Topic eCOMMERCE AND SECURED ELECTRONIC BANKING
Speaker: Ms. Kalaivani Chittaranjan, MD & CEO, eMudhra Consumer Services Ltd
16th Annual Karnataka Conference
GRC Compliance to Culture
JULY 19th 2013
Topic Outline
o Components and challenges in eCommerce
o Growth of eCommerce Industry
o Security Methodology in eCommerce
o Evolution of Technology in the growth of Banking
o Current Trends
o Drivers for Growth
o Future Trends
o Technology Impact
o Security in Banking Technology
o Introduction to Digital Signatures
o Challenges in Electronic Banking
o Digital Signatures Adoption in India and other countries
o Electronic Banking Regulatory Reforms
o Banking Cyber Fraud Law and Justice
o Conclusion
COMPONENTS OF E-COMMERCE
Shopping / Usage: Catalogue browsing; Shopping Cart; Form filling; Service descriptions
Payment Fulfilment: Online Banking; Credit / Debit Cards; Cash / COD; Other modes
Product Delivery; Form collection; Service completion
Chart (Growth of eCommerce Industry): Sales in USD Billion; Total number of internet users in millions; Internet penetration %. Source: Forrester
www.emudhra.com
CONFIDENTIAL
SECURITY METHODOLOGY
Confidentiality
Authenticity
Non-repudiation
Integrity
Availability
Authorization
Chart: % of usage in eCommerce (Source: Forrester)
Online Bank Transfers: 58%
Visa: 21%
Mastercard: 12%
Cash / COD: 7%
Others: 2%
Technology in Banking
1950s: Traditional Banking, paper based
1980s: Computerization, Branch automation
1990s: Interbank connectivity, ATM, Core Banking, INFINIT, PKI
2000s: RTGS, Internet banking
2010: Mobile Banking
2013: Secured Banking
Banking Current Trends
With greater infusion of technology in banking, the incidence of fraud in internet banking has increased in recent times. Ensuring efficiency of the banking sector by way of technology infusion while minimizing the occurrence of such fraudulent events has become one of the major objectives of the Reserve Bank in recent years. Complaints related to unauthorized fund transfers, fraudulent withdrawals from ATMs using duplicate cards, and phishing e-mails aimed at extracting personal information have registered a significant increase in recent times.
Source : IT Vision Document 2011-17 : RBI
Banking Future Trends
o The consumer-driven digital economy and mobile revolution create disruption and the need to invest in innovation.
o Customer experience enhancements will focus on creating a seamless cross-channel experience, incorporating digital communication driven by targeted analytics.
o Continuous upgrades to web and collaboration technology will play a vital role.
o Proliferation of new electronic payment mechanisms, an increase in the number of players, and growth in the banking population will enforce the regulator's view that the payment system is an important aspect of the financial system in the country.
o Enhancing the secured network across various channels of banking is the root of technology-centric banking.
Banking Technology - Security
o In India, 40% of customers do their banking online, and 70% of the total transactions are done over the Internet. Yet proper security measures are not in place to address the online banking environment.
o In the past 12 months:
o More than 42 million people in India fell victim to cybercrime
o Approx. $8 billion (Rs. 44,400 crores) in direct financial losses
o 66% of Indian online adults have been victims of cybercrime in their lifetime
o 56% of online adults in India have experienced cybercrime
o More than 115,000 victims of cybercrime every day, 80 victims per minute and more than 1 per second; the average direct financial cost per victim is $192, up 18% from $163 in 2011
o One in four respondents in BFSI institutions in India experienced an external attack, ranging from phishing attempts and theft of proprietary information to denial-of-service attacks
Source: Gartner, Norton Cybercrime Report 2012, Symantec Security Check Indian Financial Services Industry 2011
Digital Signature Certificates: An introduction
o A Digital Signature Certificate (DSC) is based on PKI asymmetric cryptography, in which a pair of keys is generated: a public key and a private key. The private key is confidential and is held at the signer's end; the public key is public and is used by the receiver to decrypt the message.
o DSC uses a 2048-bit advanced encryption standard. Information that is digitally signed using a DSC ensures authenticity, non-repudiation, confidentiality and integrity of the data transmitted. Hence it is considered to be the highest level of security.
o A DSC is issued to an individual after carrying out verification as per the law.
o DSCs are issued in India by licensed Certifying Authorities under the Information Technology Act.
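Added worked example (not from the deck or from eMudhra): a customer signs a fund-transfer instruction with a 2048-bit RSA private key and the bank verifies it with the matching public key, which is the operation a DSC-based banking login or transaction approval performs. The deck's "2048 bit" is taken here as the RSA key size, with SHA-256 as the hash; the verifier checks the signature over the hash of the transaction rather than decrypting a message. The Transaction fields, the canonical encoding and the account numbers are constructed for this example. Note how changing a single field after signing, or verifying with a different customer's key, makes verification fail, which is the integrity and non-repudiation property the slide claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Transaction is a hypothetical fund-transfer instruction the customer signs
// before the bank executes it. Field names are assumptions for this example.
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountINR   int64
	Reference   string
}

// canonical serialises the transaction into fixed, unambiguous bytes so that
// the signer and the verifier hash exactly the same data.
func canonical(tx Transaction) []byte {
	return []byte(fmt.Sprintf("from=%s|to=%s|amount=%d|ref=%s",
		tx.FromAccount, tx.ToAccount, tx.AmountINR, tx.Reference))
}

// GenerateCustomerKey creates the 2048-bit RSA key pair. With a real DSC the
// private key stays on the customer's token; here it only lives in memory.
func GenerateCustomerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignTransaction hashes the canonical transaction with SHA-256 and signs the
// digest with the customer's private key (RSA PKCS#1 v1.5).
func SignTransaction(priv *rsa.PrivateKey, tx Transaction) ([]byte, error) {
	digest := sha256.Sum256(canonical(tx))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyTransaction is the bank-side check: it recomputes the digest over the
// transaction it actually received and checks the signature with the
// customer's public key. Any altered field or a signature from another key fails.
func VerifyTransaction(pub *rsa.PublicKey, tx Transaction, sig []byte) bool {
	digest := sha256.Sum256(canonical(tx))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, err := GenerateCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample instruction.
	tx := Transaction{"000123456789", "000987654321", 50000, "invoice-42"}
	sig, err := SignTransaction(priv, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyTransaction(&priv.PublicKey, tx, sig))

	// A middleman swapping the payee after signing is detected by the bank.
	tampered := tx
	tampered.ToAccount = "000111111111"
	fmt.Println("tampered verifies:", VerifyTransaction(&priv.PublicKey, tampered, sig))
}
```

Run with `go run`; the first line prints true and the second false. Because the bank only ever holds the public key, a valid signature could only have come from the holder of the private key, which is what lets liability for the instruction be attributed to the customer.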
Digital Signature Banking Benefits
User Convenience: 1-time process for 2 years; no need to change passwords every 15 days
Enhances Trust: 2048 bit instead of 8-16 characters in a password
Liability protection: Explicit transfer of liability for protection of the key to the user. Getting transactions legally signed by customers protects the banks
Security: Reduced scope for any phishing or MITM attacks. Transaction details as seen by the user cannot be changed
TAT Reduction: Customer can use the certificate to sign application forms/mandates for other applications, resulting in reduced TAT for future customer engagements
Electronic Banking - Challenges
Challenges:
o Data confidentiality
o Authentication of end user: conventional User-Ids / Passwords or weaker authentication tools like OTPs and PINs being used for Internet Banking Transactions.
o Transaction data integrity: weak authentication tests the integrity of data and restricts online High Value Transactions.
o Non-repudiation and accountability
o Cyber frauds: Phishing, Virus Infusion, MITM attacks, Trojans, etc. Vulnerable area: High Net-Worth Individuals / Non-Resident Indians accounts are being targeted by hackers.
Digital Signature:
o 2 Factor Authentication (2FA) with Digital Signature Certificate based security solution established
o Physical Authorization is not required
o User Convenience
o Secure and legally valid under the Information Technology Act, 2000
o Secured online High Value Fund Transfer is possible
o Establishes the authenticity of the transacting user: identity of individuals is verified by the Certifying Authorities licensed by the Controller of Certifying Authorities, Ministry of IT, Government of India.
Electronic Banking - Challenges
Challenges:
o Rising insurance cost due to increasing fraud attacks
o Cost of legal discovery is huge with paper-based systems
o Online transaction liability lies with the bank
Digital Signature:
o Ensures Integrity and Confidentiality of the transaction: uses advanced encryption technology; content not altered in transmission
o Non-Repudiation: the onus of the digital signature is with the customer. The transaction and its contents cannot be denied by the originator of the message requesting services
o Reduced Turn-around Time for transaction processing
o Paperless transactions and reduced cost of operations
o Enhancing customer experience
Online Banking India
Screenshot of IDBI BANK digital signature usage page
PKI in the global arena
Map: CANADA, USA, BRAZIL, UK, DENMARK, SAUDI ARABIA, UAE, CHINA, N KOREA, INDIA, SINGAPORE, MAURITIUS, THAILAND, PHILIPPINES, AUSTRALIA, INDONESIA, S KOREA, JAPAN
Adoption in India
In India Digital Signature Certificates are used in the following areas:
o Filing MCA 21
o Income Tax Department of India
o E-Tendering / e-Procurement
o Directorate General of Foreign Trade (DGFT)
o Real Time Gross Settlement (RTGS)
o Electronic Fund Transfer (EFT)
o Banking authentication
o Railway Reservation / Agent Bookings
o Judicial Orders
o Customs
Electronic Banking Regulatory Reforms
Basel Committee Report on Banking Supervision identifies the following principles of security:
1. Authentication of e-banking customers.
2. Non-repudiation and accountability for e-banking transactions.
3. Appropriate measures to ensure segregation of duties.
4. Proper authorisation controls within e-banking systems, databases and applications.
5. Data integrity of e-banking transactions, records, and information.
6. Establishment of clear audit trails for e-banking transactions.
7. Confidentiality of key bank information.
Electronic Banking Regulatory Reforms: Information Technology (Amendment) Act, 2008
Section 43A: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Electronic Banking Regulatory Reforms
RBI Information Security Guidelines 2011:
o For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles. There is continuous debate about extending this classic trio. Other principles such as authenticity, non-repudiation and accountability are also now becoming key considerations for practical security installations.
o There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions. However, it is observed that some banks still use weak user id/password based authentication for fund transfers using internet banking. For carrying out critical transactions like fund transfers, the banks, at the least, need to implement robust and dynamic two-factor authentication through a user id/password combination and a second factor like (a) a digital signature (through a token containing a digital certificate and associated private key) (preferably for corporate customers) or (b) an OTP/dynamic access code through various modes (like SMS over mobile phones or a hardware token).
Electronic Banking Regulatory Reforms
RBI Information Security Guidelines 2011:
o Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack.
o Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved, include transmission and storage of critical and/or sensitive data/information in an un-trusted environment or where a higher degree of security is required, generation of customer PINs which are typically used for card transactions and online services, detection of any unauthorized alteration of data/information and verification of the authenticity of transactions or data/information.
o Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination.
Electronic Banking Regulatory Reforms
RBI Information Security Guidelines 2011:
o It is clarified that except where legally required, banks may consider any other equivalent/better and robust technology/methodology based on new developments after carrying out a diligent evaluation exercise.
o Payment and fund transfer security: Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack. For this security solution to work effectively, a customer using a hardware token would need to be able to distinguish the process of generating a one-time password from the process of digitally signing a transaction.
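Added worked example (not from the deck, the RBI guideline or eMudhra) of the key-based message authentication code the guideline mentions on this slide and the earlier one: the customer's channel and the bank share a secret key, every transfer carries an HMAC-SHA256 tag over its fields, and the bank recomputes the tag before acting. The Transfer fields, the encoding, the sample accounts and the replay check on the transaction id are assumptions made for this example. The tag catches a middleman modifying the payee or amount, and the transaction-id check catches the same tagged message being injected a second time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transfer is a hypothetical fund-transfer message between the customer
// channel (for example the bank's mobile app) and the bank's core system.
// Field names are assumptions for this example.
type Transfer struct {
	TxnID     string
	From      string
	To        string
	AmountINR int64
}

// encode produces the exact bytes the MAC covers; a fixed field order with
// delimiters prevents two different transfers from encoding identically.
func encode(t Transfer) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", t.TxnID, t.From, t.To, t.AmountINR))
}

// NewKMAC generates a random 256-bit shared key. In deployment it would be
// provisioned into the customer's token or app and the bank's HSM, never
// sent alongside the message.
func NewKMAC() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Tag computes HMAC-SHA256 over the encoded transfer.
func Tag(key []byte, t Transfer) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(encode(t))
	return mac.Sum(nil)
}

// Accept is the bank-side check. It recomputes the tag with the shared key
// and compares in constant time, then rejects a TxnID it has already
// processed so that a captured, once-valid message cannot be injected again.
func Accept(key []byte, seen map[string]bool, t Transfer, tag []byte) bool {
	if !hmac.Equal(Tag(key, t), tag) {
		return false // modified in transit or tagged with the wrong key
	}
	if seen[t.TxnID] {
		return false // replayed or duplicated transaction
	}
	seen[t.TxnID] = true
	return true
}

func main() {
	key, err := NewKMAC()
	if err != nil {
		panic(err)
	}
	seen := map[string]bool{}
	// Constructed sample transfer.
	t := Transfer{"TXN-0001", "000123456789", "000987654321", 50000}
	tag := Tag(key, t)
	fmt.Println("tag:", hex.EncodeToString(tag))
	fmt.Println("genuine accepted: ", Accept(key, seen, t, tag))

	modified := t
	modified.To = "000111111111" // payee changed by a middleman
	fmt.Println("modified accepted:", Accept(key, seen, modified, tag))
	fmt.Println("replayed accepted:", Accept(key, seen, t, tag))

	injected := Transfer{"TXN-0002", t.From, "000111111111", 50000}
	fmt.Println("injected accepted:", Accept(key, seen, injected, Tag([]byte("guess"), injected)))
}
```

Only the first Accept call prints true. Unlike the digital signature, a MAC proves nothing to a third party, since both sides hold the same key; that is why the guideline lists both, with the signature carrying the non-repudiation property and the KMAC giving a cheaper integrity check on each message.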
Banking Cyber Frauds: Law and Justice
Thomas Raju (customer): Petition No.3 of 2011 dated 16th May 2011 in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department. The customer's account was debited for an amount of Rs. 162800/-, which the customer had not authorized. The customer had taken adequate precautions in not compromising his passwords and in accessing the internet banking account through secured VPNs.
Judgement: The Bank has failed to establish due diligence in preventing the unauthorized access into the customer's account in this case and in providing adequate checks and safeguards that would have given the much needed security to the account of the customer. The KYC norms have apparently not been adhered to and there is a complete lack of concern for the customer who had placed his trust in the bank and the IT framework provided by the Bank.
Banking Cyber Frauds: Law and Justice
Umashankar Sivasubramanian (customer): Petition No.2462 of 2008 dated 12th April 2010 in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department.
The customer had a balance of Rs.646,046/- in his account at the time of the incident. The incident began when the customer received a security update from [email protected] for updation and, assuming it to be a routine mail from the Bank, which had sent similar mails earlier, the customer complied with the request, consequent to which his account was debited to the extent of the balance in the account. Further, this amount was transferred to another customer's account at the same bank and encashed with a bearer cheque.
Banking Cyber Frauds: Law and Justice
Judgement:
o Authentication and validation is a key element in any transaction, and more so when financial transactions are the mainstay of the activity. A facile and simple method would have been for the bank to acquire a digital signature for the officer responsible for communicating with customers and thereby provide one layer of authentication for such mails. Even in the matter of drawal of money from the account, additional layers of safeguards could have contained the damage to the customer.
o It appears that the Bank has violated certain important instructions issued by RBI in connection with customers being serviced over the counter or over the internet and KYC norms / Anti-Money Laundering standards / etc.
o The Bank has failed to put in place a foolproof internet banking system with adequate levels of authentication and validation which would have prevented the type of unauthorized access in the instant case that has led to a serious financial loss to the customer.
Conclusion
o All roads in Banking lead to the digital world. The growing Gen Y population and 90% cost saving (against a manual transaction) are a compelling need. Enhanced technology calls for better risk assessment and management.
o More than 95% of the value of electronic transactions is through RTGS. Making this channel secure is very important.
o Risk tolerance is low in Banking. The whole banking system is built upon trust. Loss of trust will collapse the country's economy. It is in this view that the regulator has taken the step to bring compliance in IT security.
o Increased transparency and creating awareness of security in online banking builds trust.
o Today, corporates are already using digital signatures for filing documents with the Registrar of Companies, the commercial taxes department, eProcurement and the Income Tax department. Extending the usage will make it easier to proliferate secured banking.
o An OTP dongle being replaced by a crypto token holding a secured private key to encrypt the transaction details will ensure a smooth transition to better security options.
o Non-implementation exposes the customer's interest and the bank to reputational and financial risk. This now also exposes the top executives of the Bank to civil and criminal liability.
o Important eGovernment transactions such as filing of income tax returns, commercial tax returns, customs forms, Tendering, Registrar of Companies, etc. have made usage of digital signature certificates mandatory. Banking is no exception and the risk is also high. The RBI guideline is a first step in this direction.
Q & A