Security in E-Finance

1. What is E-finance?
The provision of financial services and markets using electronic communication and computation.
These services may be provided by a business to a consumer, by a business to another business, or by a business to its own employees or divisions. The first two deal primarily with the provision of e-banking and similar services to the consumer, whereas the last concerns the management of company funds over the Internet: the e-enabling of decision making in areas such as working capital management and capital budgeting.
What is the impact?
E finance has impacted the financial world in two ways.
Firstly, it has changed the way that players in the financial world provide their services to the consumer. From a tool of differentiation and branding, e-finance has become an enabler and is today one of the expected benefits in developed countries. Many services have now been effectively outsourced, and banks and similar companies are concentrating solely on their core areas of expertise, fund management and service. When providing services to the internal consumer, the finance division of a multinational company acts more as an integrator than as a controller. E-finance has greatly enhanced the speed and accuracy of financial decision making at relatively low cost.
The financial markets have changed in a major way. The physical boundaries that existed between the markets no longer exist. The speed of information dissemination has increased manifold. The markets have become more informed and more investor friendly with the advent of e-finance.
Among the financial service providers, banks, brokerage firms and investment advisors have been at the forefront of the e-finance bandwagon. This has allowed these firms to increase their reach and target consumers in distant physical locations without having to expend a penny on the creation and/or maintenance of expensive physical infrastructure.
Other companies, such as life insurers, which provide a more personalized service, have not invested as heavily in consumer-oriented e-finance. Almost all large companies, however, have invested very heavily in the e-enabling of their internal fund management.
One of the byproducts of this progress has been the tremendous amount of e-frauds and cyber crimes that have been perpetrated against individuals, companies and sometimes the state itself.
E-finance comprises four primary channels:
  1. Electronic funds transfers (EFTs),
  2. Electronic data interchange (EDI),
  3. Electronic benefits transfers (EBTs),
  4. Electronic trade confirmations (ETCs).
All four channels of e-finance are susceptible to fraud, theft, embezzlement, pilfering, and extortion. Most of the crimes that take place over the Internet are not new—fraud, theft, impersonation, denial of service, and related extortion demands have plagued the financial services industry for years. But technology opens up new dimensions of depth, scope, and timing. Technology creates the possibility for crimes of great magnitude and complexity to be committed very quickly. In the past, stealing 50,000 credit card numbers would have taken months, perhaps years, for highly organized criminals. Today one criminal using tools freely available on the Web can hack into a database and steal that number of identities in seconds. Or a perpetrator can steal a laptop containing a database of 400,000 names and their associated credit card information. These are a few of the reasons why e-security must be taken very seriously now.
2. What is security in E-finance?
E-security can be described on the one hand as those policies, guidelines, processes, and actions needed to enable electronic transactions to be carried out with a minimum risk of breach, intrusion, or theft. On the other hand, e-security is any tool, technique, or process used to protect a system's information assets. Information is a valuable strategic asset that must be managed and protected accordingly. Electronic security enhances or adds value to a naked network and is composed of soft and hard infrastructure. The soft infrastructure components are the policies, processes, protocols, and guidelines that protect the system and the data from compromise. The hard infrastructure consists of the hardware and software needed to protect the system and data from security threats originating inside or outside the organization. The degree of electronic security used for any activity should be proportional to the activity's underlying value: security is a risk-management, or risk-mitigation, tool, and appropriate security means that the risk to the underlying transaction has been mitigated in proportion to its value. Given that the Internet is a broadcasting medium, constraints have to be added to target only intended recipients. As a result, the need for security is a constant of doing business over the Internet. Electronic security will require more attention as new technology creates new risks and as technologies converge.
E-security companies and vendors generally fall into three categories:
Access, use, and assessment. Today’s industry includes companies that provide active content monitoring and data filtering, develop intrusion detection services, place firewalls, conduct penetration tests to expose hardware or software vulnerabilities, offer encryption software or services, and create authentication software or services that use passwords, tokens, keys, and biometrics to verify the identity of the parties or the integrity of the data.
