Log in ....Tribune

Dot.ComLatest in ITFree DownloadsOn hardware

Monday, May 28, 2001
Lead Article

IT way of getting cash
by Peeyush Agnihotri


THE acronym ATM means neither "avoid travelling with money" nor "any time money," but certainly implies both. Slim ATM cards are fast replacing confounding withdrawal forms as a convenient way of getting your money from banks. In a way, they are rewriting the rules of financial transaction.

A smart person no longer needs to carry a wallet-full of paper money on his person. All he needs to do is fish out an ATM (automated teller machine) card, insert it in the slot, punch in a few details and go home with hard cash.

The IT revolution has permeated the global retail banking industry. It has broken down business models and has given customers an unprecedented position of power. In the space of a decade, the Internet as well as the Intranet have evolved into legitimate distribution channels for financial services. They have become a major influencing factor on banking strategy, overall.

Today there is a scramble among all financial institutions, both nationalised and private ones, to reach out to the masses. Automated teller machines is one ploy being used by them to make their presence felt by proxy. As a Canara Bank manager puts it "the focus is on serving the classes as well as masses." Whatever direction a bank decides to take, these modes are influencing their market value.

Transacting business through either the ATMs or the Internet in India has just five years of operational history to refer to, with the bulk of strategic activity having taken place during the past two years or so. The market is yet untapped. ATM installation went up by almost 100 per cent during the past two years. India had 3,000 ATMs this March-end and reports have suggested that the figure may cross the 34,000 mark within the next four years.

"The Chandigarh centre of the State Bank of India (SBI) is being connected with the main switch at Belapur in July. Each branch would have V-SAT connectivity. This would mean that Chandigarh residents are going to have all-over India access within a month or so. Right now, just eight other cities have this facility," tells an Assistant General Manager of the SBI.

With 301 commercial banks and a network of around 67,000 branches, India today has the largest network of banks in the world. The advent of the new economic policy had many private banks, such as HDFC Bank, ICICI Bank and the Bank of Punjab, jump into the fray.


Providing the ATM facility is just a value-added service to make the customer happy. Several banks (mainly the foreign and private ones) provide the ATM facility in the metros and other large cities. Most of the ATM centres provide 24-hour service to their customers. With the availability of the latest technology, Internet banking and multi-branch banking facilities are also available.

So strong has been the influence of this convenience banking that more than 20 nationalised banks and a few private ones have pooled in their resources to launch a consortium of more than 200 ATMs in Mumbai. Dubbed "Swadhan scheme," this means a client from any of the listed banks can withdraw cash from any of the outlets, which could even be of a rival private bank.

ATM penetration per million persons in Asian countries

"This is all about providing a multitude of services to customers. We have introduced a doorstep account opening facility with just Rs 500. The customer can withdraw even this amount and maintain a zero balance without the hassle of paying charges for not maintaining minimum balance. We do not gain anything, but this is what we call e-banking," says a marketing manager from the Bank of Punjab, and adds their Global e-Bank Card allows online access to accounts worldwide.

ATM outlets have permeated into even rural India. The SBI plans to open 1,000 ATM counters by March 31, 2002, many in rural areas. "The bank has already tied up with HCL Comnet for networking details," a senior-level technical manager from the bank reveals, and adds that with just 1,200 nationalised bank ATMs, India could be a good potential market.

Banks and financial institutions are using the latest tools to woo the customer. HDFC Bank claims to be the first one to introduce mobile commerce in India. Similarly, ICICI Bank says that it was the first one to have introduced Net banking in India. In Internet banking, a customer transacts through the World Wide Web while he accesses the bank’s server if he operates an ATM card.

"We introduced Net banking two years ago on an experimental basis. The response was slow initially, but now the number of customers has increased by 25 per cent. The typical consumer profile is literate, computer-savvy persons with Net access, in the age group of 20 to 50 years. Senior citizens have not taken to Net banking in as big a way in Chandigarh as metros," says Anand Kumar, a senior vice-president with the ICICI Bank.

While a few say the concept of Net banking is at a "primitive stage" in India, others like Navtej Singh from the HDFC say that the response is good. "Statistical figures should only consider those who have a Net connection if you actually want to see how many persons access the Net for banking purposes. This way you’ll find the response to be encouraging," he says.

But are they safe? Reports indicate that frauds involving ATM cards average Rs 30,000 a day in India. Britain’s Barclays Bank was recently forced to suspend its online banking service after Internet customers were given the account numbers of its 1.25-million other customers.

"Recently I was asked to assess an online bank and I found a poorly designed Web application, weak passwords, poor policies and procedures, and a vulnerable infrastructure, transmitting information in the clear, which is not encouraging if you do your banking online," says R. Nash, a bank evaluation expert.

Interestingly, every bank visited by this correspondent claimed to be 100 per cent foolproof and denied their bank ever having been at the receiving end. Most of the banks depend on firewalls and SSL protocols.

"With the advent of new technology almost every reputed bank provides a number of checks, like firewall, 128-bit encryption and SSL, to ensure that there is no hacking or cracking," Vikas Monga, a regional coordinator with a private bank, says.

Hi-tech banking is in a state of flux. Banks have to enter the huge untapped market cautiously, keeping in view the security aspects. But then is banking not all about details? Doing it through ATMs and the Net is just one more detail.



