cbs interfaces
Skip this Video
Download Presentation
CBS Interfaces

Loading in 2 Seconds...

play fullscreen
1 / 51

CBS Interfaces - PowerPoint PPT Presentation

  • Uploaded on

CBS Interfaces. N D Kundu. Agenda. Alternate Delivery Channels Automated Teller Machines Internet Banking Real Time Gross Settlement Cash Management Systems. External Interfaces. ATM Interface ATM interface with switch Tele banking Internet banking Mobile Banking Cash Management

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' CBS Interfaces' - larissa-peterson

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Alternate Delivery Channels
    • Automated Teller Machines
    • Internet Banking
    • Real Time Gross Settlement
    • Cash Management Systems
External Interfaces
  • ATM Interface
  • ATM interface with switch
  • Tele banking
  • Internet banking
  • Mobile Banking
  • Cash Management
  • Real Time Gross Settlement
  • Bunch Note Acceptor
Central Bank

Clearing House

National Payment System

Bank A

Bank B

Retail Payment System

(ATM, EFTPOS, Credit Cards





I T and Retail Payment Systems

  • One view to the external world through all delivery channels
  • Middleware for real time interface of delivery channels to Finacle
  • Supports traditional and emerging delivery channels viz. ATM, Telephone or Internet using ISO 8583 and OFX standards
















automated teller machine atm
Automated Teller Machine (ATM)
  • ATM Card & Debit Card
  • Procedure for issuing ATM Cards
  • ATM Switches
  • Host Security Module
  • Natural PIN Generation
  • Storage of PIN??
  • Track 2 on Magnetic-strip
  • Chip based Card
  • Cash Dispenser
functions of atm
Functions of ATM
  • Cash Withdrawal
  • Balance Inquiry
  • Cheque book request
  • PIN Change
  • Mini Statement
  • Utility Bill Payment
  • Mobile Top-up
  • Updation of Mobile number ***
functioning of the atm
Functioning of the ATM
  • Customer swipe the card
  • Enter PIN, encrypted using HSM/SSM
  • Validation of data by SWITCH
  • Customer authenticated
  • Service request like withdrawal of cash sent to Database
  • Balance verification for adequacy
  • Account debited and on confirmation ATM dispensed cash
  • In the changed process, even the cash is not picked up, it will not gone back to the ATM BIN.
  • All details recorded in journal
  • Interchange agency – VISA, MASTER, RUPAY
verification of pin
Verification of PIN
  • Customer insert card & enter PIN
  • Encrypted PIN sent to ATM Switch
  • ATM verifies card details from database & confirm correctness
  • Natural PIN generated
  • Switch is having the value which is difference between actual PIN & natural PIN
  • This offset value verified using HSM/SSM
  • If tallied customer/card is authenticated
change of pin
Change of PIN
  • Card inserted, verified from Switch databases
  • PIN change option – enter old PIN, verifies through SSM/HSM
  • Enter new PIN
  • Using card no., Natural PIN new offset value generated & stored in SSM/HSM
  • Old offset value erased
  • No where in the system PIN is stored
  • There is a process of computing PIN using card no. & the offset value stored in HSM/SSM.
operational issue
Operational Issue
  • Insufficient Cash
  • Journal paper exhausted
  • Network connection lost
  • Faulty card
  • CCTV should be there
  • Guard/ watchman should be insisted upon
  • Three wrong attempts card should be blocked
  • Limit of cash withdrawal, no. of txn per day
  • Hotlisting of cards
  • Fraud Risk Management Solution
evaluation of controls in atm
Evaluation of Controls in ATM
  • Card & PIN generation process
  • Dealing with surrendered card
  • Security of PIN
  • Control over cash
  • Maintenance of transaction records
  • Dealing with lost/ stolen cards
  • ATM Switch operations
card pin generation
Card & PIN Generation
  • Separate department to handle card & PIN
  • Confidentiality in PIN mailer generation
  • Reconciliation of no. of PIN mailer & card produced
  • Physical & Logical access control
  • Flow of data to card printing agency, if outsourced
  • Stock of blank cards
  • Control on card card embossing & PIN mailer
  • PIN & card should be despatched separately by different courier
  • Record maintenance
  • Handling of returned cards
surrendered captured cards
Surrendered & Captured Cards
  • Complete documentation
  • Process for replacement of card & PIN
  • Process for making captured card ineffective
  • PIN mailer need not be returned by customer
  • Register for surrendered card
  • Removal of captured card on regular basis
  • Report from Data Centre & reconciliation
  • Capture procedure for entering wrong PIN thrice
security of pin
Security of PIN
  • Report by customer- block immediately
  • Not to disclose PIN to anyone
  • Process of timely generation of new PIN
  • PIN/PIN offset should always be in encrypted form
  • HSM/SSM should be in self destructive mode
  • All storage for PIN encryption should be zeroised after each calculation
  • No hard copy of record of PIN produced
atm cash management
ATM cash Management
  • Documented procedures for cash balancing
  • Journal should automatically record all withdrawals
  • Cash inserted in each BIN/ cassette should also be recorded
  • Cash reconciliation for cash dispensed, remaining cash, misfit notes
  • All discrepancies noted & reported
  • Maintenance of cash & reconciliation by 2 different persons
  • Wrong denomination – should be doubly check
  • Daily balance procedure
record maintenance
Record maintenance
  • Journal Roll – recording of all events
  • Hard copies of journal to be preserved
  • Soft copy of EJ – no modification allowed
  • Secure storage of EJ
  • Journal roll should be checked regularly
  • Unauthorised opening of ATM should also be recorded
lost stolen cards
Lost & Stolen Cards
  • Documented Procedure
  • Uptodate record of all stolen cards
  • Restricted access
  • Facility to identify when stolen card is used
  • Reject the transaction or capture the card on trigger
  • Procedure to note verbal instruction to stop usage
  • Replacement card after written request only
  • Legal provision to be followed
  • Report to be generated & preserved
atm switch operations
ATM Switch Operations
  • ATM switch is also a server with dtabase
  • Card No. & its offset value stored
  • Details of hotlisted cards
  • Details of surrendered card
  • Account balance of customer
atm audit check list
ATM- Audit Check List
  • Security guard & CCTV
  • Control on Server OS & DB
  • Sys Admin controls
  • Security of Admin password
  • Setting of parameters like max. no. of withdrawal, withdrawal per day, no. of failed attempts etc.
  • Review the procedure for configuration
  • Authorised modification only allowed
  • Security of key encryption & decryption
  • Review procedure for hot-listing
  • Review types of logs generated
  • Agreement with other Banks & agency.
skimming sample
Skimming Sample

