Ssp fraud risk vulnerablity in ebanking
- 1. The Institute of Internal Auditors India, Madras Chapter Fraud Risk Vulnerability in E- Banking -Sathyananda Prabhu Mob : 9442502094 Email: [email protected]
- 2. “Electronic banking” “Virtual banking” “Online banking” refers to Utilization of ICT to conduct banking transactions. A system of banking where all banking needs are delivered remotely through electronic channels without need for customer to visit the branch. Benefits: Cost effective delivery channel – 10% of physical channel Excellent Customer experience Product design and Innovation. Dynamic product offer Less time to Market Easy reach to customers E- Banking
- 3. E-banking –Evolution in India Rangarajan Committee report on computerization in banks 1989 introduced centralized clearing , inter-connectivity of branches, e-banking ALPM / TBC / Core banking Clearing house, ECS , NEFT, RTGS, ATM /CDM/ Debit Card / Credit Card/ PoS Internet banking Mobile banking Online stock trading and wealth management Payment wallets , NFC , BI, Analytics, Cloud, Social Media, Bitcoin Most of the banking transactions today is online
- 4. Networked world – Highly vulnerable In 2013, 110 million Target customers either had their personal information hacked, their credit and debit card information stolen, or both. Breach occurred through PoS and a backend portal. Breach in Sony, hackers stolen over 100 terabytes of data containing Social Security numbers, salaries, movies, and other personally identifiable information. In 2014 , a Pony (a cyber-crime ring) botnet stole 85 virtual wallets filled with Bitcoins and other digital currencies, according to the security firm Trustwave. Perpetrators attempted to steal $951 million from the Bangladesh central bank's account with the Federal Reserve Bank of New York by planting malware and gaining access to credentials. The Hacking at Equifax in 2017, impacting personal information relating to 143 million U.S. consumers IoT is widening the attack vector . Any electronic device can hack into another device/bank account.
- 5. A study from Juniper Research has reported that the value of online fraudulent transactions is expected to reach $25.6 billion by 2020, up from $10.7 billion in 2016 and 27% of this will be in banking. According to 2013 Norton report by Symantec : -Average cost Per Victim doubled from 2012. -Victims concentrated in Russia (85%), China (77%), South Africa (73%), Annual number of victims has been estimated in 378 Million and amount $ 113 BN.
- 6. Few examples of Breaches in India In July 2016, union bank of India swift reconciliation team found that an amount of $171 million had been debited from the dollar account of the bank without authorization, and the money had travelled far and wide. Immediate detection and action helped retrieve amount. Card data of 3.2 million customers was stolen between 25 May and 10 July in 2016 from a network of Yes Bank Ltd ATMs managed by Hitachi Payment Services Pvt. Ltd Axis Bank reported cyber security breach in October 2016; malware found in its server , no monetary loss reported. Bank of Maharashtra lost Rs25 crore when a bug in the Unified Payments Interface (UPI) system allowed people to send money without having the necessary funds in their accounts. SBI ATM in Odisha spews out cash without any card being swiped. Physical malware attack suspected in these ATMs. PoS machine in a bank allowed withdrawals without money in the account – flaw in a new program installed on switch WannaCry Ransom ware attack Petya cyber attack. Large number of Customers compromising their credentials to phishing/vishing attacks and lost money Skimming attacks in ATMs made many to lose money
- 7. E-banking Frauds - Bangalore CID arrested the culprits in a case where Card data of large number of customers were stolen by fraudsters by planting card skimmers and pin cameras at ATMs and amount stolen through cloned cards. A customer receives a call mentioning he is calling from the Bank and obtains card information and misuses for carrying out online transactions using these credentials. Social engineering is used Paypal scammers sent out an attack email that instructs them to click on a link in order to rectify a discrepancy with their account. In actuality, the link leads to a fake PayPal login page that collects a user’s login credentials and delivers them to the attackers. In spear phishing scams, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. The goal is to lure the victim into clicking on a malicious URL or email attachment, so that they will hand over their personal data. Phishing , Vishing, whaling attacks
- 8. Source : PWC survey
- 9. E-Banking : vulnerability Sources – Operational Risk Traditional banking risks + added e-banking risks Complexity of technology and lack of training and awareness among employees Internal and external frauds exploiting loop holes in the technology System failures and business disruption Mis-use of confidential information Failed or erroneous transaction processing Reconciliation issues Vulnerabilities in outsourced processes Sophisticated cyber attacks Lack of adoption of technology for internal controls and fraud risk management
