Reserve Bank of India
06:39
Showing posts with label Jewellery. Show all posts
Monday, 28 December 2020
Monday, 24 October 2016
security
23:00
Cyber security: making banking safer
Protecting the banks’ crown jewels – money and personal data – may have become more difficult than ever, but financial institutions have fortified their defences with a little help from their fintech friends.
Cybercrime is the greatest existential threat banks face today. According to The Depository Trust & Clearing Corporation’s latest Systemic Risk Barometer Survey, cyber risk remained the number one concern globally among financial service professionals, with 70% of all respondents citing it as a top five risk.
This anxiety is well founded. Verizon’s 2015 Data Breach Investigations Report found that the financial services sector experienced 277 confirmed breaches in 2014, second in number only to the public sector.
An example of a cyber attack uncovered in early 2015, dubbed Carbanak, saw a criminal gang employ an advanced persistent threat-styled attack to successfully steal £650m ($980m) from more than 100 financial institutions worldwide over a two-year period. One firm had $10m stolen via its online platform, according to reports.
While money is an obvious enticement, cybercriminals also look to steal valuable customer data held by banks. Simon Hales, chief information security risk officer at HSBC, says: “The current reality is that threats realised through digital channels can also target the information financial institutions hold. It depends on the motivations of those committing cyber attacks, which are increasingly global and diverse. Furthermore, the exposure also extends to the financial institution’s partners and external parties.”
The 2014 attack on JPMorgan Chase illustrates the potential magnitude of a cyber breach: hackers compromised 76 million personal accounts and more than 7 million small business accounts. Public confidence in the security of banks was shaken by this attack, considered to be one of the biggest breaches in history.
As Troels Oerting, group chief information security officer at Barclays and former head of the European Cybercrime Centre, points out: “The bank is all about trust and keeping their customers’ sensitive information safe.” A significant breach may prove costly in terms of stolen money or large regulatory fines, but it can also destroy the client relationship beyond repair.
Systemic importance
Cybercriminals also target financial institutions because of the critical role they play in a functioning economy. Governments and regulatory authorities have become acutely aware of the impact a major cybercrime threat might have on the resilience of the financial system as a whole.
David Navetta, partner at law firm Norton Rose Fulbright (NRF), says: “Governments have a special interest in ensuring that the financial industry is secure because the global economy depends on the movement of money and open access to capital. This encourages much more cross-jurisdictional co-operation, as well as careful scrutiny of banks and financial institutions’ security practices.”
For example, on November 12, 2015, the US and UK conducted joint offline ‘war games’, dubbed Operation Resilient Shield, with global financial firms. The exercise focused on sharing information, incident response handling and public communication.
The European Parliament and European Council are in final negotiations over the Network and Information Security Directive (NISD) aimed at ensuring critical infrastructure in Europe is adequately protected against cyber attacks. Marcus Evans, a partner at NRF, says: “The real development [in the directive] is the formalised sharing of information between EU member states, as well as in due course with third-party countries such as the US.”
Governments and regulators are also paving the way for increased information sharing within national borders. For example, the US Senate passed the Cybersecurity Information Sharing Act of 2015 on October 27, 2015, encouraging sharing among private entities and between private entities and the federal government.
Bank-to-bank intelligence
While some banks remain reticent about sharing information among peers, Mr Oerting dismisses the idea that security is a competitive differentiator. “Catching crooks is something that we should all be united around,” he says, adding that if Barclays is hacked, then it is likely another bank will face the same attack. “We should share information so that the other bank can increase its security before being attacked,” he adds.
Orion Hindawi, co-founder and chief technology officer at cyber security start-up Tanium, agrees. “We know of hundreds of cases where customers were alerted by their peers which allowed them to fortify their defences,” he says.
“Criminals collaborate, learn from each other, leverage each other’s code and share system access. Yet on the flip side, we shy away and don’t want to talk about it,” adds Greg Day, vice-president and regional chief security officer, Europe, Middle East and Africa, at network and enterprise security company Palo Alto Networks.
