Evolution of Security Standards in Indian Banking Industry


V.Radha
IDRBT
The chronology of events (1999-2004)
• IDRBT set up INFINET
• Hyperchat was the only application
• It is VSAT-based
• Banks were using Novell-based network applications
• IP was enabled on INFINET, and banks' internal LANs could be connected
• MMS launched
• Novell was very late in bringing IP to NetWare. Today there are few or no Novell applications in the banking industry.
• IDRBT CA
• SFMS
• NEFT
• NFS
Institute for Development and Research in Banking Technology
Monday, October 29, 2018

First few threats and countermeasures
• Very low knowledge of networks (even IP addressing, routing, etc.)
• Even Internet IP addresses generated by DNS requests from browsers used to hit INFINET and bring down the whole of INFINET.
• Banks were guided to connect to INFINET through routers with NAT, proxies, firewalls, etc.
• MMS was hacked
• IS Audit was mandated
• CISA certifications were encouraged
• Internet Banking required RBI permission
• Training programs on INFINET, network security, MMS, etc. were launched

Recent Initiatives
• VAPT from CERT-empanelled IS auditors
• IS Governance and IT Governance from IDRBT
• Gopala Krishna Committee Guidelines on Security, Cybercrime, etc.
• PCI-DSS
• Mobile Banking Security Guidelines

Security
• Security Problems
  – Man-made
    • Created by faulty design and implementation issues
      – Phishing
      – Spoofing, etc.
      – Majority of attacks listed in OWASP
    • Crossing lines of “not supposed to”
      – Unauthorized access
      – Tampering with data
  – Natural
    • Identity Management
    • AAA
    • Secret Sharing, etc.
Solutions
• Strengthen the weak protocols, software, OS, implementations, etc.
• Prevent security threats from manifesting, as far as possible
• Monitor events that cross the lines of “not supposed to”

New thoughts
• Looked at phishing and anti-phishing solutions
  – Very little can be done from the banks’ end on this
  – Solutions like SPF have to be implemented by everyone, not just by banks.
  – Domain-specific passwords are a very good solution, but have to be part of browsers
  – The majority of phishing techniques, like lookalike domain names, URL redirection, etc., are taken care of by browsers
  – Banks are asked to deploy adaptive authentication over and above 2-factor authentication (monitoring solution)

Source Code Review
• As many vulnerabilities are due to bad coding, we felt the need to mandate source code review for application vendors. We also observed that product vendors, such as OS and database vendors, have framed their own in-house frameworks for ensuring safe and secure software.

Formal Methods
• New Payment Protocols
• Design-level verification is a must before deploying the protocol
• New Privacy Issues in Mobile Telephony: Fix and Verification, by Ravishankar Borgaonkar et al.

Data Privacy
• Some cases of corporate espionage
• Some banks are setting up Data Governance Groups
• Groups include HNI and corporate customers and solution vendors, along with the bank's CISO

Business Process Re-engineering
• Dematerialized Deposits
• Online Deposit verification
• Straight-through Processing – Automated Data Flow
• Online Lending Platforms

Education
• Most security problems are thrown into the courts of solution vendors (network, application, etc.)
• Banks can resolve them only if they are knowledgeable
• Network Security, IS Audit, IS & IT Governance, Secure Coding practices, Fraud Detection and Monitoring, etc. help equip them with the latest know-how.

Human Resources
• Banks are increasing the number of specialist technical officers in Scale I and Scale II, through campus recruitment as well
• IDRBT M.Tech (IT) with UoH, 100% placement
• We envisage that the future generation of bank employees will come up with new innovations and appreciate government and regulatory policies for benefiting from technology, with little or no resistance

Thank You
