ABSTRACT

Financial institutions, banks in particular have been subjected to different attacks intentionally or accidental through unauthorized access, modification, deletion or through other means of security breaches.This might be due to the inadequate security principles or negligence on the part of both the customers and the financial institutions.

The financial institutions and business environment is constantly changing and are faced with myriads of threats and scandal that is increasingly hindering internet banking, it is therefore imperative to ensure that financial institutions (banks) that use or manage the information of their consumers are continuously available. Financial sector critically depend on the reliability, security and continuous operation of their information system which had apparently been face with the threat of hackers and malicious insiders.

Therefore, considering the financial institutions business process as well as their critical dependencies, it is extremely important to develop a plan and countermeasures that will ensure tight security in internet banking. In other words, in the event of any intrusion, financial institution can respond effectively and efficiently to this threats and their business process can continue smoothly without any fear.

This project examines the threats and scandal financial institution had been facing in recent time through survey, and countermeasures used to protect the organizational data were assessed and policy was written to make the organization security expectation effective.

ACKNOWLEDGEMENT

First, my profound gratitude goes to God Almighty for giving me the wisdom, knowledge and understanding necessary to see me through this dissertation, I will forever appreciate Him for being the author and finisher of this dissertation work. I would like to thank Dr. Siraj Shaikh, of the Department of Computing with systems security management for dedicating his time to constructively criticise this project work as well as his meaningful suggestions and unflinching support towards the success of this dissertation.

I would also like to express my sincere gratitude to the staff team of University of Gloucestershire Park campus for all their useful support in the course of the whole project.

My utmost gratitude also goes to my parents, Mr & late Mrs Akinade Adekunle for playing an immeasurable role in the course of this project. And to you my Mum, when God created mothers, he gave me the best. I miss you. Thanks to my siblings too.

This acknowledgement will be in doubt without expressing my thanks to my beloved mother Mama Oguntoyinbo for her spiritual and moral support. My appreciation also goes to my foster parents Pastor and Dnss Kayode Omiwole for their unquantifiable support in every area of my Life. May God bless you.

I can never forget but sincerely recognize the invaluable support of my dotting wife Olaide Adekunle whose moral, spiritual and financial support throughout my course of study cannot be quantified.

I will not fail to appreciate my friends particularly, Alex (The genius) and my cousin Ayodeji Adedigba and those that are supportive to me throughout the course of my program; I'm saying I love you all for your contributions.

Lastly, I would like to say whole heartedly that, I will be responsible for any mistake this contribution to knowledge may have.

COMMENTS…The acknowledgement is too much; cut it down to one page please. Take out irrelevances.

CHAPTER ONE

1.0 INTRODUCTION.

Developments in information and communication technologies particularly, the growing use of internet for banking business transaction have had a great effect on the banking industry. While this is a worldwide phenomenon, the increasing tendency of internet banking transaction has raised information security matters that are to be strictly and more stringently taken care of. There seems to be various thoughts about major online security disruption of business in financial institution crisis across the globe, not until early hours of April 07, 2008 in the HSBC monthly financial journal, reports that HSBC had lost 370,000 customers' data disc via the post, were the details such as names, date of births and their level of insurance cover were lost to awful people.

Ever since that time industries, organisations most especially financial institutions were more security conscious and are seriously considering more and better security measures to be able to keep their customers' data and also protect the institution from any fraudulent act from outside or from any bad natured insider. This major incident of significant magnitude, made management of many financial organisations to quickly go back to a drawing board to readdress their plans and formulate an approved set of formal preparations to respond to security flops in a very short period of time. It is relatively knowledgeable that in an environment where uninterrupted operations are the vital part for business survival, action must be taken to safeguard information and the business that use the information. This regenerates a more complete discussion about how to go about security measures in many banks across UK especially. Information security symbolizes a vital response of an organisation when faced with any disruption or any form of insecurity.

1.1 WHAT IS INTERNET BANKING?

Online banking has been in place for the past two decades now. It was introduced in the early 1980's. But in the nineties; internet banking came to lime light. However, there is no specific definition for internet banking but according to (FFIEC handbook 2006), internet banking is another means to carry out various banking services Via a secure website which their respective banks operate. It has many functions and also allows customers to view their accounts, transfer money from their accounts to another person's account both in their banks or any other bank. But in its simplicity, Internet banking can be said to be a systems that allows bank customers to gain entry into their accounts and to access some other vital information about what services the banks provide through their personal computer system or any other intelligent device.

Anand, (2008), reports that UK banking population has rising to 10.9 million. The bank with the highest online customers was royal Bank of Scotland which has 2.9 million customers. The highest individual online banking brand was Lloyd's bank with 2. 8 million customers. The growing tendency of internet banking transaction has really signalled issues on information security that are to be noted and stringently taken care of. To get this security managed, it must be a combined effort and relationship between the customers and the financial institutions.

1.2 RESEARCH METHODOLOGY

The research methodology designed for this project work is to use both qualitative and quantitative approach that includes primary and secondary sources to gather the data, but more effort will be concentrated on primary source. Development of questionnaire for a face to face interview will be designed technically to investigate and address the issues regarding security measures used online by UK banks. The data collected will now be transformed into useful information statistically to justify the objective of the project work

1.3 SCOPE AND OBJECTIVES

The scope of the project is focused on security measures available for internet banking in UK and to investigate the fraud and scandal that are affecting both the banks and the customers as a result of the universal usage of internet transactions from different locations simultaneously as well as assessing various ways of mitigating these threats. The end product of this is the development of security measures or policies which will enable financial institutions to adequately protect their data and their consumers' with recommendations and future work on internet banking security.

1.4 OBJECTIVES OF THE STUDY

The emphasis of the impact of internet banking plans particularly regarding this dissertation work is on the investigation of security measures available for UK online banking to be able to secure information and data for both the institutions and the customers for proper and longer continuity of business based on information technology and other critical dependencies.

Therefore, the main aim of this research work is to critically analyse the existing security measures adopted by banks in the UK in relation to internet banking and to know what impact it's making on the consumer and the institution itself. These objectives also focus more on the whether banks really are complying with this security measures.

The main objectives of this project are;

  • To investigate the vulnerability and the threats affecting internet banking in UK.
  • To investigate the fraud and scandal that might affect the use of Internet banking.
  • To conduct an interview with both the customers and bank staffs on information technology security issues affecting Internet banking or problems they encounter in the process.
  • To develop a counter measures for preventing fraud and scandal for both customers and bank staffs using Internet banking in the United Kingdom.

1.5 THE IMPORTANCE OF THE PROJECT

The internet is the best medium for banks to showcase their whole products and services and to also use this means to sell them to the outside world according to the IBM, (2005). For this channel to be wholly managed and utilized, for the advantage of the customers and banks, according to this IBM Newsletter, the banks must do everything necessary to provide the customers the free will to make a range of choices on when, where and how they feel they can relate with their service provider, the bank. To achieve this, it requires a wide knowledge and use of technology for their services and interrelationships to be solid and also to let their customers to build trust on the products and services they provide them.

Management of financial institutions should adopt a means of attracting customers to start using electronic banking and to make them have understanding on how it works. Ely, D. (2002).

1.6. REPORT STATEMENT

This chapter is just to introduce you to the project work. It comprises of the meaning of internet banking, the research methodology the scope and objective of the study. It is to prepare the reader to know what the study is all about.. Chapter 2 which is the literature review will go into various research books and journals and past research works of similar study.

