P r i n c i p l e 1 1 :
Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the bank's identity and
regulatory status prior to entering into e-banking transactions.
SAMA requires all banks to protect customers against fraudulent websites:
Entity authentication procedures should be implemented to avoid the capture of customer's authentication data and financial information.
Controls should be implemented to protect essential records and information from loss, destruction and falsification.
Banks should raise customer awareness on the risk of fraudulent websites. It is key in educating the customer. In this regard, the usage of recognisable SSL certificates and a URL with recognisable link to the bank (i.e. in published bank literature) is encouraged.
P r i n c i p l e 1 2 :
Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdictions to which the bank is providing e-banking products and services.
Banks should ensure that the provision of services in any particular jurisdiction takes into account any additional safeguards necessary to protect the customer's (and the bank's) privacy in that jurisdiction. Data privacy laws may not be consistent across the world, but the laws under which the bank and their customers operate still demand equivalent protection. The remote legislation might also impose controls which are not required by the local legislation.
Banks desirous of engaging in cross-border e-banking activities should understand the challenges and risks associated with such business and take adequate measures to effectively manage these risks.
P r i n c i p l e 1 3 :
Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.
Banks are expected to develop plans for maintaining or restoring business operations in appropriate time scales following interruption to, or failure of, critical business processes.
All contingency plans should be part of a consistent business continuity framework.
Each plan should:
Identify priorities for testing and maintenance.
Clearly specify the conditions for its activation, as well as the individuals responsible for executing each component of the plan.
Identify and agree responsibilities and emergency procedures.
Include the regular tests and updates of the plan.
In addition, Banks should build up an appropriate disaster recovery plan, including at a minimum:
An offsite backup infrastructure.
A documented and tested recovery procedure.
Regular tests to ensure that recovery is within the maximum allowable outage (defined by the bank).
SAMA requires banks to develop capacity plans (scalability) to ensure the accommodation of future growth in e-banking. Banks have to set up appropriate capacity planning in order to support the evolution of transaction with acceptable response times. The planning will be focused on the level of capacity to be provided at each stage of the production or service delivery. Capacity planning addresses the the issue of unpredictable workload/volume of traffic due to the future evolution of the e-business to produce a competitive and cost-effective architecture and system.
The capacity building plan of a bank should cover the following at a long, medium and short term horizon:
the expected storage capacity of the system and the amount of data retrieved, created and stored within a given cycle.
the number of on line processes and the estimated likely contention.
the required performance and response required from both the system and the network i.e. the end to end performance.
the level of resilience required and the planned cycle of usage - peaks, troughs and average.
the impact of security measures e.g. encryption and decryption of all data.
the need for continuous (24x7x365) operations and the acceptability of downing the system for maintenance and other remedial work.
Redundancy to be built in the system planning infrastructure.
Threshold mark for the system resource utilization should be defined while doing the capacity planning.
P r i n c i p l e 1 4 :
Banks should develop appropriate incident response plans to manage, contain and minimise problems arising from unexpected events, including internal and external attacks, which may hamper the provision of e-banking systems and services.
SAMA believes that appropriate management of incidents is key for safe and sound e-banking in Saudi Arabia.
Banks should encourage Incident reporting from all parties especially from customers. They should introduce a special section on their websites for such purpose.
Banks are strongly advised to develop incident response plans, including at a minimum:
Mechanism to detect incidents as soon as they occur, assess their materiality, and control the risk associated with any disruption in service (special focus on reputation).
Have the ability to protect their online customers from online fraud.
Have the ability to protect their online identity from illegitimate use.
Have the ability to prevent, detect and respond to online fraud attempts and brand misuse.
Documented and tested procedures that enable a fast reaction to detected incidents and limit the probability of recurrence.
A communication plan to ensure that all relevant external parties, including a bank’s customers, counterparties and the media, are informed in a timely and appropriate manner on material e-banking disruptions and business resumption developments without creating any panic in the minds of public.
An employee training plan to ensure that staff is sufficiently trained in analyzing incident detection/response systems and interpreting the significance of the related output.
In addition, incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents.
Furthermore, the exchange of information and sharing of experience between banks and other parties is encouraged. The banks are also encouraged to participate in the incident response initiative managed by the Banking Committee for Information Security (BCIS).
Appendix 1
Glossary
Senior management
Senior management is any personal occupying general manager position or above. Authentication
A feature of Internet Security software that seeks to verify the identity of a person or process.
Bandwidth
The amount of data that can be transmitted in a fixed amount of time. For analog devices, the bandwidth is expressed in cycles per second, or Hertz (Hz). And for digital devices, the bandwidth is usually expressed in bits per second (bps) or bytes per second.
Bits per second (bps)
The units at which the transmission speed of data is measured as the bits are transmitted over a communications medium.
Broadband
A type of data transmission in which a single medium (usually a wire) can carry several channels at once. Cable TV, for example, uses broadband transmission.
Browser
A program used to access and display documents from the Web and other Internet resources. Popular browsers include Netscape and Internet Explorer.
Cookie
A packet of information that is sent by a HTTP server to a client's browser and then sent back by that browser each time the client accesses the server. Typically they are used to identify, track a registered user of a website without requiring them to sign on each time they access that site.
Domain name
That part of the Internet name that specifies your computer location in the world, written as a series of names separated by full stops.
Encryption
Encoding of data travelling across the Internet to prevent it from being read by unauthorized recipients.
FB’s
Foreign Banks Firewall
A security measure on the Internet, protecting information, preventing access, or ensuring that users cannot do any harm to the underlying computer systems.
Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall which examines each message and blocks those that do not meet the specified security criteria.
FTP
File Transfer Protocol, one of the protocols on the Internet, which allows for very efficient transfer of entire data files between computers.
