How To Sign Indiana Banking Permission Slip

Industry sign banking indiana permission slip mobile

yes I welcome to mr. Sachin Raj guru money Manish is there a mr. beautiful a an assassin there Krishna's so as that our topic is their identity thefts an identity fraud we know that also nowadays identity has become a critical things for everybody after that automation D monetization now other has become a critical things for the payments as well as a four pan India for authorizations if we see that changes in their identity for the banking as well as a government regulatory related things earlier voter ID was there that has to be there for each and every population for India later on it has become banker for the unique identification for their accounts what do you do pand other things now that other has come so scenarios are changing as well as times are changing so we asked the first question to mr. such in if you see that a as a banker what are the main critical identifications for the stuff because staff is working in a bank with the contact vendor also and in your banking or in any other banks also we are seeing they are using many databases and that are not integrated with the single database so how bank can have a identity for a staff that will be unique across the bank thank you so much for this question in fact I believe everybody here will agree that no bank and effort the employees identity getting but yeah sure in fact if you see the recent case the fraud which happened Bangladesh Bank it's kind of an identity theft which has happened to one of their employees and which has resulted to you know approximately close to a billion transactions yeah with this kind of protection for employees identities within a bank systems like we have many systems I know the employees identities have been stored on many different databases but most of the controls or standards what every bank follows whether it may be a you know ISO 27000 PCI DSS or even the RBA's regulations talks about preserving these of storing these in an encrypted format so encryption is already there apart from this yeah some banks like my banks also use biometric to authenticate the users or the employees staff to certain systems which are critical systems as such apart from this yes in fact secure storage of this identification to prevent the data theft as such which is primarily you know responsible responsible for the frauds because if the data leak doesn't happen then the fraudulent would be you know the hacker or the criminal would not be able to use this information to commit any frauds thank you thank you as you said rightly that also keep that data segregation is very much required between that outsource vendors as well is that our internal stuffs also thank you in my question is it that money yeah if you see that nowadays all the peoples even be and other things they are everybody is having their accounts in the social media take a in a social media we are having all types of details even I also wants to know everybody wants to celebrate their birthday on the actual date of birth even they are hiding that actual date of birth in their service record but there I want to have a actual date of birth my parents names everybody my relatives are there also so if that customer informations as well as the other people informations are shared on a social media so how that can be saved from that social media to means financial transaction as well as other authentications the same data can exist in its exact copy in multiple locations so as I say security of data at rest in transit and whites being processed having said so if you're actually talking about protecting data these crack or let's say protecting individuals or their credentials or their existence in the virtual world there has to be a three-pronged strategy you have to protect the user you have to protect the device and you have to protect the data so to say that my strategy is only about protecting the data without having a strategy around protecting a device or protecting the user is like you know probably firing a bullet but in the wrong direction so protect the device take the user protect the data as far as social media is concerned you know social media is just one more factor amongst a lot of other online services I look at it as I don't look at it as social media I look at it as one more account so somebody may have a professional LinkedIn account you may have a you know a Facebook account which is used more for personal networking social networking not professional networking and you may have one or two bank accounts you may have a trading account as far as I am concerned I see all these as accounts that you need to protect and you know I think the world is moving to a stage where at least you know where we say passwords are passing so the traditional approach saying that look I have a long password and I you know and I'm going to change it very very frequently so security based only on a password is is passing I think the if if the assets the information I said the online information I said if it is critical enough to be protected I think the one of the natural course to follow is single sign-on the multi-factor authentication so and having said so even that by itself is not enough fashionable today so we are talking way beyond that which may be beyond the scope of this discussion so I think you know it's about protecting the identity which is what this topic is all about so how do you protect the credentials and before I finish I just want to give an example a couple of months back I'm sure all of you you know have gone through you know that stressful period of when wanna cry and petia you know hit the world the network ecosystem so some people even described it as you know