SOLUTION TO ENHANCE SHINHANBANK’S INFORMATION SYSTEM SECURITY

The world has changed over the last few years, especially within banking. It processes – from retail transaction to market operation have been transformed by technology and continue to evolve. Today’ organization increasingly rely on the third party systems in order to provide many of their digital services. This opportunity has not escaped the attention of criminals, hackers and even nation states. This is problematic for the banking. Traditional approaches to risk management focused on a single malicious agent or single points of attack. So enhancing the information technology system security is very important and essential. Based on the knowledge got from university and working time at Shinhanbank Vietnam, this is a small research about this problem. We hope that this one will help us have a look at the information technology system security of banking.

MASTER OF BUSINESS ADMINISTRATION INFORMATION TECHNOLOGY FOR MANAGERS ASSIGNMENT

TOPIC:

SOLUTION TO ENHANCE SHINHANBANK’S INFORMATION SYSTEM SECURITY

We would like to express our sincere gratitude to Dr HUY NGUYEN who instructed, gave us

a chance and inspired us to do this project

We also would like to express our thanks to Shinhanbank Vietnam for helpful information and knowledge

With kindest regards,

CONTENT TABLE

OBJECTIVES 1

I DESCRIPTION ORGANISATION 2

Introduction about Shinhanbank 2

Shinhanbank’s information system 4

II GENERAL LITERATURE REVIEW ON INFORMATION SYSTEM SECURITY ……6

The concept of Information system 6

The concept of Information security 6

Overview of Information security in Shinhanbank 6

Purpose of Information Security 8

III DESCRIPTION ABOUT SOME IT SECURITY ATTACKS 7

Description 7

Impact 10

Reason 11

IV SOLUTION TO ENHANCE SHINHANBANK’S INFORMATION SYSTEM SECURITY 12

Training 12

Enhacing Awareness of Bnaker and Customer 12

3S Programme- Shinhan Security Solution……….14

CONCLUSION

REFERENCES

The world has changed over the last few years, especially within banking It processes – fromretail transaction to market operation have been transformed by technology and continue toevolve Today’ organization increasingly rely on the third party systems in order to provide many

of their digital services This opportunity has not escaped the attention of criminals, hackers andeven nation states

This is problematic for the banking Traditional approaches to risk management focused on asingle malicious agent or single points of attack So enhancing the information technology systemsecurity is very important and essential

Based on the knowledge got from university and working time at Shinhanbank Vietnam, this is a small research about this problem We hope that this one will help us have a look at the

information technology system security of banking

I DESCRIPTION ORGANISATION

Introduction about Shinhanbank

Shinhan Bank is a bank headquartered in Seoul, South Korea Historically it was the first bank inKorea, established under the name Hanseong Bank in 1897 The bank was reestablished in 1982

It is part of the Shinhan Financial Group, along with Jeju Bank Chohung Bank merged withShinhan Bank on April 1, 2006 Shinhanbank is a member of Shinhan Group- the first civilian-controlled financial holding company in Korea It has over 22,000 employess Now, it is a leading bank in South Korea and operates globally.

Image: Headquarter of Shinhanbank in Seoul, South Korea

In Vietnam, Shinhan Bank’s history can be traced back to 1993 when Shinhan Bank first opened the representative office in Ho Chi Minh City and became one of the pioneers to promote the formal diplomatic relations between Vietnam and Korea

SHINHAN BANK VIETNAM is headquartered at Empress Tower (138 - 142 Hai Ba Trung, DaKao Ward, Dist.1 and Ho Chi Minh City) During the past 20 years of sustainable endeavor inVietnam, SHINHAN BANK VIETNAM has always been trusted and chosen by Vietnamese andforeigners, domestic enterprises and foreign investors; including Korean community in Vietnam.

Up to now, Shinhan Bank Vietnam has 18 branches, transaction office in Ho Chi Minh City, HaNoi, Binh Duong, Dong Nai, Thai Nguyen, Vinh Phuc, Hai Phong and Bac Ninh In near future,Shinhan Bank Vietnam will continue expanding branch network to many provinces and cities inVietnam and constantly enhance service quality to best serve our dearest customers

Business Principles:

Core Value

Vision:

Mission:

Shinhanbank’s Information System

Internet Banking and mobile banking are online internet banking allowing customers to

perform banking transactions anywhere, anytime via their computer or mobile devices with aninternet connection You can inquiry and transact quickly and effectively

Call centre offers the following services and supports to customers: account information

inquiry, card deactivation/ lost card report, credit card inquiry and PIN change, registerreceived card and inquiry branch information

