HDFC CASE:- SECURING ONLINE BANKING
Section C, Group 1
1. Rohit Patidar-31
2. Siddharth Dixit-56
3. Sudipto Das-63
4. Tarun Acharya-68
5. Varun Sharma-75
6. Vasudev Kaushik-76
INDIAN BANKING INDUSTRY
• REGULATED BY THE RESERVE BANK OF INDIA.
• CONSISTED OF FIVE TYPES OF BANKS:
  • Public Sector Banks (PSBs)
  • Private Sector Banks
  • Regional Rural Banks (RRBs)
  • Cooperative Banks
  • Foreign Banks
• PSB OPERATIONS WERE LARGELY BRANCH BASED AND BURDENED BY LEGACY SYSTEMS, WHICH RESULTED IN LOW RESPONSE TIMES.
• NEW GENERATION PRIVATE BANKS WERE ABLE TO PROVIDE 24/7 SERVICE BY DEPLOYING SELF-SERVICE CHANNELS.
• IN MARCH 2004 RBI MANDATED THAT ALL TRANSACTIONS IN EXCESS OF RS. 100,000 GO THROUGH RTGS (REAL TIME GROSS SETTLEMENT SYSTEM).
HDFC BANK
• Commenced operations in January 1995, promoted by Housing Development Finance Corporation (HDFC).
• Started offering online banking services in 2001 after the publication of guidelines by RBI.
• Had an income of Rs. 84.1 billion and profit after tax of Rs. 11.4 billion in 2006.
• 10 million customers as of March 2007, of which 4.6 million were savings account holders.
• Three business segments:
  • Retail Banking – banking services to individual customers.
  • Wholesale Banking – commercial and transactional banking to corporate clients.
  • Treasury – foreign exchange, derivatives, debt securities, equity.
• Focussed on semi-urban and under-banked markets, with 64% of branches outside the top nine Indian cities.
IS IN THE BANKING INDUSTRY
• 2.52 million internet subscribers and 38.5 million users in India in 2006.
• Banking industry fundamentally compatible with IS demands:
  • Banks are used to assessing and monitoring risk and can learn to cope with emerging IS risks.
  • Banks have generated trust over a period of time, which is critical in maintaining relationships and important for both offline and online banking.
• Traditional banks find it easier to attract customers than pure-play online banks.
• Satisfaction with the online experience influenced decisions to switch online accounts, while offline retail customers did not switch.
ISSUES WITH IS
Five main criteria for a secure IS:
• Authentication: Identify the user
• Authorization: Customer is authorized to conduct the transaction
• Privacy: Data remains private and unseen by third parties
• Integrity: Data is correct
• Non-repudiation: Proof that the transaction has been initiated by the user
CUSTOMER CONVENIENCE VS SECURITY
• Customer Convenience: Important for expanding market share
• Security: Required to maintain trust
• Authentication: Balance between “What customer knows” and “What customer has”
• Additional checkpoints created based on past history of transactions
  • Checkpoints include: number of transactions in excess of a typical number, types of transactions, etc.
  • Each checkpoint creates an additional layer of security/verification in case of detection.
• False Positive Identification: Identifying genuine users/transactions as “risky” or fraudulent
  • Part of any IS system; needs to be reduced to an acceptable level
  • False Positive Identification rate: Effective vs Paranoid system
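The checkpoint and false-positive trade-off on this slide, worked through as an added example (not part of the original presentation or of HDFC's system). The checkpoint names, the two threshold settings and the sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    day: int             # day index
    amount: float        # rupees
    kind: str            # transaction type
    payee: str
    fraud: bool = False  # ground-truth label, used only for scoring

def build_profile(history):
    """Summarise a customer's past transactions into a profile."""
    per_day = {}
    for t in history:
        per_day[t.day] = per_day.get(t.day, 0) + 1
    amounts = [t.amount for t in history]
    return {"typical_per_day": max(per_day.values()),
            "mean_amount": mean(amounts), "sd_amount": pstdev(amounts),
            "kinds": {t.kind for t in history},
            "payees": {t.payee for t in history}}

def checkpoints(txn, profile, count_today, amount_sigmas):
    """Return the names of the checkpoints this transaction trips."""
    hits = []
    if count_today > profile["typical_per_day"]:
        hits.append("count_above_typical")
    if txn.kind not in profile["kinds"]:
        hits.append("unusual_type")
    if txn.payee not in profile["payees"]:
        hits.append("new_payee")
    limit = profile["mean_amount"] + amount_sigmas * profile["sd_amount"]
    if txn.amount > limit:
        hits.append("amount_above_profile")
    return hits

def evaluate(history, incoming, min_hits, amount_sigmas):
    """Flag incoming transactions; return (flagged, fp_rate, detection_rate)."""
    profile = build_profile(history)
    seen_today, flagged = {}, []
    for t in incoming:
        seen_today[t.day] = seen_today.get(t.day, 0) + 1
        hits = checkpoints(t, profile, seen_today[t.day], amount_sigmas)
        if len(hits) >= min_hits:
            flagged.append((t, hits))
    genuine = [t for t in incoming if not t.fraud]
    fraud = [t for t in incoming if t.fraud]
    fp = sum(1 for t, _ in flagged if not t.fraud)
    tp = sum(1 for t, _ in flagged if t.fraud)
    return flagged, fp / len(genuine), tp / len(fraud)

# Constructed sample data: one customer's history and a later batch.
HISTORY = [
    Txn(1, 1000, "bill_pay", "electricity"), Txn(1, 3000, "transfer", "sibling"),
    Txn(2, 2000, "transfer", "sibling"), Txn(3, 1000, "bill_pay", "phone"),
    Txn(4, 3000, "transfer", "sibling"), Txn(5, 2000, "bill_pay", "electricity"),
]
INCOMING = [
    Txn(6, 2500, "bill_pay", "electricity"),
    Txn(6, 3000, "transfer", "sibling"),
    Txn(7, 1500, "transfer", "dentist"),             # genuine, but a new payee
    Txn(7, 40000, "transfer", "acct-9001", fraud=True),
    Txn(7, 1000, "bill_pay", "phone"),               # third transaction that day
    Txn(8, 2500, "card_load", "acct-9002", fraud=True),
]
# Assumed settings: "effective" needs two checkpoints to agree and a wide
# amount band; "paranoid" stops on any single checkpoint with a narrow band.
EFFECTIVE = {"min_hits": 2, "amount_sigmas": 3}
PARANOID = {"min_hits": 1, "amount_sigmas": 1}

if __name__ == "__main__":
    for name, cfg in (("effective", EFFECTIVE), ("paranoid", PARANOID)):
        flagged, fp_rate, det_rate = evaluate(HISTORY, INCOMING, **cfg)
        print(f"{name}: false-positive rate {fp_rate:.2f}, detection {det_rate:.2f}")
        for t, hits in flagged:
            print(f"  day {t.day} Rs.{t.amount:.0f} -> {', '.join(hits)}")
```

On this constructed sample both settings catch the two fraudulent transactions, but the paranoid setting also stops three of the four genuine ones.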
[Chart: Indian Internet User Statistics. Country: India; x-axis years 2000 to 2009; y-axis 0 to 90,000,000.]
[Chart: Number of Phishing Attacks]
SECURITY CHALLENGES IN ONLINE BANKING
• Phishing: Stealing of user ID and password.
• Saved Username & Password: Online browsers save passwords for the user’s convenience. This is a threat if the computer is lost.
• Hacking into Bank’s Database: Hackers able to get access to the bank’s database (consumer files).
• Viruses: Viruses created by hackers are malicious code which can infect the target user and get login credentials.
SECURITY ISSUES UNIQUE TO INDIAN E-BANKING
Access Control:
User ID and password generation schemes determine the level of Internet banking security to a great extent, and many banks’ schemes are lacking.
Security of Data in motion:
Banks use Secure Sockets Layer (SSL) encryption to secure data in motion. Many banks, including HDFC, are using older versions of SSL that have known vulnerabilities, making them susceptible to attacks.
System Design:
Many banks’ anti-phishing mechanisms are themselves a cause for concern. HDFC Bank’s anti-phishing mechanism can be used to reveal whether an account number is valid or invalid.
Lag in timely renewal of digital certificates:
Banks are laggards in the timely renewal of digital certificates.
CHALLENGES IN IMPROVING INTERNET SECURITY
• Phishing is one of the most common online frauds in developed countries like the US, where one in every 115 customers had lost money in 2006 due to phishing.
• In India, a phishing attack came to light in August 2007 and HDFC was quick to take corrective measures. It signed on with RSA Security.
• The bank introduced a “cooling period”, which gives the bank time to check transactions.
• Along with ensuring security, Salvi also ensured that IS protocols were not so rigorous as to cause inconvenience to customers.
CUSTOMER CONVENIENCE
• The bank tried to strike a balance between keeping the IS transparent to the customer and making it effective from the bank’s point of view.
• Standard checks were done on each transaction, irrespective of its size.
• Also, any transaction which is not in conformity with the customer’s profile would raise a red flag.
• The customer wants the system to be simple but, at the same time, trustworthy.
SECURE ACCESS
• Salvi was planning to introduce a 2nd level of authentication for all online users.
• Another point here was asking each customer to add the list of account holders with whom their transactions will be regular.
• One more thing to think about was whether to provide secure access to all online users or to limit this to only active users.
SERVER LOCATION
• The new IS infrastructure requires the bank to have 2 types of servers:
  • Authentication servers
  • Online servers
• The dilemma here was whether to locate the servers onsite or offsite, hosted by an IS vendor for a fee.
• Also, as done by RSA Security, HDFC can opt for cloud computing, which has multiple options for network connectivity, i.e. Internet, dedicated bandwidth or a proxy server.
SERVER LOCATION: COMPARATIVE ANALYSIS
(Onsite Server vs Offsite Server vs Cloud Computing)

Cost
• Onsite Server: Highest. Local infrastructure, high initial investment spread over a long term
• Offsite Server: Moderate. Due to servers based outside, initial investment not that high
• Cloud Computing: As per usage. Shift the expenses to variable cost. Low initial investment

Reliability
• Onsite Server: Highest. Close control of data and infrastructure
• Offsite Server: Moderate. The link between the IS vendor and HDFC needs to be made secure and can be a point of vulnerability
• Cloud Computing: Least. Dependent on a lot of factors, potential points of systemic failure

Flexibility
• Onsite Server: Least. Fixed usage, does not change as per demand
• Offsite Server: Moderate. Is not as flexible as a cloud-based system
• Cloud Computing: Highest. Pay-by-use model, can handle demand fluctuations effectively

Scalability
• Onsite Server: Low. Huge cost involved in trying to scale up the server infrastructure
• Offsite Server: Medium – High. Time required to scale, to add or reduce the servers from the offsite location
• Cloud Computing: Highest. Scale more or less as per need

Adaptability
• Onsite Server: Rigid system. Hardware, software, network etc. are standalone units
• Offsite Server: Moderate. Independent services provided by the vendor
• Cloud Computing: Highest. Adapts as per the need and the service bouquet chosen by the client

Complexity
• Onsite Server: Highly complex. Training and development of IT personnel
• Offsite Server: Moderate. Depends on the enterprise solution taken by HDFC, but requires trained IT personnel
• Cloud Computing: Least. The enterprise solution provided by the vendor would be used, reducing complexity for HDFC

Miscellaneous
• Onsite Server: Least
• Offsite Server: Moderate. Using existing hardware, but requires a secure and reliable link between the server and HDFC offices. Additional bandwidth to be
• Cloud Computing: Highest. Additional cost required to ensure
RECOMMENDATION
• Have the online servers onsite at HDFC’s own data centres, while having the authentication servers off-site using an IS vendor
  • Utilize the IS vendor’s expertise in secure online banking
  • HDFC can concentrate on core banking activities
• HDFC is able to maintain the online servers regularly, reducing potential downtime.
• Low rate of systematic failure by having the online server as an onsite, integral part of the HDFC local area network.
• All sensitive data will be maintained by HDFC
• Need to secure the medium of communication between HDFC and the IS vendor
ADDITIONAL RECOMMENDATIONS
• Separate email ID with bank server: for high-profile clients
• Every transaction: governed by OTP/authorization
• Inform customer about the initiation of each transaction: app notification/SMS
Current Scenario of HDFC
Security measures taken by HDFC currently
• Login Security
A valid Customer ID and a corresponding IPIN are provided to each customer for online banking, without which they cannot log in to their online account.
• IPIN Security
It is a randomly generated number delivered on tamper-proof media.
The IPIN is to be changed by the customer immediately on registering, to avoid compromise before delivery.
It is encrypted so that not even the system administrator can access it.
IPIN registration can only be done online, using only debit card details and OTP.
• Session Security
The online session of a customer will be timed out and they will be logged out of their net banking account on prolonged inactivity.
• Verisign certified.
• EVSSL certified.
• Virtual Keyboard
This protects the customer’s IPIN from being compromised using keylogger software.
• Insta-Alerts
Instant SMS/emails sent to customers to cross-check transactions made on their accounts.
• Security Solutions
State-of-the-art solution technologies, for example firewalls, anti-malware, intrusion detection systems and intrusion prevention systems.
• Security Teams
Skilled people working round the clock to handle any problems that might arise
THANK YOU


Editor's Notes

  • #10: The Clampi virus, which spread across thousands of computers in Great Britain and the United States, captured customers' credit card passwords and login information when they logged into some online bank websites, so that the attackers could access their information and make purchases on their behalf.