weapons weapons of mass destruction and that's absolutely true one of the critical differences between the two malware is that petia if it got into at least one computer in the ecosystem did not require a vulnerability to spread all it required was to steal credentials and if those credentials had administrative capability or access across let's say a golden key kind of a scenario it would simply spread so that's how important it is to protect what credentials thank you - thank you like you said that if you want to save our identity we have to keep it our password secret so like that password is like a toothbrush we have to keep changing frequently nowadays thank you my question is with the Bijoux if we see that in a banking as a government mandatory regulations now other has to be linked with accounts it's a till 30 by December now that date has postponed up to March also yesterday it was there how that other is linked with that bank and used as a payment system whether it will go in to change the payment industry earlier like we are using the visa and other thing how it will compete with the specific identity related to a person because there are biota my biometrics is there if my password is compromised I can change the password but if my biometric is compromised what to do that also so what are the challenges will be there if that a de haar is linked to that that has become a people's identity and if it's compromised or Bank whether it will be used in future as a payment systems for that Rikki's loss it's very crucial so the like in the we had a session the morning from aware in the various security steps which both at the UID a level as well as at the agency level whether it's an au a or aka so everyone who collects the other so the biometric information from a person has to follow certain security standards which ensures that the data collected from the customer remains confidential that is very critical to both the confidentiality and the integrity has to be ensured at all days so there are various guidelines in that aspect the other act ensures that the rules are in place and there are various kinds of audits which ensures that they use agencies which uses collects the other data is kept accordingly so that is one of the main thing which we have to then again so the full mode in how the APS will come into picture is said to be known like we have for NFC can based transactions there are limits for up to certain limit early NFC can be enabled like that also we may expect that there can be just like manage that above a certain limit that can be another to a favor also may be seen so those kinds of adaptive indications strategies also will help to ensure that this is not miss utilized by any other persons yes very quick point to make yes I said I want to point out to an inadequacy in the system as of today so you know the fact is the bankers want it but I do be very forthright that we don't have the framework in place as of today I am given to the cybersecurity governance to be a thought so you hear me out of that see the the government is pushing basically towards low-cost transactions digital transactions so you have n PCI which is at the center of things sorry you have the N PCI and then you have a lot of application the beam application now Google has done something so there's a lot of activity which is happening in the payment industry ecosystem but let us understand that you have four different worlds which are converging the first is the traditional banking system right the second is your emerging banks the payment banks which are new kids on the block which come from a very very different environment altogether then you have the atharva low or the fourth world and then you the third world and then you have the fourth world a fourth ecosystem by itself and this is you know smartphone device smartphone manufacturers hardware manufacturers now the point is that what is the hardware layer is secure and hardware level security provided now if I am putting if I have to use my mobile device as a means of use our authentication for a payment what is the security that has been built into the device who recently the government has actually reached out who all mobile phone manufacturers asking them to articulate as to what is the device level security in their products now what is the challenge you have four different worlds but you don't have a common security framework which binds them together all four of them come from different planets and they all are converging into one ecosystem but you don't have a centralized framework as of today as we speak the Reserve Bank of India cybersecurity policy and the cybersecurity framework do not adequately address this so number one security of biometrics is still not being covered security of ATMs are still not covered and I say this because I am the core of the RBI ideally these frameworks or backs in India so this is a huge lack you know this is a huge gap area and this needs to be addressed very very urgently if we really want to push for a thought of integration and keep the end customer see clearly I think also in the cybersecurity framework design of insurance company some ex-banker though and we sort of extended the cybersecurity framework to when the three insurance brokers and intermediaries but there is the fifth world I would add to those four words you put up and that's the vendors the service providers sometimes the real banking operation is done by the service providers and I guess do we have them covered well I am Not sure because the same security framework doesn't apply to them it's more about it's the if I may add these security framework has the elements is outsourcing security yes it's got it's got about 50 20 controls is it enough no but at least for