CBD tightens up website security
Commercial Bank of Dubai (CBD) is tightening up its online security, with the bank moving the hosting of its website in-house and planning to roll out an authentication system for online banking customers.
Commercial Bank of Dubai (CBD) is tightening up its online security, with the bank moving the hosting of its website
in-house and planning to roll out an authentication system for online banking customers.
CBD has taken the decision to move the hosting for its
website in-house following an attack on the site last year, which led to a hacker defacing the site (see IT Weekly 22- 28
Although the bank’s own systems were not breached in any way, executives at CBD said the bank was unhappy with the security of the third-party firm which was hosting the site, Interactive Limited.
“Since this date, since the security breach, we have decided that they are not following the same security level that we have as a standard here in our bank,” a senior IT manager at CBD said.
“So yes they have a hosting service but they can’t follow the same security standards that we have here,” he added.
CBD said the hacking attack did not put online banking
customers at risk as the internet banking site is separate from the company website and already hosted in-house by CBD itself.
However the website which was attacked does contain a link to the internet banking site — a factor which made the incident even more worrying, the IT manager said.
“It is one of the main concerns of course, because, if you go to this site, if you click on the link you will be redirected to the main CBD online website,” he explained.
“In a problem like this okay, there’s no data loss but the image was severely affected. So we can’t take this risk anymore, so that’s why we’re taking the website back to our own network,” he added.
Interactive Limited, which has also worked with Pepsi Beverages International Middle East and Emirates Academy of Hospitality and Management, is a Dubai-based company that claims to have more than 12 years experience in providing web-hosting services.
It said at the time of the incident that it had been under “constant attack” from hackers trying to break into its servers and that the CBD incident was only the second time that a website it was hosting had ever been broken into.
“We maintain hosting security that is based on world-class standards and best practice methodologies, and invest heavily every quarter in updating our hosting team and infrastructure,” Basheir Hashim, consulting manager at Interactive, said in a statement.
“Commercial Bank of Dubai is a valued client at Interactive; it is among several dozen clients that continue to host with [Interactive], and we are always working to meet their
requirements,” the statement continued.
“While no hosting solution worldwide will ever be 100% full proof, we are confident that our hosting security is reliable. Interactive dealt with the incident that happened in September 2005 by enacting its 24-hour support and skills to serve and protect the client,” the statement continued.
“Our combined efforts ensured CBD maintained full control over its applications and that no damage was suffered as a result,” it concluded.
Following the incident, CBD decided to introduce a new form of authentication device for online banking, retail and corporate customers.
An executive at the bank said it is planning to implement this year a ‘one-time password’ solution for e-banking to minimise the risk of different security incidents, such as phishing attacks.
The solution would provide a password valid for one session only with a hardware device generating a new password every 60 seconds, so even if a user provided a valid password in an attack attempt, it would only be valid for one minute.
The executive said the bank had already selected such a solution for its customers but would not provide details on the vendor as a final contract has not yet been signed.