Software Security bank

8/13/2019 Software Security bank

1/28

USER GUIDE- SECURE BANKING

SYSTEM

Group 2 Sun Devil Bank of Arizona State

Group 2:

- Aniket Bharati

- Aniket Patil

- Clinton Dsouza

- MohanRaj Balamuri

- Pradyothan Adamala- Wonkyu Han


2/28

User-guide: Sun Devil Bank ofArizona State

1 | P a g e

Contents

1. Overview ............................................................................................................................................... 3

1.1 Purpose of User guide .................................................................................................................. 3

1.2 How to use this user guide? ......................................................................................................... 3

1.3 Convention in this user guide ...................................................................................................... 4

1.4 Recommended reading. ............................................................................................................... 4

2. Overview of the system ................................................................................................................... 4

2.1 Why use the system? ................................................................................................................... 4

2.2 Introduction to the system .......................................................................................................... 5

2.3 Terminology used in the system .................................................................................................. 6

3. Sub-system : Login functionality.......................................................................................................... 6

3.1 Introduction .................................................................................................................................. 6

3.2 Introduction to System ................................................................................................................ 6

3.3 System GUI ................................................................................................................................... 6

4 Sub-system: Create Account for External Users.................................................................................. 7

4.3 Introduction .................................................................................................................................. 7

4.4 System functionality..................................................................................................................... 8

4.5 System GUI ................................................................................................................................... 9

5 Sub-system: Create Account for Internal Users .............................................................................. 9

5.3 Introduction .................................................................................................................................. 9

5.4 System functionality................................................................................................................... 10

5.5 System GUI ................................................................................................................................. 10

6 Sub-system: Corporate Level Management official.......................................................................... 11

6.3 Introduction ................................................................................................................................ 11


6.5 System GUI ................................................................................................................................. 12

7 Sub-system: Department manager.................................................................................................... 12

7.3 Introduction ................................................................................................................................ 127.4 System functionality................................................................................................................... 13

7.5 System GUI ................................................................................................................................. 13

8 Sub-system: Sales employee.............................................................................................................. 14

8.3 Introduction ................................................................................................................................ 14



3/28


2 | P a g e

8.5 System GUI ................................................................................................................................. 15

9 Sub-system: IT regular employee ...................................................................................................... 16

9.3 Introduction ................................................................................................................................ 16


9.5 System GUI ................................................................................................................................. 16

10 Sub-system: Transaction monitoring Employee ........................................................................... 17

10.3 Introduction ................................................................................................................................ 17


10.5 System GUI ................................................................................................................................. 18

11 Sub-system: Company Management Employee ........................................................................... 18

11.3 Introduction ................................................................................................................................ 18


11.5 System GUI ................................................................................................................................. 19

12 Sub-system: System Administrator ............................................................................................... 19

12.3 Introduction ................................................................................................................................ 19


12.5 System GUI ................................................................................................................................. 20

13 Sub-system: Individual User .......................................................................................................... 21

13.3 Introduction ................................................................................................................................ 21


14.3 Introduction ................................................................................................................................ 23


14.5 System GUI ................................................................................................................................. 23

14 Appendix

14.1 Instllation25

14.2 Starting The Application.26

14.3 Credentials for Testers27


4/28


5/28


4 | P a g e

By first reading and understanding the system overview and then proceeding towards

understanding each sub-system the user will be able to obtain a well-rounded understanding of

the SBS.

1.3Convention in this user guideThe formatting and convention used in this guide is hierarchically set up to the reader a high

lever overview of the system and then drill down to the finer details of each sub-system

architecture, user interface and use case scenarios for each functionality.

Finally, the guide also gives detailed instructions on the configurations of the system, what

components are required for a successful installation and what procedures need to be followed

to completely install the web application on a server with a functioning secure database.Additionally, as will all systems there are bound to be errors and problems with initial

installation if all steps are not followed and correct dependency modules not installed, thus the

final section of this user guide focuses on trouble shooting error and problems if they were to

occur when installing and starting the system.