the first time it recognizes the fact that security is largely being outsourced so we have due diligence enhance due diligence background check confidentiality some audits right to audit security framework I'm not sure at all so we have a 5th world also there and the challenge is again the linking that's what happened every single person who handles financial you're the insurer and you the broker everybody is gonna link at that number and number and everything is out there so we are now facing a world where the personal information or that number time number is no more unique it's going to be free-flowing and a multimodal network and data was doubling every year now it's going to exponentially rise IDC International Data Corporation said by 2 0 to 0 it's going to rise exponentially which means personal information is going to of freely freely flow across multimodal network never it brings back to the point that he raised single sign-on with multi-factor authentication is what is their solution at cross and cross the 5 volts yes not it's it's no joke it's gonna be a tough proposition to sue the Toros 2 0 to 0 is not far away and we're already losing time and in fact it is a very important point mr. Manish has raised about the hardware level security you've been missed out of it's not been enough thought given on the hardware framework or Hardware securities that we using the mobile devices or maybe any one is from the defense and maybe by car you know anything that our defense of you know they procure they have a complete robust check on the securities and you know our capabilities of all the devices you like and then you believe in that absolutely yeah so this is this is a major miss out in fact we we never know what are the threats or risk associated with the hardware level things which we are using in our pockets like if if it could take case of mobile devices we don't know like what exactly are there any bank doors or is there any data which has been going back to the manufacturer you know now even like IOT is coming up there will be lot of devices connected to the Internet so it's gonna be little challenging to protect our own identities between nowhere which all databases are having our identities flashed out Isis Thank You sundar and Thank You Sachin also sooner my question is for you nowadays we are seeing that organizations I am NOT taking only the bank like insurance company and other things they are having a outsourcing staffs they are having a cloud hosting database they are doing the co-hosting sub services also and if we say the regulatory guidelines are as well as that Bank security policy also financial data should not be hosted on that cloud like that because the data is there but organizations are hosting their hrms related data their non-financial data may be mail boxes and other things they are hosting there also they are complete customer as well as stuff informations are there and organization are not having that much control on the cloud which they are having in their own data centers so in this scenario what are the security points that organization should take care when it is a hosting their data outside their premises to save their the biggest challenge today and that is resulting in credential theft which is the topic of what we are really discussing is that because in a cloud model there are there is a there is something known as a shared responsibility model between a cloud service provider and a customer in most of the cases including a recent case of one of the big four because the way you want your question I think and let's let's call the Big Shot it's the it's the Deloitte a story which one of the main reason is that lack of endpoint security which is the customer's responsibility so you can have the best security at one end but the weakest link in the chain would still be your endpoint security and if your endpoint security is not there you end up compromising one set of credentials which could happen to be the golden key you have given the golden key to your house this point this opening remarks I mentioned user device and data we address device indeed a user is where we need to address awareness is pathetic and you need to ensure how do you do the privacy privacy settings in all the social media across how do you give key information on the for even if it's a call center verification you need to really really be careful what information you need to give because I think especially they shouldn't subcontinent users give very freely information away and then then they come back to you and I am recipient of most complaints as the chief risk officer and I will go through and be sympathetic at the end of the day because we would not much on the user education and naturally we'll have to address and resolv the complaints and face the loss but the point is that's a weak point and we need to be careful so you coming back to your question how do you address the challenge from a privacy perspective I will taken the consent from users to share information with outsourcing service providers I will taken consent from the user or the customer to share information to the group I am part of a big conglomerate so we try to address this so we said let's put the consent clause in the proposal form of the application form but that Kim the regulator said no you just stick and then customer will not know we've complaints where do your agenda stick to your customer your salesperson stick that form SSSs and share the information but later on customer comes back and screams and I haven't seen the clause so then they said okay you take a separate consent from the customer to share the personal information identity related information and so you would need to address and with the Supreme Court judgement