CHAPTER 2

2.0 LITERATURE REVIEW

This chapter is the literature review; the purpose of this chapter is to investigate past publications by different authors. This will include textbooks, articles and online publications that could enlightened the readers more on the area of banking and internet security measures, the standard and policy used for internet banking security in the United Kingdom and more importantly, the great impact of online banking and information security in the UK banking sector.Since the invention of information technology and the internet, people of different Calibres are using it to improve the services efficiently and effectively. In the retail banking sector, most of the businesses have moved majority of their physical transaction processes to online transaction process. A good example of this, I own an account with the Halifax bank for over 4years now and I cannot remember the last time I went into my branch to transact business. Most of my bills payment and transfers are done through my online banking. This very convenient for me as I do not have to go the bank to stand on a long queue waiting before making any transaction.

Irrespective of this, Lassar et al. (2005) also affirmed that financial institutions should be able to forecast and figure out how such technology will be applied by customers.Banks and Financial institutions rely upon mostly on Information Technology for their everyday activities; therefore the Information acquired by financial organisation is not used only by the organisation and their employees but also by their customers and stake holders and partners. The users who rely on these services anticipate constant possibility of direct access to organizational information (McAnally, et al 2000).

2.1 DEFINITION OF E BANKING.

The growing tendency of e banking transaction has really signalled issues on information security that are to be noted and stringently taken care of. To get this security managed, it must be a combined effort and relationship between the customers and the financial institutions. According to FFIEC handbook, (2006), “E-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels. E-banking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet which is an essential fraction of e-banking”.This new development has drastically changed the phase of internet business in the United Kingdom and it is a welcome phenomenon.

2.2 WHAT IS INTERNET BANKING.

For quite some years now, internet banking levels have been executed to be more efficient approach through which the banking transactions are made without having to leave your place of abode or your place of work. Some of the customers have been recognised to turn to internet banking as a result of frustrations with conventional standard of operation and practices. Anand, (2008) said further that while some customers want human interaction in transaction, some of them turned to the internet facilities for security reasons. The reason is that the customer are given assurance that their transactions are safe and secured and most of these transactions are made via the internet explorer interface. In a survey carried out by Anand, 2009, he said online bankinghas risen. 25% of all the people who responded as regards to the most preferred way to bank.Mobile bankinghas not started at all. Only 1% of the people make transaction via mobile. The data below in the figure 1 shows how they stand:

Table:2.1

Online banking

25%

Branches

21%

ATM

17%

Mail

9%

Telephone

4%

Mobile

1%

Unknown

23%

Online banking still has the highest number of people who use online banking. That goes to Show that customers are getting to know the effectiveness and benefit of online. He went ahead and said more people visit the bank branch than using the online banking .The term internet banking can then be referred to as the use of internet as a secluded way of doing banking services. These services comprise the conventional ways such as account opening or funds transfer to different accounts and new banking services like payments online that is customers' permission to receive and pay bills on their website.Having understood the significant importance of IT and e banking and amount of risks and threats involve in driving the business process, therefore there is need for consistent continuation of security in business, which brings about the understanding of Information security. It is a continuous process. “Information security, is the process of protecting information and information system from unauthorised access,use, disclosure, disruption, modification, destruction or bombardment, it involves confidentiality, integrity and availability of various data irrespective of the form the data takes. E.g. electronic, print, written verbal or in any other forms”. (ISACA and CISA Review Manual, 2006).

2.3 An Overview of Online Banking Environment in UK

An increasing competitions among the financial institutions have forced many of the competitors to offer similar prices on deposits and loans, the effort for gaining competitive advantages were shifted towards no priced-factors (Akinci et.al 2004). customers and financial institutes have noted the recent revolution in UK retail banking. The conversion from traditional banking to internet banking has been effective (kolodinsky and Hogarth, 2001). Although some researchers have bated that Online banking has not lived up to expectation e.g. Sarel and Marmorstein (2003) and Wang et al. (2003), lots of studies still say that internet banking is still the most wealthiest and profitable means to transact business (Mos, 1998;Sheshunoff, 2000).Online banking has come to stay no doubt about that and financial institutions are ready to move on with it. Luxman (1999) for example predicted that in the nearest future that the importance of internet banking will be felt most especially in the remote areas where some banks have closed their branches Going by the survey carried out for alliance and Leicester by (VOBS survey, 2004), 2,395 UK adults were interviewed, more that half of them now bank online. 61 percent now used it more than the previous couple of years. However, visiting the baking hall is very much popular with respondents preferring to go to banking and deal face to face with the banking staff for activities like paying cheques 73 percent, 20 percent withdraw cash over the counter and 20 percent will lodge on one complaints or the other. Mike Warriner (2008).said in a recent report from Forrester stated that “31% UK adults use online banking even though 75% always shop on the internet. To quote Benjamin Ensor, principal analyst at Forrester Research, "By standards internationally, online banking in UK is struggling" He also said that "The U.K. has the highest number of people (about two million) who do not use online banking any more. They said they used to bank online but have stopped".

2.4 WHAT IS WRONG WITH UK INTERNET BANKING

According to a survey carried out by Darrell R. (2009) “Medium size organizations all over the world are very much concerned about cyber threats. The number of incidents reported really justifies their doubts. At the close of mid 2009, McAfee discovered a new malware as they did in 2008 which could cause a lot of havoc in the internet world..Irrespective of this discovery; most organizations still cut their IT security budget instead of increasing it. A threat up budget down, McAfee called it “security Paradox”.Ron C. (2009) reports that most companies in the UK are struggling behind the rest of the world in information security management practices, according to a new study from PWC (PriceWaterhouseCoopers), 7,000 security professionals all over the world was surveyed, mainly in large companies consisting of 455 in the U.K. The survey found out that British organisation emerges to be less prepared to fight the risks that tackle them in their information systems. The table below shows that U.K. lags in quite a few key areas of information security. Organisations have smaller amount CISOs in place; only 37% have a clear idea of where their data is stored. Then, nearly half (49%) do not know the number of security incidents they experienced in the preceding year.

Table: 2.2: Information security management practices

COUNTRIES

INDIA

US

UK

BRAZIL

CHINA

Employ a CISO

51%

42%

37%

48%

55%

Have overall information security strategy

73%

73%

62%

58%

67%

Expect security spending to increase, stay same over 12 months

80%

59%

49%

82%

86%

Have accurate inventory of where sensitive data is stored

42%

42%

37%

29%

50%

Don't know how many security incidents occurred over the last 12 months

18%

41%

49%

15%

7%

2.5 INTERNET TRANSACTION

Transactions online help customers with the competence to conduct transactions via the website of the institution by introducing banking transactions or buying products and services. There are lots of transactions customers can engaged in on the internet this can be a small as basic retail account balance to a very big business funds transfer. Internet banking services, such as the ones carried out through some other means are categorised based on the kind of customers they bear. The table below shows some of the common retail and wholesale internet banking services offered by financial institutions. (FFIEC, 2006).

TABLE 2.3: COMMON ONLINE BANKING SERVICES

Retail Services

Wholesale Services

Management of account

Management of account

Payment of bill and presentment

Managing Cash

Opening of New account

Small business loan applications of loan to small business, Its approval or advances

Money wiring and transfers

Brokerage services and investment

Transfer and wiring of funds commercially

Approval and loan application

Payment from business-to-business

Aggregation of account

Pension administration and employee benefits

The table 2 above shows part of services rendered by online banking.

2.6 ADVANTAGES OF ONLINE BANKING.

2.6.1 Convenience

According to (Gerlach, 2000), internet banking services allow customers handle their normal banking transaction without visiting the bank building or meeting any banks staff. No need to wait until 8 or 9 in the morning before you can get answer to your bank account request or details Customers can handle their transactions anywhere they like as long as they are connected to the internet or where there is availability of internet. However, since most banks offers 24 hours online banking services 7 days a week, internet banking can allow you to view and work with your account no matter what time or day it is. Thus, they can make payments, check balance, transfer money etc at the comfort zone of their homes or offices. Hence online banking has broken the limitations of the conventional way of banking thus provides customers swiftness and convenience.