In order to address this disjunction, 16 months ago Palo Alto Networks teamed up with Fortinet, Intel Security and Symantec to create the Cyber Threat Alliance. The security vendors participate in a technical collaboration forum to share information in real time. “With hundreds of thousands of customers, we have a huge crowdsourcing ability to see cyber attack trends,” says Mr Day. “We can leverage that data to provide better insight into what will hit our clients next.”
There are myriad industry alliances facilitating intelligence sharing and co-operation between governments, law enforcement and the financial services industry, including the National Crime Agency’s National Cyber Crime Unit, the Cyber Defence Alliance, the Financial Services Information Sharing and Analysis Centre and the City of London’s Police National Fraud Intelligence Bureau, to name just a few. The next step must be to join up these separate initiatives, argues Don Randall, the Bank of England’s former head of security and chief information security officer.
Mr Randall also believes that suspicions and attempts should be included in the scope of shared information. “The main industry alliances are predominantly focused on actualities. But if a group of hackers unsuccessfully attempted to breach five major banks at the same time yesterday morning with the same methodology, we don’t have that data at the moment,” he says. “We have to get into the position of sharing this information because invariably the attempts will turn into real attacks.”
Raising the complexity bar
A number of developments have combined to boost the difficulty banks face in defending themselves and their customers against cybercrime. Overall, the modernisation and mobilisation of financial services is a fundamental shift that has seen the majority of financial transactions now conducted via cyber means, i.e. mobile phones, tablets, watches, cloud, etc.
Banks are constantly worried about whether their online customers are secure, using out-dated software or vulnerable to fraud. As oft bemoaned, the customer is the weakest link. Employees are also more mobile: working from home or a coffee shop, at a conference, satellite office or customer site, which all bypass perimeter or network-based security that a bank has already invested in.
Laurance Dine, managing principal for the Verizon Investigative Response Unit, highlights how end-user behaviour is changing due to the ‘Internet of Things’ (IoT). “The new generation wants to have access to everything, so trying to secure every single device is a difficult task,” he says. “Ongoing employee training and security awareness programmes are critical to maintain within every business.”
In addition, the financial industry has seen a lot of merger and acquisition (M&A) activity and global expansion. “Most banks face great difficulty in tying together different infrastructures, databases and computer assets across multiple jurisdictions,” says Ben Johnson, chief security strategist at next-generation end-point security company Bit9 + Carbon Black. “Trying to defend their digital landscape in a cohesive, all-inclusive way is a huge challenge for them.”
Differentiating the motive and actors behind cyber attacks can help determine the proper level of response, resilience and budget. These range from organised crime syndicates, state-sponsored groups and militaries to hacktivists trying to make a point and insiders attempting to steal information for personal gain. “If the intention is to steal through organised crime or nation-state espionage, then the sophistication level will most likely be higher,” says Mr Randall. “But if the objective is to take down, disable or irritate, then simple old-fashioned methodologies can do the job.”
These categories are showing signs of blurring. “Some use hacktivism as a façade for a nation state attack. We also see co-operation between nation-states and organised crime,” says James Chappell, chief technology officer and co-founder at Digital Shadows, a UK-based cyber intelligence start-up. “Attributions are more difficult now because it is not easy to unpick who the culprits are. Luckily forensics is also developing at pace to help with that.”
Growing sophistication
Most experts report greater sophistication in cyber attacks. For example, cybercriminals are hitting banks with advanced distributed denial-of-service (DDoS) attacks, threatening to shut down their websites unless they pay a ransom. On November 30, the Financial Times reported that a group of hackers targeted three Greek banks and demanded 20,000 Bitcoin ($8.1m) from each institution.
DDoS attacks are also being used as smokescreens for other crimes. “As a bank automatically reacts against this very loud attack, criminals might be doing something around the back,” says Mr Oerting. “We need to have adaptive and flexible defences, so we aren’t just looking at where we hear noise but also our back doors.”
