It in banking

IT IN BANKING INDUSTRY
ABHISHEK B.PATOLE Page 1
KANDIVALI EDUCATION SOCIETY’S
B.K. SHROFF COLLEGE OF ARTS
AND
M.H. SHROFF COLLEGE OF COMMERCE
Bhulabhai Desai Road, Kandivali (West), Mumbai – 400067
CERTIFICATE
This is to certify that ABHISHEK B.PATOLE of
TY.BMS has successfully completed a project on TO STUDY “it in
banking industry” for the semester under the guidance of the PROF.
UMADEVI KOKKU during the Academic year 2011-2012.
Project Guide
Co-ordinator Principal
Internal Examiner External Examiner
College Seal

AND
M.H. SHROFF COLLEGE OF
COMMERCE
DECLARATION
I ABHISHEK B.PATOLE from KES Shroff College Of
Arts & Commerce and a student of T.Y. BMS here submit my
project on TO STUDY “it in banking industry”
I also declare that the project which has been in the
partial fulfillment of the requirement of the Mumbai University is
the result of my efforts.

AND
M.H. SHROFF COLLEGE OF
COMMERCE
PROJECT REPORT ON
“it in banking industry” .
SUBMITTED BY
ABHISHEK B.PATOLE
TY.BMS
SEMESTER V
SUBMITTED TO
UNIVERSITY OF MUMBAI
PROJECT GUIDE
PROF. UMADEVI KOKKU
ACADEMIC YEAR
2010 - 2011

ACKNOWLEDGEMENT
The joy of ingenuity!!! This is doubtlessly what
this project is about. Before getting to brass tacks of things. I would like
to add a heartfelt word for the people who have helped me in bringing
out the creativeness of this project.
To commence with things I would like to take this
opportunity to gratefully and humbly thank to Prof.Umadevi kokku,
who has giving me an opportunity to undertake this project in IT in
Banking Industry.
My parent‟s need special mentions here for their constant
support and love in my life. I also thank my friends and well wishers,
who have provided their whole hearted support to me in this exercise. I
believe that this Endeavor has prepared me for taking up new
challenging opportunities in future.

Sr no. Index Page
no.
Chap.1 Introduction 7-15
a. Objectives of the study
b. Limitations of the study
Chap.2 Review of literature 16-19
Chap.3 Research methodology 20-24
a. Primary data
b. Secondary data
Chap.4 Electronic cheques & evidentiary value 25-39
a. Future of plastic money
b. Leading issues in banking technology
Chap.5 Banking technology & frauds 40-73
a. Credit card frauds on internet
b. Information technology risk in
banking management &measurement
Chap.6 Data analysis 74-87
Chap.7 Conclusions 88-89
Chap.8 Suggestion 90-91
Chap.9 bibliography 92-93

Chapter- I
Introduction

Chapter -1. INTRODUCTION
The Indian Banking system has an old age legacy. Earlier there
were indigenous bankers who consisted mainly of unorganized
moneylenders, mahajans and sahukars. Later, when British came to
India they brought with themselves the concept of organized banking.
British while leaving India left behind large number of small and
privately held banks. In 1964, the first major banking reform took place
when 14 banks were nationalized. It led to the rising of Indian Public
Sector Banks. The second banking reform was witnessed in 1990s when
Indian Banking Sector underwent complete change after the
recommendations of the Narsimhan Committee. Private and MNC
banks entered banks entered into the Indian Banking arena and
challenged the monopoly of the PSU banks. The Private and MNC
banks brought new technologies and technology intensive services with
themselves. They rendered quality service, which PSU banks were not
providing, to service starved Indian customers. There were a series of
technological innovations and up-gradations, e.g., ATMs, Internet
Banking, credit cards and online banking, etc. Private banks and MNC
banks had to provide something extra and it was their service, which
attracted a bulk of customer from the PSU banks. Indian customers
were lacking the world-class service in baking; they were accustomed
to the PSU (Sarkari) culture and the service of Private and MNC banks
was a delight for them.

When private and MNC banks initiated the world class service to
their customers and started snatching customers from Public Sector
Banks, Public sectors banks were bound to follow the path of Private
Banks. The PSU banks felt the heat and realized their mistake. They
also followed the Private Banks in their technology initiatives and
services.
The Indian Banking Sector with the progress in Technology is
facing the biggest challenged of rapidly changing customer
expectations against the backdrop of LPG (Localization, Privatization
and Globalization). Retail banking clients today demand more care and
extra facilities. They want more mobility of investments, interactive
accounts, and better segmentation of banking products to cater to
different segmental needs, convenience and untimely hour services.
Even the PSU culture could not adjust to the pace of the new
technology and changes. At present also it is moulding and adapting
itself to new needs and the dynamism of the environment.
Technology is helping the Indian Banks to cater to customer
needs in a much more efficient manner continuous and error free
services to customers. With the help of computerization and the use of
modern software, which can be called the gift of technology, the banks
have been able to provide single window system to their customers. In a
single window system, all the needs of the customers are taken care at a
single counter. It is like a multipurpose counter where one can deposit
cheque, receive payments and deposit cash etc. This has been made
possible only due to the use of technology. Earlier one had to move
from one counter to the other counter for different sort of works. Thus
this type of service not only helps in better customer service but also

minimizes the customer service time as it avoids duplication of work
and unnecessary hassles to the customers. With the use of technology,
banks are trying to minimize there per customer service cost. According
to industry estimates, assume teller cost Re.1 per transaction, ATM
transactions cost Re.0.45, phone banking at Re.0.35, debit cards at
Re.0.20 and Internet banking at Re.0.10 per transaction. So, now the
emphasis is more on net banking then on real banking or brick and
mortar banking. Indian Banking system is moving from real banking
realm to virtual banking realm. Banks are establishing more and more
ATMs at different convenient locations and interconnecting these
ATMs not only with their networks but also with their partner banks.
Network with whom they have got mutual understanding for sharing
ATMs. With the least cost of Internet banking, banks are paying higher
emphasis on Internet banking.
As per IDC estimates, the total number of registered users for
Internet banking in India is over two million. But this figure needs to be
adjusted for dormant users and multiple accounts (a user having
accounts with more than one bank). India has one million active
Internet Users populations. Thus, this is just around 0.1% of the total
population; to represents 15% of the India‟s Internet user (most of the
people in India use internet from cyber café). Thus, indicating that the
concept of Internet banking is surely catching on. India is far behind in
the use of Internet banking than the other Asian countries like Korea
and Singapore where nearly 10% of their population is banking over the
Internet but India is fast catching up. In India, the biggest drawback for
Internet banking is the Internet penetration among the masses. We lack
the infrastructure facility for providing Internet services but with the IT

ministry keen on expanding the Internet penetration the day is not too
far when greater part of our population would be using the Internet
banking facilities. In India, ICICI bank was the pioneer to introduce
Internet Banking. And later Citibank, HDFC Bank and other banks
followed the suit. PSU banks have lagged far behind in adoption of the
Internet banking facilities. But State Bank of India, which entered the
arena of ATM banking quite late, was able to expand at a rapid pace
and cover almost all the cities of India. Now ATM banking has become
an integral part of traditional cheque or withdrawal based banking.
These services have helped the PSU banks to maintain their customers.
Now money is transferred more in electronic form than in physical
form. With the cost of PC fast declining and the government‟s initiative
in providing the infrastructural facilities for net banking and the faster
developments in the telecommunication sector would be helping in the
adoption of new technology and IT-based banking services. Some
authors‟ view that the Internet banking is just the extension of the
traditional banking services because it is the same service with
customer friendly technological interface. So, it is the value addition to
the existing services. Banks are reaping following benefits with the use
of technology:
With low investment, banks would be able to satisfy large
customer base. The technology has allowed the banks to move
from brick and mortar building to virtual interface which cost
less in comparison to the rising real estate prices which in turn
leads to increase investment. Low investment in turn helps in
satisfying large client base.

With modern facilities more and more customers get attracted to
the banks and they are viewed as technology savvy and modern
or state-of-the –art banks. Brand image of the banks also get
enhanced thus building their goodwill and brand equity. Even
customers want to be associated with the brand personality of the
banks.
With the increase in quality and competition, the customers are
having several choices among which to choose instead of
Hobson‟s choice in some case. Now banking services have
become customer centric instead of service centric or bank
centric approaches as in earlier cases. Now, it is the customers
market rather than a sellers (bankers) market. All the services are
customer driven.
Network sharing by different banks is enabling the banks to
reduce their investment (sharing of ATMs of partner banks) and
provide better services to the customers. This is also helping
them in delivering quick services and it also reduces the risk of
fraudulent practices as verification becomes quite easier and
quick.
These practices are leading to lower service cost per customer.
Thus leading to enhance profitability for the banks, which in turn
enhances the corporate image of the banks.

