Fighting Bank Fraud in India: Essential StepsSecurity Experts Discuss Need for Better Risk Management
Fraud associated with online, ATM, credit card and debit card transactions in India increased in every quarter last year, with 40 percent of the cases occurring in the final quarter of the year, says Ravi Shankar Prasad, India's IT minister. For the full year, there were over 22,700 cases of fraud, according to the Reserve Bank of India.
See Also: Threat Intelligence - Hype or Hope?
Following this finding, government and security leaders have been reviewing the financial sector's security posture as the nation moves toward a cashless economy.
Although many security leaders say this level of fraud is relatively low considering the huge number of transactions, they say that fraud will escalate as attacks become more sophisticated unless appropriate security controls are deployed.
"The rise [in fraud] is because of India's drive towards a cashless economy sans preparation by banking institutions for establishing the right security controls and increasing awareness," says banking consultant Dr. Onkar Nath , the former CISO of Central Bank.
Security experts say Indian banks need to take a more agile risk management approach and make adequate security investments in real-time monitoring tools for better visibility.
Commenting on the fraud report, Prasad says: "RBI and various ministries or departments of the government will review cybersecurity developments and threats on an ongoing basis and take measures necessary to strengthen cyber resilience."
RBI has formed an interdisciplinary Standing Committee on Cybersecurity to review threats in existing and emerging technologies, study adoption of various security standards and protocols, interface with stakeholders and suggest appropriate policy interventions.
Meanwhile, the government is reviewing the security posture of the banking industry and is evaluating the parameters to set up a Fin-CERT soon, Shankar says.
RBI, in a statement to the ministry of electronics and information technology, or MeitY, noted that online transaction fraud for last year through Dec. 21 involved totalled over Rs. 16, 789 crore, which is a substantial increase compared to the previous year.
Meanwhile, in its new Annual Fraud & Risk report 2017-18, Kroll, a corporate investigations and risk consulting firm, says India's corporations witnessed a significant increase in online fraud, with 89 percent of executives confirming their companies experienced at least one fraud in the past year, up from 68 percent in 2016.
And consumer credit reporting agency Experian's most recent "Global Fraud and Identity Report," released Jan. 24, found that 72 percent of businesses globally say fraud is increasing. The report found that 76 percent of Indian businesses experienced the same or more online fraud losses in 2017 compared to 2016.
Reasons for Security Gaps
Y. V. Ramana Murthy , GM and group CISO of State Bank of India, offers an assessment of the security challenge: "More platforms are included in the banking ecosystem; there's an increase in the surface area of attack. Besides, with the change of payment ecosystem, multiple parties are involved in every transaction resulting in greater vulnerabilities."
Sriram Natarajan , COO and former chief risk officer at Quattro, a BPO organization, notes: "The biggest gap is the human one; most frauds occur due to social engineering and employees having a cavalier approach in sharing passwords/ PINs and other personal information."
Some key priorities for CISOs, Murthy says, include:
- Protecting the digital environment from unauthorized access/usage;
- Ensuring protection of data across the digital ecosystem at various stages of the data life cycle;
- Guarding against privacy breaches resulting from internal or external activity;
- Adhering to statutory requirements including technology laws, sectoral laws and regulations;
- Minimizing the risk of disruptions in operations or unavailability of services due to high dependency on tightly coupled technology.
Need for Investments
While adhering to standards, including PCI DSS, ISO 27001 and GDPR, is essential, financial institutions must making adequate security investments to build customer confidence.
"Since we are fighting against bots and other sophisticated forms of fraud, deploying big data and real-time monitoring tools is as essential as creating visibility into systems," Natarajan says.
Banks must focus on training more information security professionals and making sure they are qualified to report to the board of directors about security's role, Nath says.
SBI's Murthy says high-velocity identification, containment and eradication of intrusions is critical.
RBI has issued guidelines requiring banks to have a board-approved cybersecurity policy, a cyber crisis management plan, a gap assessment, robust vendor risk management and reporting of unusual cybersecurity incidents within two to six hours. But some security experts contend banks have made relatively little progress on boosting security. They point out, for example, that too many banks still rely on passwords as the top form of authentication.
Experian's report, however, found that about 87 per cent of Indian enterprises are interested in more advanced security measures and authentication.
Natarajan says CISOs must focus on technologies that improve both detection of anomalies and access control.
Organizations should develop advanced preventive control mechanisms and invest significantly in breach detection capabilities because cyberattackers are becoming more sophisticated, Murthy says.
"A more agile cyber risk management approach may enable ecosystem participants to harness the ongoing digital revolution to their advantage," he adds.