Press Esc to close

Hackers may catch Indian banks napping

Last updated: 12 July, 2011

With the rising incidence of cyber crime, how safe is Internet banking in India? Samir Kelekar finds out

About two months ago, there was a major phishing attack on one of India's largest public sector banks.

I too received a phishing mail even though I didn’t even have an account in that bank then. When I checked with the bank if account holders had lost money, they were not sure.

Users, who enter their credentials in a phishing site and subsequently lose money, do not always admit what they have done. Instead, they blame the bank for losing money.

The increasing incidents of online fraud and hacking have put banks in a difficult position. Phishers are becoming more and more sophisticated and phishing mails have begun to appear in Hindi too, targeting the growing numbers of regional language Internet users. Also, it seems that the law applying to the loss of money in an Internet banking transaction is tilted against the banks.

A well-known legal expert says the liability of cyber crime, in which the customer is not a co-conspirator, is always on the banks. In other words, if a user loses her money, RBI may ask the concerned bank to compensate the user unless it can show that the user herself is involved in a conspiracy to steal the money.

So, even if there is no anti-virus on the user's computer or a key-logger is installed by a malicious hacker on the user's machine, banks would still be held responsible for the loss of money. To avoid these risks, experts say banks should come up with automated methods to ensure that the user's machine is secure before allowing her access to Internet banking.

But not many banks have realised the gravity of the situation and life goes on as usual for them. But surely it won't be long before banks start to realise how vulnerable they are. A chief information security officer (CISO) of a well known bank retorted when confronted with a blatant security hole in the bank's procedure: “Has a fraud happened? If not, why worry?”

This means that he will wake up only when the bank is swindled of significant money, and it may be too late then to plug the hole. The PSU banks usually do not reward performance adequately and hence, you can expect the bank personnel managing security to be not very highly motivated. Further, with their present salary structure, PSU banks fail to attract top security professionals.

Fortunately, in India the major frauds in banks are still not the ones involving hacking. In most circumstances, it is an acquaintance, who defrauds the victim. Recently, in the US, large companies such as Sony and Citibank have been hacked and passwords of millions of users stolen. Why hasn’t such an incident happened in India? My take is that hacker-criminals in India are not sophisticated enough as yet. And international criminals haven’t turned their gaze towards India as yet. But the situation could change anytime.

To be frank, not all security holes of Internet banking can be blamed on the banks. Today's Internet infrastructure is full of holes, and still, banks are moving at high speed introducing newer and newer services, without closing the holes that are found.

To give a few examples, most of the home routers come with default passwords, which few users change. As a result, it is not difficult for a hacker to log into them. Wireless networks using WEP are vulnerable to WEP cracking, and software to do so is freely available on the net. And many of Indian payment gateways have security holes.
Banks have to also worry about mobile transactions, which are becoming common.

Vulnerabilities have been found in iphones and other mobiles. Mobiles are increasingly used on wireless hotspots also, and they are particularly vulnerable there. Along with banks, the government also needs to wake up to online security needs.

Recently, Indian Institute of Science, Bangalore tied up with a major Chinese company Huawei Technologies, which has funded its center for testing security in telecom systems. It is inconceivable that our government exposes such a critical national security area to a foreign company. The UIDAI, another critical project for national security, is associated with the US companies with dubious credentials.

The government has also failed to act on cyber crime. Until a year ago, Bangalore had not had a single conviction in cyber crime. Having interacted with the cyber crime police, I can vouch for the good job the investigators are doing. However, if the grapevine is to be believed, the reason for the zero rate of conviction seems to be that the powers-that-be have a tough time distinguishing between the IT Act as in the Income Tax Act and the IT Act as in the Information Technology Act.

There are also some bright sides. The two-factor authentication --- requiring a one-time password that is sent on a mobile --- is a much needed improvement that the RBI has mandated for banking transactions. The hacker’s task has got more difficult as he now has to hack the mobile of the victim too along with the desktop computer. However, two-factor authentication is not followed in case of transactions involving share purchase as the time factor is crucial there and one cannot wait for an SMS, which might take minutes or sometimes hours before making the transaction.

What can a lay person do to protect his interest online? While the law favours the user as of now, it is an open question if banks would compensate users in case of a major breach. Thus, it would be surely a good idea for high-value depositors to spread their funds across different banks. ICICI Bank has introduced an insurance policy, which provides a cover of Rs one lakh if money is lost due to fraudulent use of an ATM card. This is a good start.

Secondly, consumer forums should tie up with banks and security companies in educating the users about security of internet banking. After all, however difficult it may look, there is nothing better than taking the bull by the horns.

(Dr Kelekar, a cyber security expert, is managing director of Teknotrends, Bangalore.)

Go to Top

More from this section
Photo Gallery
A child disguised as PM Narendra Modi flashes victory sign after BJP's success in the state...

A child disguised as PM Narendra Modi flashes victory sign after BJP's success in the state...

Prime Minister Narendra Modi flashes victory sign after BJPs success in Himachal and Gujarat...

Prime Minister Narendra Modi flashes victory sign after BJPs success in Himachal and Gujarat...

Newly elected Congress president Rahul Gandhi arrives for the winter session of Parliament, in...

Newly elected Congress president Rahul Gandhi arrives for the winter session of Parliament, in...

BJP President Amit Shah gestures while being welcomed on his arrival at the party headquarters in...

BJP President Amit Shah gestures while being welcomed on his arrival at the party headquarters in...

Karnataka BJP BS Yeddyurappa flashes victory sign along with the party members to celebrate the...

Karnataka BJP BS Yeddyurappa flashes victory sign along with the party members to celebrate the...

Army personnel paying tributes to the mortal remains of Sepoy Koushal Singh during his last...

Army personnel paying tributes to the mortal remains of Sepoy Koushal Singh during his last...

Policemen and rescue workers inspect the debris at a damaged site after a fire broke out...

Policemen and rescue workers inspect the debris at a damaged site after a fire broke out...

Actors Arbaaz Khan, Jacqueline Fernandez and Tiger Shroff at the launch of Super Fight League...

Actors Arbaaz Khan, Jacqueline Fernandez and Tiger Shroff at the launch of Super Fight League...

Karnataka cricketer Karun Nair celebrates his century in the Ranji Trophy semi-final match...

Karnataka cricketer Karun Nair celebrates his century in the Ranji Trophy semi-final match...

Female giant panda cub Xiang Xiang sits on a tree during a press preview at the Ueno Zoological...

Female giant panda cub Xiang Xiang sits on a tree during a press preview at the Ueno Zoological...

Like us on Facebook

Copyright 2017, The Printers (Mysore) Private Ltd., 75, M.G Road, Post Box 5331, Bengaluru - 560001
Tel: +91 (80) 25880000 Fax No. +91 (80) 25880523
Powered by Yodasoft Technologies Pvt. Ltd.