With the use of technology banks are in a position to obtain the
customer database with a press of key and this helps the bank to
maintain high profile customers because it is an accepted
marketing principle that 80% of the revenue are generated by
20% customers (20:80 principle). Thus, the modern technology
helps in tracking the key customers and provides them better
services or customized services.
The alternative channels of service helps the bankers to add new
products to their portfolio and it helps them to device new
products according to customer needs. The banks can provide
customized value added services or tailor-made service to each
customer based on his/her requirement, e.g., foreign money
transfer service, electronic money etc.
It helps the banks to manage their funds in a much better way as
the technology provides round the clock interface to the outside
world and thus it helps in hedging the risk of the banks at real
time. Banks are able to minimize the risk and maximize returns
by investing in different avenues and they have greater control
over the fund investments.
Technology helps in increasing the labor productivity because it
increases the output per labor to multifold. Earlier works had to
be performed manually and it used to take days to complete in

minutes or in seconds. So, it helps in updating the customer
status as well as increased labor productivity.
The customer service cost decreases and the productivity of the
staff increases and this adds to the profitability of the banks. This
helps the banks to take care of even larger customer base and this
will ultimately ass up too the bottom-line of the banks.
Public sector banks have been shy in implementing new
technology brick mortar banking in comparison to the technology
driven banking while the client base of Private and MNC banks are
mostly young people who are technology-savvy and who like to
interface more with the technology than man. Aged people are not
comfortable with the technological interface. They feel complexity and
uncomfortable with technology intensive services.
With the present avenues being saturated and greater competition
due to the entry of more players in the arena, the banks are diversifying
into new areas where they can use their financial expertise in financial
consultancy, insurance sectors, and fee-based earnings instead of fund-
based earnings. The mushrooming of the multichannel, multifunction,
self-service electronic delivery channels is fast replacing the brick and
mortar branches (real to virtual). There is a need to redefine the
business model of the Indian banking sector so that to optimize the
resources and deliver world class service in the light of modern day
technology. Today‟s concept is to minimize the visit of the customer to

the bank and let him use the technology or let technology handle him-
this is the new survival mantra in the cutthroat scenario for banks.
OBJECTIVES OF THE STUDY
The objectives of the project “The Study Of Application of
Information Technology In Banking Sector” includes the following:-
To know the present condition of technology in Indian banking sector.
To know about the electronic payment system.
To know about the hackers and frauds in online banking.
To know about the risk management policies of Indian banking
sector.
To know about the electronic banking sector.

LIMITATIONS OF THE STUDY
The scope of the project “ The Study Of Application Of
Information Study In Banking Sector” has been restricted to some
extent i.e. the project does not include the following: -
Supervision of Electronic Banking by Reserve Bank Of India
Information Technology in Banks in International Scenario
Software Application to Protect from Hackers & Frauds
Case Studies Related To Hackers & Frauds

Chapter –II
Review of literature

History of banking
The first banks were the merchants of the ancient world that made loans
to farmers and traders that carried goods between cities. The first
records of such activity dates back to around 2000 BC in Assyria and
Babylonia. Later in ancient Greece and during the Roman Empire
lenders based in temples would make loans but also added two
important innovations: accepting deposits and changing money. During
this period there is similar evidence of the independent development of
lending of money in ancient China and separately in ancient India.
Banking in the modern sense of the word can be traced to medieval and
early Renaissance Italy, to the rich cities in the north like Florence,
Venice and Genoa. The Bardi and Peruzzi families dominated banking
in 14th century Florence, establishing branches in many other parts of
Europe. Perhaps the most famous Italian bank was the Medici bank, set
up by Giovanni Medici in 1397.
The development of banking spread through Europe and a number of
important innovations took place in Amsterdam during the Dutch
Republic in the 16th century and in London in the 17th century. During
the 20th century developments in telecommunications and computing
resulting in major changes to the way banks operated and allowed them
to dramatically increase in size and geographic spread. The Late-2000s
financial crisis saw significant number of bank failures, including some
of the world's largest banks, and much debate about bank regulation.
Information Technology Auditing (IT auditing) began as
Electronic Data Process (EDP) Auditing and developed largely as a

result of the rise in technology in accounting systems, the need for IT
control, and the impact of computers on the ability to perform
attestation services. The last few years have been an exciting time in the
world of IT auditing as a result of the accounting scandals and
increased regulation. IT auditing has had a relatively short yet rich
history when compared to auditing as a whole and remains an ever
changing field.
The introduction of computer technology into accounting systems
changed the way data was stored, retrieved and controlled. It is believed
that the first use of a computerized accounting system was at General
Electric in 1954. During the time period of 1954 to the mid-1960s, the
auditing profession was still auditing around the computer. At this time
only mainframe computers were used and few people had the skills and
abilities to program computers. This began to change in the mid-1960s
with the introduction of new, smaller and less expensive machines. This
increased the use of computers in businesses and with it came the need
for auditors to become familiar with EDP concepts in business. Along
with the increase in computer use, came the rise of different types of
accounting systems. The industry soon realized that they needed to
develop their own software and the first of the generalized audit
software (GAS) was developed. In 1968, the American Institute of
Certified Public Accountants (AICPA) had the Big Eight (now the Big
Four) accounting firms participate in the development of EDP auditing.
The result of this was the release of Auditing & EDP. The book
included how to document EDP audits and examples of how to process
internal control reviews.

Around this time EDP auditors formed the Electronic Data Processing
Auditors Association (EDPAA). The goal of the association was to
produce guidelines, procedures and standards for EDP audits. In 1977,
the first edition of Control Objectives was published. This publication is
now known as Control Objectives for Information and related
Technology (CobiT). CobiT is the set of generally accepted IT control
objectives for IT auditors. In 1994, EDPAA changed its name to
Information Systems Audit and Control Association (ISACA). The
period from the late 1960s through today has seen rapid changes in
technology from the microcomputer and networking to the internet and
with these changes came some major events that change IT auditing
forever.
The formation and rise in popularity of the Internet and E-commerce
have had significant influences on the growth of IT audit. The Internet
influences the lives of most of the world and is a place of increased
business, entertainment and crime. IT auditing helps organizations and
individuals on the Internet find security while helping commerce and
communications to flourish.

Chapter- III
RESEARCH
METHODOLOGY

COLLECTION OF PRIMARY DATA:-
The primary data has been collected from various sources which
are as follows:
Questionnaire method.
Surveys in banks.
Surveys in banks related offices such as agent‟s office etc.
COLLECTION OF SECONDARY DATA:
The secondary data has been collected from various sources
which are as follows:
Various books related to information technology.
Brochures of various banks.
Weekly journals.
Articles in newspapers.
SAMPLE FRAME:
The data has been analyzed using ten samples of employees of
three different banks viz., Bank of Maharashtra, HDFC Bank and ICICI
Bank.

E-BANKING: IN NASCENT STAGE IN INDIA
To keep pace with the changing environment worldwide, Indian
banking industry is fast adopting technology. It has embraced many
new features like Internet banking, ATMs, Phone banking etc. With the
help of new technology, banks are now able to offer products and
services, which were difficult or impossible with traditional banking.
But the banks in India still have to go a long way before making
themselves technology savvy.
With IT integration, a paradigm shift in the banking norms is on cards.
Banking fundamentals are thus facing major overhauls/ reengineering/
restructuring.
Two major trends have emerged in the transition of traditional
banking to high-tech banking:
 Advancements and restructuring through mergers, acquisition
and alliances.
 Universal banking where one stop shop provides all related
products and services to a customer.

At this point, it should be emphasized that mergers, acquisitions,
alliances, and adoption of Universal Banking concept are just
outcomes of IT-banking integration.
Banking and IT
Advancements and innovations in IT industry have created a
revolution in the communication and distribution system of various
products and services through Web networking. Networking, as we
know has connected people around the globe, thus creating a revolution
in modern business activities.
Integration of these technological advances and existing banking
structures has changed and will change the definition and faces of
global banking. Internet banking has made banking a commodity where
quality is measured by efficient servicing and effective pricing and
timeliness.
However, PC banking is not new. Bank of Scotland Started
offering its Home Office Banking Services (HOBS), more than a
decade ago, although it was only in 1996 that it was upgraded to make
software work with the now dominant windows operating systems.
HOBS later joined hands with TSB, which in 1996 launched banking
services accessible through the CompuServe online network,
nationwide.

Technology Solutions for Indian Banks
Two types of technology stock bank products are available in the
market.
 Hardware products like ATMs and
 Software products like branch connectivity, cluster-banking
software, and trade finance software.

Chapter –IV
ELECTRONIC
CHEQUES&EVIDEN
TIARY VALUE

3. ELECTRONIC CHEQUES
ANDEVIDENTIARY VALUE
The advancement in technology has led to the creation of
electronic cheques, particularly in a business environment. Different
countries have a choice of cheque systems, which are governed by the
laws applicable to each country‟s jurisdiction. The authentication of
these electronic instruments is proposed to be endorsed by digital
signature. In India, the enactment of the Information Technology Act,
2000 obligated amendments to The Negotiable Instruments Act, 1881
in order to impart legal validity to such electronic instruments. The
authors in this article elucidate the amended provisions and examine the
evidentiary value of such electronic instruments.
The electronic cheque or simply the e-cheque is gradually
replacing the longstanding paper cheque. The Negotiable Instruments
(Amendments and Miscellaneous Provisions) Act, 2002 was amended
to include the phrase “electronic cheque” in the definition of a cheques
in Section 6 reads as “ A „cheque‟ is a bill of exchange drawn on a
specified banker and not expressed to be payable otherwise than on
demand and it includes the electronic form. “Explanation I. – For the
purpose of this section, the expression-
“A cheque in the electronic form” means a cheque which
contains the exact mirror image of a paper cheque and is generate,
written and signed in a secure system ensuring the minimum safety
standards with the use of digital signature (with or without biometrics
signature) and asymmetric cryptosystem.”

