Security advances in banking systems



Security advances in banking systems by MIKE EVANS

Abstract: In retail and international banking, there is a growing demand for up-to-date information. Security is an important factor in all aspects of bank work.

Keywords: data processing, banking, computer networks.

Mike Evans is regional sales manager for Control Data, Financial Information Services.

Automatic teller machines are a good example of the emphasis on physical security.

At a strategic level, computer activity in banking today is concerned primarily with consolidating the information provided by existing systems, to provide a consistent and coherent picture. At the same time, we are conscious that the systems we develop today must provide the basis for the decision support systems which will mark the next major stage of development and, after that, the systems that will be required to implement those decisions.

The fact that, at every stage, new developments rest on the foundations of existing systems perhaps accounts for what may appear as something of a paradox. The emphasis is increasingly on maintaining security through physical and procedural means, particularly where existing networks are being linked; the software side of security has largely been sorted out on the individual networks. The early paranoia about electronic security has gone, dispelled by the performance of these networks in practice, and the emphasis has shifted to the introduction of simple and straightforward security measures, often physical ones.

In this article, I hope to indicate the way in which developments in banking are being supported by technical developments, with particular emphasis on the implications for security.

Banks have always been up in the lead in implementing advanced and sophisticated computer systems; we are now seeing those systems being linked globally. At the same time, the banks are becoming more keenly competitive, and responding with new services and a shift in the emphasis on traditional business areas. These two major factors have made new demands on the suppliers of banking systems, in all areas of the industry.

Retail banking

In the domestic branch bank, front office operations are highly competitive, and increasingly so. Banks no longer have only each other to worry about, now that building societies are developing more and more banking-type services. The current emphasis is on giving customers freer and better access to their money and the bank’s services - witness the number of automatic teller machines (ATMs), (the return of) Saturday opening, and the emergence of home banking systems based on videotex networks, that are noticeable in the UK.

The ATMs are a good example of the current emphasis on physical security. This is the first line of security, after all; it is also relatively cheap to implement, so it repays initial investment. The manufacture of these terminals is the specialism of a small number of companies, who have made a fine art out of tamperproofing. Beyond that, responsibility for security resides in the procedures the bank uses to allocate codes to its customers, to notify them of those codes and in the individual account holder. These make a fairly complex set of security measures before we even get to the implementation of the network and its associated procedures.

0011-684X/85/050034-03$03.00 © 1985 Butterworth & Co (Publishers) Ltd. data processing

ATMs rely on the existence of a good secure branch network. In fact, the new services are really adding value to an existing network. The same goes for home banking, still very much in its infancy. Here, another network is involved - Prestel in the UK - which imposes a further set of security requirements. So far, the home banking systems which exist have tended to be passive, allowing customers to do little other than look at statements and standing orders. This softly-softly approach allows the system to be well tested in practical use before being used on more sophisticated and sensitive applications.

Service element

Technology itself, and particularly some of the new banking networks, have also contributed to the increasing emphasis that banks place on service. Electronic funds transfer (fast and necessarily more secure than previous manual methods) is changing the whole face of banking. With same day clearing of cheques through the Clearing House Automated Payments System (CHAPS) and its counterparts, there is no longer the opportunity to earn interest on overnight money.

So we are seeing banks eager to add new revenue-earning service elements to their business. Mortgages are one such element, portfolio management is another.

To implement these new services successfully requires the banks to get three things right - they need the right level of staff, the right computers and the right procedures. All elements are of equal importance. So we are seeing the banks recruiting marketing personnel, business analysts - and looking for integrated computer systems. That term is used carelessly, and is worth examining more closely.

Up to three years ago most emphasis was on real-time systems. These gave a bank the ability to find out the current status of all its activities - for example, it could look at the amount of its loan debt to Mexico. Now users want to go a stage further; if they are concerned about Mexico, they also want to know what individual Mexicans owe the bank. Take another example. It is relatively easy to obtain information on the outstanding risk with a portfolio in three European countries - but the way international finance works, with back to back deals, means the ultimate risk could reside with quite another country.

That is the level of information integration managers want today. It is an enormous demand to place on a computer system, and indeed the supplier - and one which, incidentally, has thinned the field of suppliers considerably.

The process of integration is helped, at Arbat, by the fact that in the Series 700 we have a spectrum of systems which will run side by side on the same hardware. So we have message switching systems running with text editing and database management software, alongside electronic mail, as well as the banking-specific systems. So the structure is all there for building full electronic banking systems with gateways into other relevant local, national and international networks.

You really need that skeleton of systems, before you can put on the flesh of full integration - if you do not have it, as a supplier, you probably cannot attempt that level of consolidation.

Productivity

Integration of functions also helps support the banks’ target of greater productivity - getting maximum effect from existing staff, in other words. The electronic transfer of funds means that everything is generated electronically from input at front office, the funds travelling by telex, message switch or Society for Worldwide Interbank Financial Telecommunications (SWIFT).

I said earlier that security problems had largely been solved on individual networks. Each component here has its own level of security - that is a major design criterion, and all these networks are well-proven in use. But there have been software developments recently which have greatly enhanced the security of information where discrete systems are electronically linked.

Traditionally, the integrity of telex communications between banks is maintained by a system of test keys. Information included in the message is coded according to a system agreed between the sending and receiving banks, and the resulting key included in the telex. On receipt, the process is gone through again and if the keys match, the recipient knows the message has not been tampered with en route.

That manual system was extremely effective but it was also very demanding on staff resources, as it managed to combine repetition with a high level of stress.

We developed an online system to do the same job much faster. It is interesting to note that as far as security is concerned, the computer system is no more and no less secure than the manual. Any frauds have to happen before the key is encoded, just as with the manual telex system. That takes us back to physical security again.

vol 27 no 5 june 1985

The requirement in foreign exchange dealing is to capture data quickly.

The financial community has, to a great extent, recovered from the almost paranoic state which overtook it when extended networks were first introduced. It was this that gave birth to the encryption devices which caused such operational problems. As a far simpler and more satisfactory technique, authentication has eased encryption out of the picture.

While wire tapping - the corruption of information in electronic transit - is not a problem, accidental corruption during electronic transmission is. SWIFT uses an authentication process, by which a number is agreed with the correspondent, processed by an agreed algorithmic process, and appended to the message. The recipient’s computer reverses the process.

SWIFT has imposed a standard in this process, something that the telex never could do. Everyone has to adopt a common format for the date, for example, which prevents ambiguities and errors.

The standardized interbank message, combined with the authentication procedures, is a particularly straightforward and successful security measure.
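The telex test key and the SWIFT authentication described above are the same kind of check: both correspondents derive a value from agreed message fields and a shared secret, and the recipient compares. The sketch below is an added illustration, not taken from the article or from any bank's system; HMAC-SHA256 stands in for the unspecified agreed algorithm, and the key, bank names and field layout are constructed for the example.

```python
import hashlib
import hmac
from datetime import date
from decimal import Decimal

# Constructed sample key: stands in for the secret agreed between correspondents.
SHARED_KEY = b"constructed-bilateral-key-for-demo"

def canonical(msg: dict) -> bytes:
    """Serialise the fields in one fixed order and format (the 'common format')."""
    value_date = msg["value_date"]
    if not isinstance(value_date, date):
        raise TypeError("value_date must be a date, not free text")
    amount = Decimal(msg["amount"]).quantize(Decimal("0.01"))
    fields = [
        msg["sender"], msg["receiver"], str(msg["sequence"]),
        msg["currency"].upper(), f"{amount:.2f}", value_date.strftime("%Y%m%d"),
    ]
    # Length-prefix each field so "AB"+"C" and "A"+"BC" cannot collide.
    return b"".join(len(f).to_bytes(2, "big") + f.encode("ascii") for f in fields)

def authenticator(msg: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute the value appended to the message."""
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()

def verify(msg: dict, received: str, key: bytes = SHARED_KEY) -> bool:
    """Recipient side: recompute from the received fields, compare in constant time."""
    return hmac.compare_digest(authenticator(msg, key), received)

def demo() -> dict:
    original = {"sender": "BANKA", "receiver": "BANKB", "sequence": 1041,
                "currency": "usd", "amount": "250000", "value_date": date(1985, 6, 3)}
    tag = authenticator(original)
    altered = dict(original, amount="950000")  # changed or corrupted in transit
    reformatted = dict(original, currency="USD", amount="250000.00")
    return {
        "intact": verify(original, tag),
        "altered_in_transit": verify(altered, tag),
        "same_payment_other_spelling": verify(reformatted, tag),
        "wrong_key": verify(original, tag, b"another-correspondent"),
        # An amount falsified before the key is computed authenticates cleanly.
        "altered_before_keying": verify(altered, authenticator(altered)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30} {'accepted' if ok else 'rejected'}")
```

The last case is the article's point that fraud has to happen before the key is encoded: the authenticator protects the message in transit, not the data entry that precedes it.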

Foreign exchange

The requirement here is to capture and record information at speed. The availability of a number of different information networks is a mixed blessing for the exchange dealers, since they can end up with a desk full of terminal equipment.

As a profession, dealers have not taken happily to keyboard technology. The best solution seems to be a pad and sensors.

Foreign exchange is proving an increasingly demanding area for the system supplier. Managers are starting to ask for ‘what if?’ information, while the computer systems are still geared to ‘what is’. There is a necessary interim stage to be gone through, however.

Trading in money is now a 24-hour business - it follows the sun. The national and international networks are now in place to pick up the information, the next stage is to pull it all together through global networks. SWIFT 2 is instrumental in this area. After 1988, we shall see the implementation of global networks capable of supporting the banks’ own applications, and providing complex links with all areas of the world.

Banks will be able to use their own applications for cash management, consolidation, and so on, and at this stage the management business decision system, capable of answering ‘what if?’ will be required.

Back office

Perhaps a more mundane area, but the back office is where the real workhorse systems of the banks are installed and integration is key here, too. Information entered by a currency dealer updates customer limits, in real time, and updates currency forward limits. The system generates settlement instructions, management reports for loan officers, portfolio analysts, performs revaluations (at end of day, or during the day) as the value of the stock holding of currency changes. Some banks also want to accrue profits on a daily basis; the interest on interest bearing accounts needs to be calculated.

Audit is a back office function too. Auditors want a history of everything that took place, when it happened and who initiated it. We believe that, on average, audit control makes up 15-20% of any banking computer system. While internal audit depends on the individual bank, the statutory requirements such as the returns which each bank makes to the Bank of England impose fairly rigid requirements for computer systems.

There are, of course, many other back office activities which are common to all industries - administration, personnel, and so on, and similar levels of security apply, particularly on a physical level.

Overall, I have presented a fairly sanguine picture of security: it is not, however, a complacent one. There are one or two areas which do give cause for extra concern. Remote data entry, for example, will present a number of security problems, on a physical and procedural level as well as the electronic.

And possibly ironically for the computer supplier, one of the areas where electronic security needs to be tightest is where centralized support is provided by dial in lines - our procedures really come under the microscope here, and we can only get the required access by satisfying very exacting criteria.

Control Data, Financial Information Services, 160 Queen Victoria St, London EC4B 4DA, UK.