- 10. E-Banking: vulnerability Sources – Strategic and Compliance risk compliance risk which may arise from non- conformance with laws, rules, regulations, prescribed practices, or ethical standards. Compliance with regard to cross border transactions People with technology knowledge with no banking knowledge may be driving in-adequacy of MIS Costs involved in overseeing e-banking activities, vendors Cost and availability of technical staff to handle diverse set of technologies involved
- 11. E-banking Frauds- Characteristics and challenges Highly imbalanced large dataset – millions of daily transactions in which very few are frauds -to be identified Need of real time detection – with in seconds transactions are complete fraudsters continually advance their techniques to defeat online banking defenses . Security is a catch up game. Weak forensic evidence mainly some external information diversity of genuine customer transactions makes it difficult to characterize fraud behavior from genuine behavior. Lack of strong legal framework It is reported that North koreans have developed an advanced cyber program that steals hundreds of millions of dollars and can trigger global havoc. State actors.
- 12. E-Banking – Threats Malware and ransom ware like Wannacry , Petya phishing attacks through spam emails looking to steal logon credentials password sharing , shoulder surfing by staff Unpatched software exploit Hacking through Social media friend request/application install request etc., Advanced persistent threat Exploiting application level vulnerabilities like SQL injection, Cross – site scripting , Password guessing/cracking Various E-com frauds /online frauds Forged documents/deposit receipts to fraudulently obtain loans Data leakage from outsourced vendor locations/help desk Unauthorized transactions by employees in customer accounts/ transfers through RTGS
- 13. E-Banking Threats Key loggers-software & hardware- invisibly records each key stroke of every activity and can email to hackers Phishing, SMSishing and whaling (phishing targeting high net worth individuals) Man in the middle attack (MITM) MITB Password cracking softwares – dictionary attacks, Brute force attacks : cain & able , john the ripper, hash cat , hydra OTP by pass Exploiting OS, NW, database level vulnerabilities Cloning Hybrid attacks – combination of attacks Fraudulent documentation involving altering, changing or modifying documents to deceive another person Complex partner , outsourced activity risks Employee/privileged users committing Frauds
- 14. Phishing Phishing scams are typically fraudulent email messages or websites appearing as legitimate enterprises These scams attempt to gather personal, financial and sensitive information. Compromised Web servers – Email and IM Port Redirection Botnets Simple (key loggers steal file/password), Botnets DNS cache poisoning attack –
- 15. Phishing attacks
- 16. Mobile banking vulnerabilities The security functionality available on the handset must be robust. The mobile network and the methods used to communicate between the handset and the mobile banking provider The degree of independence from Mobile Network Operator The development of near field communication (NFC) enabled handsets which can effectively act as a token for local purchase-The risks of the integration of NFC into mobile.
- 17. Regulations & guidelines The e-banking has many advantages – But question marks over its trust and performance – attract regulatory concern Basel committee study on bank supervision – risk implications in electronic banking by EBG in 1999. RBI guidelines on I S Audit -2002 RBI guidelines on internet banking Gopalakrishna committee recommendations Cyber security checklist from IDRBT NIST cyber security framework ISO 27001 series IT examination of banks by RBI RBI guidelines on cyber security and resilience IT Act 2000 and Amendment Act ,2008 Indian Contract Act Criminal Procedure code PMLA rules and IBA guidelines
- 18. E-Banking Fraud detection strategy Establish transaction monitoring and fraud detection unit in every business line Implement centralized transaction monitoring , AML and fraud detection software and team to monitor and respond Device identification using Mac, serial no and some configuration details from user system Global behavior monitor like large number of different accounts accessed by a single device, or the occurrence of login fail over many accounts using a single trial password Deferential analysis in which the incoming transactions are examined against the normal use pattern for a legitimate customer. Global analysis with white list , black list and suspect list of devices Suspect list and the exponentially decaying function.