An electronic cheque simply means a cheque in the electronic
form, which is an exact replica of a physical cheque. It contains all the
information that is found on a physical cheque, but it is “signed
digitally” or “endorsed”.
In an attempt to provide authentication, an apparatus commonly
known as “signature” was evolved as a proof asserting intention. This
involved appending a unique identifier to a message to identify the
sender/recipient. Conventionally, handwritten signatures are affixed
paper-based cheques. These signatures affixed using ink are used as an
authentication tool to identify that the person signing the document has
read and understood the contents. In the anonymous digital world,
where individuals may not actually communicate with each other, much
emphasis is placed on the authentication of the electronic information.
Therefore, it becomes necessary for evolving a secure authentication
tool, which led to the promotion of digital signatures.
DIGITAL SIGNATURE – HOW IT OPERATES
It is a data string, which associates a message in the digital form
with some originating entry. It is created and verified by means of
cryptography, the branch of applied mathematics that concerns itself
with transforming messages into apparently meaningless forms and
back again. It uses a scheme or mechanism consisting of signature
generation algorithm with a method for formatting data into message to
produce a digital signature, and a related signature verification
algorithm with the method to recover data from the message to
authenticate a digital signature.

It is important to note that, the Information Technology Act,
2000, in Section 3(2) provides for a particular asymmetric cryptosystem
and hash function as a means of authentication should be recognized as
a source of legal risk.
The digital signature mechanism follows an “asymmetric
cryptosystem”. In this method of creating and verifying a digital
signature, there are two basic technical processes or functions: “Public
key encryption”, where encryption is the process by which information
is scrambled by the use of a code and “hash”.
The process of a creation and verification of digital signatures
using hash algorithm involves the following steps:
Create a data unit that is to be signed, e.g., precisely an encircled
portion of data in digital form, which can be a text document,
software or any other digital information.
Generate hash value called “Message Digest” or “Fingerprint” of
the message. A hash function is a process that creates a relatively
small number (called message digest) that represents a much
larger amount of electronic data.
This hash value is computed from the data unit- a number using a
hash algorithm, which creates the compressed digital signature.
Digital signatures use a “one way hash function” and the
important thing about such a hash value is that it is nearly
impossible to derive the original data unit without knowing the
data unit used to create the hash value. Therefore, if the data unit
is changed or otherwise tampered with, the hash value will no

longer correspond to this data unit and produces an error
message.
Encrypt hash value with the private key of the signatory.
Encryption is a process of disguising a message in such a way so
as to conceal its meaning and substance. It also consists of a
procedure of converting plain text to a cipher text. Hence, the
plain text refers to the original digital file, whereas the ciphertext
refers to the disguised file.
Final step in the verification process, which involves the
regeneration of the hash value on the basis of the same data unit
and the same algorithm. The determined hash value is again
computed with rhea public policy key, which is then compared
with the signature attached to the data unit. If the product is
matching, it will verify the signatory‟s private key, which is used
to sign and guarantee that the data unit has not been altered.
In this context, digital signatures are created when the drawer of
the cheque runs, the cheque through a one-way function creating a
message digest. The private key used by the drawer of the cheque is
known only to him. The drawer encrypts the resulting message digest
by using an asymmetric cryptosystem will allow the paying banker to
verify the signature by using it to decrypt the cheque.

EVIDENTIARY VALUE OF DIGITAL
SIGNATURE ON E-CHEQUES
Generally, authentication is achieved by what is known as
security procedure, but from the legal perspective, the security
procedure requires to be recognized by the law as a substitute for
signature.
With the emergence of cyberspace it became necessary to amend
certain provision of the Indian Evidence Act to make electronic
evidence admissible in courts of law. Accordingly, the second schedule
to the Information Technology Act has amended the Indian Evidence
Act, 1872 to remove any obstacle to the legal acceptance and validity of
electronic evidence.
According to the amended Section 3 of the Evidence Act,
electronic records stand on par with paper-based documents and will be
deemed as documentary evidence in a court of law.
While Section 22(A) of the Information Technology Act amends
Section 17 of the Indian Evidence Act, 1872 to provide that oral
admission as to the contents of the electronic records are relevant, the
written admission of the content of any document or electronic record
can be proved under Section 65 of the Evidence Act.
Section 39 of the Indian Evidence Act provides, “when any
statement of which evidence is given forms part of a longer statement,
or is contained in a document which forms part of a book, or is

contained in part of electronic record or of a connected series of letters
or papers, evidence shall be given of so much and no more of the
statement, conversation, document, electronic record, book or series of
letters or papers as the court considers necessary in that particular case
to the full understanding of the nature and effect of the statement, and
of the circumstances under which it was made.” It can be inferred from
this provision that where entry of an electronic cheque forms a part of
an electronic record, only that part which is relevant may be taken as
evidence before the court. Again what part is relevant depends on the
discretion of the court. The court must exercise this discretion judicially
to determine such relevance.
Accordingly, Section 5 of the Information Technology Act 2000
prescribes, “ Where any law provides that information or any other
matter shall be authenticated by affixing the signature or any other
document shall be signed or bear the signature of any person then, not
withstanding any document contained in such law, such requirement
shall be deemed to have been satisfied, if such information or matter is
authenticated by means of digital signature affixed in such manner as
may be prescribed by the Central Government.”
Explanation- For the purposes of this section, “signed”, with its
grammatical variations and cognate expression, shall, with reference to
a person, mean affixing of his handwritten signature or any mark on any
document and the expression “signature” shall be constructed
accordingly”.
This provision explicitly explains that a digital signature is
legally recognized as the method of authentication. The authority to use

digital signatures in the government and its agencies is accorded in
Section 6 of the Information Technology Act, 2000, which reads as-
“ 1) Where any law provides for-
a) This filing of any form, application or any other document with
any office, authority, body or agency owned or controlled by the
appropriate government in a particular manner.
b) The issue or grant of any license, permit, sanction or approval by
whatever name called in a particular manner.
c) The receipt or payment of money in a particular manner, then,
notwithstanding anything contained in any other law for the time
beginning in force, such requirement shall be deemed to have
been satisfied if such filing, issue, grant, receipt or payment, as
the case may be, is effected by means of such electronic form as
may be prescribed by the appropriate government”.
The words in Section 6(1)(C) “ the receipt or payment of money
in a particular manner … is affected by means of such electronics forms
as may be prescribed by appropriate government” may be understood to
include e-cheque.
A system of digital signature like handwritten signature is use to
protect confidential information. Form the legal perspective, two
presumptions that could be raised in respect of digital signature are:

Signatory‟s personal participation in the Act of signing or any
person authorized by him.
The intention of the signatory to endorse or approve authorship
of a text and the fact that the signatory had been at a given place
and time.
The presence of intention has an integral part of a signature is
essential as lack of intention could be raised with regard to
circumstances including fraud and unconscionable conduct.
To regulate the use of digital signature, the Central Government is
empowered to lay down rules under Section 10 of the Information
Technology Act, 2000 that reads, “The central government may, for the
purposes of this Act, by rules, prescribe-
The type of a digital signature;
The manner and format in which the digital signature shall
be affixed;
The manner or procedure which facilitates identification of
the person affixing the digital signature;

Control processes and procedures to ensure adequate
integrity, security and confidentiality or electronic records or
payments; and
Any other matter which is necessary to give legal effect to
digital signature.”
In India, evidentiary value of the digital signature has been in
question for long. A genre of evidence dominating the digital
transaction world leads to be recognized by the Indian Evidence Act,
1872, by making the necessary amendments there in.
The IT Act 2000 provides for specific evidentiary value for
secure records and secure digital signatures. Subsequently, sub-section
(2) to Section 85B of the Indian Evidence Act has been inserted to be in
consonant with the IT Act to provide that, “ In any proceedings,
involving secure digital signature, the court shall presume unless the
contrary is proved that-
The secured digital is affixed by the subscriber with the
intention of signing or approving the electronic records;
Except in the case of a secure electronic record or a secured
digital signature, nothing in this Section shall create any
presumption relating to authenticity an integrity of the
electronic record or any digital signature.”

