Wednesday, June 5, 2013

Why banks' current defences are not foolproof

As most banks urge customers to shift to the virtual space, their ability to create fortresses against cyber aggressors has come into the spotlight. ET argues that banks' current defences against online fraud are not unbreachable.
Two Indian payment processors, ElectraCard and Enstage, were in the spotlight recently for their alleged role in a $45-million credit card fraud impacting Indian and international banks.

* In the last week of May, phishers embezzled over Rs 5 lakh from the Andhra Pradesh State Road Transport Corporation's bank accounts through refunds after booking over 100 fake tickets and cancelling them.

* Last month, cyber criminals hacked into an RPG group company's bank account and siphoned off Rs 2.4 crore through the real time gross settlement system (RTGS).

* "The total amount involved in frauds relating to credit card, debit card and internet banking rose 74% to Rs 38.4 crore in 2012." - IT minister to Rajya Sabha

These are a few cases of online fraud that came to light recently. With electronic banking on the rise, lenders have become vulnerable to the risks of such transactions, even as regulations are becoming more stringent as far as know your customer (KYC) rules are concerned.

Internet banking still does not account for a significant portion of total transactions in India. In FY13, Rs 31.8 lakh crore was settled via 69.4 crore transactions through various retail electronic banking channels while Rs 18.6 lakh crore was settled through 64 crore card-related transactions, according to Reserve Bank of India's data. In addition, Rs 1,026 lakh crore through 6.85 crore transactions were settled through the real time gross settlement system, or RTGS, involving both retail and interbank transactions. The young generation is increasingly opting for net transactions to settle bills and all kinds of bank-related work from cash transfer and seeking cheque books to passwords for debit cards. Moreover, with banks — including public sector ones — urging customers to opt for net banking, the ability to shield customers from cyber threats will be crucial to gaining their confidence.

From just a few stray cases of identity thefts a few years ago, internet frauds have not only risen in scale but also gone high tech, so much so that it has become difficult to identify the origin of the crime and nail the culprit(s). Cyber heist is an issue that not just Indian banks are faced with. Cyber attacks ranked fourth among top global risks, in terms of likelihood, according to the 'World Economic Forum Report: Global Risks 2012'.

When internet banking was introduced in the country, it was felt that having a password-protected account was adequate to ensure safety, but not any more. The cyberthreat landscape has changed. Five to seven years ago, most frauds were related to identity thefts, the techniques adopted by fraudsters were easy to trace and these did not involve big money either.

But over the years, online heist has become an organised crime. Hackers are spread across the globe, from Africa to Russia and China, and each one has his or her own technique. The attacks involve compromising a bank's database with system-level implications. Apart from the internet, mobile transactions, which are finding favour among customers, could also be hit. Globally, targeted attacks rose 42% in 2012. India is ranked third globally in terms of vulnerability, accounting for 6.5% of the total targeted attacks in 2012, according to California-based Symantec's Internet Security Threat Report, 2013.

"Top emerging information security threats in the internet banking space are malware, social engineering, distributed-denial-of-service (DDoS) and phishing attacks," says Nitin Bhatnagar, head of business development, SISA, an information security services provider.

Awareness, education key
From a customer perspective, awareness and education are the keys, which banks are taking seriously, as mandated by the RBI, through their websites and mails to clients. Banks are also investing in adding more security features to customers' accounts. One of the features that banks added recently is the 'digitised signature'.

Most frauds occur when customers show laxity in complying with security. Information for attack can also be gathered from a bank's staff. Awareness can act as a crucial fortress against cyber aggressors. KVS Manian, head of consumer banking, Kotak Mahindra Bank, says, "RBI has detailed guidelines on banks' IT policy which stipulates a board-approved policy, among other things. Customer education apart, we have to keep investing in upgrading systems as well."

Banks have started integrating their fraud management and internet-security systems. "Also, banks are getting more stringent with outsourcing. The security standards that banks adopt are also used by their business partners," says Surinder Singh, regional director, India & SAARC, Websense, a security solutions provider. This would ensure that information does not leak through clients' data.

In February, replying to questions in Parliament, minister of state for finance Namo Narain Meena said 8,322 cases of frauds related to cards and internet banking were reported in 2012, involving Rs 52.7 crore. Given the value of frauds reported, these have not yet had any balance-sheet implications. But, there could be other implications "in terms of law suits, customer confidence and damage to reputation built over years," says Bhatnagar.

The affected customers may sever their relationship with banks, which in turn could impact their business adversely. "Cyber security is not just an IT issue, but a core business issue requiring top management attention. In addition to updating technology and mitigating cyberfraud risks, banks must continue to educate their customers on such emerging threats," says Darshan Patel, executive director, forensic services, PwC India.

Internet security experts say that one of the problems is that Indian banks do not report fraud, in contrast to many advanced economies where there is a legal mandate to do so. "Unfortunately, there is no legislation to make frauds public. In India, banks are not legally mandated to put frauds in the public domain," says Singh. Only 21% of victims reported cybercrime to the police, according to a KPMG report of May 2012.
