Ratan Jyoti, Chief Manager (Information Security), Vijaya Bank
The era of internet-enabled banking has put the banking channels in the customer's hands. This is possible because of communication and exchange of very large sets of data. Many of these communications involve interchange of confidential data. As the data belongs to customers, its security is the prime concern for the banks. Privacy preservation is equally important, as no party can be trusted over public networks without checks and verification.
Information security and privacy are now considered major concerns in the Indian banking environment. The web and mobile environment constructs an impressive infrastructure for present-day banking transactions. A genuine security issue revolves around electronic currency and digital cash, which are built around critical customer information that the customer can be exposed through; information security and privacy thus become an important matter in the Indian digital economy.
India is said to be a new favourite destination for data theft, and the banking sector is not untouched. In the banking sector, customer data can not only be used to perpetrate cyber frauds but can also be sold on the black market for other business gains. In the last year or two there has been a spurt in data theft in Indian banks. It is estimated that Indian banks are directly losing a significant part of their income to data theft. In terms of reported incidents, the figure of loss for public sector banks is lower than that for the private and foreign banks in India. However, it is a wake-up call for all the banks in India.
Some banks processing customer data fail to fully secure their systems, mainly because they feel that data security relates only to information technology. However, manual and non-IT controls are a bigger security risk today. Some banks, for example, fail to identify the boundaries of their systems and may not be in a position to mitigate all of the risks. In this instance, residual risk may prove to be very costly. Inadequate control of logical and physical access to systems containing customer data, and insufficient logging and monitoring of security-related events on those systems, are other reasons for data theft. Service providers are responsible for validating their own compliance, but managing third-party service providers' risk is one of the biggest challenges for banks. Some banks have inadequate risk management systems and practices, as well as ambiguous information security policies, which also leave them open to data theft and related incidents.
Building and implementing security within the banking system is fundamental to success. The safe storage of customer data is of foremost importance and, for it to be achieved, it is crucial that the bank's systems do not store critical and sensitive customer data unless there is a key business requirement. After authorisation of a transaction, all sensitive data must be expunged immediately. Authentication is another area where banks are required to put suitable controls in place. Risk-based authentication is one of the best ways to achieve this.
All passwords must be encrypted at rest and in transit. For important activities, a logging, auditing and authorisation system with a maker-and-checker facility should be in place. The customer should always be informed about a card transaction via an encrypted e-mail or through other secure channels. The application should not send any sensitive information in the URL, as it can be sniffed by an attacker. Limiting access to computing resources and suitable Role Based Access Control (RBAC) should be adopted by banks. If the bank does not send HTML e-mails and does not mention any sensitive information, including card numbers, in its communications with the customer, then the probability of a phishing attack is reduced. Customer education is the only control which can avoid this problem completely. The database used to store and process customer data must be sanitised, and access control and privileges should be clearly defined and set. Only one primary function per server should be allowed, and the server's security settings should be configured with all unnecessary and insecure services and protocols disabled.
Independent development, test and production environments for the card data environment are one of the most important areas to be considered. Testing, vulnerability assessment, penetration testing and code review of all web components and of the network, including the wireless segment, should be carried out regularly by qualified professionals. Availability of skilled and qualified information security resources can be the key challenge for all the banks.
Suitable encryption methods and a key management process should be in place, covering the generation of strong keys, secure distribution of those keys, secure key storage, periodic key changes, destruction of old and obsolete keys, and split knowledge.
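The key lifecycle listed above can be made concrete with a small in-memory model. This is an added example, not the article's or any bank's key management code: the `KeyRing` class, the version numbering and the state names are constructed for illustration, key material comes from `secrets.token_bytes`, and "split knowledge" is implemented as an n-of-n XOR split where every custodian's share is needed to rebuild the key and any subset reveals nothing about it.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

KEY_BYTES = 32  # 256-bit symmetric keys (strong key generation)


@dataclass
class KeyRecord:
    version: int
    material: Optional[bytes]  # None once the key has been destroyed
    state: str                 # "active", "retired" or "destroyed"


class KeyRing:
    """Hypothetical key lifecycle: generate, rotate, retire, destroy."""

    def __init__(self) -> None:
        self._keys: Dict[int, KeyRecord] = {}
        self._active: Optional[int] = None

    def generate(self) -> int:
        """Create a new key and make it the only one allowed to encrypt.

        The previous active key is retired, not deleted: data encrypted
        under it must still be readable until it has been re-encrypted.
        """
        version = (max(self._keys) + 1) if self._keys else 1
        self._keys[version] = KeyRecord(version, secrets.token_bytes(KEY_BYTES), "active")
        if self._active is not None:
            self._keys[self._active].state = "retired"
        self._active = version
        return version

    def active_version(self) -> Optional[int]:
        return self._active

    def key_for(self, version: int, for_encryption: bool) -> bytes:
        """Hand out key material, enforcing the lifecycle rules."""
        rec = self._keys[version]
        if rec.state == "destroyed" or rec.material is None:
            raise KeyError(f"key v{version} has been destroyed")
        if for_encryption and rec.state != "active":
            raise KeyError(f"key v{version} is retired; only the active key may encrypt")
        return rec.material

    def destroy(self, version: int) -> None:
        """Irreversibly drop obsolete key material once nothing depends on it."""
        if version == self._active:
            raise ValueError("rotate before destroying the active key")
        rec = self._keys[version]
        rec.material = None
        rec.state = "destroyed"


def split_key(key: bytes, shares: int) -> List[bytes]:
    """n-of-n split knowledge: XOR of all shares equals the key.

    Each share except the last is uniformly random, so any subset of fewer
    than `shares` pieces is statistically independent of the key.
    """
    if shares < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(shares - 1)]
    last = key
    for part in parts:
        last = bytes(x ^ y for x, y in zip(last, part))
    return parts + [last]


def combine_shares(shares: List[bytes]) -> bytes:
    """Rebuild the key from every custodian's share."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(x ^ y for x, y in zip(out, share))
    return out


if __name__ == "__main__":
    ring = KeyRing()
    v1 = ring.generate()
    v2 = ring.generate()          # periodic key change: v1 retired, v2 active
    print("active version:", ring.active_version())
    custodians = split_key(ring.key_for(v2, for_encryption=True), 3)
    print("rebuilt ok:", combine_shares(custodians) == ring.key_for(v2, False))
    ring.destroy(v1)              # obsolete key destroyed after re-encryption
    print("v1 state:", ring._keys[v1].state)
```

The two invariants worth carrying into a real design are visible here: a retired key can decrypt but never encrypt, so rotation cannot be silently undone, and destroying a key is refused while it is still the active one. The XOR split is the simplest form of split knowledge; where a threshold (k-of-n) is needed, a proper secret-sharing scheme replaces it, but the custody rule is the same.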
Banks should be committed to safeguarding the privacy and confidentiality of customers' personal information. Secure technology and enhanced identity protection are key to achieving this. Since every bank is different, the controls chosen can differ, but customer and employee awareness can be the key.