HTTP
(Hyper Text Transport Protocol)
A set of rules that provide the means of communicating, moving hypertext files on the World Wide Web. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. Requires an HTTP client program on one end, and an HTTP server program on the other end. HTTP is the most popular protocol used in the World. You can normally see the http at the beginning of each web address.
HTML
HyperText Markup Language is a convention for creating documents on the World Wide Web. HTML files usually have the extension .HTML or .htm.
Hyperlink
An element in an electronic document that links to another place in the same document or to an entirely different document. Typically, you click on the hyperlink to follow the link.
Internet
The worldwide organization of computer networks stretching across the world, linking computers of many different types and protocols. The Internet provides file transfer,
remote login, electronic mail, news, and other services. No one organization has control of the Internet.
Internet service provider
An organization that offers a server computer and the software needed to access the Internet for a fee.
Intranet
A private Internet-like network internal to a particular organization, usually not accessible to the unauthorized public.
Java
A programming language used to create mini programs (known as applets), which are automatically downloaded when you come across a Java-enhanced WEB site.
Sun Microsystems developed it, and it is now used in several online games and to animate some images.
Junk or chain e-mail
Unsolicited commercial email, also called "spam".
Chain e-mail messages have the same content as chain letters but are sent through e-mail networks rather than the Mail. A chain message, or chain e-mail, is defined as any message sent to one or more people that ask the recipient to forward it to multiple others and contains some promise of reward for forwarding it or threat of punishment for not doing so.
Modem
A piece of equipment that connects a computer to a data transmission line - typically a telephone line. Usually people use modems that transfer data at speeds ranging from 1200 bits per second (bps) to 19.2 kbps.
Wireless devices have limitations that increase the security risks of wireless-based transactions and that may adversely affect customer acceptance rates.
PC banking
A form of online banking that enables customers to execute bank transactions from a PC via a modem. In most PC banking ventures, the bank offers the customer a proprietary financial software program that allows the customer to perform financial transactions from his or her home computer. The customer then dials into the bank with his or her modem, downloads data, and runs the programs that are resident on the customer’s computer. Currently, many banks offer PC banking systems that allow customers to obtain account balances and credit card statements, pay bills, and transfer funds between accounts.
Phishing
The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information.
Phishing, also referred to as brand spoofing or carding, is a variation of “phishing,”
the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted to bite.
Phone Banking
To access a Bank's network(s) using cellular phones, pagers, and personal digital assistants (or any similar devices) through telecommunication companies’ wireless networks. Wireless banking services supplement e-banking (Internet banking) products and services.
PIN
Personal Identification Number. Some Banks may use PIN as a synonym for password.
Protocol
A set of rules for the exchange of data between a terminal and a computer or between two computers.
Proxy
A device used to access the Internet around a "fire wall" put up to ensure security in a large system/network.
PKI
Short for public key infrastructure, a system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity
of the parties involved in an Internet transaction. PKIs are currently evolving and there is neither a single PKI nor even a single agreed-upon standard for setting up a PKI.
Search engine
A program that allows you to do keyword searches for information on the Internet.
Security certificate
An attachment to an electronic message that is used by the SSL protocol to establish a secure connection and to verify the identification of the individual/organization.
Senior management:
Senior management is any personal occupying general manager position or above.
SET, Secure Electronic Transaction
Secure electronic transaction (SET) is a standard protocol for securing credit card transactions over insecure networks, specifically, the Internet. SET was developed by VISA and MasterCard (involving other companies such as GTE, IBM, Microsoft and Netscape) starting in 1996.
SET makes use of cryptographic techniques such as digital certificates and public key cryptography to allow parties to identify themselves to each other and exchange information securely.
SET was heavily publicised in the late 1990’s as the credit card approved standard, but failed to win market share. Reasons for this include the need to install client software (an e-Wallet), its cost and complexity for merchants to offer support and the comparatively low cost and simplicity of the existing, adequate SSL based alternative.
Sniffing, packet sniffing
Packet sniffing is a form of wiretap applied to computer networks instead of phone networks. It came into vogue with Ethernet, which is known as a "shared medium"
network. This means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone’s traffic.
Spoofing, Spoof Websites
Also known as brand spoofing or carding, is a variation of “phishing,” a form of cyber crime. The idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted to bite.
SSL
Short for Secure Sockets Layer , a protocol developed by Netscape Communications to enable encrypted, authenticated communications across the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection.
Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
In an SSL connection, each side of the connection must have a Security Certificate,
which each side's software sends to the other. Each side then encrypts what it sends using information from both its own and the other side's Certificate, ensuring that only the intended recipient can de-crypt it, and that the other side can be sure the data came from the place it claims to have come from, and that the message has not been tampered with.
Token
In computing, a token is a virtual object that is passed between computers or other devices on a network and similarly authorizes them to communicate. Only the device with the token may communicate, to avoid clashing with other devices.
In computer security, token technology uses devices with embedded microchips containing information about the owner to determine security clearance. Tokens can be items such as key rings, buttons, jewelry and smart cards.
In the Windows NT family of operating systems, a token is a system object representing the subject of access control operations.
URL
Universal Resource Locator is an address that completely defines a resource of the World Wide Web. A URL has four elements:
1. The service - HTTP or FTP or a few others
2. The host - the computer that handles the resource
3. The port number (often not necessary because it defaults according to the service requested).
4. The path and filename of the resource.
URL format is: service://hostport/path.
WWW
The World Wide Web, also called the Web or W3, is a system of Internet servers that support specially formatted documents. The documents are formatted in a language called HTML that supports links to other documents, as well as graphics, audio, and video files. This means you can jump from one document to another simply by clicking on hot spots. Not all Internet servers are part of the World W ide Web.