Press Esc to close

Hackers may catch Indian banks napping

Last updated: 12 July, 2011

With the rising incidence of cyber crime, how safe is Internet banking in India? Samir Kelekar finds out

About two months ago, there was a major phishing attack on one of India's largest public sector banks.

I too received a phishing mail even though I didn’t even have an account in that bank then. When I checked with the bank if account holders had lost money, they were not sure.

Users, who enter their credentials in a phishing site and subsequently lose money, do not always admit what they have done. Instead, they blame the bank for losing money.

The increasing incidents of online fraud and hacking have put banks in a difficult position. Phishers are becoming more and more sophisticated and phishing mails have begun to appear in Hindi too, targeting the growing numbers of regional language Internet users. Also, it seems that the law applying to the loss of money in an Internet banking transaction is tilted against the banks.

A well-known legal expert says the liability of cyber crime, in which the customer is not a co-conspirator, is always on the banks. In other words, if a user loses her money, RBI may ask the concerned bank to compensate the user unless it can show that the user herself is involved in a conspiracy to steal the money.

So, even if there is no anti-virus on the user's computer or a key-logger is installed by a malicious hacker on the user's machine, banks would still be held responsible for the loss of money. To avoid these risks, experts say banks should come up with automated methods to ensure that the user's machine is secure before allowing her access to Internet banking.

But not many banks have realised the gravity of the situation and life goes on as usual for them. But surely it won't be long before banks start to realise how vulnerable they are. A chief information security officer (CISO) of a well known bank retorted when confronted with a blatant security hole in the bank's procedure: “Has a fraud happened? If not, why worry?”

This means that he will wake up only when the bank is swindled of significant money, and it may be too late then to plug the hole. The PSU banks usually do not reward performance adequately and hence, you can expect the bank personnel managing security to be not very highly motivated. Further, with their present salary structure, PSU banks fail to attract top security professionals.

Fortunately, in India the major frauds in banks are still not the ones involving hacking. In most circumstances, it is an acquaintance, who defrauds the victim. Recently, in the US, large companies such as Sony and Citibank have been hacked and passwords of millions of users stolen. Why hasn’t such an incident happened in India? My take is that hacker-criminals in India are not sophisticated enough as yet. And international criminals haven’t turned their gaze towards India as yet. But the situation could change anytime.

To be frank, not all security holes of Internet banking can be blamed on the banks. Today's Internet infrastructure is full of holes, and still, banks are moving at high speed introducing newer and newer services, without closing the holes that are found.

To give a few examples, most of the home routers come with default passwords, which few users change. As a result, it is not difficult for a hacker to log into them. Wireless networks using WEP are vulnerable to WEP cracking, and software to do so is freely available on the net. And many of Indian payment gateways have security holes.
Banks have to also worry about mobile transactions, which are becoming common.

Vulnerabilities have been found in iphones and other mobiles. Mobiles are increasingly used on wireless hotspots also, and they are particularly vulnerable there. Along with banks, the government also needs to wake up to online security needs.

Recently, Indian Institute of Science, Bangalore tied up with a major Chinese company Huawei Technologies, which has funded its center for testing security in telecom systems. It is inconceivable that our government exposes such a critical national security area to a foreign company. The UIDAI, another critical project for national security, is associated with the US companies with dubious credentials.

The government has also failed to act on cyber crime. Until a year ago, Bangalore had not had a single conviction in cyber crime. Having interacted with the cyber crime police, I can vouch for the good job the investigators are doing. However, if the grapevine is to be believed, the reason for the zero rate of conviction seems to be that the powers-that-be have a tough time distinguishing between the IT Act as in the Income Tax Act and the IT Act as in the Information Technology Act.

There are also some bright sides. The two-factor authentication --- requiring a one-time password that is sent on a mobile --- is a much needed improvement that the RBI has mandated for banking transactions. The hacker’s task has got more difficult as he now has to hack the mobile of the victim too along with the desktop computer. However, two-factor authentication is not followed in case of transactions involving share purchase as the time factor is crucial there and one cannot wait for an SMS, which might take minutes or sometimes hours before making the transaction.

What can a lay person do to protect his interest online? While the law favours the user as of now, it is an open question if banks would compensate users in case of a major breach. Thus, it would be surely a good idea for high-value depositors to spread their funds across different banks. ICICI Bank has introduced an insurance policy, which provides a cover of Rs one lakh if money is lost due to fraudulent use of an ATM card. This is a good start.

Secondly, consumer forums should tie up with banks and security companies in educating the users about security of internet banking. After all, however difficult it may look, there is nothing better than taking the bull by the horns.

(Dr Kelekar, a cyber security expert, is managing director of Teknotrends, Bangalore.)

Go to Top

Photo Gallery
CPI(M) workers chant slogans at a protest rally outside BJP headquarters in New Delhi on Tuesday...

CPI(M) workers chant slogans at a protest rally outside BJP headquarters in New Delhi on Tuesday...

Woman teachers pose with Diwali greeting messages at a school in Moradabad on Tuesday...

Woman teachers pose with Diwali greeting messages at a school in Moradabad on Tuesday...

A girl buying decorative items in a market on the occasion of Dhanteras festival in Bhopal on ...

A girl buying decorative items in a market on the occasion of Dhanteras festival in Bhopal on ...

Vendors show lanterns to customers at a roadside market ahead of the Hindu festival of Diwali in ...

Vendors show lanterns to customers at a roadside market ahead of the Hindu festival of Diwali in ...

BJP National President Amit Shah and BJP Kerala state president Kummanam Rajasekharan wave to the ..

BJP National President Amit Shah and BJP Kerala state president Kummanam Rajasekharan wave to the ..

England Midfielder Callum Hudson-Odoi(14) and Hinata Kida(6),Midfielder of Japan vie for the ball ..

England Midfielder Callum Hudson-Odoi(14) and Hinata Kida(6),Midfielder of Japan vie for the ball ..

Actress and BJP MP Hema Malini along with her daughters Ahana and Esha cutting a cake to celebrate..

Actress and BJP MP Hema Malini along with her daughters Ahana and Esha cutting a cake to celebrate..

Union Minister for Defence, Nirmala Sitharaman with Chief of Naval Staff, Admiral Sunil Lanba and ..

Union Minister for Defence, Nirmala Sitharaman with Chief of Naval Staff, Admiral Sunil Lanba and ..

Kamaraj Congress (KKC) and Most Backward Communities Federation demonstrators lying on the road in..

Kamaraj Congress (KKC) and Most Backward Communities Federation demonstrators lying on the road in..

Rajesh Talwar arrives at his residence in Noida on Monday after he, along with his wife Nupur, was..

Rajesh Talwar arrives at his residence in Noida on Monday after he, along with his wife Nupur, was..

Like us on Facebook

Copyright 2017, The Printers (Mysore) Private Ltd., 75, M.G Road, Post Box 5331, Bengaluru - 560001
Tel: +91 (80) 25880000 Fax No. +91 (80) 25880523
Powered by Yodasoft Technologies Pvt. Ltd.