Extract from The Hindu Business Line - February 23, 2000
Safe banking sans sabotage
Bharat Kumar, N.S. Vageesh
CHENNAI, Feb. 22

YOU have heard it so many times that you know the answer by heart: "We are open to conducting full-fledged business on the Internet, but the Cyber Bill must be passed before we can securely conduct transactions on the Internet." That is the answer to the question that everyone's asking now: "When will we be able to conduct bank and commercial transactions in cyber space?"

Given the lack of appropriate laws, the tentativeness with regard to the interface with the external world is understandable. But what stops banks from deploying similar technology for in-house transactions?

The answer: Internal sabotage. For, unscrupulous insiders in an organisation are the most inclined to commit fraud using computers. Check out statistics as evidence of this:

- A staggering amount of $100 million has been lost for the third straight year due to computer crime and security loopholes, according to the latest Computer Security Institute-Federal Bureau of Investigation survey, which was conducted early last year.

- In the survey, 37 per cent of the 521 respondents who were computer security professionals in organisations reported unauthorised access to information by insiders in the organisation.

- Meanwhile, back home in India, 233 cases of computer crime have been reported to the privately-owned, Mumbai-based National Institute of Research into Computer Crime (NCRCC) in the last six years, as of March 1999. And most of these are due to mischief mongers within the organisation.

Now, there are two ways to handle the situation emerging from such developments. Either continue to abhor technology, for fear that untested computer systems might worsen the situation; or surge ahead with computerisation with the latest in security technology.

Bank of Baroda (BoB) is one bank that has chosen the second path, untested though it is. It has a pilot running for its public key infrastructure (PKI) project. Using this infrastructure, authorised personnel alone can access specific data, clear transactions and communicate with counterparts in other branches securely.

A source in BoB explained this in detail: "Let's look at a bank manager who has to clear a cheque exceeding, say, Rs. 10 lakhs. This infrastructure, deploying encryption technology, allows him to electronically contact his counterpart in the receiving bank to clear the transaction. The infrastructure ensures that only this person can access data and that no tampering with the data happens while it is in transit."

This involves issuing digital signatures to select people within the organisation. Every message sent in every transaction has this signature encrypted and appended as a part of the despatch.

With this, the bank aims at doing away with access to data and clearing of cheques by unauthorised insiders. Further, this eliminates the possibility of an authorised person denying at a later date that it was he who conducted the transaction. In BoB, this technology is now applicable to transactions where communication between two remote parties is required.

The Chennai-based Ramco Systems, whose security solutions include PKI, confirmed that several banks, particularly private banks, and financial institutions are looking at deploying the technology. However, officials declined to comment on the actual organisations that are testing the technology.

So, PKI now, what next? In the offing in Indian banks is the smart card technology. While it has wide applications in the outside world in the near future, immediate possibilities exist in internal use.

Use of smart cards makes access to information more secure. One kind of smart card solution is as follows: The user will have to punch in the usual personal identification number (PIN). In addition, the smart card will have to be swiped into the reader to input another identification number. This number in the smart card changes every 60 seconds or so and is synchronised with a central server for identification.

This means that it is not adequate to copy or remember the number generated by the smart card. Since that number changes every minute or so, the user will necessarily have to use the smart card to gain access to data.
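The check described above, as an added example that is not from the article: the article does not describe the vendor's algorithm, so the public HOTP/TOTP construction (RFC 4226/6238) with a 60-second step stands in for it. The shared seed, the `Server` class, the PIN storage and the one-step clock-drift window are assumptions; the seed is the RFC 4226 test seed.

```python
import hashlib
import hmac
import os
import struct

STEP = 60  # seconds per code, matching "every 60 seconds or so"

def token_code(seed, now, digits=6):
    """Code the card shows at time `now`: HOTP over the time-step counter."""
    counter = int(now // STEP)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Server:  # hypothetical central server holding each card's seed
    def __init__(self):
        self.cards = {}      # user -> (seed, salt, salted PIN hash)
        self.last_step = {}  # user -> last time step already accepted

    def enrol(self, user, seed, pin):
        salt = os.urandom(16)
        self.cards[user] = (seed, salt, pin_hash(pin, salt))

    def verify(self, user, pin, code, now, drift=1):
        seed, salt, stored = self.cards[user]
        pin_ok = hmac.compare_digest(stored, pin_hash(pin, salt))
        current = int(now // STEP)
        # Accept +/- `drift` steps of clock skew between card and server.
        for step in range(current - drift, current + drift + 1):
            if step <= self.last_step.get(user, -1):
                continue  # step already used: a copied code cannot be replayed
            if pin_ok and hmac.compare_digest(token_code(seed, step * STEP), code):
                self.last_step[user] = step
                return True
        return False

def demo():
    seed = b"12345678901234567890"  # RFC 4226 test seed, not a real card secret
    server = Server()
    server.enrol("manager", seed, "4821")  # constructed user and PIN
    code = token_code(seed, 65)            # code read off the card at t=65s
    return (server.verify("manager", "4821", code, 70),             # fresh
            server.verify("manager", "4821", code, 80),             # replayed
            server.verify("manager", "4821", code, 65 + 5 * STEP))  # copied, used later
```

`demo()` returns the outcome of a fresh login, a replay of the same code inside its minute, and the same code presented five minutes later.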

Ramco Systems has a tie-up with US-based RSA Systems, an encryption major, that provides such solutions with the necessary hardware as part of the bundle.