Chapter One: Introduction
The banking industry has developed more rapidly in the last three decades than in the centuries following its creation.
Up until the 1970s, transactions had to be made in person, and payments could be made in cash, by check or by credit card. At the end of the 70s, the debit card was invented, but it was not until the mid-eighties (Lambert, 2009) that it started to become popular.
The main advantage of the debit card over its counterparts, the check, the credit card and cash, was that the money of a transaction would be electronically and immediately deducted from the buyer's account and put into the seller's, and the buyer did not need to carry large amounts of cash to make purchases. In addition, if a person did require cash to make a purchase, they could go to the closest Automatic Teller Machine (ATM) and get it without having to go directly to their bank.
With the development of the internet, the next logical step was to make online transactions possible and, as a matter of fact, that became a great priority for the banking industry. So much so that nowadays most people perform their banking transactions online instead of in person, as they used to do until maybe 5 or 10 years ago. They do not need to go to the bank anymore, unless it is for something that requires their physical presence there, like the signature of a contract. Other than that, most people just go online and pay their bills, check their balances, make purchases and even transfer money from their account into other accounts.
Along with the banking industry, the industry of the thieves has been developing as well. A few hundred years ago, the best method to rob a bank was to go into one, armed, threaten the cashier and run away with the cash. Today, the boom of electronic transactions has developed the thieving industry too, and thieves now use software and technology to rob banks and other institutions: welcome to the age of electronic transactions!
Obviously, the third industry to develop on this chain has been security. As long as there are banks, there will be robbers; as long as there are robbers, there will be security present to avoid the thefts and stop the delinquents.
As expected, the security industry has developed as well, and has entered the technology age, too. In other words, we have e-banking, e-delinquency and e-security.
What is E-Security?
According to Webopedia.com (Webopedia, 2010), it refers to techniques to make sure that the information inside a computer and/or a server is not read or accessed by unauthorized people. It usually involves the use of data encryption and passwords to restrict access. Data encryption means translating the data into a language that needs to be deciphered, and a password is, as its name implies, a special word or code that will allow the user to "pass" and be admitted to the next screen or next step of a process.
In the case of electronic transactions, the security takes a deeper meaning, since it will protect not only information, but assets as well. Banks especially need to take very good care of their software systems, to keep one step ahead of the delinquency and avoid attacks on any electronic front.
Since almost all banks today allow their users to handle their money and their transactions electronically, it is their responsibility to assure their customers that their money is safe and available at all times. The main idea to keep in mind is that the better the service, the more vulnerable it is. Every time a bank opens a communication line with its customers, it is also opening a window of opportunity for the delinquents.
Therefore, and for authentication purposes, not only banks but most online commercial establishments have deployed a series of firewalls to protect their data and their investments, as well as their customers'.
As their name implies, firewalls are walls that protect the inside from the outside and vice versa: in the case of computers and software, they protect the user or the company from outside attacks and prevent information from getting out. They are designed to block unwanted visitors, while allowing authorized access to the individuals or institutions that have the corresponding certificates. As they also control the outgoing traffic, they can block messages and information that are being sent out of the network (Robertson, PD, 2009).
Depending on the type of security required, the firewall should be more or less restrictive. In the case of banks, restriction is the main word: inside information should remain inside, and the available data should only be available to its corresponding owner, namely balances, transactions and other activities of an account that only the owner of the account should have access to.
Cookies are small text files containing specific information that are sent out by web servers and stored on the user's computer. They are not executable, therefore they cannot be viruses, but they can be used by delinquents as spyware, because they can be used to track users and violate their privacy (Webopedia, 2010). Although they can be used against the rights of the users, cookies are very helpful tools in helping systems identify each other, and many times, if they are blocked, websites stop working correctly.
In other words, cookies are both a blessing and a curse. They simplify the processes of e-commerce, for example, because they are what allows the server to remember the user's information when making purchases. They also allow faster loading of web pages: when the server recognizes the presence of a cookie, the page will load much faster than when the information has to be sent along with the request for the first time.
On the other hand, their capacity for spying on the internet movements of a user may cause a privacy issue: not many people are interested in letting the rest of the world know what pages they visit and when.
Chapter Two: Literature Review
As the aim of this research is to study the risk control strategies in E-banking, this chapter will review the relevant concepts and theories relating to E-banking and Risk Control.
In its most basic form, E-banking means the presence of a bank on the World Wide Web (www), via a website (Shah M, Clarke S, 2009). But it does not only involve the presence of the bank; it may also include the kind of services that the bank provides to its customers online, such as transactions, balance review and payments, whether those customers are individuals or businesses.
When a bank is open for business on the web, its level of responsibility towards the customer increases. It is now required to be able to provide information and services all the time, in real time and with the utmost security.
Most banks are eager to offer internet access to their customers, because this distribution channel has a relatively low delivery cost, increases sales and has the potential of offering much more convenience to the clients (Shah M, Clarke S, 2009).
The importance of E-banking is in the wide variety of services that can be opened to the public in one easy channel. On one hand, the quality of customer service increases, because the customer will always be "the first in line" while online. No wait; no waste of time; no annoying line (Shah M, Clarke S, 2009). On the other, in contrast to a branch office, the online office is always available, 24/7, every day of the year. In addition, thanks to today's technology it can be accessed not only from a computer, but also from a cellular phone and other kinds of digital devices.
Another great advantage, on the bank's side, is the attraction of high-value customers. The technological advances attract customers with higher income and education level, and that subsequently increases the bank's revenue. These customers have a higher demand for online channels and prefer the availability of the internet to going in person to a branch office (Shah M, Clarke S, 2009).
Since E-banking is just one form of E-Commerce, it is necessary to explain the development of E-commerce and its influence on the existence of E-banking.
E-commerce started as an online way to buy and sell services and products via the internet or other electronic channels such as Electronic Data Interchange (EDI). Kalakota and Whinston (1997) have published a broad definition of E-commerce from the following perspectives:
Communication: E-commerce allows the interchange of products and services and their payments through electronic media such as telephone (landline or mobile) and computer (internet).
Business Process: E-commerce is the application of technology towards the automation of business transactions and workflow.
Service: E-commerce is a tool that helps companies and consumers reduce service costs while at the same time allowing the quality of goods to improve and delivery to be much faster.
Online: E-commerce allows the possibility of purchasing and selling products, services and information online, through the internet and other electronic channels such as EDI.
Potential advantages for the companies:
Different and arguably lower barriers to enter;
Opportunities for significant cost reduction;
The capacity to rapidly re-engineer the business processes;
Greater opportunities to sell across borders;
Potential benefits for the consumers:
Better value for money obtained through greater competition;
Better tools to manage and compare information;
Considering the above, why would the banking industry not take advantage of all these benefits for both sides?
E-banking provides the banking industry with the same benefits E-commerce provides companies: it allows the gathering of personalized data on the customers, which leads to customisation, and this in turn leads to the creation of specific products or services for each customer, based on his or her needs (Shah M, Clarke S, 2009).
In addition, personalized service generates customer loyalty, since they will prefer to return to where their needs are met faster and more efficiently.
2.2. Risk Control
Implementing adequate measures to reduce the risk of problems is what is called Risk Control. In other words, problems, disasters and emergencies can be prevented and controlled, but never completely avoided.
On the internet, security is a very important subject nowadays, because what started as a network of researchers and geeks has become, in the last decade and a half, one of the most important tools of communication, entertainment and business (Cheswick W.R., Bellovin S.M. and Rubin A.D., 2003).
According to Cheswick W.R., Bellovin S.M. and Rubin A.D. (2003): "The Internet is a large city, not a series of small towns. Anyone can use it and use it nearly anonymously. The Internet is a bad neighbourhood."
No internet system is 100% secure, and even banks do not have perfect security: they are liable to be robbed, defrauded or embezzled if they let their guard down. And because the internet is basically new, most security measures have been reactions to a negative event. Unfortunately, since security is always a matter of economics, the level of safety will be related to the investment made in it (Cheswick W.R., Bellovin S.M. and Rubin A.D., 2003).
Overlap and redundancy in programs are usually the first things a student is taught to get rid of. In security, the objective is the precise opposite: every security measure should have a back-up, in case it is attacked and defeated. In addition, security measures should be included from the first design of a system, whether it is software or hardware. If the security is added later, the risk of holes is greater. Nonetheless, security also has to be painless for the user: if measures cause inconvenience, users themselves may try to get around them and render them ineffective (Cheswick W.R., Bellovin S.M. and Rubin A.D., 2003).
There is a saying that "a chain is as strong as its weakest link". Applied to internet security, it means that all systems have to be analysed for weaknesses and, if any are found, those spots have to be reinforced to make the system as secure as possible.
In addition, not only are the systems susceptible to security risks; one of the biggest risks is the users themselves. A company may have the latest technology in firewalls and protections, but if the network is attacked from the inside, there is no protection available. The users have to be well trained and made aware of the fact that the system's security does not rely only on the software or the hardware, but is in their hands as well (Cheswick W.R., Bellovin S.M. and Rubin A.D., 2003).
2.3. Risk Management Strategies
Especially in the banking industry, the rapid development of technology has made the union of retail banking services and the internet almost a requirement. Any bank that is not online is considered by the newer generations as non-existent, and this new field is one that no bank wants to leave unattended, as it has a growing customer base. Unfortunately, on the other hand, the unexpected speed of adoption of new technologies and the global nature of online and electronic networks hugely increase the risks taken by the banking industry, especially since most of the time the integration of their e-banking platforms with legacy systems depends on third-party information service providers (Ramakrishnan, 2001).
The types of access given by the banks to online customers are divided into three basic forms (Ramakrishnan, 2001):
Informational: this is low risk for both the bank and the customer, as it refers to the basic "brochure" information that the bank provides on the home page of the site and on the pages dedicated to the description of the bank's services and advantages.
Communicative: refers to the account-related information that the customer has access to, such as addresses, statistics, statements, etc. These sessions carry material risk for the bank, because the customer is permitted access to the bank's main system.
Transactional: means that the customer may not only access information on his or her account, but is also able to make financial transactions, such as payments, transfers and even stock trading. This access carries the highest risk, especially if the customer is the kind of person that does not visit the branches regularly, but prefers online access to his or her account.
Internet banking by itself does not create a new kind of risk; it increases the existing ones that any financial institution faces by default. They are briefly described as follows:
Strategic Risk: Potential and possible risk to earnings and capital that may be caused by negative business decisions or their inadequate implementation. Sometimes senior management does not fully understand the strategic and technical aspects of Internet banking and, driven by competitiveness and peer pressure, banking institutions may try to introduce or extend their internet banking without making an informed decision based on cost-benefit analysis. The skills necessary to manage the internet banking resources adequately may not be present in the organization's structure (Ramakrishnan, 2001).
Transaction Risk: Potential and possible risk to earnings and capital that may be caused by fraud, error, negligence and/or the inability to maintain the expected service levels. Internet banking products require highly sophisticated internal controls and total availability; therefore they generate a high level of transaction risk. Most internet banking services are built on new platforms that use complicated interfaces to link with their corresponding legacy systems; for this reason they increase transaction errors. The systems also need nonrepudiation of transactions and assurance of data integrity. In addition, third-party providers also increase the transaction risks, because the organizations do not have total control over a third party (Ramakrishnan, 2001).
Compliance Risks: This is the risk to earnings or capital that may be caused by violations of (or non-conformance with) laws, regulations and/or ethical standards. Loss of reputation, real monetary loss and a reduction of business opportunities may be caused by compliance risk. It is of great importance that the banks completely understand and interpret the existing laws of their environment that apply to internet banking, and ensure the same consistency with any other channels, such as branch banking. When the customer, the bank and/or the transactions are located in more than one country or even continent, the risks are amplified due to conflicting laws, tax procedures and reporting requirements that differ across jurisdictions and regulations. The customer's data has to be kept private and the customer's consent has to be obtained before the banking institution shares the information, which may also become a compliance risk. Most people are not only concerned but even paranoid about the privacy of their data, and for that reason the banks need to be seen and considered reliable keepers of such data. Finally, the customer's need to perform transactions in real time (straight-through processing) may cause banks to relax their traditional controls, which may also cause compliance risk.
Reputation Risks: Potential and possible risk to earnings and capital that may be caused by negative public opinion. A bank's reputation can be damaged by Internet banking services that are poorly executed (e.g., limited availability, buggy software, poor response). Customers are more demanding, and therefore the expectations for the performance of online services are greater. In addition, hypertext links from a bank's site to other sites may be read as an implicit endorsement of those sites, without the bank's consent, knowledge or approval, especially if the linked site is disreputable (Ramakrishnan, 2001).
Information Security Risks: This risk is especially critical, because it is based on the rapid change of technology. The internet channel is universally accessible and lax information security processes may leave the institutions exposed to malicious attacks from hackers or even insiders, as well as viruses, data theft and destruction, fraud and denial-of-service attacks (Ramakrishnan, 2001).
Credit Risks: This is the risk the bank faces from the customer's failure to meet his or her financial obligations. Customers may apply for credit cards or any other type of credit via internet banking, and from anywhere in the world. The institutions may have a very hard time verifying not only the real location but the real identity of the customers when offering instant internet credit. In addition, the verification of collateral and the perfection of security agreements would also be very complicated. Furthermore, with international customers there may be questions about which country's jurisdiction will apply to the transactions (Ramakrishnan, 2001).
Interest Rate Risks: This risk may be caused by fluctuations in interest rates, for example how interest rate differentials between assets and liabilities are affected by interest rate changes. Larger numbers of customers are attracted to take loans and make deposits through internet banking. But because it is easier today to compare rates across banks, the institutions feel greater pressure to react quickly to the changing rates in the market, in order to keep theirs more attractive to the customers (Ramakrishnan, 2001).
Liquidity Risks: The bank's inability to meet its obligations may cause this risk to earnings and/or capital. Internet banking increases the volatility of deposits and assets, especially from the kind of customers who maintain accounts solely because they are getting better rates. These customers tend to close the account or simply withdraw their funds if they get a slightly better rate anywhere else (Ramakrishnan, 2001).
Price Risks: Changes in the value of traded portfolios or financial instruments may cause this risk. If the banks create or increase their deposit brokering, loan sales or securitization programs, they could be exposed to price risk as a result of their internet banking activities (Ramakrishnan, 2001).
Foreign Exchange Risks: This risk arises when assets in one currency are funded by liabilities in another. Residents of foreign countries may feel encouraged to transact in different domestic currencies. Some customers may even take speculative positions in various currencies, thanks to the ease and lower cost of the transactions. Foreign exchange risk is increased by higher holdings and transactions in nondomestic currencies (Ramakrishnan, 2001).
As shown by these potential risks of internet banking, the responsibility for them should not be placed on the shoulders of the bank's IT personnel, but on upper management, as they should be considered like any other kind of risk faced in the financial industry and not as technical risks just because they occur online or because of the internet access given to the customers.
For this, specific accountability, policies and controls should be established effectively by senior management to develop adequate management control over the risks associated with any e-banking activities. In addition, and considering that ambiguity creates weaknesses that may be taken advantage of, they should also set specific objectives for their internet banking, focusing on matters such as revenue, profit, transaction cost and service level.
Key delegations and reporting mechanisms should be established by senior management, thereby setting the tone in risk management. They should also set up a formal risk assessment process in the organization, defining who is responsible for what and/or what they are involved in regarding risk identification and mitigation. Furthermore, they should ensure that on-going due diligence and risk analyses are performed when the bank begins or increases its Internet banking activities.
In addition, one of the most important aspects on which management has to concentrate is the security controls involved with the internet access granted to customers. The main aspects are:
Authentication: To make sure that the identities of the customers are established and verified before allowing them to conduct business over the internet. Some ways to provide this assurance are passwords, biometric methods, challenge-response systems and public key infrastructure (PKI), among others. However, there is a growing tendency towards applications that allow single sign-on, which means that through only one ID the customer is able to access his entire relationship with the bank. This facilitates the process for the client, but the risk of compromise is increased, and it has to be considered a main security risk (Ramakrishnan, 2001).
Nonrepudiation: This means making sure that customers who make internet transactions cannot later deny to the bank having originated those transactions. Using techniques such as PKI and digital certificates, strong nonrepudiation can be achieved (Ramakrishnan, 2001).
To diminish the chance of data integrity loss, the banks should develop clear audit trails of e-banking transactions, records and information. Furthermore, the security controls in the banks should be made stronger, to make sure that the privacy and the integrity of the customer's information are preserved. The most common methods available are firewalls, ethical hacking tests and physical and logical access controls.
Another point that has to be considered about risk management is the management of legal and reputational risk, which is described as follows:
Availability: Business continuity and contingency planning processes should be put in place by the banks, in order to make sure the availability of their internet banking services is continuous. This is not an easy feat, especially considering the potential for high transaction volume and the demand for 24/7 availability (Ramakrishnan, 2001).
Incident response: Internal and external attacks may cause great trouble, and for that reason appropriate incident response plans should be formulated by the banks, to detect, manage, contain and minimize these events. Escalation paths should be totally clear, as well as a documented chain of command and the establishment of a communication strategy both for customers and the press. In addition, collecting and preserving forensic evidence in the case of a successful attack should be a documented process. This forensic evidence will be very useful in the event the case goes to court and criminal charges are presented (Ramakrishnan, 2001).
The risks created by Internet banking are not limited to the information security areas: they distribute themselves across all the traditional banking areas as well. Senior management should direct risk management for Internet banking and incorporate it into the risk management procedures already present in the institution. These controlling processes need to be kept up to date to avoid problems due to the speedy changes in technology.
2.4. Case Studies
Case Studies are a form of quality research that allows the researcher to explore individuals or organizations, simple through complex interventions, relationships, communities, or programs (Yin, 2003), and supports the deconstruction and subsequent reconstruction of various phenomena.
People who disagree with the case study method consider that it offers no real grounds for establishing the reliability or generality of findings, due to the small number of cases studied. Others believe that because the researchers are intensely exposed to the cases, their findings are biased. Some other people disregard research in the form of case studies, arguing that their usefulness is only as a tool for exploration (Baxter, 2008).
Nonetheless, researchers will continue to use the case study as a research method, one that is successful when studies of real-life situations, issues and problems are carefully planned and crafted. For many years, a large literature of case study reports has been available in many subjects and disciplines.
Others define the case study as a research strategy that studies events in their real-life context through empirical enquiry (Lamnek, 2005). Case study research means that single and multiple case studies can include quantitative evidence; they rely on multiple sources of evidence and take advantage of earlier theories and proposals. Many people confuse case studies with qualitative research, but the former may be a mix of both quantitative and qualitative information, while the latter, as its name implies, is based solely on qualitative evidence. Research on single subjects may produce statistical references that can be used to interpret the data of a quantitative case study. The statement "The case study is a research approach, situated between concrete data taking techniques and methodological paradigms." (Lamnek, 2005) is a great description.
2.4.1. Subject of a Case Study
The subject of a Case Study may be a person, a company, an organization, an industry, etc. There is an unlimited range of subjects, as they depend entirely on the matter of study. It depends on the researcher how specific the subject will be, taking into account the availability of information regarding that subject.
Since for this dissertation the subject chosen is the HSBC, the researcher contacted the bank directly by mail to find out some information and therefore all the data below was extracted from links on their websites, provided by them in response to the request.
2.4.2. History of the Hongkong and Shanghai Banking Corporation (HSBC)
HSBC Holdings plc was formed in 1991, is headquartered in London and is one of the largest financial and banking organizations in the world, with more than 10,000 offices in 83 countries and territories all over the planet, hence its famous slogan "The World's Local Bank" (HSBC, 2008).
This is all possible because its member companies are mostly over 100 years old and have great experience both in their local and international markets, as will be described next.
The first offices of the Hongkong and Shanghai Banking Company Limited were opened to the public in 1865, in Hong Kong (March), Shanghai (April) and London (July), to offer traders financing opportunities between China and Europe (HSBC, 2008), because until that time transactions in Hong Kong were being handled by trading houses in the absence of established banks.
Although Hong Kong was part of the British Colonies, the bank wanted to remain under local ownership and management, which required a special ordinance from the Treasury in London, because otherwise it would have required a London headquarters. Under such Ordinance, the bank was still allowed to issue banknotes and hold government funds (as a matter of fact, even today HSBC issues banknotes in Hong Kong in the name of the Treasury, and these notes have the bank's name and logo printed on them). In addition, it contributed to the change of the bank's name, in December 1866, to the one it still holds today: Hongkong and Shanghai Banking Corporation (HSBC, 2008). Thereafter, the bank's statutory framework remained basically unchanged until 1989, when registration under the Hong Kong Companies Ordinance was completed.
The bank then initiated its expansion, with Asia as its main focus. It opened its first branch office in Japan in 1866, and acted as an adviser to the government on currency and banking. HSBC was the first bank to be established in Thailand in 1888, and there it issued the country's first banknotes (HSBC, 2008). By 1900, the bank had extended its network to other countries such as India, Singapore and the Philippines, and even to some cities in what are now Malaysia, Myanmar, Sri Lanka and Vietnam.
The Hongkong and Shanghai Banking Corporation's international reputation in the late 19th and early 20th centuries owed much to its achievements in government finance and the issue of banknotes in many Asian countries. It took advantage of this reputation to continue its expansion beyond Asia, entering the markets of Europe and North America and also expanding its business base.
By the end of the 20th and beginning of the 21st centuries, the bank was present in almost every country in the world, providing services that go well beyond simple banking, such as investment, insurance, personal, corporate and business banking, services which have made the bank one of the strongest in the world.
All this growth and development has required the bank to stay on top of the technological developments in the financial industry and to become one of the leaders in that field. Globalization has been the root of the bank's technological development, since people and businesses all over the world now want to have access to their accounts from wherever they are, whenever they want. Online banking has developed at a giant pace, and its security has been the main goal of the bank.
2.4.3. What the HSBC does to provide internet security:
For today's transactions, the bank provides its customers with information and secure channels to make them as safe as possible. As mentioned before, the safety of online transactions is in the hands of both the provider and the customer, since no internet system is 100% safe; therefore the following are some of the steps HSBC takes in order to help its customers (HSBC, 2010):
Security Device: For its customers, HSBC provides a Security Device, which generates a random pass-number for access to the internet accounts. It does not require a third party to generate the code, and it is independent of capacity issues, signal availability or the geographical location of the customer. The Security Device is also very small, light and portable. It can be used on any computer with internet access, and it does not require downloads, set-ups, system adjustments, etc.
SMS Notifications: Whenever there has been a movement on an account, the customer will receive a SMS notification on his or her mobile phone. That way the customer may keep track of the transactions and / or denounce it, if it happens to be fraudulent.
Secure Sessions: the bank's website always generates secure session screens, which are not saved on the computer's temporal files. These screens are on use only during the transaction and once the customer closes it, it cannot be accessed again. In addition, the sessions are timed, so it the account remains inactive for a certain period of time, it will automatically log off, to protect the customer's information.
Encryption: 128-bit SSL (Secure Sockets Layer) Encryption technology is used within every Internet Banking session to encrypt the customer's personal information before it leaves their computer in order to ensure no one else can read it. Any email service within Internet Banking is similarly protected with encryption technology.
In addition to the technology the bank uses to secure online transactions, it dedicates complete pages of its sites to advising customers on how to make their sessions safer as well (HSBC, 2010). The advice includes tips such as the following:
Handling of Passwords: passwords should not be easy to guess or be personal words; customers are advised to avoid names, birthdays, phone numbers, ID numbers, etc. They should be easy to remember but hard to guess, and they should combine letters and numbers in upper and lower case. They should be kept confidential and not disclosed to anybody, not even to people claiming to work for the bank, since HSBC states that none of its staff will ever ask for a customer's password. In addition, it is recommended that they be changed regularly.
Online Banking Sessions: HSBC recommends that its customers connect from a secure location, preferably not from a shared computer and definitely not from a cyber-café. It suggests that customers make sure all other internet sessions are closed and that they do not open additional sessions during their banking session. In addition, it reminds customers that they should always close the window of their session and log off on the main screen, so that nobody else can use their account information.
Additional tips: the bank also offers safety tips such as using good antivirus software and a firewall to protect the computer; making sure nobody is looking at the screen during banking transactions; never leaving the computer unattended with a banking session open; never disclosing personal security details, such as PINs and passwords, to anybody; using different PINs for different websites; and never writing PINs down or choosing ones that are easy to guess.
Overall, according to its websites, HSBC makes great efforts to protect its customers' information and finances, to make sure both the bank and its customers are safe from external attacks. Nonetheless, as stated before, no system is 100% safe and HSBC is no exception. The next section describes occasions on which the bank's security has been compromised.
2.4.4. Available information about failures
In the last few years, there have been some documented and, unfortunately, widely publicized events in which HSBC's websites and systems have not been shown in a good light.
The following is a description of the two most recent and most publicized attacks on HSBC's security:
At the beginning of March, it was made public that important private data was stolen from the HSBC databases in Switzerland (Jordans, 2010).
According to the report, this theft may expose many international customers of the bank to prosecution for tax evasion in their own countries, since Swiss accounts are normally confidential.
According to the French authorities, the person responsible was identified as Herve Falciani, a former employee of the Swiss subsidiary, HSBC Private Bank (Suisse) S.A. The information stolen corresponded to accounts opened before 2006 and, although over 9,000 of them have since been closed, the rest remain open today (Jordans, 2010). This means that the privileged information of over 15,000 private and personal accounts has been compromised.
The authorities have stated that the former employee will be prosecuted, and the bank has stated that the affected customers do not have to worry about their data being misused or about any unauthorized person accessing their accounts. It was also confirmed that this theft affected only Swiss accounts, not accounts anywhere else in the world.
The main fear in this case, however, is that the information may be offered or even sold to foreign countries to track down nationals who are hiding money in Switzerland to avoid paying taxes.
The data was recovered by the French authorities and given to the Swiss authorities to be returned to the bank, but both the Swiss and the French authorities have kept copies of it. It is not clear, though, whether France intends to use the data to prosecute tax evaders.
The other situation, and probably the more dangerous one, was the hack of a website belonging to HSBC France (Constantin, 2009). In this case, a simple SQL injection vulnerability led to a full server compromise. Not only was the hacker able to read all of the databases, but he also reached the whole file system of the web server.
The main machine for the site ran Windows Server, with Microsoft SQL Server (MSSQL) as the database backend. A screenshot was published of the root folders on all partitions, showing that the directory E:\Backup\ contained .bak files corresponding to the backups of all the databases.
The passwords for the administrative accounts were stored in readable (plain text) form, which is a very risky way of handling them, since it is one of the easiest ways for an attacker who reaches the database to take over the accounts, according to Gunter Ollmann, research vice-president at Damballa and former Chief Security Strategist at IBM Internet Security Systems.
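The HSBC France report describes two defects together: a query built from user input, and administrative passwords kept readable in the database. The following is an added example, not the code from the compromised site or from the article, that reproduces both in miniature. It uses SQLite in memory as a stand-in for the MSSQL backend the page mentions (the SQL shown is portable), with a constructed two-user table and made-up passwords. `login_vulnerable` concatenates the user's input into the query, so a comment sequence logs in as admin and a UNION reads the stored password out of the same table; `login_safe` uses a parameterized query and stores only a salted PBKDF2 hash, which is the usual hardening rather than anything the page says HSBC did. All names in the block are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample users; the passwords are made up for this example.
SAMPLE_USERS = [("admin", "Winter2009!"), ("alice", "correct horse")]


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the hardened way to store a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the MSSQL backend. The `password` column holds the
    readable password, as on the compromised server; `salt`/`pw_hash` hold what
    a hardened design would store instead (a real table would keep only those)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        con.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                    (name, pw, salt, hash_pw(pw, salt)))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """Builds the SQL by string concatenation: whatever the user types becomes
    part of the statement. This is the SQL injection flaw."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{pw}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, name: str, pw: str) -> Optional[str]:
    """Parameterized query: the name is sent as data and never parsed as SQL.
    The password is checked against a salted hash, so even a dump of the
    table does not reveal it."""
    row = con.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    return name if hmac.compare_digest(hash_pw(pw, salt), stored) else None


# Payloads of the kind that turn a login field into a database dump.
BYPASS = "admin' --"   # '--' comments out the password check
DUMP = "x' UNION SELECT password FROM users WHERE name = 'admin' --"  # reads the readable password

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, bypass  :", login_vulnerable(con, BYPASS, "anything"))
    print("vulnerable, dump    :", login_vulnerable(con, DUMP, ""))
    print("safe, bypass        :", login_safe(con, BYPASS, "anything"))
    print("safe, real password :", login_safe(con, "admin", "Winter2009!"))
```

The DUMP payload is the point Ollmann makes: injection alone gives an attacker the rows, but readable passwords in those rows give them the administrative accounts as well. With the hashed column the same dump yields only salted hashes that still have to be cracked one by one.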
These two publicized events show that HSBC is not invulnerable to attacks. As a matter of fact, the bank presents a huge target, considering that it is one of the biggest and most important financial institutions in the world, is located in almost every country and has thousands of employees.
The first situation shows that technology may not protect the bank and its information from internal attacks: when it is an employee who uses their own passwords and system authorizations to commit a crime, it is very hard to stop them and sometimes even harder to catch them. The second, though, was an external attack in which a flaw in the web application itself (the SQL injection) was found and taken advantage of; such an attack travels over the ordinary web traffic that the firewall is configured to allow, so the firewall is no protection against it.
This dissertation will develop the case study on HSBC supported by a statistical survey.
Surveys are normally used to collect quantitative information about items in a group of people, sometimes a specific group, but not necessarily so. Political polls and research in government, health, social science and marketing often take advantage of surveys of human populations and institutions. Depending on their purpose, surveys may focus on opinions or on factual information, and they may involve asking questions of individuals. A structured interview, or researcher-administered survey, is one in which the researcher manages the questions. When it is the other way around and the respondent manages the questions, the survey is referred to as a questionnaire or a self-administered survey (Ornstein, 1989).
For the specific case of this research, the survey on chapter four will be a structured interview, since the researcher is sending the specific questions to the respondents or interviewees.
As expected, the use of surveys has many advantages and disadvantages, some of which are described as follows (Groves, 1998):
They are an efficient way to collect information from a large number of interviewees, which makes bigger samples possible; statistical techniques may then be used to establish validity, reliability and statistical significance.
They are flexible and therefore may be used to collect a wide range of information, such as values, attitudes, beliefs and past behaviours.
Errors are easier to avoid, since most of the time the questions are standardized.
They are relatively easy to administer.
Standardized questions make data collection economical, because of the focus they provide. Time and money are not wasted, because only the questions the researcher is interested in are asked, recorded, coded and analysed.
Motivation is one of the greatest threats, because the results depend on the interviewees' attitude and interest at the time of responding to the questions. In addition, depending on the type of survey, the respondent may be motivated to lie or withhold information in order to look better.
Closed-question surveys may have low validity when researching affective variables, because responses may be affected by the lack of choices. For example, in a "yes or no" questionnaire, a person may respond "no" because the choice "only once" is not available, which distorts the result of the survey.
The estimates may end up being biased, since errors caused by non-response may exist. This means that the people who chose to answer may hold different views from those who decided against it, whose voice is silenced by their own lack of response.
The survey used for the research in this dissertation has avoided most of these disadvantages, because it mostly appeals to the good disposition of the respondents. The interviewees are chosen at random, but in order to answer the complete survey they have to fulfil certain conditions, such as being a customer of the case study subject, HSBC.
Chapter Three: Methodology
As stated in the previous chapter, the main method of research for this dissertation is the case study, based on an analysis of the risks taken by private individuals and institutions in online banking transactions, which are becoming more common every day.
3.1. Main Risks
In this part, the main risks will be analysed. What does a person or an institution expose itself to when using the internet and, even more seriously, when carrying out internet banking operations? The research will try to answer this very important question while presenting a long list of risks, from phishing to hacking, through identity theft and even complete loss of privacy.
3.1.1. Identity Theft
This has been a major concern, not only for the people who may become victims, but also for the companies that end up doing business with the thief and never get paid for their products or services once the situation is discovered.
A person's identity is their most precious possession and, if stolen, may cause great damage. An identity thief may use the name and ID number of any person to obtain credit cards and then use them up to their limits, buy and sell any kind of item and even commit crimes in the comfort of complete anonymity: someone else's identity.
In many cases, unfortunately, by the time the victim realizes that identity theft has been committed it is already too late, and the person has lost more than his or her credit reputation: they may have lost their job and their freedom as well (Hammond, 2003). And if a person is not careful with his or her personal data, he or she may become a victim of identity theft very easily:
Wallet theft: most of the time, when a person's wallet is stolen, it contains credit cards and ID documents. This makes the thief's job even easier. They can immediately charge purchases to the victim's cards and even
Mail theft: by stealing credit card statements and other correspondence, thieves may get access to a person's finances. Impersonating the victim, they may even obtain new credit cards if the mail happened to contain an offer of a pre-approved one.
Pre-approved credit cards: when a person receives one of these letters and is not interested in using or accepting the card, the letter should be destroyed before being disposed of, since anybody may simply take it from the trash and then use the card until the limit is reached.
Losing sight of credit cards: in restaurants and other places, people hand their cards to employees to charge for their expenses, and that is a perfect example of how a person may become an easy victim of identity theft. All the criminal needs is the card number, the expiration date and the security code on the back to use the card on the internet without any problem.
Excess of information: on the internet, on the phone and through other media, people may pretend to be landlords, bank representatives or anybody else in order to get information from their victims, convincing them of the "real importance" of the information they are requesting.
People may prevent these types of theft by using some simple methods of protection, such as never letting their credit cards out of their sight, checking their mail regularly, periodically reviewing their credit report as well as their bank accounts and credit card transactions, and always being over-protective of their personal information.
3.1.2. Phishing
The term phishing comes from the fact that cyber-thieves are fishing for data. The f is changed to ph, according to James (2004), because of the sophisticated techniques they use, to separate their activities from those of less sophisticated fishers.
Communications pretending to come from real and well-known social networking sites (e.g. Facebook), popular auction sites (e.g. eBay), online payment processors (e.g. PayPal) or even IT administrators are frequently used by attackers to attract potential victims. These phishing invitations are sent by e-mail or instant messaging, and people may think the links are safe because they appear to come from a reliable source. Their goal is usually to get users to enter personal and even private details at a fake website that looks and feels almost identical to the real one. Sometimes the fake site even presents a valid server certificate, which means that it may take great skill and knowledge to detect that the website is fake. What phishing does is take advantage of weaknesses in the security of web technologies to mislead credulous users.
Institutions and governments are taking steps to deal with this growing threat, by the use of legislation, user training, public awareness, and technical security measures (James, 2004).
Current phishing methods include some type of technical scheme designed to make a link in an e-mail look as if it belongs to a real organization, when it actually redirects the victim to the spoofed website. They also take advantage of tiny details such as small differences in the address: for example, the URL http://www.yourbank.example.com/ appears to send the person to the yourbank website, when in reality it points to the "yourbank" (i.e. phishing) section of the example.com website. A different version of this scheme is to make the anchor text of a link look as real as possible, but have it point to the phisher's site instead of the real one.
Before they became so advanced, phishers also sent out links containing the symbol "@", making the part before it look like the site being visited when it is really a username. As an example, the link http://www.searcher.com@imaphish.com/ could fool an innocent victim into believing that it will open a page on www.searcher.com, when in reality it directs the browser to a page on imaphish.com, supplying www.searcher.com as a username; the phisher's page opens perfectly well, ignoring the username supplied. Internet Explorer has already disabled this kind of URL, but Mozilla Firefox and Opera currently only show a warning message and give the user the option to continue to the site or cancel.
An additional problem with URLs lies in the handling of Internationalized Domain Names (IDN) by web browsers, which may permit visually identical web addresses to lead to different, most probably malicious, websites. In spite of the publicity created around this flaw, known as IDN spoofing or the homograph attack, phishers have taken advantage of a similar risk and use open redirects on real and trusted websites to conceal false URLs under the guise of a real and trusted domain. Even digital certificates do not solve this problem, because it is very easy for a phisher to simply buy a valid certificate for a look-alike domain and thus present a spoofed website that the browser reports as secure.
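The tricks above (the brand name placed in a subdomain of another domain, the "@" username trick, look-alike IDN addresses and open redirects on trusted sites) can all be caught by parsing the URL the way the browser will, rather than reading it the way a person does. The following is an added example, not from the original page, of such a check using Python's standard library: it reports where the browser will really connect and lists the warning signs found. The trusted domain yourbank.com, the helper names and the sample URLs are assumptions of this example; the last-two-labels rule for the registrable domain is a simplification, since real code would consult the public suffix list.

```python
from typing import List
from urllib.parse import parse_qs, urlsplit

# Domains the bank legitimately uses (assumption for this example).
TRUSTED = {"yourbank.com"}


def registrable(host: str) -> str:
    """Last two labels of the host: 'www.yourbank.example.com' -> 'example.com'.
    Simplification: a real implementation would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def real_destination(url: str) -> str:
    """The domain the browser will actually connect to."""
    return registrable(urlsplit(url).hostname or "")


def analyse(url: str) -> List[str]:
    """Return the phishing warning signs found in the URL (empty list if none)."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    dest = registrable(host)

    # 1. http://www.searcher.com@imaphish.com/ : the text before '@' is a username
    if parts.username is not None:
        findings.append(f"'@' trick: '{parts.username}' is a username, browser goes to {host}")

    # 2. http://www.yourbank.example.com/ : the brand is only a subdomain of another domain
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if brand in labels and dest != trusted:
            findings.append(f"brand '{brand}' appears as a subdomain of {dest}, not {trusted}")

    # 3. IDN homograph: non-ASCII characters or punycode labels in the host
    if any(ord(ch) > 127 for ch in host) or any(label.startswith("xn--") for label in labels):
        findings.append("non-ASCII or punycode host label (possible homograph attack)")

    # 4. open redirect on a trusted site: a query parameter carrying another site's URL
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                target = real_destination(value)
                if target not in TRUSTED:
                    findings.append(f"parameter '{key}' redirects to {target}")

    if dest not in TRUSTED:
        findings.append(f"destination {dest} is not a trusted bank domain")
    return findings


if __name__ == "__main__":
    # Constructed sample links of the kinds described in the text.
    for sample in ["https://www.yourbank.com/login",
                   "http://www.yourbank.example.com/",
                   "http://www.searcher.com@imaphish.com/",
                   "http://www.yourb\u0430nk.com/",           # Cyrillic 'a' in the brand
                   "https://www.yourbank.com/redirect?url=http://imaphish.com/login"]:
        print(sample, "->", real_destination(sample), analyse(sample))
```

The open-redirect case is the one that the page says certificates cannot solve: the link really does go to the trusted domain first, so the certificate is genuine, and only the query parameter shows where the customer will end up.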
A phisher can even use defects in a trusted website's own scripts against the victim. These types of attack (known as cross-site scripting) are particularly serious, because the user really is signing in at their bank's site, with the correct web address, a valid security certificate and everything else in order, while the script the phisher injected into the page captures what they type or displays a fake form. Such an attack is very hard to identify, even for people with great knowledge of information technology.
RSA Security discovered a phishing kit they named Universal Man-in-the-Middle, which provides an easy-to-use interface that lets a phisher convincingly reproduce websites and obtain the log-in details entered at the false site.
Phishers have begun to use Flash-based websites to avoid anti-phishing techniques that scan websites for phishing-related text. These look very similar to real websites, but the text and data are hidden inside a multimedia object.
Not all phishing attacks require a fake website. Phishers also send e-mail messages that claim to be from a bank, telling users to dial a phone number regarding problems with their bank accounts. As soon as that number is dialled, a computer voice asks the users to enter their account and PIN numbers. Needless to say, the number is owned by the phisher and the service is provided over Voice over IP. This is vishing, also known as voice phishing, which sometimes also uses fake caller-ID data to make it look as if the calls come from a trusted organization.
Another attack that has been used successfully is to forward the client to the bank's legitimate website and then make a popup window appear in which the user's credentials and password are requested, as if the bank were really asking for the information, when the popup is actually a complete fake.
3.1.3. Hacking
To hack means to reconfigure or reprogram a system in such a way that it does not work as intended by its owner, designer or administrator.
The hacker or the person who performs the hack usually breaks into computers and computer systems by gaining access to the administrative controls. Since there have been programs and ways to protect them, there have been hackers trying to break through their security (Jordan T., 2004).
Since there are several ways to gain administrative access to different systems, there are also several types of hackers:
White Hat Hacker: breaks security for non-malicious reasons, for example to test whether security systems work adequately. What this hacker does is work with computer systems and have fun learning about them, thereby gaining a deeper understanding of the subject. These hackers usually use their skills for good and end up becoming security consultants, and most companies involved in internet transactions prefer to have one or two on their payroll to make sure they are protecting their systems adequately.
Black Hat Hacker: also known as a "cracker", is a person who breaks into the security of a computer or a network using technology (another computer, a phone line or similar) to commit criminal acts, such as credit card fraud, piracy, identity theft and others. Obviously this is the most dangerous kind of hacker, because they commit criminal activities on purpose, without even requiring an external offer to use their abilities.
Grey Hat Hacker: as its name implies, is a mix between the white hat and the black hat hacker. They do not usually hack with criminal intent, but are not above taking advantage if they find an opportunity to make easy money, for example. Depending on the offer, they may become white or black hat hackers, given the choice.
Script Kiddie: disliked by white, grey and black hat hackers alike, is a person who uses pre-made tools to attack computer systems and, most of the time, is not even proficient with computers. They use a large number of effective, easily downloadable malicious programs that allow them to attack even well-protected computers and networks. Such programs include WinNuke applications, Back Orifice, NetBus, Sub7, Metasploit, ProRat, PassJacker, iStealer, Snoopy, Metus, Locust Bot and software originally designed for legitimate security auditing. Another type of attack they use is the mass-mailer worm, which spreads through e-mail and, once opened, can automatically send itself throughout entire systems, most of the time without the user ever realizing it.
3.1.3.1. Hacking Methods
Just as there are several kinds of hackers, there are several different methods the hackers use to take advantage of the system. Some of these methods are described as follows:
Security Exploit: a program or technique that takes advantage of a known weakness. Examples of such exploits are SQL injection, cross-site scripting and cross-site request forgery, which take advantage of holes in the security of web applications caused by poor programming practices. Exploits are also used against services such as FTP, HTTP, PHP, SSH and Telnet, which is a commonly used kind of domain or website hacking.
Vulnerability Scanner: a computer program designed to find the weaknesses of computers, computer systems, networks and applications. Depending on their main focus and particular targets, there are many different kinds of vulnerability scanner available. Their functionality varies, but they share the common goal of exposing all kinds of vulnerabilities that may exist in one or more targets. In other words, these scanners are a very important component of the technology developed to implement vulnerability management within a company. The main types, depending on the objective, are the following:
- Port Scanner: application software designed to probe network hosts for open ports. System administrators generally use it to verify the security policies of their networks, and attackers use it as well to find the services running on a host in order to compromise it. There are two ways of running one: a portscan, which examines a single target host to find its listening ports; and a portsweep, which scans several hosts at the same time looking for a specific listening port or service.
- Network enumeration: an activity that queries computers for usernames, group memberships, shares and the services they offer. Some people confuse it with network mapping, which also examines computers, but only to discover information about the networks and the operating systems they run.
- Web Application Security Scanner: a program that communicates with a web application to look for potential security weaknesses in the application itself. It differs from source code scanners because it does not have access to the source code and detects vulnerabilities by sending test attacks to the running application.
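Of the scanners listed above, the port scanner is the simplest to show in working code. The following is an added example, not from the original page or from any of the tools named in it, of the two modes described: a portscan of one host over a list of ports, and a portsweep of several hosts for one port, both using plain TCP connect attempts with a timeout and a thread pool so that closed or filtered ports do not hold up the scan. So that it runs offline, the block also includes helpers that open a listening socket on the loopback address to act as the target; the function names are assumptions of this example.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect scan: a completed handshake means something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def portscan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 32) -> List[int]:
    """One host, many ports: return the sorted list of open ports."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: port_is_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def portsweep(hosts: Iterable[str], port: int, timeout: float = 0.5, workers: int = 32) -> List[str]:
    """Many hosts, one port: return the hosts on which that port is open."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: port_is_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, results) if is_open]


# Helpers so the example has a target without touching any real network.
def start_listener() -> Tuple[socket.socket, int]:
    """Listen on a free loopback port; returns (socket, port). Close it when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """A loopback port that was free a moment ago, used here as a 'closed' port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        closed_port = free_port()
        print("portscan :", portscan("127.0.0.1", [closed_port, open_port]))
        print("portsweep:", portsweep(["127.0.0.1"], open_port))
    finally:
        srv.close()
```

A connect scan completes the TCP handshake, so it shows up in the target's connection logs; that is also what makes it easy to detect from the defender's side, where a burst of connections from one source to many ports on one host (portscan) or to one port on many hosts (portsweep) is the usual signature.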
Computer Worm: a type of malware. Its modus operandi is to use the network to send copies of itself to other computers or networks connected to it, without requiring human intervention. Even when a worm carries no harmful payload, it consumes bandwidth and makes the victim's systems slower.
Spoofing Attack: closely related to phishing, this is an attack in which a program or message is disguised as another, so that it may fool the user or another program into releasing private data such as passwords, PINs, confidential information, etc.
Rootkit: a rootkit is designed to hide an intruder's presence on a computer, and may consist of any of a set of programs that work to take control of an operating system away from the real users. In order to avoid discovery and removal, a rootkit cloaks its installation, sometimes even replacing system binaries, and therefore becomes invisible to the legitimate operators, who cannot find it when analysing the process tables.
Social Engineering: means getting people to give up vital information about systems. Either by impersonating a real person or by means of sweet-talking, the attacker obtains information that should otherwise be unavailable to them.
Trojan Horse: a program that seems to be doing one thing while in reality it is doing something else. It can be programmed to open a back door in the computer system, so that the attacker can gain access later. (The name comes from the Greek myth of the Trojan War, in which a similar concept of deceiving the defenders into bringing an intruder inside was used.)
Virus: as its name indicates, is a type of disease created for computing systems. Just like its biological counterpart, it replicates itself and spreads to other systems or executable code, to infect as much of the computer or network as possible.
Keylogger: as its name indicates, is a program designed to log, in other words record, every key pressed by the user of the infected system. It allows later retrieval of the information previously typed and is used both by attackers and by the institutions that own the systems. The former use it to get private information and otherwise denied access to systems; the latter use it to monitor the use of their machines by the company's users, and in cases of employee fraud the logs may be very useful as computer forensic evidence.
In conclusion, the types of risk involved in online transactions are many, and most of the time it is in the hands of the users to protect themselves from those threats. Institutions and private individuals who use the internet to provide services of any kind are always exposed to the attacks mentioned above. It is in their best interest to invest in the best personnel, software and hardware to avoid becoming a victim.
Chapter Four: Findings and Analysis
In this chapter the research focuses on the opinion of customers regarding the e-banking security they feel their bank provides them, and it involves a survey / interview with a small group of 30 people, all customers of HSBC, either here in the UK or in other countries of the world. Considering that, as mentioned before, the bank's slogan is "The World's Local Bank", it was thought that this approach, contacting customers across a wide range of countries, would be the most appropriate.
In order to contact the customers, the researcher posted the questions in certain web groups, where people answered them. The only condition imposed at the beginning of the questionnaire was that the respondent had to be some kind of customer of HSBC, but it was clearly stated that the location of the customer and / or of their HSBC branch was not important.
This is a statistical survey, since it is based on the personal opinions of the interviewees (McBurney, 2010). In addition, all participants were informed and accepted that no payment would be given for their participation, and they also agreed that their last name and country of residence might be published, in case their answer(s) were used in the research paper.
4.1. Questions of the survey / interview
The questions used in this survey / interview, were the following:
How long have you had an account with HSBC?
What kind of account is it? (Savings, checking, corporate, etc.)
Do you use the bank's internet site?
Do you find the site user-friendly? What improvements would you suggest?
Do you feel safe, using the bank's web tools?
Have you ever had any problems with the service provided to you through the site?
If yes, please elaborate, if not, please continue to the next question.
What kind of tools or suggestions has the bank given you, to help you protect yourself better from online attacks?
Would you recommend others to get an account at the HSBC? Why?
4.2. Methods of obtaining the information
As stated earlier, the contact method of choice for this survey / interview was the posting of the questionnaire in web groups, as well as personal e-mails sent to the private accounts of some volunteers whom the researcher met personally. In addition, the researcher states that all the responses were received in writing and that a backup of them remains on the hard drive of the researcher's personal computer.
Furthermore, the researcher would like to state that nobody was paid to answer this survey; every one of the interviewees did it willingly and without any kind of pressure from the researcher or any other source.
To finalize, the responses obtained will not be published beyond this dissertation and will not be distributed in any way to any other person or institution, including the case study subject, HSBC Group.
4.3. Types of responses received
The following are extracts of the responses received and a short analysis of each question in the light of its answers. Three subjects were selected at random, to give a sample of 10% of the answers received. As far as the surveyor knows, the respondents do not know each other.
How long have you had an account with HSBC?
I opened my account with HSBC almost one year ago.
I recently opened it. Less than 3 months ago.
At least 3 to 4 years.
This question was mostly informative, since the length of time for which the customers have had their accounts is not of great relevance. Nonetheless, a response like Christine's shows that the bank is steadily growing its customer base and not depending only on established customers.
What kind of account is it? (Savings, Checking, Corporate, etc.)
It is a Commercial Business Vantage Account. I opened a Limited Trading Company around 10 months ago and, for it, I wanted all the international transactions between my customers and my company to be able to count on the services offered by one of the most reliable, important and solid banks in the world.
I have a HSBC Visa Platinum Card. I wanted to have a credit card that I could use anywhere in the world and that offered me great benefits that will help me to make a better use of my money.
(I have) a Commercial Business Direct Account. I wanted to have all the services and products offered by HSBC in one simple and effective package.
This question got several different kinds of response, since the bank offers different account choices: Personal, Premier, Advance, Commercial and Corporate. Commercial and Corporate accounts hold savings and checking accounts together, to offer more choices to the customers.
It came to the attention of the researcher that not many respondents have personal accounts. Considering that the bank has been aimed at traders and businesses since its beginnings, on closer observation it was noticed that the services provided through a personal account are very limited, and therefore most people try to get an account of a different kind, such as Premier.
Chapter five: Conclusions and Recommendations
As seen in the previous chapter, from the original 30 responses analysed for the research, above are the responses of three separate individuals from separate countries and even continents. Nonetheless, their opinions do not differ much, in spite of their geographical distance. Therefore it may as well be stated that the bank's slogan "The World's Local Bank" is well put.
The survey shows that most of the customers of the HSBC Group, no matter what kind of account or service they get from the bank, are very satisfied with the services provided and the security implied in their transactions.
In addition, most customers are very happy with their choice of bank, not only for the security provided but for the simplicity of the processes. According to the survey, most of the clients do not go to the bank's offices unless it is strictly necessary, which is basically the day they open the account and not much more. The customers also agree that the bank's sites are very user-friendly and therefore do not cause many complications when using and interacting with the service at any time of day or night.
Simplicity and practicality are not common on banking websites; most of them are famous for the complexity of their transaction processes, making customers go to their offices more than to their sites. In the case of HSBC it is the other way around. They make transactions easy for the customers no matter their location or the time of day or night they decide to access the sites. Nonetheless, the simplicity and availability of the sites do not imply that they are vulnerable to external attacks; they are well designed and protected from such events, and the main proof is that they have not been seriously attacked in recent times.
It is true that no system is invulnerable, but HSBC goes to great lengths to provide extra help to its customers, giving them tips and suggestions on how to make their own systems more secure, by giving them information about anti-virus software, firewalls and other types of protection they can adopt by themselves.
As stated earlier, the responsibility for the safety of a person's or institution's bank account and private banking information does not lie totally in the hands of the bank. It lies, sometimes in an even bigger proportion, in the hands of the account owners, who may unintentionally put their account at risk if they happen to be careless with their private information. Therefore the warnings, suggestions and tips supplied by HSBC's websites in all their locations become of greater importance when it comes to making customers aware of their own responsibility in keeping their information and assets safe from external attacks.
On the other hand, and especially considering the second case presented in this dissertation about a security problem that occurred at HSBC in Switzerland, the main goal of the Group, as a whole, should be to make sure that its internal security measures are more forcefully implemented, as the whole problem was caused by a person inside its multiple firewalls and not by an outside attack.
In other words, the main concern for the Group should not be an outside attack, but an attack from the inside, from someone or a group of people who are within the firewall and have greater access. The best alternative in this case is to increase the security checks on any personnel with multiple accesses and super-user passwords, as they are the ones most capable of causing the HSBC Group great damage.
Session recording and random auditing of internal processes are two of the proposals for strengthening the internal security systems. In times like the present, where industrial espionage is no longer something taken out of a movie but a real and present threat to security, traceability is one of the main tools that can be used to avoid any kind of misuse of power.
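The traceability the recommendation above relies on can be made concrete with a tamper-evident audit trail: every privileged action is appended to a log in which each record carries a keyed hash over its own content and the previous record's hash, so an insider with high access cannot quietly rewrite or delete history, and a random subset of records is drawn for the auditor to review. The following is an added illustration, not code from the dissertation or from HSBC; the operator names, actions, targets and the audit key are all constructed for the example, and a real deployment would keep the key away from the operators being logged.

```python
"""Tamper-evident audit trail for privileged actions, with random sampling for review.

Illustrative example: a hash-chained, HMAC-protected log of super-user actions.
Altering or removing a record breaks the chain and is detected on verification.
"""
import hashlib
import hmac
import json
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed key for the example only. In practice it lives where the logged
# operators cannot read it (a separate host or an HSM), or signatures are used.
_AUDIT_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class AuditRecord:
    seq: int
    operator: str
    action: str
    target: str
    prev_hash: str
    mac: str = ""

    def body(self) -> bytes:
        # Canonical serialisation (sorted keys, no whitespace) so the MAC is stable.
        return json.dumps(
            {"seq": self.seq, "operator": self.operator, "action": self.action,
             "target": self.target, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    GENESIS = "0" * 64  # chain anchor for the first record

    def __init__(self, key: bytes = _AUDIT_KEY):
        self._key = key
        self.records: List[AuditRecord] = []

    def append(self, operator: str, action: str, target: str) -> AuditRecord:
        prev = self.records[-1].mac if self.records else self.GENESIS
        rec = AuditRecord(len(self.records), operator, action, target, prev)
        rec.mac = hmac.new(self._key, rec.body(), hashlib.sha256).hexdigest()
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev:
                return i  # record removed, reordered or inserted
            expected = hmac.new(self._key, rec.body(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec.mac):
                return i  # record content altered after the fact
            prev = rec.mac
        return None

    def sample_for_review(self, n: int, seed: Optional[int] = None) -> List[AuditRecord]:
        """Random audit: choose n records that a reviewer must examine."""
        rng = random.Random(seed)
        chosen = rng.sample(self.records, min(n, len(self.records)))
        return sorted(chosen, key=lambda r: r.seq)


def build_demo_log() -> AuditLog:
    """Constructed sample of privileged operations by super-user accounts."""
    log = AuditLog()
    log.append("admin-07", "EXPORT_CUSTOMER_LIST", "accounts-ch")
    log.append("admin-07", "RESET_PASSWORD", "customer:48213")
    log.append("admin-12", "GRANT_ROLE", "user:temp-contractor")
    log.append("admin-07", "EXPORT_CUSTOMER_LIST", "accounts-fr")
    return log


def tamper_demo() -> Optional[int]:
    """An insider rewrites who performed record 1; verification reports index 1."""
    log = build_demo_log()
    log.records[1].operator = "admin-12"
    return log.verify()


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify() is None)
    for r in log.sample_for_review(2, seed=1):
        print(f"review seq={r.seq} {r.operator} {r.action} {r.target}")
    print("first bad record after tampering:", tamper_demo())
```

Two design points matter for the insider case the dissertation describes. The MAC key (or a signing key) must not be readable by the administrators whose actions are recorded, otherwise they can simply recompute the chain; and because silently dropping the newest records would not break the chain, the latest record's hash should be periodically copied to a place the operators cannot alter, so that truncation is also detectable.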
To sum up, in order to attract customers, the HSBC Group is providing the security and reliability that people require, ask for and even aim to have. From an outside attack, which could cause customers to lose their capital or, even worse, their trust in the Group, HSBC's customers are protected to the best of the bank's abilities, with the most modern tools available. What the Group needs to concentrate on is the threat of internal breaches, which may or may not cost the Group huge amounts of money, but which leave the customers' information unprotected and exposed to threats.
Regarding the specifics of the case study of this dissertation, there are, have been and will always be risks involved in the processes of internet banking, both for the banking institutions and for the customers. If both parties make the effort to protect their transactions in the best way possible, through security codes, personal identification numbers, security keys, firewalls and anti-virus software, they greatly reduce the risk of attacks, both internal and external.
Companies with more than one person responsible for banking access must make sure they are able to follow up completely on any type of transaction each of their people is making. They should also take security measures before hiring new people into their companies, to make sure that they are trustworthy and not involved in any type of illegal activity.
On their side, the banks must do the same thing regarding the type of personnel they hire for the management and handling of their online processes. Those should be the people with the highest security clearances and, at the same time, the most closely controlled ones, since they hold in their hands the information and the finances of the bank's customers. In addition, since most internal attack cases are based on money offered to the perpetrator, they should be paid what they are worth, to avoid them getting greedy and accepting bribes.
In conclusion, the HSBC Group does attract customers with its advantages in e-banking, both through the ease of using its online services and through the security it provides for transactions. The bank lives up to its slogan and satisfies customers on a worldwide basis.