RBI should do a security audit of Corporation Bank's new IT system

It has been pointed out in these columns that the recent change to Corporation Bank's account numbering system has caused many customer service problems. One problem already noted was that although the account numbers were changed a few months ago and new cheque books carrying the new numbers have been issued to customers, the back-end system has still not been migrated to the new numbering.

As a result, I had pointed out that NEFT remittances sent to the new account numbers were not being accepted by the system and were being returned. It was pointed out that this amounted to a "Denial of Service" to the customer, which amounted to both a "Deficiency of Service" under the Consumer Protection Act and a cognizable offence under ITA 2008.

Today I observed two other issues. Some customers who had linked their gas agency accounts to their Corporation Bank accounts for the purpose of the LPG subsidy are finding that the subsidy is not being credited to their account. This means that the gas agency is sending the payment to the old or the new account number and the payment is being rejected by the system. If this money goes back to the gas agency, there is a possibility that it can never be recovered from Indian Oil or HP.

I also observed that within the branch the systems are still working on the old account numbers, and the system is unable to retrieve the specimen signatures of customers under the new numbers. Staff therefore have to identify the old number and pull up the specimen signature before a cheque can be passed.

All this indicates a serious flaw in the implementation of the new account numbering system. First of all, it is not clear why the Bank had to change the numbering system at all. It had already migrated from the old manual system to a 15-digit account number that carried the IFSC code, the account code and the old account number as part of the number. That number was easier to remember and was already in use. The new account number is a completely new string that identifies neither the branch IFSC nor the old account number. It appears that whoever supplied the core banking system could not accommodate the Bank's legacy numbering scheme and persuaded the Bank to change its account numbers to suit the deficient core banking system, and this has led to all these problems.

There is an indication that a deficient system was thrust on the Bank without proper technical evaluation. Somebody must be held accountable for this decision, which does not appear to have been a good business decision.

I will be happy to know from the Bank if this inference is incorrect.

In the meantime, the present state of the system gives rise to a possible information security risk which needs to be attended to. If the mapping between old and new account numbers is not working, it is quite possible that the linking of customers' mobile numbers to their accounts, as well as of their Debit and ATM cards, is also affected. This would not only inconvenience customers but also hand fraudsters a phishing opportunity: they can call Bank customers with offers to "replace" the ATM/Debit card and ask for card details in order to commit fraud.

It is also possible that accounts may be wrongly linked to other accounts. (Recently I found such a flaw at NPCI, when my HDFC Bank account was linked to an unknown mobile number; it was corrected after my complaint.) This could result in fraudulent encashments as well as denial of genuine service requests.
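
As an added illustration (not from the original post and not the Bank's own code or data), the following Python sketches the kind of reconciliation check an audit of such a migration would run. All account numbers, mobile numbers, the mapping table and the link table are constructed sample data with a hypothetical schema. The checks are: whether more than one old account maps to the same new number (the "wrongly linked" risk above), whether a new number reuses an existing old number so that a lookup becomes ambiguous, whether linked records such as mobile or card numbers still resolve through the mapping (the "link stops working" risk), and whether a resolver that accepts either form of the number would let a remittance addressed to the new number be credited rather than returned.

```python
"""Reconciliation checks for an old -> new account-number migration.

Added example with constructed sample data and a hypothetical schema;
not the bank's real numbers, tables or code.
"""
from collections import defaultdict

# Constructed migration table: old account number -> new account number.
# Two defects are planted deliberately so the checks have something to find.
OLD_TO_NEW = {
    "OLD-1001": "NEW-7001",
    "OLD-1002": "NEW-7002",
    "OLD-1003": "NEW-7003",
    "OLD-1004": "NEW-7003",  # defect: two old accounts collapse onto one new number
    "OLD-1005": "OLD-1002",  # defect: a "new" number reuses an existing old number
}

# Constructed link table: (identifier, account number it was linked to).
# Identifiers stand for mobile numbers or card numbers tied to an account.
LINKS = [
    ("9000000001", "OLD-1001"),
    ("9000000002", "NEW-7002"),
    ("9000000003", "NEW-9999"),  # defect: number absent from the mapping
    ("9000000001", "NEW-7003"),  # defect: same identifier on a second account
]


def audit_mapping(old_to_new):
    """Report many-to-one collisions and new numbers that reuse an old number."""
    by_new = defaultdict(list)
    for old, new in old_to_new.items():
        by_new[new].append(old)
    collisions = {new: sorted(olds) for new, olds in by_new.items() if len(olds) > 1}
    # A new number that is also somebody's old number cannot be resolved unambiguously.
    ambiguous = sorted(new for new in by_new if new in old_to_new)
    return {"collisions": collisions, "ambiguous": ambiguous}


def build_resolver(old_to_new):
    """Return resolve(number) -> backend key (the old number) or None.

    Accepting both forms during the transition is what stops an inbound
    NEFT credit addressed to the new number from being returned.
    """
    new_to_old = {}
    for old, new in old_to_new.items():
        new_to_old.setdefault(new, old)  # collisions are reported by audit_mapping

    def resolve(number):
        if number in old_to_new:       # old number: still the backend key
            return number
        return new_to_old.get(number)  # new number, or unknown -> None

    return resolve


def route_credit(beneficiary, old_to_new):
    """Decide whether an inbound credit can be posted or must be returned."""
    key = build_resolver(old_to_new)(beneficiary)
    if key is None:
        return ("return", "beneficiary account not found")
    return ("credit", key)


def audit_links(links, old_to_new):
    """Find links that no longer resolve and identifiers tied to several accounts."""
    resolve = build_resolver(old_to_new)
    dangling = []
    accounts_per_identifier = defaultdict(set)
    for identifier, account in links:
        key = resolve(account)
        if key is None:
            dangling.append((identifier, account))
        else:
            accounts_per_identifier[identifier].add(key)
    multi_linked = {i: sorted(k) for i, k in accounts_per_identifier.items() if len(k) > 1}
    return {"dangling": dangling, "multi_linked": multi_linked}


if __name__ == "__main__":
    print("mapping:", audit_mapping(OLD_TO_NEW))
    print("links:  ", audit_links(LINKS, OLD_TO_NEW))
    print("credit to NEW-7002:", route_credit("NEW-7002", OLD_TO_NEW))
    print("credit to NEW-9999:", route_credit("NEW-9999", OLD_TO_NEW))
```

In a real audit the two tables would be pulled from the core banking system and the channel systems (NEFT, mobile banking, card management) rather than constructed, and every hit from `audit_mapping` and `audit_links` would be a customer-facing defect of exactly the kind described above: a returned remittance, a mobile alert that never arrives, or a card or signature that cannot be matched to its account.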

There is therefore a need for RBI to carry out an information security audit of the Corporation Bank system pertaining to the migration of accounts from the old numbering to the new. Additionally, the shareholders of the Bank should demand that the management explain whether the decision to change the system was warranted by any business requirement or was the result of somebody pulling the right strings.

Naavi


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.

3 Responses to RBI should do a security audit of Corporation Bank's new IT system

  1. Anon_India says:

    Dear Sir,
    Another concerning piece of news came to light on 6th November.
    Websites of the Indian embassy in 7 countries have been hacked and the database details have been put on Pastebin. The websites contained a simple SQL injection vulnerability. The administrator passwords have been exposed too; the passwords had not even been hashed, showing the poorest security practice at work.
    Is this our approach to 'Digital India'?
    Just digitize everything and leave security to God's mercy?
    The link for your reference: http://thehackernews.com/2016/11/indian-embassy-hacked.html

  2. Mohansankar PV says:

    Yes, I agree with the observations of the author in the article. Customers are facing a lot of problems in renewing deposits and closing loan accounts, thereby ending up paying more interest. The Bank is also unable to pay interest for the delayed period of renewal of deposits. NEFT and RTGS transactions are not going through and alerts are not coming on mobile phones. The mobile apps like Corp e-Passbook and Corp Mobile are not working. The Bank is not at all responding to mails and complaints. It is a distressing scene in the branches and branch heads are helpless. Hope it will come out of these problems fast and the culprits for this decision may be punished.

  3. Yesterday and today (18th Sept 2017) there has been a sudden spurt in the views of this article. Thousands of people are viewing it. I do not know what has prompted this sudden interest. If somebody can clarify, it will be nice.
