Let's Build a Responsible Cyber Society

Security Concerns in Electronic Delivery Channels in Banks

V Rajendran

 

Everyone desires security; not merely desires it, but craves it and works for it. The importance of personal as well as collective security has been emphasised right from the days of the Vedas and Upanishads, is spoken of in Kautilya's Arthashastra, and recurs in many later epics and books. With the advancement of technology, and with the insatiable thirst for material gain constantly fed by ever-growing consumerism, especially in the banking sector, the feeling of being secure in an electronic world is harder to come by; sometimes we feel that the farther we stay from it, the more secure we are.

 

A Bank means

Before discussing the security concerns in electronic delivery channels in banks, let us look at the need for, and the present role of, electronic delivery channels in banks. Gone are the days when the word 'bank' would bring to mind a brick-and-mortar building with human beings sitting at the counters and subordinate staff moving about with a cheque, ledger or register in their hands. Nowadays, when we say 'bank' we do not recall any building, but probably an ATM, a computer, just cash, or nothing at all but a debit or credit to our account. There are occasions when we do not go to the bank at all, and never 'talk to a human being' as part of a banking service.

 

Thanks to the era of globalisation, the period of privatisation and the entry of foreign banks into the country, the Indian banking scenario has undergone a paradigm shift. The face of Indian banking has changed drastically and substantially. We have migrated from personal banking (human banking?) to computerised banking (impersonal banking?), depending almost entirely on machines, calculators and computers. The day has come when private sector and foreign banks may dissuade the customer from entering the manager's cabin, or may even bill the customer for taking up the manager's time on matters the bank categorises as trivial and routine, which can be dealt with through an ATM, an information kiosk or an Interactive Voice Response (IVR) system at the branch.

 

With the absence of the personal touch and the mass introduction of Core Banking Solutions in most banks, the concept of a branch customer is on the decline, and some banks already use the term 'Customer Relationship' to mean a customer of the bank as opposed to a customer of a branch of the bank. Probably, in the traditional challan for a Savings Bank or Current Account credit, we may soon have to fill in the column for branch as 'Virtual'.

 

Electronic delivery channel in a bank

An electronic delivery channel is a channel through which a banking product is delivered by an electronic medium. In other words, providing customer service and attending to the customer's needs through an electronic medium is broadly termed an electronic delivery channel (EDC) in banks. The most popular forms of EDCs in banks are ATMs, internet banking, card payments, mobile and SMS banking, e-remittances, touch-screen information kiosks and other kiosks, e-mail banking, and so on. Technology will add to the list: Bluetooth, voice recognition software and biometric devices for ordinary transactions as well as for authentication, and the list is endless.

 

Role of an EDC:

Seigniorage, the net revenue from issuing currency, arises from the difference between the face value of a coin or bank note and the cost of producing and distributing it, and is likely to grow in importance as cash becomes less and less important. The banking sector's money multiplier is thus likely to grow as the use of cards, prepaid instruments and electronic cash grows in the economy. Now that the EDC is here to stay, the use of cash will decline in proportion as the volume of financial transactions rises.

 

While the security hazards in each of these EDCs may differ somewhat, one feature common to all of them is the role of the password (or passphrase) or the PIN, and the importance of keeping it confidential. As the noted Chinese author Sun Tzu said in his famous book The Art of War, written around the 6th century B.C., we have to rely "not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our own position unassailable".

 

Management Concern: In this article we will focus on the possibilities of various attacks on our systems and our EDCs, our preparedness to receive the 'attacker', and the efforts we must make to render our position unassailable. It is true that all banks are making unstinting efforts to increase awareness, provide training and strengthen their information systems security initiatives, treating them as a management concern under the close scrutiny of top management. The government, on its part, has put in place the Indian Computer Emergency Response Team (CERT-In) "to enhance the security of India's Communications and Information Infrastructure through proactive action and effective collaboration." CERT-In is becoming well known and plays a pro-active role in disseminating information on hacking, phishing attacks, virus alerts and the like, providing useful updates to the cyber community. "The purpose of the CERT-In is to become the nation's most trusted referral agency of the Indian Community for responding to computer security incidents as and when they occur."

 

Now let us study the different kinds of EDCs and the vulnerabilities, threats and security features associated with each.

 

ATMs

Among the EDCs, the most popular is the ATM, which often serves as an alternative to a bank counter itself. In the case of ATMs, the bank has a greater role to play in ensuring that ATM cards are handled safely and securely on its own premises and on the premises of the outsourced vendor wherever applicable, until dispatch, and at the branches wherever they are received for re-issue or cancellation. Care should be taken to ensure that the ATM card and the PIN mailer never lie in the same premises and are never held together before delivery to the customer. There are cases, reported and unreported, of ATM cards being misused, often by disgruntled staff as a deliberate attempt at fraud and sometimes through carelessness and ignorance on the part of staff members.

 

The problem is more complex when a customer disputes an ATM transaction, for then the bank has to produce the relevant logs from the ATM-related applications, including the ATM switch and the connected server(s). Thanks to the enactment of the Information Technology Act, 2000, and the resulting amendment to the Bankers' Books Evidence Act, data stored in computers may be admitted as evidence on condition that print-outs of such data are accompanied by a certificate as to their veracity and the safeguards in the bank's computerised systems. Fortunately, in our country such reconciliation issues among banks are extremely few, and cases of customers disputing ATM transactions (disowning the debits to their accounts) are negligible compared to the volume of transactions handled by ATMs.

 

The other security hazard in an ATM transaction relates to the loss of the ATM card and what is done about it. Loss of an ATM card should be reported to the bank immediately, and banks should have a 24 x 7 monitoring service, preferably with a toll-free number, so that a loss can be reported at once and the card blocked. Admittedly, most public sector banks have yet to gear themselves up to a 24 x 7 help-line, which would be of immense use, especially in the case of an ATM transaction.

 

The banks' responsibility does not end here. Far from it. There are many other serious security concerns in an ATM transaction to be addressed by banks. Regarding physical security at the ATM, most public sector banks have not yet decided on the provision of security guards or the installation of video surveillance in ATM rooms. While tech-savvy private sector and new-generation banks have gone much further, others are yet to catch up. Now that the Cash Tree consortium managed by Bank of India, with 11 member banks, and the NFS (National Financial Switch) managed by the Institute for Development and Research in Banking Technology (IDRBT), with more than 20 member banks, are fully operational, and instances of ATM card holders drawing money from other banks' ATMs are increasing, banks have a much greater role to play. Besides inter-bank reconciliation issues, member banks may also explore the feasibility of a common surveillance mechanism to begin with, which may in future pave the way for common maintenance of ATMs, including cash loading, physical upkeep and technological monitoring.

 

Biometric devices may be introduced in greater numbers. ATM vendors may be given a common set of requirements, or a standard suited to Indian conditions may be evolved, with all banks conforming to it. Biometric devices, now being tried mainly as part of the Financial Inclusion project, may also be made part of the security enhancement initiative as an additional factor of authentication. In addition to what you have (the physical card), biometric authentication serves as a second factor (what you are: biological uniqueness) and the PIN as a third factor (what you know).

 

The use of bullet-proof film on ATM cabins is also being considered by a few banks, though its usefulness is still debated. The film applied to the glass door of the ATM room, though claimed to protect even against bullets, may also have a negative effect, in that the ATM room and its interior will not be visible to an outsider. For security reasons it is believed to be better if an ATM is visible from outside to a passer-by.

 

In all these cases, the problems of monitoring and surveillance are greater for an off-site ATM than for an on-site one located within the branch premises. In the case of an off-site ATM there are problems of security in monitoring, cash loading, physical upkeep, vigilance and so on. Most banks are considering the option of outsourcing ATM management to professional security companies, with some banks entering into a Service Level Agreement covering all aspects of ATM management, including cash loading.

 

Cards -- The 'card'inal principles

There are various types of cards: debit cards, credit cards, and smart cards or chip-based cards. The responsibilities of banks in ensuring security, however, vary according to the functionality of each type. While in the case of a debit card the amount is debited to the account instantly (as part of a Visa or MasterCard tie-up), in the case of a credit card the merchant establishment's account is normally credited on the day after the purchase, and the bank raises a bill for the amount, which the card-holder normally remits within a month to 45 days.

In the case of credit cards, merchant establishments most often do not verify the signature on the card and simply swipe and honour it. Surveys have revealed that credit cards bearing photos of female card-holders have been produced by male card-holders, faithfully swiped, signed by the bearer and accepted in many popular shops. Shop-keepers and banks are governed by an agreement, and the terms for honouring and reimbursing payments go according to that agreement.

 

Smart cards are chip-based cards that carry data in them and often serve as a mobile bank account in the banking scenario. They incorporate a computer chip containing a microprocessor, memory and an internal operating system to store and process information. Unlike an ordinary password-protected file on a hard drive, the PIN on a smart card can be auto-disabling, the card becoming completely unusable after a specified number of failed attempts. They provide a very high level of security and are far harder to clone than magnetic stripe cards. However, smart cards are yet to gain popularity in India as a replacement for ordinary debit, credit or ATM cards.
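
The auto-disabling PIN described above is a retry counter. As an added illustration (not code from this article or from any card vendor), the following Go program models that counter in software: the PIN is kept only as a salted digest, the comparison is constant-time, a correct PIN resets the counter, and once the count reaches zero the card stays blocked even for the right PIN. The PIN value, the limit of three tries and the in-memory storage are assumptions made for the example; a real card keeps these in protected memory.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// PINResult is the outcome of one PIN presentation.
type PINResult int

const (
	PINOK      PINResult = iota // correct PIN; retry counter reset
	PINWrong                    // wrong PIN; one try used up
	PINBlocked                  // card auto-disabled; nothing is checked any more
)

func (r PINResult) String() string {
	return [...]string{"ok", "wrong", "blocked"}[r]
}

// PINGuard models the retry counter a chip card keeps for its PIN.
// The PIN is never stored; only a salted SHA-256 digest of it is.
// (Assumption for this example: a real card holds the reference value
// and the counter in protected memory, not in application RAM.)
type PINGuard struct {
	salt      []byte
	digest    []byte
	maxTries  int
	remaining int  // tries left before the card disables itself
	blocked   bool // once set, stays set until the issuer unblocks the card
}

func hashPIN(salt []byte, pin string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

// NewPINGuard enrols a PIN with a try limit (three is typical for bank cards).
func NewPINGuard(pin string, maxTries int) (*PINGuard, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &PINGuard{
		salt:      salt,
		digest:    hashPIN(salt, pin),
		maxTries:  maxTries,
		remaining: maxTries,
	}, nil
}

// Verify checks a presented PIN. The digest comparison is constant-time so
// that response timing does not leak how close a guess was, and a blocked
// card rejects even the correct PIN.
func (g *PINGuard) Verify(pin string) PINResult {
	if g.blocked {
		return PINBlocked
	}
	if subtle.ConstantTimeCompare(hashPIN(g.salt, pin), g.digest) == 1 {
		g.remaining = g.maxTries // a correct PIN resets the counter
		return PINOK
	}
	g.remaining--
	if g.remaining <= 0 {
		g.remaining = 0
		g.blocked = true
		return PINBlocked
	}
	return PINWrong
}

// Remaining reports how many tries are left (zero once blocked).
func (g *PINGuard) Remaining() int { return g.remaining }

func main() {
	g, err := NewPINGuard("4821", 3) // constructed PIN for the demo
	if err != nil {
		panic(err)
	}
	for _, attempt := range []string{"1234", "4821", "0000", "9999", "1111", "4821"} {
		fmt.Printf("PIN %s -> %v (tries left: %d)\n", attempt, g.Verify(attempt), g.Remaining())
	}
}
```

The sequence in main shows the two properties that matter: a correct PIN after one failure restores the full count, and after three consecutive failures the correct PIN is refused. A host-side PIN check that forgot the second property would let an attacker keep guessing indefinitely.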

 

Simply skimming

 

One kind of credit or debit card fraud that is on the rise is "skimming". Skimmers are simple hand-held devices that copy the information stored in the magnetic stripe of a card; the original is simply swiped through the device and the data is written onto a duplicate card. (Ironically, these devices can be officially imported for a few thousand.) The fraudsters then emboss the card details onto the skimmed cards, and the less said about the rest, the better. Such skimmed cards have been used rampantly at merchant establishments in the West and in some eastern countries as well. Fraudulent use of skimmed cards has been reported in India too. Fortunately, skimming as a technology has not become very prevalent in India, though quite a few gangs have already been nabbed, one recently in Mumbai.

 

One word of caution: never hand over your credit card for swiping and allow it to be taken out of your sight. Never allow your card to be swiped more than once. Ensure that the card is swiped only in a proper point-of-sale terminal and that the terminal's connection and authorisation messages appear promptly.

 

The CVC or CVV

 

In a traditional retail (card-present) transaction, the magnetic stripe is read by a point-of-sale (PoS) terminal. To help reduce fraud in the card-not-present environment, acquirers, merchants and issuers use the CVV (Card Verification Value, for Visa cards) or CVC (Card Verification Code, for MasterCard cards), which is printed, not embossed, on the back of the card. This is normally a three-digit number, not forming part of the 16-digit card number, that serves as a security value for authentication, typically in railway or air ticket bookings. A credit card that lies even temporarily in the hands of miscreants may tempt the fraudster to memorise all the card details: the 16-digit number, the expiry date and the CVV or CVC. The card holder will NOT even know that a ticket has been booked until the bill arrives, say a month later.

 

Internet Banking

The next most popular form of EDC is Internet Banking, which may be broadly defined as a means of communicating with the bank for performing banking transactions through an internet connection. Also called online banking, it is done through the bank's secure website, using a web browser such as Internet Explorer or Mozilla Firefox, with no need for additional software on the user's side. Internet banking can be done outside the bank's office hours and from anywhere in the world where there is an internet connection.

 

Here the banks have to ensure that their resources are always available to those intended, and that access to an account is granted only to the genuine account holder and denied to everyone else. Internet banking is now available in most banks for query transactions such as ascertaining the balance, viewing the account, taking a statement or searching for a cheque number. Most banks also permit transfer of funds from one account to another and remittances such as utility payments, subject to some restrictions.

 

One major problem banks face in internet banking is the growing menace of "phishing". Phishing is the act of tricking someone into giving up confidential information, fraudulently acquiring sensitive data such as passwords and credit card details by masquerading, in a seemingly official electronic notification or message, as a trustworthy party that genuinely requires such information. Many phishing sites have come to light in the recent past that look like genuine bank websites and display an innocuously worded message such as 'we are updating our records, please furnish your credit card number, your internet banking user id, etc.' In one instance such a site even sought the user id and the password, and in one specific case even the CVC or CVV.

 

One thing every netizen or internet account user should always remember is that a bank will NEVER ASK for sensitive particulars such as card details or user ids over e-mail or through a website message. Similarly, a bank will never send you a mail containing a hyperlink that leads you to another URL and then displays a form for you to fill in. Never be duped by such things. Never furnish sensitive information in reply to an e-mail claiming to be from a bank, and never follow a hyperlink from such a message and give sensitive information there.

 

For any payment over the internet, such as booking air or rail tickets, always check the site's certificate before you give the card particulars and before the payment gateway opens to take your payment. The certificate particulars are available in the browser: the address should begin with https://, the browser should show its padlock, and the certificate should be issued to the domain of the bank or payment gateway you intended to visit. The moment you enter the URL to make a payment, look for the message stating that you are entering a secure site.
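
The two preceding paragraphs give the reader a checklist: no hyperlinks in bank mail, https, and a certificate issued to the right domain. As an added example, not part of the article, the Go program below applies the part of that checklist that can be checked mechanically to a constructed phishing mail: it pulls every link out of the HTML and flags any that is not https, points at a raw IP address, hides the real host behind a user@ prefix, lies outside the bank's own domain, or shows one URL as text while going somewhere else. The mail body, the bank domain bank.example and the two-label domain rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Link is one anchor pulled out of an HTML mail: where it really points
// versus what the reader sees.
type Link struct {
	Href string
	Text string
}

// Finding is a link together with the reasons it looks like a lure.
type Finding struct {
	Link    Link
	Reasons []string
}

var (
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	tagRe    = regexp.MustCompile(`(?s)<[^>]+>`)
)

// ExtractLinks returns every href / visible-text pair in the body.
func ExtractLinks(html string) []Link {
	var links []Link
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		links = append(links, Link{Href: m[1], Text: text})
	}
	return links
}

// registrableDomain keeps the last two labels of a host name
// (www.bank.example -> bank.example). Simplification for the example;
// production code should consult the public suffix list.
func registrableDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// CheckLink applies the article's advice mechanically: the bank's own
// domain, over https, no tricks in the URL, and no gap between what is
// displayed and where the link really goes.
func CheckLink(l Link, bankDomain string) []string {
	var reasons []string
	u, err := url.Parse(l.Href)
	if err != nil || u.Host == "" {
		return []string{"href is not an absolute URL"}
	}
	if u.Scheme != "https" {
		reasons = append(reasons, "not https: anything typed would travel in the clear")
	}
	if u.User != nil {
		reasons = append(reasons, "user@host trick: the text before '@' is not the real host")
	}
	host := u.Hostname()
	switch {
	case net.ParseIP(host) != nil:
		reasons = append(reasons, "raw IP address instead of the bank's host name")
	case registrableDomain(host) != bankDomain:
		reasons = append(reasons, fmt.Sprintf("host %s is not under %s", host, bankDomain))
	}
	// Visible text that is itself a URL must agree with the real target.
	if tu, err := url.Parse(l.Text); err == nil && tu.Host != "" &&
		registrableDomain(tu.Hostname()) != registrableDomain(host) {
		reasons = append(reasons, "displayed URL differs from the real destination")
	}
	return reasons
}

// AnalyzeMail returns only the links that fail at least one check.
func AnalyzeMail(html, bankDomain string) []Finding {
	var findings []Finding
	for _, l := range ExtractLinks(html) {
		if r := CheckLink(l, bankDomain); len(r) > 0 {
			findings = append(findings, Finding{Link: l, Reasons: r})
		}
	}
	return findings
}

// sampleMail is a constructed lure in the style the article describes.
// bank.example stands in for the genuine site; 203.0.113.5 and
// verify-login.net are documentation addresses, not real services.
const sampleMail = `<p>Dear customer, we are updating our records.</p>
<p>Please <a href="http://203.0.113.5/update.php">click here</a> to confirm your user id and password.</p>
<p>Or visit <a href="https://www.bank.example.verify-login.net/">https://www.bank.example/</a></p>
<p>Questions? Contact <a href="https://www.bank.example/contact">our help desk</a>.</p>`

func main() {
	for _, f := range AnalyzeMail(sampleMail, "bank.example") {
		fmt.Printf("suspicious link %q (shown as %q)\n", f.Link.Href, f.Link.Text)
		for _, r := range f.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

Run against the constructed mail, the first two links are reported and the third, which really is under bank.example over https, passes. The checks are deliberately on the URL alone; whether the certificate presented by the host actually belongs to the bank is the browser's job at connection time, which is what the paragraph above asks the customer to look at.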

 

Just a few months ago, a private sector bank was the victim of a phishing attack. The Delhi police arrested four foreign nationals and an Indian in the case, in which the accused allegedly sent e-mails that included a hyperlink within the e-mail itself. A click on that link took the recipients to a web page identical to the bank's site. After the customers had logged in with their user names and passwords, the information was sent to the alleged fraudsters, who then used it to transfer large sums of money to various accounts all over the world using the internet banking facility.

 

While the number of phishing attempts is reportedly increasing, the impact of each attempt is sharply declining. Just as the fraudsters try many things, banks and customers together are finding ways to react to these attempts very rapidly. In some cases the malicious sites have been taken down in a matter of two to three hours, causing no impact whatsoever on the customer.

 

How to tackle phishing from the legal point of view and arrest the offenders is a moot point. The IT Act, 2000 has extra-territorial jurisdiction, applying to any person of any nationality anywhere in the world so long as the affected computer is physically located in India. But there are practical difficulties in applying Indian law to people outside its territorial boundaries. Besides, phishing is not an offence specifically defined under the IT Act, 2000. The law enforcement authorities have to take recourse to the generic provisions on cheating and criminal breach of trust under the Indian Penal Code.

 

As of now, 2.11 per cent of phishing sites are reportedly located in India, and the share of the population taking up online banking is rising rapidly. So even if India accounts for just one or two per cent of the total fraud taking place, that would amount to crores of rupees.

 

Never do internet banking from a cyber café. Beware: there is keylogger software (installed on the system, even clandestinely) that can capture all your keystrokes and transmit them to a remote system without your knowledge. A remote user can thus learn your user id and password and, within a minute, take over your account and carry out an internet banking transaction. To defeat such keyloggers, some banks display a keyboard on the screen as the first screen of internet banking and take the password through mouse clicks on this virtual keyboard. Thankfully, fraudsters and criminals are yet to perfect a 'mouse-logger' (though attempts in this direction have been reported in the press recently), and hence, for the present, mouse-click entry of the password may be taken as relatively safer.

It is best to disable the password-save feature in the browser. Other normal precautions include securing or erasing the files the browser stores on the PC, emptying the cache, deleting temporary internet files, and clearing the history and the list of sites accessed.

 

Banks have a very significant role to play on security issues in internet banking. Personal and financial information must be protected while in transit between the PC and the bank's internet banking server. To ensure this, banks use industry-standard security techniques, including Secure Sockets Layer (SSL) with standard encryption algorithms, delivered as https, the encrypted form of the Hyper Text Transfer Protocol of the World Wide Web, which was introduced by Netscape Communications Corporation to provide authentication of the server and confidentiality of the traffic. Most banks have also introduced "automatic session time-outs", a mechanism that automatically locks the internet banking session if there is no activity for, say, two minutes.
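
The automatic session time-out mentioned above only protects the customer if it is enforced on the bank's server rather than merely in the browser. As an added example (not the article's or any bank's code), the following Go program implements that server-side part: a session store issues an unguessable token at login, refreshes the session's last-activity time on every request, and discards a session that has been idle longer than the two-minute limit, after which the old token is simply unknown. The fake clock, the two-minute constant and the customer identifier are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// IdleTimeout is the article's "no activity for, say, two minutes".
const IdleTimeout = 2 * time.Minute

var (
	ErrNoSession = errors.New("unknown session token")
	ErrIdle      = errors.New("session locked: idle longer than the time-out")
)

type session struct {
	userID   string
	lastSeen time.Time
}

// SessionStore is the server-side half of the time-out. The browser may
// show a countdown, but only the bank's server decides whether a token is
// still good. Now is a field so that a test can drive the clock.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]*session
	Now      func() time.Time
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]*session), Now: time.Now}
}

// Login issues a fresh, unguessable token once the customer has
// authenticated (password, OTP and so on, assumed to happen elsewhere).
func (s *SessionStore) Login(userID string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = &session{userID: userID, lastSeen: s.Now()}
	return token, nil
}

// Touch is called on every request. It returns the owner of the token, or
// locks the session if it has been idle too long. An idle session is
// deleted rather than refreshed, so the customer has to log in again.
func (s *SessionStore) Touch(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", ErrNoSession
	}
	now := s.Now()
	if now.Sub(sess.lastSeen) > IdleTimeout {
		delete(s.sessions, token)
		return "", ErrIdle
	}
	sess.lastSeen = now
	return sess.userID, nil
}

// Logout is the explicit "always log out" from the article's checklist.
func (s *SessionStore) Logout(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, token)
}

// RunIdleScenario drives a store with a fake clock and returns the outcome
// of each step ("ok" or the error text), so the behaviour can be seen
// without waiting two real minutes.
func RunIdleScenario() ([]string, error) {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed start time
	store := NewSessionStore()
	store.Now = func() time.Time { return clock }
	token, err := store.Login("cust-001") // constructed customer id
	if err != nil {
		return nil, err
	}
	var outcomes []string
	step := func(advance time.Duration) {
		clock = clock.Add(advance)
		if _, err := store.Touch(token); err != nil {
			outcomes = append(outcomes, err.Error())
		} else {
			outcomes = append(outcomes, "ok")
		}
	}
	step(90 * time.Second)  // under two minutes: ok
	step(90 * time.Second)  // ok again: the clock restarted at the last touch
	step(121 * time.Second) // idle for 2m01s: locked and discarded
	step(0)                 // same token again: no longer known
	return outcomes, nil
}

func main() {
	outcomes, err := RunIdleScenario()
	if err != nil {
		panic(err)
	}
	for i, o := range outcomes {
		fmt.Printf("step %d: %s\n", i+1, o)
	}
}
```

Two details are worth noting. The idle check compares against the last request, not the login time, so a customer who keeps working is not thrown out; and an expired session is deleted before the error is returned, so a stolen token cannot be "revived" by sending it again a moment later.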

 

The other threat faced by most banks is "hacking". Fortunately, hacking has been addressed by the Information Technology Act 2000 and hence can be tackled under the law. A Denial of Service (DoS) attack is another common threat that a bank faces quite often. Though we have stringent provisions in the IT Act 2000 to deal with these, instances of such attacks are still on the rise, thanks to the spread of knowledge about hacking and the dime-a-dozen courses being conducted on it, including the various programmes on ethical hacking. The need for courses on hacking, DoS attacks and operating system vulnerabilities is often debated, though once the industry matures and general awareness spreads, people will begin to realise the meaning and significance of such courses.

 

E-mail as a secure means of communication has not yet become pervasive in the country. In most banks, only routine correspondence (not involving matters of a financial nature or approvals) is done through e-mail.

 

However, the digital signature as a means of authentication and non-repudiation in transactions of a financial nature has gained popularity, more so as a regulatory requirement for RTGS (Real Time Gross Settlement) transactions between banks, e-filing of charges for advances to corporate customers, and so on. Besides being convenient and user friendly, the technology ensures a high level of security. Banks may introduce a digital signature based mail messaging system and send digitally signed e-mail documents to customers on matters of a financial nature and significant legal import. Another comforting factor about digital signatures is that there have been no reported cases of forgery of a digital signature so far in the country. Cases of misuse or fraudulent use of digital signatures are also almost nil, presumably because technical know-how on how a digital signature works has not yet spread very far.
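
A digitally signed e-mail of the kind proposed above gives the customer a way to detect that the body was altered after the bank signed it, which is what the non-repudiation claim rests on. As an added example, not taken from the article or from any bank, the Go program below signs a debit notice with an Ed25519 key, verifies it, and shows that changing the amount, or signing with someone else's key, makes verification fail. The Ed25519 key pair, the canonicalisation of line endings and the sample notice text are assumptions made for the example; in practice the bank's private key would sit in an HSM and its public key would reach customers in a certificate from a licensed certifying authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// SignedNotice is a bank-to-customer message of financial import together
// with a detached signature the customer's mail client can verify.
type SignedNotice struct {
	Body      string
	Signature string // base64 of the Ed25519 signature over the canonical Body
}

// NewIssuerKeys generates the bank's signing key pair. Assumption for the
// example: a raw Ed25519 pair held in memory.
func NewIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical normalises line endings and trailing whitespace so that benign
// changes made by mail transport do not break verification, while any
// change to the words or figures still does.
func canonical(s string) string {
	s = strings.ReplaceAll(s, "\r\n", "\n")
	lines := strings.Split(s, "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	return strings.TrimRight(strings.Join(lines, "\n"), "\n")
}

// Sign produces the signed notice.
func Sign(priv ed25519.PrivateKey, body string) SignedNotice {
	body = canonical(body)
	sig := ed25519.Sign(priv, []byte(body))
	return SignedNotice{Body: body, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify is true only if the signature was made over exactly this body by
// the holder of the private key that matches pub.
func Verify(pub ed25519.PublicKey, n SignedNotice) bool {
	sig, err := base64.StdEncoding.DecodeString(n.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(canonical(n.Body)), sig)
}

// Demo runs the three cases that matter: the genuine notice verifies, a
// notice with the amount changed does not, and a notice signed with another
// key does not. Results are returned in that order.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := NewIssuerKeys()
	if err != nil {
		return
	}
	// Constructed notice text for the demo.
	notice := Sign(priv, "Dear customer,\nRs. 25,000.00 has been debited from account ending 1234.\n")
	genuine = Verify(pub, notice)

	forged := notice
	forged.Body = strings.Replace(notice.Body, "25,000.00", "2,500.00", 1)
	tampered = Verify(pub, forged)

	_, otherPriv, err := NewIssuerKeys()
	if err != nil {
		return
	}
	wrongKey = Verify(pub, Sign(otherPriv, notice.Body))
	return
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine notice verifies:     ", genuine)  // true
	fmt.Println("amount-altered notice passes:", tampered) // false
	fmt.Println("other key's notice passes:   ", wrongKey) // false
}
```

The third case is the one that ties the signature to the bank rather than to "somebody": a phisher can sign whatever they like, but not with the key whose public half the customer already holds. That binding between public key and bank is what the certificate from a certifying authority supplies; the signature mathematics alone does not.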

 

Many banks in the country have made serious efforts to educate net users on the significance of e-security. Text and reading material on phishing, 'Dos and Don'ts' for ATM transactions, and guidelines to be followed in credit/debit card usage have been published by banks and prominently displayed on their websites, in ATM rooms and on branch premises. Awareness is also spread through training initiatives, conferences, programmes and seminars.

 

As a measure to check credit card fraud, some banks have an intelligent fraud-monitoring model in place that tracks transactions and informs the customer through an SMS alert of any transaction over a threshold limit. On the online banking channel, some banks have already introduced SMS alerts to the customer for all ATM debits and all debit card debits at PoS terminals. Some public sector banks alert the customer, requesting a change and replacement of the card itself, whenever the customer returns from abroad, i.e. after every withdrawal from an ATM overseas.

 

Banks have also put in place firewalls, demilitarised zones and similar boundary security technologies to protect their systems from network-based and internet-driven attacks. Initiatives to provide perimeter security for the banks' systems are on the rise, and banks can ill afford to ignore the threat of a DoS attack on their servers. With such concerted efforts, though it is felt that the number of attempted frauds has risen, successful frauds in which customers have incurred financial loss are still very few.

 

Banks are telling people not to click on links. Now e-mails are arriving that say 'call us on this number' for some particular reason, and when people dial that number, the call does not go to the bank's interactive voice response (IVR) system but to some other IVR that mimics the bank's, where they are asked for their credit card details or other particulars. So new ways of data theft and identity theft will keep coming up: new methods to cheat, new modi operandi to dupe, new technological innovations!

 

At the industry level, the Indian Banks' Association (IBA) is reportedly setting up a website that will hold information on frauds committed on banks. All member banks of the IBA will be able to access the information for a nominal fee. Currently, individual banks report instances of fraud to the Reserve Bank of India. The role of CERT-In has already been discussed earlier in this article.

 

Physically be secure

 

Before we conclude, a simple list of Dos and Don'ts on e-security:

Always log out of the session.

Never leave a session (internet banking, ATM logins) unattended, even for a few seconds.

Always keep the cheque book, ATM card and other cards safe and secure.

Never reveal the PIN or password to anyone, and never write it down anywhere.

Never do any internet banking from a public place (such as a cyber café).

Never take the help of a stranger in any ATM transaction.

Never download any unauthorised or suspicious software onto your system.

Ensure that the latest anti-virus, anti-spam and personal firewall software is installed on your system.

The Legal angle

In the recent past, money was withdrawn from the accounts of a set of customers of a bank in the UK. A person in India had indirectly assisted the fraudsters by accessing some of the information about the accounts obtained from the private sector bank's Bangalore branch. In this case both the law enforcement agencies and the police swung into swift action, and with a proper interpretation of the provisions of the IT Act the culprits were brought to book under Sec 66 of the IT Act, which refers to "whoever alters information residing inside a computer or diminishes its value or utility..." in defining hacking and its punishment. The Indian accomplice could therefore be charged under the IT Act along with the others in the UK, and could be arrested. There have been similar judgements in the recent past in which the IT Act has been well interpreted and relied upon.

 

In a cyber crime the law enforcement forces, the investigating agencies and the judiciary have a bigger role to play, since they have to keep pace with the fraudsters and keep abreast of technology. Banks are, to some extent, ill equipped to face a cyber crime. Though most banks do have a vigilance department, an inspection mechanism and an IT department, a full-fledged cyber forensics division or investigation machinery for cyber offences has not been set up. However, the day is not far off when the Information Systems Security division in banks will have to be well equipped to deal with cyber offences and to combat cyber crime as a detective measure in general, to evolve the relevant guidelines as a preventive measure, and to spread confidence among the public that the bank is technologically geared up to face any technological warfare.

 

According to the KPMG India Fraud Survey 2006, the threat of fraud is perceived to be highest in the financial sector. Within the financial sector, 23% of respondents believed that banking, insurance, mutual fund and asset management companies are the most vulnerable to fraud risk, and 17% believed that non-banking financial companies and investment banks were more vulnerable.

 

Kautilya, in his famous administrative treatise Arthashastra, speaking about making conquests, discusses the strategies and tactics for preventing conquest, and adds that there was no element of surprise and there were strict rules about the seasons of warfare: "rigid codes about close combat between warriors were observed. In all this, there was no room for strategy or tactics." In sum, there were very clear rules of war. But in these days of computerisation and modern technology there are no rules for an attack and no rules for crime, and especially in a cyber crime the concept of mens rea takes on an entirely different aspect, for in a computer fraud or an act of hacking the intent to commit the offence, the motive itself, may not be any monetary gain or pecuniary benefit but simply to show supremacy in technological know-how, to prove to the world and say: "Look, I have hacked your site and entered your server".

 

The woods are lovely dark and deep

The ease and comfort of an e-transaction are not just lovely but delightful and enchanting; but, like the woods, they are also inscrutable, making the cyber world a quagmire of unfathomable marshland that dares the adventurous to tread it with confidence. Certainly the three important players, viz. the regulators (such as the Reserve Bank of India), the service providers (banks, Internet Service Providers, etc.) and the users (the net-savvy public), have lots of promises to keep and miles to go before we can sleep fearlessly.

 

V. Rajendran

IT Department

Indian Overseas Bank

 
