Evaluating Security Provisions in Banking Software Systems
Banks around the world invest substantial amounts of money in banking software systems, even though it is mostly the younger generation who are receptive to them and the general public is slow to trust new innovations. Mobile device platforms have created a great opportunity for the business of banking through their vast geographical coverage and reach to a global population. As a result, most banks have started offering banking facilities through mobile applications. The ability of a user to carry out transactions such as real-time payments is expected in the new generation of banking. Research shows that, despite the availability of these systems, only 40% of customers are mobile banking users in the Sri Lankan banking case study. Concerns around security have been identified as the strongest reason that still encourages people to walk into a bank to get their business done rather than accessing it through mobile devices. As an IT professional, I would say that I belong to this segment of non-mobile users most of the time, because the security threats are known and seen in abundance.
During the last two years, well-organized teams of criminals have repeatedly hacked banking systems internationally, exploiting weaknesses in the banking systems themselves and in the integration of their software systems. These weaknesses include issues with interoperability, susceptibility to and backdoors in internationally distributed software, and general deficiencies in the applied knowledge of the essential security features of banking systems. Phishing has been the strongest and most public attack, and it continues to undermine confidence in online and mobile banking systems. It is an attempt to gather sensitive data by sending recipients e-mails that pretend to come from the actual bank and request personal data such as passwords, usernames and credit-card information. The attackers also request money transfers through indirect channels and confuse potential system users. Further, phishing campaigns redirect network traffic to malicious websites, deny network traffic towards web services, and modify the protection mechanisms of the target banking system and its inter-connected networks. Successful attacks can result in financial losses, loss of identity and unauthorized disclosure of information.
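The phishing pattern described above (a message that borrows the bank's name, pressures the recipient, and links to a site outside the bank's domains) can be screened for mechanically before a message reaches a customer or staff inbox. The following is an added example written for this section, not code from the study or from any bank; the bank name, the trusted domain list and both sample messages are constructed placeholders, and the indicator checks are a minimal illustration rather than a complete anti-phishing filter.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for the illustration: the brand name a phisher imitates and the
# domains the bank legitimately sends mail from. A real deployment would load these
# from the bank's own policy configuration.
BANK_NAME = "Example Bank"
TRUSTED_DOMAINS = {"examplebank.lk"}
URGENCY_PHRASES = ("verify", "suspend", "immediately", "within 24 hours", "confirm your account")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

# Constructed sample messages (not real mail). The first imitates the bank and links
# to a look-alike domain; the second is what a legitimate notice would look like.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
To: customer@example.org
Subject: Your account will be suspended - verify immediately
Content-Type: text/html

<html><body>
<p>Dear customer, confirm your account within 24 hours.</p>
<a href="http://login.examplebank-secure.com/verify">https://www.examplebank.lk/login</a>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <notices@examplebank.lk>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<html><body><p>Your statement is ready.</p>
<a href="https://online.examplebank.lk/statements">online.examplebank.lk</a></body></html>
"""


def _host(url):
    """Lower-cased hostname of a URL; bare domains (as shown in link text) get a scheme added."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host):
    """True if host is one of the bank's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyze_message(raw):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    display_name, address = parseaddr(str(msg["From"] or ""))
    from_host = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # 1. The display name borrows the bank's brand, but the address is not the bank's.
    if BANK_NAME.lower() in display_name.lower() and not _is_trusted(from_host):
        indicators.append("brand-in-display-name-untrusted-sender")

    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    for href, text in LINK_RE.findall(body):
        target = _host(href)
        shown_text = re.sub(r"<[^>]+>", "", text).strip()
        # 2. The link text displays one host while the href actually points at another.
        if URL_LIKE_RE.match(shown_text) and _host(shown_text) != target:
            indicators.append(f"link-text-mismatch:{_host(shown_text)}->{target}")
        # 3. The link leads to a host outside the bank's domains.
        if not _is_trusted(target):
            indicators.append(f"untrusted-link:{target}")

    plain = f"{msg['Subject'] or ''} {re.sub(r'<[^>]+>', ' ', body)}".lower()
    # 4. Pressure language typical of credential-harvesting mail.
    if any(p in plain for p in URGENCY_PHRASES):
        indicators.append("urgency-language")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_message(sample))
```

Each indicator on its own is weak (a bank may legitimately use a marketing domain, and a genuine notice may say "verify"); the value of the check is in how many fire together, which is why the function returns all of them rather than a single verdict.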
In this research I collect and analyze publicly available secondary data on a hacking case, the affected people's comments, systems information, published opinions, and my own critical reflection to build a case example. It provides knowledge that helps in preventing and recovering from such attacks. The purpose of this case study is to review the Sri Lankan banking systems and to identify possible vulnerabilities for improvement. Further, the study critically analyses the experience of a Sri Lankan bank that faced a phishing attack via online banking (all data used are public and secondary). This study brings out how to deal with such a hazardous situation and how to arrive at better defenses and post-attack responses. Chapter 4 itemizes the evidence from an investigation into the bank security breach and chapter 5 provides an analysis. Figures 5.1 to 5.3 summarize the learning from this incident.
Additionally, secondary document analysis was used to investigate bank staff and bank customer experiences with phishing attacks and bank security procedures. It shows the Sri Lankan experience of phishing attacks via online banking, the users' backgrounds, and the role of education and communication in better preparing people to distinguish and resist attacks. The research analysed phishing through case studies that highlighted some of the experiences of phishing attacks and how the resulting problems were dealt with. Emphasis was placed on the prior level of knowledge of phishing threats, how they originated, and what methods were used to undermine the security of online banking users. Further, the bank's response to the problem in deploying protection for online banking against such phishing attacks is documented, and recommendations are made for improvement.