2.6.2 Time Saving and Money.

When you visit banks, you will discover that most banks branches are always engaged with one activity and customers have to wait for a long time before attended to. This is a waste of time and energy. Luckily, some banking transactions can be handled at home or in office or anywhere that is convenient for the customers. In other words,customers do not need to wait for a long time in a long queue or go to their respective banks branch to carry out their banking business. Online banking therefore helps can help customers to save time and cost of travelling.

2.6.3 Ease and Efficiency

As long as they adhere to the simple steps to be followed by login in their information and clicking the right button, customers can able to check their accounts and know what their balance is, transfer funds and also carry out other valuable transactions. The timely check can help customers' overdraft charges and also to know if the transactions they made were successful and completed. Hence, banking online helps customers to manage their account more easily and conveniently.

2.6.4 On Time Gain and Update Information

Online banking systems also provide the customers a timely updates about both their existing and new products and services, banking news and other vital information that the customers need to know or be updated with. Therefore customers can benefit some relative information at the appropriate time for them to make quick and right decisions.

2.6.5 Profitability

Fewer banking building will be maintained as a result of online banking and fewer employers will be involved there is a much lower over head with online banks. The saving they get as a result of this process allows them to give greater interest rates on savings account and lower lending rates and service charge.

2.6.6 Cost Effective

Internet banking cost less; this is because there are only few buildings to maintain and salaries paid to employees will be reduced as well. Since they have more to safe now and this allows them to increase their interest rate on savings account and lower lending rate and charges

2.6.7 Easier To Catch Fraudulent Activities

Since you have the opportunity of viewing your account details at anytime, it is easier to know if any fraudulent activities have gone through your account before much damage is done. Once you log into your account, you will see immediately whether there is anything wrong when you check your deposits and debits. If you do not make any transaction and you see any strange details in your account, you will see it write away and make necessary alarm to the financial institution

While the internet offers miscellaneous advantages and opportunities, it also presents various security risks. Having this in mind, banks take wide measures to protect the information transmitted and processed when banking online. This comprises ensuring confidential data sent over the internet cannot be accessed on modified by unauthorised third party. “But banks don't normally have influence of the systems used by the customers. The choice is entirely up to them. More over a system connected that is a pc connected to the internet for example will usually be used for a number of other applications as well. The systems used by the online banking customers are therefore exposed to risks beyond the banks control”. For this reason, the bankers cannot be liable for them. Berlin, (2007). Some Dangers Faced When Using the Internet. Berlin, (2007)Third party gaining access to information transmitted or getting information under

false pretences, this can be done with the aid of the following:

  • Virus and warms: Programmes that are sent over the internet that can damage your pc when they replicate.
  • Trojans: programmes that intercepts passwords that is not known to users that

compromise computer security.

  • Phishing: Using a fake name, website or address for fraudulent purposes.
  • Pharming: Users being redirected to fraudulent server
  • Root kits; An unauthorized administrative level access without the real administrator noticing through malicious software. Their feature is almost as Trojans.
  • Hacking: Having access to a PC via the internet when not authorised.

Banks now have some numbers of measures in place that gives effective protection

against attacks when information are processed by the bankers server or when

information is sent over the internet.

2.6.8 SOME SECURITY RULES WERE ALSO GIVEN

Rule 1: Up to date scanner and security software should be installed.

Additional security software has to be installed. your normal operating system standard tools alone cannot solve some security problems. F your security is not adequately in place, you run the risk of unauthorised persons gaining access to your data.e.g never saves you PINs and TANs on your PC. A firewall can protect you from such attack

Rule 2: Sensitive data must be protected over the network.

Over the internet, data sent can be intercepted or can be viewed by an unauthorised third party when the network is not secured. Banks have now taken some measure to ensure that data sent via the internet is encrypted before transmission.

Rule 3: Make sure you know the person you are interacting with.

Not everyone on the internet are not who they claim they are. Check the URL you are in and make sure that your bank's internet address is correctly spelled.Hackers impersonate someone in a position of trust to get the information they needed. This is called “PHISHING”. It is another technique to steal confidential code.This works by redirecting you to their own rogue server.

Rule 4: Sensitive data should be cautiously kept and access media.

Your access code and media must be protected e.g. (PINs, chips) from unauthorised use. Do not save sensitive data such as Passwords PINs, access code, credit card >numbers on your hard drive especially if the PC is not been used by you alone. This could allow third party to view your data.

Rule 5: Choose a secure password.

A combination of upper case and lower case letters, numbers and symbols is a typical example of a good password usually of six to eight characters. It will be difficult for anyone to guess your password.

Rule 6: Only use a programme from a trustworthy source

Don't download from the internet any programme into your hard drive unless you are sure of the source and that it Save Reports reliable.

Rule 7: The newest programme version should be used

Use your preferred internet browser and PC operating system version that is up-to-date.

Rule 8: Run security checks on your PC

Take a few moments to run a personal security checks before using your PC to bank online. Make sure the entire security features that protects your computer are on.

Rule 9: The security setting on your internet browser must be activated.

Use “Block ActiveX Control” and let Java applet to run after confirmation. Do not make use of browser auto-completion function which is able to save your user name and passwords you enter and suggest matches.

Rule 10: Your current account should not be made available to make financial

transaction.

Any offers that is asking you to make your current account available for payment and other financial transaction for unknown firms and individual must be suspicious especially if they are located not within your country

2.7 SOME ONLINE BANKING SCURITIES AVAILABLE

2.7.1 Internet Security:

Internet security refers to the methods used in protecting data and information in a computer from unauthorized persons. It is a serious issue in the world wide today.People who use internet should be using the internet should be well conscious of the trouble aroused as a result of it. A familiar methods used by people to guarantee information secured on the internet are:

Data encryption - Data encryption involves packaging original information

into a meaningless structure that can only be read using a certain technique. This is called “cipher text”.Passwords usage -They are used to avoid illegal entry of data so that the entire system is protected. Creation of passwords must be in a way that the other people do not simply guess it.

2.7.2 Methods:

There are some several methods that helps in internet security. They are listed below; Firewalls:This is software that filters unlawful access in a network. The configuration must be right and the proxy firewall which is to protect the system must be combined with it.Data should have back up:Regularly, backup from the data from the system should be taken regularly. If the computer unexpectedly spoils or crash and the operating system of the computer failed to reboot as a result of virus attack, by taking the backup data will reduce the penalty.

Preventing Virus Attack: Viruses can affect computer, Trojan horse, worms e.t.c as a result of some infected files downloaded from the internet. They are programs that have the ability to install itself at any time the host programs run and cause malicious attack.Baleful Links:Those who use the internet can keep away their system from getting infected by the virus by keeping away links and emails that are not useful. Links may lead to download files suddenly. These causes' security problems for the computer and therefore must be avoided.File Sharing:Both original and pirated files are joined when files are shared on the internet thereby reduces the speed of the computer. This must be prevented. Routers:Some connections are prevented by certain routers from outside from the computer. NAT (Network Address Translation) is software that does this function and it's of low cost and smallest amount complexity.Preventing Spy-Ware: Internet securities are threatened by several software.Without the permission of the user some software runs along with other application.

2.7.3 Insider threat detection still a challenge

Threats detection from inside is one of the major problems they face, The ones that

invests in information security are yet focusing on saving out viruses and intruders. A

possible danger of a rascal employee can regularly be discounted, mistreated or just

take the risk of doing business.

“A recent survey conducted among 600 people that are office workers in Canary

Wharf, London and in a Street in New York, shown that many of the employees have

no doubts about how information is been mishandled. One out of three of them

alleged they would take data to assist their friend to look for a job, and 41% said they

had already taken data because they might need it someday to get employment

elsewhere”. Ron C. (2009)

The study, which was commissioned by security company Cyber-Ark Software Inc.

that took this survey said the easiest data to steal are their customers and contact

details, along with their plans, proposals, plans and product information.

