The literature review
CHAPTER 2.
LITERATURE REVIEW
This chapter is the literature review; its purpose is to investigate past publications by different authors. These include textbooks, articles and online publications that could enlighten readers on the area of banking and internet security measures, the standards and policies used for internet banking security in the United Kingdom and, more importantly, the synergistic impact of online banking and information security in the UK banking sector.
Since the invention of information technology and the internet, people of every calibre have been using it to deliver services more efficiently and effectively. In the retail banking sector, most businesses have moved the majority of their physical transaction processes to online transaction processes. As a good example of this, I have owned an account with HSBC bank for over 4 years now and I cannot remember the last time I went into my branch to transact business. Most of my bill payments and transfers are done through my online banking.
Irrespective of this, Lassar et al. (2005) also affirmed that financial institutions should be able to forecast and figure out how such technology will be applied by customers.
Banks and financial institutions rely mostly on information technology for their everyday activities; therefore the information acquired by a financial organisation is used not only by the organisation and its employees but also by its customers, stakeholders and partners. The users who rely on these services anticipate the constant possibility of direct access to organisational information (McAnally et al., 2000).
Comment: Your idea is good, but you are not using well-structured sentences and paragraphing. We need to talk about this asap!
DEFINITION OF E-BANKING
The growing tendency towards e-banking transactions has signalled information security issues that must be noted and stringently taken care of. Managing this security must be a combined effort and relationship between the customers and the financial institutions. (Re-structure the above paragraph)
In general, “e-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels. E-banking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet which is an integral part of e-banking” (FFIEC handbook, 2006). This new development has drastically changed the face of internet business in the United Kingdom and it is a welcome phenomenon.
WHAT IS INTERNET BANKING
For quite some years now, internet banking has been presented as a more efficient approach through which banking transactions are made without having to leave your place of abode or your place of work. Some customers have been recognised to turn to internet banking as a result of frustration with conventional standards of operation and practice. Anand (2008) said further that while some customers want human interaction in transactions, some of them turned to the internet facilities for security reasons. The reason is that customers are given assurance that their transactions are safe and secure, and most of these transactions are made via the Internet Explorer interface. In its report in 2009 (what report? This is not Harvard standard of referencing), he said online banking has risen: 25% of all the people who responded chose it as their most preferred way to bank. Mobile banking has not started at all; only 1% of the people make transactions via mobile. The figures below show how they stand:
- Online banking: 25%
- Branches: 21%
- ATM: 17%
- Mail: 9%
- Telephone: 4%
- Mobile: 1%
- Unknown: 23%
Comment
Can you represent these figures or percentages with a pie chart, graph or something more comprehensive?
He went on to say that more people visit the bank branch than use online banking.
The term internet banking can then be taken to refer to the use of the internet as a remote channel for banking services. These services comprise the conventional ones, such as account opening or funds transfer to different accounts, and new banking services such as online payments, where customers give permission to receive and pay bills on the bank’s website.
Having understood the significant importance of IT and e-banking and the amount of risk and threat involved in driving the business process, there is a need for the consistent continuation of security in business, which brings about the understanding of information security. It is a continuous process. “Information security is the process of protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, destruction or bombardment; it involves the confidentiality, integrity and availability of various data irrespective of the form the data takes, e.g. electronic, print, written, verbal or any other form” (ISACA and CISA Review Manual, 2006).
Comment
You have not given your heading titles figures, e.g. 2.0, 2.1, 2.2 etc.
You did not give your tables titles or figures either.
An Overview Of Online Banking Environment in UK
Increasing competition among financial institutions has forced many competitors to offer similar prices on deposits and loans, so the effort to gain competitive advantage has shifted towards non-price factors (Akinci et al., 2004). Both customers and financial institutions have noted the recent revolution in UK retail banking. The conversion from traditional banking to internet banking has been effective (Kolodinsky and Hogarth, 2001). Although some researchers have debated whether online banking has lived up to expectations, e.g. Sarel and Marmorstein (2003) and Wang et al. (2003), many studies still hold that internet banking is the most lucrative and profitable means of transacting business (Mols, 1998; Sheshunoff, 2000). Online banking has come to stay, no doubt about that, and financial institutions are ready to move on with it. Luxman (1999), for example, predicted that in the near future the importance of internet banking will be felt most in remote areas where some banks have closed their branches.