The section limits its opinion to a secure digital signature by
indicating that there shall be no presumption relating to authenticity and
integrity of a digital signature except where it is a secure digital
signature. If, by application of a security procedure agreed to by the
parties concerned it can be verified that a digital that a digital signature,
at the time it was affixed, was-
Unique to the subscriber affixing it
Capable of identifying such a subscriber
Created in a manner or using means under the exclusive
control of the subscriber and is linked to the electronic record to
which it relates in such a manner that if the electronics record
was altered the digital signature would be invalidated then such
a digital signature shall be deemed to be a secure digital
signature.
As distinct from such a secure digital signature, Section 67A of
the Indian Evidence Act provides for proof as to the digital signature,
and Section 73A prescribes the method by which such a digital
signature may be proved. According to Section 67A of the Indian
Evidence Act, “ Except in case of a secure digital signature, if the
digital signature of any subscriber is alleged to have been affixed to an

electronic record the fact that such digital signature is the digital
signature of the subscriber must be proved.”
The Information Technology Act by inserting a new Sub-Section
A to Section 47 recognizes opinions of third parties not relevant as
evidence unless specifically provided for Section 47A reads as, “ When
the court has to form an opinion as to the digital signature of any
person, the opinion of the certifying authority, which has issued the
Digital Signature Certificate, is an relevant fact”. An opinion of third
parties is in admissible and as evidence except in certain cases when the
court requires an opinion of experts. With this insertion, opinion of
third parties became relevant.
THE FUTURE OF PLASTIC MONEY
Use of plastic Money is growing at an unprecedented rate in
India. Lesser number of installed Point-of sale (PoS) terminals is the
major obstacle in the growth of debt cards; smart card has many
innovative features, which may spurt the use of cards in India. Smart
card is safer to use in electronic form than the present form of cards
“ Credit card business is a volume game and initially highly capital
intensive.”
- A senior banker

Plastic money is growing by leaps and bounds in India. Today,
many banks are offering cards. Though the foreign banks have a
dominant share, aggressive entry of the Indian banks like SBI, ICICI
and HDFC Bank may soon change the rules of the game. Today, SBI-
GE is the third largest issuer of credit cards.
The credit card market in India is projected to grow at the rate of
20-25% per annum in the coming years. There are currently around 3.8
million credit card users compared to 3.0 million in 1990. Visa credit
card grew by 46.4% in India while the growth in Asia Pacific was only
6% for Q3 of 2003. The competition among banks has been growing
and they are offering so many add-on incentives like waiver of first
year annual fee, discount on retail stores, personal loans etc., to woo the
customers.
Debit card is another segment, which is catching up fast. There
are only 80,000 to 90,000 merchants having point-of-sale (PoS)
terminals installed and majority of them are located in metros, which is
the major obstacle to the growth of debit cards. To increase the usage of
debit cards, banks should concentrate on increasing installation of PoS
terminals in semi-urban and rural areas.
Smart Card: A Future Card
Smart cards are the wave of the future for consumer use,
commercial use and terminal network security. Smart cards are in much
wider use in Europe than in US.
A smart card is a plastic card with an imbedded computer chip
that has been stored inside the card. It has the capacity to store up to 80
times more information than other magnetic stripe cards. This mini-

computer using an intelligent chip, stores payment information similar
to a magnetic stripe card, but it also includes additional information
such as online authorization controls, credit limits, stored value (gift
card), reward points (loyalty), Personal Identification Number (PIN),
etc. Smart cards can be contact less, suggesting that the chip transfers
data via a built-in antenna without physically touching the smart card
reader.
There are over 3 billion smart cards in use currently. Today,
smart cards are used worldwide and it is the most flexible payment
option available in the world. Smart cards have been used in Europe for
over 10 years and now they are the accepted mode of payment. In
developing countries and continents such as Africa and Asia, the use of
smart cards has been growing rapidly. In the US, major retailers, banks
and processors are preparing to accept global cards and some are adding
smart gift cards and promotional application to build loyalty for the
growth of their business. American Express and Financial Institutions
have issued over 21 million PIN-secured smart cards to their customers.
By the end of 2005, there will be over 100 million smart cards to their
customers. By the end of 2005, there will be over 100 million smart
cards in use in the United States.
In order to accept smart cards, the business must have an EMV
ready smart card Point-of-Sale (PoS) terminal. Merchants can be
standalone PoS smart card terminals or smart card readers that are
integrated with cash registers. Currently, over 90% PoS terminals are
not EMV smart card ready.

Smart Cards and Internet Payment
Issues of security and fraud are major drawbacks to using credit
and debit cards over the Internet. Unlike the hand-written receipts, there
are no signed sales receipts associated with today‟s e-commerce
transactions. Without such evidence, it is difficult as much as 84% of
all electronic commerce transactions.
At the same time, consumers are holding back on making Internet
purchases due to lingering security concerns. According to Master
Card, 90% of Internet non-buyers worry that their personal and
financial information may fall into the hands of hackers. It is this
reluctance that is the real barrier to building an online business. Using
smart cards along with a strong Internet authentication will help
overcome these issues.
American Express, Master Card and Visa smart cards currently
support Internet authentication and payment using built-in digital
certificates and digital signatures. For smart cards to be successful, the
cardholders must connect an EMV approved smart card reader to their
PCs. Smart cards have the capacity to replace the thirty plus years old
magnetic stripe cards.

Chapter –V
Banking Technology
& Frauds

LEADING ISSUE IN BANKING
TECHNOLOGY
Many Indian banks are adopting the information technology not
merely as a frill, but as a dire need. It is helping the banks in many core
and diversified functions. Technology is key business enabler in six
critical areas of banks. These are augmentation profit pool, operation
efficiency, customer management, product innovation, distribution and
reach, and efficient payment and settlement system. For the success of
any IT program, integration of IT and business strategy is crucial factor.
Banking basics have undergone radical shifts, thanks to the
advent of modern technology, increasing pace of globalization and the
need for stronger fundamentals to operate in the fiercely competitive
environment. The digital divide among Indian banks that was quite
discernible before the millennium has considerably narrowed down
with many banks taking to technology not merely as a frill, but as a dire
necessity. Technology today catalyzes many core and diversified
functions in banks, including issues like transaction automation and
multiple delivery channels, product innovation, data warehousing and
effective MIS, secured storage mechanisms and a real-time based
payment and settlement system.
Seen in the present context, technology is a key business enabler
in six critical areas of banking.
Augmenting Profit Pool; Operational Efficiency; Customer
Management; Product Innovation; Distribution and Reach; Efficient
Payment and Settlement.

Augmenting Profit Pool
Sustained profits and profitability have been major yardsticks for
assessing the true health of banks in a fiercely competitive and
compelling business environment. Technology has proved, at least in
case of new generation banks and major public sector banks to be a
major profit driver. With progressive decline in interest rates, banks‟
spreads have come under pressure, which per se, affects their
profitability. However, technology had a favorable effect in terms of
reducing the operating cost and improving the burden to a considerable
extent. Technology also enable commissioning of new products like
Net banking, mobile banking and other forms of 24X7 banking like
ATMs and Networked services across branches like anywhere banking,
electronic funds transfer, customer relationship management, call
centers across the banks. Hi-tech and hi-touch services, it goes without
saying, have also enlarged the clientele base in banks and commanded
considerable customer loyalty. Technology has created an enabling
environment for banks to diversify into various fee-based activities like
bancassurance and funds transfer arrangements.
operational Efficiency
Operational efficiency, in terms of optimum utilization of
resources, has been one of the most positive offshoots of technological
application in banks. Thanks to greater technological application,
banking system has seen a near consistent improvement in the
intermediation efficiency and consequent decline in transaction cost.
Yet, technology application has been by and large confined, especially

in the state-owned banks, towards cost saving and improved service
standards through product innovation. While savings in cost and
improvement in service quality could turn out to be short-term in
nature, it is essential that technology is leveraged as a long-term and
efficient cross-functional application. It is also time that the focus of
technology shifts from product innovation to process innovation
commonly referred to as Business Process Reengineering (BRP), for
banks to gain long-term operational efficiency.
Customer Management :-
Technology also spells significant benefits on the realm of
customer research and management. In a predominantly buyers‟ market
and high propensity if customers to switch service providers, customer
management need no longer be a front office function, but a bank-wide
obsession. Many banks have duly realized the significance of such
functions and introduced new models like the High Net Worth clients‟
branch, imbued with state of the art technology, exquisite ambience and
quickest possible processing of transactions. Customer management is a
very sensitive issue entity hears only from 4% of its dissatisfied
customer, while 96% of its customers quietly go away of which 91%
never come back. Technology, thus, already implemented the tech
aided e-CRM application as strategic tool to retain as well as expand
their customer base. The bottom line is that banking products are
getting commodities and price wars are slowly leading to a zero-sum
game. In such a scenario, technology backed customer orientation will
hold the key to take service standards anywhere near to world-class.

Product Research :-
In the field of product research as well, technology plays a
decisive role, in terms of swift product innovation, an active R&D set
up effective pricing of products to protect banks‟ margins and safeguard
customers‟ interests. Banking product life cycles are getting shorter day
by day and more than delivery, product servicing defines competitive
edge for banks. Marked to market product processes are equally
important for sustained improvement in the value chain of services and
command „top of the mind recall‟ from the customers. Technology also
aids product profitability research and review, which have not adequate
attention in many of the banks.
Distribution Reach :-
The thumb rule for strategic management masters is that
structure must follow strategy in any business reorganization.
Technology, thus, calls for attendant restructuring endeavors that will
be in tune with the level of technology application. For instance, many
banks need to put in a place a leaner structure and remove intermediate
decision-making tiers. That is how one can see that many of the
regional outfits of banks are slowly being dismantled while branch
expansion is not being accorded the thrust it used to be given earlier.
Rightsizing of human and physical overheads is a major strategy
adopted by many banks wherein the role of the earlier brick and mortar
banking is slowly getting dissipated. In turn, devices like Internet and
mobile banking. Technology, thus, facilitates downsizing of overheads
cost without compromising much on clientele reach. Public sector in the
rural and semi-urban areas. Many of these branches are not performing

to their potential mainly because of their typical business mix, cost
diseconomies and lack of technology-based services offered in these
branches. Technology can facilitate the branch rationalization exercise
such as setting up mobile branches and satellite branches, especially in
the rural areas, and bring many of those into the “Performing” category
without affecting the extent of client reach.
Efficient Payment and Settlement :-
Innovation in technology and worldwide revolution in
information and communication technology have emerged as dynamic
sources of productivity growth. This is true about banking as well as its
relationship with technology has become symbiotic fundamentally.
Payment system is probably the most important mechanism in the
banking sector where technology‟s interactive dynamics is getting
manifested in an increasing measure each day.
Banking system has adopted a holistic approach for designing a
modern, robust, efficient and integrated payment system. The approach
to the modernization of the payment and settlement system has been
basically three pronged – consolidation, development and integration.
Consolidation of the payment system has revolved round strengthening
computerized cheque clearing and expanding the reach of electronic
clearing services through state-of-the-art technology. Critical elements
under the developmental strategy related to the opening of new clearing
houses, interconnectivity of clearing houses through INFINET and
optimizing the development of resources the Negotiated Dealing
System, Structured Financial Messaging System (SFMS) and the
recently introduced Real-Time Gross Settlement (RTGS) system.

