16th Annual Karnataka Conference
GRC Compliance to Culture
JULY 19th 2013

Topic: eCOMMERCE AND SECURED ELECTRONIC BANKING

Speaker: Ms. Kalaivani Chittaranjan
MD & CEO
eMudhra Consumer Services Ltd

Topic Outline
o Components and challenges in eCommerce
o Growth of eCommerce Industry
o Security Methodology in eCommerce
o Evolution of Technology in the growth of Banking
o Current Trends
o Drivers for Growth
o Future Trends
o Technology Impact
o Security in Banking Technology
o Introduction to Digital Signatures
o Challenges in Electronic Banking
o Digital Signatures Adoption in India and other countries
o Electronic Banking Regulatory Reforms
o Banking Cyber Fraud Law and Justice
o Conclusion

COMPONENTS OF E-COMMERCE

Shopping / Usage: Catalogue browsing; Shopping Cart; Form filling; Service descriptions

Payment: Online Banking; Credit / Debit Cards; Cash / COD; Other modes

Fulfillment: Product Delivery; Form collection; Service completion

(Chart: Sales in USD Billion; Total number of internet users in millions; Internet penetration %. Source: Forrester)

SECURITY METHODOLOGY

Confidentiality
Authenticity
Non-repudiation
Integrity
Availability
Authorization

(Pie chart: % of usage in eCommerce. Categories: Online Bank Transfers, Visa, Mastercard, Cash / COD, Others. Values shown: 58%, 21%, 12%, 7%, 2%. Source: Forrester)

Technology in Banking

1950s: Traditional Banking, Paper based
1980s: Computerization, Branch automation
1990s: Interbank connectivity, ATM, Core Banking, INFINET, PKI
2000s: RTGS, Internet banking
2010: Mobile Banking
2013: Secured Banking

Banking Current Trends

With greater infusion of technology in banking, the incidence of frauds in internet banking has witnessed an increase in recent times. Ensuring efficiency of the banking sector by way of technology infusion while minimizing the occurrence of such fraudulent events has become one of the major objectives of the Reserve Bank in recent years. Complaints related to unauthorized fund transfers, fraudulent withdrawals from ATMs using duplicate cards, and phishing e-mails aimed at extracting personal information have registered a significant increase in recent times.
Source: IT Vision Document 2011-17, RBI

Banking Future Trends

o The consumer-driven digital economy and mobile revolution create disruption and the need to invest in innovation.
o Customer experience enhancements will focus on creating a seamless cross-channel experience, incorporating digital communication driven by targeted analytics.
o Continuous upgrades to web and collaboration technology will play a vital role.
o Proliferation of new electronic payment mechanisms, an increase in the number of players, and growth in the banking population will reinforce the regulator's view that the payment system is an important aspect of the financial system in the country.
o Enhancing the secured network across various channels of banking is the root of technology-centric banking.

Banking Technology - Security

o In India, 40% of customers do their banking online, and 70% of the total transactions are done over the Internet. Yet proper security measures are not in place to address the online banking environment.
o In the past 12 months:
  o More than 42 million people in India fell victim to cybercrime
  o Approx. $8 billion (Rs. 44,400 crores) in direct financial losses
o 66% of Indian online adults have been victims of cybercrime in their lifetime.
o 56% of online adults in India have experienced cybercrime.
o More than 115,000 victims of cybercrime every day, 80 victims per minute and more than 1 per second; the average direct financial cost per victim is $192, up 18% from $163 in 2011.
o One in four respondents in BFSI institutions in India experienced an external attack, ranging from phishing attempts and theft of proprietary information to denial-of-service attacks.
Source: Gartner, Norton Cybercrime Report 2012, Symantec Security Check Indian Financial Services Industry 2011

Digital Signature Certificates

An introduction

o Digital Signature Certificates (DSC) are based on PKI asymmetric cryptography technology, wherein a pair of keys is generated: a public key and a private key. The private key is confidential and is held at the signer's end; the public key is public and is used by the receiver to decrypt the message.
o DSC uses 2048 bit advanced encryption standard. The information that is digitally signed using DSC ensures authenticity, non-repudiation, confidentiality and integrity of the data transmitted. Hence it is considered to be the highest level of security.
o DSC is issued to an individual after carrying out verification as per the law.
o DSC is issued in India by licensed Certifying Authorities under the Information Technology Act.

Digital Signature Banking Benefits

User Convenience: 1 time process for 2 years. No need to change passwords every 15 days.

Enhances Trust: 2048 bit key instead of 8-16 characters in a password.

Liability protection: Explicit transfer of liability for protection of the key to the user. Getting transactions legally signed by customers protects the banks.

Security: Reduced scope for any phishing or MITM attacks. Transaction details as seen by the user cannot be changed.

TAT Reduction: Customer can use the certificate to sign application forms / mandates for other applications, resulting in reduced TAT for future customer engagements.

Electronic Banking-Challenges

Challenges
o Data confidentiality
o Authentication of end user: Conventional User-Ids / Passwords or weaker authentication tools like OTPs and PINs being used for Internet Banking Transactions.
o Transaction data integrity: Weak authentication tests the integrity of data and restricts online High Value Transactions.
o Non-repudiation and accountability
o Cyber frauds: Phishing, Virus Infusion, MITM attacks, Trojans, etc. Vulnerable area: High Net-Worth Individuals / Non-Resident Indians accounts are being targeted by hackers.

Digital Signature
o 2 Factor Authentication (2FA) with Digital Signature Certificate based security solution established
o Physical Authorization is not required
o User Convenience
o Secure and legally valid under Information Technology Act, 2000
o Secured online High Value Fund Transfer is possible
o Establishes the authenticity of the transacting user - identity of individuals is verified by the Certifying Authorities licensed by the Controller of Certifying Authorities, Ministry of IT, Government of India.

Electronic Banking-Challenges

Challenges
o Rising insurance cost due to increasing fraud attacks
o Cost of legal discovery is huge with paper-based systems
o Online transaction liability lies with the bank

Digital Signature
o Ensures Integrity and Confidentiality of the transaction. Uses advanced encryption technology. Content not altered in transmission.
o Non-Repudiation: The onus of the digital signature is with the customer. The transaction and its contents cannot be denied by the originator of the message requesting services.
o Reduced Turn-around Time for transaction processing
o Paperless transactions and reduced cost of operations
o Enhancing customer experience

Online Banking India

Screenshot of IDBI BANK digital signature usage page

PKI in the global arena

(Map; countries shown: Denmark, UK, Canada, China, Japan, N Korea, S Korea, Saudi Arabia, Thailand, India, UAE, Philippines, Indonesia, Singapore, USA, Brazil, Mauritius, Australia)

Adoption in India
In India Digital Signature Certificates are used in the following areas:
o Filing MCA 21
o Income Tax Department of India
o E-Tendering / e-Procurement
o Directorate General of Foreign Trade (DGFT)
o Real Time Gross Settlement (RTGS)
o Electronic Fund Transfer (EFT)
o Banking authentication
o Railway Reservation / Agent Bookings
o Judicial Orders
o Customs

Electronic Banking Regulatory Reforms

The Basel Committee on Banking Supervision report identifies the following principles of security:
1. Authentication of e-banking customers.
2. Non-repudiation and accountability for e-banking transactions.
3. Appropriate measures to ensure segregation of duties.
4. Proper authorisation controls within e-banking systems, databases and applications.
5. Data integrity of e-banking transactions, records, and information.
6. Establishment of clear audit trails for e-banking transactions.
7. Confidentiality of key bank information.

Electronic Banking Regulatory Reforms

Information Technology (Amendment) Act, 2008
Section 43A:
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Electronic Banking Regulatory Reforms

RBI Information Security Guidelines 2011:

o For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles. There is continuous debate about extending this classic trio. Other principles such as authenticity, non-repudiation and accountability are also now becoming key considerations for practical security installations.
o There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions. However, it is observed that some banks still use weak user id/password based authentication for fund transfers using internet banking. For carrying out critical transactions like fund transfers, the banks, at the least, need to implement robust and dynamic two-factor authentication through a user id/password combination and a second factor like (a) a digital signature (through a token containing a digital certificate and associated private key) (preferably for corporate customers) or (b) an OTP/dynamic access code through various modes (like SMS over mobile phones or a hardware token).

Electronic Banking Regulatory Reforms

RBI Information Security Guidelines 2011:

o Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack.
o Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved, include transmission and storage of critical and/or sensitive data/information in an un-trusted environment or where a higher degree of security is required, generation of customer PINs which are typically used for card transactions and online services, detection of any unauthorized alteration of data/information, and verification of the authenticity of transactions or data/information.
o Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination.

Electronic Banking Regulatory Reforms

RBI Information Security Guidelines 2011:
o It is clarified that except where legally required, banks may consider any other equivalent/better and robust technology/methodology based on new developments after carrying out a diligent evaluation exercise.
o Payment and fund transfer security: Digital signatures and key-based message authentication codes (KMAC) for payment or fund transfer transactions could be considered for the detection of unauthorized modification or injection of transaction data in a middleman attack. For this security solution to work effectively, a customer using a hardware token would need to be able to distinguish the process of generating a one-time password from the process of digitally signing a transaction.
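The tamper-detection role the guideline assigns to a key-based MAC over payment data, shown as an added example (not from the presentation or from eMudhra): the customer's token computes an HMAC-SHA256 tag over the transaction exactly as displayed, the bank recomputes it, and a rewritten beneficiary or a replayed message fails the check. The shared key, account numbers and transaction id are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder for the per-customer secret provisioned into a hardware
# token; in a real deployment it never leaves the token and the bank's key store.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def canonical(txn: dict) -> bytes:
    """Serialize the transaction fields deterministically, so the customer's
    token and the bank compute the MAC over exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode("utf-8")

def mac_transaction(txn: dict, key: bytes = SHARED_KEY) -> str:
    """Customer side: keyed MAC over the transaction exactly as shown on screen."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()

def verify_mac(txn: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Bank side: recompute and compare in constant time. A beneficiary or amount
    rewritten in transit no longer matches the tag the customer produced."""
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def accept(txn: dict, tag: str, seen_ids: set, key: bytes = SHARED_KEY) -> bool:
    """Bank-side acceptance: valid MAC and a transaction id not seen before, so an
    injected or replayed message is rejected even when the tag itself is genuine."""
    if not verify_mac(txn, tag, key):
        return False
    if txn["txn_id"] in seen_ids:
        return False
    seen_ids.add(txn["txn_id"])
    return True

# Constructed sample transaction, as displayed to and confirmed by the customer.
ORIGINAL_TXN = {"txn_id": "2013-07-19-000001", "from_account": "000123456789",
                "to_account": "000987654321", "amount_inr": "10000.00"}

def demo() -> tuple:
    """Returns (genuine_accepted, tampered_rejected, replay_rejected)."""
    seen = set()
    tag = mac_transaction(ORIGINAL_TXN)
    genuine = accept(ORIGINAL_TXN, tag, seen)
    # A middleman rewrites the beneficiary but cannot recompute the tag without the key.
    tampered = dict(ORIGINAL_TXN, to_account="000555555555")
    tampered_rejected = not accept(tampered, tag, seen)
    # Re-submitting the captured genuine message is caught by the txn_id check.
    replay_rejected = not accept(ORIGINAL_TXN, tag, seen)
    return genuine, tampered_rejected, replay_rejected

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

A digital signature slots into the same place as the MAC, with the difference that only the customer holds the signing key, which is what gives the bank the non-repudiation the slides emphasise.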

Banking Cyber Frauds Law and Justice

Thomas Raju (customer). Petition No. 3 of 2011 dated 16th May 2011 in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department.

The customer's account was debited for an amount of Rs. 162800/-, which the customer had not authorized. The customer had taken adequate precautions in not compromising his passwords and in accessing the internet banking account through secured VPNs.

Judgement:

The Bank has failed to establish due diligence in preventing the unauthorized access into the customer's account in this case and in providing adequate checks and safeguards that would have given the much needed security to the account of the customer. The KYC norms have apparently not been adhered to and there is a complete lack of concern for the customer who had placed his trust in the bank and the IT framework provided by the Bank.

Banking Cyber Frauds Law and Justice

Umashankar Sivasubramanian (customer). Petition No. 2462 of 2008 dated 12th April 2010 in the office of the adjudicating officer, Principal Secretary to Government of Tamil Nadu, Information Technology Department.

The customer had a balance of Rs. 646,046/- in his account at the time of the incident. The incident began when the customer received a security update from customercare@xxxx.com for updation and, assuming it to be a routine mail from the Bank, which had sent similar mails earlier, the customer complied with the request, consequent to which his account was debited to the extent of the balance in the account. Further, this amount was transferred to another customer's account at the same bank and the amount was encashed with a bearer cheque.

Banking Cyber Frauds Law and Justice

Judgement:
o Authentication and validation is a key element in any transaction and more so when financial transactions are the mainstay of the activity. A facile and simple method would have been for the bank to acquire a digital signature for the officer responsible for communicating with customers and thereby provide one layer in authentication of such mails. Even in the matter of drawal of money from the account, additional layers of safeguards could have contained the damage to the customer.
o It appears that the Bank has violated certain important instructions issued by RBI in connection with customers being serviced over the counter or over the internet and KYC norms / Anti-Money Laundering standards / etc.
o The Bank has failed to put in place a foolproof internet banking system with adequate levels of authentication and validation which would have prevented the type of unauthorized access in the instant case that has led to a serious financial loss to the customer.

Conclusion
o All roads in Banking lead to the digital world. The growing Gen Y population and 90% cost saving (against manual transactions) are a compelling need. Enhanced technology calls for better risk assessment and management.
o More than 95% of the value of electronic transactions is through RTGS. Making this channel secured is very important.
o Risk tolerance is low in Banking. The whole banking system is built upon trust. Loss of trust will collapse the country's economy. It is in this view that the regulator has taken the step to bring compliance in IT security.
o Increased transparency and creating awareness of security in online banking builds trust.
o Today, Corporates are already using digital signatures for filing documents with the Registrar of Companies, commercial taxes department, eProcurement and the Income Tax department. Extending the usage will make it easier to proliferate secured banking.
o An OTP dongle being replaced by a crypto token holding a secured private key to encrypt the transaction details will ensure a smooth transition to better security options.
o Non-implementation exposes the customer's interest and the bank to reputation and financial risk. This now also exposes the top executives of the Bank to civil and criminal liability.
o Important eGovernment transactions such as filing of income tax returns, commercial tax returns, customs forms, Tendering, Registrar of Companies, etc. have made usage of digital signature certificates mandatory. Banking is no exception and the risk is also high. The RBI guideline is a first step in this direction.

Q&A