2.7.4 CUSTOMERS' ATTITUDE

Understanding of the impact of technology based transaction system on customers perceptions and behaviour is essential. (Moutinho et al. 2000).If banks are willing to integrate new technology into their existing relationship building activities Asher (1999) argued that cooperate customers seems to be willing to use internet as a key medium in banks dealings. He said “the evidence suggest that cooperate clients have shown a preference for online banking, due to the perception of being more cost effective that conventional channels” Financial institutions use this technology in service delivery may often compromise bank business relation. (Keltner 1995) in terms of higher degree of convenience and accessibility. (Devlin 1995). Therefore Customers' perception is very high in the delivery of the electronic banking. According to Nexhmi et al.(2003). Customers participate typically is the process of enabling customers to make their services, products. It can be diversified between the types of services offered, even the services providers within the same market place for instance, Meuter et al.(2000) points out that “self service technologies are increasing the way in which customers interact with their providers in the creation of service outcomes and are a typical example of a market place transaction that require no personal interaction”

2.7.5 FINANCIAL INSTITUTION AD MANAGER'S ATTITUDE AND

APPROACH

Internet banking was still in a very young stage and its entire benefits has been realised. (Nath et. al 2001). In this case, managers of financial institution's attitude towards the perceptions of electronic channels were of significant importance. (Akinci et .al (2004). Mols (2001) state that “management support and future orientation were the two most important factors which driving the introduction and expectation of the new e-channel” In another study, Mols (2000) grouped the bank managers according to their attitude towards internet banking: The “sceptics” the “nervous”, the “positive” and the “reluctant” groups. In Scotland, Moutinho et.al (2002) emphasized the Scottish bank managers efficiency and enhancement of customer services as to perceive advantages of internet banking. Faster easier and more reliable service to customer and the imprudent of the competitive position were highlighted. (Aladwani , 2001). Based on the UK evidence, I 2001 claimed that: “the integrated banking model, around which traditional banks have built their strategies in the past were showing sign of fragmentation” In this sense, he summarised four emerging internet model in the UK. The first was based on accepting internet banking as a new delivery channel that was integrated with existing model. The second model is called “e-banking”, was based on multi banking in which the internet was the integrative component. The third model consisted of creating baby “e-banks” with their own e brand name and product range. The last model was seen as entirely a new business model without a physical network.

2.8 Laws, Directives, Regulations and Standards

Shon Harris All in One Certified Information System Security Professional Exam Guide, Fourth Edition, 2008

Different laws, directives, regulations and standards were enacted for different reasons which include data protection, software copyright, data privacy, computer misuse as well as controls on cryptography.

Health and safety, prevention of fraudulent activities, personal privacy, public order, intellectual property, environment protection and national security are reasons why the regulations can be implemented in governments and private sectors. The violation of these regulations has a severe punishment attached to them which may range from fine to jail term of up to ten years or more depending on the gravity of the crime committed.

Examples of the regulations that governs information usage and protection are discussed briefly below

2.8.1 The Sarbanes-Oxley Act (SOX)

The SOX was enacted in 2002 as a result of the corporate scandals and fraud that threatened the economy of United States of America. This is also known as the Public Company Accounting Reform and Investor Protection Act of 2002 that applied to companies that publicly trading on United States market. How organizations must track, manage and report on financial information was provided for in the SOX requirements. Processes and controls must be in place to protect data because of the organizations reliance on computer equipment and electronic storage for transacting and archiving data, the section 404 of SOX is directly applied to information technology. Chief Financial Officer (CFO), Chief Executive Officer (CEO) and others can be jailed if the law is violated.

2.8.2 The Computer Fraud and Abuse Act

This act is the primary U.S federal anti hacking statute that was written in 1986 and amended in 1996.Prohibition was made on seven forms of activities and was made federal crimes:

  • “The knowing access of computers of the federal government to attain confidential information exclusive of permission or within surplus of permission.”
  • “The deliberate means of using computer to get information needed from a financial institutions, the government, or protected computer involved in interstate or foreign communications without permission or during the use of to much of permission.”
  • “The deliberate and illegal use of computers of the government, or the computers used by the government or for the government, though it may affect the government in one way or the other using the computer”.
  • “When access is gained into a protected computer with no permission or approval with the aim to cheat or defraud”.
  • “Knowingly causing the transmission of a program, information, code, or command and, as a result of such conduct, intentionally causing damage without authorization to a protected computer”.
  • “When the passwords of the computers are known with the aim to defraud”.
  • “The spread of connections which contains threats to cause harm to a computer that is protected”.

There is penalty for breaching this act ranges from felonies to misdemeanours with corresponding small to large fines and jail sentences.

2.8.3 Employee Privacy Issues

For a company to be adequately protected, various employee privacy issues must be considered within the organization. Organization must understand what it can and cannot monitor as a result of different state with different privacy laws.

Organization must state it in its policy that monitoring in any form are done within the organization to prevent being sued by employee for invading their privacy. This is considered the best way in which organization can protect itself.

2.8.4 Data Security Standard used by payment card industry (PCI DSS)

The advent of internet and computer technology led to the increase in identity theft and credit card fraud which gives opportunity to millions to be stolen at once.

Stabilizing customer trust in credit card as a safe way of conducting transaction and to curb the problem, a proactive step was taking by the credit card industry. The standard affects any entity that processes, transmits, stores or accepts credit data.

The PCI Data Security Standard is made up of 12 main requirements that are broken down into six major categories. They are

2.8.5 A Secured Network must be built and maintained.

Requirement 1: To protect cardholder data, configuration and installation of firewall must be maintained Requirement 2: Ensure that systems passwords and other security parameters are not in vendors supplied defaults.

2.8.6 Data of Cardholder must be protected.

Requirement 3: Stored data of cardholder must be protected.

Requirement 4: Across open and public networks, cardholder data must be encrypted in transmission

2.8.7 Vulnerability Management Program must be maintained.

Requirement 5:Anti-virus software must be used and updated regularly.Requirement 6: Secured systems and applications must be developed and maintained.

2.8.8 Access Control Measures must be strong in its implementation.

Requirement 7: Based on Business need-to-know, cardholder data access must be restricted.Requirement 8: Every individual having access to computer must be given a unique ID.Requirement 9: Physical access to cardholder data must be adequately restricted.

2.8.9 Monitoring and Testing of Networks must be carried out regularly

Requirement 10: Cardholder data must be tracked and monitored when accessing the network resources Requirement 11: Security systems and processes must be regularly tested.

2.8.10 An Information Security Policy must be developed and maintained.

Requirement 12: Information security policy must be maintained.The violation of the standard does not lead to jail term but may result in financial penalties or revocation of merchant status within the credit card industry because PCI DSS is a private sector initiative.

2.9 Database Security, Compliance and Audit by Charles Le Grand and Dan Sarel. Information Systems Control Journal Vol 5, 2008.

Grand and Sarel (2008), states what it takes to adequately protect the database to ensure that compliance is met. It also provides information for auditing purposes. The objectives for ensuring database access control were also exploded by the authors.

On the conclusion note of the article the authors said that “the simple goal of ensuring database security is to ensure that only authorized individuals have access and all access is monitored. To limit access to only people whose jobs require it, access protection must apply to identifying the sensitive data elements: the methods for managing user credentials and access rights: and the records of who accessed what, when and what they did with it”.

2.9.1 Insider Threat- The fraud that puts companies At Risk by Patrick Taylor Vol 1,

2008

This article was short in context but provide real information about who normally perpetrate fraud in organization .Fraud committed by trusted employees in executive management , accounting, sales, finance or procurement position constitute 73 percent of the survey conducted by the Certified Fraud Examiner which is an annual survey and also provide what organizations can do to mitigate against the risk. Finally, it gives information into who should be adequately monitored.