1.4Recommended reading.The sources will provide a base foundation into understanding the considerations and thoughts

that went into implementing the system. Additionally, these sources also give detailed

information on the framework and system configuration upon which the web application is

hosted.

2. Overview of the system2.1Why use the system?

The Secure Banking System, is a one stop online banking system for personal bankers providing

them the ability to credit, debit and transfer money from their checking and savings account. In

addition to basic functionalities, this application also provides users with the ability to authorize

payments to merchants or organizations that a user has availed services from, thus allowing for

secure and easy of payment to third party merchants.

Additionally, the system design accommodates for secure banking functionalities, such as the

SSL/TLS implementations on the web server, One Time Password implementation for first time

logins to authenticate the use, secure digital certificates to authenticate the identity of users


6/28


5 | P a g e

making payment and also stringent access control policies to protect use accounts from not only

external access but also internal access by unauthorized employees.

In addition to providing secure banking functionalities to external users / clients, the banking

application also provides internal users namely employees with a platform to perform daily

functions of their job as well as provide support services to customers using the online banking

system. The support services could range from creating an account to deleting an unauthorized

transaction in the event of an identity theft incident.

Given the multi-functional aspect of this system coupled with the secure functionalities

implemented to protect user identity and maintain data integrity , this system provides a better

solution and secure foundation for users to trust and perform their online banking daily tasks.

2.2 Introduction to the systemThe system has been designed for use by three different users:(i) External Client ( Personal online banking users)(ii) Merchants / Organizations ( third party companies)(iii) Internal employees(corporate users hired by the Bank)Each user has a set of functionalities that have been determined by the team and incorporated

into the system. System is designed to be highly robust, and to have a high uptime capability.

Each subsystem described in this guide has a set of unique functionalities with its own user

interface to allow for ease of use.

All users intending to use the SBS application will need to create a user account and will be

assigned a role based on their credentials. For example, employees will be assigned an

employee id with which they will be identified and access level authorization will be determined

based on their role by the system administrator. Once the user has been authorize as a valid

customer by the system, they will be able to access their account and the associated modules or

functionalities with their role.

Based on the users system accessibility, external clients will be able to perform transactionssuch as credit, debit and transfer of money from, to and within their account. Merchants will be

able to submit user authorized payments for services provided to a user of the bank. Finally,

internal employees based in different departments will be able to perform functionalities based

on their role and department in the Bank including providing technical and transaction support

to the bank customers. The number of concurrent logins of a single user from different systems


7/28


6 | P a g e

is set to a maximum of 2.This is to prevent conflict of user queries, requests and makes it more

secure.

2.3Terminology used in the systemThe guide is written with the purpose to explain a complex system to novice users. However,

certain terminologies which would be helpful to know are:

- One Time Password: Refers to a one time generated password used for various purposes butmainly to securely authenticate users.

- Denial of Service is a type of attack on systems which technically overloads the server withrequests such that it is not able to cope and ultimately denies service to authorized users.

- Encryption: The process of encoding messages such that they cannot be broken into.- Digital certificates: electronically signed documents which establishes the authenticity of the

credentials, requests of the users or business making a transaction online.

3. Sub-system : Login functionality3.1 IntroductionThe purpose of the login page is to authenticate and validate authorized users and direct them to

their respective home page. If u enter the wrong password for a certain number of times, the

system locks the user and he needs to request for a new password.

3.2 Introduction to System There is one table with the pass keys stored for the internal and the external users each

uniquely identified.

The idea is the users already go to the bank and get a onetime pass key and use it to create anonline account.

The passkey table has a column which identifies whether the user is an internal user or externaluser.

When a user tries to register an account for the first time. He enters the pass key. The first taskis the pass key being validated in the database. If a valid pass key is found then the system

allows to navigate to the account creation page.

3.3System GUIThe UI for Register is as follows. The user will enter a onetime pass key provided for registration.


