HDFC Bank: Securing Online Banking

• James Rapp

Managing Information Security in Information Systems

 

Summary

The importance of banking online has grown enormously in the past decade. Making for more profit and better convenience it is not likely to fade away anytime soon. This also presents some new hurdles for the online banking community. As the number of banking online customers increases the amount of criminal attacker will also increase. The bank recognizes this trend and therefore to maintain and even grow customer confidence and trust they develop ways to keep the customer data and money safe. The bank has to take on an enormous feet which is to protect customers and staff from the attacker and themselves. The banking security is only as strong as the end user of the terminal machine or the end user/customer using a credit/debit card. Throughout this paper I will present key facts and issues of this case then I will go through these issues giving alternative solutions and engaging in the pros and cons of those solutions.

Key Facts

• Operations for HDFC bank had first got up and running during the year 1995 of the month of January
• HDFC bank was one of the first banks to set up online banking.
• HDFC is a trusted name in banking, 2,544 branches, 9,333 ATMs, 1,399 towns & cities.
• HDFC Bank is one of the leading private banks in India
• HDFC identifies public key infrastructure, during PKI’s infancy, as a suitable technology to address security.
• In the Indian sector of banking there are basically 5 types of banks: private sector banks, regional rural banks, foreign banks, Co-operative banks, and public sector banks.
• Once RBI had published the guidelines on internet banking HDFC started its online services.
• For internal risk management HDFC bank used technology-intensive models.
• The data center and backup systems where held at two different geographical locations in Mumbai.
• RBI guidelines report banks should utilize the outside experts known as ethical hackers to penetrate systems, inspect infrastructure, and test physical access controls
• HDFC has made the commitment to bring new products and attract new customers while signing with RSA security, the US based provider of IS solutions.

Key Issues

1) Improving banks services to attract and keep new customers.

2) Throughout the banking authority maintain information security.

3) Continuity in business is essential, how to maintain it?

4) What are the security challenges in online banking?

5) What are the challenges faced by Salvi?

6) Compulsions at HDFC Bank.

7) Roadmap the chief information officer (CIO) can implement.

Key Issue 1: Improving banks services to attract and keep new customers.

Alternative Course Solution:

a) Making the banking experience as fast and efficient as possible. Bringing up-to-date technologies to the front doors of the customer. State of the art website, phone applications and ATM’s will bring the banking experience to new levels.

Pros:

• By utilizing these channels of communication between the bank and the customer a very nice freeway of information exchange begins to take shape.
• This is a very effective way to monitor customer transactions and to weed out the unauthorized user.

Cons:

• At the same time tracking customers can be an issue. Unless an efficient, effective protocol is established to track customers through these various channels it could become a headache and very difficult to manage.
• To achieve a protocol that makes exchanging data over numerous channels work will endure cost. The adding of such protocol’s and policies will likely put the price tag higher.

b) Taking an effective promotional stand will attract new customer and help boost the banks reputation helping to keep those customers.

Pros:

• Setting the stage with an effective promotional scheme will certainly attract and secure new customers
• When the customer numbers increase so shall the banks revenue stream. Bringing a happy bank and happy employees.

Cons:

• To develop and implement such a promotional scheme the bank will have to put out the money. Cost is always an issue when trying to improve you business.
• Reaching out to people and trying to attract new customers can back fire. If the promotion offends people, annoys people or if it is just done poorly then it could actually have the opposite effect and could eventually hurt the bank.

c) By making use of website, phone app’s, ATM etc. . . . the bank can connect with the customer in a personal, effective way.

Pros:

• Pulling off this venture will build the relationship between bank and customer. The banks rep will grow and that is a very positive thing.
• Having all of these channels through which the bank customer can use will provide a sense of anytime banking. Online, no problem, on the phone, no problem, on the road, no problem.

Cons:

• If everything is not perfectly setup than the customer satisfaction rate will definitely suffer in which the bank will suffer.
• Ultimately by receiving a bad banking experience the bank could lose customers.