2.9.2 Security risk management ISO/IEC 27005:2008

The new standard form the International Organization for Standardization (ISO) and

also the International Electro technical Commission (IEC), ISO/IEC 27005:2008, explains the activities for information security through the process of risk management. It provides guidelines for information Security Risk Management.

The ISO information risk management process can be useful to the financial organisation as whole or to any discrete part of the organisation.

All types of organisation are bothered with threats that could compromise information security. Overseeing this aspect is usually the main fear for information technology departments. On this situation, Information Security Risk Management must be an essential component of all the information security administration activities and if possible to be applied to both the execution and the ongoing operation of an Information Security Management System. Information risk management comprises of:

  • Establishment of context: It aims to describe the risk management's boundary.
  • Analysis of risk (Estimation phases & risk identification)
  • It intends to assess the risk level.
  • Assessment of risk (Evaluation phases & analysis of risk)
  • It isused to formulate decisions exchanging and/or sharing information about danger between the decision makers and some other stakeholders.
  • Communication risk
  • It is used to attain conformity on how to handle risks by replacing and or by distributing information concerning danger involving the decision makers and some other stakeholders.
  • Review and risk monitoring

It is used to spot any probability in the framework of the institute at a premature phase, and also to sustain an overview of the whole risk snapshot.

This new standard is designed to support the performance of ISO/IEC 27001, the information security management system standard, although this is based on a risk running approach. understanding of the concepts, processes, models and terms explained in ISO/IEC 27002: 2005 and ISO/IEC 27001, IT Security skill - The ethics and code of conduct of practice for information security administration, is vital for a total understanding of this International Standard. (Alessandro Deidda, 2009)

According to Alessandro D, (2009): he expressed that “Today, the majority of organizations identify the significant role that information technology plays in maintaining their business objectives and with the arrival of the Internet and the prospect of carrying out online transactions and businesses, Information technology security should be in the ahead. ISO/IEC 27005: 2008 has been related to managers and staff involved with information security risk management inside an organization and, where suitable, outside parties supporting such activities.”

CHAPTER 3

This chapter discusses the methodology of the dissertation. This includes research purpose and research approach. It also outlines research strategy and sampling or interview methods.In order to gather the necessary data and information to explore issues under investigation, the researcher needs to locate the appropriate research method. The term methodology refers to as “the technique in which we approach problems and look for out answers, it also applies to how the research is being conducted. The interest, assumptions, and the purpose of the research help us to know the kind of methodology we use for that exacting issue” (Tylor & Bogdan, 1998). Methodology refers not just to tools used to obtain data for research but it also refers to the philosophical groundwork and understanding of reality that researcher holds. It encompasses how these tools are enjoyed and how the data is being interpreted. This chapter discusses the selection of quantitative study moving towards with questionnaire methodology for data collection, demonstrating its appropriateness for the study of online banking.

3.1 RESEARCH PURPOSE

Research can be divided into various types depending on the nature of the research problem or the purpose of it. According to Yin, (1994) and Zikmund, (2000) point of view, the purpose could be:Exploratory (unclear problems)Descriptive (aware of problems) or Explanatory (clearly defined problems)Saunders et al. (2000) clearly stated that more than one purpose can be employed in one research study.

3.1.1 EXPLORATORY RESEARCH

Exploratory research is conducted to clarify and research a better understanding of the nature of the problem. Consequently, exploratory research is appropriate to use when there is a little prior knowledge of the problem researched. It is a valuable means of finding out: “what exactly is happening; to seek out new insight; to ask questions and to access phenomena in a new light” (Zikmund, (2000). The purpose of exploratory research is to provide insight and understanding, not conclusive evidence. Saunders and Thornhill, (2003) argued that exploratory research is advantageous in the sense that it is very flexible and adaptable to change. When a research problem is instructed and very difficult to define, an exploratory investigation is an appropriate method to use. (Eriksson, (1999).

3.1.2 DESCRIPTIVE RESEARCH.

The main objective of a descriptive is to “portray an accurate profile of a person event, or situation” Robson, (1993), and may be n extension of, or forerunner to, a piece of exploratory research. Zikmund, (2000) describes descriptive research as when research problem is known and the researcher is not fully aware of the situation. When a particular phenomenon of a nature is under study, it is understandable that research id needed to describe it, to explain its properties and inner relationship (Huczynski and Buchanan, (1991).

3.1.3 EXPLANATORY RESEARCH

The emphasis of explanatory researches is on studying a problem or phenomena in order to establish a casual relationship among variables (Saunders et al. 2000). Explanatory research is sometimes refers to as a casual research (Zikmund, 2000).Normally, explanatory and descriptive research is conducted first and then explanatory research tries to establish and explain pattern related to phenomenon of interest. Saunders et al. (2000).The starting point of this research purpose is the research problem. The impact of e-banking: To investigate the security measures available for internet banking. Depending on the research problem, literature review has been conducted in order to specify research questions and construct frame work. The research objective and research questions reveal that this study is primarily descriptive.

3.2 RESEARCH APPROACH

QUANTITATIVE AND QUALITATIVE APPROACH

Quantitative and Qualitative methods are two broad approaches to research and are the common methods used in research methodology. While quantitative research method involves numerical representation and manipulation observation for the purpose of describing and explaining the phenomena that those observations reflect qualitative research on the other hand involves non- numerical examination and interpretation for the purpose of discovering the underlying meaning and pattern of relationship. Qualitative research emphasizes the process and the meaning that are not rigorously examined or measured in term of quality, amount of intensity or frequency. In contrast, quantitative study emphasises measurement and analysis of casual relationships between variables, and not processes. (Casebeer and verhoef, 1997: Zikmund, 2000: McDaniel and Gate, 1996: Miles, 1994; Easteby-Smith, 1991).In quantitative research variables and relationship are the central idea. (Neuman, 2003). Quantitative research is useful in providing details planning prior to data collection and analysis because it provides tools for measuring concepts, planning design stages and for dealing with population and for sampling issues. In addition, a quantitative research approach utilises a deductive model in testing the relationship between variables and to provide evidence for or against pre-specific hypothesis. (Neuman, 2003).

The table 3.1 below shows the Qualitative Versus Quantitative research. Source:

Chisnal, 1997

QUALITATIVE RESEARCH

QUANTITATIVE RESEARCH

Objective

To gain qualitative understanding of underlying reasons and motivations

To quantify the data and generalize result from sample to the population of interest

Sample

Small number of non representative cases

Large number of representative cases

Data collection

Unstructured

Structured

Data analysis

Non-statistical

Statistical

Outcome

Develop an initial understanding

Recommend a final cause of action

The main objective of this study is to investigate the vulnerability and the threats affecting internet banking in UK and also to examine the fraud and scandal that might affect the use of Internet banking. In this study, the data colleted will be analysed from sample customers and bank staffs and generalize the data to population. Therefore the theory of quantitative method will be used.

3.3 RESEARCH STRATEGY

(Cooper & Emory, 1995) define research as a systematic inquiry aimed to providing information to solve problems. In order to collect necessary data and discover key factors under investigation, the suitable research method is considered to expose the key attributes of online banking services and customers expectations. The purpose of the research methodology is to gather information of real world phenomenon and the information from reality.There are some main research strategies that can be use when collecting and analysing empirical evidence in the field research, they are, experiments, survey, archival analysis, history and case study. Each of this research strategy has a distinct condition

  • The kind of research questions created
  • Control and investigator, what degree it has in actual behavioural occurrence.
  • The extent of focus on contemporary, as opposed to past occurrence.

Find table 5 below shows the relationship of each condition and the various research

strategies.