Online smart savings service and secured loan: Support customer auto money transfer toTerm Deposit account via Internet Banking or Mobile Banking and you can use your TimeDeposit at Shinhan Bank as collateral to receive your financialsupport immediately via InternetBanking/ Mobile Banking

Bill payment service and Topup service: Free signing up for Bill Payment service is the

easiest way to pay your bills: electric, telephone, cable, ADSL, air ticket, water and Top - up

service allows customer to directly top up on their mobile phone account or buying code card ofsome telecoms companies and other supplier companies, the amount that customer request to top

up of buying code card will be debited from their bank account

Card services: ATM, Debit card, Visa card for personal and corporate customer.

II GENERAL LITERATURE REVIEW ON INFORMATION SYSTEM SECURITY

The concept of information system

According to Efraim Turban, Linda Volonino (2011), an information system (IS) collects,processes, stores, analyses and distributes information for a specific purpose or objective Basicfunctions of an IS are input, processing, output and feedback The collection of computingsystems used by an organization is termed information technology IT refers to the technologicalside of an information system and is used interchangeably with information system

An IS uses computer technology and networks to perform some or all of its tasks It can be assmall as a smartphone with a software app that can snag tags to load a Website It may includeseveral thousand computers of various types, scanners,, printers and other devices connected todatabases via wired and wireless telecommunication networks

The concept of information security

According to Efraim Turban, Linda Volonino (2011), Information security is about risk to data,information systems, and network These incidents create business and legal risks, such as whenoperations are disrupted or privacy laws are violated IT risk management includes securingcorporate systems while ensuring their availability; planning for disaters recovery and businesscontinuity; complying with government regulations and license agreements; maintaining interalcontrols; and protecting the organization against an increasing array of threats such as viruses,worms, spyware and other forms of malware Managers have a fiduciary responsibility toprotectthe confidential data of the people and partners that they collect, store and share

Overview of Information Security in Shinhanbank

An administrative/ technical method or an action exercising such method in order to protectinformation from being damaged, manipulated or leaked during collecting, processing, storing,searching and transfering information.

Business controls, risk management and security governance: policies and objectives designed toenable a business to drive its business objectives into IT security processes through an integrated,

umbrella IT security management system.

Security management, monitoring and auditing: enabling proactive sense and response tovulnerabilities, threat events, forensic analysis of security breaches that do occur and auditing forregulatory compliance and other business purposes

A series of action to securely protect/manange information asset (all kinds of tangible/intangibleassets including information, IT devices and facilities of an organization that deserves anyprotection) such as network, system (server, PC ), H/W and S/W, DB, communication andfacilities against any internal or external threats

Information flow: most of employees inquire CIF info, and use it on their PC or other peripherals

in various way Most of operational information including “Confidential” is stored in an

cooperation with external companies and sharing of internal and external information via a fileserver is growing.

Purpose of Information Security

What is the goal of Security ?

To create the most secure system?

To implement the safest IT

- To protect tangible/intangibleassests ( IT devices, facilities )from any threats and tosecurely manage them

- To avoid any damage to acorporate image and tominimize possible lossin case

of an incident

II DESCRIPTION ABOUT SOME IT SECURITY ATTACKS

The first case

On 20 March 2013, Shinhanbank suffered from frozen computer terminals in a suspected act

of cyberwarfare ATMs and mobile payments were also affected The South Koreancommunications watchdog raised their alert level on cyber-attacks to three on a scale offive North Korea has been blamed for similar attacks in 2009 and 2011 and was suspected oflaunching this attack as well South Korean officials linked the incident to a Chinese IP address,which increased suspicion of North Korea as intelligence experts believe that North Korearoutinely uses Chinese computer addresses to hide its cyber-attacks

Image: ATM system did not operate

Malware related to the attack is called "DarkSeoul" in the computer world and was first identified

in 2012 The Financial Services Commission of South Korea said that Shinhan Bank reported

of Shinhanbank) reported that operations at some of their branches had been paralyzed aftercomputers were infected with viruses and their files erased

Hackers temporarily shut down computer networks at banks in the biggest cyber attack on thenation in two years, prompting a probe into possible links with North Korea Governmentadministration set up a cyber crisis group to investigate whether North Korea is responsible.Computer shutdowns hit companies including Shinhan Bank, Nonghyup Bank, MunhwaBroadcasting Corp., YTN and Korea Broadcasting System Cyber attacks are much easierweapons for North Korea as they cost far less than missiles or nuclear tests, but they can sendmore people into a real panic Furthermore, they can do it at any time without worrying aboutinternational sanctions

