HDFC case

Housing development finance corporation (HDFC), India’s leading housing finance company, HDFC Bank is one of India’s premier banks providing a wide range of financial products and services to its customers across over three hundred cities using multiple distribution channels including a Pan-India network of branches, ATMs, phone banking, net banking and mobile banking. By the end of 2007, the bank had a network of 754 branches and 1,906 ATMs in 327 cities. For the quarter ended December 31, 2007, the bank reported a net profit of Rs. 4.3 billion, up 45.2%, over the corresponding quarter of previous year. Total balance sheet size too grew by 46.7% to Rs.1, 314.4 billion. Beginning in late 2006, it was reported that a large number of Indian bank customers of had received emails, which were falsely misrepresented to have been originated from their bank. In August 2007, HDFC was the fourth Indian bank to encounter this online fraud, known as 'phishing.” The recipients of the emails were told to update their bank account information on some pretext. These emails included a hyperlink within the email itself and a click to that link took recipients to a web page, which was a fake look alike to the bank’s web page. The key issue was some of the unsuspecting recipients responded to these mails and gave their login information and passwords. Later on, through net banking and by using the information collected, a large number of illegal/falsified transactions took place. Vulnerabilities in bank security include: single layer access controls on some accounts, outdated SSL encryption, and flawed anti-phishing mechanism in system design. The online security consisted of the use of a user ID and password, namely the first level of security. Phishing occurred which affected 28% of customers who were banking online. HDFC's plan to implement a second level of authentication posed a problem with dormant online accounts. Dormant accounts were vulnerable to attacks because