ComplianceOnline

Singapore Internet Banking and Technology Risk Management Guidelines Security and Control Objectives – Summary of Requirements

  • By: Staff Editor
  • Date: March 28, 2013

The Monetary Authority of Singapore published its Internet Banking and Technology Risk Management guidelines in June 2008. This article provides an overview of the security and control objectives that the guidelines detail.

Denial of Service attacks, spoofing, spamming, phishing, key-logging, hacking, middleman (man-in-the-middle) interception, mutating viruses and worms, and other malware pose serious risks to the technology platforms that banks rely on. As banks grow in size and operations and expand into new geographies, these challenges grow with them. Banks must be able to assure their customers that every online funds transfer is reliable, protected from these threats, and authentic and legitimate.

Banks have to establish a security strategy that fulfills the following security objectives:

  1. Data confidentiality
  2. System integrity
  3. System availability
  4. Customer and transaction authenticity
  5. Customer protection

These are explained in detail below:

1. Data Confidentiality

  • The encryption used by a bank's online system should be appropriate to the type and extent of risk its network, systems and operations face.
  • Banks should only choose encryption algorithms that are in accordance with recognized international standards.
  • The algorithms should have been subject to rigorous testing by an international community of cryptographers, or approved by authoritative professional bodies, reputable security vendors or government agencies.
  • Cryptographic keys that are used – master keys, key encrypting keys or data encrypting keys – must be protected.
  • No individual alone should know what the keys are or have access to all the parts that comprise the keys.
  • Keys should be created, stored, distributed or changed under the strictest and most secure conditions.
  • Data sensitivity and operational criticality should determine the frequency of key changes.
  • The most secure way to carry out encryption and decryption is on hardware security modules and similar tamper-resistant devices. Other methods that are equally secure are also acceptable.
  • Encryption protecting the customer's PIN and other sensitive data should remain intact from the point of data entry to the final system destination where decryption or authentication is carried out.
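As an added illustration (not the guidelines' or the article's own code), the split-knowledge rule above in Python: the master key is dealt out as random XOR components so no custodian holds, or can derive from their own part, the whole key, and a key check value lets the recombined key be verified without exposing it. The HMAC-SHA256 fingerprint used as the check value is this example's own choice, not a standard KCV.

```python
import hashlib
import hmac
import secrets

# Constructed example: a 256-bit master key split among key custodians.
# XOR of all components reproduces the key; any subset short of all of them
# is statistically independent of the key, so it reveals nothing about it.
KEY_BYTES = 32

def xor_all(parts: list[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("component length mismatch")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc

def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Return `custodians` components whose XOR equals `key`."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # All but the last component are uniformly random ...
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # ... and the last one is whatever makes the XOR come out to the key.
    parts.append(xor_all([key] + parts))
    return parts

def key_check_value(key: bytes) -> str:
    """Short fingerprint of a key (this example's choice: HMAC over a zero block)."""
    return hmac.new(key, b"\x00" * 16, hashlib.sha256).hexdigest()[:6]

def combine(parts: list[bytes], expected_kcv: str) -> bytes:
    """Recombine components inside the key-loading ceremony and verify the KCV."""
    key = xor_all(parts)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("KCV mismatch: a component is missing or corrupted")
    return key
```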

2. System Integrity

  • Online banking system integrity – the accuracy, reliability and completeness of information processed through online banking systems – should be properly maintained, in a manner consistent with the complexity of a bank's online operations.
  • Banks should install monitoring/surveillance systems that raise alerts if unusual online transactions or other erratic system activities take place.
  • The following controls should be implemented in order to maintain the integrity of an online banking system:
    • Logical access security – these are preventive and detective measures that restrict a user’s access to data/information to only what is permitted
    • Physical access security – these controls include preventive measures which grant selective physical access to specific individuals.
    • Processing and transmission controls – these can be preventive, detective or corrective in dealing with errors, irregularities or deviations.

3. System Availability

  • Users should be able to use online banking systems for transactions 24/7 throughout the year – this means that ideally there should be zero downtime.
  • Banks, their service providers and vendors have to make sure that they have ample resources and hardware and software capacity to deliver consistently reliable service.
  • Front-end and back-end systems should have the same availability profile to provide reliable service to customers.
  • Banks should maintain standby hardware, software and network components that are necessary for fast recovery in case of system damage or malfunction.
  • In order to ensure availability of services, management should ensure that procedures and monitoring tools are in place to track:
    • system performance,
    • server processes,
    • traffic volumes,
    • transaction duration and
    • capacity utilization.

4. Customer and Transaction Authenticity

  • Banks should implement two-factor authentication at login for all types of internet banking systems and for authorizing transactions.
  • Banks should also require the repeated use of the second authentication factor by the customer for high value transactions or for changes to sensitive customer data. Second authentication tools include one-time-passwords. Sensitive data in this case can include office and home addresses of the customer, email and telephone contact details.
  • Authenticated sessions and the accompanying encryption protocols should remain intact throughout the customer's interaction with the online system.
  • If there is any sign of interference during the session, it should be terminated.
  • Customers should be promptly notified of such incidents, either at the conclusion of the session or subsequently via email or telephone.
  • Cryptographic functions, algorithms and protocols should be used to authenticate logins and protect communication sessions between the customer and the bank.
  • The bank should implement second channel procedures in case of:
    • Transactions above pre-set values
    • Creation of new account linkages
    • Registration of third party payee details
    • Changing account details or
    • Revisions to funds transfer limits
  • Other security mechanisms to be used to authenticate a bank’s website from the customer end include:
    • Personal assurance messages/images
    • Exchange of challenge response security codes or
    • The secure sockets layer (SSL) server certificate verification

5. Customer Protection

  • The bank must authenticate and verify the customer's identity before granting access to sensitive customer data (such as personal details) or online banking functions.
  • Customer data that is very sensitive consists of personal details of the customer and the details of his bank account.
  • Banks should, as part of the two-factor authentication architecture, implement measures to minimize exposure to a middleman attack, more commonly known as:
    • man-in-the-middle attack (MITMA)
    • man-in-the-browser attack or
    • man-in-the-application attack
  • Banks should not distribute software to their customers via the internet or through a web-based system unless they can provide adequate security and safeguards for the customers.
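As an added example (not from the guidelines or this article), a transaction-authorization gate in Python that applies the second-channel triggers listed under Customer and Transaction Authenticity and, for the middleman concern above, binds the one-time password to the amount and payee, so a code captured or relayed by a man-in-the-browser does not authorize an altered transfer. The threshold, field names, the HMAC-SHA256 transaction digest and the transaction-bound variant of RFC 4226 HOTP are this example's own assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

HIGH_VALUE_LIMIT = 5_000   # constructed "pre-set value" (assumption, not from the guidelines)
OTP_STEP = 30              # seconds each one-time password stays valid (assumption)
OTP_DIGITS = 6

@dataclass
class Transaction:
    amount: float
    payee: str
    new_payee: bool = False
    new_account_link: bool = False
    changes_account_details: bool = False
    changes_transfer_limit: bool = False
    def digest(self) -> bytes:   # what the customer confirms: amount and payee
        return hashlib.sha256(f"{self.amount:.2f}|{self.payee}".encode()).digest()

def needs_second_channel(tx: Transaction) -> bool:
    """The five triggers the guidelines list for second-channel confirmation."""
    return (tx.amount > HIGH_VALUE_LIMIT or tx.new_payee or tx.new_account_link
            or tx.changes_account_details or tx.changes_transfer_limit)

def hotp(secret: bytes, counter: int, context: bytes = b"") -> str:
    """RFC 4226 HOTP; a non-empty `context` binds the code to that data."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + context, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

def transaction_otp(secret: bytes, tx: Transaction, now: float) -> str:
    """Time-based OTP that also commits to the amount and payee a MITM might alter."""
    return hotp(secret, int(now // OTP_STEP), tx.digest())

@dataclass
class Authorizer:
    secret: bytes                            # shared with the customer's OTP token
    used: set = field(default_factory=set)   # consumed time steps (replay guard)
    def authorize(self, tx: Transaction, otp=None, now: float = 0.0) -> bool:
        if not needs_second_channel(tx):
            return True                      # login-time 2FA already covers it
        step = int(now // OTP_STEP)
        if otp is None or step in self.used:
            return False
        if not hmac.compare_digest(transaction_otp(self.secret, tx, now), otp):
            return False                     # wrong code, or amount/payee were tampered
        self.used.add(step)                  # each code authorizes exactly one transaction
        return True
```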

Additional Resources

The full Singapore Internet Banking and Technology Risk Management Guidelines are published by the Monetary Authority of Singapore.
