THE IMPACT OF RECONNAISSANCE IN BANKS INFORMATION SYSTEMS
A CASE STUDY OF CO-OPERATIVE BANK OF KENYA

CARLVIN SOLOMON EZEKIEL MASAKHALIA
BBIT/MSA/08/00039

A MANAGEMENT RESEARCH PROJECT SUBMITTED IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE BACHELOR OF BUSINESS AND INFORMATION TECHNOLOGY

MT KENYA UNIVERSITY
APRIL 2011
Declaration

This research project is my original work and has never been presented for a degree in any other university.

Signature ..................................... Date .....................................
CARLVIN S.E. MASAKHALIA, BBIT/MSA/08/00039

This project is presented for examination with the approval of the university Supervisor.

Signature ..................................... Date .....................................
LYNETTE KARIMI RINGEERA, ICT DEPARTMENT, MOUNT KENYA UNIVERSITY
Acknowledgements

Many thanks to MKU staff: the Director, Mr Barasa, the lecturers and the subordinate staff. Many more thanks to all my close friends; I could not have made it this far without your support, materially and psychologically. It has been a short three years. I love you all!

I also acknowledge God for everything he has done in my life. Without God's blessings, wisdom, understanding and guidance throughout this course work I could not have lived to get to this point. Words are never enough to say thank you, but I am really grateful.

Lastly, special thanks to Ms Lynette, my Supervisor: in this project you showed me the way when I was lost and pushed me whenever I was stuck. May God reward you immensely.
Abstract

This project is a survey of the impact of reconnaissance on banks' information systems, carried out as a case study of the Co-operative Bank of Kenya, Kenyatta Avenue branch. It was conducted in response to the increase in fraud cases in the banking industry, in which several banks have lost millions, notably Co-op Bank (November 2010) and Family Bank (February 2011). Co-operative Bank, and the Kenyatta Avenue branch in particular, was chosen for this study because the bank has previously been attacked; the most recent case was at the bank's headquarters (January 2011), where Kshs 90 million was lost.

The first chapter gives an overview of the bank and the history of frauds attributed to reconnaissance attacks, followed by the statement of the problem, the objectives of the study, the research questions, and the significance, scope and limitations of the study. Chapter two describes the meaning of reconnaissance and the various ways in which it can be carried out; it further describes the technologies used and the types of attacks, threats and vulnerabilities. Chapter three explains the research methodology adopted for the study, in which questionnaires were distributed to collect data from both customers and staff of the bank. The fourth chapter presents and analyses the data collected, using tables and graphs. Chapter five summarises the major findings in relation to the objectives of the research and the research questions. Lastly, chapter six concludes and gives the recommendations of the research, setting out the best ways to defend and safeguard the bank's information systems against reconnaissance attacks; this includes advice to the banking industry on the impact of reconnaissance.
Dedication

I dedicate this work to my late mother, Edith P. Ogeng, who taught me the value of education. You were one in a million!
List of Acronyms and Abbreviations

MKU - Mount Kenya University
NSE - Nairobi Stock Exchange
ATM - Automated Teller Machine
DNS - Domain Name System
FTP - File Transfer Protocol
IT - Information Technology
IDS - Intrusion Detection Systems
IIS - Internet Information Server
NT - Network Technology
SPSS - Statistical Package for the Social Sciences
ICANN - Internet Corporation for Assigned Names and Numbers
WWW - World Wide Web
ID - Identification
i.e. - that is
TABLE OF CONTENTS

Declaration ..... i
Acknowledgements ..... ii
Abstract ..... iii
Dedication ..... iv
List of Acronyms and Abbreviations ..... v

CHAPTER 1
1.1 Introduction ..... 1
1.2 Background Information ..... 3
1.3 Statement of the Problem ..... 4
1.4 Objective of the Study ..... 5
1.5 Significance of the Study ..... 5
1.6 Limitation of the Study ..... 6
1.7 Scope of the Study ..... 6

CHAPTER 2
2.1 Meaning and Definition ..... 7
2.2 Reconnaissance Techniques ..... 8
2.2.1 Low Technology Based Technique ..... 8
2.2.2 Web Based Technique ..... 10
2.2.3 Whois Database Technique ..... 12
2.2.4 Domain Name System ..... 13
2.3 Conceptual Framework ..... 15
2.4 Gaps to be Filled ..... 15

CHAPTER 3
3.1 Introduction ..... 17
3.2 Research Design ..... 17
3.3 Population and Sample Size ..... 17
3.4 Sample Design ..... 17
3.5 Data Collection Instruments/Tools ..... 18
3.6 Data Collection Procedures ..... 18
3.7 Data Presentation and Analysis Techniques ..... 19

CHAPTER 4
4.1 Introduction ..... 20
4.2 Staff Response ..... 21
4.3 Staff Gender ..... 21
4.4 Staff Age Category ..... 22
4.5 Duration Worked with the Bank (Staff) ..... 22
4.6 Highest Academic Qualifications (Staff) ..... 23
4.7 Electronic Banking (Staff) ..... 23
4.8 Handling of Cheques (Staff) ..... 24
4.9 Money Transfer Services, for Example MoneyGram and Swift (Staff) ..... 25
4.10 Loan Applications, Business and Personal Loans (Staff) ..... 26
4.11 Staff Use of Credit Cards ..... 26
4.12 Internet Banking ..... 27
4.13 Account Transactions: Deposits, Withdrawals and Enquiries ..... 28
4.14 Use of ATM and Debit Cards ..... 29
4.15 Mobile Banking Services ..... 30
4.16 Aspects of Social Engineering ..... 32
4.17 Physical Break-ins ..... 33
4.18 Leaving the Work Station ..... 35
4.19 Disposal ..... 35
4.20 Forms of Enquiries ..... 36
4.21 Sharing User Details ..... 37
4.23 Organisation's Website ..... 38
4.24 Disposal of Customer Details ..... 39
4.25 Level of Confidentiality of Customer Details ..... 40
4.26 Entrusting Third Party with Customer Details ..... 41
4.27 Provision of Customer Details on Telephone ..... 42
4.28 Use of the Internet (WWW) in Providing Customer Information ..... 43
4.29 Procedures Implemented to Ensure Physical Security of Systems/Networks ..... 44
4.30 Training ..... 45
4.31 Gender (Customers) ..... 46
4.32 Age Category (in Years), Customers ..... 47
4.33 Number of Years They Had Been with the Bank (Customers) ..... 48
4.34 Electronic Banking (Customer Response) ..... 49
4.35 Handling of Cheques (Customer Response) ..... 50
4.36 Money Transfer Services, for Example MoneyGram and Swift ..... 51
4.37 Loan Applications, Business and Personal Loans (Customer Response) ..... 52
4.38 Use of Credit Cards (Customer Response) ..... 53
4.39 Internet Banking ..... 54
4.40 Account Transactions: Deposits, Withdrawals and Enquiries ..... 55
4.41 Use of ATM and Debit Cards ..... 56
4.42 Mobile Banking Services ..... 57
4.43 Aspects of Social Engineering ..... 58
4.44 Disposal of Customer Details ..... 60
4.45 Sharing of Customer Details ..... 62
4.46 Keeping Your Customer Documentation ..... 63
4.47 Privacy ..... 63
4.48 Loss of ATM ..... 64
4.49 Action Taken after the Loss of the ATM ..... 65
4.50 Duration before Reporting ..... 66
4.51 Documentation You Have Lost through Physical Break-ins ..... 67
4.52 Organization's Website ..... 68
4.53 Leaving Recipients ..... 69
4.54 Records of Customer Details ..... 70
4.55 Disclosure of Bank Account Details in Website ..... 71
4.56 Sharing Your Financial Details in Internet Forums ..... 72
4.30 Training/Education (Customers) ..... 73

CHAPTER 5
5.0 Summary of the Major Findings ..... 75
5.1 Conclusions ..... 80
5.2 Recommendations ..... 81

References ..... 84
Appendices ..... 85
Appendix 1 (Staff Questionnaire) ..... 85
Appendix 2 (Customer Questionnaire) ..... 89
CHAPTER 1

1.1 INTRODUCTION

Reconnaissance refers to the gathering of information about a system before the actual attack is carried out. It involves an attacker taking time to collect detailed information before the attack, using publicly available information. Through the reconnaissance phase, computer attackers can determine how best to mount their attack for success. To effectively launch certain types of attacks, a hacker usually needs some knowledge about the network topology or the hardware used; the technique that gathers this type of information is called reconnaissance. Reconnaissance on its own is, in many environments, not a threat, but the intelligence found by employing it is often used later to attack a system or network. So the threat of reconnaissance attacks is mostly an indirect one: after the network has been scanned, the information is used subsequently for attacks.

There are four common reconnaissance techniques: low-technology reconnaissance, general web searches, whois databases and the Domain Name System (DNS).

Low-technology reconnaissance usually involves social engineering, physical break-in and dumpster diving. In social engineering, an attacker calls an employee at the target organization on the phone and deceives the individual into revealing sensitive information; that is, the attacker pretends to be an employee, a customer or a supplier. Physical break-in involves attackers with physical access to computer systems gaining access to accounts and data. They may plant malicious programs on the internal systems, giving them remote control of your systems from the outside. Dumpster diving (trashing) involves going through an organization's garbage looking for sensitive information, i.e. the attacker looks for discarded paper, floppy disks, tapes and even hard drives containing sensitive data; in the process the attacker may obtain a complete diagram of the network architecture, user IDs and passwords.

In web-based reconnaissance an attacker uses a computer and Internet resources to learn about the target organization, that is, to determine its domain names, network addresses and contact information. One technique used is searching an organization's own web site, which could carry useful information such as employees' contact details with phone numbers.

Whois databases are the third technique through which reconnaissance can be done on an organization. A whois database contains a variety of data elements regarding the assignment of Internet addresses, domain names and individual contacts. The registrar of domain names ensures that your domain name is unique and assigns it to your organization by entering it into various databases, including whois databases, so that your machines will be accessible on the Internet using your domain name; whois was developed to allow people to look up information about domain name registrations.

Reconnaissance attacks can also be carried out using the Domain Name System (DNS). DNS is a component of the Internet: a hierarchical database distributed around the world that stores a variety of information, such as IP addresses, domain names and mail server information.
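The introduction makes the point that reconnaissance is an indirect threat: a scan by itself does no damage, but it precedes the attack. The defender's task is therefore to recognise the scan while it is happening. The following Python script is an added example, not code from this project or from the bank: it flags a source address that touches many distinct host:port targets inside a short sliding window. The firewall log lines it runs over are constructed here; the log format, the addresses, the timestamps and the threshold values are assumptions.

```python
"""Flag port-scan style reconnaissance in firewall connection logs.

Added example; not code from the original research project. The log
format, addresses and timestamps below are constructed for the example
and do not describe any real firewall product or network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2011-03-01T09:00:01 DENY src=10.0.5.23 dst=192.0.2.10 dport=21
2011-03-01T09:00:01 DENY src=10.0.5.23 dst=192.0.2.10 dport=22
2011-03-01T09:00:02 DENY src=10.0.5.23 dst=192.0.2.10 dport=23
2011-03-01T09:00:02 DENY src=10.0.5.23 dst=192.0.2.10 dport=25
2011-03-01T09:00:03 DENY src=10.0.5.23 dst=192.0.2.10 dport=53
2011-03-01T09:00:03 DENY src=10.0.5.23 dst=192.0.2.10 dport=80
2011-03-01T09:00:04 DENY src=10.0.5.23 dst=192.0.2.10 dport=110
2011-03-01T09:00:04 DENY src=10.0.5.23 dst=192.0.2.10 dport=143
2011-03-01T09:00:05 DENY src=10.0.5.23 dst=192.0.2.10 dport=443
2011-03-01T09:00:05 DENY src=10.0.5.23 dst=192.0.2.10 dport=445
2011-03-01T09:00:05 DENY src=10.0.5.23 dst=192.0.2.10 dport=3389
2011-03-01T09:00:07 ALLOW src=10.0.7.8 dst=192.0.2.10 dport=443
2011-03-01T09:01:30 ALLOW src=10.0.7.8 dst=192.0.2.10 dport=443
2011-03-01T09:02:11 DENY src=10.0.7.8 dst=192.0.2.11 dport=445
2011-03-01T10:15:00 DENY src=10.0.5.23 dst=192.0.2.11 dport=22
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

# A scan is flagged when one source touches at least THRESHOLD distinct
# (destination host, port) pairs inside any WINDOW-long sliding window.
# Both values are assumptions; tune them to the traffic of the network.
WINDOW = timedelta(seconds=60)
THRESHOLD = 10


def parse_log(text):
    """Return a list of (timestamp, action, src, dst, dport) tuples.

    Malformed lines are skipped rather than aborting the run, so a single
    corrupted log record cannot blind the detector.
    """
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, action, src, dst, dport = match.groups()
        events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return events


def detect_scanners(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak_distinct_targets} for sources that look like scanners.

    Allowed and denied connections are both counted: breadth of targets in
    a short time is the signal, not the firewall verdict on each one.
    """
    by_src = defaultdict(list)
    for ts, _action, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        counts = defaultdict(int)  # distinct targets inside the current window
        start = 0
        peak = 0
        for end in range(len(items)):
            ts, target = items[end]
            counts[target] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - items[start][0] > window:
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scan from {src}: {n} distinct host:port targets within {WINDOW}")
```

On the constructed log, 10.0.5.23 probes eleven distinct ports in four seconds and is reported; 10.0.7.8 makes three ordinary connections and is not. The sliding window matters for the edge case in the last line: the same source returning an hour later is counted afresh rather than added to the earlier burst.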
1.2 BACKGROUND INFORMATION

Overview of the organisation

The Co-operative Bank of Kenya Limited ('the Bank') is incorporated in Kenya under the Companies Act and is also licensed to do the business of banking under the Banking Act. The Bank was initially registered under the Co-operative Societies Act at its founding in 1965. This status was retained until 27th June 2008, when the Bank's Special General Meeting resolved to incorporate under the Companies Act with a view to complying with the requirements for listing on the Nairobi Stock Exchange (NSE). The Bank went public and was listed on 22nd December 2008. Shares previously held by the 3,805 co-operative societies and unions were ring-fenced under Coop Holdings Co-operative Society Limited, which became the strategic investor in the Bank with a 64.56% stake.

The Bank runs three subsidiary companies, namely: Kingdom Securities Limited, a stock broking firm in which the bank holds a controlling 60% stake; Co-op Trust Investment Services Limited, the fund management subsidiary wholly owned by the bank; and Co-operative Consultancy Services (K) Limited, the corporate finance, financial advisory and capacity-building subsidiary wholly owned by the bank.

Bank fraud and reconnaissance

According to a Daily Nation report (14th January 2011), Co-operative Bank in the last quarter lost Kshs 300 million as a result of fraud, an increase from the previous year. Bank fraud has been common in the recent past, whereby customers, institutions and the bank itself have lost millions of shillings as a result. The report claims that most frauds occur as a result of attackers who are well informed about the bank's processes, database and administration. This information is usually obtained using various reconnaissance techniques, for example low technology (social engineering) and the World Wide Web. Bank fraud is the use of fraudulent means to obtain money, assets or other property owned or held by a financial institution. In several instances bank fraud is a criminal offence, and it occurs after information about various aspects of the information systems has been gathered, that is, after reconnaissance has been conducted. According to another Daily Nation report (6th May 2011), the most common forms in which the frauds have occurred are: stolen cheques, cheque kiting, forgery and altered cheques, accounting fraud, uninsured deposits, demand draft fraud, rogue traders, fraudulent loans, fraudulent loan applications, forged or fraudulent documents, wire fraud, bill discounting fraud, payment card fraud, stolen payment cards, duplication or skimming of card information, empty ATM envelope deposits, impersonation, prime bank fraud, the fictitious 'bank inspector', phishing and internet fraud, and money laundering. The report further described how most of these scams occurred as a result of well-informed attackers who had detailed knowledge of the bank's confidential information, raising the concern of how the information is obtained.

1.3 STATEMENT OF THE PROBLEM

The study aims to survey the impact of reconnaissance in the banking industry. Information systems, especially in the banking industry, are susceptible to reconnaissance attacks. The bank, its customers and its employees have to ensure that confidential information is
safeguarded from reconnaissance attacks in order to prevent fraud, through which they can lose millions of shillings. The main role of a bank is to ensure the safe custody of customers' funds. In the recent past there have been several cases where customers have lost huge amounts of money from their accounts. Common cases include forgery and impersonation, where attackers have full information about the client: the account number, the account name, the ID number and sometimes even the PIN and signature, so that they are able to use this information to defraud the bank. This gives attackers full access to customer accounts. This research therefore investigates reconnaissance in the banking industry.

1.4 OBJECTIVE OF THE STUDY

General objective

The general objective of this study is to survey reconnaissance in banks' information systems.

Specific objectives

The specific objectives of this study are:
a) To identify areas in the banking information systems which are affected by reconnaissance.
b) To identify the ways in which reconnaissance occurs in banks.
c) To create awareness of reconnaissance in banks.

Research questions

a) What areas in the banking information systems are affected by reconnaissance?
b) What are the ways in which reconnaissance can be carried out in banks?
c) Are people (staff, customers, management) aware of reconnaissance?

1.5 SIGNIFICANCE OF THE STUDY

To the organisation/bank: This research is important because it reveals the areas of the bank which are affected by reconnaissance, so that the bank can improve the security of its information systems. The research also exposes the ways in which reconnaissance occurs.

To the employees: This research will raise awareness of reconnaissance among staff and management, which helps to avoid future fraud cases.

1.6 LIMITATIONS OF THE STUDY

During the research, the following challenges were anticipated:

Accessibility of information: Banks have strict rules and regulations for accessing information. Accessing information in most cases requires authorization from the section heads, who at times are fearful and careful with sensitive information. It is therefore difficult to obtain some information.

Time: The bank staff at the Kenyatta Avenue branch are always busy and have specific duties assigned to them. They may not have enough time for me.

1.7 SCOPE OF THE STUDY

The study is limited to Co-operative Bank and is based at the Kenyatta Avenue branch near Makupa Police Station. It involves interviews in which various customers of the bank and of that branch provide information on how they disclose private information about their bank accounts. The interviews will provide vital details on the information attackers can obtain in order to carry out an attack. ATM outlets are also widely used by many customers, and a large amount of information can be collected from these points; this will therefore also be an area of study in this case.
CHAPTER 2: LITERATURE REVIEW

2.1 MEANING AND DEFINITION

Reconnaissance refers to gathering information. It involves an attacker taking time to collect detailed information before the attack, using publicly available information. Reconnaissance is the process by which a potential intruder gains all of the information they need to know about an information system (IP Network Scanning and Security Reconnaissance, Joe Eitel). Through the reconnaissance phase, computer attackers can determine how best to mount their attack for success.

According to an interview in Bank Technology News (October 2008) by Rebecca Sausner, reconnaissance leads to multi-channel fraud, which is a matter of interest for information security in banks. Sophos, a popular site, found 16,000 web pages per day newly infected with key-logging or other malware in August 2010. This means online banking customers remain vulnerable to unauthorized access; the difference now is that online reconnaissance is merely the first step in a multi-channel fraud play. Security Curve's Diana Kelley says that tracking seemingly innocuous online activities requires analytics that are beyond most institutions' authentication firepower these days. Kelley further says that getting online and looking at the information in the account is actually a portion of the attack's reconnaissance: the attacker is finding out information that can be used in other channels, in other ways. She describes a case with one particular financial institution where there appeared to be a standard wire transfer whose request had been faxed in, and it wasn't until they went back into the past that they were able to find that somebody had been looking at the account to see what was in there and to get information. A lot of what went on during the reconnaissance didn't actually appear to be problematic. But if one thinks about what details banking accounts hold right now, that can actually be a lot of information that can be used in a variety of ways (multi-channel fraud).

2.2 RECONNAISSANCE TECHNIQUES

There are several techniques for reconnaissance in information systems; however, the four most common are low-technology reconnaissance, general web searches, whois databases and the Domain Name System (DNS) (Penetration Testing and Network Defense, October 2005, Andrew Whitaker and Daniel Newman).

2.2.1 LOW TECHNOLOGY BASED TECHNIQUE

Low-technology reconnaissance includes social engineering, physical break-in and dumpster diving.

A social engineering attack is one in which the intended victim is somehow tricked into doing the attacker's bidding. An example would be responding to a phishing email, following the link and entering your banking credentials on a fraudulent website. The stolen credentials are then used for everything from finance fraud to outright identity theft (Antivirus Software Blog by Mary Landesman, October 10, 2008). Social engineering also involves an attacker calling an employee at the target organization on the phone and deceiving the individual into revealing sensitive information; that is, the attacker pretends to be an employee, a customer or a supplier. Social engineering is a deception in which the attacker develops a pretext for the call. A female voice on the phone is more likely to gain trust in a social engineering attack than a male voice, although attackers of either gender can be remarkably effective. The most effective method of defending against the social engineer is user awareness: computer users at all levels must be trained not to give sensitive information away to a friendly caller. The security awareness program should inform employees about social engineering attacks and give explicit directions about information that should never be revealed over the phone; employees should not give out sensitive data (Social Engineering 101 (Q&A) by Elinor Mills, August 2010).

Table 1:
Some Common Social Engineering Pretexts

- A new employee calls the help desk trying to figure out how to do a particular task on the computer.
- A manager calls a lower-level employee because his password has suddenly stopped working.
- A system administrator calls an employee to fix her account, which requires using her password.
- An employee in the field has lost his contact information and calls another employee to get the remote access phone number.

Source: Prof John Durret (Spring 2003), Reconnaissance and scanning, page 53; Letian Li, ISQS 6342; publisher: O'Reilly.

Physical break-in involves attackers with physical access to computer systems gaining access to accounts and data. Computer systems and networks are vulnerable to physical attack; therefore procedures should be implemented to ensure that systems and networks are physically secure. Physical access to a system or network provides the opportunity for an intruder to damage, steal or corrupt computer equipment, software and information. Attackers may plant malicious programs on the internal systems, giving them remote control of your systems from the outside (Federal Agency Security Practices, National Institute of Standards and Technology web site: http://csrc.nist.gov/fasp/).

Dumpster diving (trashing) is a fancy, glorified way of saying "trash picking". Dumpster diving, or trash picking, can lead to information which could be used to compromise a network or an identity. If you discard bank statements, credit card statements or other sensitive information without first shredding or otherwise destroying it, you may be at risk of an attacker gaining information about you through dumpster diving (Tony Bradley, CISSP-ISSAP, former About.com Guide). Basically, dumpster diving involves going through an organization's garbage looking for sensitive information, i.e. the attacker looks for discarded paper, floppy disks, tapes and even hard drives containing sensitive data. In the process the attacker may obtain a complete diagram of the network architecture, user IDs and passwords. Effective methods of defending against dumpster diving include providing paper shredders, and staff should be encouraged to use them for discarding all sensitive information. The awareness program must spell out how to discard sensitive information.

2.2.2 WEB BASED TECHNIQUE

Another technique
is web-based reconnaissance. A website is a virtual location on the WWW containing several subject- or company-related web pages and data files accessible through a browser. Each website has its own unique web address (see uniform resource locator), which can be reached through an Internet connection (BusinessDictionary.com). In this technique an attacker uses a computer and Internet resources to learn about the target organization, that is, to determine its domain names, network addresses and contact information.

This includes searching an organization's own web site, which could carry useful information of the following kinds. Employees' contact information with phone numbers: this information is useful particularly for social engineering. Clues about the corporate culture and its language can also be obtained; the site could include significant information about product offerings, work locations and even the best employees, and digesting this information could be useful when conducting a social engineering attack. Business partners can be found; this knowledge could be useful in social engineering, or, by attacking a weak partner, the target organization could ultimately be reached. Information about recent mergers and acquisitions can also be obtained; during mergers many organizations forget about security issues, and a skilful attacker may target an organization during a merger, since the company being acquired may have a lower security posture than the acquiring company and the attacker can benefit by attacking the weaker organization. The technologies in use can also be shown: some sites include a description of the computing platforms in use (say, Windows NT with an IIS web server and an Oracle database). Such information is useful to attackers, who will refine their attack based on it (Mr Matt, Forum Italiano Discussione Utenti StoneGate (FIDUS), hacking tools: reconnaissance).

Using search engines, an attacker can retrieve information about the history, current events and future plans of the target organization, for example the organization's name, product names and known employee names. Use of Usenet newsgroups can also provide critical information. Internet Usenet newsgroups are used by employees to share information and ask questions; that is, employees may submit questions about how to configure a particular type of system or troubleshoot problems. An attacker could send a response giving incorrect advice about how to configure the system, tricking the user into lowering the security standing of the organization.

Web-based reconnaissance can be avoided by establishing policies regarding what types of information are allowed on your own web servers; you want to make sure that you are not making things extra easy for attackers by publishing sensitive information on your own web site. The organization must have a policy regarding the use of newsgroups and mailing lists by employees. The policy must be enforced by periodically and
regularly conducting searches of open, public sources such as the
Web and newsgroups, to see what the world is saying about your
organization (Kerry J. Cox, Christopher Gerg. Managing Security
with Snort and IDS Tools August 2004Page 288). 2.2.3 WHO IS
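As an added illustration of the periodic self-search recommended above (example code written for this edit, not part of the original project or of any cited source), the following Python script scans an organization's own published pages for the kinds of details this section lists: staff phone numbers and e-mail addresses, technology disclosures, and partner, merger or acquisition announcements. The pages, names, addresses and technology strings are constructed for the example; in practice the web team would run it over a crawl of the real site and review the report against the publishing policy.

```python
"""Audit of an organization's own web pages for reconnaissance-useful disclosures.

Added example, not part of the original project: it scans constructed HTML pages
the way the periodic self-search described in the text would, and reports the
kinds of details the section lists so they can be reviewed against policy.
"""
import re
from html.parser import HTMLParser

# Constructed sample pages standing in for a bank's public web site (assumption).
SAMPLE_PAGES = {
    "/about/staff.html": """
        <html><body><h1>Our team</h1>
        <p>Branch manager: Jane Doe, tel +254 700 000 001, jane.doe@example-bank.test</p>
        <p>Powered by Microsoft-IIS/6.0 and Oracle Database 10g</p>
        </body></html>""",
    "/news/merger.html": """
        <html><body><h1>News</h1>
        <p>We are pleased to announce the acquisition of Example Savings Ltd.</p>
        <p>Our business partners include Example Payments Co.</p>
        </body></html>""",
    "/products.html": "<html><body><p>Savings accounts from 2% interest.</p></body></html>",
}


class _TextExtractor(HTMLParser):
    """Collect visible text so the patterns match content, not markup."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(" ".join(parser.chunks).split())


# Each rule names a category from the section above and a pattern that signals it.
RULES = [
    ("email_address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("phone_number", re.compile(r"\+?\d[\d\s-]{7,}\d")),
    ("technology_disclosure",
     re.compile(r"\b(?:IIS|Apache|nginx|Oracle|Windows NT|Tomcat)\b(?:/[\w.]+)?", re.I)),
    ("merger_or_acquisition", re.compile(r"\b(?:merger|acquisition|acquired)\b", re.I)),
    ("business_partner", re.compile(r"\bpartners?\b", re.I)),
]


def audit_page(path, html):
    """Return (path, category, matched_text) findings for one page."""
    findings = []
    text = visible_text(html)
    for category, pattern in RULES:
        for match in pattern.finditer(text):
            findings.append((path, category, match.group(0).strip()))
    return findings


def audit_site(pages):
    """Run the page audit over every path in the site map."""
    findings = []
    for path, html in pages.items():
        findings.extend(audit_page(path, html))
    return findings


def summarize(findings):
    """Count findings per category: the report a policy review would start from."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for path, category, text in audit_site(SAMPLE_PAGES):
        print(f"{path}: {category}: {text}")
    print(summarize(audit_site(SAMPLE_PAGES)))
```

The rules are deliberately broad (any "partner" wording is flagged) because the point is to surface candidates for a human policy review, not to decide automatically what may be published.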
2.2.3 WHOIS DATABASE TECHNIQUE

The third technique is WHOIS databases. WHOIS databases are the lists of names, e-mail addresses, postal addresses, and telephone numbers for the holders of the millions of internet domain names. The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain name registries for many of the most important top-level domains, requires disclosure of this contact information (source: privacilla.org). According to L. Daigle (WHOIS Protocol Specification, September 2004), WHOIS databases provide search for information about the domain names, people, computers, organizations, and name servers involved with administering the Domain Name Service (DNS). A core set of this data constitutes a unified database view shared by all of the domain name registrars. An attacker can contact the target's registrar to obtain the following useful data:

- Names of persons: the complete registration information, i.e. the administrative, technical and billing contacts, which one can use to deceive people in the target organization during a social engineering attack.
- Telephone numbers associated with the contacts, which can be used by an attacker.
- Email addresses, which indicate (to an attacker) the format of email addresses used in the target organization; the attacker will then know how to address email to any user.
- Postal addresses, which an attacker can use as geographic information to conduct dumpster-diving exercises or social engineering.
- Registration dates: records that have not been recently updated may indicate an organization that is lax in maintaining its Internet connection and, for example, does not keep its servers or firewalls up to date either.
- Name servers: the addresses of the DNS servers of the target.

WHOIS searches can be prevented by keeping the registration information (that will appear in the WHOIS database) accurate and up to date. This information can let you inform an administrator of another network that their systems were used during the attack, if attack packets are traced to that network (David Lindsay, 2004, Privacy Law and Policy Reporter).
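The record-hygiene check described above, as an added example (written for this edit, not from the original project or from the cited specification): the script parses a WHOIS reply in the common "Key: value" layout that registrars return over the protocol the text cites, lists exactly the items this section says an attacker reads (contact names, phone numbers, e-mail addresses and the address format they reveal, postal address, name servers), and flags a record whose "Updated Date" is older than a chosen threshold. The domain, contacts and dates are invented for the example, and the layout of the reply is an assumption; real registrars vary in their field names.

```python
"""Hygiene check of an organization's own WHOIS record.

Added example, not from the original project. The sample reply and all of its
values are constructed; the key/value layout is an assumption about the
registrar's output format.
"""
from datetime import date, datetime

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK.TEST
Updated Date: 2006-03-14T10:22:00Z
Creation Date: 2001-08-02T09:00:00Z
Registrar: Example Registrar Inc.
Name Server: NS1.EXAMPLE-BANK.TEST
Name Server: NS2.EXAMPLE-HOSTING.TEST
Admin Name: Jane Doe
Admin Phone: +254.700000001
Admin Email: jane.doe@example-bank.test
Admin Street: 1 Example Avenue
Admin City: Mombasa
Tech Name: John Roe
Tech Email: john.roe@example-bank.test
>>> Last update of WHOIS database: 2011-04-01T00:00:00Z <<<
"""


def parse_whois(text):
    """Return key -> list of values; repeated keys such as Name Server are kept."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks and registrar banner/comment lines.
        if not line or line.startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def contact_exposure(record):
    """Which of the fields the text lists are present in the public record."""
    exposure = {"names": [], "phones": [], "emails": [], "postal": [], "name_servers": []}
    for key, values in record.items():
        lower = key.lower()
        if lower == "domain name":
            continue  # the domain itself, not a contact
        if lower == "name server":
            exposure["name_servers"].extend(values)
        elif lower.endswith(" name"):
            exposure["names"].extend(values)
        elif lower.endswith(" phone"):
            exposure["phones"].extend(values)
        elif lower.endswith(" email"):
            exposure["emails"].extend(values)
        elif lower.endswith((" street", " city")):
            exposure["postal"].extend(values)
    return exposure


def email_format(emails):
    """The local-part convention a reader would infer from the published addresses."""
    patterns = set()
    for address in emails:
        local = address.split("@")[0]
        patterns.add("first.last" if "." in local else "other")
    return patterns


def is_stale(record, today_iso, max_age_days=365):
    """True when the record has not been updated within max_age_days of today_iso."""
    updated = datetime.strptime(record["Updated Date"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    today = date.fromisoformat(today_iso)
    return (today - updated).days > max_age_days


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    exposure = contact_exposure(rec)
    print(exposure)
    print("address format visible:", email_format(exposure["emails"]))
    print("record stale on 2011-04-01:", is_stale(rec, "2011-04-01"))
```

A registrant can run this against its own record after each renewal: every populated field is information the organization has chosen to publish, and a stale update date is the signal the text says suggests lax maintenance.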
2.2.4 DOMAIN NAME SYSTEM

The last technique is the Domain Name System. The DNS is a system that translates internet domain and host names to internet protocol addresses. DNS automatically converts the names typed in a web browser address bar to the IP addresses of the web servers hosting those sites (Bradley Mitchell, 2011, About.com Guide). DNS implements a distributed database to store this name and address information for all public hosts on the Internet. DNS assumes IP addresses do not change: they are statically assigned rather than dynamically assigned. DNS is a component of the internet which is a hierarchical database distributed around the world; it stores a variety of information, such as IP addresses, domain names and mail server information. DNS servers, referred to as name servers, store this information and make up the hierarchy (Ron Aitchison, Pro DNS and BIND, Third Edition).

Table 2: The Domain Name Service Hierarchy
  Root DNS servers
  |-- com DNS servers
  |     `-- company.com DNS server
  |-- net DNS servers
  `-- org DNS servers
Source: Ron Aitchison, Pro DNS and BIND, Third Edition, page 123.

According to Elinor Mills, a security expert (August 21, 2008), a domain name attack starts with the attacker aiming to determine one or more DNS servers for the target organization, which are readily available in the registration records obtained from the registrar's WHOIS database. Using the DNS server information, an attacker can use tools such as nslookup to get DNS information. Through this tool an attacker can interrogate name servers by asking the DNS server to transmit all the information it has about all systems associated with the given domain. Through DNS-based reconnaissance, an attacker can find extremely useful information such as machine names and associated IP addresses, the purpose of the machines and the operating system type. With this information, the machines can be scanned for vulnerabilities. DNS-based reconnaissance can be prevented by limiting the amount of DNS information about the infrastructure that is publicly available. This is because the general public on the Internet only needs to resolve names for a small fraction of the systems in your enterprise (such as external web, mail and FTP servers). A split DNS will allow you to separate the DNS records that you want the public to access from your internal names: implement an internal DNS server and an external DNS server, separated by a firewall. The external DNS server contains only DNS information about those hosts that are publicly accessible; the internal DNS server contains DNS information for all your internal systems (D. Eastlake 3rd, CyberCash; C. Kaufman, Iris; January 1997).
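The split DNS arrangement just described, modelled in Python as an added example (written for this edit; it is not the project's code and not a BIND configuration). The model keeps two views of one zone, the small external view the public needs and the full internal view, chooses the view by the querying client's source address as a firewall-separated pair of servers would, and answers a whole-zone dump request from the Internet with the external view only, so none of the internal machine names that the text says an attacker looks for are exposed. The zone name, host names, addresses and the 10.0.0.0/8 internal range are constructed for the example.

```python
"""Split DNS modelled in Python.

Added example, not the project's code. Zone, hosts, addresses and the internal
network range are constructed for the illustration.
"""
import ipaddress

# Assumption for the example: the organization's internal network is 10.0.0.0/8.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# External view: only the hosts the public needs to reach (web, mail, FTP).
EXTERNAL_VIEW = {
    "www.company.example": [("A", "203.0.113.10")],
    "mail.company.example": [("A", "203.0.113.20")],
    "ftp.company.example": [("A", "203.0.113.30")],
    "company.example": [("MX", "10 mail.company.example")],
}

# Internal view: the public names (some with internal addresses) plus every internal system.
INTERNAL_VIEW = dict(EXTERNAL_VIEW)
INTERNAL_VIEW.update({
    "www.company.example": [("A", "10.1.1.10")],       # same name, internal address
    "db-oracle.company.example": [("A", "10.1.2.5")],  # names like these reveal purpose and platform
    "fw-internal.company.example": [("A", "10.1.0.1")],
    "hr-win2k.company.example": [("A", "10.1.3.7")],
})


def select_view(client_ip):
    """Pick the view by client source address; internal clients reach the internal server."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "internal", INTERNAL_VIEW
    return "external", EXTERNAL_VIEW


def resolve(name, client_ip):
    """Answer a query for `name` from the view the client may see; None stands for NXDOMAIN."""
    _, view = select_view(client_ip)
    return view.get(name.lower().rstrip("."))


def zone_transfer(client_ip):
    """A whole-zone dump of everything this client may see, sorted by name."""
    _, view = select_view(client_ip)
    return sorted(view)


def internal_names_visible_from(client_ip):
    """Internal-only names answerable to this client; an empty list for Internet clients is the goal."""
    internal_only = set(INTERNAL_VIEW) - set(EXTERNAL_VIEW)
    return sorted(n for n in internal_only if resolve(n, client_ip) is not None)


if __name__ == "__main__":
    print(resolve("www.company.example", "198.51.100.7"))        # public address
    print(resolve("www.company.example", "10.1.5.5"))            # internal address
    print(resolve("db-oracle.company.example", "198.51.100.7"))  # None
    print(zone_transfer("198.51.100.7"))
    print(internal_names_visible_from("198.51.100.7"))
```

The check that matters operationally is the last function: after any change to the zones, confirm that the internal-only names resolve to nothing from an outside address. In a real deployment the same separation is achieved by two servers (or BIND views) and by restricting zone transfers to the secondary servers that need them.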
Table 3: A split DNS
  Internet
    External DNS         External System
  ----------------- Firewall -----------------
  Internal network
    Internal DNS         Internal System
Source: Ron Aitchison, Pro DNS and BIND, Third Edition, page 122.

2.3 CONCEPTUAL FRAMEWORK

Figure: Conceptual framework. Banking Information Systems, linked to: Areas affected by reconnaissance in banks; Ways in which reconnaissance is done in banks; Awareness of reconnaissance.

1.7 GAPS TO BE FILLED

This research aims to identify the ways in which reconnaissance occurs in the banking industry, the areas affected by reconnaissance attacks, and the awareness among the employees and customers of the bank. The banking industry/sector is vulnerable to reconnaissance attacks, which usually target weaknesses in the information system. In today's world most financial institutions have automated work processes and operations. Fraudsters/attackers take advantage of the weaknesses of these advancements, such as electronic banking, mobile banking, internet banking and the use of ATMs, to defraud banks and customers. They have adopted the latest reconnaissance technology to gain information. The findings of this research provide useful techniques in areas such as information system security policies, forensic investigations, and internal and external audit trails in the banking industry to prevent reconnaissance attacks.
CHAPTER 3 RESEARCH METHODOLOGY

3.1 INTRODUCTION
This chapter describes the methodology adopted in the survey. It explains the research design, the population and sample size, the sample design, the data collection instruments/tools, the data collection procedures, and the data presentation and analysis techniques used.

3.2 RESEARCH DESIGN
The survey will be conducted at the Co-operative Bank Kenyatta Avenue branch in Makupa, Mombasa. It involves the use of interviews, detailed questionnaires and observations of the information systems in order to collect data for the research. These will include both employees of the bank based at the Kenyatta Avenue branch and customers who operate accounts with the bank.

3.3 POPULATION AND SAMPLE SIZE
According to the operations manager, the branch has twenty-five employees. This is a reachable group and therefore the study interviews and questionnaires were carried out on all the employees. The branch has a total of 3,500 customers at the moment, although the number is growing; a sample of 60 customers using different products and services will be involved in this study, which is 2% of the entire population.

3.4 SAMPLING DESIGN
The bank has several branches across the country and therefore it would be cumbersome to conduct the research in all branches. However, most of the operations in the different branches are the same; therefore one branch, in this case Kenyatta Avenue, will provide an adequate sample. All staff of the branch will be involved. The bank has several products and services, for instance savings and current accounts, mobile banking, internet banking, personal and business loans, ATM services, and debit and credit card facilities. In sampling, the study will incorporate customers of various products and services so as to assess the extent to which information can be obtained about confidential details and the bank's information system, as follows:

  Category                               Number
  Staff                                    25
  Account customers                        10
  Mobile banking customers                 10
  Internet banking customers               10
  Personal and business loan customers     10
  ATM customers                            10
  Debit and credit card customers          10
  TOTAL                                    85

3.5 DATA COLLECTION INSTRUMENTS/TOOLS
This study will use both primary and secondary data collection tools. The main primary data collection tools to be used are questionnaires, interviews and observations. The main secondary data collection tools to be used are journals, articles from the IT security and forensic department, and internet articles.

3.6 DATA COLLECTION PROCEDURES
To collect data, simple questionnaires were prepared in advance. The questionnaires were then distributed to the staff and customers. I also found time to sit with various employees to interview them in order to obtain information that could not be captured by the questionnaires. The study also involves taking routine walks through the system, the work procedures, and the products and services in order to observe areas relevant to the study. Finally, I looked for bank articles and journals, some from the security department, to provide more information on the study.

3.7 DATA PRESENTATION AND ANALYSIS TECHNIQUES
The study will involve the use of SPSS statistical software for analysing data, and bar charts, tables and graphs for representation and analysis.
CHAPTER 4 DATA PRESENTATION AND ANALYSIS

4.1 Introduction
This chapter presents the analysis of the data collected from the questionnaires of both the staff and the customers of the bank. The data is presented and analyzed with the help of tables, graphs and charts.

Response rate: Seventy (70) questionnaires were distributed. Twenty-five were distributed to the staff of the Kenyatta Avenue Co-operative branch; all were answered and returned, and none was lost. On the other hand, 60 questionnaires were distributed to customers, among whom fifty-one answered and returned them, while seven were never returned.

Table 4.1 Staff response rate
  Responded         Frequency  Percentage
  Responded             25         100
  None responded         0           0
  Total                 25         100
Source: Research Data (2011)

Table 4.2 Customers' response rate
  Responded         Frequency  Percentage
  Responded             51          85
  None responded         9          15
  Total                 60         100
Source: Research Data (2011)

STAFF RESPONSES

4.2 Section
When the staff were asked to state which section they work in, they responded as shown in the table below:

Table 4.3 Which section do you work in?
                 Frequency  Percent  Valid Percent  Cumulative Percent
  management          3       12.0       12.0             12.0
  supervisor          4       16.0       16.0             28.0
  clerk              18       72.0       72.0            100.0
  Total              25      100.0      100.0
Source: Research Data (2011)

The study revealed that the majority of the staff at the Co-operative Kenyatta Avenue branch are clerks: 72% are clerks, 16% are supervisors, while 12% are in management.

4.3 Staff Gender
When the staff were asked to state their gender, they responded as shown in the table below:

Table 4.4 What is your gender?
             Frequency  Percent  Valid Percent  Cumulative Percent
  male           15       60.0       60.0             60.0
  female         10       40.0       40.0            100.0
  Total          25      100.0      100.0
Source: Research Data (2011)

The study showed that male staff outnumber female staff. Males are 60% while females are 40% of the branch population.

4.4 Staff Age category
When the staff were asked to give their age category in years, they responded as shown below:

Table 4.5 What is your age category?
              Frequency  Percent  Valid Percent  Cumulative Percent
  below 25         4       16.0       16.0             16.0
  25-35           18       72.0       72.0             88.0
  36-45            3       12.0       12.0            100.0
  Total           25      100.0      100.0
Source: Research Data (2011)

The study shows that most of the staff in the branch are between 25 and 35 years old. The staff below 25 years are 16%, those between 25 and 35 are 72%, and those between 36 and 45 are 12%.

4.5 Duration worked with the Bank (Staff)
When asked how long they had worked in the organization, in years, the staff responded as shown below:

Table 4.6 For how long have you been working in this organisation?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  less than one year       4       16.0       16.0             16.0
  between 1-2             11       44.0       44.0             60.0
  between 3-5              5       20.0       20.0             80.0
  between 6-10             3       12.0       12.0             92.0
  above 10                 2        8.0        8.0            100.0
  Total                   25      100.0      100.0
Source: Research Data (2011)

The study reveals that 44% of the staff had worked between 1-2 years, 20% between 3-5 years, 16% less than one year, 12% between 6-10 years and 8% above 10 years. This shows that the majority of the staff in the branch have less than 5 years in the bank.

4.6 Highest academic qualification (Staff)
When asked their highest academic qualification, the staff responded as shown below:

Table 4.7 What is your highest academic qualification?
                  Frequency  Percent  Valid Percent  Cumulative Percent
  diploma              3       12.0       12.0             12.0
  first degree        19       76.0       76.0             88.0
  post graduate        3       12.0       12.0            100.0
  Total               25      100.0      100.0
Source: Research Data (2011)

The study reveals that the majority of the staff are degree holders: first degree holders are 76%, post-graduates are 12% and diploma holders are 12%. This shows that most staff are highly educated.

4.7 Electronic banking (Staff)
When asked about the safeguarding of information in electronic banking, for example direct debits, the staff responded as shown below:

Table 4.8 Electronic banking, for example direct debits
                   Frequency  Percent  Valid Percent  Cumulative Percent
  agree                 22       88.0       88.0             88.0
  strongly agree         3       12.0       12.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 88%, agree that information in electronic banking is safeguarded, while 12% strongly agree. This shows effective information system security in e-banking.

4.8 Handling of cheques (Staff)
When asked about the safeguarding of information when handling cheques, the staff responded as shown below:

Table 4.9 Handling of cheques
                   Frequency  Percent  Valid Percent  Cumulative Percent
  agree                 22       88.0       88.0             88.0
  strongly agree         3       12.0       12.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)
Figure: Handling of cheques (bar chart of percent by response: agree, strongly agree). Source: Research Data (2011)

The study shows that the majority of the staff, 88%, agree that information is safeguarded in the handling of cheques, while 12% strongly agree. This shows effective information system security in cheque transactions.

4.9 Money transfer services, for example MoneyGram and SWIFT (Staff)
When asked about the safeguarding of information in money transfers, for example SWIFT and MoneyGram, the staff responded as shown below:
Table 4.10 Money transfer services, for example MoneyGram and SWIFT
                   Frequency  Percent  Valid Percent  Cumulative Percent
  agree                 19       76.0       76.0             76.0
  strongly agree         6       24.0       24.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 76%, agree that information in money transfer services is safeguarded, while 24% strongly agree. This shows that there is effective information system security in the money transfer services.

4.10 Loan applications: business and personal loans (Staff)
When asked about the safeguarding of information in loan applications for business and personal loans, the staff responded as shown below:

Table 4.11 Loan applications: business and personal loans
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain            8       32.0       32.0             32.0
  agree                 12       48.0       48.0             80.0
  strongly agree         5       20.0       20.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 48%, agree that information in loan applications is safeguarded, while 32% are not sure and 24% strongly agree. This shows that the information system security in loan applications is effective but has some uncertainty.

4.11 Staff use of credit cards
When asked about the safeguarding of information in the use of credit cards, the staff responded as shown below:
Table 4.12 Use of credit cards
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain           10       40.0       40.0             40.0
  agree                 11       44.0       44.0             84.0
  strongly agree         4       16.0       16.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 44%, agree that information in the use of credit cards is safeguarded, while 40% are not sure, which is also a high number, and 16% strongly agree. This shows that the information system security in the use of credit cards is effective but there is some element of doubt/uncertainty among other staff members.

4.12 Internet banking
When asked about the safeguarding of information in internet banking, the staff responded as shown below:

Table 4.13 Internet banking
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain            5       20.0       20.0             20.0
  agree                 14       56.0       56.0             76.0
  strongly agree         6       24.0       24.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)
Figure: Internet banking (bar chart of percent by response: not certain, agree, strongly agree). Source: Research Data (2011)

The study shows that the majority of the staff, 56%, agree that information in internet banking is safeguarded, 24% strongly agree and 20% are not sure. This shows that the information system security in internet banking is effective but there is some uncertainty.

4.13 Account transactions: deposits, withdrawals and enquiries
When asked about the safeguarding of information in account transactions (deposits, withdrawals and enquiries), the staff responded as shown below:

Table 4.14 Account transactions: deposits, withdrawals and enquiries
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain            1        4.0        4.0              4.0
  agree                 19       76.0       76.0             80.0
  strongly agree         5       20.0       20.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 76%, agree that information in account transactions is safeguarded, 20% strongly agree and 4% are not sure. This shows that information system security in account transactions is effective but there is some uncertainty.

4.14 Use of the ATM and debit cards
When asked about the safeguarding of information in the use of the ATM and debit cards, the staff responded as shown below:

Table 4.15 Use of the ATM and debit cards
                      Frequency  Percent  Valid Percent  Cumulative Percent
  strongly disagree        1        4.0        4.0              4.0
  disagree                 2        8.0        8.0             12.0
  agree                   16       64.0       64.0             76.0
  strongly agree           6       24.0       24.0            100.0
  Total                   25      100.0      100.0
Source: Research Data (2011)
Figure: Use of the ATM and debit cards (bar chart of percent by response: strongly disagree, disagree, agree, strongly agree). Source: Research Data (2011)

The study shows that the majority of the staff, 64%, agree that information in the use of the ATM and debit cards is safeguarded, 24% strongly agree, 8% disagree and 4% strongly disagree. This shows that although information system security is effective in the use of the ATM and debit cards, there are some vulnerabilities.

4.15 Mobile banking services
When asked about the safeguarding of information in mobile banking services, the staff responded as shown below:

Table 4.16 Mobile banking services
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain            2        8.0        8.0              8.0
  disagree               2        8.0        8.0             16.0
  agree                 17       68.0       68.0             84.0
  strongly agree         4       16.0       16.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

Figure: Mobile banking services (bar chart of percent by response: not certain, disagree, agree, strongly agree). Source: Research Data (2011)

The study shows that the majority of the staff, 68%, agree that information in mobile banking is safeguarded, 16% strongly agree, 8% disagree and 8% are not certain. This shows that although information system security is effective in mobile banking, there are some vulnerabilities and threats to this service.

4.16 Aspects of social engineering
When asked which aspects of social engineering they had encountered, the staff responded as follows:

Table 4.17 Which of the following aspects of social engineering have you encountered?
                                                    Frequency  Percent  Valid Percent  Cumulative Percent
  a colleague/a new employee calling the help desk      13       52.0       52.0             52.0
  a system admin calls to fix your account               5       20.0       20.0             72.0
  an employee has lost his contact info and calls        7       28.0       28.0            100.0
  Total                                                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 52% of the respondents, had a colleague/new employee calling from a helpdesk; 28% had an employee who had lost his contact info calling, and 20% had a system administrator calling to fix his account. This study reveals evidence of social engineering aspects in the information system, a technique that can be used to carry out reconnaissance attacks.
Figure: Which of the following aspects of social engineering have you encountered? (bar chart of percent by response: a colleague/a new employee calling the help desk, a system admin calls to fix your account, an employee has lost his contact info and calls). Source: Research Data (2011)

4.17 Physical break-ins
When asked which experiences they had encountered in terms of physical break-ins/access to the computer, the staff responded as follows:
Table 4.18 Which of the following experiences have you encountered in terms of physical break-ins/access to the computer?
                                 Frequency  Percent  Valid Percent  Cumulative Percent
  corrupted files and documents       7       28.0       28.0             28.0
  accessed files                      5       20.0       20.0             48.0
  unavailable password/user           2        8.0        8.0             56.0
  none of the above                  11       44.0       44.0            100.0
  Total                              25      100.0      100.0
Source: Research Data (2011)

Figure: Which of the following experiences have you encountered in terms of physical break-ins/access to the computer? (bar chart of percent by response: corrupted files and documents, accessed files, unavailable password/user, none of the above). Source: Research Data (2011)
The study shows that the majority of the staff, 44%, had not experienced any physical break-ins; however, 28% of the respondents had their files corrupted, 20% had their files accessed and 8% had an unavailable password/user. This study reveals evidence of some aspects of physical break-ins in the information system, a technique that can be used to carry out reconnaissance attacks.

4.18 Leaving the work station
When asked what they do when leaving the work station/computer, the staff responded as shown below:

Table 4.19 What do you do when leaving your work station/computer?
                              Frequency  Percent  Valid Percent  Cumulative Percent
  minimise files                   7       28.0       28.0             28.0
  close files                     10       40.0       40.0             68.0
  lock/turn off the computer       7       28.0       28.0             96.0
  not sure                         1        4.0        4.0            100.0
  Total                           25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 40%, close the files on their computers when leaving the work station; 28% of the respondents minimize their files and 28% lock/turn off the computer, while 4% are not sure. Thus the study reveals that most staff do not lock/turn off their computers when leaving.
4.19 Disposal
When asked how they dispose of customers' waste papers/materials such as bills, bank statements, ATM receipts and credit card offers, the staff responded as shown below:

Table 4.20 How do you dispose of customers' waste papers/materials such as bills, bank statements, ATM receipts and credit card offers?
                      Frequency  Percent  Valid Percent  Cumulative Percent
  throw in the waste      18       72.0       72.0             72.0
  fold and dispose         2        8.0        8.0             80.0
  shred                    3       12.0       12.0             92.0
  file                     2        8.0        8.0            100.0
  Total                   25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 72%, throw customers' waste material away; only 12% of the respondents shred the customer waste details, 8% file and 8% fold when disposing. Thus the study reveals that most staff do not shred customer trash, and dumpster diving, a reconnaissance technique, can be adopted.

4.20 Forms of enquiries
When asked what forms of enquiries they had used to disclose customer information in addition to actual customer visits, the staff responded as shown below:
Table 4.21 What forms of enquiries have you used to disclose customer information in addition to the actual customer visit?
                                                     Frequency  Percent  Valid Percent  Cumulative Percent
  a close and trusted third party (relative/friend)       4       16.0       16.0             16.0
  telephone                                              16       64.0       64.0             80.0
  none of the above                                       5       20.0       20.0            100.0
  Total                                                  25      100.0      100.0
Source: Research Data (2011)

Figure: What forms of enquiries have you used to disclose customer information in addition to the actual customer visit? (bar chart of percent by response: a close and trusted third party (relative/friend), telephone, none of the above). Source: Research Data (2011)
The study shows that the majority of the staff, 64%, disclose customer details on the telephone; 20% of the respondents do not provide information to anyone other than the actual customer, and 16% disclose to close people and trusted third parties. Thus the study reveals that some staff disclose customer information to people other than the actual customer.

4.21 Sharing User Details
When asked with whom they had shared their details such as user names and passwords, the staff responded as shown below:

Table 4.22 With whom have you shared customer details such as user names, passwords and account numbers?
                 Frequency  Percent  Valid Percent  Cumulative Percent
  a colleague         3       12.0       12.0             12.0
  never shared       22       88.0       88.0            100.0
  Total              25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 88%, have never shared their user details, while 12% of the respondents have shared them with a colleague. Thus the study reveals that although most staff have never shared, others have provided their user details to colleagues.

4.23 Organization's website
When asked what useful information they had ever obtained from the organization's website, the staff responded as shown below:

Table 4.24 What useful information have you ever obtained from the organisation's website? Please tick as many as possible.
                                                                Frequency  Percent  Valid Percent  Cumulative Percent
  employees' contact information (phone numbers and e-mail info)     3       12.0       12.0             12.0
  products/services information                                      8       32.0       32.0             44.0
  best employee info                                                 3       12.0       12.0             56.0
  recent mergers                                                     5       20.0       20.0             76.0
  work locations                                                     3       12.0       12.0             88.0
  business partners                                                  3       12.0       12.0            100.0
  Total                                                             25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff can obtain a variety of information from the organization's website. The organization's website contains 32% information on products and services, 20% information on recent mergers, and 12% information each on employees, best employees, work locations and business partners.

4.24 Disposal of customer details
When asked about the proper disposal of customer details, the staff responded as shown below:

Table 4.25 Proper disposal of customer details
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain            1        4.0        4.0              4.0
  disagree               1        4.0        4.0              8.0
  agree                 19       76.0       76.0             84.0
  strongly agree         3       12.0       12.0             96.0
  6.00                   1        4.0        4.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

Figure: Proper disposal of customer details (bar chart of percent by response: not certain, disagree, agree, strongly agree, 6.00). Source: Research Data (2011)

The study shows that the majority of the staff, 76%, agree with the proper disposal of customer details; however, "not certain" and "disagree" are 4% each, while "strongly agree" is 12%. Thus the study shows that customer details are well disposed of.

4.25 Level of confidentiality of customer details
When asked about the level of confidentiality of customer bank details, the staff responded as shown below:
Table 4.26 Level of confidentiality of customer details
                      Frequency  Percent  Valid Percent  Cumulative Percent
  strongly disagree        1        4.0        4.0              4.0
  agree                   22       88.0       88.0             92.0
  strongly agree           2        8.0        8.0            100.0
  Total                   25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 88%, agree on the high level of confidentiality; 8% strongly agree and 4% strongly disagree. Therefore the study shows that customer details are usually kept confidential.

4.26 Entrusting third parties with customer details
When asked about entrusting third parties with customers' bank details, the staff responded as shown below:

Table 4.27 Entrusting third party with customer details
                      Frequency  Percent  Valid Percent  Cumulative Percent
  strongly disagree        1        4.0        4.0              4.0
  disagree                 2        8.0        8.0             12.0
  agree                   18       72.0       72.0             84.0
  strongly agree           4       16.0       16.0            100.0
  Total                   25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 72%, agree on not entrusting customer details to third parties; 16% strongly agree, 8% disagree and 4% strongly disagree. Therefore the study shows that customer details are not to be entrusted to third parties, although some employees breach this.

Figure: Entrusting third party with customer details (bar chart of percent by response: strongly disagree, disagree, agree, strongly agree). Source: Research Data (2011)

4.27 Provision of customer details on telephone
When asked about the provision of customer details on the telephone, the staff responded as shown below:

Table 4.28 Provision of customer details on telephone
                   Frequency  Percent  Valid Percent  Cumulative Percent
  disagree               3       12.0       12.0             12.0
  agree                 18       72.0       72.0             84.0
  strongly agree         4       16.0       16.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 72%, agree that they do not provide customer details on the phone; 16% strongly agree and 12% disagree. Therefore the study shows that customer details are not to be provided on the telephone, although some staff breach this.

4.28 Use of the internet (WWW) in providing customer information
When asked about the use of the internet (WWW) in providing/obtaining information, the staff responded as shown below:

Table 4.29 Use of the internet (WWW) in providing customer information
                   Frequency  Percent  Valid Percent  Cumulative Percent
  not certain            1        4.0        4.0              4.0
  agree                 20       80.0       80.0             84.0
  strongly agree         4       16.0       16.0            100.0
  Total                 25      100.0      100.0
Source: Research Data (2011)

The study shows that the majority of the staff, 80%, agree that they do not provide customer details on the internet; 16% strongly agree and 4% disagree. Therefore the study shows that customer details are not to be provided over the internet, although a small part of the staff breach this.
Figure: bar chart of "Use of the internet www in providing customer information" (Percent)
Source: Research Data (2011)

4.29 Procedures implemented to ensure physical security of systems/networks
When asked about the procedures implemented to ensure physical security of the system and network, the staff responded as shown below:

Table 4.30 Procedures implemented to ensure physical security of systems/networks
Response             Frequency   Percent   Valid Percent   Cumulative Percent
agree                       22      88.0            88.0                 88.0
strongly agree               3      12.0            12.0                100.0
Total                       25     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the staff agree that the procedures implemented to ensure physical security are effective, that is 88%, and 12% strongly agree. Therefore the study shows that the bank has safe physical security devices and procedures.

Figure: bar chart of "procedures implemented to ensure physical security of systems/networks" (Percent)
Source: Research Data (2011)

4.30 Training
When asked how often training on information system protection is done, the staff responded as shown below:

Table 4.31 How often is information systems protection training done?
Response             Frequency   Percent   Valid Percent   Cumulative Percent
quarterly                   25     100.0           100.0                100.0
Source: Research Data (2011)

The study shows that all staff agreed that training on information system security is done quarterly.

Customers' responses

4.31 Gender (Customers)
When asked about their gender, customers responded as follows:

Table 4.32 What is your gender?
Response             Frequency   Percent   Valid Percent   Cumulative Percent
male                        33      64.7            64.7                 64.7
female                      18      35.3            35.3                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study showed that male customers outnumber female customers: males are 64.7% while females are 35.3% of branch customers.
Figure: bar chart of "What is your gender?" (Frequency)
Source: Research Data (2011)

4.32 Age category (in years), customers
When asked about their age category (in years), customers responded as follows:

Table 4.33 What is your age category in years?
Response             Frequency   Percent   Valid Percent   Cumulative Percent
below 25                     7      13.7            13.7                 13.7
26-35                       23      45.1            45.1                 58.8
36-45                       16      31.4            31.4                 90.2
46-55                        2       3.9             3.9                 94.1
above 55                     3       5.9             5.9                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that most of the customers are between 26 and 35 years old. The customers below 25 years are 13.7%, between 26-35 years 45.1%, between 36-45 years 31.4%, between 46-55 years 3.9% and above 55 years 5.9%.
4.33 Number of years customers had been with the bank
When asked the number of years they had been with the bank, customers responded as follows:

Table 4.34 How many years have you been a customer with this bank?
Response             Frequency   Percent   Valid Percent   Cumulative Percent
below 1                      3       5.9             5.9                  5.9
1-3                         13      25.5            25.5                 31.4
3-5                         20      39.2            39.2                 70.6
5-8                          5       9.8             9.8                 80.4
above 8                     10      19.6            19.6                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study reveals that 39.2% of the customers had been with the bank between 3-5 years, 25.5% between 1-3 years, 19.6% above 8 years, 9.8% between 5-8 years and 5.9% below one year. This shows that the majority of the customers have been with the bank for less than 5 years.
Figure: bar chart of "How many years have you been a customer with this bank?" (Frequency)
Source: Research Data (2011)

4.34 Electronic banking
When asked about the safeguarding of information in electronic banking, for example direct debit instructions, customers responded as follows:

Table 4.35 Electronic banking, for example direct debits
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                  5       9.8             9.8                  9.8
strongly disagree            1       2.0             2.0                 11.8
disagree                     1       2.0             2.0                 13.7
agree                       43      84.3            84.3                 98.0
strongly agree               1       2.0             2.0                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in electronic banking, that is 84.3%, while 2% each strongly agree, disagree and strongly disagree, and 9.8% are uncertain. This shows an effective information system security in e-banking.
4.35 Handling of cheques
When asked about the safeguarding of information in the handling of cheques, the customers responded as follows:

Table 4.36 Handling of cheques
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 16      31.4            31.4                 31.4
agree                       34      66.7            66.7                 98.0
strongly agree               1       2.0             2.0                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

Figure: bar chart of "Handling of cheques" (Frequency)
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in the handling of cheques, that is 66.67%; 31.4% are not certain while 2% strongly agree. This shows effective information system security in cheque transactions.
4.36 Money transfer services
When asked about the safeguarding of information in money transfers, for example MoneyGram and SWIFT, the customers responded as follows:

Table 4.37 Money transfer services, for example money gram and swift
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 10      19.6            19.6                 19.6
agree                       41      80.4            80.4                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in money transfer services, that is 80.4%, while 19.6% are not certain. This shows that there is effective information system security in money transfer services, although some customers are not aware of it.

4.37 Loan applications
When asked about the safeguarding of information in loan applications (business and personal loans), the customers responded as follows:

Table 4.38 Loan applications: business and personal loans
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 27      52.9            52.9                 52.9
agree                       24      47.1            47.1                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)
Figure: bar chart of "loan applications business and personal loans" (Frequency)
Source: Research Data (2011)

The study shows that the majority of the customers are not sure about the safeguarding of information in loan applications, that is 52.9%, while 47.1% agree. This shows that the information system security in loan applications is effective, but customers are not certain of it.

4.38 Use of credit cards
When asked about the safeguarding of information in the use of credit cards, the customers responded as follows:

Table 4.39 Use of credit cards
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 29      56.9            56.9                 56.9
agree                       20      39.2            39.2                 96.1
strongly agree               2       3.9             3.9                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers are not certain about the safeguarding of information in the use of the ATM and debit cards, that is 56.9%; 39.2% agree that information systems are safeguarded and 3.9% strongly disagree. This shows that although information system security is effective in the use of the ATM and debit cards, there are some vulnerabilities.

4.39 Internet banking
When asked about the safeguarding of information in internet banking, customers responded as follows:

Table 4.40 Internet banking
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 27      52.9            52.9                 52.9
agree                       23      45.1            45.1                 98.0
strongly agree               1       2.0             2.0                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)
Figure: bar chart of "internet banking" (Frequency)
Source: Research Data (2011)

The study shows that the majority of the customers are not certain about the safeguarding of information in internet banking, that is 52.9%; 45.1% agree that information systems are safeguarded and 2% strongly agree. This shows that although information system security is effective in internet banking, there are some vulnerabilities.

4.40 Account transactions
When asked about the safeguarding of information in account transactions such as deposits, withdrawals and enquiries, customers responded as follows:

Table 4.41 Account transactions: deposits, withdrawals and enquiries
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 16      31.4            31.4                 31.4
agree                       33      64.7            64.7                 96.1
strongly agree               2       3.9             3.9                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in account transactions, that is 64.7%; 31.4% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that although information system security is effective in account transactions.

4.41 Use of the ATM and debit cards
When asked about the safeguarding of information in the use of the ATM and debit cards, the customers responded as follows:

Table 4.42 Use of the ATM and debit cards
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 12      23.5            23.5                 23.5
agree                       37      72.5            72.5                 96.1
strongly agree               2       3.9             3.9                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in the use of ATM and debit cards, that is 72.5%; 23.5% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that although information system security is effective in the use of ATM and debit cards.

4.42 Mobile banking services
When asked about the safeguarding of information in mobile banking services, customers responded as follows:

Table 4.43 Mobile banking services
Response             Frequency   Percent   Valid Percent   Cumulative Percent
not certain                  9      17.6            17.6                 17.6
agree                       42      82.4            82.4                100.0
Total                       51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers agree with the safeguarding of information in mobile banking, that is 82.4%, and 17.6% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that although information system security is effective in mobile banking, it is also vulnerable.
Figure: bar chart of "Mobile banking services" (Frequency)
Source: Research Data (2011)

4.43 Social engineering
When asked which aspect of social engineering they had encountered, customers responded as follows:

Table 4.44 Which of the following aspects of social engineering have you encountered?
Response                                                        Frequency   Percent   Valid Percent   Cumulative Percent
an employee / agent of the bank calling to ask about details           10      19.6            19.6                 19.6
a manager calling because he wants to update your account               4       7.8             7.8                 27.5
a bank representative calls to fix your account                        36      70.6            70.6                 98.0
none of the above                                                       1       2.0             2.0                100.0
Total                                                                  51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers had received a call from a bank representative to fix an account; this was 70.6% of the respondents. 19.6% of the customers had an employee / agent of the bank calling to ask about details, and 7.8% had a manager calling because he wanted to update their account. This study reveals evidence of social engineering aspects in the information system. This is a technique that can be used to carry out reconnaissance attacks.
Figure: bar chart of "Which of the following aspects of social engineering have you encountered?" (Frequency)
Source: Research Data (2011)

4.44 Disposal of customer details
When asked how they dispose of customer information such as bills, bank statements, ATM receipts and credit card offers, customers responded as follows:

Table 4.45 How do you dispose of your customer information such as bills, bank statements, ATMS?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
throw in the waste bin          43      84.3            84.3                 84.3
fold and dispose                 7      13.7            13.7                 98.0
burn/shred                       1       2.0             2.0                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers throw their waste material in bins (84.3%), 13.7% of the respondents fold and dispose of their wastes, while 2% fold when disposing. Thus the study reveals that most customers do not shred/burn customer trash, and therefore dumpster diving, a reconnaissance technique, can be adopted.

Figure: bar chart of "How do you dispose of your customer information such as bills, bank statements, ATMS?" (Frequency)
Source: Research Data (2011)

4.45 Sharing of customer details
When asked with whom they share their details, customers responded as follows:
Table 4.46 With whom do you share your customer details?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
relative                         2       3.9             3.9                  3.9
none                            12      23.5            23.5                 27.5
financial institutions          37      72.5            72.5                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers have shared their details with financial institutions (72.5%), while 23.5% of the respondent customers have never shared their information and 3.9% of customers have shared their customer details with their relatives. Thus the study reveals that some customers have shared their customer details, which is not allowed.

4.46 Keeping your customer documentation
When asked where they keep their customer documentation (ATM/debit cards, credit cards, national ID and bank statements), customers responded as follows:

Table 4.47 Where do you keep your customer documentation?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
home                            22      43.1            43.1                 43.1
in a safe at home                3       5.9             5.9                 49.0
wallet and purse                23      45.1            45.1                 94.1
office                           3       5.9             5.9                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers keep their customer documentation in their wallet/purse and at home, 45.1% and 43.1% respectively. Other customers keep their documents in a safe at home and in the office, both at 5.9%. Thus the study reveals that customers are usually careful with their documentation.

4.47 Privacy
When asked how private the storage place where they keep their documentation (ATM/debit cards, credit cards, national ID and bank statements) is, customers responded as follows:

Table 4.48 How private is the storage area where you keep your customer documentation?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
very private                     5       9.8             9.8                  9.8
private                         24      47.1            47.1                 56.9
not sure                        22      43.1            43.1                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers value privacy, although some are not sure of privacy, as follows: 47.1% of the customers consider their storage private, 43.1% are not sure and 9.8% consider their storage very private. Thus the study reveals that customers' information privacy varies.
Figure: bar chart of "How private is the storage area where you keep your customer documentation?" (Frequency)
Source: Research Data (2011)

4.48 Loss of ATM card
When asked whether they had ever lost their ATM cards, customers responded as follows:

Table 4.49 Have you ever lost your ATM card/customer details?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
no                               4       7.8             7.8                  7.8
yes                             47      92.2            92.2                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers, 92.2%, have lost their ATM cards, against 7.8% who have not. Thus the study reveals that customers' information privacy varies.
4.49 Action taken after the loss of the ATM card
When customers who had lost their ATM cards were asked what they did about it, they responded as follows:

Table 4.50 If yes, what did you do about it?
Response                              Frequency   Percent   Valid Percent   Cumulative Percent
Valid    nothing                              1       2.0             2.1                  2.1
         reported the case to the police      8      15.7            16.7                 18.8
         reported the case to the bank       39      76.5            81.3                100.0
         Total                               48      94.1           100.0
Missing  System                               3       5.9
Total                                        51     100.0
Source: Research Data (2011)

The study shows that the majority of the customers who had lost their ATM cards reported the case to the bank; this was 76.5%, 15.7% reported the case to the police and 2% did nothing. Thus the study reveals that most customers are aware of the right action to take, although not all.

4.50 Duration before reporting
When customers who had reported to the bank were asked how long they took to report the incident, they responded as follows:

Table 4.51 If you reported to the bank, how long did it take you to report the incident?
Response                              Frequency   Percent   Valid Percent   Cumulative Percent
Valid    immediately                          3       5.9             6.3                  6.3
         after a month                        2       3.9             4.2                 10.4
         after a few days                    15      29.4            31.3                 41.7
         never reported                       1       2.0             2.1                 43.8
         after a week                        27      52.9            56.3                100.0
         Total                               48      94.1           100.0
Missing  System                               3       5.9
Total                                        51     100.0
Source: Research Data (2011)

The study shows that the majority of the customers reported the incident after a week; this was 52.9% of the respondents, 29.4% of the respondents reported after a few days, 5.9% reported immediately, 3.9% after a month and 2% were not sure. Thus the study reveals that most customers, despite reporting the loss of the ATM card, do not do so immediately.

4.51 Documentation lost through physical break-ins
When asked what other documentation they had lost through physical break-ins, the customers responded as follows:

Table 4.52 What other customer documentation have you lost through physical break-ins?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
national ID                     33      64.7            64.7                 64.7
bank plate                      14      27.5            27.5                 92.2
bank statement                   3       5.9             5.9                 98.0
none                             1       2.0             2.0                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers reported losing several documents through physical break-ins, as follows: national ID 64.7%, bank plate 27.5%, bank statement 5.9%, none 2%. Thus the study reveals that most customers have lost several customer documents in addition to the ATM card.

Figure: bar chart of "What other customer documentation have you lost through physical break-ins?" (Frequency)
Source: Research Data (2011)

4.52 Organization's website
When asked what useful information can be obtained from the bank's website, the customers responded as follows:

Table 4.53 What useful information have you ever obtained from the bank's website?
Response                         Frequency   Percent   Valid Percent   Cumulative Percent
employee contact information             4       7.8             7.8                  7.8
products/services info                  26      51.0            51.0                 58.8
best employee information                2       3.9             3.9                 62.7
recent mergers                           4       7.8             7.8                 70.6
work location                            1       2.0             2.0                 72.5
business partners                       11      21.6            21.6                 94.1
others                                   3       5.9             5.9                100.0
Total                                   51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of customers obtain a variety of information from the organization's website. The organization's website contains 51% information on products and services, 21.6% information on business partners, 7.8% information on recent mergers, 3.9% information on employees and best employees, and 2% work locations. Thus the study reveals that plenty of information can be obtained from the organization's website.

4.53 Leaving receipts
When asked whether they leave receipts at ATMs, bank counters or unattended gasoline pumps, customers responded as follows:

Table 4.54 Do you leave receipts at ATM, bank counters or unattended gas pumps?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
yes                             51     100.0           100.0                100.0
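Tables 4.50 and 4.51 above report a Percent column (over all 51 customers) beside a Valid Percent column (over the 48 who answered), show the 3 non-answers as Missing System, and run the cumulative column over valid answers only. The Python block below is an added example, not part of the original study, that rebuilds such an SPSS-style frequency table from coded responses. The response list is constructed here to reproduce the counts in Table 4.50, and the half-up rounding it applies is an assumption, chosen because it is the rounding that reproduces the printed figures (for instance 81.3 for 39/48).

```python
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: the 51 customer answers behind Table 4.50, in the
# response order printed in the table. None marks a respondent who skipped
# the question and therefore appears under "Missing System".
TABLE_4_50_ORDER = [
    "nothing",
    "reported the case to the police",
    "reported the case to the bank",
]
TABLE_4_50_RESPONSES = (
    ["nothing"] * 1
    + ["reported the case to the police"] * 8
    + ["reported the case to the bank"] * 39
    + [None] * 3
)


def pct(numerator, denominator):
    """Percentage to one decimal, rounding halves up (assumed rounding rule;
    it is the one that yields 81.3 for 39/48 and 18.8 for 9/48)."""
    if denominator == 0:
        return 0.0
    value = Decimal(numerator) * 100 / Decimal(denominator)
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def frequency_table(responses, order):
    """Return the rows of an SPSS-style frequency table as dicts.

    Percent is taken over every respondent; Valid Percent and Cumulative
    Percent are taken over those who answered. When some respondents did
    not answer, a Missing (System) row and a grand Total row are appended.
    """
    valid = [r for r in responses if r is not None]
    counts = Counter(valid)
    n_total, n_valid = len(responses), len(valid)
    n_missing = n_total - n_valid
    unknown = set(counts) - set(order)
    if unknown:
        raise ValueError(f"responses not in category order: {sorted(unknown)}")
    rows, running = [], 0
    for label in order:
        n = counts.get(label, 0)
        running += n  # cumulative count over valid answers only
        rows.append({"label": label, "n": n,
                     "percent": pct(n, n_total),
                     "valid_percent": pct(n, n_valid),
                     "cumulative": pct(running, n_valid)})
    rows.append({"label": "Total", "n": n_valid,
                 "percent": pct(n_valid, n_total),
                 "valid_percent": pct(n_valid, n_valid),
                 "cumulative": None})
    if n_missing:
        rows.append({"label": "Missing (System)", "n": n_missing,
                     "percent": pct(n_missing, n_total),
                     "valid_percent": None, "cumulative": None})
        rows.append({"label": "Total", "n": n_total, "percent": 100.0,
                     "valid_percent": None, "cumulative": None})
    return rows


def render(rows):
    """Format rows in the plain-text table layout used in this chapter."""
    def cell(v):
        return "" if v is None else (f"{v:.1f}" if isinstance(v, float) else str(v))
    lines = [f"{'Response':<34}{'Frequency':>10}{'Percent':>9}"
             f"{'Valid Percent':>15}{'Cumulative Percent':>20}"]
    for r in rows:
        lines.append(f"{r['label']:<34}{cell(r['n']):>10}{cell(r['percent']):>9}"
                     f"{cell(r['valid_percent']):>15}{cell(r['cumulative']):>20}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(frequency_table(TABLE_4_50_RESPONSES, TABLE_4_50_ORDER)))
```

The same function reproduces the staff tables, which have no missing answers, in which case Percent and Valid Percent coincide and no Missing row is emitted.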
Figure: bar chart of "Do you leave receipts at ATM, bank counters or unattended gas pumps?" (Frequency)
Source: Research Data (2011)

The study shows that all customers leave their receipts at ATM points, bank counters or unattended gas pumps. Thus the study reveals that customers are not aware of the risk; customer information should not be left anywhere.

4.54 Records of customer details
When asked whether they record social security numbers or passwords on paper and store them in a wallet/purse, the customers responded as follows:

Table 4.55 Do you record your social security number/passwords on paper and store them in your wallet/purse?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
yes                             51     100.0           100.0                100.0
Source: Research Data (2011)

The study shows that the majority of the customers record their social security number/passwords on paper and store them in their wallet/purse.

Figure: bar chart of "Do you record your social security number/passwords on paper and store them in your wallet/purse?" (Frequency)
Source: Research Data (2011)

4.55 Disclosure of bank account details on websites
When asked whether they had ever disclosed bank account numbers, credit card numbers or any other personal financial details on websites or online service locations without having received a secured authentication key from the provider, customers responded as follows:

Table 4.56 Have you ever disclosed your bank account details on any website?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
yes                              1       2.0             2.0                  2.0
no                              50      98.0            98.0                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers do not disclose their bank account details on any website (98%), compared to 2% who do. The study reveals that most customers are aware of the implications of having their information on websites.

4.56 Sharing your financial details in internet forums
When asked whether they share financial details in internet forums/online sites, the customers responded as follows:

Table 4.57 Do you share your financial details in internet forums?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
yes                              3       5.9             5.9                  5.9
no                              48      94.1            94.1                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers do not share their financial details in internet forums (94.1%), compared to 5.9% who do. The study reveals that most customers are aware of the implications of having their information on websites.
Figure: bar chart of "Do you share your financial details in internet forums?" (Frequency)
Source: Research Data (2011)

4.57 Training/Education
When asked where they had been trained/educated on the importance of safeguarding personal information regarding bank details, the customers responded as follows:

Table: Where have you been trained/educated on the importance of safeguarding personal information regarding bank details?
Response                 Frequency   Percent   Valid Percent   Cumulative Percent
media                            3       5.9             5.9                  5.9
bank                            48      94.1            94.1                100.0
Total                           51     100.0           100.0
Source: Research Data (2011)

The study shows that the majority of the customers have been educated by the bank on the importance of safeguarding personal information (94.1%); others have been educated through the media (5.9%).
CHAPTER 5 SUMMARY OF THE MAJOR FINDINGS

STAFF RESPONSES

5.01 Section
The study revealed that the majority of the staff at the Co-operative Bank Kenyatta Avenue branch are clerks, that is 72%; 16% are supervisors while 12% are in management.

5.02 Duration worked with the Bank (Staff)
The study reveals that 44% of the staff had worked between 1-2 years, 20% between 3-5 years, 16% less than one year, 12% between 6-10 years and 8% above 10 years. This shows that the majority of the staff in the branch have less than 5 years in the bank.

5.03 Aspects of social engineering
The study shows that