“We have tied up with ISPs for countering DDoS attacks and we are closely working with regulators and dedicated agencies like Cert-IN and IDRBT to identify such attacks early and thwart them in time,” says P Sitaram, Executive Director, IDBI Bank. In conversation with Ankush Kumar, Sitaram shares his thoughts on the criticality of ever-increasing cyber threats in the banking sector and the key steps that IDBI has taken to mitigate them.
Edited excerpts:
What are the key security measures that your bank has taken for safeguarding customers’ privacy and data?
The security of IDBI’s online banking is achieved through prudent security practices, i.e. security access codes (user ID and password), privacy of data transfer through encryption (SSL 128-bit encryption protocol from Entrust), firewalls (which allow customers access to particular services while at the same time denying access to systems and databases holding classified bank data and information), security of personal information, session time-out, etc. The bank uses a two-factor authentication mechanism via OTP to ensure that transactions are secured. Privacy of customers’ information is secured from both internal and external access. The bank has implemented a Data Loss Prevention (DLP) tool to alert on any leakage of information.
IDBI Bank regularly conducts awareness sessions for employees to sensitize and educate them about safeguarding customers’ privacy and data. IDBI Bank has also deployed a data leakage prevention tool to check and prevent any data leakage from the bank’s environment.
What has been the biggest security challenge for banking CIOs/IT heads in recent times?
In recent years Distributed Denial of Service (DDoS) attacks have become a mainstream threat to businesses, governmental agencies and critical infrastructure worldwide. DDoS attacks have grown in complexity, volume and sophistication. A DDoS attack is a distributed challenge in which spurious or fake packets are sent to the victim in abnormally large numbers. A DDoS attack attempts to block important services running on the victim’s server by flooding that server with packets.
The difference from DoS is that a DDoS attack does not originate from a single host or network but from multiple hosts or networks, which might already have been compromised. IDBI Bank has tied up with internet service providers for DDoS/DoS mitigation and is closely working with regulators and dedicated agencies like Cert-IN and IDRBT to identify such attacks early and thwart them in time.
How is IT being used by your bank for better customer service delivery?
IDBI Bank’s customer-centric orientation in product constructs and service delivery is reflected in its vision and mission statement. The mission of IDBI Bank is to delight customers with excellent service and a comprehensive suite of best-in-class financial solutions to achieve the vision of being the most preferred and trusted bank by enhancing value for all stakeholders. IDBI Bank endeavours on a sustained basis to adhere to this corporate philosophy at each customer touch-point. IDBI provides services to customers through a wide network of branches and ATMs. Further, customers can transact through Net, Mobile, POS, etc., and can make various utility payments through these channels. IDBI Bank is one of the first banks to provide its customers with an online portal through which both direct and state taxes can be paid. IDBI Bank monitors customer satisfaction on an ongoing basis through a feedback form hosted on its website. This enables customers to rate IDBI Bank and provide suggestions for improvement. IDBI Bank’s revamped website not only offers a more user-friendly web interface and a better navigation experience to its visitors, but also includes an innovative tool for locating the bank’s branches and ATMs.
Tell us about the steps that have been taken to safeguard the digital assets of the bank and customers’ accounts.
IDBI’s Information Security Policy is based on the recommendations of the RBI-appointed Gopalakrishna Committee on information security, electronic banking, technology risk management and cyber frauds. The policy and processes in the bank are implemented very judiciously. The IT infrastructure and systems are implemented within a robust Information Security framework. IDBI Bank’s Centralised Data Centre and Disaster Recovery Site have been accredited with the latest ISO 27001:2013 certification, a reputed information security certification.
IDBI Bank is one of the first banks to have built a near DR site to reduce RPO to zero. Measures to enhance the security levels for taking effective action against ‘phishing’ attacks are in place. Apart from conducting regular information security awareness programmes for employees, various information security precautions are communicated to the customers. IDBI Bank is taking the necessary steps to enhance safety, security and efficiency in banking processes. As such, no event of hacking of customer accounts/data has occurred in the bank, and it has adequately safeguarded its digital assets.
Online banking and mobile banking are yet to gain momentum in India due to increasing security threats. Are your platforms secure enough?
IDBI Bank’s Go Mobile app is a highly secure platform and requires two-factor authentication in the form of a dynamic OTP for each and every transaction. The MPIN created by the user is securely encrypted on the mobile handset. No account information or other account-sensitive credentials are stored on the mobile phone, making it completely safe and secure. These measures help boost customer confidence in banking with us.
Security issues will keep growing in the future. Are the banks in India well prepared? What is required to be done?
As hacktivists and even enemy states keep coming up with newer attack vectors like zero-day attacks, DDoS and newer lethal malware which create havoc, they would be ahead of the mitigants that organizations put in place. It is very important now that a joint, collaborative effort is made by all affected organizations to thwart the attacks in time. It is also being realized that only a market-wide response can provide serious, long-term answers to the global industry challenges caused by cyber threats to banking.
The Government has set up the National Critical Information Infrastructure Protection Centre (NCIIPC), which works as an organization that provides various guidelines for protecting the critical information infrastructure (CII) of the country. The banking industry has been identified as CII, and NCIIPC makes efforts to alert the CIIs in advance. Cert-IN is also collaborating with NCIIPC in advising CIIs. IDRBT too, under the advice of RBI, has set up a collaborative forum of CISOs from the banking industry where information and the mitigants/technologies used are freely exchanged, and thus banks are better equipped to manage any security risk.