Business Daily from THE HINDU group of publications, Monday, Sep 11, 2006
eWorld
Security
Money & Banking - Software
Take security into account
C. Shivkumar
India's financial infrastructure has been transformed over the last 10 years and become technology-driven. Public and private sector banks have completely networked their operations, or are in the process of doing so, over the last three years. This electronic networking was intended to improve the speed of transactions and customer services. Both these have improved substantially.

But this has also made India's banking networks vulnerable to savaging by cyber criminals and terrorists, says J. Prasanna, Cyber Society of India joint secretary and director, and IT security auditor.

Just how would a terrorist/cyber criminal strike impact the banking network? ATMs could stop functioning. A devastating attack could lead to network failures or shutdowns, paralysing transactions, wreaking havoc on the banking system and imposing unimaginable financial costs on the country's economy. Prasanna says, "This is not a doomsday scenario. These are all possibilities that could descend from the virtual to the real world." Such events could be triggered by not just terrorists or criminals, but also by foreign nations unfriendly to India. Are banks really prepared for such events?
Safety measures
Corporation Bank's Chairman and Managing Director, B Sambamurthy, admits, "It is a dicey situation." Sambamurthy has overseen the technological transition in three of the large public sector banks that include the Syndicate Bank and the Indian Bank. "We have taken precautions," he says. Safety measures in place include firewalls and isolation of banking networks. The networks are not linked to the Internet directly.

Yet even these measures are not fail-safe mechanisms. There could be breaches. The reason is that there are stand-alone personal computers that link up to the Internet, which have floppy/disc drives. In addition, the machines have USB ports accessible with pen/flash drives. The discs or pen drives often shuttle between the bank's own network and the Internet for uploading/downloading data or software updates. Parking a dormant bug in these bits of data is a mug's game for cyber criminals/terrorists. Events in the US and the rest of the Western world in the past have proved that no networks are safe. The bugs could be activated from places as remote as Ouagadougou, Burkina Faso in Africa.

In fact, a study by the US-based Computer Technology Association in April this year has said, "The primary cause of security breaches, human error, is not being adequately addressed. The person behind the PC continues to be the primary area where weaknesses are exposed." The study has said that at least 60 per cent of information security breaches occurred due to human error. This is a view that is also endorsed by ISO 270001 auditor, Sivaram Sivasubramaniam. "Technology, per se, is not necessarily the problem. It is the processes that create breaches," he says. "The choice of technologies is not necessarily appropriate. They are more driven by peer pressures," he says.
Attack through hardware
A security breach through bugging of hardware is also a possibility. This is because equipment procurement is done almost entirely from international vendors through a competitive bidding process. Bids are usually awarded to the lowest bidder. When IBM secured orders from PSBs, it was through bid processes. But John M Lutz, General Manager, Global Financial Services, IBM, declines to say where the hardware was sourced. "We have been able to meet all the conditions and have won the bids despite the intense competition," he says.

Transnational companies such as IBM and Sun Microsystems have plants worldwide. Accordingly, they have the option to source the hardware from any of their plants worldwide, consistent with cost considerations. Among the preferred locations for servicing East and South Asia are plants located in China's Shenzhen province. IBM, for instance, already has an 80:20 joint venture, called the International Information Products (Shenzhen) Co Ltd, with the Great Wall Computer Company Ltd for making servers for the Asia-Pacific region. Great Wall Computer is a subsidiary of Great Wall Industry Corporation that in turn is partly owned by China Aerospace and Science Corporation, where the People's Liberation Army has interests. As a result, there is an element of security awareness despite vendors' cost-shaving mechanisms.
Testing for bugs
Bankers say any equipment procured is routinely tested for bugs by their respective IT safety inspectors. Sambamurthy says, "Nothing has happened to the banking sector in the past." That no attacks have taken place in the past is also because no terrorist/criminal has physically compromised the ATM network cable and left a virus/worm. What makes them vulnerable is that ATM network machines, once installed, are not patched regularly for the latest operating system/application vulnerabilities. (Patching is a process where bugs/deficiencies in the software are periodically corrected through patches sent by the vendor.)

Even if patched, unmanned ATM terminals could still be attacked, security experts say. This is because most banks currently use ATM protocols that are not encrypted. If the lines are tapped and a sniffer with a radio transmitter is installed, data could be purloined. Such losses could lead to redlined bank balance sheets.

Further, few banks do a complete review of the core banking software supplied by vendors. How many public sector banks do a complete code review for security vulnerabilities before the software is installed is not very clear. Companies who write core banking software, or banks, have only application coders with a bit of auditing knowledge. Recently a 'white hat hacker' found and fixed major cross-site scripting vulnerabilities in two large banks' Web sites.

Consequently, software/hardware is audited on an ongoing basis. The tests usually are done through ethical hacking. This hacking is done for checking penetration levels and enhancing security procedures accordingly. This enhancement involves constantly upgrading the firewalls and the antivirus programmes. Lutz says, "We also conduct these security drills periodically." But the distinction between ethical hacking and inimical hacking is tenuous. For instance, unfriendly countries actually sanction inimical hacking or sabotaging enemy nations' computer systems. This becomes an act of patriotism!!
Bugs in the hardware/software facilitate these potential acts of sabotage. Consequently, security drills by themselves fall far short of neutralising threats. Locating bugs is a very difficult process. It requires people capable of reverse engineering the hardware and software. There should be an organisation with enough reverse engineering talent to be able to find bugs. The Indian software industry is still driven by end-to-end solutions. Banking security still does not fall into that ambit.

Other countries have, however, moved forward to forestall potential threats. The US Army and large American institutions prefer to prescribe their own hardware and OS standards where source codes are known. India is yet to move in that direction. Few Indian banks have software in their systems that is Linux-compliant. Linux is free OS software with transparent source codes. In fact, there are few fall-back options, other than taking recourse to the central emergency response teams. Is the banking sector waiting for disaster to strike before migrating to those standards?
Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line