Picture Source:

skimming sample1
Skimming Sample

Picture Source:

skimming sample2
Skimming Sample

Picture Source:

internet banking
Internet Banking
  • Banking transactions through Internet
  • Permitted to registered customer only
  • Any time, any where banking 24X7
  • Adequate security to be built
  • Customer awareness to be increased
  • Beware of phishing attacks
internet banking components
Internet Banking Components
  • Demilitarised Zone
  • Web server
  • Internet Banking Application Server
  • Internet Banking Database Server
  • Middleware – Connect 24
  • Central Database Server
  • Firewal
Customer accesses Bank’s website using a browser

Web server sends the Bank’s Webpage to the customer

Customer types Internet Banking user name and password

IBAS requests user name and password of the customer from IBDS

Web server sends user name and password to IBAS

IBDS sends user Name and Password of Customer to IBAS

Customer chooses an IB service say “Account statementview”

Web server presents the facing page of the Customer’s account (assuming customer is authenticated)

IBAS authenticates the customer and intimates the web server

Web server forwards the service request to IBAS for processing



IBAS requests customer account information from IBDS

IBDS requests customer account information from Core DB that is accessed via Middleware

Core DB retrieves customer account information and forwards it to the middleware

Middleware forwards request from IBDS to Core DB

Middleware converts customer account information to suit the requirements of IBDS

IBDS temporarily stores customer account information

IBAS accesses the customer information in IBDS and presents it to the Web Server

Web server presents the customer a dynamic web page with the account information

Customer is presented with the requested account statement

internet banking process
Internet Banking Process
  • Customer application – issue ID & Password
  • Login password & Transaction password
  • Change password immediately after first login
  • Browser based access through web pages
  • Website/ URL hosted in web server
  • Webserver is in DMZ of DC
  • Separate Firewall for Web server
  • Access through user-ID & login password
  • Customer detail will flow from web-server to IBAS
  • IBAS access IBDS which contains all details of IB customers
  • IBDS will verify the details, otherwise access will be denied
  • On successful authentication, customer will get access.
ib available functions
IB-available functions
  • Fund transfer – self & third party
  • Balance inquiry
  • Statement of accounts
  • Opening of Fixed Deposit & Recurring Deposit account
  • Request for Cheque Book
  • Stop Payment
  • ATM/Debit card queries
  • Other value added services
process flow
Process Flow
  • Customer choose his function say statement of account
  • Web server send information to IBAS
  • IBAS access IBDS for getting data
  • IBDS will interact with Central DB server through middleware
  • Middleware convert the data to suit the requirement of central DB
  • IBDS forward customer data to IBAS which process the request
  • Statement of accounts from central DB made available to IBDS
  • IBDS will send to IBAS then to web browser
  • Web server generate dynamic web pages
  • Customer will get their required services.
security concern
Security Concern
  • Hacking, Phracking
  • Phishing, Vishing etc
  • Incorrect account linkage
  • Fraudulent balance transfer
  • Unauthorised access
  • Cyber-related frauds
  • Lack of segregation of duties
  • Incorrect Firewall configuration
  • Insufficient built in application controls
  • Unstructured change management procedures
audit program of internet banking
Audit Program of Internet Banking
  • Security policy
  • User inentity & authentication
  • Access control to operating staff – proper segregation
  • Sysadmin roles & responsibilities
  • Firewall configuration
  • Live & test environment separation
  • Network security
  • Router configuration
  • Web server security
  • Built in operation control
  • Key Management procedure
  • HSM/SSM security
  • Change Management process
data information system security
Data/information/system security
  • Internet banking systems have security features such as
    • separate transaction passwords, two factor authentication, multi-channel process for registering payees, upper limit on transaction value and SMS alerts to customers.
  • Appropriate verification procedures should also be incorporated at all channels such as phone banking, ATMs, branches and internet to ensure that only genuine transactions are put through.

