It in banking

IT IN BANKING INDUSTRY

KANDIVALI EDUCATION SOCIETY’S B.K. SHROFF COLLEGE OF ARTS

AND M.H. SHROFF COLLEGE OF COMMERCE

Bhulabhai Desai Road, Kandivali (West), Mumbai – 400067

CERTIFICATE

This is to certify that ABHISHEK B.PATOLE of

TY.BMS has successfully completed a project on TO STUDY “ it

in banking industry ” for the semester under the guidance of

the PROF. UMADEVI KOKKU during the Academic year

2011-2012.

Project Guide

Co-ordinator Principal

Internal Examiner External Examiner

College Seal

ABHISHEK B.PATOLE Page 1


KANDIVALI EDUCATION SOCIETY’SB.K. SHROFF COLLEGE OF ARTS

AND M.H. SHROFF COLLEGE OF

COMMERCE


DECLARATION

I ABHISHEK B.PATOLE from KES Shroff College Of

Arts & Commerce and a student of T.Y. BMS here submit my

project on TO STUDY “ it in banking industry ”

I also declare that the project which has been in the

partial fulfillment of the requirement of the Mumbai University is

the result of my efforts.



KANDIVALI EDUCATION SOCIETY’S B.K. SHROFF COLLEGE OF ARTS

ANDM.H. SHROFF COLLEGE OF

COMMERCE


PROJECT REPORT ON

“it in banking industry ” .

SUBMITTED BY

ABHISHEK B.PATOLE

TY.BMS SEMESTER V

SUBMITTED TOUNIVERSITY OF MUMBAI

PROJECT GUIDE

PROF. UMADEVI KOKKU

ACADEMIC YEAR 2010 - 2011



ACKNOWLEDGEMENT

The joy of ingenuity!!! This is doubtlessly what

this project is about. Before getting to brass tacks of things. I would like

to add a heartfelt word for the people who have helped me in bringing

out the creativeness of this project.

To commence with things I would like to take this

opportunity to gratefully and humbly thank to Prof.Umadevi kokku,

who has giving me an opportunity to undertake this project in IT in

Banking Industry.

My parent’s need special mentions here for their constant

support and love in my life. I also thank my friends and well wishers,

who have provided their whole hearted support to me in this exercise. I

believe that this Endeavor has prepared me for taking up new

challenging opportunities in future.



Sr no. Index Page

no.

Chap.1 Introduction 7-15

a. Objectives of the study

b. Limitations of the study

Chap.2 Review of literature 16-19

Chap.3 Research methodology 20-24

a. Primary data

b. Secondary data

Chap.4 Electronic cheques & evidentiary value 25-39

a. Future of plastic money

b. Leading issues in banking technology

Chap.5 Banking technology & frauds 40-73

a. Credit card frauds on internet

b. Information technology risk in

banking management &measurement

Chap.6 Data analysis 74-87

Chap.7 Conclusions 88-89

Chap.8 Suggestion 90-91

Chap.9 bibliography 92-93



Chapter- I

Introduction

Chapter -1. INTRODUCTION



The Indian Banking system has an old age legacy. Earlier there

were indigenous bankers who consisted mainly of unorganized

moneylenders, mahajans and sahukars. Later, when British came to

India they brought with themselves the concept of organized banking.

British while leaving India left behind large number of small and

privately held banks. In 1964, the first major banking reform took place

when 14 banks were nationalized. It led to the rising of Indian Public

Sector Banks. The second banking reform was witnessed in 1990s when

Indian Banking Sector underwent complete change after the

recommendations of the Narsimhan Committee. Private and MNC

banks entered banks entered into the Indian Banking arena and

challenged the monopoly of the PSU banks. The Private and MNC

banks brought new technologies and technology intensive services with

themselves. They rendered quality service, which PSU banks were not

providing, to service starved Indian customers. There were a series of

technological innovations and up-gradations, e.g., ATMs, Internet

Banking, credit cards and online banking, etc. Private banks and MNC

banks had to provide something extra and it was their service, which

attracted a bulk of customer from the PSU banks. Indian customers

were lacking the world-class service in baking; they were accustomed

to the PSU (Sarkari) culture and the service of Private and MNC banks

was a delight for them.

When private and MNC banks initiated the world class service to

their customers and started snatching customers from Public Sector

Banks, Public sectors banks were bound to follow the path of Private

Banks. The PSU banks felt the heat and realized their mistake. They



also followed the Private Banks in their technology initiatives and

services.

The Indian Banking Sector with the progress in Technology is

facing the biggest challenged of rapidly changing customer

expectations against the backdrop of LPG (Localization, Privatization

and Globalization). Retail banking clients today demand more care and

extra facilities. They want more mobility of investments, interactive

accounts, and better segmentation of banking products to cater to

different segmental needs, convenience and untimely hour services.

Even the PSU culture could not adjust to the pace of the new

technology and changes. At present also it is moulding and adapting

itself to new needs and the dynamism of the environment.

Technology is helping the Indian Banks to cater to customer

needs in a much more efficient manner continuous and error free

services to customers. With the help of computerization and the use of

modern software, which can be called the gift of technology, the banks

have been able to provide single window system to their customers. In a

single window system, all the needs of the customers are taken care at a

single counter. It is like a multipurpose counter where one can deposit

cheque, receive payments and deposit cash etc. This has been made

possible only due to the use of technology. Earlier one had to move

from one counter to the other counter for different sort of works. Thus

this type of service not only helps in better customer service but also

minimizes the customer service time as it avoids duplication of work

and unnecessary hassles to the customers. With the use of technology,

banks are trying to minimize there per customer service cost. According

to industry estimates, assume teller cost Re.1 per transaction, ATM



transactions cost Re.0.45, phone banking at Re.0.35, debit cards at

Re.0.20 and Internet banking at Re.0.10 per transaction. So, now the

emphasis is more on net banking then on real banking or brick and

mortar banking. Indian Banking system is moving from real banking

realm to virtual banking realm. Banks are establishing more and more

ATMs at different convenient locations and interconnecting these

ATMs not only with their networks but also with their partner banks.

Network with whom they have got mutual understanding for sharing

ATMs. With the least cost of Internet banking, banks are paying higher

emphasis on Internet banking.

As per IDC estimates, the total number of registered users for

Internet banking in India is over two million. But this figure needs to be

adjusted for dormant users and multiple accounts (a user having

accounts with more than one bank). India has one million active

Internet Users populations. Thus, this is just around 0.1% of the total

population; to represents 15% of the India’s Internet user (most of the

people in India use internet from cyber café). Thus, indicating that the

concept of Internet banking is surely catching on. India is far behind in

the use of Internet banking than the other Asian countries like Korea

and Singapore where nearly 10% of their population is banking over the

Internet but India is fast catching up. In India, the biggest drawback for

Internet banking is the Internet penetration among the masses. We lack

the infrastructure facility for providing Internet services but with the IT

ministry keen on expanding the Internet penetration the day is not too

far when greater part of our population would be using the Internet

banking facilities. In India, ICICI bank was the pioneer to introduce

Internet Banking. And later Citibank, HDFC Bank and other banks



followed the suit. PSU banks have lagged far behind in adoption of the

Internet banking facilities. But State Bank of India, which entered the

arena of ATM banking quite late, was able to expand at a rapid pace

and cover almost all the cities of India. Now ATM banking has become

an integral part of traditional cheque or withdrawal based banking.

These services have helped the PSU banks to maintain their customers.

Now money is transferred more in electronic form than in physical

form. With the cost of PC fast declining and the government’s initiative

in providing the infrastructural facilities for net banking and the faster

developments in the telecommunication sector would be helping in the

adoption of new technology and IT-based banking services. Some

authors’ view that the Internet banking is just the extension of the

traditional banking services because it is the same service with

customer friendly technological interface. So, it is the value addition to

the existing services. Banks are reaping following benefits with the use

of technology:

With low investment, banks would be able to satisfy large customer base. The technology has allowed the banks to move from brick and mortar building to virtual interface which cost less in comparison to the rising real estate prices which in turn leads to increase investment. Low investment in turn helps in satisfying large client base.

With modern facilities more and more customers get attracted to

the banks and they are viewed as technology savvy and modern

or state-of-the –art banks. Brand image of the banks also get

enhanced thus building their goodwill and brand equity. Even



customers want to be associated with the brand personality of the

banks.

With the increase in quality and competition, the customers are

having several choices among which to choose instead of

Hobson’s choice in some case. Now banking services have

become customer centric instead of service centric or bank

centric approaches as in earlier cases. Now, it is the customers

market rather than a sellers (bankers) market. All the services are

customer driven.

Network sharing by different banks is enabling the banks to

reduce their investment (sharing of ATMs of partner banks) and

provide better services to the customers. This is also helping

them in delivering quick services and it also reduces the risk of

fraudulent practices as verification becomes quite easier and

quick.

These practices are leading to lower service cost per customer.

Thus leading to enhance profitability for the banks, which in turn

enhances the corporate image of the banks.

With the use of technology banks are in a position to obtain the

customer database with a press of key and this helps the bank to

maintain high profile customers because it is an accepted

marketing principle that 80% of the revenue are generated by

20% customers (20:80 principle). Thus, the modern technology



helps in tracking the key customers and provides them better

services or customized services.

