Thursday, 12 June 2008

Importance of Security in Financial Industry

Importance of Security in Financial Industry:

Online banking allows customers a great flexibility to do much of the banking activities very comfortably. They can check their account, make arrangement for fund transfer, make changes to account details, set transaction limit etc.
However, compromising a bank account or online banking site poses unimaginable impact like money loses, reputation loses, trust loses, cost for data recovery and ensuring business continuity etc.
As banks have large amount of money, attackers from all over the world are targeting banking websites. Every second, banking sites are being attacked by various methods. Some uses ID theft methods for gaining user's account details and some attack the website itself. Other kinds of attacks are malwares which get installed to host machine and work as a backdoor or data mining activities.

There are many classifications of attacks:

1. By visiting some sites, may be a malware get installed to user's host and steal UID & Password. The malware can be a keystroke logger, and becomes active on visiting a specific target from a list of banks.
Even though, when using a secured channel, the information passed will be encrypted by using a session key if using SSL, the key logger can record key inputs before it gets transmitted
There are different methods to install a Trojan in user's machine
May use IE or other web browser vulnerabilities
Tempt user to install one seemingly-friendly program
Cross site scripting on trusted, reliable sites to get a program installed

2. Making systems as Zombies by installing malwares and then targeting banks and other financial institutions

3. Financial fraud methods like Nigeria email scams, luring users
give out information regarding bank details (419 scams)

4. Phishing methods which asks user to enter account information to sites that look-a-like original bank sites. As the phishing mails target mass recipients, some recipients will be customers of the bank and fall for the scam, visiting the phoney site and entering their log-in details, which a criminal can use to access an account fraudulently.

5. URL obfuscation
this targets non savvy users to hide URL of the bank

6. Even if using SSL connection, a injection vulnerability may allow an attacker to inject a Trojan in to the server site and which itself installs to the user's machine. This is also a problem with SSL where it can't be protected in this way

7. Sending malware along with emails. The worm contained email may be with new and relevant head lines like Primary election in US or support-victims of Myanmar or China etc ask users to see the attachment which would be a potential worm. As the content and subject change frequently, it would be difficult for a firewall/spam filter to detect the pattern

8. Lot of users of the internet banking sites are from a various back grounds and many may not aware of recent spams.

9. Phishing attacks that may target users to visit carefully crafted URLS that look like original sites and capture personal information for authentication, TAN etc

10. Even if using SSL, fraudulent redirection cause user to provide personal data to illegitimate servers causing ID theft. Unless the bank can prove the loss is due to customer error, they may loose money by a chargeback

11. Botnets are used to convert a system as a zombie. Then they can be used for Distributed DoS

12. Injection vulnerabilities in web sites can cause an attacker to inject SQL codes in to system and to execute the same. This makes services by the DB server to stop, or to manipulate data according to the intention of the attacker. In some cases, shell codes can be executed to compromise the system security.

13 Even if using 2-factor authentication, possibilities for key loggers, or man-in-the middle attack for capturing the OT Pass code and passwords, and to make unauthorised transactions

Web services security:
1. Web services obtain message confidentiality and integrity using XML encryption and signing respectively.
2. Using tokens, signatures as the means of Web service security with SOAP messages
3. Message encryption

There are various countermeasures used to protect against various vulnerabilities and attacks.

1. Encryption of the data stored in workstations and laptops make the attacker to get no information about the actual data, unless he/she has the correct encryption algorithm and key
2. Using a HSM which makes a server to trust the origin of the Hardware subsystem and Security state of the application. Mostly it’s a laboratory implementation and not used widely. But this can be an excellent way of assuring authenticity.
3. However, even if encryption tools are used, password separation policy must be used to ensure Operating system passwords are not used for encryption. This ensures there is another password for encryption and even if one password is been compromised, encrypted files stay safe.
4. On report from a phishing victim, banks can suspend access to the account to prevent further damage using the stolen information
5. In order to counter Trojan horses and phishing attacks, stronger authentication methods like 2-factor authentication can be used to provide One time passwords
6. Methods like authorizing a third party payment setup in an online bank account
can counter third parties setting up transfers and payments on compromised accounts
7. Urging banks to adapt CHIP and PIN technology and use SDA, DDA methods for authentication. Using the TTP as brand CA ensures origin of issuer certificates.
8. A combination of methods as in 3-D secure where a central directory is used to find the authenticity of the transaction and using secure channel for information exchange are very effective in countering hackers being stealing information.

No comments:

Microsoft Passport - A Single Sign-on System

Microsoft passport is a facility from MS which offers single sign on capabilities. With SSO, user don't need to remember each password f...