As
most banks urge customers to shift to the virtual space, their ability
to create fortresses against cyber aggressors has come into the
spotlight. ET argues that banks' current defences against online fraud
are not unbreachable.
Two Indian payment processors,
ElectraCard and Enstage, were in the spotlight recently for their
alleged role in a $45-million credit card fraud impacting Indian and
international banks.
* In the last week of May,
phishers embezzled over Rs 5 lakh from the Andhra Pradesh State Road
Transport Corporation's bank accounts through refunds after booking over
100 fake tickets and cancelling them.
* Last
month, cyber criminals hacked into an RPG group company's bank account
and siphoned off Rs 2.4 crore through the real time gross settlement
system (RTGS).
* "The total amount involved in
frauds relating to credit card, debit card and internet banking rose 74%
to Rs 38.4 crore in 2012." - IT minister to Rajya Sabha
These
are a few cases of online fraud that came to light recently. With
electronic banking on the rise, lenders have become vulnerable to the
risks of such transactions, even as regulations are becoming more
stringent as far as know your customer (KYC) rules are concerned.
Internet
banking still does not account for a significant portion of total
transactions in India. In FY13, Rs 31.8 lakh crore was settled via 69.4
crore transactions through various retail electronic banking channels
while Rs 18.6 lakh crore was settled through 64 crore card-related
transactions, according to Reserve Bank of India's data. In addition, Rs
1,026 lakh crore was settled through 6.85 crore transactions via
the real time gross settlement system, or RTGS, involving both retail
and interbank transactions. The young generation is increasingly opting
for net transactions to settle bills and all kinds of bank-related work
from cash transfer and seeking cheque books to passwords for debit
cards. Moreover, with banks — including public sector ones — urging
customers to opt for net banking, the ability to shield customers from
cyber threats will be crucial to gaining their confidence.
From
just a few stray cases of identity thefts a few years ago, internet
frauds have not only risen in scale but also gone high tech, so much so
that it has become difficult to identify the origin of the crime and
nail the culprit(s). Cyber heists are an issue that not just Indian banks
face. Cyber attacks ranked fourth among top global risks, in
terms of likelihood, according to the 'World Economic Forum Report:
Global Risks 2012'.
When internet banking was
introduced in the country, it was felt that having a password-protected
account was adequate to ensure safety, but not any more. The cyberthreat
landscape has changed. Five to seven years ago, most frauds were
related to identity thefts, the techniques adopted by fraudsters were
easy to trace and these did not involve big money either.
But
over the years, online heist has become an organised crime. Hackers are
spread across the globe, from Africa to Russia and China, and each one
has his or her own technique. The attacks involve compromising a bank's
database with system-level implications. Apart from the internet, mobile
transactions, which are finding favour among customers, could also be
hit. Globally, targeted attacks rose 42% in 2012. India is ranked third
globally in terms of vulnerability, accounting for 6.5% of the total
targeted attacks in 2012, according to California-based Symantec's
Internet Security Threat Report, 2013.
"Top
emerging information security threats in the internet banking space are
malware, social engineering, distributed-denial-of-service (DDoS) and
phishing attacks," says Nitin Bhatnagar, head of business development
at SISA, an information security services provider.
Awareness, education key
From
a customer perspective, awareness and education are the keys, which
banks are taking seriously, as mandated by the RBI, through their
websites and mails to clients. Banks are also investing in adding more
security features to customers' accounts. One of the features that banks
added recently is the 'digitised signature'.
Most
frauds occur when customers show laxity in complying with security.
Information for attack can also be gathered from a bank's staff.
Awareness can act as a crucial fortress against cyber aggressors. KVS
Manian, head of consumer banking at Kotak Mahindra Bank, says, "RBI has
detailed guidelines on banks' IT policy which stipulates a
board-approved policy, among other things. Customer education apart, we
have to keep investing in upgrading systems as well."
Banks
have started integrating their fraud management and internet-security
systems. "Also, banks are getting more stringent with outsourcing. The
security standards that banks adopt are also used by their business
partners," says Surinder Singh, regional director, India & SAARC,
Websense, a security solutions provider. This would ensure that
information does not leak through clients' data.
In
February, replying to questions in Parliament, minister of state for
finance Namo Narain Meena said 8,322 cases of fraud related to cards
and internet banking were reported in 2012, involving Rs 52.7 crore.
Given the value of frauds reported, these have not yet had any
balance-sheet implications. But, there could be other implications "in
terms of law suits, customer confidence and damage to reputation built
over years," says Bhatnagar.
The affected
customers may sever their relationship with banks, which in turn could
impact their business adversely. "Cyber security is not just an IT
issue, but a core business issue requiring top management attention. In
addition to updating technology and mitigating cyberfraud risks, banks
must continue to educate their customers on such emerging threats," says
Darshan Patel, executive director, forensic services, PwC India.
Internet
security experts say that one of the problems is that Indian banks do
not report fraud, in contrast to many advanced economies where there is a
legal mandate to do so. "Unfortunately, there is no legislation to make
frauds public. In India, banks are not legally mandated to put frauds
in the public domain," says Singh. Only 21% of victims reported
cybercrime to the police, according to a KPMG report of May 2012.