Integration is the next stage that the banking system is currently going
through which is premised on a high degree of standardization within a
bank and seamless interfaces across banks, leading to Straight Through
Processing (STP) of transaction on a regular basis. Further, cheque
truncation system will also pave way to expedite settlement of
payments process.
However, so far as integration is concerned, Indian banks still
have a fair distance to traverse. In order to efficiency leverage an
integrated payment and settlement systems, banks, especially those in
the public sector, need to address certain core issues expeditiously.
These include the following:
Toning up of infrastructure in terms of standardization and
build up security features like firewalls, Intrusion Detecting
System (IDS) and implementing a security policy.
Total inter-branch connectivity.
Popularization of electronic funds transfer mechanism.
Institute collaborative arrangements, including outsourcing of
IT expertise.
In addition to the above, banking sector is also confronted with a
classic dilemma. It relates to differentiating between and mapping the
role of business vis-à-vis the role of information technology, a feature
typifying an enterprise wide technology initiative. This is where the
significance of integrating business and IT plans comes to the fore.

Integration of IT and Business Strategy
Many banks, especially those in the public sector, are embarking
on a comprehensive set of IT initiatives encompassing total branch
automation, core banking solution, networking of ATMs, Internet and
mobile banking, data warehousing and a comprehensive MIS backed
decision support system. Contrary to popular perception, such
initiatives are not merely because of competitive pressure from the
foreign and new generation private banks. The avowed goal of these
initiatives was to improve overall efficiency in terms of lower
intermediation cost, swifter decision-making process, grater customer
convenience and effective internal control, including an objective risk
management mechanism. It goes without saying that the fast pace of
globalization and progressive move towards reaching global operational
benchmarks also catalyzed the technology drive dividends to these
banks although the need of the hour is to consolidate the gains so far
and address the weak links.
One such weak link relates to lack of integration between the
IT strategies which, it is felt, is applicable to many of our banks.
Technology introduction can offer significant benefits only when they
are in total alignment with business strategies. Especially, in public
sector banks, a phased approach is desirable in view of the
heterogeneous nature of their branch architecture and vast area specific
differentials in their branch functioning. In the current context, business
strategies may differ from bank to bank, yet a core set of business
objectively will, for sure, be common to all the banks. Such
commonalities call for at least an open technology plan, in board

consonance with the business objectives, and the same can be fine-
tuned on an ongoing basis to suit the business model.
Recently, a study was conducted by National Institute of Bank
Management, at the behest of RBI, for suggesting a methodology to
integrate IT and business plans in banks. The study has proposed an
„Enterprise Maturity Model‟, for attaining total convergence of
technology and business strategies with focus on selected, generic
business strategies. The model suggests solutions not merely for
business and technology, but for issues related to human resources and
customers who form an integral part of banks‟ strategic road map.
The suggestions in the study promise to be useful benchmarks for
banks in their complete switchover to the virtual mode. Application of
the model can help banks to develop effective Executive Information
System as effective decision support, integration of varied workflow
processes, objective customer analysis and most importantly, devise
simulative and real-time based tools to track business, profits and
profitability. Effective and an objective technology application system
will also enable a business process reengineering mechanism that will
considerably enhance the real technological capabilities of banks.
Core Banking Solution
In the light of ongoing emphasis on business process
reengineering, one comes across many banks assiduously pursuing a
centralized server-based system, better known as Core Banking
Solution (CBS). CBS offers, among others, benefits like privilege of
single window service to customer in order to facilitate a shift from

“customer of the branch” to “customer of the bank” concept, online
transfer of funds, longer business hours, lower transaction costs,
slimmer staff structure at branches, effective monitoring of business,
comprehensive MIS as a policy support and above al, improved
visibility of the banks implementing CBS. A robust MIS also supports
vital functions like ALM, risk management, product profitability and
customer profitability analyses leading ultimately to efficient portfolio
management in banks. CBS also leads to significant mileage in terms of
staff and other overhead costs. Staff rendered surplus on account of
CBs can also be put for marketing and recovery functions, which
warrant dedicated staff in the present context.
One major issue in CBS relates to security aspects and a host of
operational risks that banks are confronted with. Be it system failure or
planned hacking or any kind of human error, centralized system is
perennially susceptible to failure which may prove to be endemic across
the financial system and result in vital data erosion. Retrieval of the
same may also cost dearly to the banks and their associates. Security
aspects like implementing a robust security policy, firewalls, IDS are,
therefore, indispensable for preventing any systematic problem. There
are even cases where multi-point security has not been able to check the
fraudulent practices. Thus, security aspects need to be examined
threadbare before putting core banking in place.

TECHNOLOGY AND FRAUDS
ATM CRIMES FRAUDS:
ATM crimes and frauds are rising throughout the world. ATM
industry and money other organizations are fighting with them in many
ways like, by issuing security tips, making ATMs more innovative etc.
In India, where the use of ATMs is growing by exponential, banks have
to take benefit from international experiences and safeguard their
customers from frauds.
ATM crimes and frauds are mounting day by day. Even
though they make up a small percentage of criminal activities they are
not less important. Criminals are raiding millions every year.
Popular Ways to Card Frauds:
Some of the popular techniques used to carry out ATM crime
are:
 Through Card Jamming ATM‟s card reader is tampered with in
order to trap a customer‟s card. Later on the criminal removes the
card.
 Card Skimming is the illegal way of stealing the card‟s security
information from the card‟s magnetic stripe.
 Card Swapping, through this customer‟s card is swapped for
another card without the knowledge of cardholder.

 Website Spoofing, here a new fictitious site is made which looks
authentic to the user and customers are asked to give their card
number, PIN and other information, which are used to reproduce
the card for removing the cash.
Global Measures to Fight the Frauds
To guard against these frauds „The Global ATM Security
Alliance (GASA)‟, which was formed in June 2003, has issued the
customers guide and some tips to prevent against card-related frauds.
The World‟s Top 20 tips for ATM Use to Enhance the ATM customer
Experience and Security
Article I. CHOOSING AN ATM
Tip 1: Where possible, use ATMs with which you are most familiar.
Alternatively, choose well-lit, well-placed ATMs where you feel
comfortable.
Tip 2: Scan the whole ATM area before you approach it. Avoid using
the ATM altogether if there are any suspicious-looking individuals
around or if it looks too isolated or unsafe.
Tip 3: Avoid opening your purse, bag or wallet while in the queue for
the ATM. Have your card ready in your hand before you approach the
ATM.
Tip 4: Notice if anything looks unusual or suspicious about the ATM
indicating it might have been altered. If the ATM appears to have any
attachments to the card slot or keypad, do not use it. Check for unusual

instructions on the display screen and for suspicious blank screens. If
you suspect that the ATM has been interfered with, proceed to another
ATM and inform the bank.
Tip 5: Avoid ATMs which have messages or signs fixed to them
indicating that the screen directions have been changed, especially if the
message is posted over the card reader. Banks and other ATM owners
will not put up messages directing you to specific ATMs, nor would
they direct you to use an ATM, which has been altered.
Article II. USING AN ATM
Tip 6: Is especially cautious when strangers offer to help you at an
ATM, even if your card is stuck or you are experiencing difficulty with
the transaction. You should not allow anyone to distract you while you
are at the ATM.
Tip 7: Check that other individuals in the queue keep an acceptable
distance from you. Be on the lookout for individuals who might be
watching you enter your PIN.
Tip 8: Stand close to the other ATM and shield the keypad with your
when keying in your PIN (you may wish to use the knuckle of your
middle finger to key in the PIN).
Tip 9: Follow the instructions on the display screen, e.g., do not key in
your PIN until the ATM request you to do so.
Tip 10: If you feel the ATM is not working normally, press the cancel
key and withdraw your card and then proceed to another ATM,
reporting the matter to your financial institution.
Tip 11: Never force your card into the card slots.
Tip 12: Keep your printed transaction record so that you can compare
your ATM receipts to your monthly statement.

Tip 13: IF your card gets jammed, retained or lost, or if you are
interfered with at an ATM, report this immediately to the bank and/or
police using the help line provided or nearest phone.
Tip 14: Do not be in a hurry during the transaction, and carefully secure
your card and in your wallet, handbag or pocket before leaving the
ATM.
Article III. MANAGING YOUR ATM USE
Tip 15: memorize your PIN (if you must write it down, do so in a
distinguished manner and never carry it with your card).
Tip 16: NEVER disclose your PIN to anyone, whether to family
member, bank staff or police.
Tip 17: Do not use obvious and guessable numbers for your date of
birth.
Tip 18: Change your PIN periodically, and, if you think it may have
been compromised, change it immediately.
Tip 19: Set your daily ATM withdrawal limit at your branch at levels
you consider reasonable.
Tip 20: Regularly check your account balance and bank statements and
report any discrepancies to your bank immediately.
While the ATM industry is aggressively addressing ATM-related
frauds and crimes, few in the industry know about these extraordinary
efforts. Some of the important works are given below:
 From time to time the Electronic Funds Transfer Association
(EFTA) with the help of ATMIA is publishing tips on PIN
security.