Table 3.2.Appropriate situation for different strategies

Research strategy

Research question and its form

Control over behavioural system requirement

Contemporary focus

Experiment

How, Why

Yes

Yes

Survey

Who, What, Where, How many, How much

No

Yes

Archival analysis

Who, What, Where, How many, How much

No

Yes/No

History

How, Why

No

No

Case study

How, Why

No

No

The strategy to be used is based on the characteristics of the stated research questions. The common method of research questions are formulated as who, what, where, how and the question of why. In the case of when how - or what - question are used, the researcher can benefit by using the case studies, the survey or archival analysis. As the research question of this study is mostly based on what question, the investigator has no control over the actual behavioural events and the focus of this study is on the contemporary event, the survey approach was employed to provide rich descriptive details to gain a better understanding on the security measures available for internet banking in the UK. Since the research approach will be qualitative, the strategy chosen will be a survey.

CHAPTER 4

4.0 DATA PRESENTATION AND INTERPRETATION

Introduce this chapter by stating what the chapter is all about and the reason why you have conducted the question, plus the benefit of the research.

From all the 42 questionnaires that were distributed, only 20 were returned. This chapter will address the methodology used in gathering my data, and the analysis of the data gathered will therefore be transformed into information that will be useful for the purpose and objectives of this study. The data was generated through questionnaire since interviewing key people such as staffs of various banks responsible for that information are not willing to share the information with me via interview. The questions therefore were structured in such a way that it meets the objectives of this study and analysed as follows;

4.1 RESPONDENT DETAILS

GENDER

FREQUNCY

PERCENTAGE

MALE

12

60%

FEMALE

8

40%

TOTAL

20

100%

Table: 4.1 Gender of Respondent

The table 4.1 above is a presentation of the gender of respondents surveyed. This shows that out of the 20 questionnaires that were returned, 12 or 60% of the respondents are Male, and 8 or 40% of the respondents are Female. This table clearly shows that more male respondents

actually were interested in participating than the female. However, the difference is not much. The figure 4.1 below shows the statistic of how they stand.

Fig……give each diagram a figure and a number…..e.g. fig. 1, fig. 2

Table: 4.1.1 Age of Respondents

AGE

FREQUENCY

PERCENTAGE

BELOW 18

2

10%

18 - 55

17

85%

55 ABOVE

1

5%

Table 4.1.1 and figure 4.1.1 above are the presentation of the age distribution of respondents.It shows that 2 respondents or 10% of the sample are between age brackets 0 -17 years old or (below 18), 17 or 85% are between the age bracket 18 - 55% and 1 or 5% are respondents of people age 55 above. It is obvious that respondents' age between 18 - 55 is the one really using more of the internet banking. This also goes to show that middle age people use more of the system rather than the other age brackets. This could help in this survey as it is clearly shown that young people use the internet banking system.

4.1.2

Table: 4.1.2 profession of Respondents

PROFESSION

FREQUENCY

PERCENTAGE

STUDENTS

9

45%

ACCOUNTANT

1

5%

DOCTORS

0

0%

OTHERS

10

50%

The table 4.1.2 above also shows the profession or what the respondents do for a living. 9 or 45% of the respondents are students, 1 or 5% or them are accountants, 0 or 0% i.e. none of

the respondents are in doctor's profession and other profession is 10 or 50% do other profession apart from the other profession mentioned in this survey. Apparently, students and other profession are the people using the internet baking more that accounts and doctors .It is also represented in the figure 4.1.2 below.

Section A

4.2. Do you have a bank account? Yes (19) = 95% No (1) = 5%

As stated in figure 4.2 above, 95% or 19 of the respondents said yes that they do have a bank account and 5% or 1 out of the 20 questionnaires returned said no. This goes to show that majority of the respondents who partook from the survey have bank. It is seen here that respondents can not do without using banks for their transactions. The response analysed in figure 4.2 further shows that there are significantly awareness that people haves to use the banks or have contact with the bank for their transaction.

4.2.1 What bank do u keep your bank account with?

Barclays bank (11) = 52% Halifax (5) = 24% HSBC (3) = 14% Lloyds (3) = 5% others (1) =

5%

Figure 4.2.1 shows the different types of banks respondents keep their bank account with. 11

or 52% keep their account with Barclays bank, 5 or 24% keep their account with Halifax, 3 or 14% of the respondents keep their account with HSBC, 3 or 5% of the respondent keep their account with Lloyds TSB and respondents who keep their accounts with other banks is 1 or 5%. It is obvious that majority of the respondents actually keep their bank account with Barclays bank.

4.2.2 What type of bank account do you have?

Savings account (14) = 48% Current account (13) =45% Online account (2) = 7% Telephone account (0) = 0% others (0) =0%The below figure 4.2.2 also confirm that 14 or 48% of the respondents keep savings accounts, 13 or 45% of them keep current account, 2 or 7% . None of the respondents keep telephone account and none also keep other forms of account. Only very few respondent keep online account while respondents keeping both current and savings account are more respectively.

4.2.3 Did your bank introduce internet banking? Yes (18) = 90% No (2) = 10%

In Figure 4.2.3 below, the response of the respondents was trying to find out if any of the banks the respondents are using introduces internet banking at all. 18 or 90% of the respondent s said yes wile 2 or 10% of them said their banks did not introduce internet banking. This depicts that Majority of the respondent who have banks accounts are aware of internet banking.

4.2.4. Do you use the internet banking? Yes (14) = 70% No (6) = 30%

In figure 4.2.4, illustrate that 14 or 70% is using internet banking and about 6 or 30% is not

using the internet banking.

4.2.5 Where do you access your internet banking?

Home (14) = 66% Office (5) = 24% café (0) = 0% Branch (1) = 5% others (1) = 5%The below figure demonstrated that 14 or 66% respondents access their bank account on the internet, 5 or 24% access their account in the office, no one access its account from the café, 1 or 5% go to bank for any access and 1 or 5% were not accessing it from any of those ways

4.2.5. Who is your network provider?

BT (5) = 24% Talk-Talk (3) = 14% T mobile (2) =10% Sky broadband (5) = 24% others (6) = 28%Below is another figure 4.2.5 that illustrates what network provider do respondents subscribed to. 5 or 24% use BT, 3 or 14% use talk-talk, 2 or 10% of the respondents use T- mobile, 5 or 24% use Sky broadband while respondents who did not use any of the network subscriber are 6 or 28%. It is discovered that ‘others' network provider have more subscribers more than other networks.

4.2.6 What activities do you do using internet banking?

Pay bills (5) =15% Check account (13) =38% Money Transfer (7) =20% Check/Print statement (4) =12% others (5) =15% In this aspect of this questionnaire, it also depicts that so many activities can be carried out on the internet. According to the survey, it was shown that 5 or 15% pay bills online, 13 or 38% check their account, 7 or 20% of the respondent do transfer money to various account, 4 or 12% check or print their statement online and 5 or 15% do some other various things. That goes to show that respondents are using online banking.

4.2.7. How often do you use internet banking?

Once or more daily (2) =10% every other day (9) = 45% Weekly (4) = 20% others (5) = 25%when asked of how many times do respondent use the internet banking. The following was deduced and represented as figure 4.2.8 below,2 or 10% of the respondent said once or more daily, 9 or 45% visit every other day,4 or 20% go there every week and 5 or 25% go any time they feel like going. It is clear now that respondents can visit bank as often as possible.

