Let's Build a Responsible Cyber Society



Why CISOs of Banks will be guilty of Murder

[P.S.: This article continues my previous series of articles, starting with the article titled Indian Media is Insensitive..here, where I pointed out how E-Banking frauds are increasingly affecting the health of the victims and why certain persons should be held responsible for the bloodbath.]

In the previous articles I indicated how a customer of a Bank reportedly had a heart attack after his lifetime savings vanished from his account due to unauthorized access permitted by the Bank. While this gentleman was lucky enough to survive the heart attack and tell his tale, we can easily guess that there could be many who have already lost their lives because of E-Banking fraud losses. I want the Chairmen of these Banks to remember that the blood of these victims is on their hands and will haunt them for the rest of their lives, since their negligence is primarily responsible for these losses.

Now, let me try to explain why I consider the CISOs of these banks also guilty of these murders.

While it is the responsibility of the Chairpersons of Banks to promote business for their Banks, and the introduction of E-Banking is certainly one way of extending the reach of Banks while minimizing costs, these Chairpersons can always feign ignorance of the technology aspects of E-Banking and of the security, or lack of it, in current E-Banking systems. The CISOs, however, are specifically responsible for the security of the E-Banking systems, and if today's E-Banking systems are unsafe for banking, the responsibility sits squarely on the shoulders of these CISOs.

I recall my earlier article Bomb is ticking to destroy the Indian Banking System, in which I referred to an Expert Group to whom a security professional, Mr Yash, demonstrated the vulnerability of the Indian Banking System: when a customer tries to transfer Rs X from his account to Mr A, the transfer goes through as Rs Y to Mr B. (More information is available at www.yashks.com.)

The demo has also been shown to some RBI officials in Bangalore, and a recorded video of the demo has been sent to CERT-IN. Naavi has specifically kept the Deputy Governor and the Governor of RBI informed about the vulnerabilities. Besides, the RBI officials in Bangalore have drawn the attention of their counterparts in Mumbai to it and invited them for another demo in Bangalore at their convenience. This has also been brought to the notice of most CISOs of Banks.

However, everybody seems to be remaining silent, as if the vulnerabilities will go away if nobody talks about them. Today, however, another security professional has revealed, through a detailed article at http://www.abuse.ch/?p=3499, how the threat of the Zeus trojan is casting its shadow over the Indian Banking system, where a large-scale attack is possible at any time. Whether or not the doomsday predictions for 2012 come true, this doomsday prediction for Indian Banks appears very likely.

The article on the Zeus trojan indicates that a new custom version is residing on more than 70,000 computers in India and is programmed to attack other machines all over the world. The Zeus trojan enables false transactions to be placed from a bank customer's account while he is trying to make a genuine transaction: the malware sits inside the customer's browser and alters the payee and amount after the customer submits the transfer, so the Bank receives an instruction the customer never gave. The Indian Banking system is presently not prepared to handle this risk, and hence a large-scale run on the Indian Banks in the coming days is considered all but a certainty.
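To make concrete what the "Rs X to Mr A becomes Rs Y to Mr B" substitution looks like, and what kind of "Risk Mitigation Effort" a CISO could advise against it, here is an added illustration that is not part of the original article and not code from Naavi, Mr Yash, the abuse.ch article or any Bank. The accounts, payees, amounts and the token secret are constructed for the demo. It assumes a what-you-see-is-what-you-sign transaction token: a device (or a mobile app on a separate phone) that shows the customer the payee and amount, and computes a MAC over them with a secret that never exists on the infected PC. The bank then accepts a transfer only if the MAC matches the payee and amount it actually received. The man-in-the-browser tampering is simulated by a plain function that rewrites the transfer after the customer submits it.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Added, self-contained illustration. All names and values below are
# constructed for the demo; the "token" is a hypothetical signing device.


@dataclass(frozen=True)
class Transfer:
    from_account: str
    payee: str
    amount_rs: int


def canonical(t: Transfer) -> bytes:
    """Canonical byte encoding of exactly the fields the customer agreed to."""
    fields = {"from": t.from_account, "payee": t.payee, "amount": t.amount_rs}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def token_sign(token_secret: bytes, t: Transfer) -> str:
    """What-you-see-is-what-you-sign: the MAC covers the payee and amount
    shown on the token's own display, with a secret the browser never holds."""
    return hmac.new(token_secret, canonical(t), hashlib.sha256).hexdigest()


def man_in_the_browser(t: Transfer, mule: str, mule_amount: int) -> Transfer:
    """Zeus-style tampering: the transfer the customer submitted (Rs X to Mr A)
    is rewritten inside the browser (Rs Y to Mr B) before it reaches the bank."""
    return Transfer(t.from_account, mule, mule_amount)


class Bank:
    def __init__(self, token_secrets: dict[str, bytes]):
        # Per-account token secrets, provisioned out of band (hypothetical).
        self.token_secrets = token_secrets
        self.ledger: list[Transfer] = []

    def process_unsigned(self, t: Transfer) -> bool:
        """Legacy flow: the bank cannot distinguish the request from the
        customer's intent, so whatever the browser sent is booked."""
        self.ledger.append(t)
        return True

    def process_signed(self, t: Transfer, mac: str) -> bool:
        """Hardened flow: book the transfer only if the MAC was computed over
        the same payee and amount the bank received."""
        expected = token_sign(self.token_secrets[t.from_account], t)
        if not hmac.compare_digest(expected, mac):
            return False  # payee/amount differ from what the customer signed
        self.ledger.append(t)
        return True


def demo() -> tuple[bool, bool, bool]:
    secret = b"token-secret-for-demo-only"  # constructed; lives in the token
    bank = Bank({"ACC-1": secret})
    intended = Transfer("ACC-1", "Mr A", 10_000)             # Rs X to Mr A
    tampered = man_in_the_browser(intended, "Mr B", 95_000)  # Rs Y to Mr B

    # 1. No transaction signing: the tampered transfer is accepted.
    unsigned_ok = bank.process_unsigned(tampered)
    # 2. Customer signs what the token displays (the intended transfer),
    #    but the bank receives the tampered one: rejected.
    mac = token_sign(secret, intended)
    tampered_ok = bank.process_signed(tampered, mac)
    # 3. Untampered transfer with the same MAC: accepted.
    genuine_ok = bank.process_signed(intended, mac)
    return unsigned_ok, tampered_ok, genuine_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The check only helps if the token's display is independent of the infected machine: if the customer confirms whatever the browser shows, a trojan that also rewrites the confirmation page defeats it. That is why the payee and amount have to be shown, and confirmed, on a device the malware cannot reach.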

If this threat materializes, a few Banks will close down, but more importantly, many customers will die of heart attacks or commit suicide.

Zeus is a technology issue, and the Bank Chairmen are incapable of understanding the power of this trojan. It is therefore the responsibility of the CISOs, who are more techno-savvy, to keep their Chairpersons informed of the threat and to advise appropriate "Risk Mitigation Efforts".

If, in the process of such "Risk Mitigation", some Banks have to close down their Internet Banking and/or ATM systems, that is a decision which has to be taken.

Will the CISOs in Indian Banks realize their responsibility and start activating the defence mechanisms to protect E-Banking customers? Or will they try to hide behind their Chairpersons and let the bloodbath continue?

If the CISOs do not act, they too shall be responsible for any deaths arising out of E-Banking frauds in the coming days.

(To be continued)

Previous articles:

1. Indian Media is Insensitive..here

2. Blood of Bank fraud victims are on these hands...


February 26, 2012