Banks lax with credit card security: Survey

Banks lax with credit card security: Survey

A new survey of security in Indian banks has revealed that many of them do not follow even basic measures to ensure card security or protect your personal information.

The next time you swipe your debit card at a petrol bunk, use a credit card to buy a movie ticket or pay a bill online, do it at your own risk. A new survey of security in Indian banks has revealed that many of them do not follow even basic measures to ensure card security or protect your personal information.

{mosimage}The survey finds that banks in India lag in security of cards transactions. "Against the backdrop of well known global cases of card breaches, it is surprising to note that basic measures for ensuring card security have not been adopted by many of the banks," points out the survey done by the Data Security Council of India and KPMG, under the aegis of CERT-In (Computer Emergency Response Team), the cyber security wing of the ministry of information technology.

In all, 20 public sector, private and foreign banks were surveyed and their chief information security officers (CISOs) interviewed for the study. The survey found that banks still follow highly risky practices such as storing and printing authorisation information like CVV numbers and expiry dates, and non-masking of card numbers. Merchants are allowed to create card records in plain text. All such practices followed by banks are "non-conformant to globally accepted practices for card security," the survey report states.

Most banks have put in place security provisions such as SMS alerts, a separate transaction password and a virtual keyboard for online banking, but this is not enough. According to the study, the banks have still not introduced features that will make card transactions secure such as one-time-password (a dynamic token), an identity grid and risk-based authentication.

Such additional security features are necessary because in an electronic card payment system, data is directly accessed and processed by customers, service providers as well as other partner institutions. While an integrated environment like this has made the banking experience smooth for customers, it has introduced new risks.

The survey says that while most banks enforce basic 'hygiene factors' like enforcement of password policy, password change at first login, account lockout and session timeout, some of them do not enforce expiry of password after a stipulated time. Technology systems in 37 per cent of surveyed banks require download of external applications or mobile code, which increases vulnerabilities. Most CISOs interviewed felt that managing security of online banking remained challenging task.

When it comes to privacy of customer data, the scenario is worse. Though the IT (Amendment) Act, 2008 has provisions for privacy of data, concrete systems for customers' privacy protection are yet to be implemented by many banks, the study says. Almost 80 per cent of the banks surveyed did not have a separate privacy function. Three-quarters of the banks surveyed had security teams comprising less than 10 people.

Survey results indicate that banks are constantly being exposed to sophisticated, organised and financially motivated threats and customers are being targeted through phishing, vishing and smishing attacks. Yet banks don't have mechanisms in place to track fraud and continue to largely depend on incidents being reported by customers and employees.

Internal management systems of banks are also not fully geared for the digital age. "Information security has no or minimal role in fraud management. The silo in the security and fraud management role would lead to a significant gap in banks' effort to curb financial frauds as security compromises are seen as a tool for committing financial frauds," the study says.

Information security is still seen as an IT-centric function, in contrast to global trend of positioning security as an important corporate function. The only silver lining, according to the study, is that most banks have in place appropriate protocols to ensure security of payment gateways.

Banks also encrypt card numbers and other confidential data during storage and transit. "The significance of data protection and privacy has been underscored in the IT Act, but understanding of this issue in many banks is still lacking," said Dr Kamlesh Bajaj, chief executive officer, DSCI. "Banks also need to understand the key role chief information security officers should be made to play in their overall business strategies."

Lack of adequate security and data protection measures can make customers vulnerable to attacks from fraudsters and could result in hacking or misuse of their bank and credit card accounts. The survey reveals that banks do not feel constrained due to inadequate budgets or technical skills for information security.

But they seem to be neglecting security issues due to "increasing omnipresence of banking services and endeavour to enhance customer experience", the report notes.

Banks must align internal policies, procedures and deploy technology safeguards for protecting sensitive personal information, it is suggested. Survey results reveal that understanding of data privacy in the banking sector is growing with over half of the respondents being aware of privacy principles and roles and entities for data protection.

However, data privacy has not yet fully permeated into the banking sector. Implementation of specific measures like formulation of privacy policies, privacy impact assessments and embedding of data privacy in business processes have not gained significant traction, the report pointed out.

With the customer base of banks growing, the study says, it is the responsibility of banks to make consumers aware of security issues. Some banks have launched media campaigns, but more needs to be done.

Courtesy: Mail Today 

Published on: Feb 08, 2011, 10:28 AM IST
Posted by: Surajit Dasgupta, Feb 08, 2011, 10:28 AM IST