The alternative channels of service helps the bankers to add new

products to their portfolio and it helps them to device new

products according to customer needs. The banks can provide

customized value added services or tailor-made service to each

customer based on his/her requirement, e.g., foreign money

transfer service, electronic money etc.

It helps the banks to manage their funds in a much better way as

the technology provides round the clock interface to the outside

world and thus it helps in hedging the risk of the banks at real

time. Banks are able to minimize the risk and maximize returns

by investing in different avenues and they have greater control

over the fund investments.

Technology helps in increasing the labor productivity because it

increases the output per labor to multifold. Earlier works had to

be performed manually and it used to take days to complete in

minutes or in seconds. So, it helps in updating the customer

status as well as increased labor productivity.

The customer service cost decreases and the productivity of the

staff increases and this adds to the profitability of the banks. This

helps the banks to take care of even larger customer base and this

will ultimately ass up too the bottom-line of the banks.



Public sector banks have been shy in implementing new

technology brick mortar banking in comparison to the technology

driven banking while the client base of Private and MNC banks are

mostly young people who are technology-savvy and who like to

interface more with the technology than man. Aged people are not

comfortable with the technological interface. They feel complexity and

uncomfortable with technology intensive services.

With the present avenues being saturated and greater competition

due to the entry of more players in the arena, the banks are diversifying

into new areas where they can use their financial expertise in financial

consultancy, insurance sectors, and fee-based earnings instead of fund-

based earnings. The mushrooming of the multichannel, multifunction,

self-service electronic delivery channels is fast replacing the brick and

mortar branches (real to virtual). There is a need to redefine the

business model of the Indian banking sector so that to optimize the

resources and deliver world class service in the light of modern day

technology. Today’s concept is to minimize the visit of the customer to

the bank and let him use the technology or let technology handle him-

this is the new survival mantra in the cutthroat scenario for banks.

OBJECTIVES OF THE STUDY



The objectives of the project “The Study Of Application of

Information Technology In Banking Sector” includes the following:-

To know the present condition of technology in Indian banking sector.

To know about the electronic payment system.

To know about the hackers and frauds in online banking.

To know about the risk management policies of Indian banking

sector.

To know about the electronic banking sector.

LIMITATIONS OF THE STUDY



The scope of the project “ The Study Of Application Of

Information Study In Banking Sector” has been restricted to some

extent i.e. the project does not include the following: -

Supervision of Electronic Banking by Reserve Bank Of India

Information Technology in Banks in International Scenario

Software Application to Protect from Hackers & Frauds

Case Studies Related To Hackers & Frauds



Chapter –II

Review of literature

History of banking

The first banks were the merchants of the ancient world that made loans

to farmers and traders that carried goods between cities. The first

records of such activity dates back to around 2000 BC in Assyria and

Babylonia. Later in ancient Greece and during the Roman Empire

lenders based in temples would make loans but also added two



important innovations: accepting deposits and changing money. During

this period there is similar evidence of the independent development of

lending of money in ancient China and separately in ancient India.

Banking in the modern sense of the word can be traced to medieval and

early Renaissance Italy, to the rich cities in the north like Florence,

Venice and Genoa. The Bardi and Peruzzi families dominated banking

in 14th century Florence, establishing branches in many other parts of

Europe. Perhaps the most famous Italian bank was the Medici bank, set

up by Giovanni Medici in 1397.

The development of banking spread through Europe and a number of

important innovations took place in Amsterdam during the Dutch

Republic in the 16th century and in London in the 17th century. During

the 20th century developments in telecommunications and computing

resulting in major changes to the way banks operated and allowed them

to dramatically increase in size and geographic spread. The Late-2000s

financial crisis saw significant number of bank failures, including some

of the world's largest banks, and much debate about bank regulation.

Information Technology Auditing (IT auditing) began as

Electronic Data Process (EDP) Auditing and developed largely as a

result of the rise in technology in accounting systems, the need for IT

control, and the impact of computers on the ability to perform

attestation services. The last few years have been an exciting time in the

world of IT auditing as a result of the accounting scandals and

increased regulation. IT auditing has had a relatively short yet rich



history when compared to auditing as a whole and remains an ever

changing field.

The introduction of computer technology into accounting systems

changed the way data was stored, retrieved and controlled. It is believed

that the first use of a computerized accounting system was at General

Electric in 1954. During the time period of 1954 to the mid-1960s, the

auditing profession was still auditing around the computer. At this time

only mainframe computers were used and few people had the skills and

abilities to program computers. This began to change in the mid-1960s

with the introduction of new, smaller and less expensive machines. This

increased the use of computers in businesses and with it came the need

for auditors to become familiar with EDP concepts in business. Along

with the increase in computer use, came the rise of different types of

accounting systems. The industry soon realized that they needed to

develop their own software and the first of the generalized audit

software (GAS) was developed. In 1968, the American Institute of

Certified Public Accountants (AICPA) had the Big Eight (now the Big

Four) accounting firms participate in the development of EDP auditing.

The result of this was the release of Auditing & EDP. The book

included how to document EDP audits and examples of how to process

internal control reviews.

Around this time EDP auditors formed the Electronic Data Processing

Auditors Association (EDPAA). The goal of the association was to

produce guidelines, procedures and standards for EDP audits. In 1977,

the first edition of Control Objectives was published. This publication is



now known as Control Objectives for Information and related

Technology (CobiT). CobiT is the set of generally accepted IT control

objectives for IT auditors. In 1994, EDPAA changed its name to

Information Systems Audit and Control Association (ISACA). The

period from the late 1960s through today has seen rapid changes in

technology from the microcomputer and networking to the internet and

with these changes came some major events that change IT auditing

forever.

The formation and rise in popularity of the Internet and E-commerce

have had significant influences on the growth of IT audit. The Internet

influences the lives of most of the world and is a place of increased

business, entertainment and crime. IT auditing helps organizations and

individuals on the Internet find security while helping commerce and

communications to flourish.

Chapter- III



RESEARCH

METHODOLOGY

COLLECTION OF PRIMARY DATA:-

The primary data has been collected from various sources which

are as follows:

Questionnaire method.

Surveys in banks.



Surveys in banks related offices such as agent’s office etc.

COLLECTION OF SECONDARY DATA:

The secondary data has been collected from various sources

which are as follows:

Various books related to information technology.

Brochures of various banks.

Weekly journals.

Articles in newspapers.

SAMPLE FRAME:

The data has been analyzed using ten samples of employees of

three different banks viz., Bank of Maharashtra, HDFC Bank and ICICI

Bank.

E-BANKING: IN NASCENT STAGE IN INDIA

To keep pace with the changing environment worldwide, Indian

banking industry is fast adopting technology. It has embraced many



new features like Internet banking, ATMs, Phone banking etc. With the

help of new technology, banks are now able to offer products and

services, which were difficult or impossible with traditional banking.

But the banks in India still have to go a long way before making

themselves technology savvy.

With IT integration, a paradigm shift in the banking norms is on cards.

Banking fundamentals are thus facing major overhauls/ reengineering/

restructuring.

Two major trends have emerged in the transition of traditional

banking to high-tech banking:

Advancements and restructuring through mergers, acquisition

and alliances.

Universal banking where one stop shop provides all related

products and services to a customer.

At this point, it should be emphasized that mergers, acquisitions,

alliances, and adoption of Universal Banking concept are just

outcomes of IT-banking integration.

Banking and IT

Advancements and innovations in IT industry have created a

revolution in the communication and distribution system of various



products and services through Web networking. Networking, as we

know has connected people around the globe, thus creating a revolution

in modern business activities.

Integration of these technological advances and existing banking

structures has changed and will change the definition and faces of

global banking. Internet banking has made banking a commodity where

quality is measured by efficient servicing and effective pricing and

timeliness.

However, PC banking is not new. Bank of Scotland Started

offering its Home Office Banking Services (HOBS), more than a

decade ago, although it was only in 1996 that it was upgraded to make

software work with the now dominant windows operating systems.

HOBS later joined hands with TSB, which in 1996 launched banking

services accessible through the CompuServe online network,

nationwide.

Technology Solutions for Indian Banks

Two types of technology stock bank products are available in the

market.

Hardware products like ATMs and



Software products like branch connectivity, cluster-banking

software, and trade finance software.



Chapter –IV

ELECTRONIC

CHEQUES&EVIDEN

TIARY VALUE

3. ELECTRONIC CHEQUES

ANDEVIDENTIARY VALUE

The advancement in technology has led to the creation of

electronic cheques, particularly in a business environment. Different

countries have a choice of cheque systems, which are governed by the



laws applicable to each country’s jurisdiction. The authentication of

these electronic instruments is proposed to be endorsed by digital

signature. In India, the enactment of the Information Technology Act,

2000 obligated amendments to The Negotiable Instruments Act, 1881

in order to impart legal validity to such electronic instruments. The

authors in this article elucidate the amended provisions and examine the

evidentiary value of such electronic instruments.

The electronic cheque or simply the e-cheque is gradually

replacing the longstanding paper cheque. The Negotiable Instruments

(Amendments and Miscellaneous Provisions) Act, 2002 was amended

to include the phrase “electronic cheque” in the definition of a cheques

in Section 6 reads as “ A ‘cheque’ is a bill of exchange drawn on a

specified banker and not expressed to be payable otherwise than on

demand and it includes the electronic form. “Explanation I. – For the

purpose of this section, the expression-

“A cheque in the electronic form” means a cheque which

contains the exact mirror image of a paper cheque and is generate,

written and signed in a secure system ensuring the minimum safety

standards with the use of digital signature (with or without biometrics

signature) and asymmetric cryptosystem.”

