CC BY

SOCIO-ECONOMIC DEVELOPMENT OF TERRITORIES

Information security in banking: conceptual issues

Bojinov Bojidar Violinov

PhD in Economics, Professor, Professor of the Finance and Credit Department of the "Dimitar Tsenov" State Academy of Business, Svishtov, Bulgaria

Bojidar V. Bojinov

Full Professor, PhD, Finance and Credit Department, Tsenov Academy of Economics, Svishtov, Bulgaria

e-mail: bobi@uni-svishtov.bg

UDC 336.71

Information security in banking: conceptual issues

In this article the author examines the term "information security" and analyzes the main directions and problems of information security in the banking industry. The main types of damage that banks incur as a result of compromises and incidents in the field of information security are discussed.

The paper clarifies the term "information security" and analyzes the main directions and challenges for information security in the banking industry. The author examines the main types of damage that banks incur as a result of information security compromises and incidents.

Keywords: banks, IT, information security, remote banking, internet banking.

The penetration of new information and communication technologies (ICT) into the banking business is gradually but radically changing the essence and nature of banking. Innovative means of communication help to reduce price differences between geographically distant markets. Technological innovation also promotes a higher degree of integration and communication between different units within the organization, and expands both the product range and the distribution channels used.

Internet banking as a distribution channel for the remote provision of banking services contributes to a significant reduction in the role of physical branches. At the European level, physical bank branches account for 64% of bank product sales, while the remaining 36 percent are sold through various forms of remote banking [10].

The new distribution channels impose ever-increasing costs on banks for their creation and maintenance. For example, whereas in 1996 maintaining a bank website cost in the range of 5,000-500,000 dollars, by 2005 the cost of the infrastructure needed to provide full-featured e-banking had already moved into the range of 50-150 million dollars [13].

[Figure 1. Level of penetration of Internet banking in Europe (selected countries). Source: http://www.statista.com/statistics/222286/online-banking-penetration-in-leading-european-countries/]

Along with the competitive advantages and the direct economic impact of introducing high-tech innovation in the banking sector, credit institutions face a number of challenges, one of which is ensuring the safety of the products delivered and the related information. In general, information security covers all aspects of managing and maintaining the integrity of an organization's information, regardless of its medium. In the context of the digitalization of society, the term "information security" has come to be used in a narrower sense, covering only the management and protection of information in electronic form. Today information security covers the full set of measures for preventing and eliminating problems in the operation of information systems, coupled with measures for protecting information flows from unauthorized access and use [7].

[Figure 2. Top 5 types of economic crime experienced by the Financial Services sector (2011-2014): asset misappropriation, cybercrime, money laundering, accounting fraud, bribery and corruption; series "2014 - FS" and "2011 - FS"; horizontal axis: % of reported frauds. Source: Threats to the Financial Services sector. Financial Services sector analysis of PwC's 2014 Global Economic Crime Survey, p. 5]

Information security is directly linked to the manifestation of operational risk in the banking sector [2]. Operational risk is a direct consequence of operational problems, organizational change, inadequate or missing procedures, lack of segregation of duties, insufficient or inadequately trained staff, violations of internal controls, fraud, or unforeseen events that may lead to unexpected losses, errors, untimely execution, failures in information systems, fires and disasters leading to the destruction of assets or data [3, p. 87]. The most common sources of operational risk associated with information security are [6]:

• Staff (the human factor), in particular:

- Unintentional and/or incompetent actions related to a lack of adequate skills and knowledge, inadequate training, lack of understanding of performance standards, methods, tools and procedures, negligence, errors, inadequate control, etc.;

- Deliberate actions related to unauthorized activities in transacting, theft, forgery of information in the accounting system, forgery of financial and payment documents, theft of cash, hacking, deliberate violation of bank rules and procedures, money laundering, insider trading, and other intentional acts for personal gain;

- Incorrect planning and management of staff: staff shortages and their replacement with inadequately trained and prepared personnel, sickness absence, staff turnover and others;

- Harm to clients' interests through violation of banking secrecy, disclosure of personal and/or confidential information, violation of the interests of the client and others.

• Internal processes: violations of established rules, guidelines, processes, policies and control procedures, and improper evaluation and measurement of risks as a result of omissions or errors in the models used;

• Systems: problems in information systems that result in the complete or partial interruption of the bank's operations:

- General systemic risks associated with restricting access to systems and networks, inadequate procedures for backup and data recovery, the virus protection policy, the policy restricting unauthorized access to systems, etc.;

- Risks associated with the software used, arising from system failures, errors in the calculation and/or reporting of transactions or other programming errors due to outdated and/or inadequate technology, unauthorized access to customer accounts and data, issues with archiving, etc.;

- Risks associated with hardware: the use of outdated or faulty computer systems, lack of redundancy of critical servers and hardware elements, lack of system backup and recovery, lack of emergency power supply systems, and others.

• External factors related to:

- Force majeure: natural disasters, fires, vandalism, terrorist attacks, etc.;

- Deliberate acts of third parties: robbery, fraud on behalf of the bank, hacker attacks, misappropriation of access to customer accounts, other intentional actions;

- The risk of service providers: telephone service providers, power supply, telecom connectivity, outsourcing, etc.

Research from 2015 shows that 82% of recorded bank crimes involve manipulation of, or unauthorized access to, financial documentation. Most of them are aimed at the misappropriation of proprietary information or assets, while those carried out with the help of computer and information technologies make up only 7% of all bank crimes [4, p. 99]. Such crimes are committed by persons associated with the bank (or former employees) [5, p. 119] who hold managerial positions (45%), have a clean criminal record (87%) or work in non-technical roles (80%) [11, p. 4-11]. Research on the Bulgarian banking sector shows that over the past five years officials in 58% of the surveyed banks have attempted embezzlement or misuse of bank assets, and in another 54% of cases contractor companies that had acquired information in the course of performing contractual obligations attempted to misuse the information provided [1, p. 32].

From this point of view, an essential aspect of banking security is ensuring the information safety of bank assets as well as of the related operational and management information. Two main areas deserve particular attention: (1) documentary safety, i.e. protecting the information contained in physical documents, and (2) information security, i.e. ensuring the security of information in electronic form. Problems with the documentary safety of bank information are most often associated with document fraud by third parties; document fraud by internal bank entities; loss, theft or misuse of bank and corporate information; and participation in and concealment of financial crimes.

The main attempts to undermine the information security of banking systems through embezzlement, manipulation or destruction of information are driven by the desire to get rich quickly or to carry out and conceal another crime. They are usually related to identity theft, the acquisition of confidential information through espionage, the use of banking infrastructure for financial and tax crimes, including money laundering, and cybercrime [12, p. 8]. The approaches most commonly used in carrying out these crimes involve malware, man-in-the-browser (MITB) attacks, various forms of social engineering (vishing, whaling, SMS phishing or smishing), exploitation of weaknesses in online platforms, DoS or DDoS attacks, and insiders [8, p. 3-5].

The main types of damage a bank suffers as a result of information security breaches are direct and indirect financial damage, harm to its image and reputation, loss of profits, and the costs of information security itself [12, p. 11-12]. This requires banks to seek adequate tools for the operational management and minimization of the risks associated with information security. Some of the newer approaches in this field include multifactor authentication, geolocation, device identification, analysis of customer behavior and other similar means [8, p. 5-6].

Multifactor authentication introduces a multi-step process for the unique identification of the user which, beyond the standard username and password, uses a variety of technical methods and devices combined with personal information previously provided by the client (e.g. favorite team, first car, home pet, etc.), so that the bank's automated information systems can identify the user uniquely. In terms of the technical equipment and devices used for user authentication, banks mostly use tokens (generating random one-time numbers), USB devices (as a carrier of an electronic signature or other unique identifying information) and SMS notifications (including for sending a one-time confirmation code).

A recent trend in the range of technical tools is that banks use the MAC addresses of the client's devices (PC, tablet, phone) and geolocation services (by IP address or GPS) to assess the potential risk posed by the originator of a transaction and to request additional information that uniquely identifies the originator. Moreover, banks increasingly introduce automated expert systems through which they analyze user behavior (e.g. the usual time of logging into the systems, typical actions, the usual size, frequency, direction and method of payment, the devices used) and on this basis look for anomalies (so-called "red flags") that indicate a potential attempt at fraud, including one using a stolen identity.
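The behavioral "red flag" logic described above, as an added illustration that is not part of the paper: a client profile is built from constructed past activity (login hour, device, IP-derived country, payment size), each new attempt is compared against it, and the number of anomalies decides whether to allow, require a second factor (step-up), or hold the transaction for review. All names, thresholds and records are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Attempt:
    user: str
    hour: int        # hour of day of the login or payment
    device: str      # device identifier (the paper mentions MAC addresses)
    country: str     # country resolved from IP geolocation
    amount: float    # payment amount; 0.0 for a plain login

# Constructed history of one client's past, legitimate activity (not real data).
HISTORY = [
    Attempt("alice", 9, "dev-A", "BG", 120.0),
    Attempt("alice", 10, "dev-A", "BG", 80.0),
    Attempt("alice", 18, "dev-B", "BG", 200.0),
    Attempt("alice", 11, "dev-A", "BG", 150.0),
    Attempt("alice", 9, "dev-A", "BG", 95.0),
]

def build_profile(history):
    """Summarize what is 'usual' for the client: time window, devices, locations, largest payment."""
    hours = [a.hour for a in history]
    amounts = [a.amount for a in history if a.amount > 0]
    return {
        "hours": (min(hours), max(hours)),
        "devices": {a.device for a in history},
        "countries": {a.country for a in history},
        "max_amount": max(amounts),
    }

def red_flags(profile, attempt):
    """Return the list of anomalies (red flags) the attempt raises against the profile."""
    flags = []
    lo, hi = profile["hours"]
    if not lo <= attempt.hour <= hi:
        flags.append("unusual_time")
    if attempt.device not in profile["devices"]:
        flags.append("new_device")
    if attempt.country not in profile["countries"]:
        flags.append("new_location")
    if attempt.amount > 2 * profile["max_amount"]:   # assumed threshold: double the largest past payment
        flags.append("unusual_amount")
    return flags

def decide(flags):
    """Risk-based decision: no flags -> allow; one flag -> ask for a second factor; more -> hold."""
    if not flags:
        return "allow"
    return "step_up" if len(flags) == 1 else "hold_for_review"

PROFILE = build_profile(HISTORY)
```

In a real deployment the thresholds would be tuned per client segment and the profile refreshed as legitimate behavior changes, otherwise every holiday trip becomes a "new_location" flag.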

In recent years, as part of their information security management policies, banks have begun to pay particular attention to plans for action in emergency situations (Disaster Recovery Plans). These include measures to identify and build alternative mechanisms and channels for resuming service in case of disruption (redundancy of equipment, technology, communications, emergency power supply, etc.), building backup systems that allow fast recovery of archived data with minimal or no loss of information (cluster systems, virtualization, real-time data replication, high backup frequency), and creating Disaster Recovery centers, including through the use of outside vendors or cloud services.

References

1. Biolcheva, P. Development and evaluation of projects for increasing the physical security of commercial banks. Dissertation abstract, Sofia, 2014. (in Bulgarian)

2. Bozhinov, B. Risk management in the commercial bank. "Education and Science" library, no. 58, Tsenov Academic Publishing House, Svishtov, 2013. (in Bulgarian)

3. Dimitrova, T. Internal audit: an effective tool of bank management. "Education and Science" library, no. 38, Tsenov Academic Publishing House, Svishtov, 2013. (in Bulgarian)

4. Zvezda, I. I. On the classification of fraud methods in the banking sector. Izvestiya of Tula State University. Economic and Legal Sciences, 2015, vol. 3-2, pp. 97-105. (in Russian)

5. Milyaev, P. V. Fraud in the banking sector. (in Russian)

6. Trifonova, S. Management of banks' operational risk. Vatreshen Oditor (Internal Auditor), VII, no. 1, 2010. (in Bulgarian)

7. Tyutyunnik, A. V., Turbanov, A. V. Banking. Finansy i Statistika, Moscow, 2005. (in Russian)

8. ACI Universal Payment. Fighting online fraud: an industry perspective, volume 3, 2014.

9. Bojinov, B. What Bulgarian Banks Offer via Internet: an overview.

10. EFMA. Final 2010 Multichannel Banking in Europe Report.

11. Insider Fraud in Financial Services.

12. Lagazio, M., Sherif, N., Cushman, M. A multi-level approach to understanding the impact of cyber crime on the financial sector.

13. Tuchila, R. Servicii bancare prin Internet (Internet banking services). E-finance Romania, 2000. (in Romanian)
