Flaws in Banking Policies The Secur

Flaws in Banking Policies
The Security Policy is intended to define what is expected from an organization with respect to security of Information Systems. The overall objective is to control or guide human behavior in an attempt to reduce the risk to information assets by accidental or deliberate actions[17]. Protecting customers' privacy and security is important to every bank. So, every bank has some security policies that they publish online in order to help users understand the security measures the bank is taking to make their information secure. It tells how bank is committed to keeping users safe online and uses state of the art fraud prevention and detection technology, monitored around the clock by a dedicated team, to actively protect their finances and confidential information. But along with this users have to play an important role in security.
Policy also includes do and don‟ts by users and also about hoax emails and security tips for users. So that they can enjoy peace of mind when doing online banking. Security policies should include:
• Security Policy for general users
• Security Policy for banks
• Security Policy for network
• Security Policy for software
• Backup Policy

Security policy for general users should include all the security tips for users i.e what they should do and should not do while doing online banking .
Security policies of bank should clearly indicate that this Privacy Statement does not extend to third party sites linked to this website and advise users to always read the privacy and security statements on these websites. Most of the banking sites has inadequate policies for user IDs and Passwords. Social security numbers and e-mail addresses and date of Births are used for user ids and passwords that can be easily guessed or collected from internet. Banking sites don‟t have any stated policy regarding user IDs and passwords that can protect account against dictionary attacks. But online banking password „strength meter‟ can provide a visible indication of how secure your password is when you are registering or changing your online banking password. The risk assessments indicate that single-factor authentication is the only control mechanism, that is inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties, so banks should try to shift from single factor authentication policy to multifactor authentication like use of One time password(TAN) and security tokens or smart cards and biometrics[11]and most latest PKI. There should be some provision for automatic timeout periods and password lockout so that if user logged in to account, but haven‟t been using it for a certain period of time, account will automatically logout user so that anyone else cannot access banking details if user leave computer unattended. And password lockout policy helps if someone does try to guess password of user, account will be locked after a set number of unsuccessful attempts.
The network must be designed and configured to deliver high performance and reliability to meet the needs of the operations whilst providing a high degree of access controls and range of privilege restrictions. System hardware, operating and application software, the networks and communication systems must all be adequately configured and safeguarded against both physical attack and unauthorized network intrusion .So there should be strong policies regarding use of Intrusion detection systems, firewall configurations used and virus scanning tools to protect against unauthorized persons and viruses from entering our systems of bank. To make all communication secure from user‟s computer to bank, data should be encrypted to ensure the confidentiality of all data sent and received, 256-bit SSL encryption technology should be used. A padlock symbol displayed on web browser tells the user that you are viewing a secure web page. Bank should regularly employs independent security consultants to confirm the security of systems by reviews of areas such as architecture, firewall configurations , the security of web server and the security of the different applications on site. So every bank should make policy regarding use of firewall configurations, network device security, web server security and web application security and security audits.
Banks should strongly advise users to keep an OS and browser up-to-date with security patches .Even most of banks in India support, out-dated browser versions such as IE 5.5 and Firefox 1.0. Updating OS, browser, firewall and anti-malware is challenging for many Internet users. Patch management includes collecting all necessary patches, dealing with postpatch conflicts, determining the trustworthiness of a patch source etc. [9], which is a difficult problem even for enterprise IT departments. In addition to usability problems, such updates may even frustrate or fool diligent users. For example, Bellissimo et al. [6] showed that some popular software updates (e.g. McAfee VirusScan) were vulnerable to man-inthe-middle attacks; i.e., a malicious party could install malware exploiting several software update vulnerabilities. [7]. Other problem is that no Universal Standard format for a Privacy Policy has been designed and declared for banks in India yet. It will be very helpful for online banking consumers, if there is an authority to monitor and control the proper format and points included in the privacy policy for banks. Some policies are too small whereas some of them are too large and difficult to understand and some banks policy links are inactive[3].Changed policies should be uploaded to the banking sites along with date of change and information regarding this should be given to users either in the form of highlights or new events. According to a survey only 11% sites notify users about change in policy[3]. Even the Reserve Bank of India (RBI) that is the main body, has been issuing various directions and recommendations from time to time to strengthen cyber security of banks operating in India, however, Indian banks are not following the directions of RBI in this regard in toto and a majority of banks in India still do not have a well defined cyber security policy. RBI observed that at present some banks do not have proper security policy and methods to monitor the service level agreements with third parties and have inadequate audit trail, so it has issued warning to banks to comply the directions of RBI by Oct,2012[16].
According to a research report only 43% of the banks have posted their privacy policies on their web sites. It is observed that in some cases, like PNB , privacy policy is exceptionally small and does not include even minimum number of points which are essential to make a privacy policy, i.e it does not include general user policy means what is expected from user‟s side. These types of privacy policies should be improved.9% websites are having inactive link of privacy policy on their home page which is not fair with the consumer[3].The presence of Privacy Seal in privacy policy makes the users feel more secure for their personal information but it is a finding here that very few websites have privacy seal. According to a research report 37% of Banking websites security policy clearly spells the restriction in disclosure of the information to third party. Only 26% banking sites provide links to the policy on all important user centric data forms. Only 26% banks, policy list the security countermeasures deployed to secure the information and above all only 42% banks display their privacy policy on corporate website of the bank[4].