In addition to e-security, many vendors supply a multitude of interlinking services to the e-finance providers in many countries. These services include hosting companies, Internet Service Providers (ISPs), and providers of financial services. Telecommunication companies in many emerging markets are also often the key providers of cellular, satellite, and microwave services. These companies often have a stranglehold on access to telecommunication delivery channels, and because of the scarce skilled human capital, these companies of necessity often supply hosting services and de facto money transmission services. Just as important, they often provide certain electronic security services.
The cross-linking ownership of the e-security and e-finance industries raises many complex questions, such as the need to review competition policy as well as the potential for and ramifications of multiple conflicts of interest. In the case of competition policy, do the multiple roles played by telecom companies act to inhibit competition, particularly in emerging markets where the expertise to provide such services often resides in these companies? More important may be issues of conflict and integrity of the services provided, as well as incentives to report security breaches accurately. For example, will a telecommunication company that provides hosting, Internet service, and e-security to a bank act on its own volition, with no regulatory mandates, to institute adequate electronic security measures or report intrusions accurately and in a timely fashion? Will such an entity be able to provide proper certification of digital signatures when it has business interests in so many conflicting areas? Moreover, such an industry structure, with its extensive use of outsourcing, will need to review the extent of downstream liability carried by this complex set of vendors, since the extent of liability can at least mitigate some of the incentives that exist for important conflicts. In many countries, liability stops with the user, in this case the financial services provider. Typically, contracts between financial entities and their providers use service-level percentages as a performance guarantee on a sliding-cost scale, but they do not build in sufficient remedies to address product performance from a security perspective.
3. Why do we need electronic security?
The tremendous growth in open networks has created a penetrable electronic environment akin to a circle of Swiss cheese pieces. Financial institutions are increasingly relying on technology to process, store, and retrieve data, but advances in computer hardware, software, and communications technology increase the financial industry's vulnerability to internal and external attacks. Without strong security controls, banks risk the possibility of financial loss, legal liability, and reputation harm.
The insecurity of the Internet further exposes financial institutions to undetected, global, and virtually instantaneous attacks on internal systems and proprietary information. This includes attacks by foreign governments and terrorists, as well as attacks by criminals or hackers originating domestically. Banks and vendors with weak security controls are susceptible to business disruptions, theft of data, sabotage, corruption of key records, and fraud. The development of wireless Internet access will further compound the problem by enabling foreign governments, terrorists, criminals, and hackers, singly or in concert, to operate in countries that do not have the advanced communications infrastructure or adequate security protocols in place. Hence, building awareness now of the criticality of the risks associated with e-finance and promoting industry use of aggressive mitigation is crucial.
The most frequent problems in the arena of e-finance security are:
  1. insider abuse
  2. identity theft
  3. fraud
  4. breaking and entering, often conducted by hackers.
The perpetrators have preferred the following means most often to commit crimes online:
  • Message interception and alteration
  • Unauthorized account access
  • Identity theft
  • Manipulation of stocks and bonds
  • Extortion
  • Unauthorized system access (e.g., system damage, or denial of service)
  • Industrial espionage
  • Manipulation of e-payment systems
  • Credit card theft
However, an even bigger headache for the enforcement agencies is the non-reporting of cyber crimes by the victims. This has created a scenario which is ideal for the perpetrators and hopeless for the enforcers. In the United States, the 2001 CSI/FBI Computer Crime Survey identified the following five major reasons organizations did not report electronic intrusions to law enforcement:
  • Negative publicity.
  • Negative information competitors would use to their advantage––for example, to steal customers.
  • Lack of awareness that they could report events.
  • Decision that a civil remedy seemed best.
  • Fear among IT personnel of reporting incident because of job security.
Lack of accurate intrusion reporting to regulators and law enforcement is the core reason that issues related to electronic security are not being recognized as an immediate priority.
4. Tools and techniques
There should be several layers of security and monitoring in place designed to prevent unauthorized access to the business and personal information. These security measures must be designed to protect any sensitive information submitted via the Website, both online and offline.
Authentication Security

