Tackling Cyber Threats at Indian BanksEffective Customer Awareness Programs Needed
"Banks need to work on how to have affective customer awareness programs as far as cyber fraud and banking fraud are concerned," Shah says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
The technology currently in place, as well as the infrastructure, is fairly secure, Shah says. Financial institutions need to make sure they are addressing security concerns and following the guidance that's already out there.
A notification was sent out a few months back by the Reserve Bank of India stating that every bank needs a mandatory CISO position to be accountable for the risks. Other standards, such as one-time passwords, have helped to protect Indian banks and their customers.
In an exclusive interview about cybercrime in India, Shah discusses:
- His new book, "Are You Protected?";
- Top cyber risks to banks and banking customers;
- How banks can better protect themselves from fraudsters.
Shah is an information security professional having over seven years of experience and provides consulting and advisory services for information security practices, information security awareness, corporate fraud investigations, incident handling and response, computer forensics services, cyber crime prevention methodology, training and research.
He was invited by The Reserve Bank of India, Mumbai to address the High Level Committee Meeting on Governance, Risk and Compliance, The Indian Bank Association, Gujarat Government, Maharashtra Police in recent past among various other important organizations and has been working with Rajasthan Police, Haryana Police, Chennai Police, Kolkata Police, Mumbai Police and various other departments on as is basis for Investigations.
Shah also has written many articles and papers and has been speaker for over 50 seminars/workshops/events combing his previous assignments while serving as employee of NASSCOM and DSCI and since last one year through The Eagle Eye. He has been involved in training over 7500 police officers across India in Investigations of cyber crimes, judiciary and public prosecutors.
TOM FIELD: To start with, why don't you tell me a little bit about yourself and your experience in both information security and cybercrime?
VICKY SHAH: I've been working in the information security domain for over seven years now. In terms of educational qualifications I'm a master of computer applications, having two diplomas in IT and cyber laws. I was a forensic examiner from 2009-2010 and a lead auditor in ISO 27001. I'm also preparing for my CFE, certified foreign examiner. It's been a great experience that started seven to ten years back with NASSCOM. NASSCOM is India's IT industry association. My primary job was to create law enforcement agencies with the association of cybercrime techniques. I grew into an administrator and management role in about two years. Lastly, when I left I was part of DSCI, which is the Data Security Council of India, an initiative by NASSCOM which is a self-regulatory organization and was instrumental in setting up the same. Also, I have had a chance to work with the IT industry, the regulators and compliance authorities. Now with my firm, The Eagle Eye, I'm working with various privacy industries comprised of insurance banks, loan departments and police agencies.
In terms of experience in cybercrime, I've been fortunate to work in several cases. We provide technical assistance to law enforcement agencies in India, because here now law enforcement is capable of investigating these cases. Five years back that was a different scenario. We basically help companies in considering and training for the advisory role, and we help them to be more proactive rather than reactive.
"Are you Protected?"FIELD: Now you just authored a new book entitled "Are you Protected?" Who is the audience for this book and what would you say the main messages are?
SHAH: This book isn't a substitute for cybercrimes or other computer offenses. It's intended to sell as an information handbook for educational guidance, reference and initiating processes. In all my years, I've been fortunate to address several conferences and workshop training events in India where we get a lot of questions from users. There's a lack of knowledge on the subject. There's lack of responsibility on where this issue is because people don't want to accept their role in this security domain. Questions represented by the associates vary from those who are ready to very fundamental concepts, definitions, attributes, prevention and intellectual property when it comes to corporate and those related to practical applications.
This book is useful for each and every person who uses internet or mobile services, as far as India is concerned. It's generally used for academia purposes, for educating the officers in IT security for the states of India. We educate auditors, the Bollywood industry and a lot of intellectual property that's being used. But there are a lot of risks which are associated with it. We have industries; we have chambers of commerce and so and on and so forth. As I said it's for everybody who uses technology because there are many definitions and explanations that are very confusing.
For example, people are always confused with hacking and a denial-of-service, because both, in terms of concept, are the same as far as the secure access is concerned. This handbook attempts to clear misconceptions and provide a business understanding with India being the focus. It also helps people outside of India who want to do business in India as to what are the rules, laws in India and what are the governing rules which would be applicable to them if they are using any IT in India, IT infrastructure or setting up new IT infrastructure in India.
It's a handbook which aims to build awareness about cybercrimes. And there are about 54 types of cybercrimes which I have particularly mentioned in my book, which is an FAQ and question-and-answer format, with the crime definition, example, the rich IT law it falls under and what the punishments specific for it are. It's more of an intellectual book. It has no context of various cyber cells across India, whom to contact, what to do, how to report the crime or how to protect and prevent one from being a victim. Usually IT users are victims of various offenses, mostly unknowingly due to the lack of awareness or due to intentional or unintentional crimes which are committed by the Internet or actual people. To summarize, the threat to the Internet is unpredictable, but it's still manageable. This book aims to give answers.
Top Cyber Risks to Indian BanksFIELD: That's a very good overview and I would like to talk with you specifically about financial institutions. What do you see as the top cyber risks to Indian banks today?
SHAH: With the advances in IT, most banks in India have migrated to core banking firms and have moved transactions to payment cards, debit/credit and to electronic channels like ATM, Internet banking and mobile banking. The threat has followed customers into cyberspace with mechanisms like phishing, keylogging, spyware, malware and other internet-based frauds targeted specifically to the bank customers. And phishing is a major concern for India. There was a study released by the Ministry of Finance in 2009 where only 340 companies were registered in India and the loss was around 15.6 crores. I'm sure this status only talks about the crimes which are reported, and the crimes which aren't reported there's no data available as to how much financial loss was there.