ujvala consultants

defeating 2 factor
Defeating 2-factor
  • Vishing attacks
    • Phisher poses as Bank’s call center personnel on telephone and requests customer for SMS OTP for verification
  • Smartphone malware to capture OTP
    • Malware on symbian and Palm OS for stealing sms from banks
  • Physical SIM replacement
    • Multiple cases seen in India over last year

Enterprise Security- trends & concepts

phishing netbanking call center fraud example

Account Balance

My Accounts

Get Personal Data from Autoforms

Internet Banking

Authenticate using Personal Details and gets new PIN

Request Transfer

Call Center

Phishing, NetBanking & Call Center Fraud Example

Uses Harvested Web Credentials

Universal Teller

Customer Sales Officer

Customer Care Team

Discussion Room

Customer Waiting Area


internal transaction fraud
Internal Transaction Fraud
  • 30 crore transferred in 12 minutes using RTGS
  • Fraud transactions were carried out early morning before the branch is fully operational
  • Bank employee logs in with an user-id with “Maker” privileges
  • Creates a RTGS transaction for 17 Crore debiting a corporate account in another branch. Beneficiary is a corporate account in external bank
  • Logs out and Logs in from same machine with user-id with “Checker” privileges and approves transaction
  • Repeats the same cycle to put a second RTGS transaction of 13 Crore from same account
  • All fraud transactions were carried out from a new IP in the branch subnet range

Presentation Name

risk based authentication internet banking
Risk Based Authentication – Internet Banking

Token, Knowledge Based, SMS, Soft tokens, Device Based, Interactive

Customer Challenge




High Risk



Login /Transaction activity

Real Time Risk Assessment

Low Risk

cash management system
Cash Management System
  • Exclusive utility for all India based customers
  • Collection & Payment at different location – large scale
  • High volume of disbursement for salary, dividend payment
  • Need not open account in multiple centres
  • Multiple centresauthorised to receive cheques etc.
  • Credit to base account on same day subject to limit
  • MIS generated, partywise, location wise report available
  • Information through e-mail
parameter setting
Parameter setting
  • Clearing cycle
  • Credit limit
  • Slab maintenance
  • Interest calculation
  • Processing charges
  • Waiver of charges
  • Validation of data
  • Encryption
  • Calculation process to be verified
  • Any modification allowed in middle?
  • Integrity of data – implement encryption
  • Security on data moving through internet
  • Authentication & verification
  • EOD processing
  • Pooling account – reconciliation- zeroise daily
  • Interface with CBS
  • Built in controls for exception reporting
  • Audit trail to be maintained.
real time gross settlement
Real Time Gross Settlement
  • Inter Bank Money transfer system
  • No waiting period- immediate within 2 hours
  • All transaction are gross, reflected in central bank account
  • Payment is final & irrevokable
  • Minimum amount 1 lac, no upper limit
  • Debit first to customer account & credit through RBI
  • Customer make the application, rest is automatic
  • Correct account number and IFSC code of the Bank branch
  • Money will return within 2 hours, if not credited.
rtgs information
RTGS information
  • Amount to be remitted
  • Customer account number
  • Name of beneficiary Bank
  • Name of beneficiary
  • Account number of Beneficiary
  • IFSC Code
  • Type of account
rtgs technology
RTGS Technology
  • Routed through INFINET
  • SFMS formats are used for messages
  • RBI CBS used mainframe to handle the system
  • Inter Bank Fund Transfer Processor (IFTP) & Integrated Accounting System of RBI used.
  • Message in standard MQ series software of IBM
  • RTGS Client software is participant interface-PI
  • PI processes the inward and outward messages
  • IFTP transmit it to RTGS of RBI
  • From RBI it will travel to destination Bank in the same way.
rtgs message flow
RTGS Message Flow
  • Participant Interface
  • Inter Bank Fund Transfer Processor at RBI
  • RTGS System at RBI
  • Communication Systems
  • Encryption Process of Transactions
  • PI Interface

- Gateway Module

- Outward Message Manager at OMM server

- Inward Message Manager at IMM server

  • User Control Tool
  • Settlement