This is how the security works

SECURITY begins with the WWW browser. Netscape’s SSL protocol (Secure Sockets Layer) is used to provide privacy for the data flowing between the browser and the bank server. When a customer’s account is created, the bank assigns a password that is sent to the customer along with an account verification letter. In addition to password protection, Internet banking applications should also provide server authentication and client authentication using the latest in public key cryptography. Public and private key pairs are used specifically for authentication.

The private key is kept a secret. A message encrypted with a public key can only be read after decryption with the private key. To start a transaction, the customer uses his or her browser to send a secure message via SSL to the bank. The bank responds by sending a certificate that contains the bank’s public key. The browser authenticates the certificate, and then generates a session key that is used to encrypt data travelling between the customer’s browser and the bank server. The session key is encrypted using the bank’s public key, and sent back to the bank. The bank decrypts this message using its private key, and then uses the session key for the remainder of the communication.

Besides security protections for transmissions over the Internet, the bank should also be protected by a system of filtering routers and firewalls, which form a barrier between the outside Internet and the internal bank network. The filtering router verifies the source and destination of each network packet and determines whether or not to let the packet through. Access is denied if the packet is not directed at a specific, available service. The firewall is used to shield the bank’s customer service network from the Internet. The proxy verifies the source and destination of each information packet.

While their are important security issues associated with transit across the Internet, the greatest risk to the bank’s financial information occurs within the bank itself. Internet banking applications should address this issue using systems such as SecureWare’s SecureWeb platform. The trusted operating system acts as a ‘virtual vault’, protecting customer information and funds inside the bank. It uses multi-level technology and contains privilege and authorisation mechanisms to control access to functions and commands. Strict internal procedures should be in place within the bank, controlling every aspect of bank administration from training employees to confirming customer transactions, and to prevent service interruptions.


Customers have their own set of responsibilities in providing security for their Internet bank account. Passwords must be kept a secret. Users should make sure that no one is physically watching as passwords are entered. It is important to remember to exit the browser when leaving the computer. If the PC is left unattended with the browser running and a valid user name and password cached, anyone can gain access to the account. Users should also take precautions to keep computers clean and free from viruses that could be used to capture password keystrokes.

In case the ATM card is misplaced or gets lost, the user can forward a request letter to the bank concerned. "The PIN number is should in all cases be kept a secret. If the person in possession of the lost card has your PIN number, God help you. The best possible option is to ask the bank to immediately freeze the transaction," Mohit, a bank executive says. — PA



Do banks hide frauds?
by S.C. Dhall

UNDERSTANDABLY, banks worldwide are tightlipped about computerised embezzlement, not wanting their customers to know how easy it is to penetrate or hoodwink their computer networks. With the Indian sector opting for large-scale computerisation, there are increasing opportunities for computer literate criminals in India as well.

Widespread use of computer networks in the banking industry worldwide has only made embezzlement easier — the criminals do not even have to forge signatures or steal or alter cheques. A group of international regulators warned financial institutions to improve the security of electronic retail banking or face expensive consequences.

A study released by the Basle Committee on Banking Supervision, a group of regulators from 11 major industrial countries, said the dangers ranged from electronic counterfeiting to hi-tech break-ins. Banks have to design special programmes that can teach customers the use of computer related applications. How this can be worked out remains a question. Privacy in computerised banking is a concern that is often raised by customers. Customers are not confident about the complete secrecy of transactions. They do not know to what extent they can trust computerised system.

How the banks can build up this faith? The problems related to technical failure have been severe. A country with inadequate or underdeveloped expertise can land itself in deep trouble. A number of authors support the view that many banks hide the cases of fraud to protect their public image.

The finance sector is particularly vulnerable to computer crimes. According to reports computer crimes in the US involve a sum of about $ 3.5 billion annually and is likely growing at the rate of 35 per cent. The turnover from an average computer crime was $ 5,60,000 vis-a-vis $ 19,000 from an average bank robbery.

In India, the incidence of computer crime is low, mainly because the country started late on computerisation and the level of computer penetration is still low. The Government’s vision envisages a revolution in computerisation by 2010. The directive recently issued by the Central Vigilance Commission (CVC) to banks wanted the latter to computerise 70 per cent of banking business by January 2001. The CVC had also desired that the listed companies compulsorily offer the Electronic Clearing Services to their customers for payment of dividend and interest warrants.

The RBI has been making constant efforts to make the banks aware of this lurking phenomenon. In order to prevent computer crimes, the RBI has laid down specific norms for each activity area involving computers.

It has issued guidelines to banks maintenance of minimum records in computerised environment so that subsequent investigations are not hampered by the lack of understanding or lack of access to computer data.

The banking acts deal only with routine matters of banks. In the USA there are many cases before the Supreme Court that have been filed by data processing service bureau industry, challenging banks on the rights of offering computer services.

In one survey, the following reasons were reported for financial losses caused by abnormal computer incidents, ignorance/negligence (50 per cent) dishonesty (15 per cent) sabotage by "internal" persons (15 per cent) and theft/damage by outside (5 per cent).

All banks should recognise the potential threat of computer frauds and crimes, and focus on its prevention, so that the future of computerisation becomes safe and sound. The government should come out with laws to handle computer crimes expeditiously.