Key Issue 2: Through the banking authority how to maintain information security?

Alternative Course Solution:

a) Keeping the personal data, confidential data out of the hands of non-authorized personal.

Pros:

• Keeping sensitive information such as home addresses, telephone numbers, social-security numbers out of unauthorized hands will prevent fraud in credit, debit and account information.
• By maintaining the personal data in-house it will also make for a more informed staff making for a better service and more complete work force.

Con:

• This security measure could hurt relationships. The sharing of information if done correctly could actually build a relationship and by taking this out of the equation it could actually prevent a great binding.
• The fact that an employee may use the information for a sinister purpose will always be a concern. The bank has to do the best they can with this type of in-house problem.

b) Using a strategy that employ’s ethical hackers to attempt penetration on systems and network infrastructure.

Pros:

• Will give the bank an awareness on which system programs are vulnerable to attack.
• Maintaining all personal info: home addresses, social security numbers and credit card numbers.

Cons:

• By using ethical hackers the bank put its sensitive information out there. It gives up very sensitive information, its secrets so to speak.
• When bringing in outside help the bank also brings in additional expenses. To hire an ethical hacker the price tag could be very large. A salary for an ethical hacker shows the story.

c) Maintaining software by way of updating and personal training.

Pros:

• By testing and keeping watch of your systems the bank will achieve the ultimate efficiency.
• System programs, web applications, data servers etc. . . . all will be extremely enhanced.

Cons:

• As we found with employing ethical hackers the price tag will no doubt go up.
• It is also possible that by taking this route the deliberate modification of some admin tools could take place.

Key Issue 3: Continuity in business is essential, how to maintain it?

Alternative Course Solutions:

a) Backing up data, being able to recover if the need should ever arise.

Pros:

• By backing up data the bank ensures itself in times of natural disaster, robbery, and any other type of event that could otherwise cause the bank to lose precious personal data.
• The fact the banking organizations have such a spread of devices and applications, channels of communication between the public having data backed up can make for a well programmed system in which real time information is received in a more-timely manner.

Cons:

• Having information especially sensitive information always bring the possibility of the misuse of such data.
• The data will be stored on databases and SQL injections and other database driven attacks will be a real threat.
• The cost to ensure the correct safety measures and data systems will go up.

b) Making use of geographically locations, having more than one location.

Pros:

• Like other pro’s the bank can attract more and a new variety of customers by utilizing numerous bank locations.
• The range of people the bank will reach will increase thus bringing in new customers.
• By having more locations than the banking organization can spread. In doing this the bank will bring in better network connections and new and long lasting customers.

Cons:

• If the bank does decide to invest in new locations that is exactly what they will have to do, invest. Putting out more money to open new locations, staff, devices, new protocols all add up.
• Deciding where to put these new branches could also be time consuming and costly. If a bank location go through and does not work out it would be like a money pit for the bank.

Key Issues 4: What are the security challenges in online banking?

Alternative Course Solutions:

a) Making sure the customers data is stored safe and soundly.

Pros:

• If this is done correctly the bank will gain a respectable reputation and with this will develop more customers.
• Having this much data and the type of data that it is can make for some pretty exciting and state-of-the-art systems.

Cons:

• This is a task that is a lot easier said than done. If the security systems that are put into place to hold this data is not completely secure data theft could be a real possibility.
• Holding this much data will bring with it the cost factor. The more data and the more complex the system gets the more money will be needed to develop and implement a secure database system.

b) Keeping a close relationship with the customer, not relying too much on automated systems.

Pros:

• Making the effort to still provide a personal experience for the customer brings a sense that the bank cares and that they understand in a personal way.
• By keeping the personal connection with the banking customer the bank itself can tell what the vibe is on the back, hear what is trending, and basically have a view that is from the other side, the customer side.

Cons:

• It is possible that by building such close bonds between bank staff and open public banking customer the bank opens up the door to insider attack.
• Employees that might have a negative view on the bank could reveal trade secrets, banking data, or sabotage.