A survey carried out for Alliance and Leicester (VOBS survey, 2004) interviewed 2,395 UK adults; more than half of them now bank online, and 61 percent used it more than in the previous couple of years. However, visiting the banking hall is still very popular, with respondents preferring to go into the branch and deal face to face with bank staff for activities such as paying in cheques (73 percent), withdrawing cash over the counter (20 percent) and lodging one complaint or another (20 percent).
Mike Warriner (2008) said that a recent report from Forrester stated that only 31% of British adults bank online despite 75% regularly shopping online. To quote Benjamin Ensor, principal analyst at Forrester Research, “By international standards, the U.K. is an online banking laggard.” He then goes on to say that “The U.K. also has a relatively large number of quitters, with about two million people saying that they used to use online banking but have given up”.
WHAT IS WRONG WITH UK INTERNET BANKING
According to a survey carried out by Darrell R. (2009), “Medium size organizations all over the world are very much concerned about cyber threats. The number of incidents reported really justifies their doubts. At the close of mid 2009, McAfee discovered new malware, as they did in 2008, which could cause a lot of havoc in the internet world. Irrespective of this discovery, most organizations still cut their IT security budget instead of increasing it. Threats up, budget down: McAfee called it the ‘security paradox’.”
Ron C. (2009) reports that most companies in the UK are lagging behind the rest of the world in information security management practices, according to a new study from PricewaterhouseCoopers. Some 7,000 security professionals all over the world were surveyed, mainly in large companies, 455 of them in the U.K. The survey found that British organisations appear to be less prepared to fight the risks that their information systems face.
The table below shows that the U.K. lags in quite a few key areas of information security. Organisations have fewer CISOs in place; only 37% have a clear idea of where their data is stored; and nearly half (49%) do not know the number of security incidents they experienced in the preceding year.
INTERNET TRANSACTION
Online transactions give customers the capability to conduct transactions via the institution’s website, by initiating banking transactions or buying products and services. There are many transactions customers can engage in on the internet, ranging from something as small as a basic retail account balance enquiry to a very large business funds transfer. Internet banking services, like those delivered through other means, are categorised based on the type of customers they support. The following table shows some of the common retail and wholesale internet banking services offered by financial institutions (FFIEC, 2006).
Since transactional websites typically enable the electronic exchange of confidential customer information and the transfer of funds, services offered through online banking expose financial institutions to higher risk than basic services do.
ADVANTAGES OF ONLINE BANKING
Convenience
According to Gerlach (2000), internet banking services allow customers to handle their habitual banking transactions without visiting the bank building or meeting any bank staff. There is no need to wait until 8 or 9 in the morning before you can get an answer to a bank account request or details. Customers can handle their transactions anywhere they like as long as they are connected to the internet. Moreover, since most banks offer online banking 24 hours a day, 7 days a week, internet banking allows you to view and work with your account no matter what time or day it is. Thus customers can make payments, check balances, transfer money and so on from the comfort of their homes or offices. Hence online banking has broken the limitations of the conventional way of banking and provides customers with swiftness and convenience.
Time and Money Saving
When you visit banks, you will discover that most bank branches are always busy with one activity or another, and customers have to wait a long time before being attended to. This is a waste of time and energy. Luckily, some banking transactions can be handled at home, in the office or anywhere that is convenient for the customer. In other words, customers do not need to wait in a long queue or go to their bank branch to carry out their banking business. Online banking therefore helps customers to save time and the cost of travelling.
Ease and Efficiency
As long as they follow the simple steps of logging in with their details and clicking the right buttons, customers are able to check their accounts and balances, transfer funds and carry out other valuable transactions. Timely checks can help customers avoid overdraft charges and confirm that the transactions they made were successful and complete. Hence banking online helps customers to manage their accounts more easily and conveniently.
On-Time Gain and Update of Information
Online banking systems also provide customers with timely updates about both existing and new products and services, banking news and other vital information that customers need to know or be updated on. Therefore customers can obtain relevant information at the appropriate time and make quick and right decisions.
Profitability
Fewer bank buildings need to be maintained as a result of online banking and fewer employees are involved, so there is a much lower overhead with online banks. The savings they make as a result allow them to offer higher interest rates on savings accounts and lower lending rates and service charges.
Cost Effective
Internet banking costs less, because there are fewer buildings to maintain and the salaries paid to employees are reduced as well. Since banks have more to save now, this allows them to increase their interest rates on savings accounts and lower lending rates and charges.
Easier To Catch Fraudulent Activities
Since you have the opportunity to view your account details at any time, it is easier to know if any fraudulent activity has gone through your account before much damage is done. Once you log into your account, you will see immediately whether anything is wrong when you check your deposits and debits. If you have not made a transaction and you see strange details in your account, you will see it right away and can raise the alarm with the financial institution.