4.2.8. What difficulties do you encounter when using internet banking?

Denial of service (3) = 13% Loss of service (2) = 9% Intrusion (3) = 13% Loss of information (2) = 9% Interface not user friendly (2) = 9% none (11) = 47% In the figure 4.2.8 below, the study is trying to find out what difficulties the respondents encounter while using internet banking. 3 or 13% of the respondents are faced with denial of service, 2 or 9% or the respondents are face with loss of service, 3 or 13% of the respondents are faced with intrusion, 2 or 9% encountered loss on information, 2 or 9% also encounter interface no user friend and 11 or 47% encounter none of these. Here it is noted that respondents encountered denial of service, intrusion to some certain extent of importance but respondents who encounter none of these and probably might experience difficulties in some other areas are more, almost half of the respondents attended to that.

4.2.9. How often do you visit your bank branch?

Once a day (1) = 5% every other day (6) = 30% Once a week (8) = 40% Once a month (3) = 15% others (2) = 10%Figure 4.2.9 shows the number of times respondents visit their bank branch. 1 or 5% of the respondents visit once a day, 6 or 30% of the respondents visit every other day, 8 or 40% of the respondents visit once a week, 3 or 15% visit the bank once a month and 2 or 10% visit the bank every other time. This shows that all respondents still visit the bank irrespective of their online transactions with respondents who visit the bank once a week with the highest frequency.

4.2.10. What is your main concern about internet banking?

Loss of information (3) =13% Fraud (8) = 35% Insecurity (6) = 26% Data violation. (6) = 26% Others (0) = 0%Figure 4.2.10 below shows the main concern about internet banking by the respondent. 3 or 13% of respondents are concerned about loss of information, 8 or 35% of the respondent are concerned about fraud, 6 or 26% are concerned about data violation and also 6 or 26% of the respondents are concerned about insecurity and 0 or 0% had no concern about others. This demonstrates that majority of the respondents are concerned and aware about internet fraud.

4.2.11. Have you ever been defrauded using internet banking? Yes (5) = 25% No (15) =75%

The figure 4.2.11 below also illustrates whether or not respondents have been defrauded in one time or the other. 25% or 5 of the respondents said yes and 75% or 15 of the respondents said no. This shows that with the 25% or 5 that said yes, there are still some amounts of insecurity on the internet banking.

4.2.12. If YES to Question 13, what action did you take? Otherwise skip question 13.

Report to branch (4) = 80% Report to Police (0) = 0% Stopped using internet banking (1) = 20% others (0) = 0% In Figure 4.2.12 below explains the action taken by the respondents that have fall victim of internet fraud. 4 or 80% of the respondents said they reported to the bank branch. None of the respondents reported to the police, 1 or 20% of the respondents said they stopped using the internet. This proves that 80% of the respondent that reported to the bank branch thought the fault is from the bank.

4.2.13 Do you use your account for your wage? Yes (16) = 80% No (4) = 20%

Figure 4.2.13 below explains those respondents that use their bank account for their wage. 16 or 80% of the respondents chose yes and 4 or 20% of them chose no. This shows that respondents will make one transaction or the other on their bank account either through the traditional way or via the internet banking.

4.2.14. What is your level of income per annum?

Below £20,000 (6) = 30% £ 20,000 - 40,000 (12) = 60% £40, 000 above (2) = 10%Figure 4.2.14 below shows the level of income of respondents per annum. 6 or 30% of the respondents earn below £20,000, 12 or 60% of the respondents earn between £20,000 - £40,000, while 2 or 10% of them earn above £40,000. This demonstrates that for respondents to be earning this much, they will be very conscious of their money in their account not to get lost or disappear when making any form of transactions.

4.2.15. Do you prefer internet banking to visiting your bank branch? Yes (11) = 61% No (7)

= 39%Figure 4.2.15 shows the percentage of the respondents who prefer internet banking to visiting the bank branch. 11 or 61% of the respondents said yes while 7 or 39% of the respondents said no. It then proves that, though it seems internet banking has improved drastically right from its advent, a very meaningful fraction of the respondent still prefer going to the banking to do their various activities.Convenience (9) = 39% Efficient (5) = 22% Fast (5) = 22% Time saving and money (4) =17% others (0) = 0%Figure 4.2.16 shows the reason why respondents that said yes to internet banking prefer it to going to the bank physically. 9 or 39% of the respondents said it is very convenient, 5 or 22% said it is very efficient, 5 or 22% also said it is fast, 4 or 17% said it is time and money saving. None of the respondents chose other reason.

CONCLUSION.

From the analysis or from the collated in chapter 4.It can be deduced that out of the 19 respondents or 95% that have bank account,11 or 52% use Barclays bank, this could say that Barclays might have a better security measures than others to protect their customers from any fraudulent act….explain why Barclays is better compare to any other bank…” its because Barclays bank send an hand held device to all its customers that they use to generate one time password when they want to access their internet account”. One can also deduce that 14 or 70% of the respondent use internet banking, this goes to say that respondents are aware of doing business via the internet, 18 or 90% of the respondents bank have introduced internet banking. 3 or 13% encountered denial of service, this is an indication that banks need to improve as this is a fault from the financial institutions themselves. 5 or 25% said they have been defrauded before at one time or the other. Even though UK banks have improved on their security measures to protect their customers and institutions, 25% of customers defrauded is still a lot of figure that should be concerned about for banking business to continue without any disruption.. From the literature review in table so so so which stated clearly that “don't know how many security incidents occurred over the last 12 month, UK has the highest of 49% against other countries. In lieu of this, 11 or 61% still prefer internet banking to traditional way.

CHAPTER 5

5.0 The Threats

A threat is defined as intentional or unintentional situation or events that affect the organisation system adversely (Connolly and Begg, 1998). The harm can be tangible or --intangible in nature. Tangible harm includes software, hardware or data while intangible are loss of credibility or client confidence. The difficulty to detect all possible threats facing organisation is the problem organisation do encountered. Successfulness of breach of security by any threat must be viewed as critical because this will have certain impact on the organisation. The table below summaries various threats that organisation could encountered with their corresponding consequences on the organization.

Table 5.0 - Examples of threats

Threat

Theft and fraud

Loss of confidentiality

Loss of privacy

Loss of integrity

Loss of availability

Using another person's means of access

Yes

Yes

Yes

No

No

Unauthorised amendment or copying of data

Yes

No

No

Yes

No

Program alteration

Yes

No

No

Yes

Yes

Inadequate policies and procedures that allow a mix of confidential and normal data

Yes

Yes

Yes

No

No

Wire tapping

Yes

Yes

Yes

No

No

Illegal entry by hacker

Yes

Yes

Yes

No

No

Blackmail

Yes

Yes

Yes

No

No

Creating trapdoor into system

Yes

Yes

Yes

No

No

Theft of data, programs, and equipment

Yes

Yes

Yes

No

Yes

Failure of security mechanisms, giving greater access than normal

Yes

Yes

Yes

No

No

Staff shortage or strikes

No

No

No

Yes

Yes

Inadequate staff training

No

Yes

Yes

Yes

Yes

Viewing and disclosing unauthorized data

Yes

Yes

Yes

No

No

Electronic interference and radiation

No

No

No

Yes

Yes

Data corruption due to power loss or surge

No

No

No

Yes

Yes

Fire(electrical fault, lightning strike, arson),flood, bomb

No

No

No

Yes

Yes

Physical damage to equipment

No

No

No

Yes

Yes

Breaking cables or disconnection of cables

No

No

No

Yes

Yes

Introduction of viruses

No

No

No

Yes

Yes

Source: Connelly and Begg, 1998

Some other forms of attack are:

5.1 SNIFFERS

This can also be recognized as network monitors, it is software that cn be used capture keystrokes in a particular computer system. This software is capable of could detecting logon passwords and IDs

5.2 PASSWORD GUESSING

It is used by using some kind software to examination all likely combinations to gain entrance into a network.

5.3 BRUTE FORCE

A procedure to capture messages that are encrypted then using software to gain access to messages by breaking through the code user ID's, and passwords.