An electronic cheque simply means a cheque in the electronic

form, which is an exact replica of a physical cheque. It contains all the

information that is found on a physical cheque, but it is “signed

digitally” or “endorsed”.

In an attempt to provide authentication, an apparatus commonly

known as “signature” was evolved as a proof asserting intention. This

involved appending a unique identifier to a message to identify the



sender/recipient. Conventionally, handwritten signatures are affixed

paper-based cheques. These signatures affixed using ink are used as an

authentication tool to identify that the person signing the document has

read and understood the contents. In the anonymous digital world,

where individuals may not actually communicate with each other, much

emphasis is placed on the authentication of the electronic information.

Therefore, it becomes necessary for evolving a secure authentication

tool, which led to the promotion of digital signatures.

DIGITAL SIGNATURE – HOW IT OPERATES

It is a data string, which associates a message in the digital form

with some originating entry. It is created and verified by means of

cryptography, the branch of applied mathematics that concerns itself

with transforming messages into apparently meaningless forms and

back again. It uses a scheme or mechanism consisting of signature

generation algorithm with a method for formatting data into message to

produce a digital signature, and a related signature verification

algorithm with the method to recover data from the message to

authenticate a digital signature.

It is important to note that, the Information Technology Act,

2000, in Section 3(2) provides for a particular asymmetric cryptosystem

and hash function as a means of authentication should be recognized as

a source of legal risk.

The digital signature mechanism follows an “asymmetric

cryptosystem”. In this method of creating and verifying a digital

signature, there are two basic technical processes or functions: “Public



key encryption”, where encryption is the process by which information

is scrambled by the use of a code and “hash”.

The process of a creation and verification of digital signatures

using hash algorithm involves the following steps:

Create a data unit that is to be signed, e.g., precisely an encircled

portion of data in digital form, which can be a text document,

software or any other digital information.

Generate hash value called “Message Digest” or “Fingerprint” of

the message. A hash function is a process that creates a relatively

small number (called message digest) that represents a much

larger amount of electronic data.

This hash value is computed from the data unit- a number using a

hash algorithm, which creates the compressed digital signature.

Digital signatures use a “one way hash function” and the

important thing about such a hash value is that it is nearly

impossible to derive the original data unit without knowing the

data unit used to create the hash value. Therefore, if the data unit

is changed or otherwise tampered with, the hash value will no

longer correspond to this data unit and produces an error

message.

Encrypt hash value with the private key of the signatory.

Encryption is a process of disguising a message in such a way so

as to conceal its meaning and substance. It also consists of a

procedure of converting plain text to a cipher text. Hence, the

plain text refers to the original digital file, whereas the ciphertext

refers to the disguised file.



Final step in the verification process, which involves the

regeneration of the hash value on the basis of the same data unit

and the same algorithm. The determined hash value is again

computed with rhea public policy key, which is then compared

with the signature attached to the data unit. If the product is

matching, it will verify the signatory’s private key, which is used

to sign and guarantee that the data unit has not been altered.

In this context, digital signatures are created when the drawer of

the cheque runs, the cheque through a one-way function creating a

message digest. The private key used by the drawer of the cheque is

known only to him. The drawer encrypts the resulting message digest

by using an asymmetric cryptosystem will allow the paying banker to

verify the signature by using it to decrypt the cheque.

EVIDENTIARY VALUE OF DIGITAL

SIGNATURE ON E-CHEQUES

Generally, authentication is achieved by what is known as

security procedure, but from the legal perspective, the security

procedure requires to be recognized by the law as a substitute for

signature.



With the emergence of cyberspace it became necessary to amend

certain provision of the Indian Evidence Act to make electronic

evidence admissible in courts of law. Accordingly, the second schedule

to the Information Technology Act has amended the Indian Evidence

Act, 1872 to remove any obstacle to the legal acceptance and validity of

electronic evidence.

According to the amended Section 3 of the Evidence Act,

electronic records stand on par with paper-based documents and will be

deemed as documentary evidence in a court of law.

While Section 22(A) of the Information Technology Act amends

Section 17 of the Indian Evidence Act, 1872 to provide that oral

admission as to the contents of the electronic records are relevant, the

written admission of the content of any document or electronic record

can be proved under Section 65 of the Evidence Act.

Section 39 of the Indian Evidence Act provides, “when any

statement of which evidence is given forms part of a longer statement,

or is contained in a document which forms part of a book, or is

contained in part of electronic record or of a connected series of letters

or papers, evidence shall be given of so much and no more of the

statement, conversation, document, electronic record, book or series of

letters or papers as the court considers necessary in that particular case

to the full understanding of the nature and effect of the statement, and

of the circumstances under which it was made.” It can be inferred from

this provision that where entry of an electronic cheque forms a part of

an electronic record, only that part which is relevant may be taken as

evidence before the court. Again what part is relevant depends on the



discretion of the court. The court must exercise this discretion judicially

to determine such relevance.

Accordingly, Section 5 of the Information Technology Act 2000

prescribes, “ Where any law provides that information or any other

matter shall be authenticated by affixing the signature or any other

document shall be signed or bear the signature of any person then, not

withstanding any document contained in such law, such requirement

shall be deemed to have been satisfied, if such information or matter is

authenticated by means of digital signature affixed in such manner as

may be prescribed by the Central Government.”

Explanation- For the purposes of this section, “signed”, with its

grammatical variations and cognate expression, shall, with reference to

a person, mean affixing of his handwritten signature or any mark on any

document and the expression “signature” shall be constructed

accordingly”.

This provision explicitly explains that a digital signature is

legally recognized as the method of authentication. The authority to use

digital signatures in the government and its agencies is accorded in

Section 6 of the Information Technology Act, 2000, which reads as-

“ 1) Where any law provides for-

a) This filing of any form, application or any other document with

any office, authority, body or agency owned or controlled by the

appropriate government in a particular manner.

b) The issue or grant of any license, permit, sanction or approval by

whatever name called in a particular manner.



c) The receipt or payment of money in a particular manner, then,

notwithstanding anything contained in any other law for the time

beginning in force, such requirement shall be deemed to have

been satisfied if such filing, issue, grant, receipt or payment, as

the case may be, is effected by means of such electronic form as

may be prescribed by the appropriate government”.

The words in Section 6(1)(C) “ the receipt or payment of money

in a particular manner … is affected by means of such electronics forms

as may be prescribed by appropriate government” may be understood to

include e-cheque.

A system of digital signature like handwritten signature is use to

protect confidential information. Form the legal perspective, two

presumptions that could be raised in respect of digital signature are:

Signatory’s personal participation in the Act of signing or any

person authorized by him.

The intention of the signatory to endorse or approve authorship

of a text and the fact that the signatory had been at a given

place and time.

The presence of intention has an integral part of a signature is

essential as lack of intention could be raised with regard to

circumstances including fraud and unconscionable conduct.



To regulate the use of digital signature, the Central Government is

empowered to lay down rules under Section 10 of the Information

Technology Act, 2000 that reads, “The central government may, for the

purposes of this Act, by rules, prescribe-

The type of a digital signature;

The manner and format in which the digital signature shall

be affixed;

The manner or procedure which facilitates identification of

the person affixing the digital signature;

Control processes and procedures to ensure adequate

integrity, security and confidentiality or electronic records or

payments; and

Any other matter which is necessary to give legal effect to

digital signature.”

In India, evidentiary value of the digital signature has been in

question for long. A genre of evidence dominating the digital

transaction world leads to be recognized by the Indian Evidence Act,

1872, by making the necessary amendments there in.

The IT Act 2000 provides for specific evidentiary value for

secure records and secure digital signatures. Subsequently, sub-section

(2) to Section 85B of the Indian Evidence Act has been inserted to be in



consonant with the IT Act to provide that, “ In any proceedings,

involving secure digital signature, the court shall presume unless the

contrary is proved that-

The secured digital is affixed by the subscriber with the

intention of signing or approving the electronic records;

Except in the case of a secure electronic record or a secured

digital signature, nothing in this Section shall create any

presumption relating to authenticity an integrity of the

electronic record or any digital signature.”

The section limits its opinion to a secure digital signature by

indicating that there shall be no presumption relating to authenticity and

integrity of a digital signature except where it is a secure digital

signature. If, by application of a security procedure agreed to by the

parties concerned it can be verified that a digital that a digital signature,

at the time it was affixed, was-

Unique to the subscriber affixing it

Capable of identifying such a subscriber

Created in a manner or using means under the exclusive

control of the subscriber and is linked to the electronic record to

which it relates in such a manner that if the electronics record



was altered the digital signature would be invalidated then such

a digital signature shall be deemed to be a secure digital

signature.

As distinct from such a secure digital signature, Section 67A of

the Indian Evidence Act provides for proof as to the digital signature,

and Section 73A prescribes the method by which such a digital

signature may be proved. According to Section 67A of the Indian

Evidence Act, “ Except in case of a secure digital signature, if the

digital signature of any subscriber is alleged to have been affixed to an

electronic record the fact that such digital signature is the digital

signature of the subscriber must be proved.”

