Why CISOs of Banks will be guilty of Murder
[P.S: This article is a continuation of my previous series of articles, starting with the article titled Indian Media is Insensitive.. (here), in which I pointed out how E-Banking frauds are increasingly affecting the health of the victims and why certain persons should be held responsible for the bloodbath.]
In the previous articles I indicated how a customer of a Bank had reportedly suffered a heart attack after his lifetime savings vanished from his account through unauthorized access permitted by the Bank. While this gentleman was lucky to survive the heart attack and tell his tale, we can easily guess that many may already have lost their lives because of E-Banking fraud losses. I want the Chairmen of these Banks to remember that the blood of these victims is on their hands and will haunt them for the rest of their lives, since their negligence is primarily responsible for these losses.
Now let me explain why I consider the CISOs of these banks also guilty of these murders.
While it is the responsibility of the Chairpersons of Banks to promote business for their Banks, and the introduction of E-Banking is certainly one way of extending the reach of Banks while minimizing costs, these Chairpersons can always feign ignorance of the technology aspects of E-Banking and of the security, or lack of it, in current E-Banking systems. The CISOs, however, are specifically responsible for the security of the E-Banking systems, and if today's E-Banking systems are unsafe for banking, the responsibility sits squarely on the shoulders of these CISOs.
I recall my earlier article Bomb is ticking to destroy the Indian Banking System, in which I referred to an Expert Group to whom a security professional, Mr Yash, demonstrated a vulnerability in the Indian Banking System: when a customer tries to transfer Rs X from his account to Mr A, the transfer goes through as Rs Y to Mr B. (More information is available at www.yashks.com.)
The demo has also been shown to some RBI officials in Bangalore, and a recorded video of the demo has been sent to CERT-IN. Naavi has specifically kept the Deputy Governor and the Governor of RBI informed about the vulnerabilities. Besides, RBI officials in Bangalore have drawn the attention of their counterparts in Mumbai to the matter and invited them for another demo in Bangalore at their convenience. This has also been brought to the notice of most CISOs of Banks.
However, everybody seems to remain silent, as if the vulnerability will go away if nobody talks about it. Today, however, another security professional has explained in a detailed article at http://www.abuse.ch/?p=3499 how the threat of the Zeus trojan is casting its shadow over the Indian Banking system, where a large-scale attack is possible at any time. Whether or not the doomsday predictions for 2012 come true, this doomsday prediction for Indian Banks appears very likely.
The article on the Zeus trojan indicates that a new custom version is resident on more than 70000 computers in India and is programmed to attack other machines all over the world. Zeus sits inside the customer's own browser (a man-in-the-browser trojan) and enables false transactions to be placed from a bank customer's account while he is trying to make a genuine transaction: the beneficiary and amount he enters can be altered before they reach the bank, and what he is shown on screen can be altered as well. The Indian Banking system is presently not prepared to handle this risk, and hence a large-scale run on the Indian Banks is considered more than a certainty in the coming days.
If this threat materializes, a few Banks will close down, but more importantly many customers will die of heart attacks or commit suicide.
Zeus is a technology issue, and Bank Chairmen are incapable of understanding the power of this trojan. It is therefore the responsibility of the CISOs, who are more techno-savvy, to keep their Chairpersons informed of the threat and to advise appropriate "Risk Mitigation Efforts".
If, in the course of such "Risk Mitigation", some Banks have to shut down their Internet Banking and/or ATM systems, that is a decision which has to be taken.
Will the CISOs in Indian Banks realize their responsibility and start activating the defence mechanisms to protect E-Banking customers? Or will they try to hide behind their Chairpersons and let the bloodbath continue?
If CISOs do not act, they too shall be responsible for any deaths arising out of E-Banking frauds in the coming days.
(To be continued)
Previous articles:
1. Indian Media is Insensitive..here
2. Blood of Bank fraud victims are on these hands...
Naavi
February 26, 2012