recently on privacy being the fundamental right you would order right not a fundamental right but you need to address then the consent issue how do you take consent when you share personal information with your service providers or group companies baby cross-sell or upsell or down sale or out your outsource partner then you know you share so many privilege to information of customer with they also sparked them so these are issues that are going to come up and increasingly you will find that there are suits filed for compensation a hand that could be a class-action suit which is now also part of the public legislation corporate legislation so that is going to be a challenging time with all these challenges coming in and you as organization user ecosystem you need to be ready to face this point that personal information is going to freely flow across multimodal network therefore we have to come up with mitigating risk solutions mitigation such as multi-factor authentication definitely that's a good one encryption of the communications because hacking is again a big risk man in the middle attack you might send our OTP to the mobile but the mobile number would be the ecers mobile although you would have a big number so you still have issues even with very good solutions like OTP a multi-factor resolution theoretically it's easily possible for him to do the perpetrate attacks my question is with that Manisha like that we have seen that other is there and security for that biometrics and others are there you IDI has suggested that also if we see that today's scenario most of the people's they are switching their jobs two to three years four years now that mode of attendance in there are biometry in many organizations even hospitals even small organizations even a small shopkeepers they are putting their thumb impression as a attendance so biometrics are everywhere with the same person in different different organizations if we see the hospitals also somewhere I have seen their also they are taking full five fingers five fingers in that scenario if later on that their previous organizations or maybe some staff is there they will misuse their data so how we will say that also in today that biometric is a unique authentication as well as their number is a unique identification will be used for future the first is that there is no silver purity I come back to that old thing there is nothing called a silver bullet so there is no silver bullet solution out here I think the second is I would say a bad solution to this complex problem is again multi-factor authentication the third thing is encryption how do you encrypt a certain amount of data and ensure data privacy the fourth is a very strong so India it's not to do with IT security or you know I think all those who have even more gray hair than I have now in the audience you will appreciate when I say we have been a country which has been amazing at creating rules but terribly poor at actually implementing them so enforcement is something which you know we have been very poor at but what is required is that it is you know when you talk about biometrics it cannot be spoken at a national level only in the context of the PSSI sector and that's why I said it's a very good question it has to be spoken in the context to a larger ecosystem today all central ministries in Delhi are using biometric to mark the attendance of bureaucrats amazing awesome it is they at least they are claimed they you know they land up in office on time hopefully and and hopefully get some work done the point is how do you protect this so you need national standard which defines rules and regulations that when company comes up with a biometric based solution what are the security or you know safeguards that need to be put into it not just to protect the lead protected from leakage but also protected from misuse and this must be supported with a framework a national framework which gives very clear guidelines to companies which adopt these technologies so and there must be there must be a price to pay in case someone is found to have flout it either from the manufacturers perspective or from a company implementation I'll give you an example the the GDP are the data privacy regulations or the you that are coming there is a very very strict penalty a sizable percentage of the global turnover of that company in case they were found to be willfully violating in violation of the GDP are laws that's a huge huge sum of money I think in a banker's complaint you will understand the concept by saying he bought it it's money that counts make organizations you know liable from a monetary perspective believe me in India everybody will follow yes I agree in that earlier days when we see that also bank robbery is there so that and the bank were looted in that online channel when her hacking or robbery is their customers are looted you brought a very good question and I would so you know we have I hope you have some insurance sector people out here so increasingly your own young CRO you have a CRO this should be very important for you so your or here we are seeing a significant increase in the amount of losses financial losses financial institutions are facing on account of cyber fraud Jim now increasingly I don't think there is any Bank which is not taking an insurance cover again something known as cyber risk am i right no I think I mean only know everybody is know cyber insurance has come in capture so imagine if the insurance companies were to dive deeper the level of compliance for every bank with respect to a security baseline even the basic security baseline set up by RBI last year well I can tell you because I worked with the entire ecosystem everybody is not at the same level and hence it's like this when I when