5.4 DIALING RANDOMLY

With this technique you can dial any number that exist on the bank telephone exchange. The purpose is to find a modem linked to the network. This can the be used as a point of attack.

5.5 SOCIAL ENGINEERING

An attacker calls the bank's help desk pretending to be an approved user to gain information about the system including passwords changing.

5.6 TROJAN HORSE

A programmer can implant code into a system that will permit the programmer or another person unauthorized entry into the system or network.

A single threat can have multiple effects on the organization for example theft of data, programs, and equipment has the consequences of theft and fraud, loss of confidentiality, loss of privacy and availability. But the presence of many factors such as contingency plans and existence of countermeasures will reveal the extent to which organization will suffer.

Appropriate plans and countermeasure must be initiated by organization after possible threat has been identified and evaluated.

Accidental incident result in most computer breaches and must be recorded with the frequency of occurrence as well as the person by whom it is caused, if frequent, organization should review the procedure or policies through improvement in other to eliminate the future occurrence.

To minimize the impact of threat on organization, risk analysis must be carried out to evaluate every potential threat effectively. (Connelly and Begg, 1998).

5.7 COUNTERMEASURES

The ways of protecting information on system are many, which can be computer-based and non computer-based. In protecting the database from unauthorized access or disclosure the two protections methods are discussed in details.

5.7.1 COMPUTER-BASED CONTROLS

Due to the close relationship between the DBMS and the operating system, it security is as important as that of the operating system. Countermeasure that ranges from physical controls to administrative procedures is used to fight against various threats that face the computer systems.

Since organizations operate in multi-user computer environment and computer-based security for such environment will be discussed. This includes:

  • Authorization
  • Integrity
  • Encryption
  • Associated procedures

5.7.2 AUTHORIZATION

Is enabling a subject to have legitimate access to a system or a system's object as a result of granted right or privilege. It approves what user can access and do and can be built into the software. Subject refers to a user or program and object can be a view, database table, procedure, application or any other object that can be created within the system.

5.7.3 AUTHENTICATION

Individual user account is created by the system administrator to permit users to have access to a computer system. The operating system used the unique identifier created for the user and the password to verify or authenticate the user. This does not grant user access to the database but a similar process is undertaking by the database administrator or staff because access is granted to only information required by the user to perform his or her duty. The unique identifier must be different from that of the operating system.

5.7.4 INTEGRITY

Preventing data from becoming invalid so that a secured database system can be maintained is possible by integrity control.

5.7.5 ENCRYPTION

It is advisable that when a system contains highly sensitive information, it must be encrypted so that unauthorized access, deletion, copying or modification is not possible due to its sensitivity. Information transmitted over the communication lines is also protected. (Connelly and Begg, 1998)

5.7.6 ASSOCIATED PROCEDURES

Having discussed various mechanism used in the protection of information, adequate security is not ensured until they are controlled and properly used. They must be used with identified associated procedures. These procedure are discussed below

5.7.7 AUTHORIZATION AND AUTHENTICATION

The system should contain the encrypted form of the user identifier and password because of the sensitivity to the user. At regular intervals password must be change and must be kept secret not shared and at login time it should not be displayed. Password length must be specified and the use of alpha-numeric character should be implemented.

Access and authorization should change as user job role changes within the organization; this will help in keeping track of authorization and actions.

5.7.8 NON-COMPUTER-BASED CONTROLS

Policies, agreements and other administrative controls are concerned matters that are associated with non-computer-based controls. They are

  • Security policy and contingency plan
  • Personnel controls
  • Secure positioning of equipment
  • Maintenance agreements
  • Physical access controls

5.7.9 SECURITY POLICY AND CONTINGENCY PLAN

Security policy is a high level document written by higher management in an organization to maintain a secure system while contingency plan provide information on how continuous functioning of organization can be possible in any given emergency situation. The two are very essential for organization performance.

5.7.10 SECURITY POLICY

This should address areas like

  • The business area(s) it covers
  • Employees' responsibilities and obligation.
  • The disciplinary action that will result from breach of the policy
  • Procedures that must be followed.

The security policy must be upgraded periodically as changes made to the system.

5.7.11 PERSONNEL CONTROLS

The conduct and attitudes of the people involved are significant when system security is considered, because people are relied on in operating commercial DBMS effectively. It should be noted that internal threats constitute the greatest risk than the external threats, so, in minimizing this adequate controls regarding personnel is required.

5.7.12 SECURE POSITIONING AND STORAGE

Equipment with sensitive information must be locked in a room with access to only authorized personnel such as printer that print sensitive information. Portable equipment should be fastened and alarmed protected to prevent theft. Essential information must be kept offsite in real time to provide for continuous operation in time of disaster.

5.7.13 PHYSICAL ACCESS CONTROLS

The physical access control to information security is divided into two namely the internal controls and the external controls.

5.7.14 INTERNAL CONTROLS

This type of control is used to govern who have access to particular areas of the building and it is applicable within the building e.g. access to the computer rooms. Keys, Cardreaders, entry of a code as well as password are used but for sophisticated techniques fingerprint, eye, voice or handwriting recognition is used. This is now being used by organization with sensitive confidential information.

5.7.15 EXTERNAL CONTROLS

This is controlling access to the site or building itself, which is building surroundings, external control is adopted. Entry and Exist of staff and visitors to the organization is monitored by security personnel through the use of close circuit television (CCTV) visitors badge and book. It should be cost effective and impediment of staff functionalities should be avoided (Connelly and Begg, 1998)

5.8 ETHICAL HACKING

Assurance is still not provided that adequate security had been met until it is evaluated or tested. The way this can be done is through a process called Penetration Testing.Penetration Testing is defined as the process of simulating attacks on network and its systems at the request of the owner, which is the senior management. (Shon, 2008).

5.8.1 WHY CONDUCT A PENETRATION TEST

From a business perspective, penetration testing helps safeguard your organisation against failure, through: Avoiding financial loss through fraud (hackers, extortionists and unhappy employees) or through lost income due to unreliable business systems and processes. Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment. Protecting your brand by avoiding loss of consumer confidence and business reputation. From an operational perspective, penetration testing helps shape information security strategy through: Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

5.8.2 WHAT CAN BE TESTED

All parts of the way that your organisation captures, stores and processes information can be assessed; the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are: Off-the-shelf products (operating systems, applications, databases, networking equipment etc.) Bespoke development (dynamic web sites, in-house applications etc.) Telephony (war-dialling, remote access etc.) Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.) Personnel (screening process, social engineering etc.) Physical (access controls, dumpster diving etc.)

5.8.3 WHAT SHOULD BE TESTED

Ideally, your organisation should have already conducted a risk assessment, so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven't conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public facing systems; web sites, email gateways, remote access platforms etc. Sometimes the 'what' of the process may be dictated by the standards that your organisation is required to comply with. For example, a credit-card handling standard (like PCI) may require that all the components that store or process card-holder data are assessed. The objective s is to evaluate the security strength of financial institutions through the use of tools available to hackers in compromising organization security. The scope of the test is defined by the senior management. A formal letter is always issue to the penetration tester to avoid been jailed if anything goes wrong.The security experts scan all systems and report all vulnerabilities discovered to the senior management for actions. This test is also called Ethical Hacking.

Source: Essay UK - http://doghouse.net/free-essays/information-technology/financial-institutions-banks.php


Not what you're looking for?

Search:


About this resource

This Information Technology essay was submitted to us by a student in order to help you with your studies.


Rating:

Rating  
No ratings yet!


Word count:

This page has approximately words.


Share:


Cite:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay UK, Financial institutions banks. Available from: <http://doghouse.net/free-essays/information-technology/financial-institutions-banks.php> [22-02-19].


More information:

If you are the original author of this content and no longer wish to have it published on our website then please click on the link below to request removal:


Essay and dissertation help

badges