 To combat the cross-border crimes, GASA is working in
association with Interpol, the Metropolitan Police Flying Squad
for New Scotland Yard and leading card issuers.
 ATMIA is educating the people and ATM industry about most
effective way of fighting ATM crimes and frauds and honoring
with award that contributes significantly counter the fraud.
 Fair Isaac Card Alert – it is a service, which analyzes millions of
daily transaction, identifies the suspicious transactions and sends
the card number and related information of suspicious transaction
to the concerned bank. This services has helped a lot in solving
many card-related frauds including high-profile skimming cases.
 Leading ATM manufacturers are producing innovative ATMs,
which are helping to counter the frauds. Biometric technology is
one of the examples, which removes the need of Personal
Identification Numbers (PINs).
Biometric systems identify or authenticate a person‟s identity
using different alternatives like face expressions, fingerprint, hand
geometry, voice, retina, etc.
INTERNET BANKING AND FRAUDS
Fraudsters are using innovative ways like Web and Mail spoofing,
attacking the bank‟s server etc. to break the security walls and
commit fraud. There is a need for arrangements, which help presence
of integrity, confidentiality and authorization of information.

“Thieves are not born, but made out of opportunities”
This quote exactly reflects the present environment related
to technology, where it is changing very fast. By the time regulators
come up with preventive measures to protect customers from innovative
frauds, either the environment itself changes or new technology
emerges. This helps criminals to find new areas to commit the fraud.
Some common Internet banking frauds and their causes have
been discussed here.
 Attacking the Bank’s Server
In this case, the fraudster takes control of the server of the
bank and by visiting the bank‟s website carries out transaction through
impersonation.
These attacks are due to bad programming, which mostly
prevail in general purpose software. Such attacks are called buffer-over-
flow attacks. Due to buffer-over-flow defects in the software, fraudster
can use the commands on the server without providing essential
information like password etc.
 Mail Spoofing
In the mail spoofing or e-mail forgery, the fraudster sends the
information to bank customers in such a form that it seems that
information is from the authentic bank source. One such incident
happened with ICICI Bank customers to disclose passwords and other
information. The e-mail said:

“For security purpose your account has been randomly chosen for
verification. To verify your account information we are asking you to
provide us with all the data we are requesting. Otherwise, we will not
be able to verify your identity and access to your account will be
denied. Please click on the link below to get to the ICICI secure page
and verify your account details. Thank you.”
Mail spoofing happens due to lack of criteria to verify the source
address authenticity. Anyone can set up a mail server and can forge a
mail posing as an authentic source.
 Web Spoofing
In Web Spoofing, customers of the bank are lured to log in at the
fraudster‟s website, which is similar to the bank‟s website. Once the
customer provides sensitive information, they can be stolen easily by
the fraudster, who uses the stolen sensitive information like password
and username etc., to carry out the transaction on the bank as a real
customer.
In the whole case, the only loser is the customer because he does
not have any means to prove that it was not he who did those
transactions, but the fraudster.
Ignorance of the customer to intercept Universal Resource
Locator (URL) is the major cause of Web spoofing. Look at the
following two URLs
http://secure.bankname.com/carloanfind/carloans.asp
http://secure.bankname.com?
@569857125/carloanfind/carloans.asp

It is very difficult for a normal customer to understand the
difference between these two URLs. He can be easily cheated because
the first URL will drive him to the original site while the second one to
the fraudster‟s site.
(i) Denying Service from Bank’s Server
The fraudster‟s intent here is not to commit any fraud but to
create inconvenience for the banks. The customer here literally cannot
access the services of the bank.
Intervention of fraudster‟s with Transmission Control
Protocol/Internet Protocol (TCP/IP), the computer communication
languages, Router Poisoning that help the customers to reach different
parts of the network and Domain Name System (DNS) service, that
helps the two computers to communicate through IP number are some
reasons for such inconvenience.
It is clear that to plug all the loopholes is very difficult for any
regulator. This is a challenge to the mission of fast automation. It is
essential on the part of the banks, the regulators and the service
providers to create a source and safe automation environment that has
the confidence and trust of the customers.

CREDIT CARD FRAUD ON INTERNET
Credit card fraud has become regular on Internet. All the agencies
involved in the transaction, cardholders, online merchants and the card
issuers suffer losses. However, it is the online merchant who suffers the
most. This article examines the nature of credit card fraud, types of
credit card frauds, and the effects. This article also discusses the
preventive measures.
Internet commerce is growing very fast. From a customer base of 28.8
million spending US$12 bn in 1999, Internet Commerce has grown
exponentially during the past few years and is still growing. But,
unfortunately, the growth is not on the expected lines. The credit card
fraud, which has become common, has retarded the e-commerce
growth. A 1999 survey by US National consumer‟s league reported that
7% of customers were victims of the credit card fraud; recent surveys
indicate that one out of three online customers have become victims to
this kind of fraud. Customers, credit card companies, banks and
merchants are battling this problem; still this crime is on ascendancy.
Common Types of Card Frauds
There are different types of frauds involving credit cards. The
fraudulent activities start from the application process itself.

Application Fraud:-
In application fraud, the fraudster obtains personal confidential
information of the other person needed in the credit card applications,
like social security number, date of birth using a variety of means.
Internet search engines and databases are making these tasks easier.
Using this information, he fills in an application for a credit card and
after receiving it, uses it as if he is the true holder. The person in whose
name the card is issued might come to know about this only after the
damage is done.
Counterfeit Cards:-
In this, a criminal gains access to a valid card number and other
information. For example, the salesperson at the supermarket briefly
takes possession of the customer‟s card during payment process, which
he runs on a terminal. But without the knowledge of the cardholder, the
salesman can also run it on another machine, which can capture all the
details in the card. Using this information and tools like embossing
machines, a fraudster can create a counterfeit card. This process is
known as „skimming‟ and simple hand-held devices are now available
for the purpose. Further, the information skimmed can also be used for
purchases on the Internet or Telephone.
Account Takeover: In account takeover, the fraudster first all the
personal confidential information about the other person. Then
impersonating as the other person, he informs the bank that there is a
change in his residential or office address. Next, he informs them that
his credit card is lost and request for a new card on the new address.

After receiving the card, the criminal successfully takes over the
account.
Stolen and Lost Cards:-
By far, this is the most common form of fraud in the market
place. When the criminal has access to a stolen or lost card, he also
gains access to all the personal information. Apart from using this card
fraudulently, the criminal can also use the information to „broaden‟ the
fraud by applying for new cards or fabricating new ones.
Other Forms:-
From the point of view of a merchant, credit card frauds can be
divided into three ways. There are organized fraud, opportunistic fraud
and cardholder fraud. The advantages offered by Internet are also
attracting the criminals in a big way. In an organized criminal activity,
the gang‟s obtain credit cards using any of the means discussed above.
They normally identify a drop location like a vacant house or
warehouse, spend the card up to the maximum limit, and ask the
merchandise to be dropped at this selected location. These gangs have a
thorough understanding of the system and take advantage of the fact
that there is normally a time gap of more on to the next card.
Opportunistic fraud is committed normally by amateurs who get an
opportunity of handling credit cards, like waiters in restaurants.
Cardholder fraud involves the cardholder himself who might claim that
he never placed the order or he never received the goods. It could also

involve one of his family members or friends who used the card without
his knowledge.
Bust Out Fraud:-
According to Daniel Buttafogo of Juniper, an Internet-based
credit card company, in this fraud, true customers gradually build up as
much available credit card and then „bust out‟ with large purchases of
items that could easily resold like jewelry or draw large cash advances
etc. Here the fraudster will draw bad checks on one account to pay
when this cannot be done any longer, the customer does a vanishing act.
This kind of fraud is the most difficult to catch, as the customer exhibits
exemplary behavior till the last moment.
Friendly Fraud / Denial of Receiving Product:-
Friendly fraud occurs when the actual cardholder carries out a
transaction but later denies or claims that his card was stolen or used
without his authorization. Customers might deny receipt or signing or
even ordering the product.
Nature of E-Commerce Transactions:
In e-commerce transaction, face-to-face contact between the
merchant and customer is absent and this causes most of the credit card
frauds. In online transactions, after filling in the online order form, the
customer is expected to give his credit card number to conclude the
transaction. In real world, after the purchase, the customer hands over
the credit card, which the merchant swipes using a terminal. The

merchant also obtains the signature of the customer on the credit card
receipt. He also verifies the charge authorization. In case of fraudulent
use of a card like using a stolen card, the merchant or the customer are
reimbursed by the credit card company. In online transactions, the card
is not present during the transaction and there is no signature of the
customer on the receipt. These transaction, treated as card not present
transactions, in which the card issuing companies do not reimburse the
merchant. In reality, speed, which is the most important benefit of the
Internet, facilitates the fraud. A physical transaction takes several
minutes; where as Internet transaction takes only a few seconds. Real-
time transaction reduces the overheads, but at the same time, increase
the number of fraudulent transactions. For example, a fraudster can give
the same fraudulent card number to a number of e-business sites
simultaneously and there is no way the merchants can know about it.