I insurance company comes to me when I approach an insurance company for life insurance cover there are certain questions do you smoke if I say yes prop up the insurance cost goes up by five percent premium do you drink how many times well another 10% I see escalation in insurance cost so why should that not happen in the banking sector why I'm not using the word why I'm saying this is coming so increasingly the banking sector needs to do a lot of introspection to see that with respect you not leader and security baseline is a security baseline but at least the security baseline and upwards of that how compliant are you otherwise you're going to see a significant increase in insurance cost there are many other factors which increasingly insurance companies and the actuaries are you know currently working on because you can't have an exponential increase in losses on account of cyber frauds year-on-year which are offset to insurance companies without answering some difficult questions sure and so this is something that the banking sector has to be prepared for I just had to that so recently when a private bank was act and so and the active cyber insurance I think everybody knows the name so and again the big five big four auditor was appointed to find out the extent value and the volume of loss and there were several audits carried on by that company to identify how much is the loss so yes so there is lot of expenditure yes yes and yes the insurance company would have also faced a huge it see there it's not that the insurance companies are not making money otherwise these insurance companies would not have been in the business they would have rolled up the cyber is very sure but yes but what they are see is perhaps the amount of premium they are seeking from bang was not commensurate with the kind of risk that is being offset on to the insurance companies so the actuaries are working on this I think this is the time for the banking sector to do a solid introspection to wake up to this otherwise you are going to see a significant and exponential increase that is fully agree because for regulator also customer is a first means if we see that customer protection liability circular which is that RBI has recently released in an June or July so if they have mentioned they are also key that onus to prove that customer liability and their security breaches their lies on bank means we have to show that there are some lapses from the customer side and that like that you told about that cyber insurance to every organizations or even banks they are taking even when they are outsourcing that privity they are asking their outsource when their also to take the cyber insurance to protect their liabilities another thing companies like yes such an I think ocean area stores like I have 80 80 questions - yeah absolutely dude that kind of the challenge today is that you know you mentioned Bangladesh Bank well the Central Bank in Bangladesh was highly compliant so there is no Bank which says hey I have only fifty percent or eighty percent compliant everybody's compliant they're still they as we speak there is still 82 million dollars which is untraceable and it's not going to come back because it's gone through the casino industry somebody had a great time in philippines manila the bottom line is this that the time has also come to do an introspection on the quality of audits being performed it's like this if I go to a doctor and I'm not well and I expect the doctor to tell me hey all is well and instead of hundred bucks I'm going to charge you 200 rupees because I'm telling you all is well all be not be well I don't come back any better in fact I come back of worse so audits whether a risk assessment whether a wonder ability assessment penetration testing the whole process and even financial risk assessment this entire thing is performed for a purpose and it must be done you know with due diligence and I think somewhere in the industry this is being missed out I fully agree actually myself and soon there was there in one discussions earlier at one so that time we told that also everybody knows about the controls and other things like that there are preventive detective correctives like that also but I think the new control has to be come in picture is strongly that is a monitoring control preventive control is a preventive till that you are not monitoring because you applied some patch and something is there that may become detective that may have become like that means like that it's not working later but if you are applying a monitoring as a control means like there something has to be reviewed periodically then your controller systems will work effectively so monitoring has to be there for each and every level even your encryption is working even your denial of firewall rules are working then your system will be robust is there this audience are actually using digital signatures to say okay in the banking system which bank is operating in the country can say that look across my entire ecosystem we ensure that every mail which goes out we sign it with their digital signature and then yes you have to protect your private key as well if you're using public key infrastructure not to my knowledge and how many decisions end up getting taking place you know end up you know based on Neil's instructions work that happens down on Wales these are fundamental issues which is why when I started my first comment was that the time has come to go back to the basics so we can create a huge skyscraper you can end up spending tons and tons of money and which it really pains me to see the banking sector today is spending tons and tons of money and perhaps you're not getting your money's worth in fact not perhaps you are actually not getting your