There is a need to use password authentication over a secure connection to ensure that only authorized users can access sensitive information, such as social security numbers. Various options are available, for example a VeriSign Digital ID to encrypt data over a Secure Sockets Layer (SSL) connection. Companies like VeriSign also offer software for secure payment as well as fraud protection.

Network Security

There should be a firewall to prevent unauthorized network access to the databases where the financial data of companies is stored. Only limited types of Internet traffic should be allowed through the firewall, and that traffic should be monitored to detect any unusual or unauthorized activity. Network security can be outsourced to a reliable and reputable company which does not itself have a stake in e-finance. The servers storing personally identifiable information must be kept in a secure environment, for example inside a locked cage.

Database Security

Certain key fields of the database should be encrypted before they are stored, so that intruders have difficulty reading or using sensitive customer data. This way, even if an intruder does obtain some data, it will be partial and incomplete, and he will not be able to use it. For example, if the names of the companies are encrypted, then someone obtaining just the numerical data will find it quite useless.

Physical Security

Systems should be hosted at highly secure facility locations. The buildings should be reinforced in an effort to prevent data loss or collapse because of an earthquake or a terrorist attack. There should also be reliable data backups to ensure that, in case of a 9/11-like event, operations can be resumed soon.

Employee Screening

There should be a set of effective human and technological security systems in place to prevent unauthorized physical access. The backgrounds of all employees hired to handle confidential data should be thoroughly checked. This is crucial to avoid situations akin to insider trading.
5. Need for a comprehensive public policy

To effectively counter the growing menace of cyber crime, we need a policy which addresses not only security in e-finance but all aspects of the Internet economy as a whole. The following are the reasons why we feel that such a policy should be adopted.
First, telecommunications, energy and financial services are crucial components of the critical infrastructure of every country. Given the risks that electronic vulnerabilities pose to critical infrastructure, e-security is important in promoting and protecting public health and welfare. For example, the electronic economy is exposed to and dependent on the Internet and the public-switched network as its main transmission vehicles. In a related way, the critical elements of the electronic economy are integrally connected, from financial services to electricity through the phone system. Breaches can quickly disarm or even compromise such key infrastructure areas as telephones or electricity and detrimentally affect the payment system. Hence, in addition to the concerns raised by the structure of the growing security industry and the dependence of the e-finance industry on continuous access to telecommunications, there is a fundamental public interest case for a government to regulate the e-finance industry and to ensure that the financial system and its related components use at least a minimum level of electronic security.
Second, a market failure is occurring because inadequate incentives exist within the workplace, as well as within the regulatory and enforcement arenas, to require the timely and accurate reporting of electronic security breaches. Often, financial entities and corporations do not report losses, suspected losses, or breaches for fear of losing consumer or shareholder confidence. Clearly, regulators have a role to play in overcoming this dilemma. By requiring timely and accurate reporting with sufficiently strong penalties for failing to report, management and/or employees can be provided incentives to report a breach incident to appropriate authorities.
Third, formulation of policy in this area must balance a number of complex competing concerns; in the end, electronic security cannot be seen as an end in itself but rather as only one aspect of risk management. Trade-offs exist between the costs of the financial services provided, the size of transactions, and the sophistication of the electronic security arrangements that might have to be in place. Similarly, the quality of a financial service can suffer if security arrangements slow down transaction processing or result in other encumbrances for consumers of financial services. Electronic-security-related regulations or laws should strive to be technology neutral in order to encourage and promote technologically innovative solutions. An example is digital signatures, often defined even in statutes as "requiring public key infrastructure" (PKI) when other authentication technologies might also be appropriate and should not be precluded by legislation or regulation. Finally, it is necessary to carefully weigh the essential trade-offs between security as a protection component and the privacy element of access.
6. Recommendations
Security of e-finance transactions is of prime importance today. Progress and the conduct of business will depend more and more on efficiency, and the Internet has bridged the physical gaps to a large extent. To continue this progress, an infrastructure has to be created which addresses the security issues facing the e-finance industry. We feel that the following steps should be taken to address this issue.
  1. Legal and enforcement framework which is technology neutral
  2. Arrangements to ensure electronic security of payment systems
  3. Supervision and prevention regime that creates better incentives to implement appropriate layered risk-management systems, including electronic security for financial services providers
  4. Encourage and promote a framework within which private insurance companies can insure against and monitor e-risk, thereby helping to improve standards in this area via the underwriting covenants they require
  5. Develop certification standards and processes established with respect to digital signatures and more broadly, to vendors operating in the electronic security industry
  6. Actions to improve the accuracy of information available about e-security incidents and the roles of the public and private sectors in this process
  7. Educate citizens, employees, and management on security issues as a means of preventing e-security incidents
Ensure that the role of the government is limited to that of a watchdog which sees that business is conducted smoothly, and leave the technology part to the market.
