E-Banking: A Malaysian Legal Paradigm
Abstract
E-banking in Malaysia is growing rapidly with the fast development of Information and Communication Technology (ICT) infrastructure under the Multimedia Super Corridor (MSC). Malaysian banks have stepped into e-banking to cater to the needs of innovative customers. Having started with ATM facilities in 1981, they have recently introduced Internet banking as another new product, regardless of the fact that only 7% of the Malaysian population has access to the Internet. Aside from highlighting world e-banking trends and the future of e-banking in Malaysia, the paper will investigate and analyze e-banking in Malaysia, the security products, the security threats, and the legal response to the abuse of e-banking.

1. Introduction

Information and communication technology has touched every aspect of the lives of people around the globe. The use of IT has contributed to greater development and marvelous achievement in business, the economy and the banking industry. More and more people now depend on computers to carry out their financial transactions. Information technology (IT) developments have revolutionized the banking sector. This revolution in turn has resulted in new delivery channels for banking products. With the introduction of Automated Teller Machines (ATM) in 1981, the Malaysian banks started their journey towards this technology revolution. The successful implementation of ATMs paved the way for the introduction of Tele-banking and PC-banking in the 1990s. Following this, Internet banking was launched in June 2000. It is anticipated that the introduction of e-banking will provide a faster and cheaper delivery method.

However, the use of computers and computer technology has raised the question of security. Researchers all over the world have painfully admitted that computer crimes are growing rapidly. Due to security breaches, companies, especially financial institutions, are not just suffering financial losses, but may also have to stop operation due to intrusion.
To avoid this, the commercial banks are trying to equip themselves with proper security countermeasures such as encryption, firewalls, SSL and SET in order to compete and carry on in this electronic business environment. The Computer Crimes Act, 1997 was passed to punish criminals in the event of intrusion, but the effectiveness of this Act is yet to be seen. Aside from highlighting world e-banking trends and the future of e-banking in Malaysia, the paper will investigate and analyze e-banking in Malaysia, the security products, the security threats, and the legal response to the abuse of e-banking.

[1] Carter, D.L and Katz, A.J., Computer Crime Categories, FBI Law Enforcement Bulletin, Jul, 15, Vol. 64, Issue 7, p. 21

2. E-Banking - World Overview

The UK was the first country in Europe to open the door to e-banking. In the UK, there were 11,000 bank branches in 1999, but in 2000 the number dropped to only 7,400. According to the report released by the International Data Corporation, around 2.5 million will bank online by year 2000 and it will increase dramatically in the subsequent years. The International Data Corporation statistics [2] imply a twelve-fold increase in the provision of online banking services between 1998 and 2000. Thirty-nine of the top hundred US banks currently provide "fully functioned Internet banking", a total more than double that of one year ago.

According to Datamonitor, the proportion of Europeans using e-banking channels is quite impressive. In 2001, 3.1 million people in England, 1.5 million in Sweden, 2.5 million in Germany and 0.8 million in France were using e-banking channels. Another report by International Data Corporation shows that the number of users of online banking is on the rise. In 2000, 18.6 million people had used e-banking; the anticipated number in 2002 is 37.8 million, and in 2004 it is expected to reach 57.9 million. In the United States in the year 2000 the number was 9.9 and in year 2004 it would be 22.8.
In Japan, the number of people using e-banking will increase from 6.5 in 2001 to 21.8 million in the year 2004. The Asia Pacific region excluding Japan is anticipated to reach 13.8 million in the year 2004. The report shows that more and more people are using e-banking and therefore there is a need for a safer and easier way of conducting transactions.

In 1999, the FBI survey on Internet security showed that the majority of the 98% of users were facing vandalism problems, whereas 27% faced financial fraud and another 25% encountered theft of transaction information. The banks are currently using high-level encryption and SSL, but few are using SET. Since SET is more comprehensive but slow to respond, only corporate institutions are using it. It would be better for the banks to educate and encourage consumers in general to use SET. The banks can at the same time fund research in this area of security so that they can make way for secure and easier transactions.

A survey conducted by American Express/International Communications Research shows that security and privacy of transactions was the main concern of customers in any e-transaction. 79% of the respondents raised their concern over this issue; among the respondents, 85% from the US, 72% from Japan and 78% from the UK.

As far as the Middle East countries are concerned, the growth of e-banking is still in its infancy, being offered locally by only a handful of banks, according to NEWTEK [3], the region's leading 'net' business consulting and technology solutions specialist. However, it should be noted that Dubai is leading the e-banking industry in the region.

[2] http://www.ePaynews−ePayment Resources Center−eCommerce Statistics.html
[3] http://www.dit.net/itnews/newsOct2000/51.html

3. Development of Electronic Banking in Malaysia

In 1981, Malaysian banks introduced Automated Teller Machines (ATM) to relieve time and geographical constraints.
This ATM technology, according to Balachandran, created a revolution by extending banking hours beyond office hours. Today, ATMs can be used for balance enquiry, cash withdrawal, transfer of funds, bill payments, making payments for applications for initial public offerings on the Kuala Lumpur Stock Exchange, and for making cash and check deposits. Later, due to the high costs involved in operating ATMs and the duplication of services at many off-branch premises, the banks came together to establish an ATM network switch. This network is called the Malaysian Electronic Payment System (MEPS). Since its establishment, customers can access their accounts via any ATM belonging to the MEPS network.

In 1992 another service delivery method was introduced, namely Tele-banking. Customers are able to perform transactions, except withdrawals, which is a popular service used by customers, by dialing in from a touch-tone telephone or mobile communication. This eventually connects to an Automated Voice Response (AVR) technology. Despite the convenience offered by Tele-banking, the Malaysian banks showed little interest in this service. By 1999, only 10 banks out of 38 had offered a Tele-banking service. This runs contrary to the experience of the banks in developed countries. For example, the Dominion Trust of Canada introduced Tele-banking in 1993 under the name Quick Serve and it was a great success. The failure of this delivery channel in Malaysia is mainly due to poor public response to the service.

A few Malaysian banks, regardless of the failure of Tele-banking, went ahead and ventured into PC-based banking. The system operates by subscribing to and dialing into the bank's Intranet via a proprietary software system. Customers are able to make use of this service from home, office or any convenient place. Unfortunately, this was common only among corporate customers rather than individuals.
This is due to the fact that PC-banking has the advantage of reducing cost.

The multimedia kiosk was introduced by Phileo Allied Bank as another e-banking innovation. These kiosks incorporated information counters, ATMs, the banking and banking booths. The same bank introduced the virtual multimedia bank kiosks that led to the introduction of Internet banking. Phileo Allied and Maybank are the pioneers in Internet banking. Now, Phileo Allied via eone.com, Maybank via maybank2u.com, Southern bank via ecbanking.com, and Hong Leong bank via SBB.com are providing full-fledged Internet banking. This online banking allows customers to check their balance, make credit transfers and pay bills. Quite a number of banks did not go for Internet banking, but they maintain a web site to provide online information about their products and services. [6]

4. Security Measures implemented in Electronic Banking

In e-banking, security is an important concern. The success of e-banking depends on the security measures undertaken by the banks. Customers must be assured that the confidentiality of their transactions is maintained. The banks in Malaysia have incorporated some security measures to protect transactions from being abused or hacked. They employ Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) for transactional level security, while they employ firewalls and passwords for system level security.

[4] Balachandran and Balachandher, "E-Banking Developments in Malaysia: Prospects and Problems", J.I.B.L, 2000, p. 250
[5] Huff L. Sid, "Cases in E-Commerce", McGraw Hill, USA, 2000, p. 365
[6] Balachandran and Balachandher, "E-Banking Developments in Malaysia: Prospects and Problems", p. 253.

Customers accessing the e-banking system from their computers will have to go through the encryption provided by SSL (from their browsers).
The message will then pass through an external firewall, after which the customer logs on to the e-bank server with a unique ID and password. This information is transmitted further to the application server after it passes an internal firewall. The authorized customer can now view updated account information and conveniently use other online banking services such as online transfers and bill payments.

4.1. Transactional Level Security

This refers to the ability of two entities on the Internet to conduct a transaction privately and with authentication.

4.1.1. SSL (Secure Sockets Layer):

SSL provides encryption of all data transmitted between the client's computer and the e-bank server, which helps ensure privacy of the data and authentication of the session while preserving the integrity of the message. For SSL to operate, the client's web browser and the bank's web server have to use public key encryption and digital signatures to set up the interaction. By using cryptography, only the originating client and the target server will be able to decrypt the message. Thereby, the authenticity of the client's transaction is maintained. In other words, SSL secures the channel by providing end-to-end encryption of the data that is sent between a web client and a web server. SSL secures messages from tampering while they are transmitted from client to server. According to Ghosh, although an intermediary may be able to see the data in transmission, the encryption will scramble the data so that it cannot be interpreted. [8]

In SSL, there is a possibility that sensitive information like a credit card number can be exposed to the server. This might occur when the data resides on the web client's machine and on the web server's machine before it is encrypted and after it is encrypted.
For example, when information about a transaction is saved to a file on the hard disks of both the customer and the bank, it may be available for anyone to read by way of eavesdropping if the recipient's host system is insecure, or criminals may bypass the security provided by SSL and retrieve confidential information. However, by using a higher level of encryption bit, this can be avoided. But a hacker can still go into the exit and entry points.

[7] Ghosh Anup K, E-Commerce Security: Weak Links, Best Defenses, Wiley Computer Publishing, New York, 1998, 103-104.
[8] Ibid. 118

[Figure: Customer Computer, encrypted SSL session, External Firewall, Logon Screen (ID and Password), E-Bank Server, Internal Firewall, E-Bank Application Server, Customer Account Database]

It is important to check which server has been authenticated by the certification authority before sending any confidential information. There is a possibility that two different web sites registered with a Certification Authority (CA) may appear to be similar in name and address while advertising in the content of the web page. For example, a customer intending to visit maybank2u.com might visit maybank2u.org instead, and in the process there is a possibility that certain sensitive information like a password, user name or PIN number can be transmitted to an unintended person. The possibility of using a wrong web site is high when the session is established with authentication from the CA. [9]

4.1.2. Secure Electronic Transaction (SET):

SET is an open standard multi-party protocol for conducting secure bankcard payments over the Internet. SET requires a digital certificate, a certification authority to authenticate all parties in the transaction, and an electronic wallet to keep the credit card information in software on the customer's computer.
In SET, the credit card information is kept separate from the other information, and thereby the customer's privacy in the transaction is maintained. SET secures the transaction information, especially the credit card number, which is prone to fraud. SET uses public key cryptography algorithms to encrypt the credit card number so that only the credit card processing center is able to access it, and thereby the card number cannot be accessed by the merchants. [10]

A digital certificate is used to verify that a customer is authorized to use the credit card. The digital certificate contains the identity and the public key of the customer. The certificate is digitally signed by the financial institution. The certificate is offered by the customer to the merchant to verify the customer's identity. To sign digitally, the private key of the customer is used. This private key signature is verified by the merchant, who compares the signature with the consumer's public key that is stored in the digital certificate. [11]

Compared to SSL, SET is claimed to be more secure because SSL does not include a digital wallet (a customer certificate requiring special software). Since SSL is built into the browser, no special software is needed. However, SET did not spread as fast as expected because of its slow response and the need for a digital wallet to be installed on the customer's computer. In addition, SET users need to have a card reader attached to their PC. Due to the complex process, Malaysian banks offering e-banking use SSL instead of SET, with the exception of Maybank, which uses SET for corporate clients' transactions.

4.2. System Level Security:

The Malaysian banks use this security measure to help protect against corruption of service and to control user access to system resources.
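
The check described in section 4.1.1, comparing the site actually reached with the name the customer intended, can be sketched as follows. This is an added example, not code from the paper; the allowlist, the sample URLs and the function names are assumptions. A CA-validated session only shows that the certificate matches the name that was requested, so the comparison has to be made against the expected name.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the one site name the text gives for the bank.
EXPECTED_HOSTS = {"maybank2u.com"}

def hostname(url):
    """Lower-cased host of an absolute URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, expected=EXPECTED_HOSTS, max_typos=2):
    """Return 'expected', 'lookalike' or 'unrelated' for the URL's host."""
    host = hostname(url)
    if not host:
        return "unrelated"
    # The exact name, or a subdomain of it, is the site the customer meant.
    if any(host == good or host.endswith("." + good) for good in expected):
        return "expected"
    labels = host.split(".")
    for good in expected:
        brand = good.split(".")[0]  # "maybank2u"
        # Same name under another suffix, or reused as a leading label.
        if brand in labels:
            return "lookalike"
        # A label within a couple of keystrokes of the real name.
        if any(edit_distance(label, brand) <= max_typos for label in labels):
            return "lookalike"
    return "unrelated"

# Constructed sample URLs for illustration; not taken from real traffic.
SAMPLES = [
    "https://maybank2u.com/login",
    "https://www.maybank2u.com/",
    "https://maybank2u.org/login",
    "https://maybank2u.com.example.net/",
    "https://maybnak2u.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):10} {url}")
```

Internationalized (punycode) names are outside the scope of this example.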