Online: Many Banks 'Not Ready'
Gartner's Matthew Cheung on Asian, Indian Threat Landscape
The biggest security concern is with the online banking platform, which is emerging at a rapid rate. In India, for example, 40 percent of customers do their banking online, and 70 percent of the total transactions are done over the Internet.
Yet financial institutions don't have proper security measures to address the online banking environment. "With that kind of system, if they don't have very good security measures in place, it would expose them to hackers and identity theft," says Cheung, principal research analyst in Gartner's Hong Kong office.
Card skimming is another top threat because many cardholders still use magnetic-stripe cards, which continue to lead to identity theft, especially through ATMs. And the overabundance of customer data that needs to be retired at financial institutions can often lead to data leakage.
Looking ahead to 2012, authentication is an emerging area, Cheung says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
"The cybersecurity trends we need to watch out for ... include dual passwords, some interesting authentication methods and also social media," he says.
In an exclusive interview on the threat landscape in Asia-Pac and India, Cheung discusses:
- Top threats to banks and customers;
- Regulatory trends and their impact on security;
- Trends to watch as we head toward 2012.
Cheung is a principal analyst with the Gartner Technology and Service Provider Research group, where he specializes in infrastructure software markets, such as operating systems, IT operations management, security and storage. He has more than nine years of experience in the IT industry.
Prior to joining Gartner Research, he worked in Gartner Consulting for more than two years, formulating go-to-market strategies for governments, multinational vendors and financial institutions in Asia/Pacific. Mr. Cheung also worked in cross-functional areas in the IT industry and has extensive experience in IT project management.
Current Threat Landscape
TOM FIELD: To get us started, maybe you could tell us a little bit about the current threat landscape that you see in Asia Pacific, as well as in India.
MATTHEW CHEUNG: Sure. I can share a little bit about the banking systems and what they're facing today regarding the security landscape, and in particular the Indian market. What we're seeing in the industry is that there are many security threats around Asian banks; especially once you look at their operations. Because all these Asian banks traditionally just get the focus from ordinary people. Now they are expanding their business into different areas, for example management, insurance or other types of business. Because of that, in defense they have to manage data security when they transfer that kind of certification. This is normal for banks. They are facing this because they need to manage the data security that has been issued where they handle that kind of information.
The second point is that traditionally Asian banks have to deal with a lot of customer data, and they have to also retire the data that has been kept for a long time. That's why they need to sometimes dispose of the paperwork. They put information on paper; and traditionally they use a lot of paper to store the client's information. When they retire data and when they have to dispose of it in a secure way, sometimes there is some leakage because of the kinds of activities they use in retiring such data. That would also impose some policy issue or data loss issue for these banks.
The other fact is online banking, because Asian banks are also developing online banking systems, and they will come under cyber attack. With that kind of system, if they don't have very good security measures in place, it would expose them to hackers and identity theft dealing with customer information.
And, the last issue I would share is the credit card issue because in Asia many banks are still issuing magnetic-stripe credit cards. So there is a lot of identity theft. They would use technology that installs onto ATM machines and they will steal information from customers which they can make use of, exploiting that type of information and accessing their accounts to get money from individuals. That would also be an important driver for Asian banks to move to a more secure type of credit card payment system.
These are all issues Asian banks are facing right now.
Online Banking
FIELD: As we look around the globe we see many of the same threats - skimming, account takeover and online issues. If you were to narrow it down to the single biggest threat to the institutions that you see today, what would you say that threat is?
CHEUNG: Online banking would be the biggest because that is emerging in terms of the technology and many banks aren't ready for that. But they want to request the business opportunities so that they go into online banking effectively. Take India for example. We see that about 40 percent of Indian citizens are using online banking and 70 percent of transactions are being done online. That's a very big amount. It would be very important for banks to have some security elements for online banking systems.
FIELD: Again, looking at the institutions, how do you see them responding to these threats in terms of information security and privacy? From your perspective, what is working and what still needs some work to get them to the level they need to be?
CHEUNG: I think they have some systems in place to prevent that from happening in the market. For example, they need to use data loss prevention systems. Many banks would be using that kind of system to prevent some of the data loss leakage. But on the other side, they have to comply with regulations. For example, in payments they have a PCI data security standard. Some banks in Asia are going to begin to comply with the same kind of industry standard so that there will be some items in place to prevent privacy and data leakage issues. Also, there are different pieces of regulation in this country that enforce compliance and data privacy among Asian countries. For example, in Hong Kong there is a personal data ordinance and some banking acts governing how banks should operate in terms of protecting personal data. All these institutions have to comply with that regulation.
In terms of India, I think particularly there was an IT amendment in 2008. That one will also govern banking regulations to protect and require banks to have some sort of IT system in place so that customer data is protected.
FIELD: You mentioned regulatory issues. What are some of the regulatory trends that you're looking at in the market place that are going to impact banking security?
CHEUNG: Just recently I mentioned personal information, protection and regulation, which is a narrowed down version of privacy law happening Asia Pacific-wide. And we see that, for example, Hong Kong is a pioneer. Japan is a pioneer of such law and Australia just recently passed a law that requires enterprises that lost customer data to find the data subject. That kind of privacy and personal information law is just happening in Asia Pacific. For example, Singapore actually has some privacy protection bits and pieces in different laws. They aren't putting together a privacy law that is in a draft stage. And also in China, they have been talking about a personal information protection law for quite a while. That's the trend in Asia Pacific; all these developing countries are working on privacy, data protection, and personal information protection laws.
Security Investments
FIELD: As we look ahead into 2012, where do you see banking institutions making their biggest security investments?
CHEUNG: I think the biggest security investment for banks would be for them to look at where the information is protected in an online system, like online banking, and then try to get people to use the online banking systems more. Banks can also cut many costs in terms of retail branches. They would need to do online banking. They would need to push online banking. Also for the customer, we're focusing on the security of online banking where they adopt such technology. The banks will try to improve the security in online banking so that the system is secured and the users would be willing to use that kind of technology when the risks are lower.
Also, the security investment would be implemented in many ways because from online security there would be many different types of security measures to defend off the security threat. For example, some banks would be combining a password with a one-time password from the mobile device. Some other banks would use a smaller machine, smaller tokens, something like that. And they have clients so they can make use of the tokens to get a one-time password. There are many ways to do online security for banking systems which is a very important investment for them.
FIELD: Just a final question for you. We've talked an awful lot about threats, trends, regulations and investments. As we look to 2012, in terms of banking and security, what are the trends you are most going to be watching?
CHEUNG: The cybersecurity trends we need to watch out for, and there will be many innovations in that area, include dual passwords, some interesting authentication methods and also social media, combined with marketing for banks. That would also be interesting to watch out for.