
A

DISSERTATION ON
“Role of IT, Data Security and Privacy Issues
In Banks”
DISSERTATION PROJECT REPORT

SUBMITTED TOWARDS PARTIAL FULFILLMENT OF

POST GRADUATE DIPLOMA IN BUSINESS MANAGEMENT

(Approved by AICTE, Govt. Of India)

(Equivalent to MBA)

ACADEMIC SESSION

2009 – 2011

Under the guidance of


Prof. Sachin Malhotra
Chairperson-PGDM_IT
IMS Ghaziabad

BY: -
Gangadhar G
BM_09073

INSTITUTE OF MANAGEMENT STUDIES


LAL QUAN, GHAZIABAD

ACKNOWLEDGEMENT
It is arduous to pen down the extent of my feelings, yet through this
acknowledgement, I wish to convey my deepest regards and gratitude towards those
who helped me to carry out and present this work.

I am grateful to Dr. R. K. Bharadwaj (Director, IMS Ghaziabad) and
Prof. Sachin Malhotra (Chairperson, PGDM-IT) for providing me an opportunity
to work on this project and also for his valuable guidance, constant encouragement and
the constructive criticism he provided, without which it would have been impossible
to complete this project.

I take this opportunity to thank all the customers and employees of different banks
who spared their precious time to provide me with valuable inputs for the project, without
which it would not have been possible.


CERTIFICATE

This is to certify that Mr. Gangadhar G, a student of Post Graduate Diploma in
Management from Institute of Management Studies, Ghaziabad, has completed his
Dissertation project report titled “Role of IT, Data Security and Privacy issues In
Banks” under my guidance and supervision. I wish him all the best in his future
endeavors.

This work has not been submitted anywhere else for any other degree/diploma. The
assistance and help received during the course of investigation and the sources of literature
have been duly acknowledged. During his tenure at the project, he was found to be
sincere and meticulous in his work. I appreciate his enthusiasm & dedication
towards the work assigned to him.

I am hopeful that he will prove to be a good professional and wish him grand success
for the future.

Prof. Sachin Malhotra


Chairperson PGDM_IT
IMS GHAZIABAD


CANDIDATE’S DECLARATION

I hereby declare that the work that is being presented in the summer project entitled
“Role of IT, Data Security and Privacy Issues In Banks” under the guidance of
Prof. Sachin Malhotra, Chairperson PGDM_IT, IMS Ghaziabad, is genuine work
done originally by me and has not been published or submitted elsewhere for the
requirement of a degree programme. Any literature, data or works done by others and
cited within this report have been given due acknowledgement and listed in the
reference section.

Gangadhar G _________________________
(Student's name and signature)

TABLE OF CONTENTS

1. INTRODUCTION
2. OBJECTIVES OF STUDY
3. ROLE OF TECHNOLOGY IN BANKING
4. ADVANTAGES AND DISADVANTAGES OF TECHNOLOGY WRT BANKING
5. SECURITY ISSUES IN BANKING SYSTEMS
   A) INTRODUCTION
   B) POTENTIAL BANKING SYSTEM INTRUSIONS
   C) INTRUSION PREVENTION
6. TECHNOLOGY INITIATIVES TAKEN BY HDFC & SBI BANKS
7. RESEARCH METHODOLOGY
8. DATA COLLECTION AND REPRESENTATION
9. TEST STATISTICS
10. ANALYSIS AND FINDINGS
11. PROBABLE SOLUTIONS/ RECOMMENDATIONS
12. CONCLUSION, LIMITATIONS AND REFERENCES
13. QUESTIONNAIRE

LIST OF TABLES: -

TABLE 1 – Performance of work with the IT updation
TABLE 2 – Effectiveness of technology
TABLE 3 – Security to the Internet based transactions

LIST OF CHARTS: -

CHART 1 Showing the Performance of work with the IT updation
CHART 2 Showing the Effectiveness of technology
CHART 3 Showing the Security to the Internet based transactions

INTRODUCTION:
With the advent of dynamic technological transformation in each and every
field of operation, the resultant fruits of technology have been reaped by all segments
of the economy, and the banking sector is no exception to this. In fact, the banking
sector has been one of the major beneficiaries, although in some cases it was also an
adventurous one. While banks in India, particularly the new generation private sector
banks, have been at the forefront of seizing the advanced technological tools at an
aggressive rate of knots to improve the quality of deliverables to their clientele base
and to keep pace with some of the international banks, the old private sector banks and the
state-owned banks had to follow suit to retain their market share, lest they fall behind
as non-competitors and lose their preeminence in resources mobilization and credit
delivery.

Technology has opened up new markets, new products, new services and
efficient delivery channels for the banking industry. Online electronics banking,
mobile banking and Internet banking are just a few examples. Information
Technology has also provided banking industry with the wherewithal to deal with the
challenges the new economy poses. Information technology has been the cornerstone
of recent financial sector reforms aimed at increasing the speed and reliability of
financial operations and of initiatives to strengthen the banking sector. The IT
revolution has set the stage for unprecedented increase in financial activity across the
globe.

The progress of technology and the development of worldwide networks have
significantly reduced the cost of global funds transfer. It is information technology
which enables banks to meet the high expectations of customers, who are
more demanding and also more techno-savvy than their counterparts of
yesteryear. They demand instant, anytime and anywhere banking facilities. IT
has been providing solutions to banks to take care of their accounting and back office
requirements. This has, however, now given way to large-scale usage in services
aimed at the customers of the banks.

The banking environment has become highly competitive today. To be able to survive and
grow in the changing market environment, banks are going for the latest technologies,
which are perceived as an ‘enabling resource’ that can help in developing a leaner
and more flexible structure that can respond quickly to the dynamics of a fast-changing
market scenario. Technology is also viewed as an instrument of cost reduction and
effective communication with people and institutions associated with the banking
business.

The software packages for banking applications in India had their beginnings in the
middle of the 80s, when the banks started computerizing the branches in a limited
manner. The early 90s saw plummeting hardware prices and the advent of
inexpensive but high-powered PCs and services, and banks went in for what was
called Total Branch Automation (TBA) packages. The middle and late 90s witnessed
the tornado of financial reforms, deregulation, globalization, etc.

Information Technology enables sophisticated product development, better market
infrastructure, implementation of reliable techniques for control of risks and helps the
financial intermediaries to reach geographically distant and diversified markets,
coupled with rapid revolution in communication technologies and evolution of the novel
concept of convergence of communication technologies, like internet, mobile/cell
phones etc.

Technology has continuously played an important role in the working of banking
institutions and the services provided by them. Safekeeping of public money, transfer
of money, issuing drafts, exploring investment opportunities and lending drafts,
exploring investment being provided.

Information Technology enables sophisticated product development, better market
infrastructure, implementation of reliable techniques for control of risks and helps the
financial intermediaries to reach geographically distant and diversified markets.
Internet has significantly influenced delivery channels of the banks. Internet has
emerged as an important medium for delivery of banking products and services.

The customers can view their accounts, get account statements, transfer funds and
purchase drafts by just pressing a few keys. Smart cards, i.e., cards with a
microprocessor chip, have added a new dimension to the scenario. With the introduction of
‘Cyber Cash’, the exchange of cash takes place entirely through ‘Cyber-books’.
Collection of electricity bills and telephone bills has become easy.

The upgradeability and flexibility of Internet technology offer unprecedented
opportunities for the banks to reach out to their customers. No doubt banking services
have undergone drastic changes, and the expectations of customers from the
banks have also increased greatly.

IT is increasingly moving from a back office function to a prime assistant in
increasing the value of a bank over time. IT does so by maximizing banks' pro-active
measures such as strengthening and standardizing banks' infrastructure in
respect of security, communication and networking, achieving inter-branch
connectivity, moving towards a Real Time Gross Settlement (RTGS) environment, the
forecasting of liquidity by building real-time databases, and the use of Magnetic Ink Character
Recognition and imaging technology for cheque clearing, to name a few.

Indian banks are going for retail banking in a big way. The key driver of change
has largely been the increasing sophistication in technology and the growing
popularity of the Internet. The shift from traditional banking to e-banking is changing
customers' expectations.
In view of the ever increasing cyber crimes being perpetrated on banks, it has
become imperative for them to tighten their security systems in the context of the huge
and valuable database at their disposal, and to plug all possible loopholes to avoid
pilferage, theft and abuse by vested interests from both within and without. Online
banking channels are under threat of sophisticated and sustained attacks from
malicious sources. According to annual figures released by the UK Cards Association,
'phishing' attacks in the UK rose by 16 percent in 2009, resulting in the total amount
of online banking losses hitting 59.7 million, up 14 percent year on year.
Following on from the basic Trojans that existed for many years, online banking became
susceptible to 'man-in-the-middle' attacks, where the attackers place themselves
between the customers' machines and those of their banks, intercepting and modifying
online instructions from the customers for their own ends.

2. OBJECTIVES OF THE STUDY:

1. To assess the Role of Information Technology in the Public Sector Banks, Private
Sector Banks and Foreign Banks.
2. To assess the Perception of the Bank Employees towards the Implementation of
Information Technology in the Banks.
3. To find and analyze the basic issues and causes of data insecurity and privacy in
banks.
4. To find out and analyze the Technology readiness aspects followed in State Bank of
India and HDFC with respect to security and technological advancements.
5. To find the probable solutions to improve the data security and privacy in banks.

3. ROLE OF TECHNOLOGY IN BANKING

Information Technology has basically been used under two different avenues
in Banking. One is Communication and Connectivity and other is Business Process
Reengineering. Information technology enables sophisticated product development,
better market infrastructure, implementation of reliable techniques for control of risks
and helps the financial intermediaries to reach geographically distant and diversified
markets.
In view of this, technology has changed the contours of three major
functions performed by banks, i.e., access to liquidity, transformation of assets and
monitoring of risks. Further, Information technology and the communication
networking systems have a crucial bearing on the efficiency of money, capital and
foreign exchange markets. Internet has significantly influenced delivery channels of
the banks. Internet has emerged as an important medium for delivery of banking
products & services. Detailed guidelines of RBI for Internet Banking have prepared the
necessary ground for growth of Internet Banking in India.

The Information Technology Act, 2000 has given legal recognition to creation,
transmission and retention of electronic (or magnetic) data to be treated as valid proof
in a court of law, except in those areas which continue to be governed by the
provisions of the Negotiable Instruments Act, 1881.
As stated in RBI's Annual Monetary and Credit Policy 2002-2003: "To reap the full
benefits of such electronic message transfers, it is necessary that banks bestow
sufficient attention on the computerization and networking of the branches situated at
commercially important centres on a time-bound basis. Intra-city and intra-bank
networking would facilitate in addressing the "last mile" problem which would in turn
result in quick and efficient funds transfers across the country".
1). Technology has opened up new markets, new products, new services and efficient
delivery channels for the banking industry. Online electronics banking, mobile
banking and Internet banking are just a few examples.
2). Information Technology has also provided banking industry with the wherewithal
to deal with the challenges the new economy poses. Information technology has been
the cornerstone of recent financial sector reforms aimed at increasing the speed and
reliability of financial operations and of initiatives to strengthen the banking sector.
3). The IT revolution has set the stage for unprecedented increase in financial activity
across the globe. The progress of technology and the development of worldwide
networks have significantly reduced the cost of global funds transfer.
4). It is information technology which enables banks in meeting such high
expectations of the customers who are more demanding and are also more techno-
savvy compared to their counterparts of the yester years. They demand instant,
anytime and anywhere banking facilities.
5). IT has been providing solutions to banks to take care of their accounting and back
office requirements. This has, however, now given way to large scale usage in
services aimed at the customer of the banks. IT also facilitates the introduction of new
delivery channels - in the form of Automated Teller Machines, Net Banking, Mobile
Banking and the like. Further, IT deployment has assumed such high levels that it is
no longer possible for banks to manage their IT implementations on a stand-alone
basis. With the IT revolution, banks are increasingly interconnecting their computer
systems not only across branches in a city but also to other geographic locations with
high-speed network infrastructure, and setting up local area and wide area networks
and connecting them to the Internet. As a result, information systems and networks
are now exposed to a growing number

TECHNOLOGY PRODUCTS IN A BANKING SECTOR:


1. Net Banking
2. Credit Card Online
3. Instant Alerts
4. Mobile Banking
5. e-Monies Electronic Fund Transfer
6. Online Payment of Excise & Service Tax
7. Phone Banking
8. Bill Payment
9. Shopping
10. Ticket Booking
11. Railway Ticket Booking through SMS
12. Prepaid Mobile Recharge
13. Smart Money Order
14. Card to Card Funds Transfer
15. Funds Transfer (eCheques)
16. Anywhere Banking
17. Internet Banking
18. Mobile Banking
19. Bank @ Home “Express Delivery”

4. ADVANTAGES OF TECHNOLOGY
1. From both customer and banking perspectives it shows that the Internet is a
convenience tool available whenever and wherever customers need it. It is also found
that the Internet has improved the factors in service quality like responsiveness,
communication and access. It is concluded that the Internet has an important and
positive effect on customer perceived banking services and the service quality has
been improved since the Internet has been used in banking sector.
2. It's generally secure. But make sure that the website you're using has a valid
security certificate. This lets you know that the site is protected from cyber-thieves
looking to steal your personal and financial information.
3. It gives twenty-four-hour access. When the neighborhood bank closes, you can still
access your account and make transactions online. It's a very convenient alternative
for those that can't get to the bank during normal hours because of their work
schedule, health or any other reason.
4. It allows us to access our account from virtually anywhere. If we're on a business
trip or vacationing away from home, we can still keep a watchful eye on our money and
financial transactions – regardless of our location.
5. Conducting business online is generally faster than going to the bank. Long teller
lines can be time-consuming, especially on a Pay Day. But online, there are no lines
to contend with. You can access your account instantly and at your leisure.
6. Many features and services are typically available online. For example, with just a
few clicks you can apply for loans, check the progress of your investments, review
interest rates and gather other important information that may be spread out over
several different brochures in the local bank.
7. Technology has opened up new markets, new products, new services and efficient
delivery channels for the banking industry. Online electronics banking, mobile
banking and internet banking are just a few examples.
8. Information Technology has also provided banking industry with the wherewithal
to deal with the challenges the new economy poses. Information technology has been
the cornerstone of recent financial sector reforms aimed at increasing the speed and
reliability of financial operations and of initiatives to strengthen the banking sector.
9. The IT revolution has set the stage for unprecedented increase in financial activity
across the globe. The progress of technology and the development of worldwide
networks have significantly reduced the cost and time of global funds transfer.
10. It is information technology which enables banks to meet the high
expectations of customers, who are more demanding and also more techno-savvy
than their counterparts of yesteryear. They demand instant,
anytime and anywhere banking facilities.
11. IT has been providing solutions to banks to take care of their accounting and back
office requirements. This has, however, now given way to large scale usage in
services aimed at the customer of the banks.
12. IT also facilitates the introduction of new delivery channels in the form of
Automated Teller Machines, Net Banking, Mobile Banking and the like.
13. Use of a de-mat account and online trading enables a person to buy and sell shares
any time. The share trading companies and AMCs can give improved and faster
service with the help of technology.
14. There are many useful features and services available online besides the usual
transactions. For example, you can apply for credit cards, manage investments, and
pay bills through your online account portal. You can also perform more mundane
tasks such as ordering new checks, requesting additional deposit slips, or reporting a
lost or stolen debit card. Certainly the above-mentioned advantages of technology
have improved the quality of service in the banking and financial sector.

DISADVANTAGES OF TECHNOLOGY

1. Yes, online banking is generally secure, but it certainly isn't always secure. Identity
theft is running rampant, and banks are by no means immune. And once your
information is compromised, it can take months or even years to correct the damage,
not to mention possibly costing you thousands of dollars, as well. This generally does
not happen in case of traditional method of banking.
2. Some online banks are more stable than others. Not all online setups are an
extension of a brick-and-mortar bank. Some operate completely in cyberspace,
without the benefit of a branch that you can actually visit if need be. With no way to
physically check out the operation, you must be sure to thoroughly do your homework
about the bank's background before giving them any of your money.
3. Before using a banking site that you aren't familiar with, check to make sure that
their deposits are FDIC-insured. If not, you could possibly lose all of your deposits if
the bank goes under, or its major shareholders decide to take an extended vacation in
Switzerland.
4. Customer service can be below the quality that you're used to. Some people simply
take comfort in being able to talk to another human being face-to-face if they
experience a problem. Although most major banks employ a dedicated customer
service department specifically for online users, going through the dreaded telephone
menu can still be quite irritating to many. Again, some are
considerably better (or worse) than others.
5. Not all online transactions are immediate. Online banking is subject to the same
business-day parameters as traditional banking. Therefore, printing out and keeping
receipts is still very important, even when banking online.
6. If your bank operates only online or simply does not have a branch office in your
local area, you will not be able to reach a representative in person for discussion of
account issues. Normally this is not a problem, but sometimes customer service by
telephone or email can be spotty and may prove to be more of a hassle if you have a
serious issue that is not easily resolved. Some banks are better than others in this
department, so you will need to do some research if this is an important consideration
for you.
7. Using online banking effectively requires some basic computer literacy and
familiarity with navigating the Internet. While this is not a problem for people like
me, those who are afflicted with technophobia or are simply inexperienced with this
particular genre may not be comfortable with this concept. There are also a significant
number of people who are suspicious of anything having to do with the Internet
because it is outside of their comfort zone. Others are simply too stubborn
to acquire the relevant knowledge and skills.

5. Security Issues on Banking Systems:

A bank is one example of an institution that uses Information Technology (IT) in its
daily tasks to fulfill the organization's and customers' needs. Business transactions,
money transfers, ATM operations, credit cards and loans are some of the tasks carried out
every day. Customers' personal information stored by the bank is also considered private and
should not be disclosed to anybody without authorization. Only authorized staff and legitimate
bank customers may perform any of these tasks. Thus, a bank has its own system to ensure
that its transactions work as intended and to prevent any activity that could cause loss to
the organization and its clients or customers. Like it or not, some
irresponsible people will always exist to challenge the robustness of a banking system.
Even an amateur who claims to be a hacker could transfer a sum of money
from another account to his or her own account without being noticed. Bank account hacking has
caused millions of dollars in losses around the globe. How could this happen? Were there
any obvious weaknesses in the banking system that left it easily exposed to threats?
This project discusses the intrusion of banking systems. It is important to
realize how the security aspects of a banking system can influence such illegal
activities, which then lead to great losses for the financial institution. Some
recommendations are included in this article to help reduce or prevent
intrusion in the future.

INTRODUCTION

Technology nowadays gives an opportunity to satisfy the need for faster and more efficient
banking transactions. The information system used in a bank operates not only
business to business (B2B) but also business to customer (B2C).
There exist large gaps in data privacy and data protection management, which
arise due to:
• Threat from insiders.
• Outsourcing of sensitive data to third parties.
• Not protecting customer data from all possible angles.
• Negligent and belligerent users.

Intrusion is the act of accessing a place or system without the permission of the
owner. If a system has been intruded upon, the security controls applied in the
system have been compromised. Intrusion might be carried out by anyone with
security knowledge and could happen for any purpose – to gain and alter confidential
data or to steal a sum of money from the financial institution. The faults and failures caused
by an intrusion not only decrease system performance but also erode clients' and
customers' trust in the financial institution, due to the risk of losing their money
and assets in the bank. In the U.S., the government requires banks to report all losses.
According to Michael Higgins, a financial computer security consultant of Para-Protect
in Alexandria, Virginia, banks usually want to avoid bad publicity by
reporting losses as accounting efficiency errors.

II. POTENTIAL BANKING SYSTEMS INTRUSIONS

A. Distributed Denial-of-Service Attack

Denial of Service (DoS) is ranked as the FBI's third highest threat after terrorism and
espionage. Financial institutions facing a DoS attack could experience a great loss of
money due to losing clients and customers. Repairing the damage done by the attack
also carries a high cost. Distributed Denial of Service (DDoS) is the most
common attack that could happen in the banking system. DDoS involves hundreds or
more ‘zombie’ computers launching the attack on the targeted system.

Before an attack occurs, the attacker builds an attack network by scanning for poorly
secured computers with open ports and no firewall or anti-virus software. A new program is
installed on each ‘zombie’ computer. The program can self-propagate and
automatically create a large attack network. It may contain both the code
for sourcing a variety of attacks and some basic communications infrastructure that
allows remote control. These ‘zombies’ send a large number of packets to the
system at the same time and force legitimate request packets to be dropped due to timeouts.
This type of intrusion can affect the availability and continuity of the banking system.
The financial institution would fail to conduct transactions with its customers, business
partners and vendors.
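
The following added example (not part of the original dissertation) shows, from the defender's side, why the distributed form described above is harder to contain than a flood from one host: a per-source request limit stops the single host, but lets the 'zombie' traffic through because each source stays under the limit. The limits, the window length and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed limits for the demonstration; real values depend on normal traffic.
WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 20    # requests one source may make per window
AGGREGATE_LIMIT = 100    # requests the service can absorb per window


def build_sample():
    """Constructed (second, source_ip) request records, not real log data."""
    events = []
    # Seconds 0-9: five customers, two requests each.
    for host in range(1, 6):
        events += [(1, f"198.51.100.{host}"), (6, f"198.51.100.{host}")]
    # Seconds 10-19: one host sends 60 requests (single-source DoS).
    events += [(10 + n % 10, "203.0.113.7") for n in range(60)]
    # Seconds 20-29: 200 'zombie' hosts send only three requests each (DDoS).
    for host in range(1, 201):
        events += [(second, f"192.0.2.{host}") for second in (21, 24, 27)]
    return events


def classify_windows(events):
    """Group requests into fixed windows and label each window."""
    windows = {}
    for second, source in events:
        windows.setdefault(second // WINDOW_SECONDS, Counter())[source] += 1

    report = []
    for index in sorted(windows):
        counts = windows[index]
        total = sum(counts.values())
        over_limit = sorted(s for s, n in counts.items() if n > PER_SOURCE_LIMIT)
        # Load that still reaches the service if only a per-source limit is
        # enforced: every source is capped at PER_SOURCE_LIMIT requests.
        admitted = sum(min(n, PER_SOURCE_LIMIT) for n in counts.values())
        if admitted > AGGREGATE_LIMIT:
            # Capping individual sources is not enough: the load is spread
            # across many sources that each look harmless.
            verdict = "distributed flood"
        elif over_limit:
            verdict = "single-source flood"
        else:
            verdict = "normal"
        report.append({
            "window_start": index * WINDOW_SECONDS,
            "requests": total,
            "sources": len(counts),
            "over_limit": over_limit,
            "admitted": admitted,
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in classify_windows(build_sample()):
        print(row)
```

In the third window every source is below the per-source limit, so the only signal is the aggregate request count and the jump in distinct sources.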
Another risk posed by a distributed denial of service attack is that it can result in a great
loss of time, customers and money, and also in compliance violations. The common
risks that any financial institution or banking system would encounter are
operational, reputational and regulatory. Operational risk may arise from
fraud, error, or unavailability of products or services. Reputation risk is all about
operational disruption caused by denial of service, which includes errors, delays,
unavailability of information and unauthorized access to system
information or the banking systems. Regulatory risk covers lawsuits and
enforcement actions against the banks.

B. Data Breach
Financial institutions have to be aware of the threats that would affect system security
in their organization. A data breach, one such threat, allows information
and data to leave the system, making it viewable to others. A data breach is a
very well-known phenomenon involving highly sensitive and confidential data
that might have been viewed, stolen, or used by any person or
organization without authorization. For example, five Connecticut banks were
affected by a security data breach at a New Jersey company that processes
credit card payments, according to newspaper and Internet reports.
The data breach caused great losses for the financial
institutions, whose credit card companies, such as Visa and MasterCard, contacted
them about the breach, according to the Internet site BankinfoSecurity.com. A data
breach happens when there are loopholes in the banking system that enable
unauthorized individuals to get access to the system itself. It is due to a lack of
security assessment and results from a poor security system. Many banks have
suffered loss when a data breach occurs: losing information, losing capital and, in
the above example, losing credit card information, which might influence the
customer's trust in the bank's service. Further analysis points to several
issues relating to data breaches, namely poor authorization management and the lack of
an authentication mechanism, which lead to confidentiality and integrity issues in
the system.
Loss of authentication or stolen identification resulting from identity theft is the ticket
for a criminal or unauthorized individual to simply obtain the authentication needed
for their own benefit. In the case example provided, the loss of credit card
information for the financial institution is mostly due to the lack of authentication and
poor authorization, which can lead to data breaches. Without proper
authentication and authorization, an individual can enter the system
illegally and take any information they want. That is why authentication
and authorization are of the utmost importance in protecting any information system,
especially when running a financial institution.
The confidentiality and integrity of the data in the system are likely to be violated
whenever a security data breach is committed by an unauthorized person. The data
might lose its confidentiality when these unauthorized persons view, alter or steal the
personal information of the customer or the security information the organization
uses. The integrity of the system can also be affected when these irresponsible people
alter the data in the system, for example by transferring a sum of
money to their own account.

C. Malware
Malware is a software program designed to alter and modify a computer system
without the authority of the user or owner; it moves from computer to
computer and network to network. Malware can include viruses, Trojan horses,
worms, script attacks and rogue Internet code. A malware attack can affect
the confidentiality, integrity and availability of the banking system. Against confidentiality,
malware attacks include capturing keystrokes, passwords and credit card
numbers, uploading and downloading files, and observing what is happening on the
server's screen.
An attack against integrity also harms the banking system, where it
modifies the system, such as infected files and data. Corruption of data files and
application files by unauthorized file writers, changes to the configuration of the
banking system and overwriting of data all affect the integrity of the banking
system. The availability of the banking system can also be affected, through the
deletion of files and subdirectories, renaming of files, rebooting or disabling the security
systems, and denial of service attacks.
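
The integrity and availability effects listed above (overwritten data, changed configuration, deleted and renamed files) are what a file-integrity baseline is meant to surface. The sketch below is an added example, not taken from the dissertation: it records SHA-256 hashes of a directory tree, applies the kinds of change the paragraph names to a constructed sample tree, and reports each one. File names and contents are hypothetical.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def compare(baseline, current):
    """Classify differences between a trusted baseline and the current state."""
    missing = set(baseline) - set(current)
    new = set(current) - set(baseline)
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    # A missing path whose content reappears under a new path was renamed,
    # not deleted; match such pairs by content hash.
    new_by_hash = {}
    for path in sorted(new):
        new_by_hash.setdefault(current[path], []).append(path)
    renamed = []
    for old in sorted(missing):
        candidates = new_by_hash.get(baseline[old])
        if candidates:
            renamed.append((old, candidates.pop(0)))
    return {
        "modified": modified,
        "deleted": sorted(missing - {old for old, _ in renamed}),
        "added": sorted(new - {new_path for _, new_path in renamed}),
        "renamed": renamed,
    }


def demo():
    """Build a constructed tree, tamper with it, and return the findings."""
    sample = {  # hypothetical files, constructed for this example
        "conf/app.cfg": b"session_timeout=300\n",
        "data/ledger.csv": b"acct,balance\n1001,2500\n",
        "bin/teller.bin": b"constructed-binary-sample",
        "logs/audit.log": b"09:00 login ok\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(body)
        baseline = snapshot(root)

        # Changes of the kinds the text lists:
        with open(os.path.join(root, "conf/app.cfg"), "wb") as handle:
            handle.write(b"session_timeout=0\n")             # config changed
        with open(os.path.join(root, "data/ledger.csv"), "wb") as handle:
            handle.write(b"acct,balance\n1001,9999999\n")    # data overwritten
        os.remove(os.path.join(root, "logs/audit.log"))      # file deleted
        os.rename(os.path.join(root, "bin/teller.bin"),
                  os.path.join(root, "bin/teller.bak"))      # file renamed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only useful if it is stored where the monitored system cannot rewrite it.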
The damage resulting from malware attacks could be severe. An example of a
malware attack is the ATM breaches in Russia and Ukraine. Trustwave, a Chicago-based
information security and card industry provider, uncovered malware while
investigating ATMs in Russia and Ukraine over a few months. During the attack,
about 20 ATMs were infected by the malware, allowing the attackers to steal data,
PINs and money. In this case, they were certain that the attack was an inside
job, because the attackers needed physical access to the ATM in order to install
the malware and execute it. It would also seem that the attacker could be someone
who obtained a copy of the key to the ATM, opened the machine and loaded the malware
into the system.
Another example is the World Bank Group's computer network, one of the largest
repositories of sensitive data about the economies of every nation, which has been raided
repeatedly by outsiders for more than a year. In this case, it is still not known how
much information was stolen. Sources inside the bank confirm that servers in the
institution's highly restricted treasury unit were deeply compromised with spy
software. The attackers also had full access to the rest of the bank's network for nearly
a month in June and July 2009. In total, at least six major intrusions, two of
them using the same group of IP addresses originating from China, have been
detected at the World Bank since 2007, with the most recent breach occurring just a
month before.
These two examples show attacks carried out by malware on banking systems. In these
attacks, the information in the banking systems was compromised, being either stolen
or altered, and the security of the banking system was violated. Such attacks may
lead to losses worth millions, and they also affect customers’ trust in and loyalty
to the financial industry. Malware such as spyware is most commonly used by
attackers to maliciously steal the system’s information and violate the system’s
confidentiality and integrity. The attackers, as in the example, are usually workers
or insiders of the organization who install the software program in order to gain
information illegally and to steal, modify or delete the information contained in
the systems.

D. TCP/IP Spoofing

TCP/IP spoofing is one of the common forms of online camouflage. In IP spoofing,
an attacker gains unauthorized access to a computer or a network by making it appear
that a malicious message has come from a trusted machine, by “spoofing” the IP
address of that machine. IP address spoofing is a technique that lets the attacker
send packets on a network without being intercepted and blocked by the firewall.
Firewalls usually filter any external IP address that tries to communicate with the
network. However, using IP spoofing, attackers can mask their identity by making
their IP address appear to come from the internal network, so that the firewall is
unable to intercept it and the attackers' packets pass through easily.
The objective of this attack is to enable the attacker to gain root access to the
victim server, in this case the banking system, allowing the creation of a backdoor
entry path into the targeted systems. Even when the loophole used in the past attack
has been closed, the backdoor lets the attackers sneak back into the server at any
time. With the TCP/IP formats, it is very easy to mask a source address by
manipulating an IP header.
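A defender-side illustration of the filtering discussed above, added here and not part of the original dissertation: a filter that knows which interface a packet arrived on can reject an "internal" source address that shows up on the Internet side. The address plan (10.20.0.0/16), the interface names and the sample headers are assumptions constructed for the example.

```python
import ipaddress
import struct

# Assumed address plan for this example: the bank's internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Sources that are never valid on a packet arriving from the Internet side.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
HEADER_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header (RFC 791)


def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 means valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes):
    """Validate the header and return (source, destination) addresses."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    if header_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]))


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def filter_packet(packet: bytes, interface: str):
    """Return (decision, reason); interface is 'external' or 'internal'."""
    try:
        src, dst = parse_ipv4(packet)
    except ValueError as exc:
        return ("drop", str(exc))
    if interface == "external":
        # The source field is attacker-controlled, the arrival interface is not.
        if in_any(src, INTERNAL_NETS):
            return ("drop", "internal source address on external interface")
        if in_any(src, NEVER_FROM_OUTSIDE):
            return ("drop", "reserved source address")
        if not in_any(dst, INTERNAL_NETS):
            return ("drop", "destination is not an internal host")
        return ("accept", "passed ingress checks")
    if interface == "internal":
        # Egress check: internal hosts may only send with internal sources.
        if not in_any(src, INTERNAL_NETS):
            return ("drop", "foreign source address leaving internal network")
        return ("accept", "passed egress checks")
    return ("drop", "unknown interface")


def build_header(src: str, dst: str) -> bytes:
    """Constructed sample input: a 20-byte IPv4 header with no payload."""
    fields = [0x45, 0, 20, 0, 0, 64, 6, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = header_checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


if __name__ == "__main__":
    samples = [("203.0.113.7", "10.20.0.5", "external"),
               ("10.20.0.9", "10.20.0.5", "external"),
               ("198.51.100.4", "203.0.113.7", "internal")]
    for src, dst, iface in samples:
        print(src, "->", dst, iface, filter_packet(build_header(src, dst), iface))
```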
This technique is used for an obvious reason: to access systems without authorization
and send packets, which may contain malware, in order to gain information such as
customers’ bank accounts, PINs, identification numbers, credit card numbers and so
on. IP address spoofing’s favorite targets are financial institutions and banking
systems, where attackers can make a profit. A recent survey shows that $2.4 billion
in losses to banks comes from Internet-based scammers, derived from spoofing and
phishing. The major victims of spoofed emails include Bank of America, BankOne,
First Union Bank, Barclays Bank and Lloyd’s Bank.
Another possible threat from spoofing is that it can lead to a confidential data
breach. One possible example is Rocky Mountain Bank, which sent confidential and
sensitive information to the wrong Gmail account. The biggest loss in this example
is the customer’s trust in the bank’s service. The confidentiality and integrity of
the information were violated, and with them the customers’ trust in the bank.
Loss of confidentiality is a very serious matter, because the data contains
sensitive and important information about the client, and even about the institution
and organization, so the organization itself needs to take good care of the
confidentiality of its systems. Loss of integrity can result in the loss of customer
relationships, where the privilege given to the customer is violated by any means,
in this case by IP spoofing.

III. INTRUSIONS PREVENTION


Authentication mechanisms are very important in ensuring that the data in the system
is protected from any unauthorized access that could interfere with the integrity of
the banking system. Authentication also ensures that the system functions well and
is trusted by all parties. To improve authentication, the banking system should
strengthen its security by having two levels of authentication. The first level is
the password, and the second level is the user’s personal information, such as a
passport number or identification number.
These can make authentication much safer and less vulnerable. Authentication that
involves passwords should take into account the length and strength of the password,
case sensitivity, the character set and the lifespan of the password. Password
lifespan is the length of time for which the password can be used to access the
banking system. The shorter the lifespan of a password, the lower the risk of it
being compromised. If a particular user does not access the system for a certain
period of time, the password should be terminated and the user must set a new
password in order to access the system again.
But in some cases even two-level authentication cannot ensure the safety of the
information stored in a banking system. To eliminate any other possible problems,
three levels of authentication can be adopted, the third requiring biometric
authentication. Biometrics is a way of identifying a person by a unique physical
feature. Biometric authentication has already been developed, using for example a
person’s eye or thumb as identification.
Sending an email to the wrong person might look like a minor problem to the sender.
But if the content is highly confidential, such as customers’ account information,
and the receiver has bad intentions toward the email received, the organization
could face major losses.
According to Steve Jones, Chief Technology Officer at Signal Financial Federal
Credit Union in Washington, data leakage is a major threat, and such mistakes should
be reduced and prevented with a hardware technology solution. “When Jones decided on
one data loss prevention solution, he saw it taking out this human element to a data
breach. With three locations to cover, Jones needed three boxes: one at the credit
union’s primary location, a second one at the disaster recovery site and the third at
the credit union’s co-location site. These boxes scanned outgoing content on all
types of TCP/IP traffic, http, FTP, even https traffic and stopped any traffic that
had pre-defined information within them, including customer account numbers and other
sensitive information. These features help scan data in email body and attachments.
Thus it could reduce the accidental data breaches.”
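The kind of outbound content check described above can be sketched as follows; this is an added example, not the product Jones deployed and not code from the original text. The `ACCT-` account number format, the addresses and the sample messages are constructed assumptions; card numbers are confirmed with the Luhn checksum so that arbitrary 16-digit references do not trigger a block.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed format of the institution's own account numbers (hypothetical).
ACCOUNT_RE = re.compile(r"\bACCT-\d{10}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert itself leaks nothing."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str):
    findings = [("account_number", mask(m.group()))
                for m in ACCOUNT_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    return findings


def inspect_outbound(raw: bytes) -> dict:
    """Scan the body and every attachment of one outgoing message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        try:
            content = part.get_content()   # undoes base64 / quoted-printable
        except LookupError:                # unknown content type or charset
            content = part.get_payload(decode=True) or b""
        if isinstance(content, bytes):
            content = content.decode("utf-8", "replace")
        if not isinstance(content, str):
            continue
        where = part.get_filename() or "body"
        findings += [(where, kind, value) for kind, value in scan_text(content)]
    return {"verdict": "block" if findings else "allow", "findings": findings}


def sample_message(body: str, attachment: str = "") -> bytes:
    """Constructed outbound mail; the addresses use reserved example domains."""
    msg = EmailMessage()
    msg["From"] = "teller@bank.example"
    msg["To"] = "someone@mail.example"
    msg["Subject"] = "Monthly export"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment, subtype="csv", cte="base64",
                           filename="export.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    leaky = sample_message(
        "File attached. Order ref 1234 5678 9012 3456.",
        "name,account,card\nA. Customer,ACCT-0012345678,4111 1111 1111 1111\n")
    print(inspect_outbound(leaky))
    print(inspect_outbound(sample_message("Lunch at 12:30?")))
```

The 16-digit order reference in the body fails the Luhn check and is ignored, while the base64-encoded attachment is decoded before scanning.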
When installing and updating system equipment, the security parameters and settings
should be reviewed to make sure they are consistent with the financial institution's
intrusion risk assessment plan. A firewall is placed between the network and the
Internet. It operates from a specific computer that is separate from the network. A
firewall functions like a guard or gatekeeper to a private network or computer
system and determines which incoming requests may reach the network resources.
A firewall controls what kind of network traffic can pass through the network.
Usually, unauthorized communication or any possible attack from the Internet on the
network is blocked. The configuration of a firewall can of course be changed to suit
preference. A firewall is different from a router: routers transport data between
networks, while a firewall screens the data that is going to be sent across a
network. A firewall helps block uninvited guests or unauthorized persons from trying
to connect or gain access to any file share that a bank has set up. At the same
time, the organization's own activities are not blocked or interrupted.
There are two types of firewall: hardware firewalls and software firewalls. The
difference between the two is that hardware firewalls are built into devices such as
routers, whereas software firewalls are programs installed on computers. Since a
hardware firewall sits in a router, it protects the whole network, while a software
firewall protects individual computers. In a banking system, a firewall can be used
to control access to a certain system within the bank's corporate network. It can
restrict access to highly sensitive banking systems to particular employees.
Traffic is filtered based on a set of security rules, depending on the security
needs of the bank. For example, if the firewall's filters flag a packet of data
coming into the network as breaching the defined rules, it is denied entry to the
network. Methods through which a firewall can regulate traffic in and out of a
network include packet filtering, a proxy service and stateful inspection. A
firewall can be either a hardware or a software firewall. Ideally, a firewall should
consist of both.
For issues related to information integrity, there are many ways of prevention. A
major threat to the banking system is its employees, insiders working in the bank
itself who have full authority to manage and view related data and information,
including customers’ information.
Terminated employees in particular are likely to use their knowledge and authority
to put the bank into catastrophe by deleting or violating important data. Bank
administrators are strongly advised to change or reset all passwords, or any other
means of access to the databases or data storage that the terminated employee could
sneak into. In addition, one-time passwords can be implemented, where the computers
can only be accessed with a password prepared by the main server and monitored by
the manager responsible for the server. This is an easy practice, yet it can protect
millions of pieces of data and thus the information integrity of the bank system.
For insiders who currently work at a bank and intend to violate the banking system’s
information, monitoring privileged user activities is another strategy for
protecting data integrity. All users and activities are recorded for analysis,
recovery, the development of additional security measures and the development of
legal action. Using this method, an administrator can easily track down any
irregular behavior. The method includes monitoring employees’ activity on the basis
of who does the job, what task they do, when they do it and where they do it. Using
this information, the administrator can compare their work over time, and if any
irregular activity or behavior occurs, the administrator can quickly prevent it.
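The who/what/when/where comparison described above can be sketched as a per-user baseline built from past audit records; this is an added illustration, not a tool referenced by the original text. The user names, actions, host names and records are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit history: (who, what, when, where).
HISTORY = [
    ("asha", "view_account", "2010-06-01T10:15", "branch-pc-07"),
    ("asha", "post_transfer", "2010-06-01T11:40", "branch-pc-07"),
    ("asha", "view_account", "2010-06-02T15:05", "branch-pc-07"),
    ("ravi", "run_backup", "2010-06-01T22:00", "dc-admin-01"),
    ("ravi", "reset_password", "2010-06-02T09:30", "dc-admin-01"),
]

# Constructed new activity to be compared against the history.
NEW_EVENTS = [
    ("asha", "view_account", "2010-06-03T12:20", "branch-pc-07"),
    ("asha", "export_customer_table", "2010-06-03T02:10", "branch-pc-07"),
    ("ravi", "reset_password", "2010-06-03T23:10", "branch-pc-07"),
    ("temp01", "view_account", "2010-06-03T10:00", "branch-pc-02"),
]


def build_baseline(records):
    """Per user: the actions, workstations and hours of day seen so far."""
    base = defaultdict(lambda: {"actions": set(), "hosts": set(), "hours": set()})
    for user, action, when, host in records:
        profile = base[user]
        profile["actions"].add(action)
        profile["hosts"].add(host)
        profile["hours"].add(datetime.fromisoformat(when).hour)
    return dict(base)


def hour_gap(a: int, b: int) -> int:
    """Distance between two hours of day on a 24-hour clock."""
    diff = abs(a - b)
    return min(diff, 24 - diff)


def review(event, baseline, hour_slack=1):
    """Return the reasons why one event departs from the user's baseline."""
    user, action, when, host = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for this user"]
    reasons = []
    if action not in profile["actions"]:
        reasons.append("action never performed before: " + action)
    if host not in profile["hosts"]:
        reasons.append("new workstation: " + host)
    hour = datetime.fromisoformat(when).hour
    if all(hour_gap(hour, seen) > hour_slack for seen in profile["hours"]):
        reasons.append("outside usual working hours: %02d:00" % hour)
    return reasons


def triage(events, baseline):
    """Keep only the events that need an administrator's attention."""
    flagged = []
    for event in events:
        reasons = review(event, baseline)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in triage(NEW_EVENTS, build_baseline(HISTORY)):
        print(event, "->", "; ".join(reasons))
```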
The employee’s privacy might be violated, but securing the customer’s information is
more important and must be taken seriously. Besides staff monitoring, this method
can also detect outside intruders. Information about systems and file systems,
networks, and applications is collected. The records must be kept safely, in a
physical location separate from the devices generating them. A good Intrusion
Prevention System (IPS) is not only able to detect harmful intrusions but is also
essential to ensure protection of confidential data and assets in a banking system.
The IPS must be able to identify potentially dangerous intrusions accurately and
minimize false-positive alarms.
With this feature, the cost of damage and the potential impact of an attack or
intrusion such as Denial of Service (DoS), buffer overflows and malware can be
decreased. One example of an IPS with these outstanding features is the McAfee
Network Security Platform. It not only protects the banking system's network,
servers and desktops but also offers other advantages. A centralized, consolidated
dashboard and robust reporting save IT administration time and money in monitoring
the network. The highly stable solution has also improved network performance and,
by preventing attacks, reduces network downtime and the risk of interruptions to
online banking services. This IPS is also the only IPS that can prevent encryption
attacks.

6.HDFC bank technological readiness and its usage

Technology has helped HDFC bank serve its customers better and at the same time
gives it a competitive edge over its competitors in the following ways:
• Auto loan
With the help of technology they are able to sanction the loan within a short
span of three hours.
• E-mail account statement
The bank sends monthly e-mail statements to savings account holders. For current
account holders, daily/weekly/monthly statements are sent free of cost.
• Round the clock mobile refilling service
Customers can now recharge their mobile phones
a) Through the HDFC bank website.
b) At any HDFC bank ATM centre, or by SMS.
• Easy shop business debit card
• Cash back
For every purchase of Rs 200 spent on customer business debit card at merchant
outlets, a customer will receive cash back of Re.1
• Petrol surcharge waiver
• Higher card limits
• Insurance cover-loss of baggage, fire, burglary
• Special alliances by master card
• Accepted worldwide
• E-age banking
a) Free PAP Cheque book
b) International debit card
c) Three free cash transaction on SBI/Andhra bank ATMs a month
d) Free net banking
e) Free phone banking and Free mobile banking
g) Free instaAlert
h) Bill pay
i) Inter-city\ inter-branch banking
j) Average quarterly balance requirements
Online investment in mutual funds

Technology in the banking sector has been an international phenomenon for over two
decades. Technology implementation poses innumerable issues and options,
especially for banks. HDFC bank is using the latest technology to attract
customers and also to face the tough competition.

Technology Initiatives by State Bank of India

Some of the technological initiatives taken by State Bank of India in order to face
tough competition and to attract customers on a large scale are
• Core banking solutions
• Networking of branches
• Automated teller machines (ATM)
• Mobile banking
• Internet services
• Advancements on technological fronts
• IT policy and IS security policy documentation
• Disaster recovery plan and back up
• Microfilming
• Other initiatives
The other initiatives taken by the bank include becoming a member of the Society for
Worldwide Interbank Financial Telecommunication (SWIFT), enabling it to supply
secure messaging services, adopting the Electronic Accounting System in Excise and
Service Tax (EASIEST), and adopting the Online Tax Accounting System (OLTAS) for web
payment of central excise, payment of income tax and corporate tax etc.

The bank has made great strides in adopting technology to ward off competition
from the foreign banks and new private sector banks, and this has transformed the
bank from a mere government-controlled bank into a more responsible organization
able to meet the challenges of a globalized economy. The threat from foreign banks
and new private sector banks is here to stay. IT allows the bank to meet the stiff
competition successfully and at the same time offers a state-of-the-art banking
experience to customers.

7. RESEARCH METHODOLOGY:

Research Design        Descriptive
Data Source            Primary data, Secondary data
Research Instrument    Questionnaire
Sample Technique       Convenient Sampling technique
Sample size            100
Sample location        Across the country
Sample element         Employees and customers of different banks

Type of Data Used: -
Primary Data: -
The data from the primary sources have been collected from employees of the banks
and customers through mail (Gmail, Yahoo) and social networking sites like
Facebook, Orkut, LinkedIn, Twitter etc., with the help of friends.
Secondary Data: -
Secondary data is the type of data a researcher collects from different
informational sources, such as previously done work or research on similar topics.
It helps in generating elaborate information about the topic or the research
subjects. It also leads to an understanding of different perspectives about the
given topics and varied findings.
Sources of Secondary Data: -
1. Internet
2. Journals
3. Magazines
4. Articles
5. Newspapers

Area of Study: -
Across the country.

Sampling Unit: -

Convenient sampling Technique was used to select the Employees and Customers of
the Banks into the Sample Size. The sample size taken for the analysis is 100
including employees and customers.
TEST STATISTICS
TABLE: 1 showing the employees/customers perception related to performance of
work with the implementation of latest technology modules in their operation

Perception of employees/customers No of respondents


Strongly agree 55
Agree 20
Neither agree nor disagree 12
Disagree 07
Strongly disagree 06

Chart: 1 showing the employees/customers perception related to performance of
work with the implementation of latest technology modules in their operation.

TABLE 2 showing the perceptions of employees/customers wrt to better service, time
saving, security improvement, efficiency & effectiveness and technology updation

Perception                   Strongly   Agree   Neither agree   Disagree   Strongly
                             agree              nor disagree               disagree
Better service                  45        25         15            08         07
Time saving                     60        20         06            04         10
Security improvement            48        24         12            05         11
Efficiency & Effectiveness      54        23         09            08         06
Technology updation             15        26         24            10         25

Chart-2

TABLE-3 showing the perceptions of employees/customers wrt to whether IT
enabled services helps in providing security to the Internet based transactions

Perception of employees/customers No of respondents


Strongly agree 35
Agree 24
Neither agree nor disagree 30
Disagree 06
Strongly disagree 05

CHART-3

Chi-square tests between Q1 and Q2 : -

Case Processing Summary

                              Cases
             Valid             Missing           Total
             N    Percent      N    Percent      N    Percent
Q1 * Q2      99   100.0%       0    .0%          99   100.0%

Q1 * Q2 Crosstabulation
Count
                            Q2
              1.00   2.00   3.00   4.00   5.00   Total
Q1    1.00     48      5      0      1      0      54
      3.00     30     13      1      0      1      45
Total          78     18      1      1      1      99

Chi-Square Tests
                                 Value     df   Asymp. Sig. (2-sided)
Pearson Chi-Square               9.974a     4   .041
Likelihood Ratio                 11.214     4   .024
Linear-by-Linear Association     4.559      1   .033
N of Valid Cases                 99

Conclusion: -
From the above analysis it is inferred that the null hypothesis is rejected, as
the significance value is < 0.05.
Hence we can say that there is a significant difference between IT usage in
performance of work and in better serving the customers.

Correlation between Q6 and Q7 : -

Case Processing Summary

                              Cases
             Valid             Missing           Total
             N    Percent      N    Percent      N    Percent
Q6 * Q7      99   100.0%       0    .0%          99   100.0%

Q6 * Q7 Crosstabulation
Count
                            Q7
              1.00   2.00   3.00   4.00   5.00   Total
Q6    1.00      0      0      0      5      0       5
      2.00      0      0      2      4      0       6
      3.00      2      1      7      3      5      18
      4.00      3      4      7     24      7      45
      5.00      2      2      5      7      9      25
Total           7      7     21     43     21      99

Symmetric Measures
                                              Value   Asymp. Std.   Approx.   Approx.
                                                      Error (a)     T (b)     Sig.
Interval by Interval   Pearson's R            .008    .081          .080      .936 (c)
Ordinal by Ordinal     Spearman Correlation   .080    .101          .789      .432 (c)
N of Valid Cases                              99
a. Not assuming the null hypothesis.
b. Using the asymptotic standard error assuming the null hypothesis.
c. Based on normal approximation.

Conclusion: -
From the above analysis it is inferred that a positive correlation exists
between the frequent update of technology and attracting customers on a large
scale and giving a competitive edge over competitors.

Chi-square test between Q8 and Q9: -

Case Processing Summary

                              Cases
             Valid             Missing           Total
             N    Percent      N    Percent      N    Percent
Q8 * Q9      99   100.0%       0    .0%          99   100.0%

Q8 * Q9 Crosstabulation
Count
                            Q9
              1.00   2.00   3.00   4.00   5.00   Total
Q8    1.00      2      0      4      4      1      11
      2.00      1      1      1      9      2      14
      3.00      1      1      7     17     11      37
      4.00      0      4      5      6      8      23
      5.00      1      0      9      4      0      14
Total           5      6     26     40     22      99

Chi-Square Tests
                                 Value      df   Asymp. Sig. (2-sided)
Pearson Chi-Square               34.575a    16   .005
Likelihood Ratio                 35.918     16   .003
Linear-by-Linear Association     .036        1   .850
N of Valid Cases                 99

Conclusion: -
From the above analysis it is inferred that the null hypothesis is accepted as
the significant value is > 0.05. Hence we can say that there is no significant difference
between better serving and data security, privacy issues after implementation of
updated technology from time to time.

8. Analysis and findings: -


• From the entire analysis we came to know that updated technology helped in
attracting customers on a large scale, speeding up the performance of work and
giving a competitive edge over competitors.
• Many people did not like frequent updation of technology, as they are not
interested in learning new modules at an older age.
• At the same time they believe that the tremendous changes in IT are helping them
to be more secure compared to earlier days.
• IT plays a vital role in managing their time and in giving better services to
customers.

9. Probable solutions/Recommendations wrt to security and privacy
preservation in banking Industry:

The software systems used by banks are reviewed, modified and improved from time to
time by external agencies entrusted with such tasks, and hence the possibility of
data going into the hands of unscrupulous persons cannot be ruled out. Banks will
have to mask and subset data before handing over an assignment for development and
testing. Sensitive and confidential personal information and business data need to
be protected from piracy, especially when reliable persons transfer them across
inter/intra offices.
User access rights are to be periodically verified and documented for surveillance.
Banks in the future may look to use ‘multiband’ authentication requiring use of a
secondary device (such as a smartphone) to confirm online banking transactions. One
of the most successful and widespread security strategies developed to combat data
theft is ‘one time password’ (OTP) technology. It adds an extra layer of protection
that can help stem the tide of fraud.
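A server-side sketch of the one-time password idea recommended here and in the intrusion prevention section (a password prepared and checked by the main server); this is an added example, not code from the original text. It assumes HOTP from RFC 4226 as the OTP scheme, which the text does not name, and uses the RFC's published test secret as sample input.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Verifier holding one shared secret and one moving counter per user."""

    def __init__(self, look_ahead: int = 3, max_failures: int = 5):
        self.look_ahead = look_ahead      # tolerated unused codes on the token
        self.max_failures = max_failures  # consecutive misses before lockout
        self.users = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "failures": 0}

    def verify(self, user: str, submitted: str) -> bool:
        state = self.users.get(user)
        if state is None or state["failures"] >= self.max_failures:
            return False
        for step in range(self.look_ahead + 1):
            expected = hotp(state["secret"], state["counter"] + step)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Moving past the accepted counter makes the code single-use
                # and retires every earlier code as well.
                state["counter"] += step + 1
                state["failures"] = 0
                return True
        state["failures"] += 1
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 4226 Appendix D test secret
    server = OtpServer()
    server.enroll("teller01", secret)     # hypothetical user name
    first = hotp(secret, 0)
    print(first, server.verify("teller01", first))   # accepted once
    print(first, server.verify("teller01", first))   # replay is rejected
```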
Data loss prevention for business records and customer records is the prime focus
of data security. Banks need to build customers’ loyalty, trust and confidence not
only in their product brands but also in their handling of data security concerns.
Customers may be authorized to view and correct their personal information, and a
redressal mechanism through mediation, arbitration etc. should be in place.
A help line for customers to seek clarification and report abuse may be thought of.
All employees, particularly new ones, may be gently monitored at random through
surveillance methods while they operate email and inter-office correspondence.
It is also suggested that banks take up security mechanisms such as ‘whole disk
encryption’ to prevent customer and business data on laptops and portable devices
from being stolen or lost. It is therefore necessary for banks to secure their
network and enterprise systems and test their sensitivity from time to time.
While exchanging records of information with outside business partners,
extraordinary care and caution need to be exercised in drafting legal documents that
fix the onus on them in case of any pilferage, leak or abuse of data, by
incorporating relevant covenants for malfeasance or misfeasance.

10. CONCLUSION:

IT development has undoubtedly brought in enormous benefits to banks, particularly
in terms of productivity increases, cost reduction through labour saving and increased
profitability. Consequently, IT development in banks has become more product
centric and retail and wholesale IT products have positively influenced productivity
and profitability. IT use has increased outputs and reduced costs as both IT capital
investments and IT human resources have a positive relationship to productivity.
Banks should stay ahead of the game and sustain growth by taking bold decisions to
survive and beat competition. The time has come to move towards a customer-centric
approach, as customers should be given an opportunity to enjoy their share of benefits
stemming from IT development. This would increase banks’ competitiveness through
differentiation and customer service improvement, reduced transaction costs, better
risk avoidance and maintaining a stable customer base and market share.
It is possible to extend the capabilities of the existing systems at a lower cost rather
than by increasing mainframe capacities, if core banking and related legacy systems
can be modernized by exploring a more service-oriented customer centric
architecture. Discussions should be held with vendors and service providers to use
web service and service-oriented architecture that are technology and platform-
neutral. Banks’ new IT strategy should not only be based on a customer-centric
approach but it should also enable transaction cost reduction, financial inclusion and
speedy and efficient services to customers. Banks should also aim to pass on
concessions and benefits that the government or regulators have given them, or at
least share such benefits with customers. To make a real impact, banks should change
their mind set, better utilize their IT human resources and capabilities and move
towards more cost-effective common or shared IT platforms which will help improve
customer services and financial inclusion.
System intrusion is not something new; it has been occurring around the world for a
long time, since the existence of computers. In the early years of computer
development, system intrusion was less frequent than today, probably because the
technology was still poor and awareness of how to intrude into computer systems had
yet to develop. Banking system intrusion shows the vulnerabilities that exist in
financial institutions, which have been used by illegal and unauthorized individuals
or groups to intrude into an area with a secure environment. The violation of system
security is all about money, challenges to intercept data, challenges with
acquaintance, data breach, and poor authentication and authorization. With all of
these weaknesses present, it is a treat for anybody with high experience and
knowledge in information systems to get into the system and use, steal, modify and
even delete the information in it.
Financial institutions such as banks play a major role in providing people with
good service, good systems, and the best security that can meet customers’
expectations and attract prospective customers to trust and use their systems to
keep their personal data, information and, most importantly, their money safe.
Although vulnerabilities will always occur over time, the banking system should have
a backup plan or other shields to handle any malicious behavior that intends to
violate customers’ information. Ways of prevention such as those stated in this
paper should be taken care of. In conclusion, with the development of high
technology and information systems around the world, banking systems should not be
left behind in terms of security, and should keep a sharp eye out for any
vulnerabilities in authentication and authorization that may lead to
confidentiality, availability and integrity issues.

LIMITATIONS

• Wrong information given by the respondents: Some respondents might be
reluctant to divulge personal and financial information, which can affect the
validity of all responses.

• In a rapidly changing industry, analysis on one day or in one segment can
change very quickly. The economic changes are vital to be considered in
order to assimilate the findings.

• Limited time – Due to the limited time available in the internship, it was not
possible to devote much time to the research part, so responses could be obtained
from 140 respondents only.

• Non co-operation of people during the survey – People were not willing to
fill the entire questionnaire due to the limited time available to them.


QUESTIONNAIRE

NAME:                                   NAME OF THE BANK:
DESIGNATION:                            PLACE:

1. Do you feel that IT helps in performing the work easier
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

2. Do you think IT helps in better serving the customers
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

3. Will you agree that IT plays a vital role in improving the efficiency and
effectiveness of work
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

4. Do you really think that tremendous growth in IT helps in time saving in making
different transactions
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

5. Do you feel that IT modules that are frequently changing in implementation are
easy to learn
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

6. Is it good to update the modules frequently with changes in technology
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

7. Do you feel that technology helps in attracting the customers and giving
competitive edge to others
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

8. Is IT time to time updation helps in securing the data and privacy aspects
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

9. Do you think banks are providing better service now after the implementation of IT
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree

10. Is IT enabled services helps in providing security to the Internet based
transactions
a) strongly agree b) agree c) neither agree nor disagree d) disagree e) strongly disagree