Disruption to networks at Shinhan Bank and Cheju Bank began around 2.20pm Malware codewas distributed through targeted organizations’ servers, destroying their computers’ ability toboot This is the biggest and most serious cyber attack in two years There haven’t beensimultaneous attacks on more than one target since 2011

All transactions at Shinhan Bank stalled 2 pm afternoon Transactions through Internet andmobile banking were affected a part.Operations at the bank were back to normal later in theafternoon South Korea blamed North Korea for an attack on about 40 websites in 2011 TheSouth also blamed the North for an attack on some banks a month later that kept almost 20million clients from using automated teller machines and online banking services

Image : The computers were frozen during the attacks

The second case

In August 2016, some emails with malicious code were sent to officer’s email in ShinhanbankVietnam Information technology department of headquarter reminded officer not to open thatemail But some staffs did not note and opened email The hackers used email attatchments toattack the bank internal network This one made some computers been infected malicious ITdepartment closed banking software in 15 minutes to solve Fortunately, transaction time ofShinhanbank Vietnam starts from 8.30 am This one did not affect to transaction of customers butATM system also did not operate in 15 minutes

In January 2017, a customer of Shinhanbank Vietnam – Bien Hoa Branch reflect to the bankabout losing 5 millions VND in account suddently, although he had not made any transactions.When banker checked statement, they saw a money tranfer by internetbanking But this customerinsisted that he never made that transaction He said that when the bank gave him a security cardwith numbers to make internetbanking transaction He used iphone to take a photograph ofsecurity card and destroy this card Internetbanking tranfer need to have username, password andsecurity numbers on the card He often lend other his iphone to use The bank cancelled the oldsecurity card and supply for him a new one.

Image: Security card of Shinhanbank

Impact

Attacking to information technology system of a bank will affect so much to operation of thatbank and lose customer’s belief because a bank is an organization to trade special goods –MONEY The reputation and image of a bank are very important These one are impacted bypublic communication and social networks.

Attacks to Shinhanbank made staff’s computer shut down ATM, mobile banking,internetbanking was affected All systems were paralysed although only in several hours Thisone affected to transactions of customers and partners The bank will lose some customers to goanother bank

Shinhankbank is a global bank Attack in 2013, South Korean stocks tumbled, with the KospiIndex losing 1%, compared with a 0.1% drop in the MSCI Asia Pacific Excluding Japan Index

The won slid 0.5% to 1,116.30 per dollar in Seoul, according to data compiled by Bloomberg.

The yield on South Korea’s 2.75% bonds due December 2015 rose one basis point to 2.60%,according to prices from Korea Exchange Inc

Reason

Information security management is crucial and vital in banking operations In attacks toShinhanbank, malware and malicious codes are frequently used by hackers to attack computerand software system of the bank The central processing system of banking could not react timelywhen be attacked Additionly, the frequency upgrades Corebanking system is also a chance forhackers to seize to attack They make banking system be paralysed and not to operate in a shorttime Lacking of awareness or consideration of some staffs is one of the main reason for hackerstaking advantages of to attack to banking information technology system Attackers usually sendattachments emails with malicious code or send linking lines and ask staffs/ customers to submit

The quality level of staffs remains limitation Therefore, they can not adapt or follow moderntechnology.

Customers have not enough knowledge and skills to protect their information So, they often areeasy to lose basic information to prevent risks Hackers and criminal are very sophisticated toattack internetbanking system or transaction manipulation of customers Customers have to becautious to protect themselves

IV SOLUTION TO ENHANCE SHINHANBANK’S INFORMATION SYSTEM

SECURITY

Training

Training is one of the essential and importan solution to protec information technology systemsecurity The bank’s officer always have to learn by heart about keeping the information secret ofthe bank and customers They can not been disclosure

Processing, removing all information in document or file related to customers have a closedcycle Information/ documents being printed from banking information system are not allowed to

go out the bank

The bank should promulgate the moral standards the behavioral rules for staff to comply If there

is any violations related to information technology system security, we need to have suitabledisciplines

If there are any incidients to happen, staffs should contact to IT department to solve Whenspecialists will prevent information leak to protect our banking system

Enhancing Awarenss of Banker and Customer

Human element plays an important role in establishing and development of any organization Abank want to protect information technology system need to focus its staffs Investing oninfrastructue, upgrading banking information system and applying technology advances are