8/28


9/28


8 | P a g e

The External users will get a pass key from the sales department of the bank to create their user

account. Once they enter their passkey and hit register button on login page, they will be redirected

to the registration page. Here the user enters his details along with the security questions and

submits the form. The passkey has the corresponding bank account number of the user. So all these

details will be saved corresponding bank account number of the user and pass key will be deleted

for security reasons. The same applies to the internal users as-well except that they have to verify

the pre-populated employee id, department and designation at the end of the form. Once

submitted, the external users should be able to login after entering OTP for their first login. But for

the internal users, once the form is submitted, a request will be populated in system administrators

queue for approval. Once he approves the request, the internal user can also login to the system.

4.4System functionality4.4.1 Both internal and external users will be given a passkey to create their user accounts4.4.2 The passkey is used to get them to the registration page where they have to complete

the form and submit it to be registered successfully.

4.4.3 The internal users have to verify that their employee id, department and designation(pre-populated) are correct, before submitting the form.

4.4.4 As the passkey is stored along with the users account number, these details are pushedinto the users table along with their account number.

4.4.5 Once the registration is completed successfully, the passkey will be deleted.4.4.6 The External users can now login with their credentials whereas the internal users have

to wait till the System Administrator approves their request.

4.4.7 The following are the class diagrams associated with this functionality:


10/28


9 | P a g e

4.5System GUI

5 Sub-system: Create Account for Internal Users5.3 IntroductionThe Internal users will get a pass key from the HR department of the bank to create their user

account. Once they enter their passkey and hit register button on login page, they will be redirected

to the registration page. Here the user enters his details along with the security questions and

submits the form. The passkey has the corresponding bank account number of the user. So all these

details will be saved corresponding bank account number of the user and pass key will be deleted

for security reasons and an OTP will be generated. Once submitted, the internal users should be able

to login after entering OTP for their first login. But for the internal users, once the form is submitted,


11/28


10 | P a g e

a request will be populated in system administrators queue for approval. Once he approves the

request, the internal user can also login to the system.

5.4System functionality5.4.1 Both internal and external users will be given a passkey to create their user accounts5.4.2 The passkey is used to get them to the registration page where they have to complete

the form and submit it to be registered successfully.

5.4.3 The internal users have to verify that their employee id, department and designation(pre-populated) are correct, before submitting the form.

5.4.4 As the passkey is stored along with the users account number, these details are pushedinto the users table along with their account number.

5.4.5 Once the registration is completed successfully, the passkey will be deleted.5.5The External users can now login with their credentials whereas the internal users have to wait

till the System Administrator approves their request.

5.6System GUIFollowing is the UI screen for a corporate level employee.


12/28


11 | P a g e

6 Sub-system: Corporate Level Management official6.3 Introduction

A corporate level official is a high authority official is responsible for all the departments.

A corporate level management can perform functions of adding an internal employee, deleting

an internal employee, searching an internal employee and transferring an internal employee.

The corporate level official is responsible for the following five departments in the Sun Devil

Bank of Arizona State:

1. Sales2. IT and Technical Support3. Transactions Monitoring4. Human Resources5. Company Management

6.4System functionalityThe corporate level official will perform the following functionalities:

a. A corporate level official will be able to log into his account and see tabs for the entiredepartment.

b. The corporate level official will be able to view all critical requests made by managersassociated with all the departments. The corporate level official will have the authority toapprove or deny these requests.

c. The corporate level official can also submit a critical request of deleting an employee whichwill need approval from other corporate level employees.

d. The corporate level employee can add an internal employee, delete an internal employee,search from an internal employee and transfer an internal employee.


13/28


12 | P a g e

e.) Vice president & president can request for PII authorizationwhich is the details of

external user along with SSN.CEO can authorize this request.

6.5System GUIFollowing is the UI screen for a corporate level employee.

7 Sub-system: Department manager7.3 Introduction

A department manager is a person working for the Bank, who is in-charge of a particular

department which performs a unique function and provided services to clients and employees.