The Information Technology Act by inserting a new Sub-Section

A to Section 47 recognizes opinions of third parties not relevant as

evidence unless specifically provided for Section 47A reads as, “ When

the court has to form an opinion as to the digital signature of any

person, the opinion of the certifying authority, which has issued the

Digital Signature Certificate, is an relevant fact”. An opinion of third

parties is in admissible and as evidence except in certain cases when the

court requires an opinion of experts. With this insertion, opinion of

third parties became relevant.

THE FUTURE OF PLASTIC MONEY



Use of plastic Money is growing at an unprecedented rate in

India. Lesser number of installed Point-of sale (PoS) terminals is the

major obstacle in the growth of debt cards; smart card has many

innovative features, which may spurt the use of cards in India. Smart

card is safer to use in electronic form than the present form of cards

“ Credit card business is a volume game and initially highly capital

intensive.”

- A senior banker

Plastic money is growing by leaps and bounds in India. Today,

many banks are offering cards. Though the foreign banks have a

dominant share, aggressive entry of the Indian banks like SBI, ICICI

and HDFC Bank may soon change the rules of the game. Today, SBI-

GE is the third largest issuer of credit cards.

The credit card market in India is projected to grow at the rate of

20-25% per annum in the coming years. There are currently around 3.8

million credit card users compared to 3.0 million in 1990. Visa credit

card grew by 46.4% in India while the growth in Asia Pacific was only

6% for Q3 of 2003. The competition among banks has been growing

and they are offering so many add-on incentives like waiver of first

year annual fee, discount on retail stores, personal loans etc., to woo the

customers.

Debit card is another segment, which is catching up fast. There

are only 80,000 to 90,000 merchants having point-of-sale (PoS)

terminals installed and majority of them are located in metros, which is

the major obstacle to the growth of debit cards. To increase the usage of



debit cards, banks should concentrate on increasing installation of PoS

terminals in semi-urban and rural areas.

Smart Card: A Future Card

Smart cards are the wave of the future for consumer use,

commercial use and terminal network security. Smart cards are in much

wider use in Europe than in US.

A smart card is a plastic card with an imbedded computer chip

that has been stored inside the card. It has the capacity to store up to 80

times more information than other magnetic stripe cards. This mini-

computer using an intelligent chip, stores payment information similar

to a magnetic stripe card, but it also includes additional information

such as online authorization controls, credit limits, stored value (gift

card), reward points (loyalty), Personal Identification Number (PIN),

etc. Smart cards can be contact less, suggesting that the chip transfers

data via a built-in antenna without physically touching the smart card

reader.

There are over 3 billion smart cards in use currently. Today,

smart cards are used worldwide and it is the most flexible payment

option available in the world. Smart cards have been used in Europe for

over 10 years and now they are the accepted mode of payment. In

developing countries and continents such as Africa and Asia, the use of

smart cards has been growing rapidly. In the US, major retailers, banks

and processors are preparing to accept global cards and some are adding

smart gift cards and promotional application to build loyalty for the

growth of their business. American Express and Financial Institutions

have issued over 21 million PIN-secured smart cards to their customers.



By the end of 2005, there will be over 100 million smart cards to their

customers. By the end of 2005, there will be over 100 million smart

cards in use in the United States.

In order to accept smart cards, the business must have an EMV

ready smart card Point-of-Sale (PoS) terminal. Merchants can be

standalone PoS smart card terminals or smart card readers that are

integrated with cash registers. Currently, over 90% PoS terminals are

not EMV smart card ready.

Smart Cards and Internet Payment

Issues of security and fraud are major drawbacks to using credit

and debit cards over the Internet. Unlike the hand-written receipts, there

are no signed sales receipts associated with today’s e-commerce

transactions. Without such evidence, it is difficult as much as 84% of

all electronic commerce transactions.

At the same time, consumers are holding back on making Internet

purchases due to lingering security concerns. According to Master

Card, 90% of Internet non-buyers worry that their personal and

financial information may fall into the hands of hackers. It is this

reluctance that is the real barrier to building an online business. Using

smart cards along with a strong Internet authentication will help

overcome these issues.

American Express, Master Card and Visa smart cards currently

support Internet authentication and payment using built-in digital

certificates and digital signatures. For smart cards to be successful, the

cardholders must connect an EMV approved smart card reader to their



PCs. Smart cards have the capacity to replace the thirty plus years old

magnetic stripe cards.

Chapter –V

Banking Technology

& Frauds



LEADING ISSUE IN BANKING

TECHNOLOGY

Many Indian banks are adopting the information technology not

merely as a frill, but as a dire need. It is helping the banks in many core

and diversified functions. Technology is key business enabler in six

critical areas of banks. These are augmentation profit pool, operation

efficiency, customer management, product innovation, distribution and

reach, and efficient payment and settlement system. For the success of

any IT program, integration of IT and business strategy is crucial factor.

Banking basics have undergone radical shifts, thanks to the

advent of modern technology, increasing pace of globalization and the

need for stronger fundamentals to operate in the fiercely competitive

environment. The digital divide among Indian banks that was quite

discernible before the millennium has considerably narrowed down

with many banks taking to technology not merely as a frill, but as a dire

necessity. Technology today catalyzes many core and diversified



functions in banks, including issues like transaction automation and

multiple delivery channels, product innovation, data warehousing and

effective MIS, secured storage mechanisms and a real-time based

payment and settlement system.

Seen in the present context, technology is a key business enabler

in six critical areas of banking.

Augmenting Profit Pool; Operational Efficiency; Customer

Management; Product Innovation; Distribution and Reach; Efficient

Payment and Settlement.

Augmenting Profit Pool

Sustained profits and profitability have been major yardsticks for

assessing the true health of banks in a fiercely competitive and

compelling business environment. Technology has proved, at least in

case of new generation banks and major public sector banks to be a

major profit driver. With progressive decline in interest rates, banks’

spreads have come under pressure, which per se, affects their

profitability. However, technology had a favorable effect in terms of

reducing the operating cost and improving the burden to a considerable

extent. Technology also enable commissioning of new products like

Net banking, mobile banking and other forms of 24X7 banking like

ATMs and Networked services across branches like anywhere banking,

electronic funds transfer, customer relationship management, call

centers across the banks. Hi-tech and hi-touch services, it goes without

saying, have also enlarged the clientele base in banks and commanded

considerable customer loyalty. Technology has created an enabling



environment for banks to diversify into various fee-based activities like

bancassurance and funds transfer arrangements.

operational Efficiency

Operational efficiency, in terms of optimum utilization of

resources, has been one of the most positive offshoots of technological

application in banks. Thanks to greater technological application,

banking system has seen a near consistent improvement in the

intermediation efficiency and consequent decline in transaction cost.

Yet, technology application has been by and large confined, especially

in the state-owned banks, towards cost saving and improved service

standards through product innovation. While savings in cost and

improvement in service quality could turn out to be short-term in

nature, it is essential that technology is leveraged as a long-term and

efficient cross-functional application. It is also time that the focus of

technology shifts from product innovation to process innovation

commonly referred to as Business Process Reengineering (BRP), for

banks to gain long-term operational efficiency.

Customer Management :-

Technology also spells significant benefits on the realm of

customer research and management. In a predominantly buyers’ market

and high propensity if customers to switch service providers, customer

management need no longer be a front office function, but a bank-wide

obsession. Many banks have duly realized the significance of such

functions and introduced new models like the High Net Worth clients’

branch, imbued with state of the art technology, exquisite ambience and



quickest possible processing of transactions. Customer management is a

very sensitive issue entity hears only from 4% of its dissatisfied

customer, while 96% of its customers quietly go away of which 91%

never come back. Technology, thus, already implemented the tech

aided e-CRM application as strategic tool to retain as well as expand

their customer base. The bottom line is that banking products are

getting commodities and price wars are slowly leading to a zero-sum

game. In such a scenario, technology backed customer orientation will

hold the key to take service standards anywhere near to world-class.

Product Research :-

In the field of product research as well, technology plays a

decisive role, in terms of swift product innovation, an active R&D set

up effective pricing of products to protect banks’ margins and safeguard

customers’ interests. Banking product life cycles are getting shorter day

by day and more than delivery, product servicing defines competitive

edge for banks. Marked to market product processes are equally

important for sustained improvement in the value chain of services and

command ‘top of the mind recall’ from the customers. Technology also

aids product profitability research and review, which have not adequate

attention in many of the banks.

Distribution Reach :-

The thumb rule for strategic management masters is that

structure must follow strategy in any business reorganization.

Technology, thus, calls for attendant restructuring endeavors that will

be in tune with the level of technology application. For instance, many



banks need to put in a place a leaner structure and remove intermediate

decision-making tiers. That is how one can see that many of the

regional outfits of banks are slowly being dismantled while branch

expansion is not being accorded the thrust it used to be given earlier.

Rightsizing of human and physical overheads is a major strategy

adopted by many banks wherein the role of the earlier brick and mortar

banking is slowly getting dissipated. In turn, devices like Internet and

mobile banking. Technology, thus, facilitates downsizing of overheads

cost without compromising much on clientele reach. Public sector in the

rural and semi-urban areas. Many of these branches are not performing

to their potential mainly because of their typical business mix, cost

diseconomies and lack of technology-based services offered in these

branches. Technology can facilitate the branch rationalization exercise

such as setting up mobile branches and satellite branches, especially in

the rural areas, and bring many of those into the “Performing” category

without affecting the extent of client reach.

Efficient Payment and Settlement :-

Innovation in technology and worldwide revolution in

information and communication technology have emerged as dynamic

sources of productivity growth. This is true about banking as well as its

relationship with technology has become symbiotic fundamentally.

