Hdfc case presentation

HDFC CASE:- SECURING ONLINE BANKING

Section C, Group 1

1. Rohit Patidar-31
2. Siddharth Dixit-56
3. Sudipto Das-63
4. Tarun Acharya-68
5. Varun Sharma-75
6. Vasudev Kaushik-76


INDIAN BANKING INDUSTRY

• REGULATED BY THE RESERVE BANK OF INDIA.

• CONSISTED OF FIVE TYPES OF BANKS:

• Public sector banks (PSB)
• Private sector banks
• Regional Rural Banks (RRBs)
• Cooperative Banks
• Foreign Banks

• PSB OPERATIONS WERE LARGELY BRANCH BASED AND BURDENED BY LEGACY SYSTEMS, RESULTING IN LOW RESPONSE TIMES.

• NEW GENERATION PRIVATE BANKS WERE ABLE TO PROVIDE 24/7 SERVICE BY DEPLOYING SELF-SERVICE CHANNELS.

• IN MARCH 2004 RBI MANDATED THAT ALL TRANSACTIONS IN EXCESS OF RS.100,000 GO THROUGH RTGS (REAL TIME GROSS SETTLEMENT SYSTEM).

HDFC BANK

• Commenced operations in January 1995 promoted by Housing Development Finance Corporation (HDFC).

• Started offering online banking services in 2001 after the publication of guidelines by RBI.

• Had an income of Rs.84.1 billion and Profit after tax of Rs.11.4 billion in 2006.

• 10 million customers as of March 2007 of which 4.6 million were savings accounts holders.

• Three business segments:

• Retail Banking – banking services to individual customers.
• Wholesale Banking – commercial and transactional banking to corporate clients.
• Treasury – foreign exchange, derivatives, debt securities, equity.

• Focussed on semi-urban and under-banked markets; 64% of branches outside the top nine Indian cities.

IS IN THE BANKING INDUSTRY

• 2.52 million internet subscribers and 38.5 million users in India in 2006.

• Banking industry fundamentally compatible with IS demands:

• Used to assessing and monitoring risk, so it can learn to cope with emerging IS risks.
• Has generated trust over a period of time, which is critical in maintaining relationships and important for both offline and online banking.

• Traditional banks find it easier to attract customers as compared to pure-play online banks.

• Satisfaction with the online experience influenced decisions to switch online accounts, while offline retail customers did not switch.

ISSUES WITH IS

Five main criteria for a secure IS:

• Authentication – identify the user

• Authorization – customer authorized to conduct the transaction

• Privacy – data remains private and unseen by third parties

• Integrity – data is correct

• Non-repudiation – proof that the transaction has been initiated by the user

CUSTOMER CONVENIENCE VS SECURITY

• Customer Convenience – important for expanding market share

• Security – required to maintain trust

• Authentication – balance between “what the customer knows” and “what the customer has”

• Additional checkpoints created based on past history of transactions

• Checkpoints include: number of transactions in excess of a typical number, types of transactions, etc.

• Each checkpoint creates an additional layer of security/verification in case of detection.

• False Positive Identification – identifying genuine users/transactions as “risky” or fraudulent

• Part of any IS system; needs to be reduced to an acceptable level

• False Positive Identification rate – effective vs paranoid system

[Chart: Indian Internet User Statistics, 2000 to 2009 (x-axis: year; y-axis: number of users, 0 to 90,000,000)]

[Chart: Number of Phishing Attacks, Country: India]

SECURITY CHALLENGES IN ONLINE BANKING

• Phishing – stealing of User ID and Password.

• Saved Username & Password – online browsers save passwords for the user’s convenience; a threat if the computer is lost.

• Hacking into Bank’s Database – hackers able to get access to the bank’s database (consumer files).

• Viruses – viruses created by hackers are malicious codes which can infect the target user and get login credentials.

SECURITY ISSUES UNIQUE TO INDIAN E-BANKING

Access Control:

User ID generation and password generation schemes determine the level of Internet banking security to a great extent, and many banks’ schemes are lacking.

Security of Data in motion:

Banks use Secure Sockets Layer (SSL) encryption to secure data in motion. Many banks, including HDFC, are using older versions of SSL that have known vulnerabilities, making them susceptible to attacks.

System Design:

Many banks’ anti-phishing mechanisms are themselves a cause for concern. HDFC Bank’s anti-phishing mechanism can be used to reveal whether an account number is valid or invalid.

Lag in timely renewal of digital certificates:

Banks are laggards in timely renewal of digital certificates.
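The account-number validity leak described under System Design, as an added Python example (not HDFC’s mechanism or code from the case): it assumes a SiteKey-style scheme in which the customer enters an account number and is shown a personal anti-phishing phrase, and shows a response that leaks validity beside a hardened variant that reveals the phrase only to a device enrolled during an earlier authenticated session. Account numbers, phrases and the token store are constructed.

```python
import hmac
import secrets

# Constructed sample: account number -> personal anti-phishing phrase (not real HDFC data).
ACCOUNTS = {"50100012345678": "green sailboat", "50100087654321": "blue kettle"}
# Hypothetical store of device tokens issued to a browser after a fully authenticated login.
DEVICE_TOKENS = {"50100012345678": secrets.token_hex(16)}
GENERIC = {"status": "ok", "message": "If your details are correct, your phrase appears at the next step."}


def leaky_lookup(account_number: str, device_token: str = "") -> dict:
    """Unauthenticated lookup that answers differently for valid and invalid account numbers."""
    phrase = ACCOUNTS.get(account_number)
    if phrase is None:
        return {"status": "error", "message": "Account number does not exist."}
    return {"status": "ok", "message": f"Your anti-phishing phrase is: {phrase}"}


def uniform_lookup(account_number: str, device_token: str = "") -> dict:
    """Hardened lookup: the phrase is shown only to a device enrolled earlier; every other
    request, valid account or not, gets the same generic reply."""
    expected = DEVICE_TOKENS.get(account_number, "")
    # compare_digest keeps the comparison cost independent of where the strings differ
    enrolled = bool(expected) and hmac.compare_digest(expected, device_token)
    if enrolled:
        return {"status": "ok", "message": f"Your anti-phishing phrase is: {ACCOUNTS[account_number]}"}
    return dict(GENERIC)


def leaks_validity(handler, valid_account: str, invalid_account: str) -> bool:
    """Defender's check: does an unenrolled request get a different reply for a real account?"""
    return handler(valid_account) != handler(invalid_account)
```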

CHALLENGES IN IMPROVING INTERNET SECURITY

• Phishing is one of the most common online frauds in developed countries like the US, where one in every 115 customers lost money to phishing in 2006.

• In India, a phishing attack came to light in August 2007, and HDFC was quick to take corrective measures: it signed on with RSA Security.

• The bank introduced a “cooling period”, which gives the bank time to check transactions.

• Along with ensuring security, Salvi also ensured that IS protocols were not so rigorous as to cause inconvenience to customers.

CUSTOMER CONVENIENCE

• The bank tried to strike a balance between keeping the IS transparent to the customer and making it effective from the bank’s point of view.

• Standard checks were done on each transaction, irrespective of its size.

• Also, any transaction not in conformity with the customer’s profile would create a red flag.

• The customer wants the system to be simple, but at the same time it should be trustworthy.
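The profile-based checkpoints described on this slide and under CUSTOMER CONVENIENCE VS SECURITY above, as an added Python example (not HDFC’s system or code from the case): a constructed transaction history builds a customer profile, standard checks run on every transaction irrespective of size, each out-of-profile signal adds a verification layer, and the sigma parameter shows the effective-vs-paranoid trade-off through the false positive rate. The thresholds, layer names and transaction types are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    day: int
    amount: float
    kind: str    # transaction type, e.g. "NEFT", "RTGS", "billpay" (assumed set)
    payee: str   # beneficiary account number (constructed values below)

def build_profile(history):
    """What is typical for this customer, derived from past transaction history."""
    per_day = {}
    for t in history:
        per_day[t.day] = per_day.get(t.day, 0) + 1
    amounts = [t.amount for t in history]
    return {"daily_count": mean(per_day.values()), "mean": mean(amounts),
            "sd": pstdev(amounts) or 1.0, "kinds": {t.kind for t in history},
            "payees": {t.payee for t in history}}

def standard_checks(t):
    """Run on every transaction irrespective of its size."""
    return t.amount > 0 and t.payee.isdigit() and t.kind in {"NEFT", "RTGS", "billpay"}

def checkpoints(t, profile, count_today, sigma=3.0):
    """Verification layers triggered when a transaction does not fit the profile; a small
    sigma gives a 'paranoid' system (more false positives), a large one a lenient system."""
    if not standard_checks(t):
        return ["reject"]
    layers = set()
    if count_today + 1 > 2 * profile["daily_count"]:
        layers.add("otp")             # more transactions today than the customer typically makes
    if t.kind not in profile["kinds"]:
        layers.add("otp")             # a transaction type this customer has never used
    if t.payee not in profile["payees"]:
        layers.add("cooling_period")  # new beneficiary: hold the transfer so the bank can check
    if t.amount > profile["mean"] + sigma * profile["sd"]:
        layers.add("callback")        # amount far outside the customer's usual range
    return sorted(layers)

def false_positive_rate(genuine, profile, sigma=3.0):
    """Share of known-genuine transactions that still trip at least one checkpoint."""
    flagged = sum(1 for t in genuine if checkpoints(t, profile, 0, sigma))
    return flagged / len(genuine)

# Constructed history: a customer who pays two regular beneficiaries by NEFT.
HISTORY = [Txn(d, a, "NEFT", p) for d, a, p in
           [(1, 4000, "111"), (1, 4500, "222"), (2, 3800, "111"), (3, 5000, "222"),
            (4, 4200, "111"), (5, 4100, "222"), (6, 3900, "111"), (7, 4600, "222")]]
PROFILE = build_profile(HISTORY)
```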

SECURE ACCESS

• Salvi was planning to introduce a second level of authentication for all online users.

• Another point here was asking customers to add a list of account holders with whom their transactions will be regular.

• One more thing to think about was whether to provide secure access to all online users or to limit it to active users only.

SERVER LOCATION

• The new IS infrastructure requires the bank to have two types of servers:

• Authentication servers
• Online servers

• The dilemma here was whether to locate the servers onsite or offsite, hosted by an IS vendor for a fee.

• Also, as done by RSA Security, HDFC can opt for cloud computing, which has multiple options for network connectivity, i.e. the Internet, dedicated bandwidth or a proxy server.

SERVER LOCATION: COMPARATIVE ANALYSIS

Options compared: Onsite Server, Offsite Server, Cloud Computing

Cost

• Onsite Server: Highest – local infrastructure, high initial investment spread over a long term
• Offsite Server: Moderate – servers based outside, so the initial investment is not that high
• Cloud Computing: As per usage – shifts the expenses to variable cost, low initial investment

Reliability

• Onsite Server: Highest – close control of data and infrastructure
• Offsite Server: Moderate – the link between the IS vendor and HDFC needs to be made secure and can be a point of vulnerability
• Cloud Computing: Least – dependent on a lot of factors, potential points of systemic failure

Flexibility

• Onsite Server: Least – fixed usage, does not change as per demand
• Offsite Server: Moderate – not as flexible as a cloud-based system
• Cloud Computing: Highest – pay-by-use model, can handle demand fluctuations effectively

Scalability

• Onsite Server: Low – huge cost involved in trying to scale up the server infrastructure
• Offsite Server: Medium to High – time required to scale, to add or reduce servers at the offsite location
• Cloud Computing: Highest – scale more or less as per need

Adaptability

• Onsite Server: Rigid system – hardware, software, network etc. are standalone units
• Offsite Server: Moderate – independent services provided by the vendor
• Cloud Computing: Highest – adapts as per the need and the service bouquet chosen by the client

Complexity

• Onsite Server: Highly complex – training and development of IT personnel
• Offsite Server: Moderate – depends on the enterprise solution taken by HDFC, but requires trained IT personnel
• Cloud Computing: Least – the enterprise solution provided by the vendor would be used, reducing complexity for HDFC

Miscellaneous cost

• Onsite Server: Least – no additional cost required
• Offsite Server: Moderate – uses existing hardware, but requires a secure and reliable link between the server and HDFC offices; additional bandwidth needed
• Cloud Computing: Highest – additional cost required to ensure uptime at all locations

RECOMMENDATION

• Have the online servers onsite at HDFC’s own data centres, while having the authentication servers off-site with an IS vendor

• Utilize the IS vendor’s expertise in secure online banking

• HDFC can concentrate on core banking activities

• HDFC is able to maintain the online servers regularly, reducing potential downtime.

• Low rate of systemic failure by having the online server as an onsite, integral part of HDFC’s local area network.

• All sensitive data will be maintained by HDFC

• Need to secure the medium of communication between HDFC and IS vendor

ADDITIONAL RECOMMENDATIONS

• Separate email ID on the bank’s server for high-profile clients

• Every transaction governed by OTP/authorization

• Inform the customer about the initiation of each transaction via app notification/SMS

Current Scenario of HDFC

Security measures taken by HDFC currently

• Login Security

A valid Customer ID and a corresponding IPIN is provided to each customer for online banking, without which they cannot log in to their online account.

• IPIN Security

It is a randomly generated number delivered on tamper-proof media.

The IPIN is to be changed by the customer immediately on registering, to avoid compromise before delivery.

It is encrypted so that not even the system administrator can access it.

IPIN registration can only be done online, using Debit card details and OTP.

• Session Security

The online session of a customer will be timed out and they will be logged out of their net banking account on prolonged inactivity.

• Verisign certified.

• EVSSL certified.

• Virtual Keyboard

This protects the customer’s IPIN from being compromised by keylogger software.

• Insta-Alerts

Instant SMS/emails are sent to customers to cross-check transactions made on their accounts.

• Security Solutions

State-of-the-art solution technologies, for example firewalls, anti-malware, intrusion detection systems and intrusion prevention systems.

• Security Teams

Skilled people working round the clock to handle any problems that might arise

THANK YOU