Cryptographic Key Management principles applied in South African Internet Banking

The convenience of Internet Banking and the breadth of functionality that it provides to its users have made it exceptionally popular, especially in countries like South Africa. Gone are the days of standing in long queues in the bank just to authorise a debit order or to get an account statement. But where accountholders in the past had to enter a secret PIN into a closed and secure system (e.g. ATM or Bank Branch system), these secrets must now be communicated through the insecure Internet. New threats and vulnerabilities within operating systems and Internet applications are published daily and the obvious question becomes apparent: Is it safe to use Internet Banking applications? In this paper, the current architecture of Internet Banking is re-evaluated, with specific focus awarded to the cryptographic security controls implemented in such systems. Since the current sense of security is primarily based on the premise of cryptography, it is appropriate to assess if best practice principles and standards of cryptography and key management have been applied, and to what extend. Furthermore, we assess the value of applying key management principles to a PIN (or password) as if it is a cryptographic key. Through this exercise, it becomes clear that the use of a static secret value to uniquely authenticate a user is not a secure mechanism and it is not appropriate for authentication over the Internet. Possible solutions are also provided as guidelines in addressing this issue.