On 26th December 2005, Hindu carried an article titled "For
a secure growth of Internet banking and e-commerce", in which the current
banking practices in India were discussed and a few remarks were made, such
as "Indian banks can no longer rely on luck alone to avoid costly
frauds" and "It is time regulators in India issue guidelines for improving
security of the internet banking transactions and `card not present'
transactions before the fraud statistics grows beyond imagination."
In the article, attention had been drawn to the guidelines issued by FFIEC
(Federal Financial Institutions Examination Council) of the U.S. to all
American banks. The guidelines prescribed that the authentication of
customers for online transactions must be ensured and that customers must be
informed of any data breaches. The article went on to add that Indian
Banks need to consider the possibility of attacks from any part of the Globe and
therefore need to improve their security systems. The article carried some
graphics in which the web page of ICICI Bank was visible. Though the author had
not meant any specific reference to security aspects of ICICI Bank, the bank took
objection to the use of its name in the graphic and wrote a rejoinder objecting
to the use of its trade mark, as if the article was meant to criticize the
Bank.
In its rejoinder, ICICI Bank went on to claim as follows:
"We would like to point out that our online banking service employs the
128-bit Secure Socket Layer (SSL), which is one of the best commercially
available encryption technology most commonly used by large-scale online
merchants, banks and brokerages worldwide. Apart from using 128-bit SSL
encryption and Verisign digital certificates which are de facto standards for
security, ICICI Bank has also adopted the following mechanisms to provide a
secure online banking experience to its customers, that is, secure login page,
locking of passwords on incorrect attempts to access online banking, two levels
of authentication for financial transactions in addition to providing a detailed
security awareness webpage for our customers."
It is, however, necessary to observe that:
a) Using encryption only allows the communication between
the client and the bank to take place in confidence. It does not add to the
"Authentication" of the customer, which is accomplished only with the use of
the Password.
b) Use of password authentication only authenticates the
"Access" and does not authenticate the "Electronic Document through which
instruction flows from the customer to the Bank".
c) Further, ICICI Bank uses the server digital certificate
issued by Verisign, which is not a licensed Certifying Authority in India
(though Safescrypt, its subsidiary, is one).
The procedure used by ICICI Bank for its online
transactions therefore does call for major revision in order to preserve its
legal recourse in respect of any of the transactions that are put through the
Internet Banking system. ICICI's defence was perhaps not fully justified.
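
To make points (a) and (b) concrete, the following added example (not from the original article or from any bank's system) contrasts a record backed only by a logged-in session with an instruction signed by the customer's own key. The use of Ed25519, the record types, the user name and the sample instruction text are assumptions chosen for illustration; the article does not name a mechanism.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SessionRecord is all a password-only system can keep: who was logged in and
// what text arrived. Nothing in it depends on a secret only the customer holds.
type SessionRecord struct {
	User, Instruction string
	LoggedIn          bool
}

// SignedRecord carries a signature computed over the instruction itself.
type SignedRecord struct {
	User, Instruction string
	Sig               []byte
}

// sessionCheck can only say the session was authenticated, not what was sent.
func sessionCheck(r SessionRecord) bool { return r.LoggedIn }

// signInstruction runs on the customer's side with the customer's private key.
func signInstruction(priv ed25519.PrivateKey, user, instr string) SignedRecord {
	sig := ed25519.Sign(priv, []byte(user+"\n"+instr))
	return SignedRecord{User: user, Instruction: instr, Sig: sig}
}

// verifyInstruction needs only the public key, so the bank or a third party
// can confirm that the key holder approved exactly this text.
func verifyInstruction(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, []byte(r.User+"\n"+r.Instruction), r.Sig)
}

// demo returns the session check on an altered record, then the signature
// check on the original and on the altered instruction.
func demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	orig, forged := "PAY INR 5000 TO ACCT 0002", "PAY INR 500000 TO ACCT 0009" // constructed samples
	// The stored text was changed after login; the session record cannot show it.
	sess := SessionRecord{User: "customer1", Instruction: forged, LoggedIn: true}
	signed := signInstruction(priv, "customer1", orig)
	altered := signed
	altered.Instruction = forged
	return sessionCheck(sess), verifyInstruction(pub, signed), verifyInstruction(pub, altered)
}
func main() { fmt.Println(demo()) } // prints: true true false
```

The session check still passes on the altered record, while the signature verifies only for the text the customer actually signed.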
The only solace ICICI can draw is that the mistakes being
committed by ICICI Bank are also being committed by every other Bank in India,
and RBI should in fact be concerned with this mass negligence of Banks.
The main fault in this respect lies with the Software
Companies who have dumped "Non Cyber Law Compliant Software" on the Indian
Banking System out of their own ignorance and lack of commitment to quality.
Just as the Y2K problem was created by the software industry due to its
short-sightedness, which ultimately resulted in huge losses to the user
industries (with corresponding benefit to the IT industry), the Software giants
are now hawking their deficient software on the unsuspecting Banking
fraternity and placing the customers at great risk.
The problem will soon grow from the inability of Banks
to recover money lost in cyber crimes to the creation of huge losses which may
bring down the Banks. (A similar situation in SBI will be discussed in a
forthcoming article).
It is time RBI takes notice of the problem and initiates
adequate measures to safeguard the industry and also the Indian economy which
will be at risk if a major Bank failure occurs in India.