While the internet offers miscellaneous advantages and opportunities, it also presents various security risks. Having this in mind, banks take wide-ranging measures to protect the information transmitted and processed when banking online. This comprises ensuring that confidential data sent over the internet cannot be accessed or modified by unauthorised third parties. “But banks don’t normally have influence over the systems used by the customers. The choice is entirely up to them. Moreover, a system connected to the internet, a PC for example, will usually be used for a number of other applications as well. The systems used by online banking customers are therefore exposed to risks beyond the banks’ control.” For this reason, the banks cannot be liable for them (Berlin, 2007).
Some Dangers Faced When Using the Internet (Berlin, 2007)
A third party gaining access to information transmitted, or obtaining information under false pretences, can do so with the aid of the following:
- Viruses and worms: programmes sent over the internet that can damage your PC when they replicate.
- Trojans: programmes, unknown to the user, that intercept passwords and compromise computer security.
- Phishing: using a fake name, website or address for fraudulent purposes.
- Pharming: users being redirected to a fraudulent server.
- Rootkits: malicious software that obtains administrative-level access without the real administrator noticing. Their features are almost the same as Trojans.
- Hacking: gaining access to a PC via the internet without authorisation.
Banks now have a number of measures in place that give effective protection against attacks when information is processed by the bank’s servers or sent over the internet.
SOME SECURITY RULES WERE ALSO GIVEN
Rule 1: Install security software including an up to date scanner.
Additional security software has to be installed: your operating system’s standard tools alone cannot solve some security problems. If your security is not adequately in place, you run the risk of unauthorised persons gaining access to your data; for example, never save your PINs and TANs on your PC. A firewall can protect you from such attacks.
Rule 2: Protect sensitive data when sending it over open network.
Data sent over the internet may be intercepted or viewed by an unauthorised third party when the network is not secured. Banks have now taken measures to ensure that data sent via the internet is encrypted before transmission.
Rule 3: Be sure you know who you are dealing with.
Not everyone on the internet is who they claim to be. Check the URL you are on and make sure that your bank’s internet address is correctly spelled. Hackers impersonate someone in a position of trust to get the information they need. This is called “PHISHING”. Another technique to steal confidential codes works by redirecting you to the attackers’ own rogue server.
Rule 4: Be careful with sensitive data and access media
Your access codes and media (e.g. PINs, chips) must be protected from unauthorised use. Do not save sensitive data such as passwords, PINs, access codes or credit card numbers on your hard drive, especially if the PC is not used by you alone. This could allow a third party to view your data.
Rule 5: Choose a secure password.
A combination of upper case and lower case letters, numbers and symbols, usually of six to eight characters, is a typical example of a good password. It will be difficult for anyone to guess your password.
Rule 6: Only use a programme from a trustworthy source
Don’t download any programme from the internet onto your hard drive unless you are sure of the source and that it is reliable.
Rule 7: Use up-to-date programme version
Use up-to-date versions of your preferred internet browser and PC operating system.
Rule 8: Run security checks on your PC
Take a few moments to run a personal security check before using your PC to bank online. Make sure that all the security features that protect your computer are on.
Rule 9: The security setting on your internet browser must be activated.
Use “Block ActiveX Controls” and only let Java applets run after confirmation. Do not use the browser auto-completion function, which saves the user names and passwords you enter and suggests matches.
Rule 10: Do not make your current account available for fraudulent financial transaction.
Any offer asking you to make your current account available for payments and other financial transactions for unknown firms and individuals must be treated as suspicious, especially if they are located outside your country.
SOME ONLINE BANKING SECURITY MEASURES AVAILABLE
Internet Security:
Internet security refers to the methods used to protect data and information in a computer from unauthorised persons. It is a serious issue worldwide today. People who use the internet should be well aware of the trouble that can arise as a result. Familiar methods used to secure information on the internet are:
Encryption of data: encryption packages the original information into an unintelligible form, called cipher text, that can be decoded only with a certain technique.
Usage of passwords: passwords are used to prevent illegal access to data so that the entire system is protected. Passwords must be created in such a way that other people cannot simply guess them.
Methods:
There are several methods that help with internet security. They are listed below:
- Firewalls: software that filters unlawful access to a network. It must be correctly configured and combined with a proxy firewall for a protected system.
- Taking backups of data: backups of the data on the system should be taken regularly. If the computer unexpectedly crashes or the operating system fails to boot due to a virus attack, having a backup will reduce the penalty.