Payment system is probably the most important mechanism in the

banking sector where technology’s interactive dynamics is getting

manifested in an increasing measure each day.

Banking system has adopted a holistic approach for designing a

modern, robust, efficient and integrated payment system. The approach



to the modernization of the payment and settlement system has been

basically three pronged – consolidation, development and integration.

Consolidation of the payment system has revolved round strengthening

computerized cheque clearing and expanding the reach of electronic

clearing services through state-of-the-art technology. Critical elements

under the developmental strategy related to the opening of new clearing

houses, interconnectivity of clearing houses through INFINET and

optimizing the development of resources the Negotiated Dealing

System, Structured Financial Messaging System (SFMS) and the

recently introduced Real-Time Gross Settlement (RTGS) system.

Integration is the next stage that the banking system is currently going

through which is premised on a high degree of standardization within a

bank and seamless interfaces across banks, leading to Straight Through

Processing (STP) of transaction on a regular basis. Further, cheque

truncation system will also pave way to expedite settlement of

payments process.

However, so far as integration is concerned, Indian banks still

have a fair distance to traverse. In order to efficiency leverage an

integrated payment and settlement systems, banks, especially those in

the public sector, need to address certain core issues expeditiously.

These include the following:

Toning up of infrastructure in terms of standardization and

build up security features like firewalls, Intrusion Detecting

System (IDS) and implementing a security policy.

Total inter-branch connectivity.

Popularization of electronic funds transfer mechanism.



Institute collaborative arrangements, including outsourcing of

IT expertise.

In addition to the above, banking sector is also confronted with a

classic dilemma. It relates to differentiating between and mapping the

role of business vis-à-vis the role of information technology, a feature

typifying an enterprise wide technology initiative. This is where the

significance of integrating business and IT plans comes to the fore.

Integration of IT and Business Strategy

Many banks, especially those in the public sector, are embarking

on a comprehensive set of IT initiatives encompassing total branch

automation, core banking solution, networking of ATMs, Internet and

mobile banking, data warehousing and a comprehensive MIS backed

decision support system. Contrary to popular perception, such

initiatives are not merely because of competitive pressure from the

foreign and new generation private banks. The avowed goal of these

initiatives was to improve overall efficiency in terms of lower

intermediation cost, swifter decision-making process, grater customer

convenience and effective internal control, including an objective risk

management mechanism. It goes without saying that the fast pace of

globalization and progressive move towards reaching global operational

benchmarks also catalyzed the technology drive dividends to these

banks although the need of the hour is to consolidate the gains so far

and address the weak links.

One such weak link relates to lack of integration between the

IT strategies which, it is felt, is applicable to many of our banks.



Technology introduction can offer significant benefits only when they

are in total alignment with business strategies. Especially, in public

sector banks, a phased approach is desirable in view of the

heterogeneous nature of their branch architecture and vast area specific

differentials in their branch functioning. In the current context, business

strategies may differ from bank to bank, yet a core set of business

objectively will, for sure, be common to all the banks. Such

commonalities call for at least an open technology plan, in board

consonance with the business objectives, and the same can be fine-

tuned on an ongoing basis to suit the business model.

Recently, a study was conducted by National Institute of Bank

Management, at the behest of RBI, for suggesting a methodology to

integrate IT and business plans in banks. The study has proposed an

‘Enterprise Maturity Model’, for attaining total convergence of

technology and business strategies with focus on selected, generic

business strategies. The model suggests solutions not merely for

business and technology, but for issues related to human resources and

customers who form an integral part of banks’ strategic road map.

The suggestions in the study promise to be useful benchmarks for

banks in their complete switchover to the virtual mode. Application of

the model can help banks to develop effective Executive Information

System as effective decision support, integration of varied workflow

processes, objective customer analysis and most importantly, devise

simulative and real-time based tools to track business, profits and

profitability. Effective and an objective technology application system

will also enable a business process reengineering mechanism that will

considerably enhance the real technological capabilities of banks.



Core Banking Solution

In the light of ongoing emphasis on business process

reengineering, one comes across many banks assiduously pursuing a

centralized server-based system, better known as Core Banking

Solution (CBS). CBS offers, among others, benefits like privilege of

single window service to customer in order to facilitate a shift from

“customer of the branch” to “customer of the bank” concept, online

transfer of funds, longer business hours, lower transaction costs,

slimmer staff structure at branches, effective monitoring of business,

comprehensive MIS as a policy support and above al, improved

visibility of the banks implementing CBS. A robust MIS also supports

vital functions like ALM, risk management, product profitability and

customer profitability analyses leading ultimately to efficient portfolio

management in banks. CBS also leads to significant mileage in terms of

staff and other overhead costs. Staff rendered surplus on account of

CBs can also be put for marketing and recovery functions, which

warrant dedicated staff in the present context.

One major issue in CBS relates to security aspects and a host of

operational risks that banks are confronted with. Be it system failure or

planned hacking or any kind of human error, centralized system is

perennially susceptible to failure which may prove to be endemic across

the financial system and result in vital data erosion. Retrieval of the

same may also cost dearly to the banks and their associates. Security

aspects like implementing a robust security policy, firewalls, IDS are,

therefore, indispensable for preventing any systematic problem. There



are even cases where multi-point security has not been able to check the

fraudulent practices. Thus, security aspects need to be examined

threadbare before putting core banking in place.

TECHNOLOGY AND FRAUDS

ATM CRIMES FRAUDS:

ATM crimes and frauds are rising throughout the world. ATM

industry and money other organizations are fighting with them in many

ways like, by issuing security tips, making ATMs more innovative etc.

In India, where the use of ATMs is growing by exponential, banks have

to take benefit from international experiences and safeguard their

customers from frauds.

ATM crimes and frauds are mounting day by day. Even

though they make up a small percentage of criminal activities they are

not less important. Criminals are raiding millions every year.

Popular Ways to Card Frauds:

Some of the popular techniques used to carry out ATM crime

are:



Through Card Jamming ATM’s card reader is tampered with in

order to trap a customer’s card. Later on the criminal removes the

card.

Card Skimming is the illegal way of stealing the card’s security

information from the card’s magnetic stripe.

Card Swapping, through this customer’s card is swapped for

another card without the knowledge of cardholder.

Website Spoofing, here a new fictitious site is made which looks

authentic to the user and customers are asked to give their card

number, PIN and other information, which are used to reproduce

the card for removing the cash.

Global Measures to Fight the Frauds

To guard against these frauds ‘The Global ATM Security

Alliance (GASA)’, which was formed in June 2003, has issued the

customers guide and some tips to prevent against card-related frauds.

The World’s Top 20 tips for ATM Use to Enhance the ATM customer

Experience and Security

Article I. CHOOSING AN ATM

Tip 1: Where possible, use ATMs with which you are most familiar.

Alternatively, choose well-lit, well-placed ATMs where you feel

comfortable.



Tip 2: Scan the whole ATM area before you approach it. Avoid using

the ATM altogether if there are any suspicious-looking individuals

around or if it looks too isolated or unsafe.

Tip 3: Avoid opening your purse, bag or wallet while in the queue for

the ATM. Have your card ready in your hand before you approach the

ATM.

Tip 4: Notice if anything looks unusual or suspicious about the ATM

indicating it might have been altered. If the ATM appears to have any

attachments to the card slot or keypad, do not use it. Check for unusual

instructions on the display screen and for suspicious blank screens. If

you suspect that the ATM has been interfered with, proceed to another

ATM and inform the bank.

Tip 5: Avoid ATMs which have messages or signs fixed to them

indicating that the screen directions have been changed, especially if the

message is posted over the card reader. Banks and other ATM owners

will not put up messages directing you to specific ATMs, nor would

they direct you to use an ATM, which has been altered.

Article II. USING AN ATM

Tip 6: Is especially cautious when strangers offer to help you at an

ATM, even if your card is stuck or you are experiencing difficulty with

the transaction. You should not allow anyone to distract you while you

are at the ATM.

Tip 7: Check that other individuals in the queue keep an acceptable

distance from you. Be on the lookout for individuals who might be

watching you enter your PIN.



Tip 8: Stand close to the other ATM and shield the keypad with your

when keying in your PIN (you may wish to use the knuckle of your

middle finger to key in the PIN).

Tip 9: Follow the instructions on the display screen, e.g., do not key in

your PIN until the ATM request you to do so.

Tip 10: If you feel the ATM is not working normally, press the cancel

key and withdraw your card and then proceed to another ATM,

reporting the matter to your financial institution.

Tip 11: Never force your card into the card slots.

Tip 12: Keep your printed transaction record so that you can compare

your ATM receipts to your monthly statement.

Tip 13: IF your card gets jammed, retained or lost, or if you are

interfered with at an ATM, report this immediately to the bank and/or

police using the help line provided or nearest phone.

Tip 14: Do not be in a hurry during the transaction, and carefully secure

your card and in your wallet, handbag or pocket before leaving the

ATM.

Article III. MANAGING YOUR ATM USE

Tip 15: memorize your PIN (if you must write it down, do so in a

distinguished manner and never carry it with your card).

Tip 16: NEVER disclose your PIN to anyone, whether to family

member, bank staff or police.

Tip 17: Do not use obvious and guessable numbers for your date of

birth.