Like a corporate level management a Department manager performs functions similar to them

which included authorizing user / employee account creation, deletion or transfer.

There are five departments in the Sun Devil Bank of Arizona State:

1. Sales2. IT and Technical Support3. Transactions Monitoring4. Human Resources5. Company Management


14/28


13 | P a g e

A manager associated with any of these departments is responsible for authorizing critical

transactions which could include employee account creation, transfer and deletion. However a

Department Mangers authorization has to be approved by an associated corporate level

management. However the influence of managersaccess is limited to the assigned department.

They can also view all transactions internal and external associated with their department, void

any public Users/ Merchants personal identifiable information which will not be disclosed to

the manager unless proper authorization has been given.

7.4System functionalityThe system to support the department managers will perform the following functionalities:

e. A department manager for a specific department will be able to log into his account whichwill bring up an overview page associated with only his department.

f. The department manager will be able to view all critical requests made my employeesassociated with his department and other transactions which are associated with his

department. The manager will have the authority to approve or deny these requests.

g. The department manager will also have an interface search for users in his department andperform actions such as delete and transfer. However these actions need to be authorized

by corporate level management.

h. The department manager can also add internal users to his department by searching theirname and/or employee id.

7.5System GUIThe design of the GUI for the Department manager was kept simplistic, with the most important

features being displayed on the first page.


15/28


14 | P a g e

Fig 7.1- Department Manager Overview Scree for Sales department

Figure 7.1 displays the overview screen for a department manager in the sales department. All

other department managers will have the same screen overview with the associated

department contents filled into the screen.

8 Sub-system: Sales employee8.3 Introduction

Sales Employee is a type of regular employee who belongs to the Sales Department and

responsible for making banking operations in his respective department. When a user requests

for a credit card, it is the sales employee who receives that request. It is his responsibility to

approve/reject the request upon his verifications. The table entries are populated from the

external users transaction tables with the filet of credit card on the transaction type column.

He can also raise requests to IT department for system maintenance issues.

8.4System functionalityThe Sales Employee will perform the following functionalities:

1. A Sales Employee will be able to log into his account.2. Once he logs in, he finds a queue which consists of the credit card requests from the users.


16/28


15 | P a g e

3. Upon his verifications, he may approve/reject a request.4. He can see the UI where he can raise requests to IT department for system maintenance

issues.

8.5System GUI


17/28


16 | P a g e

9 Sub-system: IT regular employee9.3 Introduction

IT regular Employee is a type of regular employee who belongs to the IT Department and

responsible for making System maintenance operations for all the internal users. When an

internal user requests for a system maintenance operation, it is the IT employee who receives

that request. It is his responsibility to approve the request once he completes the system

maintenance operation.

9.4System functionalityAn IT Employee will perform the following functionalities:

1. An IT Employee will be able to log into his account.2. Once he logs in, he finds a queue which consists of the system maintenance operation

request from the internal users.3. He approves the request once he completes the system maintenance operation.

9.5System GUI


18/28


17 | P a g e

10 Sub-system: Transaction monitoring Employee10.3 Introduction

A Transaction monitoring Employee is a type of regular employee who belongs to the

Transaction monitoring Department and responsible for making banking operations in

his respective department. He can view, create, modify, delete and authorize

transactions upon having necessary authorization from the users and/or merchants. He

does not have access privilege to view or modify any user account unless he/she has

been authorized to do so. He can access transactions related to his/her department with

necessary authorization from users/merchants or respective department managers. He

can also raise requests to IT department for system maintenance issue.

10.4 System functionalityA Transaction Monitoring Employee will perform the following functionalities:

1. A Transaction monitoring Employee will be able to log into his account.2. Once he logs in, he finds a queue which consists of the transaction requests from

the users.

3. Depending upon the request from the user, he can create a new transaction orview/modify/delete a transaction using the transaction id provided in the request.