- Preventing virus attacks: viruses, Trojan horses, worms etc. can affect a computer as a result of infected files downloaded from the internet. They are programs that install themselves, run whenever the host program runs and carry out malicious attacks.
- Baleful links: internet users can keep their systems from being affected by viruses by avoiding needless links and emails. Links may lead to files being downloaded unexpectedly; these cause problems for the security of the computer and must therefore be avoided.
- File sharing: both original and pirated files are mixed when files are shared on the internet, which reduces the speed of the computer. This must be prevented.
- Routers: certain routers prevent some connections from outside reaching the computer. NAT (Network Address Translation) is software that performs this function, at low cost and with minimal complexity.
- Preventing spyware: internet security is threatened by several kinds of software. Without the user’s permission, some software runs alongside other applications.
Insider threat detection still a challenge
Detecting threats from inside has always been a problem, but most investments in information security still tend to focus on keeping out viruses and intruders. The possible danger of a rogue employee is regularly discounted, mishandled or simply accepted as a risk of doing business.
“A new survey conducted among 600 office workers in Canary Wharf, London and Wall Street, New York, revealed that many employees have no qualms about mishandling information. One-third of them said they would steal data to help a friend find a job, and 41% admitted they had already taken data, just in case they needed it in some future employment” (Ron C., 2009).
The study, which was commissioned by security company Cyber-Ark Software Inc., found that customers and their contact details were the favourite files to steal, followed by plans, proposals and product information.
CUSTOMER’S ATTITUDE
Understanding the impact of technology-based transaction systems on customers’ perceptions and behaviour is essential (Moutinho et al., 2000) if banks are willing to integrate new technology into their existing relationship-building activities. Asher (1999) argued that corporate customers seem willing to use the internet as a key medium in their dealings with banks. He said “the evidence suggests that corporate clients have shown a preference for online banking, due to the perception of being more cost effective than conventional channels”. Financial institutions’ use of this technology in service delivery may often compromise bank business relations (Keltner, 1995) in terms of a higher degree of convenience and accessibility (Devlin, 1995). Therefore customers’ perception is very high in the delivery of electronic banking. According to Nexhmi et al. (2003), customer participation is typically the process of enabling customers to make their own services and products. It can vary between the types of services offered, and even between service providers within the same marketplace. Meuter et al. (2000) point out that “self service technologies are increasing the way in which customers interact with their providers in the creation of service outcomes and are a typical example of a market place transaction that require no personal interaction”.
FINANCIAL INSTITUTION AND MANAGERS’ ATTITUDE AND APPROACH
Internet banking was still at a very young stage and its entire benefits had been realised (Nath et al., 2001). In this case, the attitude of financial institution managers towards the perceptions of electronic channels was of significant importance (Akinci et al., 2004). Mols (2001) states that “management support and future orientation were the two most important factors driving the introduction and expectation of the new e-channel”. In another study, Mols (2000) grouped bank managers according to their attitude towards internet banking: the “sceptics”, the “nervous”, the “positive” and the “reluctant” groups. In Scotland, Moutinho et al. (2002) emphasised that Scottish bank managers perceived efficiency and the enhancement of customer service as advantages of internet banking. Faster, easier and more reliable service to customers and the improvement of the competitive position were highlighted (Aladwani, 2001). Based on UK evidence, Li (2001) claimed that “the integrated banking model, around which traditional banks have built their strategies in the past, was showing signs of fragmentation”. In this sense, he summarised four emerging internet models in the UK. The first was based on accepting internet banking as a new delivery channel integrated with the existing model. The second model, called “e-banking”, was based on multibanking in which the internet was the integrative component. The third model consisted of creating baby “e-banks” with their own e-brand name and product range. The last model was seen as an entirely new business model without a physical network.
Laws, Directives, Regulations and Standards
Shon Harris, All-in-One Certified Information System Security Professional Exam Guide, Fourth Edition, 2008
Different laws, directives, regulations and standards have been enacted for different reasons, which include data protection, software copyright, data privacy and computer misuse, as well as controls on cryptography.
Health and safety, the prevention of fraudulent activities, personal privacy, public order, intellectual property, environmental protection and national security are reasons why regulations are implemented in government and the private sector. Violation of these regulations carries severe punishment, which may range from a fine to a jail term of up to ten years or more depending on the gravity of the crime committed.
Examples of the regulations that govern information usage and protection are discussed briefly below.
