SECURITY IN BANKS: Secure Money and the Big Divide

DQI Bureau

A robber, when asked about his favorite haunt, said, "Banks, of course–that’s where all the money is."

According to a study conducted by the Central Vigilance Commission, about 40% of the frauds in the country take place in the banking sector. The Indian banking system is one of the largest in the world, with about 64,000 inland and 100 overseas branches of various banks serving more than 350 million people. Unfortunately, the system has been one of the most backward in terms of technology. Mercifully, of late, there has been an awakening to the need for automation and security in the sector. In order to check the number of banking frauds, the Central Vigilance Commission, in 1998, had directed all banks to computerize at least 70% of their business. The Reserve Bank of India also issued recommendations for phased computerization and proper monitoring of security among banks (See Box).

Technology implications

In response to the directives issued by the government authorities and in the wake of the increased competition from multinationals, Indian banks have started a drive to automate their operations. According to IDC India, the total IT spending in the banking sector has increased from Rs 1,141 crore in 1998-99 to Rs 1,599 in 1999-00. This includes an increase in spending from Rs 571 crore to Rs 852 crore on hardware, from Rs 166 crore to Rs 210 crore in software and from Rs 340 crore to Rs 444 crore in services.

Meanwhile, private sector Indian banks such as HDFC Bank, ICICI Bank, Global Trust, IndusInd, Centurion and UTI Bank are all expanding their operations with fully automated branches in major Indian cities. All these branches are connected to their headquarters with state-of-the-art equipment. Similarly, foreign banks in India are expanding their base and setting up ATMs and new bank branches in other cities. These banks offer Internet and telephone banking, and anytime banking facilities. Public sector banks such as Indian Overseas Bank and Union Bank are already interconnected. State Bank of India, Canara Bank, Punjab National Bank and Dena Bank are working to computerize all their branches, interconnect them and install ATMs.

However, the introduction of technology doesn’t automatically ensure a reduction in frauds. It certainly increases the efficiency of services, but at the same time it creates newer avenues for security risks.

High-risk zone

Online banking, trading and insurance have generated enormous enthusiasm throughout the world. Deutsche Banc’s Alex Brown estimates that online trading will generate $5 billion in annual revenues in 2002. And online insurance sales are expected to earn revenues of $19 billion a year, followed by e-banking and e-payments, with $11.5 billion and $9 billion, respectively.

With Internet access in India increasing manyfold in recent years, banks and financial institutions have been enthusiastic about setting up facilities for e-banking and e-commerce. But online banking becomes a risky proposition due to external attacks. If a hacker can access any link on a bank’s network or somehow reach the back-end data (see box), it could result in a huge loss of money and customers’ faith for the bank.

If ‘going online’ is the key to gaining an edge in the e-world, a robust security policy is the key to secure and hassle-free e-banking. The Indian financial services sector, which is at the forefront of the Internet revolution in the country, needs to formulate steps to secure its Web-based services.

Where is the security policy?

Few financial institutions in India have developed an internal security policy that specifies the measures to be taken when suspicious activity on the institution’s computer systems is detected. Compared to a limited number of criminals who could rob a bank in person, a significantly large number of swindlers would be capable of committing fraud through the Internet. And numerous break-in software programs and guidelines are available on the Internet.

So, how prepared are the banks in the country to face such attacks?

MNC AND PRIVATE BANKS: These are obviously the most advanced in technology. For the purpose of security, most multinationals follow the same practices all over the world. "The concept of anywhere banking and flow of data for internal and external transactions have created a need for use of network security solutions," says Aseem Batla, GM, Cylink. The company has a package, which can be installed either at the WAN or the IP layer, and uses a safe mechanism for authentication. Encryption technology and digital signatures are also used for exchange of data, especially during online banking transactions. Most of these banks use solutions customized according to their specific environments. Cisco, HCL Comnet, Tata Infotech and IBM are among the major vendors conducting regular security audits, based on which policies are revised from time to time in these banks.

PUBLIC SECTOR BANKS: These are still struggling to safeguard their recently automated environments. The level of security is mainly restricted to employee passwords, and there are no proper security guidelines or policies in most of these banks. Says Arvind Goyal, assistant manager, Punjab National Bank, "Security risks are higher in organizations that have online transactions. We hardly make use of the Internet, and so we haven’t experienced any case of data manipulation on that front."

Does that mean they don’t have a security policy at all? "We are using password authentication and virus protection. Physical back-ups are taken to protect against any crash. But we have plans to gradually connect our branches and install ATMs, then we’ll have to formulate a proper policy," says Goyal. This reflects the state of a majority of public sector banks in the country.

Indian challenges

In the developed economies, the banking planks are "specialized banks targeting specific segments" or "banking with the most friendly bank", whereas in the Indian context, the underlying objectives are "all banks to all people" or "banking at the nearest bank". So it is common for public sector banks in the country to have thousands of branches located in even the remote parts of the country as against their MNC or private sector counterparts, which operate through a limited number of branches in select locations.

The biggest challenge for banks is how to create a secure network of such a mammoth size. Agarwal of Tata Infotech points out that while Citibank would have about 20 branches in the country, a public sector bank like State Bank of India would have over 8,000. "Multinationals can easily modernize and implement security techniques for a few branches. But Indian banks will have to work out a separate policy according to their size," he says.

Apart from the size of the Indian banking system, the backwardness of technology being used is another hurdle. Moreover, lack of standardization makes it very difficult to implement any security solution. Dr Sandeep Oberoi, a member of the security sub-committee of the national task force for IT in defense, says, "A lot needs to be done as awareness about IS security is very low in Indian banks. Also, the current US sanction denies strong cryptographic products to 12 countries, of which India is one. Therefore, US manufacturers are often not able to supply appropriate security products as they make use of the cryptographic functionality."

Although the RBI has issued guidelines and the IT task force is working on a legal framework to facilitate e-commerce and e-banking in the country, its development is still at a very preliminary stage. There is a need for more elaborate security mechanisms. The measures being taken at present are primitive by international standards.

Shweta Verma in New Delhi
