Indian Banking Industry
- Regulated by the Reserve Bank of India (RBI).
- Consists of five types of banks: public sector banks (PSBs), private sector banks, Regional Rural Banks (RRBs), cooperative banks and foreign banks.
- PSB operations were largely branch based and burdened by legacy systems, resulting in low response times.
- New-generation private banks were able to provide 24/7 service by deploying self-service channels.
- In March 2004 the RBI mandated that all transactions in excess of Rs.100,000 go through RTGS (Real Time Gross Settlement system).
HDFC Bank
- Commenced operations in January 1995, promoted by Housing Development Finance Corporation (HDFC).
- Started offering online banking services in 2001, after the RBI published its guidelines.
- Income of Rs.84.1 billion and profit after tax of Rs.11.4 billion in 2006.
- 10 million customers as of March 2007, of which 4.6 million were savings account holders.
- Three business segments:
  - Retail Banking: banking services to individual customers.
  - Wholesale Banking: commercial and transactional banking to corporate clients.
  - Treasury: foreign exchange, derivatives, debt securities, equity.
- Focused on semi-urban and under-banked markets; 64% of branches are outside the top nine Indian cities.
IS in the Banking Industry
- 2.52 million internet subscribers and 38.5 million users in India in 2006.
- The banking industry is fundamentally compatible with IS demands: banks are used to assessing and monitoring risk and can learn to cope with emerging IS risks.
- Banks have generated trust over a period of time, which is critical in maintaining relationships and important for both offline and online banking.
- Traditional banks find it easier to attract customers than pure-play online banks.
- Satisfaction with the online experience influenced decisions to switch online accounts, while offline retail customers did not switch.
Issues with IS
Five main criteria for a secure IS:
- Authentication: identify the user.
- Authorization: the customer is authorized to conduct the transaction.
- Privacy: data remains private and unseen by third parties.
- Integrity: data is correct.
- Non-repudiation: proof that the transaction was initiated by the user.
Customer Convenience vs Security
- Customer convenience: important for expanding market share.
- Security: required to maintain trust.
- Authentication: a balance between "what the customer knows" and "what the customer has".
- Additional checkpoints are created based on the customer's past history of transactions. Checkpoints include the number of transactions exceeding a typical number, the types of transactions, etc.
- Each checkpoint that is triggered adds a further layer of security/verification.
- False positive identification: identifying genuine users/transactions as "risky" or fraudulent. It is part of any IS system and needs to be reduced to an acceptable level.
- The false positive identification rate is what separates an effective system from a paranoid one.
Number of Phishing Attacks (chart)
Security Challenges in Online Banking
- Viruses created by hackers are malicious code that can infect the target user's machine and capture login credentials.
Security Issues Unique to Indian E-Banking
- Access control: user ID and password generation schemes determine the level of Internet banking security to a great extent, and many banks' schemes are lacking.
- Security of data in motion: banks use Secure Sockets Layer (SSL) encryption to secure data in motion. Many banks, including HDFC, are using older versions of SSL that have known vulnerabilities, making them susceptible to attacks.
- System design: many banks' anti-phishing mechanisms are themselves a cause for concern. HDFC Bank's anti-phishing mechanism can be used to reveal whether an account number is valid or invalid.
- Lag in timely renewal of digital certificates: banks are laggards in renewing digital certificates on time.
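The system design point above (a verification endpoint whose reply reveals whether an account number is valid) is easiest to see in code. The following is an added example, not code from the case study or from HDFC Bank: a leaky account-verification function beside a hardened one that returns the same response for every input, delivers the real outcome only through the customer's registered channel, and logs and drops excess lookups from one requester. The account records, messages, lookup limit and function names are all constructed for illustration.

```python
"""
Added example (not from the case study or HDFC Bank's code): an account
verification endpoint that leaks whether an account number exists, beside a
version whose response is the same for every input. Account records, messages,
limits and function names are all constructed for illustration.
"""
import hmac
from collections import Counter

# Constructed sample records; a real endpoint would query the core banking DB.
ACCOUNTS = {
    "12345678901234": "customer-A",
    "98765432109876": "customer-B",
}
LOOKUP_LIMIT = 5          # constructed: lookups allowed per requester per window
notifications = []        # stands in for SMS/e-mail delivery to the customer
audit_log = []            # stands in for the bank's security event log
_lookups_by_requester = Counter()


def leaky_verify(account_no: str) -> dict:
    """The flaw the slide describes: the wording of the reply depends on
    whether the account exists, so the endpoint doubles as a validity oracle."""
    if account_no in ACCOUNTS:
        return {"status": "ok", "message": "Account verified, alert sent to customer"}
    return {"status": "error", "message": "No such account"}


def uniform_verify(account_no: str, requester: str) -> dict:
    """Hardened form: identical status and wording whatever the input, with
    the real outcome delivered only through the customer's registered channel,
    and excess lookups from one requester logged and dropped silently."""
    _lookups_by_requester[requester] += 1
    over_limit = _lookups_by_requester[requester] > LOOKUP_LIMIT
    if over_limit:
        audit_log.append(("lookup_rate_exceeded", requester))

    # Compare against every record so the amount of work done does not
    # depend on whether (or where) a match is found.
    matched = None
    for stored, owner in ACCOUNTS.items():
        if hmac.compare_digest(account_no.encode(), stored.encode()):
            matched = owner
    if matched is not None and not over_limit:
        notifications.append((matched, "A verification request was made for your account"))

    # One response for found, not found and throttled alike.
    return {"status": "ok",
            "message": "If the account exists, its holder has been notified"}


if __name__ == "__main__":
    print(leaky_verify("12345678901234"), leaky_verify("00000000000000"))
    print(uniform_verify("12345678901234", "kiosk-1"), uniform_verify("00000000000000", "kiosk-1"))
    print(notifications, audit_log)
```

The point of the hardened version is that a requester learns nothing from the reply itself, while the account holder still gets the alert and the bank's log still records unusual lookup volumes for follow-up.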
Challenges in Improving Internet Security
- Phishing is one of the most common online frauds in developed countries such as the US, where one in every 115 customers lost money to phishing in 2006.
- In India, phishing attacks came to light in August 2007, and HDFC was quick to take corrective measures: it signed on with RSA Security.
- The bank introduced a "cooling period", which gives the bank time to check transactions.
- Along with ensuring security, Salvi also ensured that IS protocols were not so rigorous as to cause inconvenience to customers.
Customer Convenience
- The bank tried to strike a balance between keeping the IS transparent to the customer and making it effective from the bank's point of view.
- Standard checks were done on each transaction, irrespective of its size.
- Any transaction not in conformity with the customer's profile would raise a red flag.
- Customers want the system to be simple but, at the same time, trustworthy.
Secure Access
- Salvi was planning to introduce a second level of authentication for all online users.
- Another point was asking customers to register the list of account holders with whom their transactions would be regular.
- One more thing to consider was whether to provide secure access to all online users or to limit it to active users only.
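The checkpoints, the cooling period, the profile-based red flag and the registered beneficiary list described on the last few slides fit together into one decision function. The following is an added example, not code from the case study or from HDFC Bank's systems: every transaction gets the standard check regardless of size; a transaction that deviates from the customer's own history is flagged and stepped up to a second factor; a payment to a beneficiary not on the registered list is held for a cooling period; and a replay of the customer's genuine history measures the false-positive rate at a given strictness, which is the "effective vs paranoid" trade-off in numbers. The limit, the cooling period, the statistical thresholds, the sample history and all names are constructed.

```python
"""
Added example (not from the case study or HDFC Bank's systems): a transaction
checkpoint engine of the kind the slides describe. Limits, the cooling period,
the sample history and all names are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

STANDARD_LIMIT = 1_000_000.0          # constructed per-transaction ceiling
COOLING_PERIOD = timedelta(hours=24)  # constructed hold for new beneficiaries


@dataclass
class Txn:
    when: datetime
    amount: float
    beneficiary: str
    kind: str                         # e.g. "transfer", "bill"


@dataclass
class Profile:
    history: list                     # the customer's past Txn records
    trusted: set = field(default_factory=set)  # registered beneficiaries


def checkpoint(txn: Txn, profile: Profile, sigma: float = 3.0) -> dict:
    """Return a decision (allow, step_up, hold or reject) and the checkpoints
    that fired. `sigma` sets how far from the customer's own norm a value
    must be before it is flagged: lower is stricter."""
    flags = []

    # 1. Standard check on every transaction, irrespective of size.
    if txn.amount <= 0 or txn.amount > STANDARD_LIMIT:
        return {"decision": "reject", "flags": ["standard_check"], "release_after": None}

    hist = profile.history
    # 2. Amount compared with the customer's own history.
    amounts = [t.amount for t in hist]
    if len(amounts) >= 5 and txn.amount > mean(amounts) + sigma * pstdev(amounts):
        flags.append("amount_outlier")

    # 3. Number of transactions today against the typical daily number.
    per_day = list(Counter(t.when.date() for t in hist).values())
    if per_day:
        today = 1 + sum(1 for t in hist if t.when.date() == txn.when.date())
        if today > mean(per_day) + max(sigma * pstdev(per_day), 1.0):
            flags.append("daily_count_exceeded")

    # 4. A type of transaction the customer has never made before.
    if hist and txn.kind not in {t.kind for t in hist}:
        flags.append("new_transaction_type")

    # 5. Beneficiary outside the registered list: hold for the cooling period.
    release_after = None
    if txn.beneficiary not in profile.trusted:
        flags.append("unregistered_beneficiary")
        release_after = txn.when + COOLING_PERIOD

    if not flags:
        decision = "allow"
    elif release_after is not None:
        decision = "hold"
    else:
        decision = "step_up"          # ask for the second authentication factor
    return {"decision": decision, "flags": flags, "release_after": release_after}


def false_positive_rate(profile: Profile, sigma: float) -> float:
    """Replay each genuine past transaction against the rest of the history
    (leave-one-out) and report the fraction that would not simply be allowed."""
    flagged = 0
    for i, txn in enumerate(profile.history):
        rest = Profile(profile.history[:i] + profile.history[i + 1:], profile.trusted)
        if checkpoint(txn, rest, sigma)["decision"] != "allow":
            flagged += 1
    return flagged / len(profile.history)


def sample_profile() -> Profile:
    """Constructed history: one transfer a day for 20 days, Rs.2,000 to 2,400,
    alternating between two registered beneficiaries."""
    start = datetime(2007, 8, 1, 10, 0)
    hist = [Txn(start + timedelta(days=d), 2000 + 100 * (d % 5),
                "landlord" if d % 2 == 0 else "utility", "transfer")
            for d in range(20)]
    return Profile(hist, trusted={"landlord", "utility"})


if __name__ == "__main__":
    p = sample_profile()
    day21 = datetime(2007, 8, 21, 12, 0)
    print(checkpoint(Txn(day21, 2300, "landlord", "transfer"), p))
    print(checkpoint(Txn(day21, 50000, "landlord", "transfer"), p))
    print(checkpoint(Txn(day21, 2300, "new-shop", "transfer"), p))
    for s in (3.0, 1.0, 0.5):
        print(f"sigma={s}: false-positive rate {false_positive_rate(p, s):.2f}")
```

Tightening `sigma` makes the system catch smaller deviations but also starts flagging the customer's own routine payments; replaying genuine history through the same checkpoint is a simple way to put a number on that before a threshold goes live.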
Server Location
- The new IS infrastructure requires the bank to have two types of servers: authentication servers and online servers.
- The dilemma was whether to locate the servers onsite or offsite, hosted by an IS vendor for a fee.
- Also, as RSA Security does, HDFC could opt for cloud computing, which offers multiple options for network connectivity: the Internet, dedicated bandwidth or a proxy server.
Server Location: Comparative Analysis

| Criterion | Onsite Server | Offsite Server | Cloud Computing |
| --- | --- | --- | --- |
| Cost | Highest: local infrastructure; high initial investment spread over the long term | Moderate: servers are based outside, so the initial investment is not that high | As per usage: shifts expenses to variable cost; low initial investment |
| Reliability | Highest: close control of data and infrastructure | Moderate: the link between the IS vendor and HDFC needs to be secured and can be a point of vulnerability | Least: dependent on many factors, with potential points of systemic failure |
| Flexibility | Least: fixed usage, does not change with demand | Moderate: not as flexible as a cloud-based system | Highest: pay-by-use model handles demand fluctuations effectively |
| Scalability | Low: huge cost involved in scaling up the server infrastructure | Medium to high: time required to add or remove servers at the offsite location | Highest: scale up or down as needed |
| Adaptability | Rigid: hardware, software, network etc. are standalone units | Moderate: independent services provided by the vendor | Highest: adapts to the need and the service bouquet chosen by the client |
| Complexity | Highly complex: training and development of IT personnel | Moderate: depends on the enterprise solution taken by HDFC, but requires trained IT personnel | Least: the vendor's enterprise solution is used, reducing complexity for HDFC |
| Miscellaneous cost | Least: no additional cost required | Moderate: uses existing hardware but requires a secure, reliable link between the server and HDFC offices; additional bandwidth needed | Highest: additional cost required to ensure uptime at all locations |
Recommendation
- Have the online servers onsite in HDFC's own data centres, while having the authentication servers offsite with an IS vendor.
- Utilize the IS vendor's expertise in secure online banking, so HDFC can concentrate on core banking activities.
- HDFC is able to maintain the online servers regularly, reducing potential downtime.
- Low rate of systemic failure, by having the online server onsite as an integral part of HDFC's local area network.
- All sensitive data will be maintained by HDFC.
- The medium of communication between HDFC and the IS vendor needs to be secured.
Additional Recommendations
- Separate email ID on the bank's server for high-profile clients.
- Every transaction governed by OTP/authorization.
- Inform the customer about the initiation of each transaction via app notification/SMS.
Current Scenario of HDFC
Security measures currently taken by HDFC:
- Login security: a valid Customer ID and a corresponding IPIN are provided to each customer for online banking, without which they cannot log in to their online account.
- IPIN security: the IPIN is a randomly generated number delivered on tamper-proof media. It is to be changed by the customer immediately on registering, to avoid compromise before delivery. It is stored encrypted so that not even the system administrator can access it. IPIN registration can only be done online, using only debit card details and an OTP.
- Session security: a customer's online session is timed out, and they are logged out of their net banking account, on prolonged inactivity. VeriSign certified; EV SSL certified.
- Virtual keyboard: protects the customer's IPIN from being compromised by keylogger software.
- Insta-Alerts: instant SMS/emails sent to customers so they can cross-check transactions made on their accounts.
- Security solutions: state-of-the-art solution technologies, for example firewalls, anti-malware, intrusion detection systems and intrusion prevention systems.
- Security teams: skilled people working round the clock to handle any problems that might arise.
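The session time-out on this slide and the "every transaction governed by OTP" recommendation are two halves of the same server-side state. The following is an added example, not HDFC Bank's code: a session store that logs a customer out after a period of inactivity, and that gates each transaction on a one-time code which expires, is good for a single transaction, and locks after a few wrong attempts. OTP delivery is simulated by an in-memory outbox standing in for SMS; the time-outs, attempt limit, clock and names are constructed.

```python
"""
Added example (not HDFC Bank's code): a session store with an inactivity
time-out plus an OTP gate on every transaction. Time-outs, the attempt limit,
the clock helper and all names are constructed.
"""
import hmac
import secrets
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=10)   # constructed inactivity limit
OTP_TTL = timedelta(minutes=3)         # constructed OTP validity window
OTP_MAX_ATTEMPTS = 3                   # constructed wrong-code limit


def clock(minutes: int = 0) -> datetime:
    """Constructed clock: a fixed start time plus an offset in minutes."""
    return datetime(2007, 8, 21, 9, 0) + timedelta(minutes=minutes)


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> session state
        self.outbox = []      # (customer_id, code): stands in for SMS delivery

    def login(self, customer_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = {"customer": customer_id, "last_seen": now, "pending": None}
        return token

    def _active(self, token: str, now: datetime):
        """Return the session if it exists and has not idled out; otherwise
        drop it (the forced logout on prolonged inactivity) and return None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s

    def is_logged_in(self, token: str, now: datetime) -> bool:
        return self._active(token, now) is not None

    def start_transaction(self, token: str, now: datetime, amount: float, beneficiary: str) -> str:
        s = self._active(token, now)
        if s is None:
            return "session_expired"
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit one-time code
        s["pending"] = {"code": code, "expires": now + OTP_TTL, "attempts": 0,
                        "txn": (amount, beneficiary)}
        self.outbox.append((s["customer"], code))   # would go out over SMS
        return "otp_sent"

    def confirm_transaction(self, token: str, now: datetime, code: str) -> str:
        s = self._active(token, now)
        if s is None:
            return "session_expired"
        pending = s["pending"]
        if pending is None:
            return "nothing_pending"
        if now > pending["expires"]:
            s["pending"] = None
            return "otp_expired"
        pending["attempts"] += 1
        if hmac.compare_digest(code, pending["code"]):
            s["pending"] = None            # a code is good for one transaction only
            return "committed"
        if pending["attempts"] >= OTP_MAX_ATTEMPTS:
            s["pending"] = None            # customer must restart the transaction
            return "otp_locked"
        return "otp_wrong"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("customer-A", clock(0))
    print(store.start_transaction(tok, clock(1), 2500.0, "utility"))
    print(store.confirm_transaction(tok, clock(2), store.outbox[-1][1]))
    print(store.is_logged_in(tok, clock(30)))   # idle for 28 minutes
```

Keeping the pending code, its expiry and the attempt counter on the server side is what makes the OTP a real second factor: the client never holds anything that decides whether the transaction commits.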