INFORMATION TECHNOLOGY RISK IN BANKING:
MANAGEMENT & MEASUREMENT
Information Technology (IT) is not merely a technical function, but a management
process, which needs to be managed effectively. To measure the IT risk in banks
there are various methodologies available. All of them at large follow the same
primary steps like threat analyst etc. for technology risk assessment; American
Banker Association has recommended various resources.
Risk management approach had widely the baseline approach in
which a baseline/ standard set of polices and practices are followed in
taking business decision without considering the criticality of the
business asset or decision. In business sense, risk is the probability of
getting loss from taking or not taking a business decision. The loss can
be tangible or intangible. Risks can be avoided, controlled, shared,
transferred and accepted. Risks can be controlled through objectives,
policies and procedures.
Risk management approach enables the management to give
appropriate treatment to the business assets and decisions based on their
criticality to business goals and business continuity. While the basic
concepts remain the same, Information Technology introduces new
vulnerabilities as well as new techniques for risk management. As such,
technology risk management, while following the fundamentals, needs
to address these new vulnerabilities.

Technology Risk Management
Information Technology Risk is the risk that can arise due to
use or non-use of technology in business or for business. The primary
objective of an organization and its ability to conduct business. The
business of IT in business is to see that the business continues. IT risks
management has to ensure that this purpose is achieved. As such IT risk
management process should not be treated as a mere technical function
carried out by the IT people and should not just confine to IT assets. It
is essentially a management function. However, the role of IT people is
also vital because IT security and IT risk management are interrelated
and an effective risk management process is an important component of
a successful IT security program.
The broad objective of performing IT risk management is to
enable the organization to achieve its business goals by better securing
the IT systems and enabling management to make well-informed risk
management decisions in areas where technology is involved.
IT risk management is to the process that helps to balance the
operational and economic costs of risk mitigation measures and achieve
gains by protecting the IT systems and data that support their
organization‟s goals. A well-structured risk management methodology,
when used effectively, can help management identify appropriate
controls for providing the mission-essential security capabilities.
Various organizations worldwide have come out with risk
management frameworks, policies, standards and principles that are
quite useful in IT risk management and measurement.

The committee set up Bank for International Settlement (BIS) has
identified fourteen Risk Management Principles for Electronic Banking
to help banking institutions expand their existing risk management
policies and processes to cover their electronic banking activities.
Similarly, the Committee of sponsoring Organizations of the
Tread way Commission (COSO) Board and Project Advisory Council
took on the responsibility to expand and address the remodeled
components of internal control. The end product of this is the COSO
Enterprise Risk Management (ERM) Framework.
The Information Systems Audit and Control Association
(ISACA) has developed a framework called Control Objectives for
Information and related Technologies (COBIT) which helps in IT risk
management.
The ERM and COBIT frameworks provide a useful evaluation
tool for informing management, directors and other stakeholders about
a process, procedure and policy to identify, measure, prioritize and
respond to finding risk.
In India, RBI has been providing much guidance in this area to
Indian banks. There is a good number of references and guidelines
provide in the reports of various RBI Committees. The report of the
RBI Committee on computer audit provide a comprehensive checklist
covering many technology-related areas, which is useful in Technology
Risk Assessment.

Technology Risk Assessment/Measurement:-
Risk assessment/measurement is a process used to identify and
evaluate risks and their potential effect/exposure. Risk exposure is
equal to the amount of probability multiplied with impact on business.
Risk management covers three processes: Risk assessment, risk
mitigation, and evaluation. Risk assessment is the first process in the
risk management methodology and also is necessary for the extent of
the potential threat and the risk associated with an IT system throughout
is System Development Life Cycle (SDLC). The output of IT risk
assessment process helps to identify appropriate controls for reducing
or eliminating risk during the risk mitigation process.
Unlike financial risk, technology risk cannot be easily quantified
or measured. But, banks can gain financial and operational benefits by
conducting an effective Technology Risk Assessment (TRA). These
include enhancing corporate governance over IT activities, proactively
identifying vulnerabilities and implementing risk business imperatives,
and efficiently using corporate risk management resource, including
audit, in ensuring a cost-benefit control environment.
Threats to an IT system must be analyzed in conjunction with the
potential vulnerabilities and the controls in place for the IT system to
determine the likelihood of a future adverse event and its impact.
Impact refers to the magnitude of harm that could be caused by a threat.
The level of impact is governed by the potential impact on
organizational goals and, in turn, determines the level of criticality of an
IT asset/resource.

Technology Risk Assessment (TRA) Methodologies:-
The quality of the technology risk assessment affects the
effectiveness of risk-based decision of management. With the
increasing interest in operational risk management and concerns about
corporate governance, may proprietary enterprise risk-management
methods/solutions came in the market to help banks to meet the
assessment challenge. Since these methodologies are mostly developed
for and by traditional risk managers, they are generally weak in areas
relating to technology, although they provide an adequate perspective
from a credit, financial, and environmental standpoint.
Risk assessment methodology generally follows the following
primary steps:
Threat and Vulnerability Identification
Probability/Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendations
Results Documentation
Technology Risk Assessment (TRA) methodologies are not much
different from general risk assessment methodologies and they, too,
follow these steps. However, the risk assessment tools would be
different in case of technology risk because to assess adequately and to
prioritize technology risk, the risk assessment tools must be
supplemented with methodologies specifically geared to technology.

As in the case of enterprise risk assessment tools, ready-made
methods and tools developed by vendors can be used for TRA also.
However, a number of challenges are involved in using these ready-
made tools like vendor methodologies which may not continuously
update the TRA throughout the year due to the costs involved; the
outsourced methodology/tool may not understand the bank‟s specific
issues, etc.
The American Bankers Association lists the following
recommended resources for TRAs:
International Standards Organization (ISO) 17799 (ISO
Standards)
Control Objectives for Information Technology (COBIT)
SysTrust
Operationally Critical Threat, Asset and Vulnerability Evaluation
(OCTAVE)
National Institute of Standards and Technology (NIST)
These resources are inexpensive to implement and serve the
purpose in most cases. They are based on extensive research from
government and professional security experts and are vendor neutral.
These methodologies enjoy excellent reputation among corporate
governance experts.
A summary description of each of the above TRA methods is as
follows:

ISO Standards
The ISO along with the International Electro-technical
Commission forms the specialized system for worldwide
standardization. The stated purpose of the ISO standards is to “provide
a common basis for developing organizational security standards and
effective security management practice and to provide confidence in
inter organizational dealings.” Originally, developed in Britain, it is a
favored TRA approach in Europe. The standard is often referenced and
leveraged by other prominent methods and covers 10 areas namely,
Security policy, Communications and operations management,
Organizational security, Access control, Asset classification and
control, System development and maintenance, Personal security,
Business continuity management, Physical and environment security,
and Compliance.
COBIT
COBIT has been developed as a generally applicable and
accepted standard for good IT security and control practices that
provides a reference framework for IT governance. COBIT is
sponsored by the IT Governance Institute, established by the
Information Systems Audit and Control Association (ISACA), and
addresses risk from both the business and technology perspectives. It is
an internationally recognized tool, incorporating both operation
management and audit concerns, which have been adopted in
organizations including the US House of Representatives, Charles
Schwab & Co., and Swift.

The framework compromises 34 high-level control objectives
belonging to four domains. For each control objective, audit procedures
and management guidelines are provided. The latter guidelines uniquely
provide COBIT with a business management perspective; maturity
models, critical success factors, key goal indicators, and key
performance indicators are provided for each of the high-level control
objectives.
COBIT focuses on processes and their ownership. It provides
excellent methodology for various parts of an organization to have the
same perspective at IT risk management. However, COBIT is more of a
general assessment tool and detailed issues are to be considered in the
form of audit programs. As such some consider it to be too theoretical.
Sys Trust
The American Institute of Certified Public Accountants (AICPA)
and the Canadian Institute of Chartered Accountants (CICA) introduced
a service to provide assurance on the reliability of systems. The purpose
of this service, known as Sys Trust, is to increase the comfort of
management, customers and business partners with the systems that
support a business or particular activity. The service considers four
principles to evaluate whether a system is reliable.
Availability: The system is available for operation and use at
times set forth in service level statements or agreements.

