
Course Code: OPR506 Course Title: Management Information Systems

Course Instructor: Kriti Bedi Ma’am

Academic Task No.: CA2 Academic Task Title: Case Study based on HDFC Bank: Securing online banking

Date of Allotment: 28th of March 2022 Date of submission: 4th of April 2022

Student's Roll no: B36, B42, B34 Student's Reg. no: 11706416, 11711708, 11702720

Evaluation Parameters:

Learning Outcomes: Through this case study, various facts about banking and
information systems were explained and understood, and various concepts relating to
online fraud were described.

Declaration:

I declare that this Assignment is my individual work. I have not copied it from any
other student's work or from any other source except where due acknowledgement is
made explicitly in the text, nor has any part been written for me by any other person.

Evaluator's comments (For Instructor's use only)

General Observations:
Suggestions for Improvement:
Best part of assignment:

Evaluator's Signature and Date:

Marks Obtained: ______________ Max. Marks: ______________


Introduction to the case study

The case describes the revolutionary change HDFC Bank faced when the internet arrived
in India, and how online fraud, once it found its way into the online banking process,
changed the banking landscape for the bank.

The phishing attacks on banks in India were a sign that the number of online banking
customers in India had reached a critical mass: enough customers had moved enough of
their funds online to make an attack worthwhile for a phisher. The information
security (IS) challenges would only grow as more account holders switched to online
banking. HDFC needed to put in place an IS framework that would make the individual
transactions of its online customers secure.

In doing so, the CISO had to weigh the prospect of introducing additional layers of
security for every online transaction. There was also the question of how to handle
customers who had registered for online banking but continued to transact over the
counter, and whether to keep hosting the sensitive data on-site or move it off-site.
Security, and IS in particular, may be the main obstacle to the acceptance of IT and
digital services as a utility, which is becoming absolutely vital; such services are
often justified by the attributes they support and promote, commonly called
non-functional qualities. The Chief Information Security Officer (CISO) of HDFC Bank
Ltd, a leading private-sector bank in India, is analysing the options before him for
strengthening the bank's online security following a phishing attack on the bank's
customers.

Introducing an additional layer of security, requiring new inputs for every online
transaction, seems an inevitable outcome. However, the CISO must weigh this against
customer convenience, which is becoming a source of differentiation in a competitive
banking environment. The case gives students an opportunity to draw up a roadmap for
the CISO in strengthening the online security of a new-generation bank.

Identification of the main problem

• Phishing attacks: Theft of user IDs and passwords was very common at the time.
Phishing is a form of social engineering attack commonly used to steal user data,
including login credentials and credit card numbers. It occurs when an attacker,
posing as a trusted entity, dupes a victim into opening an email, text message, or
instant message. Saved credentials are a related risk: browsers store user IDs and
passwords for convenience, but these become a threat if the computer is lost or
stolen.

• Hacking into the bank database: Attackers who gain access to the bank's database
can exploit customer data. The intruder can extract a great deal of information about
customers and manipulate it to his own advantage. HDFC Bank faced many problems
dealing with such fraudulent activity. Malware written by attackers can also capture
users' login credentials on infected machines.

• Rigorous IS protocols: One of the goals for HDFC's chief information security
officer was to ensure that the IS protocols were not so rigorous as to inconvenience
customers. Although HDFC Bank was not pursuing market share as a business objective
in its own right, steady annual growth in new customer accounts was essential to
business development, and retaining existing customers was equally important.

• Customer convenience: The main dilemma HDFC faced with regard to customer
convenience was whether the IS protocols being introduced at HDFC Bank should
authenticate the identity of the account holder or authenticate the transaction.
Identity authentication focuses on the account holder as an individual and requires
mechanisms such as biometrics (which check "what you are", the account holder's
electronic persona) and tokens (which check "what you have"). Transaction
authentication focuses on the integrity of the transaction as a process. It requires
risk-scoring mechanisms such as checking that the amount is within the account
holder's normal transaction range and that the beneficiary is one designated by the
account holder.

• Secure access: The question before HDFC was whether the bank should provide secure
access to every registered online customer or limit secure access to active customers
only. It was vital to give dormant customers a time window in which to request secure
access before disabling their accounts, but the window had to be small to prevent
abuse during the interval.

• Server location: The proposed IS infrastructure at HDFC Bank would include two
kinds of servers: authentication servers and online (web) servers. The question before
HDFC was whether these servers should be located on-site at HDFC's own data centres in
India or hosted off-site by an IS vendor for a fee. The bank was in talks with RSA
Security, already engaged in countering the phishing attack, as a likely vendor.
Challenges in improving the Information security (IS)

In India, the phishing attack came to light in August 2007 and HDFC was quick to take
corrective measures. It signed on with RSA Security. The bank introduced a "cooling
period", which gives the bank time to check a transaction. Along with ensuring
security, Salvi also had to ensure that IS protocols were not so rigorous as to cause
inconvenience to customers. Phishing is one of the most common online frauds in
developed countries such as the US, where one in every 115 customers lost money to
phishing in 2006.

Key Issue

It was important that customer data be secure and safe, and that customers should
not experience any inconvenience while using the bank's services. Salvi was therefore
weighing the options available to him for achieving this objective.

Alternative Courses of Action

The first alternative is to continue with the current level of security. The current
"adaptive risk modelling system" assigns a score to each transaction on the basis of
pre-determined parameters; the higher the risk score, the more strongly the system
intervenes. Depending on the score, the system may ask the customer for a one-time
password, call the customer to verify the transaction, or block the transaction
automatically. The second alternative is to increase the current level of security.
For instance, every online transaction, irrespective of its risk score, would go
through standard checks such as validation and authentication. In either case the
bank should adopt a layered security approach, whereby multiple security controls
are in place to protect customers' data and money.
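As an added example (not HDFC Bank's system, nor code from the case), the following Python models the two points above: transaction authentication by risk scoring, using the amount-in-range and designated-beneficiary checks described under Customer convenience, and tiered intervention (allow, OTP, phone call, block) as the score rises. The weights, thresholds, profile fields and sample transactions are assumptions constructed for the illustration.

```python
"""Transaction risk scoring with tiered intervention.

Added illustration for this case study; it is not HDFC Bank's adaptive risk
modelling system. Parameters, weights and thresholds below are assumptions.
"""
from dataclasses import dataclass, field

# Intervention thresholds (assumed). Below LOW the transfer goes through silently.
LOW, MEDIUM, HIGH = 30, 60, 90


@dataclass
class AccountProfile:
    account_id: str
    recent_amounts: list          # the holder's usual transfer sizes (constructed history)
    beneficiaries: set            # beneficiaries designated by the account holder
    usual_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=lambda: {"IN"})


@dataclass
class Transaction:
    amount: float
    beneficiary: str
    device_id: str
    country: str
    hour: int                     # local hour of day, 0-23


def risk_score(profile, txn):
    """Return (score 0-100, reasons). Each parameter adds weight when the
    transaction deviates from the holder's established pattern."""
    score, reasons = 0, []

    # 1. Is the amount within the holder's normal range? Compared against the
    #    largest recent transfer rather than the mean, so one unusual month
    #    does not make every ordinary payment look risky.
    if not profile.recent_amounts:
        score += 20
        reasons.append("no transaction history")
    else:
        ceiling = max(profile.recent_amounts)
        if txn.amount > 3 * ceiling:
            score += 40
            reasons.append("amount far above usual")
        elif txn.amount > 1.5 * ceiling:
            score += 20
            reasons.append("amount above usual")

    # 2. Is the beneficiary one the holder designated?
    if txn.beneficiary not in profile.beneficiaries:
        score += 35
        reasons.append("beneficiary not designated by holder")

    # 3. Session context: device and geography
    if txn.device_id not in profile.usual_devices:
        score += 15
        reasons.append("unrecognised device")
    if txn.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual country")

    # 4. Time of day
    if txn.hour < 6:
        score += 10
        reasons.append("night-time transaction")

    return min(score, 100), reasons


def intervention(score):
    """The higher the score, the stronger the system's intervention."""
    if score >= HIGH:
        return "block"            # refuse the transaction outright
    if score >= MEDIUM:
        return "call_customer"    # hold the transaction and verify by phone
    if score >= LOW:
        return "otp"              # step-up: one-time password to the registered mobile
    return "allow"


def assess(profile, txn):
    """Score the transaction and decide the intervention."""
    score, reasons = risk_score(profile, txn)
    return score, intervention(score), reasons


if __name__ == "__main__":
    # Constructed sample profile and transactions
    holder = AccountProfile("ACC-1", [5000, 5200, 4800, 5100, 4900], {"BEN-1"}, {"dev-A"})
    for t in [
        Transaction(5000, "BEN-1", "dev-A", "IN", 14),        # routine payment
        Transaction(9000, "BEN-1", "dev-A", "IN", 3),         # larger, at night
        Transaction(250000, "BEN-NEW", "dev-A", "IN", 14),    # big, to a new payee
        Transaction(250000, "BEN-NEW", "dev-B", "RU", 14),    # plus new device, abroad
    ]:
        print(assess(holder, t))
```

The weights are deliberately additive and capped, so that no single signal blocks a payment on its own but several weak signals together do; in a production system the thresholds would be tuned against the bank's own fraud and false-positive rates.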

Current System

Pros:

• No cost will be incurred, as there would be no change to the system.
• The current system is easy to operate and the bank knows how to run it.
• Customers have become used to operating this system and find it convenient.
• The bank has been able to retain its customers through this system, which is
one of the factors in its competitive advantage.

Cons:

• The current system offers a lower level of security, as it cannot counter the
phishing attacks.

Increasing the level of security

Pros:

• This would raise the level of security and reduce the risk to online customers.
• A trustworthy system would be built, improving the bank's reputation.

Cons:

• A considerable investment would be required to implement the new system.
• Customers may be unhappy at having to clear more hurdles to complete their
transactions.
• The new system would have slower response times, which corporate clients in
particular may dislike.

Solutions

• Secure login: The IPIN is generated randomly by the system and printed directly
onto tamper-proof media. It is stored on the NetBanking system in encrypted form,
using an industry-standard encryption algorithm, to support authentication. It is not
accessible to anyone, including the system administrator.

• Session security: This prevents interception. 128-bit SSL encryption protects the
session between the customer's browser and the bank's web page, so that the contents
of the communication cannot be read by anyone intercepting it in transit over the
internet. The customer's login session is timed out automatically after a period of
idle time, to protect against misuse of an unattended session.

• Digital certificate: Be sure you are on the right site. HDFC Bank's web pages are
identified by a digital certificate, issued by VeriSign, which assures customers that
they are on the genuine site. Checking the certificate (the browser's padlock and the
name the certificate is issued to) before entering credentials protects customers from
revealing confidential account information on fraudulent websites.

• System security: Safeguarded by state-of-the-art technology. The computer systems
are protected by firewalls, intrusion detection and anti-malware programs. Robust
processes, skilled people and competent service providers monitor security, and all
high-risk transactions are monitored 24x7.

• Cooling period: Time to review newly added beneficiaries. Funds can be transferred
to a newly added beneficiary only after 30 minutes. As soon as a beneficiary is added,
the account holder receives SMS and email alerts about the addition. The customer
therefore has 30 minutes to check whether the beneficiary was added fraudulently or
by mistake.

• Security teams: Round-the-clock security is essential to the banking process. The
bank's security team, together with managed systems, provides continuous protection.
Robust processes, skilled people and competent service providers monitor the security
of the systems around the clock.

• Debit Card PIN: Double authentication for key transactions is another step towards
safe transactions. Key transactions, NetBanking registration and password recovery
get a second layer of security: the online IPIN recovery and NetBanking registration
facilities have been strengthened by adding Debit Card PIN authentication. This is in
addition to SMS one-time password (OTP) based authentication.
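An added example, not HDFC Bank's implementation, of how the cooling period listed above can be enforced in code: a beneficiary registry that records when each beneficiary was added, alerts the account holder on both channels at once, and refuses transfers until the 30 minutes stated on the page have elapsed or the holder cancels the entry. The status strings, identifiers, alert sink and fixed clock are assumptions made for the illustration.

```python
"""Beneficiary cooling period with add-time alerts.

Added illustration for this case study, not HDFC Bank's code. The 30-minute
window is the figure given in the case; the alert sink, status strings,
identifiers and fixed clock are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

COOLING_PERIOD = timedelta(minutes=30)


@dataclass
class Beneficiary:
    account_no: str
    added_at: datetime
    cancelled: bool = False


class BeneficiaryRegistry:
    def __init__(self, alert_sink):
        # alert_sink(holder, channel, message) delivers SMS/email; injected so
        # the example can run without a gateway
        self._entries = {}          # holder -> {account_no: Beneficiary}
        self._alert = alert_sink

    def add(self, holder, account_no, now):
        """Register a beneficiary and alert the holder immediately on both channels,
        so the cooling window can be used to react to a fraudulent addition."""
        entry = Beneficiary(account_no, now)
        self._entries.setdefault(holder, {})[account_no] = entry
        enabled_at = now + COOLING_PERIOD
        msg = (f"Beneficiary {account_no} was added to your account at {now:%H:%M}. "
               f"Transfers to it are enabled from {enabled_at:%H:%M}. "
               f"If you did not do this, cancel it and contact the bank immediately.")
        self._alert(holder, "sms", msg)
        self._alert(holder, "email", msg)
        return entry

    def cancel(self, holder, account_no):
        """Holder (or bank staff) withdraws a beneficiary during or after the window."""
        self._entries[holder][account_no].cancelled = True

    def transfer_status(self, holder, account_no, now):
        """'allowed', 'cooling', 'cancelled' or 'unregistered'. The transfer
        engine must refuse anything other than 'allowed'."""
        entry = self._entries.get(holder, {}).get(account_no)
        if entry is None:
            return "unregistered"
        if entry.cancelled:
            return "cancelled"
        if now < entry.added_at + COOLING_PERIOD:
            return "cooling"
        return "allowed"

    def minutes_remaining(self, holder, account_no, now):
        """Whole minutes left in the cooling window (0 once it has elapsed)."""
        entry = self._entries[holder][account_no]
        remaining = entry.added_at + COOLING_PERIOD - now
        return max(0, int(remaining.total_seconds() // 60))


# Constructed clock so the example runs deterministically without real time
T0 = datetime(2022, 4, 4, 10, 0)


def minutes_after(n):
    return T0 + timedelta(minutes=n)


if __name__ == "__main__":
    registry = BeneficiaryRegistry(lambda h, ch, m: print(f"[{ch} to {h}] {m}"))
    registry.add("H1", "ACC-9", minutes_after(0))
    print(registry.transfer_status("H1", "ACC-9", minutes_after(10)),
          registry.minutes_remaining("H1", "ACC-9", minutes_after(10)), "min left")
    print(registry.transfer_status("H1", "ACC-9", minutes_after(30)))
```

The clock is passed in explicitly rather than read from `datetime.now()` so the window can be tested at fixed instants; the same pattern keeps the check auditable, since the decision depends only on the recorded `added_at` and the time the transfer was attempted.
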
Recommendations

• A separate email ID hosted on the bank's own server for high-profile clients.
• Every transaction should be authorised by an OTP sent to the registered mobile
number, or by two-factor authentication with a choice of second factors, to make it
more secure.
• Notify customers by SMS and app notification when each transaction is initiated.
• HDFC can focus on its core banking activities.
• HDFC can maintain the online servers regularly, reducing potential downtime.
• A low rate of system failure, by keeping the online server on-site as an integral
part of HDFC's local network.
• All sensitive data remains under HDFC's control.
• The communication channel between HDFC and the IS vendor must be secured.
• Keep the online servers on-site at HDFC's own data centres while hosting the
authentication servers off-site with an IS vendor.
• Use the IS vendor's expertise in secure internet banking.
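The recommendation that every transaction be authorised by an OTP sent to the registered mobile number, taken together with the Debit Card PIN plus SMS OTP solution above, is illustrated by the following added example (not HDFC Bank's OTP service). It generates HOTP codes per RFC 4226, binds each code to a single transaction, expires it after a few minutes and locks the challenge after repeated failures. The secret is the RFC 4226 test key, so the codes can be checked against the RFC's own table; the validity period, retry limit, message text and fixed clock are assumptions.

```python
"""Transaction OTP service: HOTP (RFC 4226) codes bound to one transaction,
with expiry and a retry limit.

Added illustration for this case study, not HDFC Bank's OTP service. The
secret used below is the RFC 4226 test key; the validity period, retry
limit, message format and fixed clock are assumptions.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta

OTP_VALIDITY = timedelta(minutes=3)   # assumed
MAX_ATTEMPTS = 3                      # assumed


def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit value reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def sms_text(code, amount, beneficiary):
    """Tie the code to what is being approved, so a phished code cannot be
    quietly reused for a different payment."""
    minutes = int(OTP_VALIDITY.total_seconds() // 60)
    return (f"OTP {code} for transfer of INR {amount:.2f} to {beneficiary}. "
            f"Valid for {minutes} minutes. Do not share it with anyone.")


@dataclass
class Challenge:
    code: str
    issued_at: datetime
    attempts: int = 0


class OtpService:
    def __init__(self, secret):
        self._secret = secret
        self._counter = 0        # never reused, so every issued code is distinct
        self._pending = {}       # txn_id -> Challenge

    def issue(self, txn_id, now):
        """Generate and record a code for one transaction. The code is returned
        here in place of handing it to an SMS gateway."""
        code = hotp(self._secret, self._counter)
        self._counter += 1
        self._pending[txn_id] = Challenge(code, now)
        return code

    def verify(self, txn_id, submitted, now):
        """'ok', 'unknown', 'expired', 'mismatch' or 'locked'. A challenge is
        consumed on success, on expiry, or after too many failed attempts."""
        ch = self._pending.get(txn_id)
        if ch is None:
            return "unknown"
        if now - ch.issued_at > OTP_VALIDITY:
            del self._pending[txn_id]
            return "expired"
        if hmac.compare_digest(ch.code, submitted):   # constant-time compare
            del self._pending[txn_id]
            return "ok"
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[txn_id]
            return "locked"
        return "mismatch"


# Constructed clock so the example runs deterministically without real time
T0 = datetime(2022, 4, 4, 10, 0)


def minutes_after(n):
    return T0 + timedelta(minutes=n)


if __name__ == "__main__":
    svc = OtpService(b"12345678901234567890")     # RFC 4226 test key
    code = svc.issue("TXN-1", minutes_after(0))
    print(sms_text(code, 12500, "BEN-1"))
    print(svc.verify("TXN-1", "000000", minutes_after(1)))   # wrong code
    print(svc.verify("TXN-1", code, minutes_after(2)))       # right code in time
    print(svc.verify("TXN-1", code, minutes_after(2)))       # already consumed
```

Two details matter in practice: the comparison is constant-time and the challenge is single-use, so a code can neither be guessed by timing nor replayed, and the counter is never reused, so two transactions issued in the same minute still receive different codes.
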
Conclusion

The phishing attacks on banks in India showed that the number of online banking
customers in India had reached a critical mass: enough customers had moved enough of
their funds online to make an attack worthwhile for a phisher, and the IS challenges
would only grow as more account holders switched to online banking. HDFC needed an IS
framework that would make the individual transactions of its online customers secure.
In doing so, the CISO had to weigh the prospect of introducing additional layers of
security for every online transaction, decide how to handle customers who had
registered for online banking but still transacted over the counter, and decide
whether to keep hosting the sensitive data on-site or move it off-site. Security, and
IS in particular, may be the main obstacle to the acceptance of IT and digital
services as a utility; such services are often justified by the attributes they
support and promote, commonly called non-functional qualities.

A bank-focused delivery model, though less risky, does little to extend financial
services to the poor and unbanked. Both bank-led and nonbank-led models offer greater
potential to achieve this goal; these models, however, differ in their potential as
well as their risks. The choice of model should be made after carefully weighing the
risk-return trade-off. A cautious approach may be to start with the safer bank-led
model and gradually add more options as the players and stakeholders gain experience.
Once a branchless banking model is chosen, work on establishing an enabling regulatory
environment for implementing that model should begin. Much of such an environment is
already in place if the bank-led model is adopted. Nonetheless, clear guidelines on
the various aspects of permitted activities should be issued to avoid uncertainty.
Further, effective elimination of any illegal and unauthorised services and offerings
(generally provided by unlicensed players) that may spring up is a must, to promote
and protect the interests of genuine players and the system as a whole. Banking
systems typically consist of legacy systems alongside very large database systems,
and internet banking applications combine a large number of interfaces to serve
customers, especially in consumer banking. Handling financial transactions requires
dealing with a range of issues, including authentication, consumer protection,
money laundering, and liability for unauthorised transactions.
