Topic – eCOMMERCE AND SECURED ELECTRONIC BANKING. Speaker – Ms. Kalaivani Chittaranjan, MD & CEO, eMudhra Consumer Services Ltd. 16th Annual Karnataka Conference, GRC – Compliance to Culture, July 19th 2013


  • Topic Outline

    o Components and challenges in eCommerce
    o Growth of eCommerce Industry
    o Security Methodology in eCommerce
    o Evolution of Technology in the growth of Banking
    o Current Trends
    o Drivers for Growth
    o Future Trends
    o Technology Impact
    o Security in Banking Technology
    o Introduction to Digital Signatures
    o Challenges in Electronic Banking
    o Digital Signatures Adoption in India and other countries
    o Electronic Banking Regulatory Reforms
    o Banking Cyber Fraud Law and Justice
    o Conclusion

  • COMPONENTS OF E-COMMERCE (diagram)

    Shopping / Usage: Catalogue browsing; Shopping Cart; Form filling; Service descriptions

    Payment: Online Banking; Credit / Debit Cards; Cash / COD; Other modes

    Fulfillment: Product Delivery; Form collection; Service completion

  • Sales in USD Billion (chart)

  • Total number of internet users in millions; Internet penetration % (chart)

  • SECURITY METHODOLOGY

    CONFIDENTIAL

    Source: Forrester

    Confidentiality

    Authenticity

    Non-repudiation

    Integrity

    Availability

    Authorization

  • % of usage in eCommerce (pie chart; Source: Forrester)

    Values shown: 58%, 21%, 12%, 7%, 2%

    Legend: Online Bank Transfers, Visa, Mastercard, Cash / COD, Others

  • Technology in Banking

    Timeline: 1950s, 1980s, 1990s, 2000s, 2010, 2013

    Traditional Banking, paper based

    Computerization, Branch automation

    Interbank connectivity, ATM, Core Banking, INFINET, PKI

    RTGS, Internet banking

    Mobile Banking

    Secured Banking

  • Banking Current Trends

    With greater infusion of technology in banking, the incidence of frauds in internet banking has witnessed an increase in recent times. Ensuring efficiency of the banking sector by way of technology infusion while minimizing the occurrence of such fraudulent events has become one of the major objectives of the Reserve Bank in recent years. Complaints related to unauthorized fund transfers, fraudulent withdrawals from ATMs using duplicate cards, and phishing e-mails aimed at extracting personal information have registered a significant increase in recent times.

    Source: IT Vision Document 2011-17, RBI

  • Banking Future Trends

    o The consumer-driven digital economy and mobile revolution create disruption and the need to invest in innovation.

    o Customer experience enhancements will focus on creating a seamless cross-channel experience, incorporating digital communication driven by targeted analytics.

    o Continuous upgrades to web and collaboration technology will play a vital role.

    o Proliferation of new electronic payment mechanisms, an increase in the number of players, and growth in the banking population will reinforce the regulator's view that the payment system is an important aspect of the financial system in the country.

    o Enhancing the secured network across various channels of banking is the root of technology-centric banking.

  • Banking Technology - Security

    o In India, 40% of customers do their banking online, and 70% of the total transactions are done over the Internet. Yet proper security measures are not in place to address the online banking environment.

    o In the past 12 months:
      o More than 42 million people in India fell victim to cybercrime
      o Approx. $8 billion (Rs. 44,400 crores) in direct financial losses
      o 66% of Indian online adults have been victims of cybercrime in their lifetime
      o 56% of online adults in India have experienced cybercrime
      o More than 115,000 victims of cybercrime every day, 80 victims per minute and more than 1 per second; the average direct financial cost per victim is $192, up 18% from $163 in 2011
      o One in four respondents in BFSI institutions in India experienced an external attack, ranging from phishing attempts and theft of proprietary information to denial-of-service attacks

    Source: Gartner, Norton Cybercrime Report 2012, Symantec Security Check Indian Financial Services Industry 2011

  • Digital Signature Certificates: An introduction

    o Digital Signature Certificates (DSC) are a PKI based asymmetric cryptography technology, wherein a pair of keys is generated: a Public and a Private key. The Private key is confidential and is held at the signer's end, and the Public key is public and is used by the receiver to decrypt the message.

    o DSC uses the 2048 bit advanced encryption standard. Information that is digitally signed using DSC ensures authenticity, non-repudiation, confidentiality and integrity of the data transmitted. Hence it is considered to be the highest level of security.

    o DSC is issued to an individual after carrying out verification as per the law.

    o DSC is issued in India by licensed Certifying Authorities under the Information Technology Act.

  • Digital Signature Banking Benefits

    User Convenience: 1 time process for 2 years. No need to change passwords every 15 days.

    Enhances Trust: 2048 bit instead of 8-16 characters in a password.

    Liability protection: Explicit transfer of liability for protection of the key to the user. Getting transactions legally signed by customers protects the banks.

    Security: Reduced scope for any phishing or MITM attacks. Transaction details as seen by the user cannot be changed.

    TAT Reduction: Customer can use the certificate to sign application forms / mandates for other applications, resulting in reduced TAT for future customer engagements.

  • Electronic Banking - Challenges

    Challenges:

    o Data confidentiality
    o Authentication of end user: conventional User-Ids / Passwords or weaker authentication tools like OTPs and PINs being used for Internet Banking transactions.
    o Transaction data integrity: weak authentication tests the integrity of data and restricts online High Value Transactions.
    o Non-repudiation and accountability
    o Cyber frauds: Phishing, Virus Infusion, MITM attacks, Trojans, etc. Vulnerable area: High Net-Worth Individuals' / Non-Resident Indians' accounts are being targeted by hackers.

    Digital Signature:

    o 2 Factor Authentication (2FA) with Digital Signature Certificate based security solution established
    o Physical Authorization is not required
    o User Convenience
    o Secure and legally valid under the Information Technology Act, 2000
    o Secured online High Value Fund Transfer is possible
    o Establishes the authenticity of the transacting user: the identity of individuals is verified by the Certifying Authorities licensed by the Controller of Certifying Authorities, Ministry of IT, Government of India.

  • Electronic Banking - Challenges

    Challenges:

    o Rising insurance cost due to increasing fraud attacks
    o Cost of legal discovery is huge with paper-based systems
    o Online transaction liability lies with the bank

    Digital Signature:

    o Ensures Integrity and Confidentiality of the transaction: uses advanced encryption technology; content not altered in transmission
    o Non-Repudiation: the onus of the digital signature is with the customer. The transaction and its contents cannot be denied by the originator of the message requesting services
    o Reduced Turn-around Time for transaction processing
    o Paperless transactions and reduced cost of operations
    o Enhancing customer experience

  • Online Banking India

    Screenshot of IDBI BANK digital signature usage page

  • PKI in the global arena (map): CANADA, USA, BRAZIL, UK, DENMARK, SAUDI ARABIA, UAE, CHINA, N KOREA, INDIA, SINGAPORE, MAURITIUS, THAILAND, PHILIPPINES, AUSTRALIA, INDONESIA, S KOREA, JAPAN

  • Adoption in India

    In India Digital Signature Certificates are used in the following areas:

    o Filing MCA 21
    o Income Tax Department of India
    o E-Tendering / e-Procurement
    o Directorate General of Foreign Trade (DGFT)
    o Real Time Gross Settlement (RTGS)
    o Electronic Fund Transfer (EFT)
    o Banking authentication
    o Railway Reservation / Agent Bookings
    o Judicial Orders
    o Customs

  • Electronic Banking Regulatory Reforms

    Basel Committee Report on Banking Supervision identifies the following principles of security:

    1. Authentication of e-banking customers.
    2. Non-repudiation and accountability for e-banking transactions.
    3. Appropriate measures to ensure segregation of duties.
    4. Proper authorisation controls within e-banking systems, databases and applications.
    5. Data integrity of e-banking transactions, records, and information.
    6. Establishment of clear audit trails for e-banking transactions.
    7. Confidentiality of key bank information.

  • Electronic Banking Regulatory Reforms: Information Technology (Amendment) Act, 2008

    Section 43A: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

  • Electronic Banking Regulatory Reforms

    RBI Information Security Guidelines 2011:

    o For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles. There is continuous debate about extending this classic trio. Other principles such as authenticity, non-repudiation and accountability are also now becoming key considerations for practical security installations.

    o There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions. However, it is observed that some banks still use weak user id/password based authentication for fund transfers using internet banking. For carrying out critical transactions like fund transfers, the banks, at the least, need to implement robust and dynamic two-factor authentication through a user id/password combination and a second factor like (a) a digital signature (through a token containing a digital certificate and associated private key) (preferably for corporate customers) or (b) an OTP/dynamic access code through various modes (like SMS over mobile phones or a hardware token).

  • Electronic Banking Regulatory Reforms

    RBI Information Security Guidelines 2011:

    o Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack.

    o Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved, include transmission and storage of critical and/or sensitive data/information in an un-trusted environment or where a higher degree of security is required, generation of customer PINs which are typically used for card transactions and online services, detection of any unauthorized alteration of data/information and verification of the authenticity of transactions or data/information.

    o Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination.

  • Electronic Banking Regulatory Reforms

    RBI Information Security Guidelines 2011:

    o It is clarified that except where legally required, banks may consider any other equivalent/better and robust technology/methodology based on new developments after carrying out a diligent evaluation exercise.

    o Payment and fund transfer security: Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack. For this security solution to work effectively, a customer using a hardware token would need to be able to distinguish the process of generating a one-time password from the process of digitally signing a transaction.
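The RBI guideline above, the "transaction details as seen by the user cannot be changed" benefit, and the key-pair description in the DSC introduction all rest on one mechanism: the bank recomputes the hash of exactly the bytes the customer signed and checks it against the customer's public key. The following Go program is an added example, not code from the presentation or from eMudhra: it signs a constructed fund-transfer request with a 2048-bit RSA key (standing in for the private key on a crypto token), verifies it with the public key, and shows that a beneficiary altered in transit no longer verifies. The Transaction fields, the "|"-joined canonical form and the RSA-PSS with SHA-256 choice are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Transaction is a constructed fund-transfer request; the field names are assumptions.
type Transaction struct{ FromAccount, ToAccount, Amount, Reference string }

// canonical serialises the fields in a fixed order so the customer's token and the
// bank hash exactly the same bytes (fields are assumed not to contain "|").
func canonical(t Transaction) []byte {
	return []byte(strings.Join([]string{t.FromAccount, t.ToAccount, t.Amount, t.Reference}, "|"))
}

// Sign hashes the canonical form with SHA-256 and signs the digest with the
// private key, i.e. the key a crypto token would hold for the customer.
func Sign(priv *rsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(canonical(t))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is the bank-side check: it needs only the public key from the customer's
// certificate and fails if any field differs from what was signed.
func Verify(pub *rsa.PublicKey, t Transaction, sig []byte) bool {
	digest := sha256.Sum256(canonical(t))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit key, as the slides describe
	if err != nil {
		panic(err)
	}
	tx := Transaction{"ACC-0001", "ACC-0002", "25000.00", "constructed sample"}
	sig, _ := Sign(priv, tx)
	fmt.Println("original verifies:", Verify(&priv.PublicKey, tx, sig)) // true
	tampered := tx
	tampered.ToAccount = "ACC-9999" // beneficiary swapped by a middleman in transit
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered, sig)) // false
}
```

The same check rejects a signature made under a different customer's key, which is what ties the transaction to the identity the Certifying Authority verified.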

  • Banking Cyber Frauds: Law and Justice

    Thomas Raju (customer). Petition No.3 of 2011 dated 16th May 2011 in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department. The customer's account was debited for an amount of Rs. 162800/-, which the customer had not authorized. The customer had taken adequate precautions in not compromising his passwords and in accessing the internet banking account through secured VPNs.

    Judgement: The Bank has failed to establish due diligence in preventing the unauthorized access into the customer's account in this case and in providing adequate checks and safeguards that would have given the much needed security to the account of the customer. The KYC norms have apparently not been adhered to and there is a complete lack of concern for the customer who had placed his trust in the bank and the IT framework provided by the Bank.

  • Banking Cyber Frauds: Law and Justice

    Umashankar Sivasubramanian (customer). Petition No.2462 of 2008 dated 12th April 2010 in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department.

    The customer had a balance of Rs.646,046/- in his account at the time of the incident. The incident began when the customer received a security update from [email protected] for updation and, assuming it to be a routine mail from the Bank, which had sent similar mails earlier, the customer complied with the request, consequent to which his account was debited to the extent of the balance in the account. Further, this amount was transferred to another customer's account at the same bank and the amount was encashed with a bearer cheque.

  • Banking Cyber Frauds: Law and Justice

    Judgement:

    o Authentication and validation is a key element in any transaction and more so when financial transactions are the mainstay of the activity. A facile and simple method would have been for the bank to acquire a digital signature for the officer responsible for communicating with customers and thereby provide one layer in authentication of such mails. Even in the matter of drawal of money from the account, additional layers of safeguards could have contained the damage to the customer.

    o It appears that the Bank has violated certain important instructions issued by RBI in connection with customers being serviced over the counter or over the internet and KYC norms / Anti-Money Laundering standards / etc.

    o The Bank has failed to put in place a foolproof internet banking system with adequate levels of authentication and validation which would have prevented the type of unauthorized access in the instant case that has led to a serious financial loss to the customer.

  • Conclusion

    o All roads in Banking lead to the digital world. The growing Gen Y population and 90% cost saving (against manual transactions) are a compelling need. Enhanced technology calls for better risk assessment and management.

    o More than 95% of the value of electronic transactions is through RTGS. Making this channel secured is very important.

    o Risk tolerance is low in Banking. The whole banking system is built upon trust. Loss of trust will collapse the country's economy. It is in this view that the regulator has taken the step to bring compliance in IT security.

    o Increased transparency and creating awareness of security in online banking builds trust.

    o Today, Corporates are already using digital signatures for filing documents with the Registrar of Companies, the commercial taxes department, eProcurement and the Income Tax department. Extending the usage will make it easier to proliferate secured banking.

    o An OTP dongle being replaced by a crypto token holding a secured private key to encrypt the transaction details will ensure a smooth transition to better security options.

    o Non-implementation exposes the customer's interest and the bank to reputation and financial risk. This now also exposes the top executives of the Bank to civil and criminal liability.

    o Important eGovernment transactions such as filing of income tax returns, commercial tax returns, customs forms, Tendering, Registrar of Companies, etc. have made usage of digital signature certificates mandatory. Banking is no exception and the risk is also high. The RBI guideline is a first step in this direction.

  • Q & A