MD & CEO, eMudhra Consumer Services Ltd

Topic Outline
COMPONENTS OF E-COMMERCE
(diagram: stages Shopping / Usage, Payment, Fulfilment; Internet penetration %)
o Online Banking
o Catalogue browsing; Shopping Cart; Product Delivery
o Credit / Debit Cards; Other modes; Cash / COD
o Form filling; Form collection; Service completion; Service descriptions
SECURITY METHODOLOGY
o Confidentiality
o Authenticity
o Non-repudiation
o Integrity
o Availability
o Authorization
CONFIDENTIAL
www.emudhra.com
Source: Forrester

(pie chart: % of usage in eCommerce. Segments: Online Bank Transfers, Visa, Mastercard, Cash / COD, Others; values shown: 58%, 21%, 12%, 7%, 2%)
Source: Forrester
Technology in Banking
o 1950s: Traditional Banking, paper based
o 1980s: Computerization, Branch automation
o 1990s: Interbank connectivity, ATM, Core Banking, INFINIT, PKI
o 2000s: RTGS, Internet banking
o 2010: Mobile Banking
o 2013: Secured Banking (Enhances Trust, Liability protection, Security, TAT Reduction)
Electronic Banking-Challenges

Challenges
o Data confidentiality
o Authentication of end user: conventional User-Ids / Passwords or weaker authentication tools like OTPs and PINs are being used for Internet Banking transactions.
o Transaction data integrity: weak authentication tests the integrity of data and restricts online High Value Transactions.
o Non-repudiation and accountability
o Cyber frauds: phishing, virus infusion, MITM attacks, Trojans, etc. Vulnerable area: High Net-Worth Individuals' / Non-Resident Indians' accounts are being targeted by hackers.

Digital Signature
o 2 Factor Authentication (2FA) with Digital Signature Certificate based security solution established
o Physical authorization is not required
o User convenience
o Secure and legally valid under the Information Technology Act, 2000
o Secured online High Value Fund Transfer is possible
o Establishes the authenticity of the transacting user: the identity of individuals is verified by the Certifying Authorities licensed by the Controller of Certifying Authorities, Ministry of IT, Government of India.
Electronic Banking-Challenges

Challenges
o Rising insurance cost due to increasing fraud attacks
o Cost of legal discovery is huge with paper-based systems
o Online transaction liability lies with the bank

Digital Signature
o Ensures integrity and confidentiality of the transaction. Uses advanced encryption technology. Content is not altered in transmission.
o Non-Repudiation: the onus of the digital signature is with the customer. The transaction and its contents cannot be denied by the originator of the message requesting services.
o Reduced turn-around time for transaction processing
o Paperless transactions and reduced cost of operations
o Enhancing customer experience
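The non-repudiation property described above, as an added example that is not code from the presentation or from eMudhra: a hash-based one-time signature (the Lamport scheme, chosen because it needs only the Python standard library; the certificate-based signatures the deck refers to have the same verify-with-public-key property). The bank holds only the customer's public key, so a signature that verifies can only have been produced by the holder of the private key, and any change to the transaction after signing makes verification fail. The transaction fields and account numbers are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Lamport one-time signature over SHA-256. The private key is 256 pairs of random
# 32-byte secrets; the public key is the SHA-256 hash of every secret. Signing reveals
# one secret per message bit, so a key pair must be used for exactly one message.
HASH_BITS = 256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def keygen():
    """Customer side: the private key never leaves the customer (e.g. a crypto token)."""
    private_key = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    public_key = [(sha256(a), sha256(b)) for a, b in private_key]
    return private_key, public_key


def message_bits(tx: dict) -> list:
    digest = int.from_bytes(sha256(canonical(tx)), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def sign(tx: dict, private_key) -> list:
    """Reveal, for each bit of H(tx), the matching secret of the pair."""
    return [private_key[i][bit] for i, bit in enumerate(message_bits(tx))]


def verify(tx: dict, signature: list, public_key) -> bool:
    """Bank side: needs only the public key. Every revealed secret must hash to the
    public value selected by the corresponding bit of H(tx)."""
    if len(signature) != HASH_BITS:
        return False
    ok = True
    for i, bit in enumerate(message_bits(tx)):
        # compare_digest keeps the comparison time independent of where a mismatch is
        ok &= hmac.compare_digest(sha256(signature[i]), public_key[i][bit])
    return ok


def demo() -> tuple:
    """Returns (genuine_verifies, altered_verifies, wrong_key_verifies)."""
    customer_sk, customer_pk = keygen()
    _, other_pk = keygen()
    # constructed sample fund-transfer instruction
    tx = {"from": "ACC-0001", "to": "ACC-0042", "amount": "25000.00",
          "currency": "INR", "ref": "TXN-0001"}
    signature = sign(tx, customer_sk)

    genuine = verify(tx, signature, customer_pk)
    altered = dict(tx, to="ACC-0999")                 # beneficiary changed after signing
    altered_ok = verify(altered, signature, customer_pk)
    wrong_key_ok = verify(tx, signature, other_pk)    # signature is bound to the signer's key
    return genuine, altered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the bank only ever holds hashes of the secrets, it cannot produce a signature on the customer's behalf, which is what makes the customer's signature non-repudiable; a shared-key MAC would not give this, since either side could have computed the tag.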
(map slide; countries marked: Denmark, UK, Canada, China, Japan, N Korea, S Korea, Saudi Arabia, Thailand, India, UAE, Philippines, Indonesia, Singapore, USA, Brazil, Mauritius, Australia)
Adoption in India
In India, Digital Signature Certificates are used in the following areas:
o Filing MCA 21
o Income Tax Department of India
o E-Tendering / e-Procurement
o Directorate General of Foreign Trade (DGFT)
o Real Time Gross Settlement (RTGS)
o Electronic Fund Transfer (EFT)
o Banking authentication
o Railway Reservation / Agent Bookings
o Judicial Orders
o Customs
o For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles. There is continuous debate about extending this classic trio. Other principles such as authenticity, non-repudiation and accountability are also now becoming key considerations for practical security installations.
o There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions. However, it is observed that some banks still use weak user id/password based authentication for fund transfers using internet banking. For carrying out critical transactions like fund transfers, the banks, at the least, need to implement robust and dynamic two-factor authentication through user id/password combination and a second factor like (a) a digital signature (through a token containing a digital certificate and associated private key) (preferably for the corporate customers) or (b) OTP/dynamic access code through various modes (like SMS over mobile phones or hardware token).
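The OTP / dynamic access code second factor named in the bullet above, as an added example that is not the presentation's or eMudhra's code: an event-based OTP (HOTP, RFC 4226, the algorithm used by most hardware tokens) together with the bank-side validation logic, written against the Python standard library. The secret is the RFC 4226 test-vector secret, not a real key; the look-ahead window and counter handling are design choices assumed here.

```python
import hashlib
import hmac
import struct

# HOTP (RFC 4226): OTP = truncate(HMAC-SHA1(K, counter)) mod 10^digits.
# The same secret K is provisioned to the token and to the bank; each press of the
# token increments its counter, so a code is valid once and only once.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    counter_bytes = struct.pack(">Q", counter)             # 8-byte big-endian counter
    mac = hmac.new(secret, counter_bytes, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class OtpValidator:
    """Bank side. Tracks the next expected counter for one customer's token.

    A small look-ahead window tolerates token presses that never reached the bank;
    once a code is accepted the counter moves past it, so the same code (or any
    earlier one) cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.next_counter = 0

    def validate(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):         # constant-time comparison
                self.next_counter = c + 1                   # consume this and all earlier counters
                return True
        return False                                        # unknown, reused or out-of-window code


# Constructed demo using the RFC 4226 Appendix D test secret ("12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    """Returns the validator's verdict for a sequence of submitted codes."""
    token_counter = 0

    def press_token() -> str:
        nonlocal token_counter
        code = hotp(RFC4226_SECRET, token_counter)
        token_counter += 1
        return code

    bank = OtpValidator(RFC4226_SECRET)
    first = press_token()
    verdicts = [bank.validate(first)]                      # fresh code: accepted
    verdicts.append(bank.validate(first))                  # same code resubmitted: rejected
    press_token(); press_token()                           # two presses the bank never saw
    verdicts.append(bank.validate(press_token()))          # counter 3, inside look-ahead: accepted
    verdicts.append(bank.validate(hotp(RFC4226_SECRET, 2)))  # skipped earlier counter: rejected
    verdicts.append(bank.validate("000000"))               # code not in window: rejected
    return verdicts


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(3)])  # ['755224', '287082', '359152']
    print(demo())  # [True, False, True, False, False]
```

The first three codes match the RFC 4226 test vectors, which is the check to run against any HOTP implementation before provisioning it. Note that an OTP only proves possession of the token; it does not bind the code to the transaction contents, which is why the deck pairs it with digital signatures and MACs for high-value transfers.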
o Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack.
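The detection this bullet describes, as an added example that is not the presentation's or eMudhra's code: a key-based MAC (HMAC-SHA256 standing in for the "KMAC" the deck mentions) computed by the customer's channel over every field of a fund-transfer instruction, including a one-time nonce, and checked by the bank before the transfer is executed. The field names, the shared key and the sample instructions are constructed for the demonstration; a real deployment would derive the key per customer session or token.

```python
import hashlib
import hmac
import json
import secrets

# The MAC key is shared by the customer's channel (e.g. a token or app) and the bank.
# A party in the middle without the key can still read or alter the instruction, but
# cannot produce a valid tag for altered or injected data, so the bank detects the change.


def canonical(tx: dict) -> bytes:
    """Deterministic encoding: both ends must MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tag_transaction(tx: dict, key: bytes) -> str:
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def new_instruction(key: bytes, source: str, beneficiary: str, amount: str) -> tuple:
    """Customer side: build a fund-transfer instruction and attach its tag.
    The nonce is covered by the tag, so every instruction is unique even when
    the amount and parties repeat."""
    tx = {"from": source, "to": beneficiary, "amount": amount, "currency": "INR",
          "nonce": secrets.token_hex(16)}
    return tx, tag_transaction(tx, key)


class BankVerifier:
    """Bank side: verify the tag before executing, and never execute the same nonce twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def process(self, tx: dict, tag: str) -> str:
        expected = tag_transaction(tx, self.key)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return "REJECT: tag mismatch (modified or injected)"
        if tx["nonce"] in self.seen_nonces:
            return "REJECT: replay"
        self.seen_nonces.add(tx["nonce"])
        return "ACCEPT"


def demo() -> list:
    key = secrets.token_bytes(32)                 # constructed shared key
    bank = BankVerifier(key)
    tx, tag = new_instruction(key, "ACC-0001", "ACC-0042", "25000.00")
    outcomes = [bank.process(tx, tag)]            # genuine instruction

    # (1) instruction altered in transit: beneficiary swapped, original tag forwarded
    altered = dict(tx, to="ACC-0999")
    outcomes.append(bank.process(altered, tag))

    # (2) genuine instruction captured and submitted a second time
    outcomes.append(bank.process(tx, tag))

    # (3) instruction injected by a party that does not hold the key
    injected = {"from": "ACC-0001", "to": "ACC-0999", "amount": "99999.00",
                "currency": "INR", "nonce": secrets.token_hex(16)}
    bogus_tag = hashlib.sha256(canonical(injected)).hexdigest()   # no key, so no valid tag
    outcomes.append(bank.process(injected, bogus_tag))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Every field that matters to the bank's decision (parties, amount, currency, nonce) must be inside the bytes that are MACed; a tag over the amount alone would leave the beneficiary open to the swap shown in case (1). A MAC gives integrity and origin detection but not non-repudiation, since the bank holds the same key; that is the gap the digital signature fills.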
o Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved, include transmission and storage of critical and/or sensitive data/information in an un-trusted environment or where a higher degree of security is required, generation of customer PINs which are typically used for card transactions and online services, detection of any unauthorized alteration of data/information and verification of the authenticity of transactions or data/information.
o Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination.
Umashankar Sivasubramanian (customer). Petition No. 2462 of 2008, dated 12th April 2010, in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department.

The customer had a balance of Rs. 646,046/- in his account at the time of the incident. The incident begins when the customer received a security update from customercare@xxxx.com for updation and, assuming it to be a routine mail from the Bank, which had sent similar mails earlier, the customer complied with the request, consequent to which his account was debited to the extent of the balance in the account. Further, this amount was transferred to another customer's account in the same bank and the amount was encashed with a bearer cheque.

The customer's account was debited for an amount of Rs. 162800/-, which the customer had not authorized. The customer had taken adequate precautions in not compromising his passwords and in accessing the internet banking account through secured VPNs.

Judgement: The Bank has failed to establish due diligence in preventing the unauthorized access into the customer's account in this case and in providing adequate checks and safeguards that would have given the much needed security to the account of the customer. The KYC norms have apparently not been adhered to and there is a complete lack of concern for the customer, who had placed his trust in the bank and the IT framework provided by the Bank.
Conclusion
o All roads in Banking lead to the digital world. A growing Gen Y population and 90% cost saving (against manual transaction) are a compelling need. Enhanced technology calls for better risk assessment and management.
o More than 95% of the value of electronic transactions is through RTGS. Making this channel secure is very important.
o Risk tolerance is low in Banking. The whole banking system is built upon trust. Loss of trust will collapse the country's economy. It is in this view that the regulator has taken the step to bring compliance in IT security.
o Increased transparency and creating awareness of security in online banking builds trust.
o Today, corporates are already using digital signatures for filing documents with the Registrar of Companies, the commercial taxes department, eProcurement and the Income Tax department. Extending this usage will make it easier to proliferate secured banking.
o An OTP dongle being replaced by a crypto token holding a secured private key to encrypt the transaction details will ensure a smooth transition to better security options.
o Non-implementation exposes the customer's interest and the bank to reputation and financial risk. This now also exposes the top executives of the Bank to civil and criminal liability.
o Important eGovernment transactions such as filing of income tax returns, commercial tax returns, customs forms, tendering, Registrar of Companies, etc. have made usage of digital signature certificates mandatory. Banking is no exception and the risk is also high. The RBI guideline is a first step in this direction.

Q&A