Mr Navetta recounts a client experiencing a cyber fraud in which an email referencing a secret M&A deal was sent to a person in accounting, purportedly from the CEO. The email convinced the accountant to wire transfer millions of dollars to a Hong Kong bank, which NRF has been trying to recover for its client. Mr Chappell, meanwhile, reports instances of hackers proactively seeking out digital developers to obtain pre-released versions of a bank’s website code.
Adam Ely, co-founder of San Francisco-based start-up Bluebox Security, has witnessed a rapid growth in malware targeting banks’ mobile apps. “We are at a tipping point where the banks are starting to invest more heavily in mobile technology and related security because the hackers are following them into this space,” he says.
In addition, cybercriminals are continually refining their tools. Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, says that the new bots being developed today are smaller and more targeted. “We are seeing a rise in Trojan downloaders, which drop other malware. One example is the Shylock banking Trojan, which primarily targeted UK financials. We have to adjust our strategy both legally and technically to adapt to the different things they are doing,” he says.
A losing battle?
In many ways banks appear to be fighting a losing battle, particularly when it comes to organised crime or state-sponsored adversaries. As Mr Dine says: “We are facing ‘hackers for hire’: people that are paid to hack all day specifically targeting financial institutions.”
“An underground economy has cropped up – crime as a service is a reality,” adds Mr Chappell. He reports that the more advanced techniques, which usually begin in the realms of the nation state, are now appearing in exploit kits and software that can be bought online.
Launching attacks has become much easier, adds Alex van Someren, managing partner of early-stage funds at Amadeus Capital Partners. “The tools for directing various forms of attacks against organisations are becoming increasingly automated, so it is easier for people who do not know much about hacking to nevertheless be successful in building attacks against enterprises,” he says.
But while attackers are stepping up their game, the industry is responding with new and innovative defences, Mr Chappell emphasises. “Together as an industry we have become much better at sharing information on attackers and how these crimes are carried out. The types of tools and services available to defend us are also progressing – there is great innovation in this space. We are part of an ecosystem of security companies that are helping banks with these problems,” he says.
Cyber security start-ups
As an investor that focuses on cyber security start-ups, Mr van Someren believes that this space presents impressive growth opportunities. In January 2015 he founded a start-up accelerator, Cyber London, to foster a more robust cyber security ecosystem in the UK. The programme helps start-ups grow their businesses faster by connecting them with customers that might help trial their products.
He is convinced that working with start-ups is the way forward for banks. “If a bank builds something in house, only they pay for it and only they get the benefit. If a start-up builds a solution externally, other banks help pay for it and it benefits the industry more generally,” he says.
Like many other banks, HSBC has an innovation investment programme that looks for organisations with innovative technology that it can help fund as well as internalise. “This engagement helps to evolve our capabilities to thwart our adversaries,” says Mr Hales. “It informs us what is possible and allows us to test out new ideas.”
At Barclays, Mr Oerting has a particular interest in start-ups exploring blockchain use cases and intelligent authentication technology. “We need to be engaged in order to build in security that is convenient and trustworthy. This will be a differentiator in the future,” he says.
Diverse solutions
Threat intelligence and next-generation data loss prevention products are areas that Mr van Someren sees attracting interest. Amadeus Capital currently invests in Exonar, a firm that identifies and controls sensitive information flows.
A few examples of the diversity of cyber security start-ups include Tanium and Bit9 + Carbon Black, whose solutions target end-points, for example, ATMs, point-of-sale terminals, servers, desktops, laptops and cloud. According to Mr Hindawi, banks can roll out Tanium’s software for monitoring and changing end-point activity. Deployed on just one server, it can scale to millions of end-points.
Mr Johnson likens Bit9 + Carbon Black’s software to a surveillance camera. “A client can install the software on each computer in the environment and it monitors end-point activity. The client can detect suspicious behaviour, respond faster to that behaviour and remediate it,” he says.