Often in the press and media we find once or twice a month there are instances of banking fraud because of the lack of user awareness and security. A lot of the finances and funds are getting lost. Also, IT governance from the bank perspective and the information security audit which a new amendment that's come into place which mandates that the audit has to be done annually and bi-annually for specific processes. The outsourcing job of bank operations, like KYC norms, has further documentation. The human element is a big, big risk in Indian banks today because people are collecting and handling the information of customers - they are the biggest challenge. That's why I keep on saying human behavior is the biggest risk in security, specifically in bank security. In a nutshell, the banks need to work on how to have affective customer awareness programs as far as cyber fraud and banking fraud are concerned in order to reduce this thing.
FIELD: What would you say are some of the specific risks to both the consumers as well as the corporate customers of the banks?
SHAH: Consumers always want a secure environment, a peace of mind kind of feeling. Suppose a customer wants to do some transaction online, he or she wants their systems secure, their data not known to others and their finances safe. But at the same time their security and responsibility is in their hands. No bank can provide a facility. They are just a facilitator to provide you a service. They can't guarantee you 100 percent security in terms of the password laws or ignorance of the user.
From the corporate perspective of corporate customers, their risks are more to do with the sales and the websites. And in terms of the consumer it's more individualistic where they're concerned about their accounts and the financial part of it. There are two different perspectives here. For the consumers' it's more about individual requirement, protection of data, theft and hacking of their accounts. Whereas corporate customers would be more worried about the larger spectrum of the said brand reputation, which could be lost with the risk.
Are Banks Protected?FIELD: From your perspective Vicky, how well protected would you say the banks are today from these cyber risks we just talked about?
SHAH: One hundred percent security isn't possible for anyone in this world. Banks are skeptical and are unavailable for certain risks like human risk where they're dealing with a lot of confidential data of the customers, the account opening procedures and the KYC norms which are part of the RBI. Those are the areas where banks need to improve upon. But as far as the technology and infrastructure are concerned, I think banks are fairly secure. They have double authentication after the August 2009 notification from the RBI, and they're also now initiating one-time bank passwords and IVR-based passwords. You get one-time passwords on your mobile phone, where you register, get an SMS and a password pin. As far as the banks are concerned, I think they're very well protected. The only thing is the human element which needs to be improved upon.
FIELD: Now take a step back from the banks and look at cybersecurity law. How would you assess the state of cybersecurity law in India today?
SHAH: If you see the laws in India, it takes time for them to be discussed, updated and connected. We first had the India Information Technology Act in 2000 and the amendment came in 2009. The time it took for this amendment was a very huge time gap. But the amendments have given new scope, ideas and thought processes. Earlier they were very vague in terms of actually what to do and how to go about it, but now the new law after the amendment is fairly good.
Also, I would like to highlight that ignorance of law is not acceptable. Most of the IT users do not know the many useful provisions which are there. It also applies to corporate. They're just focusing more on the infrastructure and not on the other aspects which the law provides. With India most challenges come in developing criminal law procedures, because the context of crimes that involve the internet or the computer are different. A lot of technologically associated challenges are changing and faced with new challenges. In a nutshell, the laws are fairly there. We have good company laws. The IT Act, corporate affairs and the company laws are there, so things are stable.
Key Fraud TrendsFIELD: I know you are a student of fraud. What would you say are some of the key fraud trends that most interest you right now?
SHAH: In the last quarter or so, we've had a lot of innovative frauds which are dealing with the income tax refund money given by the Indian government. The tax payers get a refund after paying the excess tax. The fraudsters have started sending mail which is more personal in customizing them and changing the value to the specifics. Financial frauds, the variation of financial frauds in terms of income tax refund and your phishing banking frauds are common, innovative ways we are getting the funds from the transfers of shares. A lot of financial fraud is coming. These are the new trends which are coming up.
Also, a lot of exploitive transactions are being reported. I have complaints coming from clients where most of the time people change the e-mail. E-mail spoofing currently brings fraud because it looks deceptive, and people are being victimized by such fraud where a person intercepts the e-mail IDs of party A and B and then the transactions happen. A lot of financial fraud is out there in multiple variations. These are the new trends now.
FIELD: Just a final question, I want to bring you back to the banks for a minute. If you could offer a single piece of advice to the banks, for a way that they could protect themselves and their customers better than they are today, what advice would you offer?
SHAH: The banks are already doing a lot as far as RBI Guidance and adopting the new processes which are being specified. A couple of months back there was a notification which said that every bank needs to have a mandatory CISO position to be accountable for the risks and also there needs to be committees set up within the bank for data security issues and reporting of the same. For those banks that haven't already incorporated this, they can do it. They can initiate this.
Apart from this, there are a lot of sensitivity, compliance and norms issues which are there. With credit cards and debit cards being in circulation, they're also adopting the PCI/DSS standards which are there. Banks which are in India are ISO 27001 compliant, so they need to follow the guidelines on time. Five months back there was a report from the Reserve Bank of India by the working committee on risk technology, cyber frauds and risk management. So there are a lot of best practices and approaches which are given in that report which they could adopt and follow so there would be systems that are more robust.