money's worth because we are not addressing the core fundamental pillars of cybersecurity so it's like creating a skyscraper or a huge building without strong foundation fully agree with you my question is with the Siachen nowadays every bank are advising to that customers we don't ask any passwords and other things don't believe any call and other things so in future what will happen when a bank will genuinely call to that customer and tell that also there is some problem is there in your accounts and other things and customer will tell that also no no because this is a fake call and other things also that is a one scenario second scenario because all the informations are available in social media and other things how customer will authenticate to himself in a bank call center yes I am a genuine customer I want to change their these details in my account so what will be the challenges in there to establish a identity for a bank or as well as a customer yes I am a genuine customers the customer is not going to believe this caller as a banker because the level of you know preaching or customer awareness programs have reached so many banks are following so many emails been thrown out to the customers inbox about training you know on an awareness basis whether it may be a you know fishing awareness or because it has reached to such an extent no I think it has been overdose to a customer and if he gets a call or something from bang he might not be able to you know believe that it's gonna be an authentic or legitimate call from the bank at such yeah talking onto the fishing kind of a things on an identity theft you seem like you know in the recent article have read like it's has grown up to five hundred percent increased on a year-on-year basis on and phishing attempts to the question was hidden financial industry specifically yeah of course this is the very easiest way for the hackers or criminals to gain personal identification or a user identity axis of an user or customer by attempting any kind of you know fishing Adams just day before yesterday I saw an email as a phishing attempt to one of my friend as it it looks like it's been sent by the our IT department income tax department saying that the income tax department has approved a return of so 25,000 amount or so and so so if you want to get this deposited to your account please fill up the attached for message I don't believe like in from you know IT department will send such emails as such because if the return is approved a directly credit to the bank account which is already there with their in the database so phishing phishing items on you know gaining access of personal identification or identity to have kind of an attacks has been crowing the banks and financial institutions are really want to focus more on this have more controls on this because I see like even my bank's websites I've been duplicated and know my customers have been sent an email which replicates the similar kind of a front page of the bank asking them user IDs and passwords this has become in today's industry yes yes I agree with that my quick question with the b2 is there like that I asked him also to establish a identity for a bank as well as a customer see now every data is there with that public so if suppose tomorrow Bank customer calls to Bank like that K I have forget to change my mobile number my address my email ID so what are the things that Bank will take in notice key yes we can authenticate I think there is only the mobile number and no TP will be there because that is a dynamic because whatever things are there aesthetic that can be compromised today or tomorrow or any later day so what is your opinion in that also just r ally handy never it is a good man so for example the mention case itself mobile number change or email ad or some other confidential information so but nowadays each of the banks are providing many options to the customers like from simple options like go to the ATM so in that case the customer can authenticate the transition by using the ATM card and they didn't pin that is something which he has and something which he knows so the transition can be done in a secret man so your layer compared to only like I we are facilities for over phone and now we each of the bank's provide multiple facilities to a customer without going to the appliance premises itself so in any case the basic thing is that the bank has to authenticate ensure that the authentication is done it is the same customer itself so I said earlier the owners of proving that it was genuine transition lies on the bank so it's from a customer protection act lowly so we helping you in a three steps to the customer's measures facilitate the customer to witnesses manner just to add more but is given now to associated processes for it so supposing you change your credential say oh by what you will do is then you will send SMS to the old mobile and the new buh-bye yeah and then inform you obtain you alert the customer and also you now we run analytics so for instance in the insurance policy just six months before the policy is going to mature somebody changes the credentials that immediately thrown us an alert in the fraud monitoring system and then we find out is this real or is a fraudster whose nose inside a fraudster who knows this information trying to misuse the information so you have good analytics use of analytics now alerts monitoring mechanisms in place for at least credential changes the way they are handled but people process technology all are important awareness of given to employees users how do we handle these things processes more importantly and certification and of those processes and of course technology-based controls great thanks to all my panel members - thank you thanks a lot