STRENGTHENING OF CYBER SECURITY

Source – YOJANA – January 2018

Author: R Subramaniakumar

Digitization is inevitable for almost every industry including the banking industry. Given the importance of financial transaction in daily lives of people, financial institutions should be at the fore-front to adopt latest technologies and to enhance customer experience thus eliminating the urban rural gap.

Factors that influence digitization in banking-

1. Changing consumer behaviour in favour of digitisation.
2. Financial inclusion and government initiatives.
3. Leveraging increasing smart phone usage and mobile penetration.

A less-cash economy is one where majority of financial transactions take place digitally through modes like internet banking, mobile banking, debit and credit cards, cad-swipe or Point of Sales (PoS) machines, Unified Payment Interface (UPI)-BHIM, QR (Quick Response) Code based transactions, Touch-n-Go cards etc.

BHIM UPI – Bharat Interface for Money – Unified Payment Interface – is a payment system with sixty participant banks, 21 million users of BHIM application and 82 lakh successful transactions per month.

BHIM Aadhaar is a digital payment acceptance solution enabling merchants to receive digital payments from customers over the counter through Aadhaar biometric authentication.

With the increase in digital banking, a robust cyber security framework is required. The eco-system of digitalisation includes the following stakeholders:

1. Customer/Originator
2. Originating Institution
3. Processing Agency
4. Beneficiary Institution
5. Beneficiary

To ensure ‘cyber-sanitisation’, the following triangulation should be of paramount importance: Confidentiality; Integrity; Availability.

Norms for the stakeholders:

1. Customer/Originator: Using updated antiviruses; ‘typing’ the address for a website for an online transaction & ‘not clicking from the e-mail’; taking extra care while downloading free/suspicious software/applications; ensuring confidentiality of PIN/password.
2. Originating Institution/Beneficiary Institution: maintaining tight safety controls to ensure consistency, accuracy and trustworthiness of data.
3. Processing Agency: Most digital transactions pass through central nodal agency which could be National Payments Corporation of India, Mumbai or Institute for Development and Research in Banking Technology, Hyderabad. The IT standards must be maintained in such nodal agencies.
4. Beneficiary: Beneficiaries should never compromise the security of the account and should provide correct details like account no./IFSC Code or the Virtual Payment Address.

Steps taken by the Government of India to strengthen the cyber-security framework:

1. National Cyber Security Policy 2013 (NCSP): Released in 2013 by Ministry of Communication and Information Technology under Department of Electronics and Information Technology with a mission to protect cyberspace information and infrastructure, build capabilities to prevent and respond to cyber attacks and minimise damages. The highlights of the policy include:

• Creation of a national nodal agency to encourage organisations to designate a member of senior management as Chief Information Security Officer and development of internal cyber security policies.
• Encouraging open standards with periodic reviews, maintaining international standards and spreading awareness.
• Provision for National Computer Emergency Response Team (CERT-in) as the nodal agency for coordination of all cyber security efforts, emergency responses and crisis management.
• Securing e-governance by implementation of global best practices and wider use of Public Key Infrastructure.
• Protection of critical information infrastructure with the National Critical Information Infrastructure Protection Centre (NCIIPC) as the nodal agency.
• Promoting research, human development and capacity building.

2. Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre): Government of India’s CERT-in launched Cyber Swachhta Kendra in February 2017. It is operated by CERT-in under section 70B of the Information Technology Act, 2000. The solution which is a part of the Ministry of Electronics and Information Technology’s Digital India initiative will detect and prevent botnet infections in India.

• USB Pratirodh: Launched by the government with an aim to control the unauthorized usage of USB mass storage devices like pen-drives, external hard drives etc.
• Samvid: An desktop based application which allows only pre-approved set of executable files for execution and protects desktops from suspicious applications from running.
• M-Kavach: device for security of Android mobile devices and protects personal information.
• Browser JS Guard: a tool which serves as a browser extension and detects/defends malicious attacks.

3. Information Technology Act: The Information Technology Act (IT Act) is the primary law in India dealing with cybercrime and electronic commerce. The IT Act is a comprehensive legislation dealing with definitions of terms like Digital/Electronic signature, electronic governance etc. The IT Act also provides for penalties for the offences listed below:

• Tampering with computer source document (e.g. Phishing-most common bank fraud).
• Hacking with computer system.
• Receiving stolen computer or communication device.
• Using password of another person
• Cheating using computer resource
• Acts of cyber terrorism
• Failure to maintain records
• Failure/refusal to comply with orders
• Misrepresentation
• RBI Directions: RBI has thrust upon ‘Zero Liability’ and ‘Limited Liability’ for bank customers against any fraud provided if the same is reported to the bank immediately. Customer shall be compensated for the full loss if there is contributory fraud/negligence on part of the bank or for any third party breach (even without bank involvement) if the fraud is reported within three working days of receiving communication regarding the unauthorized transaction. RBI has also mandated additional steps to be taken by banks like registering customers for SMS/e-mail alerts for transactions, easier fraud reporting mechanisms like SMS, e-mail, customer care etc. However, in case the loss is caused due to the negligence of the customer, he/she shall have to bear the entire loss.

In addition to these steps, there is a need to continuously upgrade the cyber-security mechanism as new threats shall keep emerging. Security is a journey. Awareness will enable to face and mitigate the risk.