4. As the user is submitting the request to view/create/modify/delete a transaction, itis by default authorized by the user to perform the operation by the Transaction

monitoring employee.

5. An employee can also receive a authorize a transaction request when a usertransfers an amount which is greater than the maximum amount per day.

6. There are few cases where the employee has to search and view a transaction. Insuch cases, the employee will send an authorization request to the user to view his

transaction.

7. He can see the UI where he can raise requests to IT department for systemmaintenance issues.

8. If a transaction monitoring employee deletes a transaction, the transaction is rolledback.


19/28


18 | P a g e

10.5 System GUI

11 Sub-system: Company Management Employee11.3 Introduction

A Company Management Employee is a type of regular employee who belongs to the

Company Management Department and responsible for scheduling meetings. When a

user requests to schedule a meeting, it is the company management employee who

receives that request. It is his responsibility to approve/reject the request upon his

verifications so that no meeting time clashes with another. He can also raise requests to

IT department for system maintenance issues.

11.4 System functionalityA Company management employee can perform the following functionalities:

1. A company management Employee will be able to log into his account.2. Once he logs in, he finds a queue which consists of the schedule meeting requests

from the users.

3. Upon his verifications, he may approve/reject a request so that no meeting timeclashes with another.


20/28


19 | P a g e

4. He can see the UI where he can raise requests to IT department for systemmaintenance issues.

11.5 System GUI

12 Sub-system: System Administrator12.3 IntroductionSystem Administrator is an Internal User which has kind of highest authority in the Banking System

as far as data creation and access is concerned. Any of the internal users of any designation when

they want to modify/create/delete any user account need to first send request to the system

administrator and if granted they will be able to do so.

The System administrator can add, modify or delete any user account with proper authorization.

Plus the system administrator can view the System log files, the passcodes which are required byany user to create account, as well as the RBAC files which consist of the roles/ privileges being to

different internal users.

12.4 System functionalityThe System Administrator will be provided with the following functionalities:


21/28


20 | P a g e

1) Any Internal Users Request to add, modify, delete any new External User goesto the System Administrator for approval.

2) The System Administrator can view, grant or delete the above requestsinvolving internal or external user.

3) The System Administrator can request access to the Internal or External useraccounts and if granted permission can modify or delete the accounts.

4) System Administrator can themselves add a new internal or external user.5) Each activity of System Administrator will generate an entry in the log file.6) Only the System Administrator can view the log file as it is password protected

for System Administrator access.

7) The System Administrator can access the passcodes which are necessary for theaccount generation as well as they can view RBAC (Role Based access control)information which contains the access and privileges details for each of the

internal users.

12.5 System GUI


22/28


21 | P a g e

13 Sub-system: Individual User13.3 Introduction

An Individual User is a customer of the bank. In general, Individuals having bank activities, each

of whom have a user account for performing personal banking transactions such as personal

fund transfer, debit card and credit from personal user account. He can also authorize bank

officials to review transactions on accounts he/she is responsible for. If the transaction is above

1000$, then a certificate is generated by the system private to the user and send to him via

email. In order for the transaction to be completed the user should upload the certificate in

banking website for validating that user has requested for such a transaction. The certificate is

secure as we will not run the file on the system, we will just compare its value.

13.4 System functionalityAn Individual user when logs on can see the Account number, Current Balance and list of

transactions. An Individual User can credit, debit, transfer funds from a account to other account

and he can request credit card.

13.5 System GUI

When the user loginshe can see the following information.


23/28


22 | P a g e

He can transfer money from his account to others by specifying his account no and the money to be

transferred.

He can see a list of transactions which he has done upon request.


24/28


23 | P a g e

14 Sub-system: Merchants/ External organizations14.3 Introduction

Merchants can initiate new transaction to sell their goods. In order to submit transaction

request, SDBAS demands customers digital signature to validate the transaction and then sends

it to corresponding internal user i.e., a employee of transaction monitoring department.