Tip 18: Change your PIN periodically, and, if you think it may have

been compromised, change it immediately.



Tip 19: Set your daily ATM withdrawal limit at your branch at levels

you consider reasonable.

Tip 20: Regularly check your account balance and bank statements and

report any discrepancies to your bank immediately.

While the ATM industry is aggressively addressing ATM-related

frauds and crimes, few in the industry know about these extraordinary

efforts. Some of the important works are given below:

From time to time the Electronic Funds Transfer Association

(EFTA) with the help of ATMIA is publishing tips on PIN

security.

To combat the cross-border crimes, GASA is working in

association with Interpol, the Metropolitan Police Flying Squad

for New Scotland Yard and leading card issuers.

ATMIA is educating the people and ATM industry about most

effective way of fighting ATM crimes and frauds and honoring

with award that contributes significantly counter the fraud.

Fair Isaac Card Alert – it is a service, which analyzes millions of

daily transaction, identifies the suspicious transactions and sends

the card number and related information of suspicious transaction

to the concerned bank. This services has helped a lot in solving

many card-related frauds including high-profile skimming cases.

Leading ATM manufacturers are producing innovative ATMs,

which are helping to counter the frauds. Biometric technology is

one of the examples, which removes the need of Personal

Identification Numbers (PINs).



Biometric systems identify or authenticate a person’s identity

using different alternatives like face expressions, fingerprint, hand

geometry, voice, retina, etc.

INTERNET BANKING AND FRAUDS

Fraudsters are using innovative ways like Web and Mail spoofing,

attacking the bank’s server etc. to break the security walls and

commit fraud. There is a need for arrangements, which help presence

of integrity, confidentiality and authorization of information.

“Thieves are not born, but made out of opportunities”

This quote exactly reflects the present environment related

to technology, where it is changing very fast. By the time regulators

come up with preventive measures to protect customers from innovative

frauds, either the environment itself changes or new technology

emerges. This helps criminals to find new areas to commit the fraud.

Some common Internet banking frauds and their causes have

been discussed here.

Attacking the Bank’s Server

In this case, the fraudster takes control of the server of the

bank and by visiting the bank’s website carries out transaction through

impersonation.

These attacks are due to bad programming, which mostly

prevail in general purpose software. Such attacks are called buffer-over-



flow attacks. Due to buffer-over-flow defects in the software, fraudster

can use the commands on the server without providing essential

information like password etc.

Mail Spoofing

In the mail spoofing or e-mail forgery, the fraudster sends the

information to bank customers in such a form that it seems that

information is from the authentic bank source. One such incident

happened with ICICI Bank customers to disclose passwords and other

information. The e-mail said:

“For security purpose your account has been randomly chosen for

verification. To verify your account information we are asking you to

provide us with all the data we are requesting. Otherwise, we will not

be able to verify your identity and access to your account will be

denied. Please click on the link below to get to the ICICI secure page

and verify your account details. Thank you.”

Mail spoofing happens due to lack of criteria to verify the source

address authenticity. Anyone can set up a mail server and can forge a

mail posing as an authentic source.

Web Spoofing

In Web Spoofing, customers of the bank are lured to log in at the

fraudster’s website, which is similar to the bank’s website. Once the

customer provides sensitive information, they can be stolen easily by

the fraudster, who uses the stolen sensitive information like password

and username etc., to carry out the transaction on the bank as a real

customer.



In the whole case, the only loser is the customer because he does

not have any means to prove that it was not he who did those

transactions, but the fraudster.

Ignorance of the customer to intercept Universal Resource

Locator (URL) is the major cause of Web spoofing. Look at the

following two URLs

http://secure.bankname.com/carloanfind/carloans.asp

http://secure.bankname.com?

@569857125/carloanfind/carloans.asp

It is very difficult for a normal customer to understand the

difference between these two URLs. He can be easily cheated because

the first URL will drive him to the original site while the second one to

the fraudster’s site.

(i) Denying Service from Bank’s Server

The fraudster’s intent here is not to commit any fraud but to

create inconvenience for the banks. The customer here literally cannot

access the services of the bank.

Intervention of fraudster’s with Transmission Control

Protocol/Internet Protocol (TCP/IP), the computer communication

languages, Router Poisoning that help the customers to reach different

parts of the network and Domain Name System (DNS) service, that

helps the two computers to communicate through IP number are some

reasons for such inconvenience.



It is clear that to plug all the loopholes is very difficult for any

regulator. This is a challenge to the mission of fast automation. It is

essential on the part of the banks, the regulators and the service

providers to create a source and safe automation environment that has

the confidence and trust of the customers.

CREDIT CARD FRAUD ON INTERNET

Credit card fraud has become regular on Internet. All the agencies

involved in the transaction, cardholders, online merchants and the card

issuers suffer losses. However, it is the online merchant who suffers the

most. This article examines the nature of credit card fraud, types of

credit card frauds, and the effects. This article also discusses the

preventive measures.

Internet commerce is growing very fast. From a customer base of 28.8

million spending US$12 bn in 1999, Internet Commerce has grown

exponentially during the past few years and is still growing. But,

unfortunately, the growth is not on the expected lines. The credit card

fraud, which has become common, has retarded the e-commerce

growth. A 1999 survey by US National consumer’s league reported that

7% of customers were victims of the credit card fraud; recent surveys

indicate that one out of three online customers have become victims to



this kind of fraud. Customers, credit card companies, banks and

merchants are battling this problem; still this crime is on ascendancy.

Common Types of Card Frauds

There are different types of frauds involving credit cards. The

fraudulent activities start from the application process itself.

Application Fraud:-

In application fraud, the fraudster obtains personal confidential

information of the other person needed in the credit card applications,

like social security number, date of birth using a variety of means.

Internet search engines and databases are making these tasks easier.

Using this information, he fills in an application for a credit card and

after receiving it, uses it as if he is the true holder. The person in whose

name the card is issued might come to know about this only after the

damage is done.

Counterfeit Cards:-

In this, a criminal gains access to a valid card number and other

information. For example, the salesperson at the supermarket briefly

takes possession of the customer’s card during payment process, which

he runs on a terminal. But without the knowledge of the cardholder, the

salesman can also run it on another machine, which can capture all the

details in the card. Using this information and tools like embossing



machines, a fraudster can create a counterfeit card. This process is

known as ‘skimming’ and simple hand-held devices are now available

for the purpose. Further, the information skimmed can also be used for

purchases on the Internet or Telephone.

Account Takeover: In account takeover, the fraudster first all the

personal confidential information about the other person. Then

impersonating as the other person, he informs the bank that there is a

change in his residential or office address. Next, he informs them that

his credit card is lost and request for a new card on the new address.

After receiving the card, the criminal successfully takes over the

account.

Stolen and Lost Cards:-

By far, this is the most common form of fraud in the market

place. When the criminal has access to a stolen or lost card, he also

gains access to all the personal information. Apart from using this card

fraudulently, the criminal can also use the information to ‘broaden’ the

fraud by applying for new cards or fabricating new ones.

Other Forms:-

From the point of view of a merchant, credit card frauds can be

divided into three ways. There are organized fraud, opportunistic fraud

and cardholder fraud. The advantages offered by Internet are also

attracting the criminals in a big way. In an organized criminal activity,

the gang’s obtain credit cards using any of the means discussed above.

They normally identify a drop location like a vacant house or



warehouse, spend the card up to the maximum limit, and ask the

merchandise to be dropped at this selected location. These gangs have a

thorough understanding of the system and take advantage of the fact

that there is normally a time gap of more on to the next card.

Opportunistic fraud is committed normally by amateurs who get an

opportunity of handling credit cards, like waiters in restaurants.

Cardholder fraud involves the cardholder himself who might claim that

he never placed the order or he never received the goods. It could also

involve one of his family members or friends who used the card without

his knowledge.

Bust Out Fraud:-

According to Daniel Buttafogo of Juniper, an Internet-based

credit card company, in this fraud, true customers gradually build up as

much available credit card and then ‘bust out’ with large purchases of

items that could easily resold like jewelry or draw large cash advances

etc. Here the fraudster will draw bad checks on one account to pay

when this cannot be done any longer, the customer does a vanishing act.

This kind of fraud is the most difficult to catch, as the customer exhibits

exemplary behavior till the last moment.

Friendly Fraud / Denial of Receiving Product:-

Friendly fraud occurs when the actual cardholder carries out a

transaction but later denies or claims that his card was stolen or used

without his authorization. Customers might deny receipt or signing or

even ordering the product.



Nature of E-Commerce Transactions:

In e-commerce transaction, face-to-face contact between the

merchant and customer is absent and this causes most of the credit card

frauds. In online transactions, after filling in the online order form, the

customer is expected to give his credit card number to conclude the

transaction. In real world, after the purchase, the customer hands over

the credit card, which the merchant swipes using a terminal. The

merchant also obtains the signature of the customer on the credit card

receipt. He also verifies the charge authorization. In case of fraudulent

use of a card like using a stolen card, the merchant or the customer are

reimbursed by the credit card company. In online transactions, the card

is not present during the transaction and there is no signature of the

customer on the receipt. These transaction, treated as card not present

transactions, in which the card issuing companies do not reimburse the

merchant. In reality, speed, which is the most important benefit of the

Internet, facilitates the fraud. A physical transaction takes several

minutes; where as Internet transaction takes only a few seconds. Real-

time transaction reduces the overheads, but at the same time, increase

the number of fraudulent transactions. For example, a fraudster can give

the same fraudulent card number to a number of e-business sites

simultaneously and there is no way the merchants can know about it.



