion

6.7 Applets
6.7.1 Description
6.7.2 Discussion

7 Electronic Commerce Security

7.1 Secure Electronic Transaction (SET)
7.1.1 Background
7.1.2 Applicable scenarios
7.1.3 Description
7.1.4 Discussion
7.1.5 National solutions

7.2 Homebanking Solutions
7.2.1 Microsoft's Open Financial Connectivity (OFC)
7.2.2 Internet Gatways to Legacy Applications
7.2.3 National Activities

8 Hardware and Software Solutions

8.1 Background

8.2 Applicable Scenarios

8.3 Description
8.3.1 Software solutions
8.3.2 Simple Secure Environments
8.3.3 Extended Secure Environments

8.4 Discussion

9 Public Key Infrastructure

9.1 Registration & Certification of Public Key Users
9.1.1 Introduction
9.1.2 Example - The VeriSign Certificate Classes
9.1.3 Discussion
9.1.4 National activities

9.2 Key Escrow (Key Recovery)
9.2.1 Background
9.2.2 Discussion

10 Terminology

Copyright © 1997 r³ security engineering ag.
Last Update : 97/01/23 - Please send feedback or comments to