Question 1
In the context of cybersecurity, "Phishing" refers to:
Phishing typically uses spoofed emails or fake websites to trick users into revealing credentials. It is a "Social Engineering" attack.
Question 2
Two-Factor Authentication (2FA) requires a user to provide two out of three types of credentials. Which is NOT one of them?
2FA combines: 1. Knowledge (PIN/Password), 2. Possession (Card/Token/Phone), 3. Inherence (Fingerprint/Iris). "Desire" is not an authentication factor.
Question 3
A "Trojan Horse" in computer security is:
Like the mythical wooden horse, a Trojan appears useful/harmless to trick the user into installing it, after which it executes malicious code (stealing data, creating backdoors).
Question 4
What is the main difference between Symmetric and Asymmetric Encryption?
Symmetric encryption uses a single shared secret key for both encryption and decryption; asymmetric (public-key) encryption uses a key pair, where data encrypted with the public key can only be decrypted with the matching private key. Asymmetric encryption is crucial for digital banking security (like SSL/TLS) because it allows secure exchange of data without sharing the private secret key.
Question 5
How does "Pharming" differ from "Phishing"?
Pharming is more dangerous because it manipulates the DNS (Domain Name System) server or the user's hosts file. Even if the user types the correct website address (e.g., www.bank.com), they are redirected to a fraudulent site without clicking any suspicious link, making it harder to detect than Phishing.
Question 6
A "Distributed Denial of Service" (DDoS) attack differs from a simple DoS attack because:
In a DDoS attack, the traffic comes from hundreds or thousands of sources (zombie computers/bots), making it nearly impossible to stop the attack simply by blocking a single IP address. This makes DDoS much more destructive and harder to mitigate than simple DoS.
Question 7
The "Zero Trust" security model in banking IT infrastructure is based on the principle:
Zero Trust assumes that threats exist both inside and outside the network. It requires strict identity verification for every person and device trying to access resources, regardless of whether they are sitting within the network perimeter or outside.
Question 8
Which type of malware restricts access to a computer system (encrypts files) and demands payment to remove the restriction?
Ransomware (like WannaCry) encrypts the user's data and demands a ransom (usually in cryptocurrency) for the decryption key. It is a major threat to banking data availability.
Question 9
Which standard is used to secure credit/debit card data during transmission and storage?
Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Question 10
In biometric authentication, what does "False Acceptance Rate" (FAR) refer to?
FAR is a critical security metric. It measures the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. In high-security banking applications (like vaults or server rooms), the system is tuned to have an extremely low FAR, even if it means a slightly higher False Rejection Rate (FRR).
Question 11
"Vishing" is a form of social engineering attack where:
Vishing stands for "Voice Phishing." Criminals pose as bank officials, RBI agents, or tech support over a phone call to create a sense of urgency (e.g., "Your card is blocked") and manipulate victims into sharing OTPs, PINs, or passwords. Smishing involves SMS; Phishing involves Email.
Question 12
In network security, what is the purpose of a "Honeypot"?
A Honeypot is a security mechanism set up to detect, deflect, or counteract attempts at unauthorized use of information systems. It consists of a computer, data, or network site that appears to be part of a network, but is actually isolated and monitored, looking like a valuable target to hackers.
Question 13
An Information Systems (IS) Audit distinguishes between "System Audit" and "Process Audit". What does a Process Audit focus on?
A System Audit looks at the technical aspects (hardware, software, security settings). A Process Audit looks at the human/operational aspect—whether users are following the Standard Operating Procedures (SOPs), like password hygiene, maker-checker discipline, and authorization workflows.
Question 14
The RSA algorithm is a classic example of which type of encryption?
RSA (Rivest–Shamir–Adleman) is the most widely used Asymmetric Encryption algorithm. It uses two different keys: a Public Key to encrypt data and a Private Key to decrypt it. This is the foundation of secure internet communication (SSL/TLS).
Question 15
Data Loss Prevention (DLP) solutions are deployed by banks primarily to:
DLP tools monitor data in motion (network traffic), data at rest (storage), and data in use (endpoints) to ensure that sensitive/confidential data is not leaked, emailed, or uploaded to unauthorized external locations.
Question 16
What is the primary objective of "Penetration Testing" (Pen Testing) in banking security?
Vulnerability Assessment and Penetration Testing (VAPT) is a proactive security measure. While Vulnerability Assessment identifies potential weak points, Penetration Testing goes a step further by actively trying to exploit them to see how deep an attacker can get into the system, helping banks patch holes before real attacks occur.
Question 17
In digital security, "Non-Repudiation" ensures that:
Non-repudiation provides proof of the origin and integrity of data. Digital Signatures provide non-repudiation because only the sender has the private key to sign it; thus, they cannot later claim they didn't send it.
Question 18
A "Keylogger" is a type of spyware that:
Keyloggers run silently in the background, capturing everything typed on the keyboard. This is a common method used to steal Netbanking login credentials.
Question 19
"Pretexting" is a social engineering technique where the attacker:
In Pretexting, the attacker impersonates someone else in authority (e.g., "I am calling from the Bank's Fraud Dept") to manipulate the victim into divulging sensitive data like OTPs.
Question 20
Which of the following is an example of "Inherence" factor in Multi-Factor Authentication (MFA)?
Inherence refers to something the user "is" (Biometrics). Password is "Knowledge" (something you know). OTP/Card is "Possession" (something you have).
Question 21
"Spear Phishing" is a targeted attack where:
Unlike generic phishing (casting a wide net), Spear Phishing targets specific victims using personalized information (name, role) to increase the success rate of the deception.
Question 22
The "Lock Icon" in the browser address bar indicates that the connection is secured using:
SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security) encrypts the link between the web server and the browser, ensuring privacy and data integrity. It turns HTTP into HTTPS.