2. Agenda
• About Customer Touch Points
• What are Basic Security Concerns or Risks
• Security Concerns at Different Touch Points
• What are Basic Risk Mitigation Measures
• Risk Mitigation at Different Touch Points
• Some Regulatory Measures
• Q & A
3. What are Customer Touch Points?
• A Point Where
– Customer Touches a Bank or Bank Touches a Customer
for
– Service Access or Service Delivery
• Examples of Services
– Exchange of Information
– Transactional
– Relationship Development / Management
5. What are Customer Touch Points?
• Examples of Other Touchpoints
– Relationship Manager
– Call Center
– Cheques, Receipts, Account Statements
– Events
– Offerings
– E-mails
– Other correspondence
6. Why So Many Customer Touch Points?
• Technology Driven Causes
– Rapid Innovation
– Rapid Penetration into all segments of Society
– Rapid Adoption by a Variety of Businesses and Government
• Business Driven Causes
– Drastic Reduction in Cost of Services
– Competitive Pressures
– Real Danger of Elimination
7. What are Basic Security concerns of Banks and Customers?
• THEFT
AND
• DESTRUCTION
8. What are Basic Security concerns of Banks and Customers?
• THEFT
– DATA
– RESOURCES / ASSETS
• DESTRUCTION
– DATA
– RESOURCES / ASSETS
– REPUTATION
10. Some Recent Examples
Date        Sr no.  Security Breach Example
28-02-2013  1       14 GB of Bank of America data hacked. It contained sensitive information about hundreds of thousands of its employees, globally.
            2       Botnets are being legally sold on the Internet for as low as $25 for 1000 hosts.
06-03-2013  3       Websites of the Czech Central Bank and Stock Exchange crippled by brute-force DDoS attack.
            4       NY police announce that cyber crime is the fastest growing crime in NY (more than 50%). The largest number of crimes consist of:
                    - Rigging of ATMs
                    - Card Skimming
11. Some Recent Examples
Date        Sr no.  Security Breach Example
06-03-2013  5       According to HP, mobile phone vulnerabilities rose significantly (68%) from 2011 to 2012.
            6       The following are highly vulnerable:
                    - Mobile phone payments
                    - Tap and Pay ‘Near Field Communication’ (NFC)
                    - Digital Wallets
                    (Source: Samsung, Blackberry, McAfee)
08-03-2013  7       Mr Rajesh Aggarwal, IT Secretary, Government of Maharashtra, ordered PNB to pay Rs45 Lakhs to Mr Manmohansingh Matharu, MD, Poona Auto Ancillaries, as he lost Rs80L by responding to a phishing email.
12. Some Recent Examples
Date        Sr no.  Security Breach Example
11-03-2013  8       Reserve Bank of Australia’s networks were hacked repeatedly. They were found to be infiltrated by Chinese malware.
            9       Two tech-savvy brothers from Mumbai, Mr Fazrur Rehman (26) and Shahrukh (23), both college dropouts, arrested for Rs 1 cr e-fraud by Mulund Police. They managed to transfer Rs 1 cr from the current a/c of a cosmetics co. to 12 different bank a/cs within 45 minutes, using just a smartphone.
13. Some Recent Examples
Date        Sr no.  Security Breach Example
27-03-2013  10      A new malware called ‘Dump Grabber’ scans the memory of POS terminals and ATMs, captures track 1 and track 2 data and sends it to a remote server. The malware can be installed remotely. It has affected all major US banks such as Chase, Capital One, Citibank, Union Bank of California etc.
28-03-2013  11      Cyber attacks meant for ‘Destruction’ rather than ‘Disruption’. American Express customers could not access their accounts today for 2 hrs. Last week it happened to J P Morgan Chase. 32,000 computers of South Korean banks were incapacitated last week.
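The ‘Dump Grabber’ item above describes a memory scraper that lifts track 1 and track 2 data from POS/ATM memory and ships it to a remote server. The following Python check is an added example (not code from the presentation) of what a defender would run over a captured memory region or an outbound payload to spot card track data before it leaves the network: it recognises the magnetic-stripe framing, Luhn-validates the PAN, rejects malformed expiry fields, and reports only a masked PAN. The sample buffer, the test PANs and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Track 2 as written on the magnetic stripe: ;PAN=YYMMSSS<discretionary>?
# (PAN 13-19 digits, '=' separator, 4-digit expiry YYMM, 3-digit service code)
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Track 1: %B<PAN>^<NAME>^YYMMSSS<discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\??")


@dataclass
class Finding:
    track: int          # 1 or 2
    masked_pan: str     # first 6 + last 4 digits only; the full PAN is never reported
    expiry: str         # YYMM exactly as carried on the card
    service_code: str
    offset: int         # byte offset of the record in the scanned buffer


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def expiry_ok(yymm: str) -> bool:
    return 1 <= int(yymm[2:]) <= 12


def scan_buffer(buf: bytes) -> list[Finding]:
    """Return every Luhn-valid, well-formed track 1 / track 2 record found in buf."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan, exp, sc = (m.group(i).decode() for i in (1, 3, 4))
        if luhn_ok(pan) and expiry_ok(exp):
            hits.append(Finding(1, mask_pan(pan), exp, sc, m.start()))
    for m in TRACK2_RE.finditer(buf):
        pan, exp, sc = (m.group(i).decode() for i in (1, 2, 3))
        if luhn_ok(pan) and expiry_ok(exp):
            hits.append(Finding(2, mask_pan(pan), exp, sc, m.start()))
    return hits


# Constructed sample "memory dump": two real-format records built from the public
# Visa/Mastercard test PANs, plus three decoys that must NOT be reported.
SAMPLE_BUFFER = (
    b"\x00\x17PROCESS-HEAP\x00txn_id=A20130327\x00"
    b"%B5500000000000004^DOE/JOHN^25121010000000000?\x00\x00"   # track 1 record
    b"Order 4111111111111111 confirmed\x00"                      # bare PAN, no stripe framing
    b";1234567890123456=2512101000000?\x00"                      # PAN fails Luhn
    b";4111111111111111=2513101000000?\x00"                      # expiry month 13: malformed
    b";4111111111111111=2512101123456?\x00\xff\xfe"              # track 2 record
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_BUFFER):
        print(f"track {f.track} at offset {f.offset}: {f.masked_pan} exp {f.expiry} sc {f.service_code}")
```

A bare PAN without stripe framing is deliberately not reported here, so a broader DLP rule would add a separate PAN-only pattern with its own false-positive controls.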
14. Some Recent Examples
Date        Sr no.  Security Breach Example
25-04-2013  12      A new virus has been found to be spreading widely in Indian cyberspace. It cleverly steals bank account details and passwords. This advisory was issued by CERT-IN (Computer Emergency Response Team – India) today.
16. What are Basic Security concerns of Banks and Customers?
• THEFT
– DATA
• Credentials
• Account Details
• Account Balances
• Non Account Balances
• Other Data from Customer PCs / Mobiles &
• Entire Databases
17. What are Basic Security concerns of Banks and Customers?
• THEFT
– RESOURCES / ASSETS
• Customer Cash
• Bank Cash
• Instruments
• Cards
• POS Terminals
• ATMs
• Documents
• Contents of SD Lockers
• Network Components
• IT Infrastructure &
• Other Assets
18. What are Basic Security concerns of Banks and Customers?
• DESTRUCTION
– DATA
• Web sites and Portals
• Account Details
• Account Balances
• Non Account Balances
• Other Data from Customer PCs / Mobiles &
• Entire Databases
19. What are Basic Security concerns of Banks and Customers?
• DESTRUCTION
– RESOURCES / ASSETS
• Customer Cash
• Bank Cash
• Blank Instruments
• Blank Cards
• POS Terminals
• ATMs
• Documents
• Contents of SD Lockers
• Network Components
• IT Infrastructure &
• Other Assets
23. Security concerns at Touch points - ATM
• THEFT
– DATA
• Credentials
• Card Data
• Account Balances (Money, Equity, Units, etc.)
– ASSETS
• Debit Card
• Credit Card
• Cash (Customer, Bank)
• ATM
• Other Fixtures
• DESTRUCTION
– ASSETS
• ATM
• ATM Center
• Cash (Bank)
• Other Fixtures
24. Security concerns at Touch points - POS
• THEFT
– DATA
• Credentials
• Card Data
– ASSETS
• POS Terminal
• DESTRUCTION
– ASSETS
• POS Terminal
– REPUTATION
• Retailer credibility with Banks
25. Security concerns at Touch points – Net Banking
• THEFT
– DATA
• Credentials
• Account Details
• Account Balances
• Other data from customer PC
– ASSETS
• Customer (Money, Equity, Units, etc.)
• Account Mis-use
• DESTRUCTION
– DATA
• Individual Related Data
• Entire Databases
• Customer PC Data
– ASSETS
• Bank's Portals
• Network Components
• Networks
• Ransomnets
– REPUTATION
• Defamation (Disfigured Portals)
• Availability
• Credibility
• Reliability
• Goodwill
26. Security concerns at Touch points – MOBILES
• THEFT
– DATA
• Credentials
• Account Details
• Account Balances
• Other data from customer mobile
– ASSETS
• Cash from digital or mobile wallets
• Customer (Money, Equity, Units, etc.)
• Account Mis-use
• Mobile unit
• SIM Cards
• Memory cards
• DESTRUCTION
– DATA
• Individual Related Data
• Entire Databases
• Customer Mobile Data
– ASSETS
• Bank's Portals
• Digital / mobile Wallets
– REPUTATION
• Defamation (Disfigured Portals)
• Availability
• Credibility
• Reliability
• Goodwill
27. Security concerns at Touch points – PAYMENT GATEWAY
• THEFT
– DATA
• Credentials
• Account Details
• Account Balances
• Other data from customer PC
• DESTRUCTION
– REPUTATION
• Defamation (Disfigured Portals)
• Availability
• Credibility
• Reliability
• Goodwill
28. Security concerns at Touch points – Bank Branch
• THEFT
– DATA
• Credentials (Signatures)
• Account Details
• Account Balances
– ASSETS
• Cheques
• Cash (Customer, Bank)
• Safe Deposit Vaults
• Physical documents (FD Receipts, Shares / Debentures, etc.)
• DESTRUCTION
– DATA
• Branch Data
– ASSETS
• IT Infrastructure
• Other Branch infrastructure
• Safe deposit vaults
• Staff
• Customers
• Premises
– REPUTATION
• Reliability (SD Vaults)
• Availability (When reopen?)
• Credibility (Safe to visit?)
37. Risk Mitigation Measures - Prevention
• RECOVERY
– BUSINESS CONTINUITY
• DR Site
• Redundancy
• Hot-swappable Devices
• DR and BC Policies
• Training
• Simulations
– REPUTATION
• Publicity
• Transparency
• Speed of Action
• Hard Decisions
38. Security and Role of Regulators
• Who are the Regulators?
• Why are they concerned about Security?
39. What are Basic Security concerns of Regulators?
• Legal and regulatory issues
• Security and technology issues
• Supervisory and operational issues
• Impact on Monetary Policy
40. What are Basic Security concerns of Regulators?
• Legal and regulatory issues
– The jurisdiction of law
– Validity of electronic contracts, including the question of repudiation
– Gaps in the legal / regulatory environment for electronic commerce
41. What are Basic Security concerns of Regulators?
• Security and Technology Issues
– Questions of adopting internationally accepted state-of-the-art minimum technology standards for
• access control,
• encryption / decryption (minimum key length etc.),
• firewalls,
• verification of digital signatures,
• Public Key Infrastructure (PKI) etc.
– The security policy for the banking industry
– Security awareness and education
42. What are Basic Security concerns of Regulators?
• Supervisory and Operational Issues
– Risk control measures
– Advance warning system
– Information Technology audit
– Re-engineering of operational procedures
– Whether the nature of products and services offered is within the regulatory framework, and
– Whether the transactions camouflage money-laundering operations
43. What are Basic Security concerns of Regulators?
• Impact on Monetary Policy
– When and where private sector initiative produces electronic substitution of money, like
• e-cheques,
• account based cards,
• digital coins,
• M-Wallets,
• Cash Cards,
• Non account based cards,
• e-money transfers with physical cash payments etc.
44. Some Recent Policy Recommendations BY RBI
Target Date  Sr no.  Recommendation
30-06-2013   1       All new debit and credit cards to be issued only for domestic usage unless international use is specifically sought by the customer. Such cards enabling international usage will have to be essentially EMV Chip and PIN enabled.
30-06-2013   2       Issuing banks should convert all existing MagStripe cards to EMV Chip cards for all customers who have used their cards internationally at least once (for/through e-commerce/ATM/POS).
45. Some Recent Policy Recommendations BY RBI
Target Date  Sr no.  Recommendation
30-06-2013   3       Banks should ensure that the terminals installed at merchants for capturing card payments (including the double swipe terminals used) are certified for PCI-DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard).
30-06-2013   4       Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors / aggregators and large merchants.
46. Some Recent Policy Recommendations BY RBI
Target Date  Sr no.  Recommendation
ASAP         5       Banks should move towards a real-time fraud monitoring system at the earliest.
ASAP         6       Banks should provide easier methods (like SMS) for the customer to block his card and get a confirmation to that effect after blocking the card.
47. Some Recent Debit Card Recommendations BY RBI
Target Date  Sr no.  Recommendation
Immediately  1       Banks may issue only online debit cards, including co-branded debit cards, where there is an immediate debit to the customer’s account and where straight-through processing is involved.
Immediately  2       No bank shall dispatch a card to a customer unsolicited, except in the case where the card is a replacement for a card already held by the customer.
Immediately  3       The terms shall put the cardholder under an obligation not to record the PIN or code in any form that would be intelligible or otherwise accessible to any third party if access is gained to such a record, either honestly or dishonestly.
48. Some Recent Debit Card Recommendations BY RBI
Target Date  Sr no.  Recommendation
Immediately  4       No cash transactions through debit cards should be offered at the Point of Sale under any facility without prior authorization of the Reserve Bank of India under Section 23 of the Banking Regulation Act, 1949.
Immediately  5       The bank shall ensure full security of the debit card. The security of the debit card shall be the responsibility of the bank, and the losses incurred by any party on account of breach of security or failure of the security mechanism shall be borne by the bank.
Immediately  6       The banks should undertake a review of their operations / issue of debit cards on a half-yearly basis. The review may include, inter alia, card usage analysis including cards not used for long durations due to their inherent risks.
49. Some Recent Debit Card Recommendations BY RBI
Target Date  Sr no.  Recommendation
Immediately  7       The role of the non-bank entity under the tie-up arrangement should be limited to marketing / distribution of the cards or providing access to the cardholder for the goods / services that are offered.
Immediately  8       The card issuing bank should not reveal any information relating to customers obtained at the time of opening the account or issuing the card, and the co-branding non-banking entity should not be permitted to access any details of customers’ accounts that may violate the bank’s secrecy obligations.
51. ATM Security standards
Standard      Description
PCI PTS POI   Standard: PCI PIN Transaction Security Point of Interaction Security Requirements (PCI PTS POI); Version: 1.0; Date: January 2013; Author: PCI Security Standards Council.
PCI DSS       PCI SSC Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
52. ATM Security standards
Standard      Description
PCI PA-DSS    PCI SSC Payment Application Data Security Standard. This document is to be used by Payment Application Qualified Security Assessors (PA-QSAs) conducting payment application reviews, so that software vendors can validate that a payment application complies with the PCI DSS Payment Application Data Security Standard (PA-DSS). This document is also to be used by PA-QSAs as a template to create the Report on Validation.
53. ATM Security standards
Standard      Description
PCI PTS       PCI PIN Transaction Security Standard. This standard includes security requirements for vendors (PTS POI Requirements), device-validation requirements for laboratories (Derived Test Requirements), and a device approval framework that produces a list of approved PTS POI devices (against the PCI PTS POI Security Requirements) that can be referred to by brands’ mandates. The PCI PTS list is broken down into the following Approval Classes of devices: PIN Entry Devices (PEDs, standalone terminals), EPPs (generally to be integrated into ATMs and self-service POS devices), Unattended Payment Terminals (UPT), Secure Card Readers (SCRs), and Non-PIN-enabled (Non-PED) POS Terminals.