Security: The system is protected against unauthorized physical
and logical access.
Integrity: System processing is complete, accurate, timely and
authorized.
Maintainability: The system can be updated when required in a
manner that continues to provide for system availability, security
and integrity.
Although, SysTrust was not necessarily developed as a risk
management tool, many organizations have found that the SysTrust
principles could be adopted as an effective RA tool since the principle
provide a stake holder‟s perspective on the impact of technology on
business activities. The AICPA/CICA is currently considering a new
version of the SysTrust tool that would also incorporate e-commerce
activities. Under the revision, five principles would replace the four
above. Principles consider would include security, availability,
processing integrity, online privacy and confidentiality.
SysTrust provides good high-level questions for an overview on
overall reliability but may not provide detailed methods for intended
objectives. It is more of an executive level assessment perspective
rather than at operational level. However, it also has provision for third
party assessment and covers security also.
OCTAVE
Developed by the Software Engineering Institute (SEI) at
Carnegie Mellon University, OCTAVE is a comprehensive, self-

directed approach to TRA. It differs from traditional TRAs in that it
first determines which information assets really need to be protected
and then evaluates the technology infrastructure to determine the
vulnerability of those assets. OCTAVE presents an exciting TRA to
ORMs because the SEI is home to the CERT alerts and other
information relating to managing security vulnerabilities. This
robustness of tools, workshops, and publications relating to OCTAVE
significantly enhances an effective assessment by the ORM.
Specially, OCTAVE uses a three-phased approach to identify the
technology risk management needs of an enterprise:
Build asset-based threat profiles: Identify important
information assets, the threats to those assets, security and current risk
mitigation strategies.
Identify infrastructure vulnerabilities: Examine technology
infrastructure for vulnerabilities that can be compromised.
Develop security strategy and plans: Based on the results of the
first two phases, develop a strategy-based on business priorities to
mitigate risks.
OCTAVE is a full methodology with supporting tools and
leverages from a combination of academic research and industry
practices but, it is geared to larger institutions and the use of it without
formal training is difficult.
NIST

The Information Technology Laboratory (ITL) at the NIST in
USA is a body, which provides technical leadership for the nation‟s
measurement and standards infrastructure. These include developing
standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems.
Like the other organizations mentioned previously, NIST
provides a detailed checklist of IT-related risk mitigation strategies that
should be assessed as a part of a TRA. In addition to its detailed
coverage of security issues, the checklist enables to determine if risk is
managed by using five “levels of effectiveness”.
1. Control objectives documented in a security policy.
2. Security controls documented as procedures.
3. Procedures have been implemented.
4. Procedures and security controls are tested and reviewed.
5. Procedures and security controls are fully integrated in to a
comprehensive program.
However, this is mostly followed by big government
organizations and following these methodologies could be too
burdensome in a smaller organization.

Chapter -VI
Data analysis

PRIMARY DATA & ITS ANALYSIS
The primary data has been collected through surveys in banks
(questionnaire) viz., Bank of Maharashtra, ICICI bank, HDFC bank.
Q.1) I.T. in banks is much more advanced than traditional banking?
⁭Agree ⁭Disagree ⁭Fifty-Fifty
Section 3.02 ANALYSIS: -
Bank of
Maharashtra
ICICI HDFC
AGREE 96% 98% 100%
DISAGREE 3% 2% 0%
FIFTY-FIFTY 1% 0% 0%

GRAPH: -
EXPLANATION: -
It is cleared from questionnaire method that every one agrees to
the statement “I.T. in banks is much more advance than traditional
banking”. Approximately ninety eight percent of bank employees agree
to the above statement.
94%
95%
96%
97%
98%
99%
100%
101%
Bank of
Maharashtra
ICICI HDFC
AGREE DISAGREE FIFTY-FIFTY

Q.2) The ratio of online transaction v/s manual transaction.
⁭1:2 ⁭2:1 ⁭Equal ⁭Can‟t Say
ANALYSIS: -
Bank of Maharashtra ICICI HDFC
1:2 30% 0% 0%
2:1 60% 100% 100%
Equal 0% 0% 0%
Can‟t Say 10% 0% 0%
GRAPH: -
0%
20%
40%
60%
80%
100%
HDFC ICICI Bank of
Maharashtra
Can’t Say
Equal
2:1
1:2

Section 3.03 EXPLANATION: -
According to the above data collected it is clear that
approximately ten percentage of employees says that the ratio of online
transaction v/s manual transaction is 1:2, eighty seven percentage says
it is 2:1, zero percent says it is equal & three percent cant say anything.
Q.3) Information technology in banks encouraging online frauds.
⁭Yes ⁭No ⁭To some extent
ANALYSIS: -
Yes 90% 92% 98%
No 6% 5% 1%
To some extent 4% 3% 1%

GRAPH: -
Section 3.04 EXPLANATION: -
approximately ninety three percent of employees says yes, four percent
says no and three percent says to some extent.
Q.4) Type of banking facility that will be friendly to illiterate
customer.
⁭Online banking ⁭Manual-banking ⁭Both
84%
86%
88%
90%
92%
94%
96%
98%
100%
To some extent
No
Yes

ANALYSIS: -
Online banking 2% 0% 0%
Manual banking 97% 98% 100%
Both 1% 2% 0%
GRAPH: -

EXPLANATION: -
approximately ninety seven percent of employees says that manual
banking type of facility is friendly to illiterate customers, two percent
says online banking and one percent says both online as well as manual
banking is friendly to the illiterate customers.
0%
20%
40%
60%
80%
100%
Bank of Maharashtra ICICI HDFC2%
0%
0%
97%
98%
100%
1%
2%
0%
Online banking Manual banking Both

Q.5) In what way I.T. in banks affects the work of the employees.
⁭Increases the work ⁭Decreases the work
⁭Same at both levels
ANALYSIS: -
Increases the work 45% 30% 40%
Decreases the work 50% 63% 55%
Same at both levels 5% 7% 5%
GRAPH: -

EXPLANATION: -
approximately thirty eight percent says I.T. in banks increases the work
of the employees, fifty six percent says decreases the work and six
percent says it is same at both the levels.
0%
20%
40%
60%
80%
100%
120%
Bank of Maharashtra ICICI HDFC45%
30%
40%
50%
63%
55%
5%
7%
5%
Increases the work Decreases the work Same at both levels

Q.6) Does I.T. in banks increasing the cost of banking operations /
banking transaction.
⁭Yes ⁭No ⁭Equal
ANALYSIS: -
Yes 98% 94% 100%
No 2% 5% 0%
Equal 0% 1% 0%
GRAPH: -

EXPLANATION: -
approximately eighty seven percent of employees says yes i.e. I.T.
increases the cost of banking operations or banking transactions, two
percent says no and one percent says equal.
91%
92%
93%
94%
95%
96%
97%
98%
99%
100%
98%
94%
100%
2%
5%
0%
0%
1%
0%
Yes No Equal

9. SECONDARY DATA AND ANALYSIS
Article IV.
Article V. Indian Scenario
Major players in the Indian Market
Banks No. of cards in lakhs
Citibank
Stan Chart
SBI-GE
2010 2011
16
14
9
20
18
13
According to an analyst, it is estimated that the Indian smart card
industry is growing around 45% annually, would reach the size of $6 bn
by 2010. In the next five years, the number of smart cards being used in
the country can touch 400 million from around 50 million cards today.
To standardize the smart card, the Government has recently
standardized the technical aspects of smart cards. An operating system
called “SCOSTA” (Smart Card Operating System for Transport
Application) developed by IIT Kanpur has been chosen as the standard
operating system for transport-related projects. India is planning to
issue smart card based identity cards to citizens. State Governments are

also planning to issue smart card based driving licenses. Kerala recently
tried a ration card project at Thiruvananthapuram. But the lack of
resources with state governments may halt many such projects. States
like Kerala have stopped several smart card related projects due to
resources crunch.
“ It is the market for SIM cards for mobile phone that is growing
faster in India-at about 70-80% annually. Once the National Identity
Card project is launched, the demand for smart cards will skyrocket,”
opines Sanjay Dharwadkar, Head of Systems Marketing, Smart Chip
Ltd.

Chapter-VII
Conclusion

10. FINDINGS AND CONCLUSIONS
According to the survey conducted in Bank of Maharashtra, ICICI
Bank & HDFC Bank, the following points are concluded:
1. I.T. in banking sector is much more advanced than traditional
banking.
2. Online transactions are widely used than manual transactions.
3. Manual banking facility is more friendly to illiterate customers.
4. I.T. in banks to some extents reduces the work of employees.
5. I.T. in banks to some extent encourages online frauds.
6. Online banking is much more costlier than manual banking. It
increases the cost of banking operations.
7. Online banking facility can lead to progress of the banking
sector.

Chapter -VIII
Suggestions

11. SUGGESTIONS AND RECOMMENDATIONS
1. Some highly advanced softwares / programs should be
implemented in banking sector in order to prevent hackers and frauds.
2. Online banking operations cost or banking transaction cost should be
reduced so that middle class customer can have access to online
banking facility.
3. Further research can be done in topics related to this project viz.,
software application in banking sector, technology and frauds.
4. Awareness programs related to online banking for middle class
people.

Chapter-IX
Bibliography

BIBLIOGRAPHY
Article VI. REFERENCE RELATED TO BOOKS
Katuri Nageshwara Rao & Yashpaul Pahuja, (2005), „IT IN
BANKS – EMERGING TRENDS‟
Kamlesh k Bajaj & Debjani Nag, „ELECTRONIC
COMMERCE- THE CUTTING EDGE OF BUSINESS‟,
Delhi, Tata McGraw Hill Publishing Co. Ltd.
Section 6.01JOURNALS AND MAGAZINES
Ravi Kumar Sharma, „PROFESSIONAL BANKER‟, Nov.2005.
Section 6.02RESEARCH REPORTS
THE EFFECT OF INFORMATION AND COMMUNICATION
ON THE BANKING SECTOR AND PAYMENT SYSTEM
-BY ARBUSSA REIXACH
INTERNET BANKING
COMPTROLLERS HANDBOOK
Section 6.03 INTERNET
www.banknetindia.com
www.microsoft.com

It in banking

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie It in banking

Ähnlich wie It in banking (20)

Mehr von Dharmik

Mehr von Dharmik (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

It in banking