INFORMATION TECHNOLOGY RISK IN BANKING:

MANAGEMENT & MEASUREMENT

Information Technology (IT) is not merely a technical function, but a management

process, which needs to be managed effectively. To measure the IT risk in banks

there are various methodologies available. All of them at large follow the same

primary steps like threat analyst etc. for technology risk assessment; American

Banker Association has recommended various resources.

Risk management approach had widely the baseline approach in

which a baseline/ standard set of polices and practices are followed in

taking business decision without considering the criticality of the

business asset or decision. In business sense, risk is the probability of

getting loss from taking or not taking a business decision. The loss can

be tangible or intangible. Risks can be avoided, controlled, shared,

transferred and accepted. Risks can be controlled through objectives,

policies and procedures.

Risk management approach enables the management to give

appropriate treatment to the business assets and decisions based on their

criticality to business goals and business continuity. While the basic

concepts remain the same, Information Technology introduces new

vulnerabilities as well as new techniques for risk management. As such,



technology risk management, while following the fundamentals, needs

to address these new vulnerabilities.

Technology Risk Management

Information Technology Risk is the risk that can arise due to

use or non-use of technology in business or for business. The primary

objective of an organization and its ability to conduct business. The

business of IT in business is to see that the business continues. IT risks

management has to ensure that this purpose is achieved. As such IT risk

management process should not be treated as a mere technical function

carried out by the IT people and should not just confine to IT assets. It

is essentially a management function. However, the role of IT people is

also vital because IT security and IT risk management are interrelated

and an effective risk management process is an important component of

a successful IT security program.

The broad objective of performing IT risk management is to

enable the organization to achieve its business goals by better securing

the IT systems and enabling management to make well-informed risk

management decisions in areas where technology is involved.

IT risk management is to the process that helps to balance the

operational and economic costs of risk mitigation measures and achieve

gains by protecting the IT systems and data that support their

organization’s goals. A well-structured risk management methodology,



when used effectively, can help management identify appropriate

controls for providing the mission-essential security capabilities.

Various organizations worldwide have come out with risk

management frameworks, policies, standards and principles that are

quite useful in IT risk management and measurement.

The committee set up Bank for International Settlement (BIS) has

identified fourteen Risk Management Principles for Electronic Banking

to help banking institutions expand their existing risk management

policies and processes to cover their electronic banking activities.

Similarly, the Committee of sponsoring Organizations of the

Tread way Commission (COSO) Board and Project Advisory Council

took on the responsibility to expand and address the remodeled

components of internal control. The end product of this is the COSO

Enterprise Risk Management (ERM) Framework.

The Information Systems Audit and Control Association

(ISACA) has developed a framework called Control Objectives for

Information and related Technologies (COBIT) which helps in IT risk

management.

The ERM and COBIT frameworks provide a useful evaluation

tool for informing management, directors and other stakeholders about

a process, procedure and policy to identify, measure, prioritize and

respond to finding risk.

In India, RBI has been providing much guidance in this area to

Indian banks. There is a good number of references and guidelines

provide in the reports of various RBI Committees. The report of the

RBI Committee on computer audit provide a comprehensive checklist



covering many technology-related areas, which is useful in Technology

Risk Assessment.

Technology Risk Assessment/Measurement:-

Risk assessment/measurement is a process used to identify and

evaluate risks and their potential effect/exposure. Risk exposure is

equal to the amount of probability multiplied with impact on business.

Risk management covers three processes: Risk assessment, risk

mitigation, and evaluation. Risk assessment is the first process in the

risk management methodology and also is necessary for the extent of

the potential threat and the risk associated with an IT system throughout

is System Development Life Cycle (SDLC). The output of IT risk

assessment process helps to identify appropriate controls for reducing

or eliminating risk during the risk mitigation process.

Unlike financial risk, technology risk cannot be easily quantified

or measured. But, banks can gain financial and operational benefits by

conducting an effective Technology Risk Assessment (TRA). These

include enhancing corporate governance over IT activities, proactively

identifying vulnerabilities and implementing risk business imperatives,

and efficiently using corporate risk management resource, including

audit, in ensuring a cost-benefit control environment.

Threats to an IT system must be analyzed in conjunction with the

potential vulnerabilities and the controls in place for the IT system to

determine the likelihood of a future adverse event and its impact.



Impact refers to the magnitude of harm that could be caused by a threat.

The level of impact is governed by the potential impact on

organizational goals and, in turn, determines the level of criticality of an

IT asset/resource.

Technology Risk Assessment (TRA) Methodologies:-

The quality of the technology risk assessment affects the

effectiveness of risk-based decision of management. With the

increasing interest in operational risk management and concerns about

corporate governance, may proprietary enterprise risk-management

methods/solutions came in the market to help banks to meet the

assessment challenge. Since these methodologies are mostly developed

for and by traditional risk managers, they are generally weak in areas

relating to technology, although they provide an adequate perspective

from a credit, financial, and environmental standpoint.

Risk assessment methodology generally follows the following

primary steps:

Threat and Vulnerability Identification

Probability/Likelihood Determination

Impact Analysis

Risk Determination

Control Recommendations

Results Documentation



Technology Risk Assessment (TRA) methodologies are not

much different from general risk assessment methodologies and they,

too, follow these steps. However, the risk assessment tools would be

different in case of technology risk because to assess adequately and to

prioritize technology risk, the risk assessment tools must be

supplemented with methodologies specifically geared to technology.

As in the case of enterprise risk assessment tools, ready-made

methods and tools developed by vendors can be used for TRA also.

However, a number of challenges are involved in using these ready-

made tools like vendor methodologies which may not continuously

update the TRA throughout the year due to the costs involved; the

outsourced methodology/tool may not understand the bank’s specific

issues, etc.

The American Bankers Association lists the following

recommended resources for TRAs:

International Standards Organization (ISO) 17799 (ISO

Standards)

Control Objectives for Information Technology (COBIT)

SysTrust

Operationally Critical Threat, Asset and Vulnerability Evaluation

(OCTAVE)

National Institute of Standards and Technology (NIST)

These resources are inexpensive to implement and serve the

purpose in most cases. They are based on extensive research from

government and professional security experts and are vendor neutral.

These methodologies enjoy excellent reputation among corporate

governance experts.



A summary description of each of the above TRA methods is as

follows:

ISO Standards

The ISO along with the International Electro-technical

Commission forms the specialized system for worldwide

standardization. The stated purpose of the ISO standards is to “provide

a common basis for developing organizational security standards and

effective security management practice and to provide confidence in

inter organizational dealings.” Originally, developed in Britain, it is a

favored TRA approach in Europe. The standard is often referenced and

leveraged by other prominent methods and covers 10 areas namely,

Security policy, Communications and operations management,

Organizational security, Access control, Asset classification and

control, System development and maintenance, Personal security,

Business continuity management, Physical and environment security,

and Compliance.

COBIT

COBIT has been developed as a generally applicable and

accepted standard for good IT security and control practices that

provides a reference framework for IT governance. COBIT is

sponsored by the IT Governance Institute, established by the

Information Systems Audit and Control Association (ISACA), and



addresses risk from both the business and technology perspectives. It is

an internationally recognized tool, incorporating both operation

management and audit concerns, which have been adopted in

organizations including the US House of Representatives, Charles

Schwab & Co., and Swift.

The framework compromises 34 high-level control objectives

belonging to four domains. For each control objective, audit procedures

and management guidelines are provided. The latter guidelines uniquely

provide COBIT with a business management perspective; maturity

models, critical success factors, key goal indicators, and key

performance indicators are provided for each of the high-level control

objectives.

COBIT focuses on processes and their ownership. It provides

excellent methodology for various parts of an organization to have the

same perspective at IT risk management. However, COBIT is more of a

general assessment tool and detailed issues are to be considered in the

form of audit programs. As such some consider it to be too theoretical.

Sys Trust

The American Institute of Certified Public Accountants (AICPA)

and the Canadian Institute of Chartered Accountants (CICA) introduced

a service to provide assurance on the reliability of systems. The purpose

of this service, known as Sys Trust, is to increase the comfort of

management, customers and business partners with the systems that

support a business or particular activity. The service considers four

principles to evaluate whether a system is reliable.



Availability: The system is available for operation and use at

times set forth in service level statements or agreements.

Security: The system is protected against unauthorized physical

and logical access.

Integrity: System processing is complete, accurate, timely and

authorized.

Maintainability: The system can be updated when required in a

manner that continues to provide for system availability, security

and integrity.

Although, SysTrust was not necessarily developed as a risk

management tool, many organizations have found that the SysTrust

principles could be adopted as an effective RA tool since the principle

provide a stake holder’s perspective on the impact of technology on

business activities. The AICPA/CICA is currently considering a new

version of the SysTrust tool that would also incorporate e-commerce

activities. Under the revision, five principles would replace the four

above. Principles consider would include security, availability,

processing integrity, online privacy and confidentiality.

SysTrust provides good high-level questions for an overview on

overall reliability but may not provide detailed methods for intended

objectives. It is more of an executive level assessment perspective

rather than at operational level. However, it also has provision for third

party assessment and covers security also.



