
BIS3400
Social, Professional and Ethical Issues in Information Systems
Milestone 1

Date: Friday 25th March 2016
Tutor Name: Aditya Santokhee
Student Name: Samuel Ogogo
Student Number: M00561655
Campus: Mauritius

Samuel Ogogo M00561655

Security issues in online banking (a focus on phishing)
In the world of today, the widespread use of the internet has influenced banks to use technological advancements in their major operations (Drigă and Isac, 2014). Banks have exploited the internet to enhance the speed and quality of their services (Dawes and Rowley, 1998), but have been exposed to many security risks. Some of these risks include disclosure, modification of data, and denial of service (Kalakota and Whinston, 1996).

According to Shah and Clarke (2009), online banking, which is synonymous with e-banking and internet banking, is a situation where people can access their bank accounts, transfer money to other accounts and also make payments for goods and services using the internet. This was an innovation to complement the paper banking system (Fisher and McKenney, 1993), which involved only direct transactions inside a banking hall. However, this shift in the banking sector from paper banking to internet banking has brought about security threats among other issues (Hawke et al., 2000).

One of the major threats is phishing; others include pharming, key logging, WEP cracking and sniffing. Phishing is the fraudulent act of posing as a bank or operating a counterfeit bank page to obtain information about a person (Jagatic et al., 2007). According to Ollmann (2004), the main aim of phishing is to obtain a person's login credentials, banking credentials, credit card and personal details.

Similar to phishing is pharming, which involves redirecting customers to an illegitimate version of a website (Drigă and Isac, 2014). Key logging involves using surveillance programs to track a user's activities on a computer (Society, Electrical, and Engineers, 2007). Sniffing involves unauthorized spying on a network, while WEP cracking is when an attacker searches for an encryption key to gain access to a network (Davidoff and Ham, 2012). These are some of the methods people have used to perpetrate unlawful acts through the internet. The major difference is that phishing takes advantage of, or lures, the user, while key logging, sniffing and WEP cracking take advantage of a loophole or vulnerability in the user's computer (Downs, Holbrook and Cranor, 2006).

This review describes the ethical, social, legal and professional issues related to security in online banking, focusing on phishing.

Ethical Issues
Despite the numerous benefits of online banking, unethical behaviour by third parties has continued to affect innocent bank customers. These bad citizens (Abreu et al., 2015) have exploited others, showing a lack of transparency, with the aim of cheating others, and have used various means to interfere with transactions, thereby causing great harm to both banks and customers (Koenig-Lewis, Palmer and Moll, 2010).

Ollmann (2004) discusses a case of phishing where a bank customer gets an e-mail from a fraudster that appears to be from his bank, with the subject line "Security update". The e-mail explains that the bank's online system needs to be upgraded, and threatens to suspend the customer's account within two days if he does not update his login details by clicking on a link provided. The link opens a fake bank page, which supplies the sender of the e-mail with the username and password the customer has filled in. A similar scenario is described by Jakobsson and Myers (2006).
According to Kantian theory, the sender of the e-mail in the above scenario, who has fraudulently collected the login details of a customer for whatever reason, is acting unethically. This is because Kantians hold that people must do the right thing regardless of the consequences (Dickens, 2012). According to the Kantians, an act is good or bad depending on whether we could imagine every other person doing what we are doing (Duquenoy, Jones and Blundell, 2007).

On the other hand, the Utilitarian theory focuses on whether the act carried out was for the benefit of society (Dickens, 2012), which would make such an act ethical. Therefore, from the utilitarian point of view, the end would always justify the means: if the username and password obtained from the customer were to expose stolen public funds, then such an act would be viewed as ethical. Furthermore, a government agent who interferes with an online banking transaction between a bank and its customer in the course of doing his job, or in order to track down a fraudster who has been disturbing society, would be acting acceptably and ethically.

Social Issues
Having known the security threats involved in the online banking system, banks ought to communicate security warnings to their customers so that they are aware of the risks involved (Koskosas, 2011). Customers also need to keep up to date with the latest safety programs, such as antivirus software and firewalls. It is, therefore, the responsibility of bank management, all staff and other levels of operation to build security and risk management into their business culture.

Many customers have suffered loss of money and emotional and psychological trauma from being victims of online fraud (Reisig, Pratt and Holtfreter, 2009). Some have gone as far as committing suicide after losing a huge amount of money through fraudulent online banking transactions. Many customers have chosen not to participate in any online transaction, while some have even refused to apply for credit cards, because they feel it is insecure (Brooks, 2006).

Apart from customers, security threats have also affected banks negatively: they have lost revenue, customer relationships and millions of dollars due to fraud-related attacks (Aburrous et al., 2010). Furthermore, online fraud through phishing attacks has also damaged many banks' reputations, leading to a loss of customers that adds up to millions of dollars (Aburrous et al., 2010).

Legal Issues
Unlike conventional crimes, which are perpetrated mostly by young men who abuse drugs and alcohol, online crimes are committed by educated and intelligent members of society (Moore, Clayton and Anderson, 2009). There are many laws against these crimes that protect both the banks and other victims, and what is illegal varies from one country to another.

In the UK, the Computer Misuse Act 1990, section 1, subsections (1), (2) and (3), punishes anyone who intentionally interferes with another person's computer or data (Computer Misuse Act, 1990). The same Act, in section 3ZA, subsections (1), (2) and (3), states that a person who causes disruption of a system of communication or of the supply of money is guilty of a crime punishable by 14 years' imprisonment. Therefore, the phisher in the aforementioned scenario, who operates a fake copy of a bank website to obtain people's bank credentials and secret details, would be punished under this Act. This law also punishes a person who installs a key-logger on another person's computer to capture his password details, for any reason (Computer Misuse Act, 1990).

However, according to the Freedom of Information Act 2000, local authorities, government and other organisations have the right to monitor, disrupt or interfere with online transactions if it is for the benefit of society and is part of doing their job (Johnson and Hampson, 2015). In line with the cited scenario, this Act protects a government agent who retrieved the personal login details of a person who has stolen public funds, because it is beneficial to society.

Many of these crimes have been compared to real-world crimes by Jewkes (2006). For example, he compares unauthorized access to someone's computer (hacking) with trespassing, and sending viruses, worms and other malicious items with vandalism. But unlike real-world crimes, online crimes require only a computer and a connection to the internet (Jewkes, 2006). The enforcement of all these laws against online banking fraud must, therefore, be taken seriously, otherwise they will seem useless (Brenner, 2009).

Professional issues
Professional bodies have codes of conduct to regulate the work of the individual professionals who are their members (Kizza, 2010). Examples of such bodies in the UK are the Association for Computing Machinery (ACM), the British Computer Society (BCS) and the Institution of Engineering and Technology.

The Association for Computing Machinery (ACM) code of conduct requires software engineers who are its members to avoid harm to people and to be trustworthy, fair and non-discriminatory (ACM code of ethics and professional conduct, 2016). According to section 4.2 of the ACM code, for the benefit of the public, its members must not expose any confidential information gained in their professional work (ACM code of ethics and professional conduct, 2016). In relation to the scenario mentioned at the outset, it is against the ACM code of conduct for a professional to send an e-mail to a customer with the aim of luring him to log into a fake bank page in order to obtain his personal details. All professionals must also refrain from altering online information without permission. Modifying or overwriting someone's data for selfish gain is also unprofessional (ACM code of ethics and professional conduct, 2016).
In the same vein, members of the BCS are required to safeguard the interests of the public by performing their duties with care and diligence (The Chartered Institute for IT, 2016). The BCS code of conduct also states that its members must not use or pass on confidential information without permission (The Chartered Institute for IT, 2016). This, therefore, means that it is against the BCS code of conduct for a professional to carry out the illegal act in the above scenario.

Conclusion
According to Aguila Vila et al. (2013), all the security threats discussed in this review can be categorized as follows:

- Threats against end users, which involve physical observation, compromise of credentials, phishing and sniffing.
- Threats against end users' devices, which involve hardware key-logger attacks and the use of malware for identity theft and other fraudulent acts.
- Threats against communication networks, which include pharming, interception and WEP cracking.
- Threats against remote banking services, which involve attacking the web banking servers, causing bank data breaches and the compromise of customer information.

Recommendation
Banks should use effective authentication programs to ensure secure online transactions, and should also use different communication media. They must continue to inform customers of the latest threats and attack patterns adopted by online criminals (Koskosas, 2011). In other words, they should provide anti-phishing training with tips for detecting phishing e-mails and websites (Alnajim, 2011). Software engineers must develop secure online banking applications that focus on the direct attacks on operating systems. These applications should also be distributed through trusted channels, i.e. reputable sites that have been tested for security (Aguila Vila et al., 2013).
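The "security update" lure described in the Ethical Issues section (a deadline, a request to re-enter login details, and a link to a page that is not the bank's) contains exactly the tells that anti-phishing training asks customers to look for. The following script is an added example, written for this page and not taken from the essay or from any of the cited works (Ollmann, Alnajim or others); it shows how those tells can be checked mechanically on an incoming message. The bank domain, the two sample messages and the scoring threshold are constructed for illustration.

```python
"""Heuristic phishing-e-mail triage (added example, not from the essay or its sources).

Checks mirror the lure in the essay's scenario: a deadline or suspension threat,
a request for login details, a sender outside the bank's domain, and links whose
real target is not the bank (or whose visible text disagrees with their target).
All domain names, messages and the threshold below are constructed.
"""
import re
from urllib.parse import urlparse

# Hypothetical legitimate bank domain used for the comparisons.
BANK_DOMAIN = "examplebank.test"

# Constructed message modelled on the scenario in the text: the visible link text
# shows the real bank, but the href points at a look-alike domain.
SAMPLE_PHISH = {
    "subject": "Security update",
    "from": "support@examplebank-secure.test",
    "body": (
        "Dear customer, our online banking system needs to be upgraded. "
        "Your account will be suspended within 2 days unless you update your "
        "login details at <a href=\"http://examplebank-secure.test/login\">"
        "https://www.examplebank.test/update</a>."
    ),
}

# Constructed benign message for comparison. It mentions "password" once, which
# shows that a single keyword hit is not enough to flag a message.
SAMPLE_LEGIT = {
    "subject": "Your March statement is ready",
    "from": "statements@examplebank.test",
    "body": (
        "Your statement is available in online banking. "
        "<a href=\"https://www.examplebank.test/statements\">View statements</a>. "
        "We will never ask you for your password by e-mail."
    ),
}

URGENCY = re.compile(
    r"\b(within \d+ (?:hours?|days?)|suspend(?:ed)?|immediately|expire[sd]?)\b", re.I)
CREDENTIAL = re.compile(r"\b(login details|password|username|PIN|card number)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def same_org(host, bank_domain):
    """True if host is the bank domain itself or one of its subdomains."""
    host = (host or "").lower()
    return host == bank_domain or host.endswith("." + bank_domain)


def link_findings(body, bank_domain):
    """Return (href, display_text, reason) for every link that should worry a reader."""
    findings = []
    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        if not same_org(host, bank_domain):
            findings.append((href, text, "target host %r is not %s" % (host, bank_domain)))
        # Display text that looks like a URL but names a different host than the href.
        shown = urlparse(text.strip()).hostname
        if shown and shown.lower() != host.lower():
            findings.append((href, text, "visible URL %r differs from target %r" % (shown, host)))
    return findings


def triage(email, bank_domain=BANK_DOMAIN):
    """Score one message; each independent signal adds one point."""
    body = email["body"]
    signals = []
    if URGENCY.search(body):
        signals.append("deadline or suspension threat")
    if CREDENTIAL.search(body):
        signals.append("asks for credentials")
    sender_host = email["from"].rsplit("@", 1)[-1]
    if not same_org(sender_host, bank_domain):
        signals.append("sender domain %r is not the bank's" % sender_host)
    for href, _text, reason in link_findings(body, bank_domain):
        signals.append("link %r: %s" % (href, reason))
    score = len(signals)
    # Constructed threshold: one keyword hit alone is not conclusive.
    return {"score": score, "signals": signals,
            "verdict": "suspicious" if score >= 3 else "ok"}


if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = triage(msg)
        print(name, result["verdict"], result["score"])
        for s in result["signals"]:
            print("  -", s)
```

The link check is the one that matters most: the other signals also appear in legitimate mail, and a training message that only teaches "look for urgency" will produce false alarms, whereas a link whose target host is not the bank's is hard to explain innocently. A real mail gateway would also inspect the authenticated sender (SPF/DKIM) rather than the bare address string used here.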

Bibliography
Abreu, R., David, F., Legcevic, M., Segura, L., Formigoni, H. and Mantovani, F. (2015) Ethics and fraud in e-banking services, 2015 10th Iberian Conference on Information Systems and Technologies (CISTI). doi: 10.1109/cisti.2015.7170491.
Aburrous, M., Hossain, M.A., Dahal, K. and Thabtah, F., 2010. Experimental case studies
for investigating e-banking Phishing techniques and attack strategies. Springer Science +
Business Media.
ACM code of ethics and professional conduct, 2016. Available at: <https://www.acm.org/aboutacm/acm-code-of-ethics-and-professional-conduct#CONTENTS> [Accessed 25 March 2016].

Aguila Vila, J., Serna-Olvera, J., Fernandez, L., Medina, M. and Sfakianakis, A. (2013) A
professional view on ebanking authentication: Challenges and recommendations. Institute of
Electrical & Electronics Engineers (IEEE).
Alnajim, A.M. (2011) High level anti-phishing countermeasure: A case study, 2011 World Congress on Internet Security (WorldCIS), London, pp. 139-144. Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5749899&isnumber=5749844
BCS code of conduct. The Chartered Institute for IT, 2016. Available at: <http://www.bcs.org/category/6030> [Accessed 25 March 2016].

Brenner, S.W. (2009) Order & disorder: Crime, war, and terrorism. Oxford University Press
(OUP).
Brooks, J., 2006. Anti-phishing best practices: keys to aggressively and effectively
protecting your organization from phishing attacks. White Paper, Cyveillance.
Davidoff, S. and Ham, J. (2012) Network forensics tracking hackers through cyberspace.
Upper Saddle River, NJ: Prentice Hall.
Dickens, J. (2012) Social work, law and ethics. New York, NY: Taylor & Francis.
Downs, J.S., Holbrook, M.B. and Cranor, L.F., 2006. Decision strategies and susceptibility to phishing. Proceedings of the second symposium on Usable privacy and security - SOUPS '06, pp. 79-90.
Drigă, I. and Isac, C., 2014. E-banking services: features, challenges and benefits. Annals of the University of Petroșani, Economics, 14(1), pp. 41-50.
Duquenoy, P., Jones, S. and Blundell, B.G., 2007. Ethical, legal and professional issues in
computing. United Kingdom: CENGAGE Lrng Business Press.
Fisher, A.W. and McKenney, J.L. (1993) The development of the ERMA banking system:
Lessons from history. (15 Vols). Institute of Electrical & Electronics Engineers (IEEE).
Hawke, J.D. et al. (Electronic Banking Group, Basel Committee on Banking Supervision) (2000) Electronic banking group initiatives and white papers. Basel Committee on Banking Supervision, Office of the Comptroller of the Currency.
Jagatic, T.N., Johnson, N.A., Jakobsson, M. and Menczer, F. (2007) Social phishing, Communications of the ACM, 50(10), pp. 94-100. doi: 10.1145/1290958.1290968.
Jakobsson, M. and Myers, S. eds., 2006. Phishing and countermeasures: Understanding the
increasing problem of electronic identity theft. United States: Wiley-Interscience.
Jewkes, Y. (ed.) (2006) Crime online: Committing, policing and regulating Cybercrime.
United Kingdom: Willan Publishing.
Johnson, D. and Hampson, E. (2015) Utilising the UK freedom of information act 2000 for crime record data, Records Management Journal, 25(3), pp. 248-268. doi: 10.1108/rmj-052015-0020.
Kalakota, R. and Whinston, A.B. (1996) Electronic commerce: A manager's guide. 10th edn. Reading, MA: Addison-Wesley Educational Publishers.
Kizza, J.M. (2010) Ethical and social issues in the information age. 3rd edn. London:
Springer-Verlag New York.
Koenig-Lewis, N., Palmer, A. and Moll, A. (2010) Predicting young consumers' take up of mobile banking services, International Journal of Bank Marketing, 28(5), pp. 410-432. doi: 10.1108/02652321011064917.
Koskosas, I. (2011) E-banking security: A communication perspective, Risk Management, 13(1-2), pp. 81-99. doi: 10.1057/rm.2011.3.
Moore, T., Clayton, R. and Anderson, R. (2009) The economics of online crime. (23 Vols).
American Economic Association.
Ollmann, G., 2004. The Phishing Guide: Understanding & Preventing Phishing Attacks. NGS Software Insight Security Research.
Computer Misuse Act 1990, c. Available at: http://www.legislation.gov.uk/ukpga/1990/18/section/1 (Accessed: 5 March 2016).

Reisig, M.D., Pratt, T.C. and Holtfreter, K., 2009. Perceived risk of Internet theft victimization: Examining the effects of social vulnerability and financial impulsivity. Criminal Justice and Behavior, 36(4), pp. 369-384.

Shah, M. and Clarke, S. (2009) E-banking management: Issues, solutions, and strategies.
United States: Information Science Reference.
Society, I.I.E., Electrical, I. of and Engineers, E. (2007) 2007 Inaugural IEEE International Conference on Digital Ecosystems and Technologies (DEST '07), 21-23 February 2007.
