A robber, when asked about his favorite haunt, said,
"Banks, of course–that’s where all the money is."
According to a study conducted by the Central Vigilance
Commission, about 40% of the frauds in the country take place in the banking
sector. The Indian banking system is one of the largest in the world, with about
64,000 inland and 100 overseas branches of various banks serving more than 350
million people. Unfortunately, the system has been one of the most backward in
terms of technology. Mercifully, of late, there has been an awakening to the
need for automation and security in the sector. In order to check the number of
banking frauds, the Central Vigilance Commission, in 1998, had directed all
banks to computerize at least 70% of their business. The Reserve Bank of India
also issued recommendations for phased computerization and proper monitoring of
security among banks (See Box).
Technology implications
In response to the directives issued by the government
authorities and in the wake of the increased competition from multinationals,
Indian banks have started a drive to automate their operations. According to IDC
India, the total IT spending in the banking sector has increased from Rs 1,141
crore in 1998-99 to Rs 1,599 crore in 1999-00. This includes an increase in spending
from Rs 571 crore to Rs 852 crore on hardware, from Rs 166 crore to Rs 210 crore
on software and from Rs 340 crore to Rs 444 crore on services.
Meanwhile, private sector Indian banks such as HDFC Bank,
ICICI Bank, Global Trust, IndusInd, Centurion and UTI Bank are all expanding
their operations with fully automated branches in major Indian cities. All these
branches are connected to their headquarters with state-of-the-art equipment.
Similarly, foreign banks in India are expanding their base and setting up ATMs
and new bank branches in other cities. These banks offer Internet and telephone
banking, and anytime banking facilities. Public sector banks such as Indian
Overseas Bank and Union Bank are already interconnected. State Bank of India,
Canara Bank, Punjab National Bank and Dena Bank are working to computerize all
their branches, interconnect them and install ATMs.
However, the introduction of technology doesn’t
automatically ensure reduction in frauds. It certainly increases efficiency of
services, but at the same time it creates newer avenues for security risks.
High-risk zone
Online banking, trading and insurance have generated enormous
enthusiasm throughout the world. Deutsche Banc’s Alex Brown estimates that
online trading will generate $5 billion in annual revenues in 2002. And online
insurance sales are expected to earn revenues of $19 billion a year, followed by
e-banking and e-payments, with $11.5 billion and $9 billion, respectively.
With Internet access in India increasing manyfold in
recent years, banks and financial institutions have been enthusiastic about
setting up facilities for e-banking and e-commerce. But online banking becomes a
risky proposition due to external attacks. If a hacker can access any link on a
bank’s network or somehow reach the back-end data (see box), it could result
in a huge loss of money and customers’ faith for the bank.
If ‘going online’ is the key to gaining an edge in the
e-world, a robust security policy is the key to secure and hassle-free
e-banking. The Indian financial services sector, which is at the forefront of
the Internet revolution in the country, needs to formulate steps to secure its
Web-based services.
Where is the security policy?
Few financial institutions in India have developed an
internal security policy that specifies the measures to be taken when a
suspicious activity on the institution’s computer systems is detected.
Compared to a limited number of criminals who could rob a bank in person, a
significantly larger number of swindlers would be capable of committing fraud through
the Internet. And numerous break-in software programs and guidelines are
available on the Internet.
So, how prepared are the banks in the country to face such
attacks?
MNC AND PRIVATE BANKS: These are obviously the most
advanced in technology. For the purpose of security, most multinationals follow
the same practices all over the world. "The concept of anywhere banking and
flow of data for internal and external transactions have created a need for use
of network security solutions," says Aseem Batla, GM, Cylink. The company
has a package, which can be installed either at the WAN or the IP layer, and
uses a safe mechanism for authentication. Encryption technology and digital
signatures are also used for exchange of data, especially during online banking
transactions. Most of these banks use solutions customized according to their
specific environments. Cisco, HCL Comnet, Tata Infotech and IBM are among the
major vendors conducting regular security audits, based on which policies are
revised from time to time in these banks.
PUBLIC SECTOR BANKS: These are still struggling to
safeguard their recently automated environments. The level of security is mainly
restricted to employee passwords, and there are no proper security guidelines or
policies in most of these banks. Says Arvind Goyal, assistant manager, Punjab
National Bank, "Security risks are higher in organizations that have online
transactions. We hardly make use of the Internet, and so we haven’t
experienced any case of data manipulation on that front."
Does that mean they don’t have a security policy at all?
"We are using password authentication and virus protection. Physical
back-ups are taken to protect against any crash. But we have plans to gradually
connect our branches and install ATMs, then we’ll have to formulate a proper
policy," says Goyal. This reflects the state of a majority of public sector
banks in the country.
Indian challenges
In the developed economies, the banking planks are
"specialized banks targeting specific segments" or "banking with
the most friendly bank", whereas in the Indian context, the underlying
objectives are "all banks to all people" or "banking at the
nearest bank". So it is common for public sector banks in the country to
have thousands of branches located in even the remote parts of the country as
against their MNC or private sector counterparts, which operate through a
limited number of branches in select locations.
The biggest challenge for banks is how to create a secure
network of such a mammoth size. Agarwal of Tata Infotech points out that while
Citibank would have about 20 branches in the country, a public sector bank like
State Bank of India would have over 8,000. "Multinationals can easily
modernize and implement security techniques for a few branches. But Indian banks
will have to work out a separate policy according to their size," he says.
Apart from the size of the Indian banking system, the
backwardness of technology being used is another hurdle. Moreover, lack of
standardization makes it very difficult to implement any security solution. Dr
Sandeep Oberoi, a member of the security sub-committee of the national task
force for IT in defense, says, "A lot needs to be done as awareness about
IS security is very low in Indian banks. Also, the current US sanction denies
strong cryptographic products to 12 countries, of which India is one. Therefore,
US manufacturers are often not able to supply appropriate security products as
they make use of the cryptographic functionality."
Although the RBI has issued guidelines and the IT task force
is working on a legal framework to facilitate e-commerce and e-banking in the
country, its development is still at a very preliminary stage. There is a need
for more elaborate security mechanisms. The measures being taken at present are
primitive by international standards.
Shweta Verma
in New Delhi