Thursday, 22 December 2011

Is Online Banking System Of India Cyber Secure?

Cyber security in India is still not taken seriously by its various stakeholders. Whether it is governmental departments, financial institutions, banks or private companies, none of them has taken cyber security seriously so far. An implementable national cyber security policy of India is also missing. In the absence of a national cyber security policy, cyber security has not been suitably adopted by the various stakeholders. There is not even a legal framework for cyber security in India.

Cyber security for banking and financial sectors of India is urgently required as they perform very crucial functions. Realising the necessity of ensuring cyber security for these sectors, the Reserve Bank of India (RBI) has in the past constituted a working group on information security. RBI issued a “notification” asking the banks of India to comply with its recommendations.

As per RBI’s recommendations, all banks should create the position of chief information officer (CIO) as well as steering committees on information security at the board level at the earliest. However, banks of India have shown no willingness to incorporate cyber security into their day to day functions. Till now the directions of RBI to appoint CIOs and steering committees have not been followed by banks of India. The recommendations of the RBI have still not been implemented. Naturally, Indian banks are poor at developing cyber security policies and implementing them.

Cyber Security Policy is an issue that is very important for Banks of India, says Praveen Dalal, managing partner of the New Delhi based ICT law firm Perry4Law and a leading cyber law expert of India. With the growing use of Internet Banking, ATM machines, Credit and Debit Cards, Online Banking, etc, Banks of India must also upgrade their Cyber Security Infrastructure and establish a Cyber Security Policy, suggests Dalal.

For example, Citigroup recently confirmed a cyber attack upon its network. It is also well known that timely and appropriate cyber due diligence could have prevented such attacks, as well as the various cyber frauds that are growing in the banking sector of India.

A few more areas that Indian banks must keep in mind include cyber security due diligence for banks in India, e-discovery for due diligence for banks in India, cyber law compliance, ATM frauds and phishing attacks, etc. However, the big question is whether Indian banks are ready for cyber due diligence.

In the past, RBI imposed penalties upon 19 banks for non-compliance with prescribed standards. Similarly, RBI has also directed that any strictures passed against directors of a bank by any financial sector regulator must be reported to it. Non-compliance with the recommendations of the RBI working group may attract both penalties and strictures. However, banks in India are least bothered regarding cyber law and cyber security due diligence in India. Time and again instances of cyber crimes and cyber breaches are reported in India, and the position remains the same.

For instance, Yash, a chief technology officer at a cyber-security startup firm, has developed a proof-of-concept virus to attack ICICI Online banking using the man-in-the-middle / man-in-the-browser attack method. It shows what such an attack can do to an online banking customer who uses the ICICI online banking facility and how it can result in financial loss.

A video also shows how the virus can control the user's Internet Explorer and manipulate ICICI Bank transactions in real time. The user is unaware that a virus is running: he logs into ICICI Online banking and performs an online transaction, and the virus modifies the destination payee information in real time and redirects the funds to an attacker's account without the knowledge of the user. The same virus can be extended to any browser.
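The payee swap described above succeeds because the bank trusts what the browser submits, while the customer trusts what the browser displays. The following added example (not from the original post, the author of the proof of concept, or ICICI Bank) models that gap and the standard mitigation: a confirmation code sent out of band that is bound to the payee and amount the bank actually received. All accounts, keys and transaction ids in it are constructed placeholders.

```python
import hashlib
import hmac

# Constructed demo secret held only by the bank backend, never in the browser.
BANK_KEY = b"constructed-demo-key-not-a-real-secret"
INTENDED_PAYEE = "DEMO-PAYEE-1111"      # constructed sample accounts
ATTACKER_PAYEE = "DEMO-ATTACKER-9999"


def browser_hop(request: dict, tamper: bool) -> dict:
    """The request as it leaves the browser. When tampered, the payee in the
    request differs from the payee the page still shows the customer."""
    sent = dict(request)
    if tamper:
        sent["payee"] = ATTACKER_PAYEE
    return sent


def bound_code(txn_id: str, payee: str, amount_paise: int) -> str:
    """Six-digit code derived over the transaction fields the bank received."""
    msg = f"{txn_id}|{payee}|{amount_paise}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def transfer(intent: dict, tamper_initiate: bool, tamper_confirm: bool) -> str:
    """Two-step transfer. Returns the payee paid, or why the transfer stopped."""
    # Step 1: browser sends the transfer; the bank derives the code over what it
    # received and sends it out of band together with payee and amount in clear.
    initiated = browser_hop(intent, tamper_initiate)
    oob = {"payee": initiated["payee"], "amount": initiated["amount"],
           "code": bound_code(initiated["txn_id"], initiated["payee"], initiated["amount"])}
    # The customer compares the out-of-band text with what they meant to do; the
    # browser cannot rewrite that channel, so a step-1 swap is visible here.
    if (oob["payee"], oob["amount"]) != (intent["payee"], intent["amount"]):
        return "ABORTED_BY_CUSTOMER"
    # Step 2: the customer types the code into the browser; the confirmation
    # request may be tampered as well (payee swapped after the code was issued).
    confirm = browser_hop({**intent, "code": oob["code"]}, tamper_confirm)
    expected = bound_code(confirm["txn_id"], confirm["payee"], confirm["amount"])
    if not hmac.compare_digest(expected, confirm["code"]):
        return "REJECTED_BY_BANK"    # code was issued for different fields
    return confirm["payee"]


def session_otp_transfer(intent: dict, tamper: bool) -> str:
    """Contrast: an OTP that only proves login or presence. The bank executes
    whatever payee arrived, so the swap succeeds silently."""
    return browser_hop(intent, tamper)["payee"]
```

The contrast is the point: a login or session OTP proves the customer is present but says nothing about the fields the bank received, so the swap goes through, whereas the bound code is rejected or the customer aborts.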

An integrated modern banking law for India is in the pipeline, and it would be a good idea to make it techno legal in nature so that it can address cyber crimes and cyber security more effectively. Corporate and banking laws in India are in the process of being streamlined. RBI has even issued a notification prescribing enhanced due diligence measures for high-risk customers in India.

Banks in India need to adopt techno legal measures to prevent ATM and other similar financial frauds and cyber crimes. Further, cyber due diligence training for bank employees can also be beneficial in this regard. Banks must also appoint steering committees and CIOs as soon as possible.

Cyber due diligence for banks in India should be made mandatory by RBI and through the various pending and existing legal frameworks. Cyber law due diligence in India is already applicable to banks of India in certain circumstances, and these liabilities are going to become more stringent in the near future. The sooner the banks adopt these due diligence practices, the better it would be for them.


  1. Hi,

    The false and misleading 'proof of concept' mentions the exploit by a Trojan (man in the middle/man in the browser) which attacks a user's computer. It is evident that the author has no understanding of the Bank's security controls and processes on the internet banking portal. The Bank has identified and adequately dealt with such a risk & provided for mitigating controls (which have also been checked through independent sources) and takes this opportunity to reassure its internet banking customers of the safety and security of the Bank's internet banking portal. Hence, this 'proof of concept' is totally baseless and misleading, and done with some ulterior motives. The author is a software developer & has published similar content for other banks as well and appears to be seeking attention for his own gains.

    ICICI Bank Team

  2. Hi

    Thanks for your comment. However, it would have been better if the same was written from an authentic and official source. Presently, your comment is showing blogger profile and nothing more. On the contrary, the author of the code has provided his official website and more authentic information.

    Without vouching for the authenticity of the claims of either ICICI Bank or the security professional, we feel that by not repudiating the claims of the author of such code through an official channel, you are not denying the facts/assertions of the code writer in the manner it should be done.

    Anyway thanks for your viewpoint. But we are constrained from announcing it as the official response of ICICI bank till it comes from an official source.