About two months ago, there was a major phishing attack on one of India's largest public sector banks.
I too received a phishing mail even though I didn’t even have an account in that bank then. When I checked with the bank if account holders had lost money, they were not sure.
Users, who enter their credentials in a phishing site and subsequently lose money, do not always admit what they have done. Instead, they blame the bank for losing money.
The increasing incidents of online fraud and hacking have put banks in a difficult position. Phishers are becoming more and more sophisticated and phishing mails have begun to appear in Hindi too, targeting the growing numbers of regional language Internet users. Also, it seems that the law applying to the loss of money in an Internet banking transaction is tilted against the banks.
A well-known legal expert says the liability of cyber crime, in which the customer is not a co-conspirator, is always on the banks. In other words, if a user loses her money, RBI may ask the concerned bank to compensate the user unless it can show that the user herself is involved in a conspiracy to steal the money.
So, even if there is no anti-virus on the user's computer or a key-logger is installed by a malicious hacker on the user's machine, banks would still be held responsible for the loss of money. To avoid these risks, experts say banks should come up with automated methods to ensure that the user's machine is secure before allowing her access to Internet banking.
But not many banks have realised the gravity of the situation and life goes on as usual for them. But surely it won't be long before banks start to realise how vulnerable they are. A chief information security officer (CISO) of a well known bank retorted when confronted with a blatant security hole in the bank's procedure: “Has a fraud happened? If not, why worry?”
This means that he will wake up only when the bank is swindled of significant money, and it may be too late then to plug the hole. The PSU banks usually do not reward performance adequately and hence, you can expect the bank personnel managing security to be not very highly motivated. Further, with their present salary structure, PSU banks fail to attract top security professionals.
Fortunately, in India the major frauds in banks are still not the ones involving hacking. In most circumstances, it is an acquaintance, who defrauds the victim. Recently, in the US, large companies such as Sony and Citibank have been hacked and passwords of millions of users stolen. Why hasn’t such an incident happened in India? My take is that hacker-criminals in India are not sophisticated enough as yet. And international criminals haven’t turned their gaze towards India as yet. But the situation could change anytime.
To be frank, not all security holes of Internet banking can be blamed on the banks. Today's Internet infrastructure is full of holes, and still, banks are moving at high speed introducing newer and newer services, without closing the holes that are found.
To give a few examples, most of the home routers come with default passwords, which few users change. As a result, it is not difficult for a hacker to log into them. Wireless networks using WEP are vulnerable to WEP cracking, and software to do so is freely available on the net. And many of Indian payment gateways have security holes.
Banks have to also worry about mobile transactions, which are becoming common.
Vulnerabilities have been found in iphones and other mobiles. Mobiles are increasingly used on wireless hotspots also, and they are particularly vulnerable there. Along with banks, the government also needs to wake up to online security needs.
Recently, Indian Institute of Science, Bangalore tied up with a major Chinese company Huawei Technologies, which has funded its center for testing security in telecom systems. It is inconceivable that our government exposes such a critical national security area to a foreign company. The UIDAI, another critical project for national security, is associated with the US companies with dubious credentials.
The government has also failed to act on cyber crime. Until a year ago, Bangalore had not had a single conviction in cyber crime. Having interacted with the cyber crime police, I can vouch for the good job the investigators are doing. However, if the grapevine is to be believed, the reason for the zero rate of conviction seems to be that the powers-that-be have a tough time distinguishing between the IT Act as in the Income Tax Act and the IT Act as in the Information Technology Act.
There are also some bright sides. The two-factor authentication --- requiring a one-time password that is sent on a mobile --- is a much needed improvement that the RBI has mandated for banking transactions. The hacker’s task has got more difficult as he now has to hack the mobile of the victim too along with the desktop computer. However, two-factor authentication is not followed in case of transactions involving share purchase as the time factor is crucial there and one cannot wait for an SMS, which might take minutes or sometimes hours before making the transaction.
What can a lay person do to protect his interest online? While the law favours the user as of now, it is an open question if banks would compensate users in case of a major breach. Thus, it would be surely a good idea for high-value depositors to spread their funds across different banks. ICICI Bank has introduced an insurance policy, which provides a cover of Rs one lakh if money is lost due to fraudulent use of an ATM card. This is a good start.
Secondly, consumer forums should tie up with banks and security companies in educating the users about security of internet banking. After all, however difficult it may look, there is nothing better than taking the bull by the horns.(Dr Kelekar, a cyber security expert, is managing director of Teknotrends, Bangalore.)