Financial Daily from THE HINDU group of publications, Monday, Jul 11, 2005
eWorld

Security Columns - IT Works

Safety at every step

D. Murali
INFORMATION security is something that is better experienced than explained, said V. Leeladhar, Deputy Governor of the Reserve Bank of India, at the Banking Security Conference - 2005, when talking about 'challenges in banking security'. All of us have, at some point of time, experienced the flow of information to persons other than the intended users, even in a non-electronic, traditional environment, he said; and with networking and access to information now available on a scale far larger than before, information security is an activity that provides some comfort to both the policy makers and the users of data.

Though textbook-like, Leeladhar laid emphasis on essential features such as: "Authentication (to verify the identity of the sender of the message to the intended recipient to prevent spoofing or impersonation), authorisation (to control the access to specific resources for unauthorised persons), confidentiality (to maintain the secrecy of the content of transmission between the authorised parties), integrity (to ensure that no changes/errors are introduced in the messages during transmission) and nonrepudiation (to ensure that an entity cannot later deny the origin and receipt and contents of the communication)."

Normally, bankers are cagey about bad news; yet an interesting case that the Deputy Guv narrated was of a co-operative bank: "The entire operations, maintenance and management of the computer systems were totally in the hands of the firm which supplied the computer software and this led to a fraud and loss for the bank." Leeladhar spoke about the 'imperative need' to imbibe a culture of security among all operative functionaries, cutting across administrative grades.
"Access to databases in computer systems and to the data contained therein has to be strictly restricted and not available to any but those authorised to make any changes in case of an eventuality for resolving a software lock/malfunction which is a conscious decision by the authorised personnel taken in conjunction with the head of the office concerned," he said.

Well, the topic of security has always been hot with bankers, more so after the recent CardSystems incident. In a story datelined June 30, www.banktech.com reports on a class-action suit filed in California against CardSystems, Visa and MasterCard "seeking a declaration that CardSystems violated due standards of care in its data-security methods and that the card companies failed to provide timely notice of the nature and extent to which credit-card data was compromised". The full text of the complaint about "the compromise of the privacy of private information of approximately 40 million consumer credit card account holders" is downloadable from www.techfirm.com, and it alleges that CardSystems failed on many counts, in not properly:

- installing, implementing, and maintaining a firewall to protect consumer data;
- analysing and restricting IP addresses to and from its computer systems;
- performing dynamic packet filtering;
- restricting access to its computers;
- protecting stored data;
- encrypting cardholder data and other sensitive information;
- implementing and updating adequate anti-virus and anti-spyware software;
- tracking and monitoring all access to network resources and cardholder data;
- testing security systems and processes, or maintaining an adequate policy that addresses information security, or running vulnerability scans.

Rebutting CardSystems's statement that it did not discover the security breach until May 22, the complaint mentions that MasterCard had publicly disclosed in April 2005 that it had detected multiple instances of fraud traceable back to CardSystems.
More serious is the charge that the company "was notified by other entities on or around the fourth quarter of 2004 that such consumer data was exposed and/or compromised". While there may be continuing interest in the 'other entities', the absence of prompt action in the culture of the company, and the point of 'indifference' in bank security, a disturbing report on www.pcmag.com speaks of CardSystems admitting to having improperly stored customer data on its network for undefined "research purposes".

It is heartening, therefore, that our central bank pays attention to bank security, as is evident in Leeladhar's speech, though one may be happier with a little more force given to the theme. There is also another of his speeches, available on www.rbi.org.in, where you find him highlighting 'the paradigm shift in the concept of security' when addressing the IT@BFSI-200 Conclave on June 9. With the delivery channels for funds-based services, such as the movement of funds electronically between different accounts of customers, now running on technology, the requirements relating to security also need to undergo metamorphosis at a rapid pace, said Leeladhar, mentioning phrases such as digital signatures, certification and secure storage.

"It will be a matter of satisfaction to note that the INFINET (Indian Financial Network) is a safe, secure and efficient communications network for the exclusive use of the banking sector, which provides for inter-bank communication," he adds, and that is both heavily reassuring and disturbingly smug. One learns that "the key advantage of the INFINET is its own security framework in the form of the Public key Infrastructure - PKI, which is in conformity to the provisions of the Information Technology Act, 2000." Not many may be aware that IDRBT, the Institute for Development and Research in Banking Technology, an autonomous centre set up by the RBI in 1996, owns the INFINET, as http://idrbtca.org.in informs.
The link http://infinet.org.in that it provides doesn't open, perhaps knowing that I'm not clicking from a bank! However, if interested, you may pursue the PKI lead and find many Google strikes speaking of 'problems' or 'failures'. For instance, www.computerworld.com.au carries a report dated June 8 on ePassport, Australia's new system that will allow a person's passport photo to be used to create a "detailed electronic portrait of their face", where Julian Bajkowski cites a view that large-scale PKI rollouts have 'largely failed'.

Let me wrap up with 'A BIT of Tomorrow', a speech by another RBI Deputy Guv, K.J. Udeshi. The abbreviation, for the curious, is not binary digit but 'banking and information technology'. Udeshi categorically states, "Security is the top most concern of a banker, IT security is all the more important". She recognises two components of the risk: security inadequacies and indifferent attitudes towards security issues. For the first, the RBI has issued guidelines on issues such as Internet banking, IS Audit, Business Continuity Plan and so on. As for the second, the one about attitudes, Udeshi rightly identifies it as an HR challenge; "not one which can be addressed so easily but is one which is the core challenge". A nagging worry, that is, about 'indifference' in staff culture that can make all the difference between a secure transaction and a cracked one.

Picture by K.R. Deepak