The Sarbanes-Oxley Act (SOX)
SOX was enacted in 2002 as a result of the corporate scandals and fraud that threatened the economy of the United States of America. It is also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and applies to companies publicly traded on United States markets. The SOX requirements set out how organizations must track, manage and report on financial information. Because organizations rely on computer equipment and electronic storage for transacting and archiving data, processes and controls must be in place to protect that data; section 404 of SOX applies directly to information technology. The Chief Financial Officer (CFO), Chief Executive Officer (CEO) and others can be jailed if the law is violated.
The Computer Fraud and Abuse Act
This act is the primary U.S. federal anti-hacking statute; it was written in 1986 and amended in 1996. It prohibits seven forms of activity, which were made federal crimes:
- The knowing access of computers of the federal government to obtain classified information without authorization or in excess of authorization.
- The intentional access of a computer to obtain information from a financial institution, the federal government, or any protected computer involved in interstate or foreign communications without authorization or through use in excess of authorization.
- The intentional and unauthorized access of computers of the federal government, or computers used by or for the government, when the access affects the government’s use of that computer.
- The knowing access of a protected computer without authorization or in excess of authorization with the intent to defraud.
- Knowingly causing the transmission of a program, information, code, or command and, as a result of such conduct, intentionally causing damage without authorization to a protected computer.
- The knowing trafficking of computer passwords with the intent to defraud.
- The transmission of communications containing threats to cause damage to a protected computer.
The penalties for breaching this act range from misdemeanours to felonies, with correspondingly small to large fines and jail sentences.
Employee Privacy Issues
For a company to be adequately protected, various employee privacy issues must be considered within the organization. The organization must understand what it can and cannot monitor, since different states have different privacy laws.
The organization must state in its policy that monitoring, in whatever form, is done within the organization, in order to prevent being sued by employees for invading their privacy. This is considered the best way in which an organization can protect itself.
Payment Card Industry Data Security Standard (PCI DSS)
The advent of the internet and computer technology led to an increase in identity theft and credit card fraud, which gives the opportunity for millions to be stolen at once.
To stabilize customer trust in credit cards as a safe way of conducting transactions and to curb the problem, a proactive step was taken by the credit card industry. The standard affects any entity that processes, transmits, stores or accepts credit card data.
The PCI Data Security Standard is made up of 12 main requirements that are broken down into six major categories. They are:
A secure network must be built and maintained.
- Requirement 1: To protect cardholder data, a firewall configuration must be installed and maintained.
- Requirement 2: Ensure that system passwords and other security parameters are not left at vendor-supplied defaults.
Cardholder data must be protected.
- Requirement 3: Stored cardholder data must be protected.
- Requirement 4: Cardholder data must be encrypted in transmission across open and public networks.
A vulnerability management program must be maintained.
- Requirement 5: Anti-virus software must be used and updated regularly.
- Requirement 6: Secure systems and applications must be developed and maintained.
Access control measures must be strongly implemented.
- Requirement 7: Access to cardholder data must be restricted based on business need-to-know.
- Requirement 8: Every individual having computer access must be given a unique ID.
- Requirement 9: Physical access to cardholder data must be adequately restricted.
Monitoring and testing of networks must be carried out regularly.
- Requirement 10: All access to network resources and cardholder data must be tracked and monitored.
- Requirement 11: Security systems and processes must be regularly tested.
An information security policy must be developed and maintained.
- Requirement 12: A policy that addresses information security must be maintained.
Because PCI DSS is a private sector initiative, violation of the standard does not lead to a jail term but may result in financial penalties or revocation of merchant status within the credit card industry.
2.5 Database Security, Compliance and Audit by Charles Le Grand and Dan Sarel. Information Systems Control Journal Vol 5, 2008.
Le Grand and Sarel (2008) state what it takes to adequately protect a database to ensure that compliance is met. The article also provides information for auditing purposes. The objectives for ensuring database access control were also explored by the authors.
On a concluding note, the authors said that “the simple goal of ensuring database security is to ensure that only authorized individuals have access and all access is monitored. To limit access to only people whose jobs require it, access protection must apply to identifying the sensitive data elements; the methods for managing user credentials and access rights; and the records of who accessed what, when and what they did with it”.
Insider Threat: The Fraud that Puts Companies at Risk, by Patrick Taylor, Vol. 1, 2008
This article was short but provides real information about who normally perpetrates fraud in organizations. Fraud committed by trusted employees in executive management, accounting, sales, finance or procurement positions constituted 73 percent in the annual survey conducted by the Certified Fraud Examiners. The article also describes what organizations can do to mitigate the risk. Finally, it gives information on who should be adequately monitored.