CBS Interfaces PowerPoint PPT Presentation




Presentation Transcript


CBS Interfaces

N D Kundu


Agenda

  • Alternate Delivery Channels

    • Automated Teller Machines

    • Internet Banking

    • Real Time Gross Settlement

    • Cash Management Systems


External Interfaces

  • ATM Interface

  • ATM interface with switch

  • Tele banking

  • Internet banking

  • Mobile Banking

  • Cash Management

  • Real Time Gross Settlement

  • Bunch Note Acceptor


I T and Retail Payment Systems

(Diagram slide) Elements: Central Bank; Clearing House; National Payment System; Bank A; Bank B; Retail Payment System (ATM, EFTPOS, Credit Cards); Customers.


List of Interfaces and mode of connectivity


Connect-24

  • One view to the external world through all delivery channels

  • Middleware for real time interface of delivery channels to Finacle

  • Supports traditional and emerging delivery channels viz. ATM, Telephone or Internet using ISO 8583 and OFX standards
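ISO 8583 is the wire format the slide names for the ATM and POS channels. The following is an added example, not Connect-24 or Finacle code, showing how such a message is built and parsed: message type indicator (MTI), primary bitmap, and a small set of data elements with strict length checks so a malformed message raises instead of misaligning later fields. The field set and the ASCII encodings are assumptions; a real switch's configuration is not on the page.

```python
# Added example (not Connect-24 or Finacle code): a minimal ISO 8583 encoder/decoder for
# the ASCII variant of the standard, covering the MTI, the primary bitmap and a handful of
# data elements. Field lengths follow the common ASCII conventions; the switch's real
# field set and encodings are not given on the page and are assumed here.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Data element number -> (name, encoding kind, length). "LLVAR" carries a two-digit
# length prefix and `length` is its maximum; "fixed" has exactly `length` characters.
FIELD_SPECS: Dict[int, Tuple[str, str, int]] = {
    2: ("pan", "LLVAR", 19),
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),
    11: ("stan", "fixed", 6),
    35: ("track2", "LLVAR", 37),
    41: ("terminal_id", "fixed", 8),
    49: ("currency_code", "fixed", 3),
}


@dataclass
class Iso8583Message:
    mti: str
    fields: Dict[int, str] = field(default_factory=dict)


def build_iso8583(mti: str, values: Dict[int, str]) -> str:
    """Serialise MTI + primary bitmap + data elements (ASCII, no secondary bitmap)."""
    bitmap = 0
    body = []
    for num in sorted(values):
        name, kind, length = FIELD_SPECS[num]
        value = values[num]
        if kind == "LLVAR":
            if len(value) > length:
                raise ValueError(f"{name} longer than {length}")
            body.append(f"{len(value):02d}{value}")
        else:
            if len(value) != length:
                raise ValueError(f"{name} must be exactly {length} characters")
            body.append(value)
        bitmap |= 1 << (64 - num)          # bit 1 is the most significant bit
    return f"{mti}{bitmap:016X}{''.join(body)}"


def parse_iso8583(raw: str) -> Iso8583Message:
    """Decode a message, bounds-checking every length so a malformed input raises
    instead of silently misaligning later fields."""
    if len(raw) < 20 or not raw[:4].isdigit():
        raise ValueError("message shorter than MTI + primary bitmap, or bad MTI")
    bitmap = int(raw[4:20], 16)
    if bitmap & (1 << 63):                  # bit 1 set = secondary bitmap follows
        raise ValueError("secondary bitmap not supported by this example")
    msg = Iso8583Message(mti=raw[:4])
    pos = 20
    for num in range(2, 65):
        if not bitmap & (1 << (64 - num)):
            continue
        if num not in FIELD_SPECS:
            raise ValueError(f"unexpected data element {num}")
        name, kind, length = FIELD_SPECS[num]
        if kind == "LLVAR":
            prefix = raw[pos:pos + 2]
            if not prefix.isdigit():
                raise ValueError(f"bad length prefix for {name}")
            length, pos = int(prefix), pos + 2
            if length > FIELD_SPECS[num][2]:
                raise ValueError(f"{name} length {length} exceeds maximum")
        if pos + length > len(raw):
            raise ValueError(f"{name} runs past end of message")
        msg.fields[num] = raw[pos:pos + length]
        pos += length
    if pos != len(raw):
        raise ValueError("trailing data after last data element")
    return msg


def safe_parse(raw: str) -> Optional[Iso8583Message]:
    """Parse or return None; the shape a switch front-end uses to drop bad frames."""
    try:
        return parse_iso8583(raw)
    except ValueError:
        return None


# Constructed sample: a 0200 financial request for a cash withdrawal of 2,000.00
# (processing code 01 = withdrawal; amount in minor units, 12 digits; 356 = INR).
SAMPLE_REQUEST = build_iso8583("0200", {
    2: "4000001234567899",
    3: "010000",
    4: "000000200000",
    11: "000123",
    41: "ATM00017",
    49: "356",
})
```

The bitmap check before any field read is what makes the parser safe against a truncated or padded frame: every data element is located only through lengths that have been validated against the message size, so a wrong LLVAR prefix is reported rather than being read as the next field.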


Connect-24

(Diagram slide) Elements: Data Center hosting Finacle and its database; CONNECT-24 middleware; channels e-Channels/e-Corporate, public ATM network, ATM switch, telebanking, POS, ATMs and desktops.


Automated Teller Machine (ATM)

  • ATM Card & Debit Card

  • Procedure for issuing ATM Cards

  • ATM Switches

  • Host Security Module

  • Natural PIN Generation

  • Storage of PIN??

  • Track 2 on Magnetic-strip

  • Chip based Card

  • Cash Dispenser
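Track 2 on the magnetic stripe carries the card number, expiry and service code that the switch validates. The following is an added example, not part of the presentation, that parses a track 2 string per ISO/IEC 7813, checks the PAN's Luhn digit, reads the chip indicator from the service code, and masks the PAN the way it should appear in a journal or log. The sample string is constructed.

```python
# Added example (not from the presentation): parsing and validating the track 2 data
# of a magnetic-stripe card per ISO/IEC 7813, then masking the PAN the way a journal or
# log should store it. The sample string is constructed; the PAN is a Luhn-valid test value.
import re
from dataclasses import dataclass

# ;PAN=YYMM<service code><discretionary data>?   (the LRC byte is stripped by the reader)
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit carried in every PAN; catches misreads before the switch is asked."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(data: str) -> Track2:
    m = TRACK2_RE.match(data)
    if not m:
        raise ValueError("not a well-formed track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def chip_card(service_code: str) -> bool:
    """A first service-code digit of 2 or 6 tells the terminal an IC chip is present and
    must be used in preference to the stripe; fallback-to-stripe decisions start here."""
    return service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """Keep issuer prefix (6) and last four only; full track 2 never belongs in a journal."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


SAMPLE_TRACK2 = ";4000001234567899=25121011234567890?"   # constructed test value
```

A terminal or switch that logs the raw track 2 string, rather than `mask_pan(track.pan)`, turns its own journal into the same data a skimmer collects, which is why the masking step sits next to the parser.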


Functions of ATM

  • Cash Withdrawal

  • Balance Inquiry

  • Cheque book request

  • PIN Change

  • Mini Statement

  • Utility Bill Payment

  • Mobile Top-up

  • Updation of Mobile number ***


ATM Structure


Functioning of the ATM

  • Customer swipes the card

  • Enter PIN, encrypted using HSM/SSM

  • Validation of data by SWITCH

  • Customer authenticated

  • Service request like withdrawal of cash sent to Database

  • Balance verification for adequacy

  • Account debited and, on confirmation, ATM dispenses cash

  • In the changed process, even if the cash is not picked up, it will not go back to the ATM bin.

  • All details recorded in journal

  • Interchange agency – VISA, MASTER, RUPAY


Verification of PIN

  • Customer inserts card & enters PIN

  • Encrypted PIN sent to ATM Switch

  • ATM verifies card details from database & confirms correctness

  • Natural PIN generated

  • Switch holds the offset value, which is the difference between the actual PIN & the natural PIN

  • This offset value verified using HSM/SSM

  • If tallied, customer/card is authenticated


Change of PIN

  • Card inserted, verified from Switch databases

  • PIN change option – enter old PIN, verifies through SSM/HSM

  • Enter new PIN

  • Using card no. & natural PIN, new offset value generated & stored in SSM/HSM

  • Old offset value erased

  • Nowhere in the system is the PIN stored

  • There is a process of computing PIN using card no. & the offset value stored in HSM/SSM.
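The two slides above describe the natural-PIN/offset scheme: the switch stores only an offset, and the HSM reconstructs the PIN from the card number to verify or change it. The following is an added example, not the bank's or any vendor's code, with the HSM modelled as an object that keeps the PIN verification key inside and returns only offsets or yes/no answers. Real HSMs derive the natural PIN by encrypting the card number under the PVK with 3DES and decimalising (the IBM 3624 method); HMAC-SHA256 stands in for that here because the standard library has no 3DES, and the key value is constructed.

```python
# Added example (not the bank's or any vendor's code): the natural-PIN / offset scheme the
# slides describe, with the HSM modelled as an object that keeps the PIN verification key
# (PVK) inside and only returns offsets or yes/no answers. Real HSMs derive the natural PIN
# by encrypting the card number under the PVK with 3DES and decimalising the result
# (IBM 3624 method); HMAC-SHA256 stands in here because the standard library has no 3DES.
import hashlib
import hmac
from typing import Dict


class HsmSimulator:
    def __init__(self, pvk: bytes):
        self._pvk = pvk                     # never returned by any method

    def _natural_pin(self, card_no: str, pin_len: int) -> str:
        digest = hmac.new(self._pvk, card_no.encode(), hashlib.sha256).hexdigest()
        # Decimalisation: map each hex digit onto 0-9 (a real HSM uses a configured table).
        digits = "".join(str(int(ch, 16) % 10) for ch in digest)
        return digits[:pin_len]

    def generate_offset(self, card_no: str, chosen_pin: str) -> str:
        """Offset = (chosen PIN - natural PIN) digit-wise mod 10; this is all the switch stores."""
        natural = self._natural_pin(card_no, len(chosen_pin))
        return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, natural))

    def verify_pin(self, card_no: str, entered_pin: str, offset: str) -> bool:
        """Recompute natural PIN + offset and compare in constant time. The reconstructed
        PIN is a local that dies here, mirroring the HSM zeroising its work area."""
        natural = self._natural_pin(card_no, len(entered_pin))
        expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(natural, offset))
        return hmac.compare_digest(expected, entered_pin)


class AtmSwitch:
    """Switch database: card number -> offset. No PIN is ever written here."""

    def __init__(self, hsm: HsmSimulator):
        self.hsm = hsm
        self.offsets: Dict[str, str] = {}

    def issue_card(self, card_no: str, pin: str) -> None:
        self.offsets[card_no] = self.hsm.generate_offset(card_no, pin)

    def verify(self, card_no: str, entered_pin: str) -> bool:
        offset = self.offsets.get(card_no)
        if offset is None or not entered_pin.isdigit():
            return False
        return self.hsm.verify_pin(card_no, entered_pin, offset)

    def change_pin(self, card_no: str, old_pin: str, new_pin: str) -> bool:
        """PIN change per the slide: verify old PIN, derive new offset, overwrite the old one."""
        if not self.verify(card_no, old_pin):
            return False
        if len(new_pin) != len(old_pin) or not new_pin.isdigit():
            return False
        self.offsets[card_no] = self.hsm.generate_offset(card_no, new_pin)
        return True
```

Because the offset is the only value at rest, a copy of the switch database is useless without the PVK inside the HSM, which is the property the "Security of PIN" controls later in the deck are protecting.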


Operational Issue

  • Insufficient Cash

  • Journal paper exhausted

  • Network connection lost

  • Faulty card

  • CCTV should be there

  • Guard/ watchman should be insisted upon

  • After three wrong attempts the card should be blocked

  • Limit of cash withdrawal, no. of txn per day

  • Hotlisting of cards

  • Fraud Risk Management Solution


Evaluation of Controls in ATM

  • Card & PIN generation process

  • Dealing with surrendered card

  • Security of PIN

  • Control over cash

  • Maintenance of transaction records

  • Dealing with lost/ stolen cards

  • ATM Switch operations


Card & PIN Generation

  • Separate department to handle card & PIN

  • Confidentiality in PIN mailer generation

  • Reconciliation of no. of PIN mailer & card produced

  • Physical & Logical access control

  • Flow of data to card printing agency, if outsourced

  • Stock of blank cards

  • Control on card embossing & PIN mailer

  • PIN & card should be despatched separately by different courier

  • Record maintenance

  • Handling of returned cards


Surrendered & Captured Cards

  • Complete documentation

  • Process for replacement of card & PIN

  • Process for making captured card ineffective

  • PIN mailer need not be returned by customer

  • Register for surrendered card

  • Removal of captured card on regular basis

  • Report from Data Centre & reconciliation

  • Capture procedure for entering wrong PIN thrice


Security of PIN

  • Report by customer- block immediately

  • Not to disclose PIN to anyone

  • Process of timely generation of new PIN

  • PIN/PIN offset should always be in encrypted form

  • HSM/SSM should be in self destructive mode

  • All storage for PIN encryption should be zeroised after each calculation

  • No hard copy of record of PIN produced


ATM cash Management

  • Documented procedures for cash balancing

  • Journal should automatically record all withdrawals

  • Cash inserted in each BIN/ cassette should also be recorded

  • Cash reconciliation for cash dispensed, remaining cash, misfit notes

  • All discrepancies noted & reported

  • Maintenance of cash & reconciliation by 2 different persons

  • Wrong denomination – should be double-checked

  • Daily balance procedure


Record maintenance

  • Journal Roll – recording of all events

  • Hard copies of journal to be preserved

  • Soft copy of EJ – no modification allowed

  • Secure storage of EJ

  • Journal roll should be checked regularly

  • Unauthorised opening of ATM should also be recorded
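The slide asks for an electronic journal (EJ) that cannot be modified and that also records unscheduled opening of the ATM. The following is an added example, not from the presentation or any ATM vendor, of a tamper-evident EJ built as a SHA-256 hash chain: each record commits to the previous record's hash, so altering or deleting any entry fails verification from that point on. The events are constructed.

```python
# Added example (not from the presentation or any ATM vendor): a tamper-evident electronic
# journal (EJ) built as a SHA-256 hash chain. Each record commits to the previous record's
# hash, so altering or deleting any entry breaks verification from that point on.
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64


def _record_hash(prev_hash: str, body: Dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(journal: List[Dict], event: Dict) -> Dict:
    prev = journal[-1]["hash"] if journal else GENESIS
    body = {"seq": len(journal) + 1, **event}
    record = {**body, "prev": prev, "hash": _record_hash(prev, body)}
    journal.append(record)
    return record


def verify_journal(journal: List[Dict]) -> Tuple[bool, int]:
    """Return (ok, index of the first bad record or -1). Checks the back-link, the
    sequence number and the record hash of every entry."""
    prev = GENESIS
    for idx, rec in enumerate(journal):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if (rec.get("prev") != prev or body.get("seq") != idx + 1
                or _record_hash(prev, body) != rec.get("hash")):
            return False, idx
        prev = rec["hash"]
    return True, -1


# Constructed sample events; PANs are already masked before they reach the journal.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:02:11", "type": "WITHDRAWAL", "pan": "400000******7899",
     "amount": 2000, "result": "DISPENSED"},
    {"ts": "2024-01-15T09:05:40", "type": "BALANCE_INQUIRY", "pan": "400000******1234",
     "result": "OK"},
    {"ts": "2024-01-15T09:31:02", "type": "SAFE_DOOR_OPENED", "operator": None,
     "result": "UNSCHEDULED"},
    {"ts": "2024-01-15T09:40:17", "type": "CASSETTE_LOADED", "cassette": 1, "notes": 1000},
]


def build_sample_journal() -> List[Dict]:
    journal: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(journal, ev)
    return journal
```

A hash chain on its own only detects edits made after the head hash has left the machine, so the last record's hash should be sent to the data centre (or signed) at least at end of day; otherwise whoever can write the EJ file can also rewrite the chain.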


Lost & Stolen Cards

  • Documented Procedure

  • Up-to-date record of all stolen cards

  • Restricted access

  • Facility to identify when stolen card is used

  • Reject the transaction or capture the card on trigger

  • Procedure to note verbal instruction to stop usage

  • Replacement card after written request only

  • Legal provision to be followed

  • Report to be generated & preserved


ATM Switch Operations

  • ATM switch is also a server with database

  • Card No. & its offset value stored

  • Details of hotlisted cards

  • Details of surrendered card

  • Account balance of customer


ATM- Audit Check List

  • Security guard & CCTV

  • Control on Server OS & DB

  • Sys Admin controls

  • Security of Admin password

  • Setting of parameters like max. no. of withdrawal, withdrawal per day, no. of failed attempts etc.

  • Review the procedure for configuration

  • Authorised modification only allowed

  • Security of key encryption & decryption

  • Review procedure for hot-listing

  • Review types of logs generated

  • Agreement with other Banks & agency.


Skimming Sample

(Three photograph slides showing ATM skimming devices)

Picture Source: http://www.snopes.com/fraud/atm/atmcamera.asp


Internet Banking

  • Banking transactions through Internet

  • Permitted to registered customer only

  • Anytime, anywhere banking 24X7

  • Adequate security to be built

  • Customer awareness to be increased

  • Beware of phishing attacks


Internet Banking Components

  • Demilitarised Zone

  • Web server

  • Internet Banking Application Server

  • Internet Banking Database Server

  • Middleware – Connect 24

  • Central Database Server

  • Firewall


Internet Banking Flow

(Diagram slide, steps in sequence)

  • Customer accesses Bank’s website using a browser

  • Web server sends the Bank’s webpage to the customer

  • Customer types Internet Banking user name and password

  • Web server sends user name and password to IBAS

  • IBAS requests user name and password of the customer from IBDS

  • IBDS sends user name and password of customer to IBAS

  • IBAS authenticates the customer and intimates the web server

  • Web server presents the facing page of the customer’s account (assuming customer is authenticated)

  • Customer chooses an IB service, say “Account statement view”

  • Web server forwards the service request to IBAS for processing

  • IBAS requests customer account information from IBDS

  • IBDS requests customer account information from Core DB, which is accessed via middleware

  • Middleware forwards request from IBDS to Core DB

  • Core DB retrieves customer account information and forwards it to the middleware

  • Middleware converts customer account information to suit the requirements of IBDS

  • IBDS temporarily stores customer account information

  • IBAS accesses the customer information in IBDS and presents it to the web server

  • Web server presents the customer a dynamic web page with the account information

  • Customer is presented with the requested account statement


Internet Banking Process

  • Customer application – issue ID & Password

  • Login password & Transaction password

  • Change password immediately after first login

  • Browser based access through web pages

  • Website/ URL hosted in web server

  • Webserver is in DMZ of DC

  • Separate Firewall for Web server

  • Access through user-ID & login password

  • Customer detail will flow from web-server to IBAS

  • IBAS accesses IBDS which contains all details of IB customers

  • IBDS will verify the details, otherwise access will be denied

  • On successful authentication, customer will get access.


IB-available functions

  • Fund transfer – self & third party

  • Balance inquiry

  • Statement of accounts

  • Opening of Fixed Deposit & Recurring Deposit account

  • Request for Cheque Book

  • Stop Payment

  • ATM/Debit card queries

  • Other value added services


Process Flow

  • Customer chooses his function, say statement of account

  • Web server sends information to IBAS

  • IBAS accesses IBDS for getting data

  • IBDS will interact with Central DB server through middleware

  • Middleware converts the data to suit the requirement of central DB

  • IBDS forwards customer data to IBAS which processes the request

  • Statement of accounts from central DB made available to IBDS

  • IBDS will send to IBAS then to web browser

  • Web server generates dynamic web pages

  • Customer will get their required services.


Security Concern

  • Hacking, Phreaking

  • Phishing, Vishing etc

  • Incorrect account linkage

  • Fraudulent balance transfer

  • Unauthorised access

  • Cyber-related frauds

  • Lack of segregation of duties

  • Incorrect Firewall configuration

  • Insufficient built in application controls

  • Unstructured change management procedures


Audit Program of Internet Banking

  • Security policy

  • User identity & authentication

  • Access control to operating staff – proper segregation

  • Sysadmin roles & responsibilities

  • Firewall configuration

  • Live & test environment separation

  • Network security

  • Router configuration

  • Web server security

  • Built in operation control

  • Key Management procedure

  • HSM/SSM security

  • Change Management process


Data/information/system security

  • Internet banking systems have security features such as

    • separate transaction passwords, two factor authentication, multi-channel process for registering payees, upper limit on transaction value and SMS alerts to customers.

  • Appropriate verification procedures should also be incorporated at all channels such as phone banking, ATMs, branches and internet to ensure that only genuine transactions are put through.



Defeating 2-factor

  • Vishing attacks

    • Phisher poses as Bank’s call center personnel on telephone and requests customer for SMS OTP for verification

  • Smartphone malware to capture OTP

    • Malware on Symbian and Palm OS for stealing SMS from banks

  • Physical SIM replacement

    • Multiple cases seen in India over last year



Phishing, NetBanking & Call Center Fraud Example

(Diagram slide) Labels: Card Application; Get Personal Data from Autoforms; Internet Banking; Uses Harvested Web Credentials; My Accounts; Account Balance; Call Center; Authenticate using Personal Details and gets new PIN; Request Transfer.


(Diagram slide: branch layout) Universal Teller; Customer Sales Officer; Customer Care Team; Discussion Room; Customer Waiting Area; Reception.


Internal Transaction Fraud

  • 30 crore transferred in 12 minutes using RTGS

  • Fraud transactions were carried out early morning before the branch is fully operational

  • Bank employee logs in with a user-id with “Maker” privileges

  • Creates an RTGS transaction for 17 Crore debiting a corporate account in another branch. Beneficiary is a corporate account in external bank

  • Logs out and Logs in from same machine with user-id with “Checker” privileges and approves transaction

  • Repeats the same cycle to put a second RTGS transaction of 13 Crore from same account

  • All fraud transactions were carried out from a new IP in the branch subnet range
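The case above has three detectable signals: maker and checker acting from the same machine, approvals before the branch is operational, and a workstation not previously seen in the branch. The following is an added example, not from the presentation, that runs those rules over constructed audit-log lines. The log format, user IDs, IP addresses, branch opening time and host baseline are assumptions; the amounts of 17 and 13 crore are the slide's figures.

```python
# Added example (not from the presentation): detection rules for the maker/checker abuse
# pattern described on the slide, run over constructed audit-log lines. Field names, branch
# hours and the IP baseline are assumptions; amounts 17 and 13 crore are the slide's figures.
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

BRANCH_OPENS = time(9, 0)                              # assumed branch opening time
KNOWN_BRANCH_HOSTS = {"10.20.5.31", "10.20.5.42"}      # constructed baseline of workstations

LOG_LINES = """\
2024-01-15T07:41:02 user=mkr017 role=Maker action=CREATE txn=RTGS0001 amount=170000000 ip=10.20.5.77
2024-01-15T07:43:30 user=chk104 role=Checker action=APPROVE txn=RTGS0001 amount=170000000 ip=10.20.5.77
2024-01-15T07:47:12 user=mkr017 role=Maker action=CREATE txn=RTGS0002 amount=130000000 ip=10.20.5.77
2024-01-15T07:52:55 user=chk104 role=Checker action=APPROVE txn=RTGS0002 amount=130000000 ip=10.20.5.77
2024-01-15T10:15:40 user=mkr022 role=Maker action=CREATE txn=RTGS0003 amount=2500000 ip=10.20.5.31
2024-01-15T10:21:05 user=chk108 role=Checker action=APPROVE txn=RTGS0003 amount=2500000 ip=10.20.5.42
""".splitlines()


def parse_line(line: str) -> Dict[str, str]:
    """Constructed format: ISO timestamp followed by key=value pairs."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def detect_maker_checker_abuse(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (txn, finding) pairs. Rules: maker and checker acting from the same host or
    as the same user; approval before branch hours; activity from a host outside the
    branch baseline."""
    by_txn: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_txn[rec["txn"]].append(rec)

    findings: List[Tuple[str, str]] = []
    for txn, recs in sorted(by_txn.items()):
        creates = [r for r in recs if r["action"] == "CREATE"]
        approves = [r for r in recs if r["action"] == "APPROVE"]
        for a in approves:
            if any(c["ip"] == a["ip"] for c in creates):
                findings.append((txn, "maker and checker from same workstation"))
            if any(c["user"] == a["user"] for c in creates):
                findings.append((txn, "same user as maker and checker"))
            if datetime.fromisoformat(a["ts"]).time() < BRANCH_OPENS:
                findings.append((txn, "approval before branch hours"))
        for host in sorted({r["ip"] for r in recs} - KNOWN_BRANCH_HOSTS):
            findings.append((txn, f"activity from unknown host {host}"))
    return findings
```

Each rule is cheap enough to run in real time on the approval event rather than in a next-day report, which matters when the whole sequence takes twelve minutes; a same-workstation approval of a high-value RTGS is a reasonable trigger for holding the payment before it reaches the RTGS gateway.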



Risk Based Authentication – Internet Banking

(Diagram slide)

  • Login/transaction activity is fed to real time risk assessment, governed by policies

  • Low risk: continue

  • High risk: customer challenge (Token, Knowledge Based, SMS, Soft tokens, Device Based, Interactive)

  • Challenge pass: continue; challenge fail: block
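The diagram's decision flow (assess, continue on low risk, challenge on high risk, then continue or block on the challenge result) can be expressed as a small policy engine. The following is an added example, not from the presentation; the risk factors, weights and threshold are constructed, and a production engine would tune them from observed fraud data.

```python
# Added example (not from the presentation): the risk-based authentication decision flow
# sketched on the slide, as a scoring policy followed by the challenge step. Factors,
# weights and the threshold are constructed; a production engine would tune them from data.
from dataclasses import dataclass
from typing import Optional

HIGH_RISK_THRESHOLD = 50      # assumed: scores at or above this trigger a challenge
HIGH_VALUE_AMOUNT = 100_000   # assumed threshold in account currency


@dataclass
class Activity:
    kind: str                       # "login" or "transaction"
    known_device: bool              # device fingerprint seen before for this customer
    country_matches_profile: bool   # source country consistent with the customer's history
    failed_logins_last_hour: int = 0
    amount: int = 0
    new_payee: bool = False


def risk_score(act: Activity) -> int:
    """Additive policy: each factor contributes a fixed weight (constructed values)."""
    score = 0
    if not act.known_device:
        score += 30
    if not act.country_matches_profile:
        score += 30
    score += 10 * min(act.failed_logins_last_hour, 5)
    if act.kind == "transaction":
        if act.new_payee:
            score += 20
        if act.amount >= HIGH_VALUE_AMOUNT:
            score += 20
    return score


def decide(act: Activity, challenge_passed: Optional[bool] = None) -> str:
    """Low risk -> CONTINUE. High risk -> CHALLENGE (token, SMS OTP, knowledge question...);
    once the customer has answered, pass -> CONTINUE and fail -> BLOCK, as on the slide."""
    if risk_score(act) < HIGH_RISK_THRESHOLD:
        return "CONTINUE"
    if challenge_passed is None:
        return "CHALLENGE"
    return "CONTINUE" if challenge_passed else "BLOCK"
```

Keeping the scoring separate from the decision lets the policy team change weights and the threshold without touching the challenge mechanics, and makes the "Policies" box on the diagram a table rather than code.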


Risk Based Authentication Flow


Cash Management System

  • Exclusive utility for all India based customers

  • Collection & Payment at different location – large scale

  • High volume of disbursement for salary, dividend payment

  • Need not open account in multiple centres

  • Multiple centres authorised to receive cheques etc.

  • Credit to base account on same day subject to limit

  • MIS generated, partywise, location wise report available

  • Information through e-mail


Parameter setting

  • Clearing cycle

  • Credit limit

  • Slab maintenance

  • Interest calculation

  • Processing charges

  • Waiver of charges

  • Validation of data

  • Encryption


Controls

  • Calculation process to be verified

  • Any modification allowed in middle?

  • Integrity of data – implement encryption

  • Security on data moving through internet

  • Authentication & verification

  • EOD processing

  • Pooling account – reconciliation- zeroise daily

  • Interface with CBS

  • Built in controls for exception reporting

  • Audit trail to be maintained.


Real Time Gross Settlement

  • Inter Bank Money transfer system

  • No waiting period- immediate within 2 hours

  • All transactions are gross, reflected in central bank account

  • Payment is final & irrevocable

  • Minimum amount 1 lac, no upper limit

  • Debit first to customer account & credit through RBI

  • Customer makes the application, rest is automatic

  • Correct account number and IFSC code of the Bank branch

  • Money will return within 2 hours, if not credited.


RTGS information

  • Amount to be remitted

  • Customer account number

  • Name of beneficiary Bank

  • Name of beneficiary

  • Account number of Beneficiary

  • IFSC Code

  • Type of account


RTGS Technology

  • Routed through INFINET

  • SFMS formats are used for messages

  • RBI CBS used mainframe to handle the system

  • Inter Bank Fund Transfer Processor (IFTP) & Integrated Accounting System of RBI used.

  • Message in standard MQ series software of IBM

  • RTGS Client software is participant interface-PI

  • PI processes the inward and outward messages

  • IFTP transmits it to RTGS of RBI

  • From RBI it will travel to destination Bank in the same way.


RTGS


RTGS Message Flow

  • Participant Interface

  • Inter Bank Fund Transfer Processor at RBI

  • RTGS System at RBI

  • Communication Systems

  • Encryption Process of Transactions

  • PI Interface

    - Gateway Module

    - Outward Message Manager at OMM server

    - Inward Message Manager at IMM server

  • User Control Tool

  • Settlement


RTGS


  • Login