A much as banks may invest in security technology and human resources, it's important they avoid any complacency against online fraud.
A potential massive leak of customer data occurred in April, when 15 e-banking websites of commercial banks and payment portals in Vietnam were reported to have been attacked by a bug called OpenSSL Heartbleed, leaving bankers hurriedly peering into their IT systems in search of potential vulnerabilities. While most e-banking homepages were fixed quickly, no one can say for certain that the entire system is now secure or will remain so.
Customer information has become an asset that needs to be safeguarded and the ability to protect it is key to a bank’s success. Along with significant efforts in promoting e-banking, in a bid to provide more convenience to customers when they bank, awareness about security levels is also increasing and each bank has invested in enhancing the security levels of its e-banking platforms, according to Ms Tran Minh Huong, Chief Information Officer (CIO) at Standard Chartered Bank Vietnam.
Although Vietnam is among the countries considered most vulnerable to an internet attack, with 40 per cent of websites containing security loopholes according to a report from internet security company BKAV, local banks remain fairly confident in their ability to protect customers banking online. “Most local banks have developed and introduced many phases of protection in their e-banking systems, including SMS, with tokens or one-time passwords (OTP),” said Mr Vu Mai Tung, CIO of the Oriental Commercial Joint Stock Bank (OCB). The worst-case scenario following the Heartbleed attack, he added, was for customers’ usernames and passwords to be stolen, but they remained safe with the existence of OTP. “Apart from verification factors by username and password, each financial transaction with a third party is always verified by another factor - OTP,” he explained. “The transaction is processed only when all of the verification factors are available.”
Long before the OpenSSL Heartbleed attack came to light, security has been something banks have worked on constantly and are vigilant about. With sophisticated technology and advanced monitoring systems, such as the Payment Card Industry Data Security Standard (PCI DSS), in place, banks say they are confident in fighting internet fraud. For instance, the VIB Internet Banking system, Mr Tran Nhat Minh, Deputy Director of the bank, told VET, is capable of conducting over 6 billion transactions per day and guarantees 100 per cent safety and accuracy. All information on customer transactions via VIB Internet Banking are encrypted in 256bit SSL standard and authenticated with OTP mechanisms through SMS or token devices. At the same time, VIB’s system monitors all transactions 24/7 for suspicious or tampered transactions, alerting customers via email and phone when needs be.
As required by the State Bank of Vietnam (SBV), commercial banks must regularly check their e-banking systems and prove that their technologies are in line with international standards. These efforts are not new but they’ve gained a heightened importance in the wake of security fraud, which continues to grab headlines because of its magnitude. The Heartbleed attack could have affected a large number of customers who use e-banking services or online payment gateways.
Banks responded to the attack pretty quickly, taking immediate action to update their OpenSSL to the latest version. Most were reported to have sent staff to deal with the attack and sent out press releases saying that their platforms were unharmed by the internet security flaw. The SBV, meanwhile, has denied a report that around 15 local e-banking websites and online payment gateways were hacked by OpenSSL Heartbleed. The message here from the central bank and from the banking industry as a whole is that Vietnam has systems in place to protect customers. “We acknowledge and appreciate the prompt action and effective direction from the SBV in relation to the recent Heartbleed incident, which helped to reduce any impact on customers and banking systems,” Ms Huong said.
Banks generally don’t share very much information about their security techniques, since they don’t want to give criminals tips on how best to attack them. Every time banks build higher walls to fight fraud, it seems, criminals get longer ladders. Industry insiders say that local banks are using security technologies of global standard, with some even willing to splash the cash to invest in the latest solutions, such as e-signature and fingerprint censored solutions. It is virtually impossible, however, to determine exactly how much banks have spent on their security systems. Mr Tung from OCB told VET that a major part of the bank’s IT budget is spent on security systems but declined to go into detail.
Choosing security solutions providers is not a decision banks should take lightly. Among a range of factors, banks like VIB may focus primarily on security technology and the service provider’s capabilities. “In order to build a full security solution for VIB e-Channel, VIB has direct support from the IT expert of its strategic partner, the Commonwealth Bank of Australia, which is one of the world’s safest banks,” Mr Minh said. “The security package at VIB has a robust vendor selection process that includes the validation of security technology and vendor capability. Moreover, VIB employs a third party security due diligence process that provides additional assurance to VIB executives in terms of vendor selection.” Meanwhile, Mr Tung feels the need to combine a number of solutions, as no single service provider can satisfy all of the bank’s requirements. By way of example, OCB has purchased equipment from Cisco Systems and engaged IBM to set up centre lock monitoring.
To a certain extent, Ms Huong believes, international banks are more experienced and better equipped to prevent and deal with security incidents. Standard Chartered recently introduced the world’s first security token ATM/Credit/Debit card with in-built keypad and LCD display in Singapore, to provide even greater online security for customers (with 3D authentication). “Our solutions are updated regularly and we leverage the expertise of third-party best-in-class security partners to ensure all of our products are secure,” she said.
Banks were indeed quick to begin assessing the risks involved in e-banking and in response to those risks many have implemented security programmes. However, the weakest link, industry insiders point out, may be the human element. Technology constantly changes and the challenge of guaranteeing they can be implemented in a secure manner is crucial to success. This is why banks must develop a team of specialists that is tasked with the mission of using these technologies and investigating fraud when it occurs. “Besides large investments in technology, much attention should be paid to developing human resources,” Mr Tung said. “At OCB we have two units - one specialising in security technology and the other in security policies and customers interaction.” Customer awareness and education regarding e-banking security should also be a continual point of emphasis, as banks consider customers to be a critical link in the security chain. This explains why banks have become more assertive in reminding people to be vigilant about checking their accounts and reporting any suspicious activity immediately.
“To ensure the safety of transactions on the internet, alongside efforts from banks, security information from customers plays an extremely important role. Customers need to comply with regulations from the bank’s management, change key transactions and use services to control transactions and account balances via email or text message. With these services, customers can monitor their accounts and respond immediately to the bank if they did not conduct a certain transaction.” Mr Tran Nhat Minh, Deputy Director, VIB
“The key here is to use best-in-class security solutions and avoid using open solutions for critical banking systems like e-banking. Banks should implement software and hardware maintenance packages from the most reputable vendors in the market, and at the same time regularly conduct security stress testing on all e-banking channels. It is also critical for them to continuously raise security awareness and vigilance not only among their IT teams and banking staff but also among customers. Alerting customers of potential security risks and educating them on how to stay safe online is just as important.” Ms Tran Minh Huong, CIO, Standard Chartered Bank Vietnam