Through this public key infrastructure, SDBAS can verify users identity as well as validity of

digital certificate that is used to make digital signature.

System functionality

The system to support the merchants/external organizations will perform the following

functionalities:

a. A merchant is same as (external) individual user except one additional function which caninitiate payment transaction.

b. In order to validate customers identity who is willing to pay money for goods, customeruses his/her digital certificate to apply new transaction. To sign the transaction

electronically, transaction message is encrypted by customers private key.

c. The department manager who is in charge of transaction monitoring department will beable to view transaction requests by decrypting with customers public key.

d. If digital signature is not valid, SDBAC system notifies error message to the merchant andrecords it to log file.

e. The department manager is able to view transaction request which is made by merchantsand may send it back to make merchants review one more time.

f. If the transaction has no problem, the department manager will approve its transaction sothat corresponding amount of money will be transferred from customers account to

merchants account.

14.4 System GUI


25/28


26/28


25 | P a g e

Obtain the WAR file attached in the source code submission anddeploy it into Tomcat by placing it in the web-apps folder of Tomcat.

Install Avast Internet Security which will handle the incomingconnections and provide heuristic and sandbox support to malicious

software or communication attempting to infiltrate the server.

Once the system is installed depending on the location enter theURL following by /SecureOnlineBanking.

This will bring you to the Welcome page of the application. You can then begin registering your account. As with every Banking application a passkey is required validate

user. A list of passkeys has been provided in this document for users

testing.

All accounts can be handled by the Admin. By default, the Adminaccount will already be created and the credentials are provided

below.

Appendix C will detail all the required initial user credentials tosuccessfully test the system.

B. Starting the application And Trouble-shooting. From the server-side, start the apache tomcat server which has the

deployed WAR file, now the application is started from the server side.

For the clients who are bank customers, we give the URL of ourapplication and he enters this URL in his browser and starts using the

various functionalities of the bank application.

To stop the bank application we just stop the apache tomcat from theserver side.

If we face any trouble in the application, we clean the apache tomcatserver and we restart the server.

Before starting the application we set the apache tomcat timeout starttime to 100sinstead of 45s and we enable security in server options.


27/28


26 | P a g e

If the bank customers have a problem accessing the webpage then theymay try reloading it or try it on a new browser .If the problem persists

then inform the admin about the problem.

Make sure the Avast internet Security is turned on as it handles themalicious software or communication trying to infiltrate the system.

The machine hosting the server should be active after the application isdeployed and until it is removed.

C. Credentials For testers.Internal Users

1.)SysAdmin

UsernameTestAdmin

PasswordQwerty@2

Security Question - What is your favourite movie? Answer : MI.

2.)CEO

Username-CEOtest

PasswordQwerty@2

Security Question - What is your favourite movie? Answer : MI2.

3.)president

Username - president

PasswordQwerty@2

4.)vicepresident

Usernamevicepresident

PasswordQwerty@2.

External User

The link to the passkeys is given below:


28/28


https://docs.google.com/a/asu.edu/document/d/10ACiS5rdrrwt7XpQ5c-

4heWqiBKPNlMm1kPphuJWC4k/edit
https://docs.google.com/a/asu.edu/document/d/10ACiS5rdrrwt7XpQ5c-4heWqiBKPNlMm1kPphuJWC4k/edithttps://docs.google.com/a/asu.edu/document/d/10ACiS5rdrrwt7XpQ5c-4heWqiBKPNlMm1kPphuJWC4k/edithttps://docs.google.com/a/asu.edu/document/d/10ACiS5rdrrwt7XpQ5c-4heWqiBKPNlMm1kPphuJWC4k/edithttps://docs.google.com/a/asu.edu/document/d/10ACiS5rdrrwt7XpQ5c-4heWqiBKPNlMm1kPphuJWC4k/edithttps://docs.google.com/a/asu.edu/document/d/10ACiS5rdrrwt7XpQ5c-4heWqiBKPNlMm1kPphuJWC4k/edit

Software Security bank

Documents