Digital Shadows, on the other hand, provides a complete view of a customer’s digital footprint, identifying defence weaknesses and data loss. It also tracks attackers by looking at their tactics, techniques and procedures. By monitoring malware, how it is being used, the relative prevalence of different malware types and criminal techniques, clients can better align their defences to defend from those attacks, explains Mr Chappell.
And Bluebox Security focuses on securing mobile apps. The technology allows organisations to produce self-defending applications, according to Mr Ely. “If another app tries to modify the Bluebox-secured banking app, the latter can defend itself. It can respond by either shutting down and notifying the user of the problem, or preventing the attack to keep malware at bay,” he explains.
Much more than IT
In order to combat cyber threats and engage with innovative security technology, over the past two years many banks have elevated the chief information security officer to a more strategic role.
The financial sector has the highest percentage (88%) of chief information security officers, followed closely by IT/telecom (86%), according to the Governance of Cybersecurity: 2015 Report by Georgia Tech Information Security Centre. In addition, the sector increased the percentage of chief information security officers/chief security officers reporting to the CEO/chief operating officer.
“The chief information security officer role has been elevated to a truly C-level position in banks,” says Mr Hindawi. “They are being moved out of IT and placed either under the chief operating officer or report directly to the board. Even if they don’t have direct access to the board, they are often invited to give a cyber update and educate on the new existential risk.”
The chief information security officer’s remit should include policy and standards, education and awareness, intelligence and investigations, and forensics, providing the bank with a threat landscape, according to Mr Randall. He also recommends including a geopolitical analyst in the cyber team, a suggestion that may have raised eyebrows a few years ago but is more accepted today.
Barclays, for one, has adopted this management structure. Mr Oerting, who took up the chief information security officer role at Barclays in February 2015, reports directly to Michael Harte, Barclays’ chief operations and technology officer.
He drafted the bank’s first security strategy focused solely on cyber rather than an overall technology strategy. It includes four key priorities: protect the ‘data estate’, regardless of whether it is on premise or in the cloud; enable the bank to go to market in a fast but safe manner; innovate, including partnerships with accelerators and start-ups; and educate.
“Education is aimed at the whole staff, regardless of whether they work in communication, IT, a branch or HR – every employee must know that security is in our DNA,” says Mr Oerting. “I believe that culture eats strategy for breakfast. Any management can send out new strategies but if it is not in the culture of an organisation, then employees won’t implement them.”
Barclays has three cyber centres: a security operations centre; a solutions and innovation centre, with an internal ‘white hat’ hacking team; and a security control centre, which includes third-party vendors that report to Mr Oerting. “We now have a global security system that applies to the whole bank,” he says.
HSBC has taken a different approach and drives information security risk management through the chief information security officer, who reports into the chief information officer, and a chief information security risk officer, who reports into the chief risk officer. This decision was taken following the application of an Operational Risk Management Three Lines of Defence framework.
As chief information security risk officer, Mr Hales is responsible for setting policy and strategy, and aligning both to an organisation’s risk appetite around information security incidents. He also ensures that the businesses receive independent advice and guidance regarding operational risks. The chief information security officer, on the other hand, is responsible for day-to-day operational controls and development of technical controls.
Mr Hales continually challenges existing controls, not only to see if they are working effectively, but also to ascertain if they are fit for purpose. “We research current threats, not just the ones that impact us directly but those that are materialising in other business areas that may impact us,” he says. “This includes geopolitical concerns and other non-technical areas where threats materialise.”
The interplay between the lines of defence provides HSBC with greater assurance that it is getting security right. Mr Hales says: “The design, supported by audit as the third line of defence, ensures we are better positioned to manage the risk holistically, and provides management and regulators with a greater level of assurance.”
Source: The Banker.com
Saturday, 15 October 2016
Loans
07:46
Case of fraud against six bank employees
The District Crime Branch (DCB) wing has registered a case against six employees of the Pudukottai branch of State Bank of Travancore here on a charge of having committed fraud in the customers’ accounts.
