Public Banks Fail To Plug It Security Holes

Information systems (IS) audits recommended by the central bank show that public and cooperative banks are not yet geared up to operate in an computerised environment. The Reserve Bank of India, which has initiated IS audits in computerised branches, received startling information, R B Barman, executive director, RBI, said.

Passwords have become public property. Software vendors often have free access to a branch's server. Consequently, internal and external persons not authorised to carry out certain tasks can and actually do them merrily under the garb of expediency. Back-ups are not taken regularly. If taken, the floppies are not kept at off-site locations.

Some banks are even giving free access to customers to view their bank accounts on computer terminals on the bank's system. Private and foreign banks have initiated customer accessibility through smart cards and personal identification numbers. But when branches of public banks permit customers accessibility on their own terminals networked to the system, they are inviting trouble, said Sharad D Varde, who has complied 24 out of a 100 case studies on information systems security in banks.

"Inadequate exposure to computer-based systems and insufficient awareness of computer-related threats among employees are the weakest links in our computerisation," said Varde, especially when billions of deposits of small investors are at stake.

As banking technology advances to offer new tools -- Internet banking, any branch banking, tele-banking, mobile ATM, digital signatures -- the move towards core banking solutions demands greater level of security. The danger of not having proper security in place or failure to undertake an information systems audit as recommended by the central bank could well lead to huge number of frauds among public banks, Anjay Agarwal, a chartered accountant and treasurer at ISACA, said.

The RBI has directed computerised bank branches to put in place an appropriate audit and security infrastructure for their IT systems --right from their hardware, software, networking, ATM, bank employees, their work habits under a computerised environment, which includes confidentiality of passwords, maintenance of control registers, back ups and all.

These actual case studies expose the numerous lacuna at the grassroot level and sometimes even at the head office level, leaving the doors open to frauds that can be several times larger than what takes place otherwise in a manual set-up. A government of India advertisement revealed that 98.5 per cent of organisations surveyed had experienced computer crimes.

Failure of branch managers to maintain confidentiality of their passwords has resulted in cases where temporary personnel hired by public sector banks were found to be stripping dormant accounts bit by bit regularly.

Reiterating what many IS audits have revealed, Baman said: "Banks have suffered quite a lot giving the job (outsourcing) to the software vendor". He was speaking at a one-day seminar on "Banks Survival in Digital Era", organised by Information Systems Audit and Control Association (ISACA) on Saturday.

Many branch-level computers are loaded with a lot of unauthorised software programmes installed through floppy or CD drives. Many types of software -- games and music -- are installed in computers, unrelated to banking, and most of which is pirated. Pirated software has two disastrous implications: one, untested for virus, it can spread the virus instantly to other terminals; two, it is illegal and under the IT Act 2000, and the Copyright Act 1999, the chief executive -- chairman, managing director, CEO or executive directors -- are held personally liable, said Varde in his case studies.