Key Issues 5: What are the challenges faced by Salvi?

Alternative Solution Course:

a) Making HDFC a “World class Indian bank”.

Pros:

• This is a respectable ambition and it definitely sets the bar.
• Under the watch of Salvi the customer should know that customer care and satisfaction will be at the highest priority.

Cons:

• Putting this type of standard in the mix could affect decisions, in turn the customer could suffer.
• To become a World class bank HDFC must transform the offline user to the online user. This is obvious but it is also a costly and very cumbersome project.

b) Securing Online Banking.

Pros:

• Without question making the hard transition from offline banking to online banking will create a more efficient better class of bank.
• If Salvi can make online banking secure than growing into the world class bank should follow.

Cons:

• Online banking brings new security risks: authentication, authorization, privacy, integrity, and non-repudiation.
• The higher the banks reputation might actually make it a target for criminal trying to make a name for themselves.

c) Reducing false positives

Pros:

• This would help to not bother the law abiding, everyday banker.
• Over time the false positives should work themselves out and the banking system will be greater for it.

Key Issues 6: Compulsions at HDFC Bank.

Alternative Solution Course:

a) Keeping customers in the automated channel. ATMS, online banking, mobile devices etc. . .

Pros:

• This will provide customers with better services. By keeping up-to-date with the state-of-the-art technologies the bank keeps efficiency at an all-time high.
• This can attract new customers they like the fact that they can do banking business from the safety of their homes.

Cons:

• The one-to-one bank teller to customer relationship gets forgotten about.
• Most Indian Bankers are familiar with the one-to-one banking, they like the personal service.

b) Increasing customers

Pros:

• The more customers the more money/revenue the bank will receive.
• Growth, gain, and prosperity are some key virtues of a bank and with this in mind HDFC should always be on top of their game.

Cons:

• Always promoting, reaching out to increase the customer rate the bank could lose focus on what their really there for.
• The more customers the more problems.

Key Issues 7: Roadmap the chief information officer (CIO) can implement.

Alternative Solution Course:

a) Secure the customer transition from offline to online banker.

Pros:

• This will grow the banks revenue, increase customers, making for a very efficient banking system.
• This has to be accomplish if Salvi will reach the ultimate goal of World Class Bank.

Cons:

• As is apparent phishing scams will come to light.
• With the online banking operation comes more security issues.
• Lose the personal relationship between customer and staff.

b) Secure online banking.

Pros:

• The online banker will feel more comfortable when doing business online.
• This is a step in the direction to become a world class bank.
• Will bring more with it a better reputation and more customers.

Cons:

• The cost will always be a negative aspect of any progress.
• With the online banking even if it is considered secure the criminal element will be more of an issue.

c) Evolve into the world class bank

Pros:

• This is the goal that Salvi wishes to reach and it is a prestige’s accomplishment.
• With this comes the attention to detail, finer service a World Class elegance.

Cons:

• With this with also bring the increasing of hardware and software maintenance, upkeep of websites, management of data centers.

References

Bose, Indranil. The University Of Honk Kong. “HDFC Bank: Securing Online Banking” Retrieved From: https://cb.hbsp.harvard.edu/cbmp/access/35744031. April 4, 2015

PayScale, Inc. 2015. “Average Salary for Certification: Certified Ethical Hacker (CEH)” Retrieved From: http://www.payscale.com/research/US/Certification=Certified_Ethical_Hacker_%28CEH%29/Salary

Rajpreet, Jassel. Ravinder, Sehgal. International Journal of Advanced Research in Computer Science and Software Engineering. “Online Banking Security Flaws: A study” Retrieved From: http://www.ijarcsse.com/docs/papers/Volume_3/8_August2013/V3I2-0257.pdf

Odyssey Technologies. “Implementing Transaction Security For HDFC Bank” Retrieved From: http://www.odysseytec.com/Documents/CaseStudies/HDFC_SnorkelTX_CaseStudy.pdf

1