OCTAVE

Developed by the Software Engineering Institute (SEI) at

Carnegie Mellon University, OCTAVE is a comprehensive, self-

directed approach to TRA. It differs from traditional TRAs in that it

first determines which information assets really need to be protected

and then evaluates the technology infrastructure to determine the

vulnerability of those assets. OCTAVE presents an exciting TRA to

ORMs because the SEI is home to the CERT alerts and other

information relating to managing security vulnerabilities. This

robustness of tools, workshops, and publications relating to OCTAVE

significantly enhances an effective assessment by the ORM.

Specially, OCTAVE uses a three-phased approach to identify the

technology risk management needs of an enterprise:

Build asset-based threat profiles: Identify important

information assets, the threats to those assets, security and current risk

mitigation strategies.

Identify infrastructure vulnerabilities: Examine technology

infrastructure for vulnerabilities that can be compromised.

Develop security strategy and plans: Based on the results of the

first two phases, develop a strategy-based on business priorities to

mitigate risks.

OCTAVE is a full methodology with supporting tools and

leverages from a combination of academic research and industry

practices but, it is geared to larger institutions and the use of it without

formal training is difficult.



NIST

The Information Technology Laboratory (ITL) at the NIST in

USA is a body, which provides technical leadership for the nation’s

measurement and standards infrastructure. These include developing

standards and guidelines for the cost-effective security and privacy of

sensitive unclassified information in federal computer systems.

Like the other organizations mentioned previously, NIST

provides a detailed checklist of IT-related risk mitigation strategies that

should be assessed as a part of a TRA. In addition to its detailed

coverage of security issues, the checklist enables to determine if risk is

managed by using five “levels of effectiveness”.

1. Control objectives documented in a security policy.

2. Security controls documented as procedures.

3. Procedures have been implemented.

4. Procedures and security controls are tested and reviewed.

5. Procedures and security controls are fully integrated in to a

comprehensive program.

However, this is mostly followed by big government

organizations and following these methodologies could be too

burdensome in a smaller organization.



Chapter -VI

Data analysis



PRIMARY DATA & ITS ANALYSIS

The primary data has been collected through surveys in banks

(questionnaire) viz., Bank of Maharashtra, ICICI bank, HDFC bank.

Q.1) I.T. in banks is much more advanced than traditional banking?

Agree Disagree Fifty-Fifty

Section III.02 ANALYSIS: -

Bank of

Maharashtra

ICICI HDFC

AGREE 96% 98% 100%

DISAGREE 3% 2% 0%

FIFTY-FIFTY 1% 0% 0%



GRAPH: -

Bank of Maha-rashtra

ICICI HDFC94%

95%

96%

97%

98%

99%

100%

AGREE DISAGREE FIFTY-FIFTY

EXPLANATION: -

It is cleared from questionnaire method that every one agrees to

the statement “I.T. in banks is much more advance than traditional

banking”. Approximately ninety eight percent of bank employees agree

to the above statement.



Q.2) The ratio of online transaction v/s manual transaction.

1:2 2:1 Equal Can’t Say

ANALYSIS: -

Bank of Maharashtra ICICI HDFC

1:2 30% 0% 0%

2:1 60% 100% 100%

Equal 0% 0% 0%

Can’t Say 10% 0% 0%

GRAPH: -



HDFC ICICI Bank of Maha-rashtra

0%

20%

40%

60%

80%

100%

Can’t Say

Equal

2:1

1:2

Section III.03 EXPLANATION: -

According to the above data collected it is clear that

approximately ten percentage of employees says that the ratio of online

transaction v/s manual transaction is 1:2, eighty seven percentage says

it is 2:1, zero percent says it is equal & three percent cant say anything.

Q.3) Information technology in banks encouraging online frauds.

Yes No To some extent

ANALYSIS: -




Yes 90% 92% 98%

No 6% 5% 1%

To some extent 4% 3% 1%

GRAPH: -

Bank of Ma-

harash-tra

ICICI HDFC84%86%88%90%92%94%96%98%

100%

To some extent

No

Yes

Section III.04 EXPLANATION: -




approximately ninety three percent of employees says yes, four percent

says no and three percent says to some extent.

Q.4) Type of banking facility that will be friendly to illiterate

customer.

Online banking Manual-banking Both

ANALYSIS: -


Online banking 2% 0% 0%

Manual banking 97% 98% 100%

Both 1% 2% 0%



GRAPH: -


ICICI HDFC0%

20%

40%

60%

80%

100%

0.0

2

0 0

0.9

70

00

00

00

00

00

01

0.9

8

1

0.0

1

0.0

2

0

Online banking Manual banking Both

EXPLANATION: -


approximately ninety seven percent of employees says that manual

banking type of facility is friendly to illiterate customers, two percent

says online banking and one percent says both online as well as manual

banking is friendly to the illiterate customers.



Q.5) In what way I.T. in banks affects the work of the employees.

Increases the work Decreases the work

Same at both levels

ANALYSIS: -


Increases the work 45% 30% 40%

Decreases the work 50% 63% 55%

Same at both levels 5% 7% 5%

GRAPH: -




ICICI HDFC0%

20%

40%

60%

80%

100%

120%

0.4

5 0.3

0.4

0.5

0.6

30

00

00

00

00

00

05

0.5

5

0.0

5

0.0

7

0.0

5

Increases the work Decreases the work Same at both levels

EXPLANATION: -


approximately thirty eight percent says I.T. in banks increases the work

of the employees, fifty six percent says decreases the work and six

percent says it is same at both the levels.



Q.6) Does I.T. in banks increasing the cost of banking operations /

banking transaction.

Yes No Equal

ANALYSIS: -


Yes 98% 94% 100%

No 2% 5% 0%

Equal 0% 1% 0%

GRAPH: -




ICICI HDFC91%92%93%94%95%96%97%98%99%

100%

0.9

8

0.9

40

00

00

00

00

00

01

1

0.0

2

0.0

5

00 0.0

1

0

Yes No Equal

EXPLANATION: -


approximately eighty seven percent of employees says yes i.e. I.T.

increases the cost of banking operations or banking transactions, two

percent says no and one percent says equal.



9. SECONDARY DATA AND ANALYSIS

Article IV.

Article V. Indian Scenario

Major players in the Indian Market

Banks No. of cards in lakhs

Citibank

Stan Chart

SBI-GE

2010 2011

16

14

9

20

18

13

According to an analyst, it is estimated that the Indian smart card

industry is growing around 45% annually, would reach the size of $6 bn

by 2010. In the next five years, the number of smart cards being used in

the country can touch 400 million from around 50 million cards today.

To standardize the smart card, the Government has recently

standardized the technical aspects of smart cards. An operating system

called “SCOSTA” (Smart Card Operating System for Transport

Application) developed by IIT Kanpur has been chosen as the standard

operating system for transport-related projects. India is planning to

issue smart card based identity cards to citizens. State Governments are

also planning to issue smart card based driving licenses. Kerala recently

tried a ration card project at Thiruvananthapuram. But the lack of



resources with state governments may halt many such projects. States

like Kerala have stopped several smart card related projects due to

resources crunch.

“ It is the market for SIM cards for mobile phone that is growing

faster in India-at about 70-80% annually. Once the National Identity

Card project is launched, the demand for smart cards will skyrocket,”

opines Sanjay Dharwadkar, Head of Systems Marketing, Smart Chip

Ltd.



Chapter-VII

Conclusion

10. FINDINGS AND CONCLUSIONS

According to the survey conducted in Bank of Maharashtra, ICICI

Bank & HDFC Bank, the following points are concluded:



1. I.T. in banking sector is much more advanced than traditional

banking.

2. Online transactions are widely used than manual transactions.

3. Manual banking facility is more friendly to illiterate customers.

4. I.T. in banks to some extents reduces the work of employees.

5. I.T. in banks to some extent encourages online frauds.

6. Online banking is much more costlier than manual banking. It

increases the cost of banking operations.

7. Online banking facility can lead to progress of the banking

sector.



Chapter -VIII

Suggestions

11. SUGGESTIONS AND RECOMMENDATIONS



1. Some highly advanced softwares / programs should be

implemented in banking sector in order to prevent hackers and frauds.

2. Online banking operations cost or banking transaction cost should be

reduced so that middle class customer can have access to online

banking facility.

3. Further research can be done in topics related to this project viz.,

software application in banking sector, technology and frauds.

4. Awareness programs related to online banking for middle class

people.



Chapter-IX

Bibliography

BIBLIOGRAPHY

Article VI. REFERENCE RELATED TO BOOKS

Katuri Nageshwara Rao & Yashpaul Pahuja, (2005), ‘IT IN

BANKS – EMERGING TRENDS’



Kamlesh k Bajaj & Debjani Nag, ‘ELECTRONIC

COMMERCE- THE CUTTING EDGE OF BUSINESS’,

Delhi, Tata McGraw Hill Publishing Co. Ltd.

Section VI.01 JOURNALS AND MAGAZINES

Ravi Kumar Sharma, ‘PROFESSIONAL BANKER’, Nov.2005.

Section VI.02 RESEARCH REPORTS

THE EFFECT OF INFORMATION AND COMMUNICATION

ON THE BANKING SECTOR AND PAYMENT SYSTEM

-BY ARBUSSA REIXACH

INTERNET BANKING

COMPTROLLERS HANDBOOK

Section VI.03 INTERNET

www.banknetindia.com

www.microsoft.com


http://www.banknetindia.com/

Economy & Finance

It in banking