- 19. Security model for internet bankingControl Description Virtual Keyboards Capture information typed into the device based on Java and software- based cryptography, to thwart the efficient use of key loggers. Positive Identification Requires the user to input some information that is only known to him/her to identify him/her self. One-Time Password Tokens Devices that commonly used as a second authentication factor by dynamically changing passwords. Digital certificates Used to authenticate both users and the banking system itself using Public Key Infrastructure (PKI) and a Certificate Authority (CA). Device Registering Restricts access to banking systems to previously known and registered devices. Device Identification Applied together with device registering but also used as a standalone solution. It is based on physical characteristics of users’ devices. Browser Protection Protects the user and his/her browser against known malware by monitoring the memory area allocated by the browser. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) Renders automatic attacks against ineffective authenticated sessions. SMS Notifies users about transactions that require their authorization. Transaction Monitoring Includes many approaches such as Artificial Intelligence, transaction history analysis and other methods for identifying fraud patterns.
- 20. E-Banking: Protections: user Level Do not use public or other unsecured computers for logging into Online Banking or for financial transactions (for example, one at a library , coffee shop). Never use public wifi and networks for e-banking transaction Review account balances and detail transactions regularly and immediately report any suspicious transactions to bank. Never leave a computer unattended while using Online Banking Never conduct banking transactions while multiple browsers are open on your computer Company users dedicate a PC solely for financial transactions (e.g., no web browsing, emails, or social media). Strong password and periodic changing : Subscribe to alerts - Balance alerts , Transfer alerts , Password change alerts, Wire Alerts
- 21. Establish limits for monetary transactions at multiple levels: per transaction, daily, weekly, or monthly limits. When you have completed a transaction, ensure you log off to close the connection with the Bank’s computer. Check your browser settings and select, at least, a medium level of security for your browsers. Never respond to a suspicious e-mail or click on any hyperlink embedded in a suspicious e-mail. Call the purported source if you are unsure who sent an e-mail Install and update computers regularly with the latest versions and patches of anti-virus and anti-spyware. Ensure computers are patched regularly, particularly operating system and key application with security patches E-Banking: Protections : User level --2
- 22. E-Banking: Protections : By Banks Identify inherent risks and controls in place and adopt appropriate cyber security framework , org structure , policies Maintain a updated inventory of all business assets Periodically evaluate critical devices , their configuration and patches Have documented SOP for all IT related activities Have firewall barrier between internal secure network and any other network Implement OWASP guidelines for applications/ ISO 27001 for security/ NIST/ RBI/IDRBT/IBA guidelines Comprehensively address database and network security Establish security Operation center (SOC) to ensure continuous surveillance Regular VA & PT of all critical and web facing devices/applications Robust BCP/DR setup and regular drills Enable /Use Virtual key boards
- 23. Enable OTP / Biometric / dual factor authentication Consumer awareness programs Malware defenses Logging and auditing the logs Encryption Smart cards with external card readers Controlled use of administrative credentials Robust Incidence response system Random key generators (CAPTCHA) Install a 3D secure system (also known as Verified by Visa or Master Card Secure Code). Have close monitoring on the activities of outsourced vendors Subscribe to anti-Phishing services to take down phishing websites Data leak prevention strategy PKI based software solution- Mutual authentication eliminates MITM attacks
- 24. Controls on wireless network Change the wireless network hardware (router /access point) administrative password from the factory default to a complex password. Disable remote administration of the wireless network hardware (router / access point). Consider disabling broadcasting the network SSID Secure your wireless network by enabling WPA/WEP encryption of the wireless network. Consider enabling MAC filtering on the network hardware