Misappropriated loan amount
According to a complaint lodged with the DCB by the branch manager, Gopalakrishnan, the employees -- Sivakumar, appraiser, Charat Lal and Narasimhan, both accounts managers, Ganapathy, Joe Daniel Arokiam and Rubesh, all chief cashiers -- had misappropriated about Rs. 63.67 lakh by “pledging” fake ornaments along with gold jewels of customers while sanctioning jewel loans.
They had misappropriated the additional loan amount from 31 accounts of 24 customers.
The fraud was committed between July 13, 2015 and July 12, 2016. The fraud came to light during the course of audit, according to the complaint.
Meanwhile, panic-stricken customers whose accounts had been fraudulently used by the bank employees assembled at the branch. They said that the bank officials, whenever they came to pledge their jewels, used to get signatures in a number of jewel loan forms.
The police have registered a case under Sec. 120B (Criminal conspiracy), Sec. 406 (Criminal breach of trust), Sec. 409 (Criminal breach of trust by banker), Sec. 465 (Forgery), Sec. 467 (Forgery of valuable security), Sec. 468 (Forgery for the purpose of cheating) and Sec. 471 (Using as genuine, a forged document) of the IPC. No arrest has been made yet.
Source: BankingUpdates
Friday, 23 October 2015
Narendra Modi
09:30
Banks free to fix interest rates on gold deposit scheme: RBI
The Reserve Bank today issued guidelines for the Gold Monetisation Scheme that allow banks to fix their own interest rates on gold deposits.
The RBI notification in this regard comes ahead of the formal launch of the scheme by Prime Minister Narendra Modi on November 5.
The gold deposit scheme is aimed at mobilising a part of an estimated 20,000 tonnes of idle precious metal with households and institutions.
As per the guidelines, banks will be free to set interest rate on such deposit, and principal and interest of the deposit will be denominated in gold.
“Redemption of principal and interest at maturity will, at the option of the depositor be either in Indian Rupee equivalent of the deposited gold and accrued interest based on the price of gold prevailing at the time of redemption, or in gold. The option in this regard shall be made in writing by the depositor at the time of making the deposit and shall be irrevocable,” it said.
The interest will be credited in the deposit accounts on the respective due dates and will be withdrawable periodically or at maturity as per the terms of the deposit, it said.
“The designated banks will accept gold deposits under the Short Term (1-3 years) Bank Deposit (STBD) as well as Medium (5-7 years) and Long (12-15 years) Term Government Deposit Schemes. While the former will be accepted by banks on their own account, the latter will be on behalf of Government of India,” it said.
The short term bank deposits will attract applicable cash reserve ratio (CRR) and statutory liquidity ratio (SLR), it said.
However, it said, the stock of gold mobilised under the scheme by banks will count towards the general SLR requirement, a move that will provide additional capital to banks for lending towards productive sectors.
The CRR is the portion of the total deposits, which has to be kept with RBI in cash, while SLR is the portion of deposit compulsorily parked in government securities.
Currently, banks have to set aside 4 per cent of the total deposit for CRR and 21.5 per cent to meet the SLR requirement.
As per the RBI guidelines, there will be provision for premature withdrawal subject to a minimum lock-in period and penalty to be determined by individual banks, it said. The government had in September cleared the gold monetisation scheme aimed at tapping part of an estimated 20,000 tonnes of idle gold worth about Rs 5,40,000 crore into the banking system.
There is no bar for maximum deposit but the minimum deposit at any one time should be raw gold (bars, coins, jewellery excluding stones and other metals) equivalent to 30 grams of 995 fineness, it said.
Interest on deposits under the scheme will start accruing from the date of conversion of gold deposited into tradable gold bars after refinement or 30 days after the receipt of gold at the bank’s designated branch, it said.
With regard to utilisation of mobilised gold, the RBI notification said, the designated banks may sell or lend the gold accepted under the deposit to MMTC for minting India Gold Coins (IGC) and to jewellers, or sell it to other designated banks.
The gold deposited under the medium to long term government deposit scheme will be auctioned by MMTC or any other agency authorised by the Central Government and the sale proceeds credited to the Central Government’s account with the Reserve Bank.
