Agrawal_rohit_best Practices for Online Banking Security


  • 8/6/2019 Agrawal_rohit_best Practices for Online Banking Security

    1/70

    BEST PRACTICES FOR ONLINE BANKING SECURITY

    By

    Rohit K. Agrawal

    MS in Information Systems Management

    Ferris State University, 2011

    BS in Engineering, India, 2008

    Advisor:

    Dr. James H. Jones, Jr.

    Assistant Professor

    Accounting, Finance, and Information Systems Department

    MISM 799 - Spring 2011

    Ferris State University

    Big Rapids, MI


    DEDICATION

    This is dedicated to my Parents, Mr. Anoop K. Agrawal and Mrs. Nisha Agrawal, for their unconditional love, patience and understanding. I would also like to thank my teachers and friends for their extreme support and guidance.


    ACKNOWLEDGEMENTS

    1. I would like to thank Dr. James Jones, Information Systems Management (ISM) professor at Ferris State University, for his valuable advice, constructive approach and feedback, and his continuous encouragement, which enabled me to complete this project on time.

    2. Information provided in this research paper is entirely based on data obtained and compiled from various reference materials (textbooks, articles and documents from the World Wide Web).


    TABLE OF CONTENTS

    Dedication

    Acknowledgements

    List of Tables

    List of Figures

    Abstract

    CHAPTERS

    Chapter 1 Introduction
        Purpose
        Research Points
        Glossary of Terms
        Financial Institutions
        Bank of America
        Citibank

    Chapter 2 Information Security Standards
        Need for Online Banking Security Standards
        Overview of Information Security Standards
        Information Security Standards
        Data Security Standards for the Payment Card Industry
        Information Security Regulations
        Summary

    Chapter 3 Online Security Breaches
        Introduction
        Threat Categories
        The Threat Environment
        Anatomy of an Incident

    Chapter 4 Security Best Practices
        Computer Security Best Practices
        E-commerce Security Best Practices
        Role of Authentication in an Internet Banking Environment
        Authentication Techniques, Processes, and Methodologies

    Chapter 5 Consequences of Poor Online Security
        What Should You Do to Address the Problem?
        Determine What Not To Do
        Various Delivery Models
        Conclusion and Recommendation

    References


    LIST OF FIGURES

    Figure 1. Evolution of Threat (Chapter 2)

    LIST OF TABLES

    Table 1. Source for Security Breaches (Chapter 3)


    ABSTRACT

    BEST PRACTICES FOR ONLINE BANKING SECURITY

    Rohit K. Agrawal M.S. ISM

    Ferris State University, 2011

    Advisor: Dr. James H. Jones, Jr.

    This research paper is a requirement for MISM 799 Integrated Capstone Project, a spring 2011 course in the Master of Science in Information Systems Management program at Ferris State University. The objective of this research paper is to give the reader an introductory knowledge and awareness of the information security standards that apply to financial institutions and the services they offer. It also explains the role of authentication and security best practices in these institutions, and describes security breaches and their impact on various organizations.

    This paper is divided into five chapters:

    Chapter 1: This chapter briefly surveys the services offered by financial institutions.

    Chapter 2: This chapter explores the various information security standards.

    Chapter 3: This chapter contains information on online security breaches.

    Chapter 4: This chapter gives information on security best practices.

    Chapter 5: This chapter shows the consequences of poor online security in financial institutions.


    CHAPTER 1

    INTRODUCTION

    Purpose

    The purpose of this paper is to provide the reader an introductory exploration of current trends and best practices in online banking security. Please note that this paper is not intended to offer a comprehensive analysis of any covered area of the Internet, electronic commerce or any financial institution.

    Research points

    Within the confines of the paper requirements, the ensuing pages will focus on:

    • Financial institutions and their offered services
    • Information security standards
    • Online security breaches and their causes
    • Types of security breaches
    • Security best practices
    • Role of authentication
    • Consequences of poor online security


    Glossary of Terms

    Address Verification Service

    The Address Verification Service (AVS) is a security system designed to combat one of the most common forms of online credit card fraud. AVS compares the billing address information provided by the customer with the billing address on file at the customer's credit card issuer. The payment gateway receives an AVS response code and then either accepts or declines the transaction according to the merchant's configured settings.

    Anti-virus

    Software that detects, repairs, cleans, or removes virus-infected files from a computer.

    Bank:

    A financial organization where people keep their money.

    Banking Security:

    Safety of an organization against criminal activity such as terrorism, theft or espionage, in order to protect its assets.

    Card Code Verification (CCV)

    A customer's card code is a three- or four-digit security code printed on a credit card's signature panel in reverse italics, or following the full number on the front of the card. Similar to AVS, Card Code Verification (CCV) compares the customer's card code with the card code on file at the credit card issuer. The payment gateway receives the card code verification response code from the customer's bank and either accepts or declines the transaction according to the merchant's configured settings. Since the card code should only be


    known to the person in possession of the physical credit card, these additional numbers

    provide an extra measure of security against unauthorized credit card transactions.
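    The AVS and card-code checks defined in the two entries above are applied by the payment gateway after the issuer has answered, against settings the merchant configures. The Python below is an added illustration of that decision step; it is not code from this paper or from any real payment gateway. The response codes it uses (Y, A, Z, N and U for AVS; M, N and P for the card code) follow a common convention but are an assumption, since every gateway defines its own code set, and the policy values and sample responses are constructed for the example.

```python
"""Gateway-side decision on AVS and card-code (CCV) results.

Added example, not code from the paper or from any real payment gateway.
Response codes follow a common convention and are an assumption:
  AVS: Y = street and ZIP match, A = street only, Z = ZIP only,
       N = no match, U = issuer does not support AVS
  CCV: M = match, N = no match, P = not processed
Policy values and sample responses are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FraudPolicy:
    """The merchant's 'configured settings' that the glossary refers to."""
    decline_avs: frozenset = frozenset({"N"})   # AVS codes that decline outright
    decline_ccv: frozenset = frozenset({"N"})   # card-code results that decline
    require_avs_support: bool = False           # treat "U" (unsupported) as a decline
    review_above_cents: int = 50_000            # partial AVS match above this -> review


@dataclass(frozen=True)
class IssuerResponse:
    """What the gateway gets back from the issuer for one authorization."""
    amount_cents: int
    avs_code: str
    ccv_code: str


def decide(resp: IssuerResponse, policy: FraudPolicy) -> str:
    """Return 'accept', 'review' or 'decline' for one issuer response.

    The card code is checked first: it is the stronger signal, since the
    code should only be known to whoever holds the physical card.
    """
    if resp.ccv_code in policy.decline_ccv:
        return "decline"
    if resp.avs_code in policy.decline_avs:
        return "decline"
    if resp.avs_code == "U" and policy.require_avs_support:
        return "decline"
    # A partial match (street only or ZIP only) is a weaker signal than a
    # full mismatch: accept small orders, send larger ones to manual review.
    if resp.avs_code in {"A", "Z"} and resp.amount_cents > policy.review_above_cents:
        return "review"
    return "accept"


def screen_batch(responses, policy: FraudPolicy) -> dict:
    """Apply one policy to many responses; returns a count per decision."""
    counts = {"accept": 0, "review": 0, "decline": 0}
    for resp in responses:
        counts[decide(resp, policy)] += 1
    return counts


# Constructed sample responses (not real transactions).
SAMPLE_RESPONSES = [
    IssuerResponse(2_500, "Y", "M"),    # full match, small order
    IssuerResponse(80_000, "Z", "M"),   # ZIP-only match, large order
    IssuerResponse(2_500, "N", "M"),    # billing address does not match
    IssuerResponse(2_500, "Y", "N"),    # card code does not match
    IssuerResponse(2_500, "U", "M"),    # issuer does not support AVS
]

if __name__ == "__main__":
    print(screen_batch(SAMPLE_RESPONSES, FraudPolicy()))
```

    Two caveats a practitioner should keep in mind when wiring this in: AVS and card-code results are advisory, so a transaction this policy declines has normally already been authorized by the issuer and the merchant must void or reverse that authorization; and the card code itself must never be stored after authorization, only the issuer's match/no-match response.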

    CEO:

    Chief executive officer, the corporate executive responsible for the operations of the firm;

    reports to a board of directors; may appoint other managers and executives.

    (www.wordnetweb.princeton.edu/perl/webwn)

    Cloud Computing:

    A new generation of computing that utilizes distant servers for data storage and

    management, allowing the device to use smaller and more efficient chips that consume

    less energy than standard computers. (http://www.financenewmexico.org/glossary.html)

    Cyber Space:

    All of the data stored in a large computer or network, represented as a three-dimensional model through which a virtual-reality user can move (World English Dictionary)

    Database

    A systematized collection of data that can be accessed immediately and manipulated by a data-processing system for a specific purpose

    Data Warehouse:

    A data warehouse is a compilation of information/data arranged so that it can be used easily for querying and data analysis. (http://www.databasedir.com)


    Direct Deposit:

    It is electronic transfer of a payment directly from the account of the payer to the

    recipient's account.

    E-Business:

    A term coined for a company that has an online presence; it covers all of the company's business functions carried out online.

    E-Commerce:

    E-commerce is a part of E-business. E-Commerce is about making transactions online

    through selling and buying of products and services.

    Firewall:

    A part of a computer system or network that is designed to block unauthorized access

    while permitting outward communication

    Hackers:

    A hacker is an enthusiastic and skillful computer programmer or user. The same skills can be used either to gain unauthorized access to data or to protect it.

    Internet:

    The Internet is a global system of interconnected computer networks that use the

    standard Internet Protocol Suite (TCP/IP).

    Intranet:

    A computer network with restricted access, as within a company, that uses software and protocols developed for the Internet.


    Java:

    Java is a programming language especially applicable to the World Wide Web.

    Malware:

    Short for malicious software: any program designed to damage, disrupt or gain unauthorized access to a computer or system, such as viruses, worms, trojans and spyware. Anti-virus software (defined above) is what detects and removes it.

    Security:

    The state of being secure; safety from risk, danger or threat.

    Spyware

    Spyware is computer software designed specifically to gather information about a user's browsing habits and send it secretly to an individual or company that uses the data for marketing or other purposes.

    Threat

    A person or thing that is regarded as dangerous or likely to inflict pain or misery

    (WWW.dictionary.com)

    Transaction

    a) Business computing: the act of obtaining and paying for an item or service.
    b) General computing: the transmission and processing of an item of data.

    Web Portal:

    A single place that gathers information from many sources. Also known as a links page, it presents information from varied sources on one page. A web portal offers information such as news, email, weather forecasts, horoscopes, songs, entertainment, etc.


    World Wide Web (WWW):

    The WWW is a collection of Internet servers that support hypertext documents and files. These servers use hypertext to organize, connect, present and offer services throughout the Internet.


    Financial Institutions and Their Offered Services

    Financial Institution:

    There are many web definitions for the term "financial institution". The one most frequently found and most relevant is from Investorwords.com: a financial institution is an institution that provides financial services to its clients or members. Financial institutions are also responsible for collecting funds from the public and placing them in financial assets, such as deposits, loans and bonds, rather than tangible property.

    As mentioned on Finance.mapsofworld.com, financial institutions are the firms that provide financial services and advice to their clients. Financial institutions are generally regulated by the financial laws of a government authority. BYU Marriott School mentions in its intermediate lessons and discussions that there are two major types of financial institutions: banks (i.e., deposit-type financial institutions) and nonbanks (i.e., non-deposit-type financial institutions). The choice of institution depends on which one will serve your needs best and help you achieve your goals fastest.

    Various types of financial institutions are as follows:

    • Commercial banks
    • Credit unions
    • Stock brokerage firms
    • Asset management firms
    • Insurance companies
    • Finance companies
    • Building societies
    • Retailers

    The services provided by the various types of financial institutions may vary from one institution to another. For example, the services offered by commercial banks are insurance services, mortgages, loans and credit cards. As mentioned in the BYU Marriott School intermediate lessons, commercial banks compete by offering the widest variety of services; however, they generally do not offer the highest interest rates on deposits or the lowest interest rates on loans. BYU Marriott School also notes that commercial banks are known as deposit-type financial institutions.

    Here is an explanation of some other types of financial institution, as given on finance.mapsofworld.com. A credit union is a co-operative financial institution, also a deposit-type financial institution, that is usually controlled by the members of the union. The major difference between credit unions and banks is that credit unions are owned by the members who hold accounts in them. As mentioned by BYU Marriott School, credit unions offer higher rates on savings accounts and lower rates on loans because they are not driven to provide a profit to shareholders.

    Stock brokerage firms are another type of financial institution; they help both corporations and individuals to invest in the stock market. The services provided by


    brokerage firms, on the other hand, are different: insurance, securities, mortgages, loans, credit cards, money market accounts and check writing. [C]

    Another type of financial institution is the asset management firm. The prime function of these firms is to manage various securities and assets to meet the financial goals of investors. The firms also offer fund management advice and decisions to corporations and individuals. [C]

    Insurance companies offer insurance services, securities, real estate buying or selling services, mortgages, loans, credit cards and check writing. [C]

    Large organizations, small firms, an individual family or a single person: any of these can be customers of financial institutions. They might need any kind of service from these institutions, such as loans, mortgages, insurance or bonds. Before dealing with any financial institution, customers ask themselves certain questions, or they have certain requirements or needs which the institution must fulfill. BYU Marriott School mentions in its intermediate lessons on the web that choosing a financial institution is a challenge: we must first set our goals and then consider what these institutions can provide. Before engaging any service or institution, BYU lists certain questions that are relevant and that every user must consider. They are as follows:

    • Are you looking for low costs, low fees, and high returns on deposits?
    • What services are important to you? Do you need loans, mortgages, or working capital for a small business?
    • How important is safety for your deposits?
    • Do you require government insurance? If so, know that this factor limits the types of institutions you can choose.
    • What services does the financial institution provide? If all you require is a high return on your cash management assets, then your choices are much broader.
    • Security (all forms)

    Here are the services offered by Bank of America and Citibank along with additional

    information about them.

    Bank of America

    Company Overview:

    Barlas, Demir (2011), in his article "Lending Options Offered by America's Largest Residential Mortgage Bank", mentions that Bank of America is America's largest residential mortgage bank, and gives a short history of its growth. Barlas (2011) writes that Bank of America has spent the past few years growing by acquisition; for example, by buying LaSalle Bank for $21 billion in 2007 and acquiring Countrywide Financial, the company most closely associated with the housing decline of 2007, for $4 billion. Other monster acquisitions include the $50 billion deal for FleetBoston in 2004 and the $35 billion purchase of MBNA in 2006, which brought millions of credit card customers over to Bank of America. Acquisitions of other banks were very beneficial for Bank of America.


    Here is the timeline of the bank's various acquisitions and mergers, retrieved from Finance.mapsofworld.com:

    • In 2004, Bank of America acquired National Processing Company, which was engaged in processing VISA and MasterCard transactions.
    • In the same year, 2004, Bank of America made an acquisition deal with FleetBoston Financial. This acquisition helped Bank of America gain market share in the north-eastern part of the USA.
    • In 2005, Bank of America declared that it was going to make an acquisition deal with MBNA. After approval by the Federal Reserve Board, the acquisition finally took place in January 2006. This acquisition helped Bank of America get a strong foothold in the US credit card market.
    • In 2006, Bank of America declared that it would buy out The United States Trust Company, and the deal was finally executed in January 2007.
    • In 2007, Bank of America made a historic acquisition deal by acquiring LaSalle Bank Corporation, LaSalle Corporate Finance and ABN Amro North America.
    • In January 2008, Bank of America announced that it was going to buy Countrywide Financial.

    Services offered by Bank of America (BofA):

    A web page on Realestatezing.com [D] mentions that among financial institutions, Bank of America is the largest in the world that serves individual consumers as well as large corporations. A wide variety of investing, banking, financial, risk


    management and asset management services are provided by Bank of America. On the whole the bank provides checking, savings, mortgages, auto and student loans, retirement services, online banking, insurance, business banking, credit cards, investments, global corporate credit, capital raising, cash management and trade services. Bank of America's services can be categorized as follows:

    • Personal banking
    • Small business banking
    • Corporate and institutional banking

    Services in personal banking:

    • Credit cards
    • Mortgages
    • Auto loans
    • Personal loans
    • Insurance
    • Investment services
    • Online banking
    • IRAs (investment schemes that come under retirement plans)
    • Home equity
    • Retirement

    Realestatezing.com also mentions that Bank of America Global Consumer and Small Business Banking is the largest department of BofA. This also includes ATMs in other countries through the Global ATM Alliance. Small Business Banking has the following services:

    • Business checking and savings
    • Healthcare practice loans
    • Credit cards
    • Online banking services
    • Automotive, dealer and marine services
    • Health insurance
    • Trade services

    Bank of America also helps small businesses to start, grow and flourish, and handles their finances. In the corporate and institutional sector the following services are provided:

    • Asset management
    • Card solutions
    • Electronic trading services
    • Mergers and acquisitions advisory
    • Private equity investments
    • Trade services
    • Endorsed programs


    Citibank

    Company Overview:

    Citibank, the consumer banking division of the leading financial services firm

    Citigroup, is the 3rd largest retail bank in the US based on deposits. With branch

    locations and subsidiaries in over 100 countries, Citibank provides a wide gamut of

    banking, investment and lending services to individuals, small businesses as well as to

    investors. The bank also delivers a complete range of banking products and financial

    services to meet the needs of corporations and governmental institutions. Citibank

    Financial Center consists of a large network of local offices which are complemented by

    electronic delivery systems, ATMs and Internet. The firm also sells products from its

    parent company, and other subsidiaries of Citigroup. Citibank is headquartered in New

    York. [E]

    As per UBPR report on Citibank (mgt.unm.edu), Citibank is split into five divisions,

    each containing one or more Citi brands: banking, credit cards, lines and loans, investing,

    and planning. Each division serves individual and corporate customers, with many Citi

    brands within those divisions serving customers internationally.

    Services offered by Citibank

    Citibank is the commercial banking arm of Citigroup, and offers basic banking accounts, lending, and investment services to consumers and small businesses (http://www.mgt.unm.edu). According to the company's profile on Data Monitor (July 2004), Citibank offers the following products and services:


    • Banking services
    • Credit cards
    • Mortgages
    • Loans
    • Investments
    • Planning/retirement solutions
    • Insurance
    • Small business services
    • Corporate/institutional services: asset management, government services, business insurance, private banking

    The following companies are the major competitors of Citibank:

    • Bank of America Corporation
    • Deutsche Bank AG
    • Federal Reserve Bank of New York
    • Franklin Resources, Inc.
    • HSBC Holdings
    • JP Morgan Chase & Co


    CHAPTER 2

    INFORMATION SECURITY STANDARDS

    Need for Online Banking Security Standards:

    As mentioned in the document by Easy Solutions (2009), electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office. In the end, however, these home banking platforms are web-based applications exposed over the Internet, which makes their users a very appealing target for mal-intentioned individuals. The evolution of these attacks began more than seven years ago with what quickly became known as phishing. Their sophistication has increased on par with the new security technologies adopted by the banking industry to mitigate the problem. The following graph shows the evolution of the security problem affecting e-banking platforms over the last years.


    Image 1: Evolution of Threat. Retrieved from: http://www.easysol.net/newweb/images/stories/downloads/Best_security_practices_online_banking.pdf

    Overview of Information Security Standards:

    Information security plays an important role in protecting the assets of an organization.

    As no single formula can guarantee 100% security, there is a need for a set of

    benchmarks or standards to help ensure an adequate level of security is attained,

    resources are used efficiently, and the best security practices are adopted. (HKSAR,

    2008)

    While information security plays an important role in protecting the data and assets of

    an organization, we often hear news about security incidents, such as defacement of

    websites, server hacking and data leakage. Organizations need to be fully aware of the


    need to devote more resources to the protection of information assets, and information

    security must become a top concern in both government and business. To address the

    situation, a number of governments and organizations have set up benchmarks, standards

    and in some cases, legal regulations on information security to help ensure an adequate

    level of security is maintained, resources are used in the right way, and the best security

    practices are adopted. Some industries, such as banking, are regulated, and the guidelines

    or best practices put together as part of those regulations often become a de facto

    standard among members of these industries. (HKSAR, 2008)

    Miller, Andrew (2006), in his article retrieved from bankinforsecurity.com, says that while these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Organization for Standardization has developed two standards that do precisely that, and by adhering to them banks can go a long way toward satisfying regulatory compliance requirements.

    The two standards, ISO 17799 and ISO 27001, together provide a set of best practices

    and a certification standard for information security. The standards are both derived from

    a British standard, BS7799, which for many years served as the authority for information

    security. BS7799 came in two parts; part one, BS7799:1, became ISO 17799, while

    BS7799:2 became ISO 27001.

    ISO 17799 provides best practice recommendations for initiating, implementing, or

    maintaining information security management systems. Information security is defined


    within the standard as the preservation of confidentiality (ensuring that information is

    accessible only to those authorized to have access), integrity (safeguarding the accuracy

    and completeness of information and processing methods) and availability (ensuring that

    authorized users have access to information and associated assets when required).

    The standard contains 12 sections: risk assessment and treatment; security policy;

    organization of information security; asset management; access control; information

    security incident management; human resources security; physical and environmental

    security; communications and operations management; information systems acquisition,

    development and maintenance; business continuity management; and compliance.

    Within each section, information security control objectives are specified and a range of

    controls are outlined that are generally regarded as best practices. For each control,

    implementation guidance is provided. Each organization is expected to perform an

    information security risk assessment prior to implementing controls.

    The second standard, ISO 27001, specifies requirements for establishing,

    implementing, maintaining, and improving an information security management system

    consistent with the best practices outlined in ISO 17799. Previously, organizations could

    only be officially certified against the British Standard (or national equivalents) by

    certification/registration bodies accredited by the relevant national standards

    organizations. Now the international standard can be used for certification.

    ISO 27001 is the first standard in a proposed series of information security standards

    which will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to


    be renamed ISO 27002 in 2007. In the works is ISO 27004 - Information Security

    Management Metrics and Measurement - currently in draft mode.

    Certification is entirely voluntary but is increasingly being demanded from suppliers

    and business partners who are concerned about information security. Certification against

    ISO 27001 brings a number of benefits. Independent assessment brings rigor and

    formality to the implementation process, implying improvements to information security

    and associated risk reduction, and requires management approval, which promotes

    security awareness. (Miller Andrew, 2006)

    Information Security Standards:

    The International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) on information and communications technology (ICT) standards. As mentioned in the document from HKSAR (2008), here are the commonly adopted standards and regulations for information security which have been accepted in the United States:

    1. ISO/IEC 27002:2005 (Code of Practice for Information Security Management)

    ISO/IEC 27002:2005 (replaced ISO/IEC 17799:2005 in April 2007) is an international

    standard that originated from the BS7799-1, one that was originally laid down by the

    British Standards Institute (BSI). ISO/IEC 27002:2005 refers to a code of practice for

    information security management, and is intended as a common basis and practical


    guideline for developing organizational security standards and effective management

    practices.

    This standard contains guidelines and best-practice recommendations for these 11 security domains: (a) security policy; (b) organization of information security; (c) asset management; (d) human resources security; (e) physical and environmental security; (f) communications and operations management; (g) access control; (h) information systems acquisition, development and maintenance; (i) information security incident management; (j) business continuity management; and (k) compliance.

    Across these 11 security domains, a total of 39 control objectives and hundreds of best-practice information security controls are recommended, which organizations apply to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability. [HKSAR, 2008]

2. ISO/IEC 27001:2005 (Information Security Management System - Requirements)

The international standard ISO/IEC 27001:2005 has its roots in the technical content derived from BSI standard BS7799 Part 2:2002. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within an organization. It is designed to ensure the selection of adequate and proportionate security controls to protect information assets. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the Plan-Do-Check-Act (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has these four phases:

a) Plan phase - establishing the ISMS
b) Do phase - implementing and operating the ISMS
c) Check phase - monitoring and reviewing the ISMS
d) Act phase - maintaining and improving the ISMS

Often, ISO/IEC 27001:2005 is implemented together with ISO/IEC 27002:2005. ISO/IEC 27001 defines the requirements for an ISMS, and uses ISO/IEC 27002 to outline the most suitable information security controls within the ISMS. ISO/IEC 27002 is a code of practice that provides suggested controls that an organization can adopt to address information security risks. [HKSAR, 2008]

3. ISO/IEC 15408 (Evaluation Criteria for IT Security)

The international standard ISO/IEC 15408 is commonly known as the Common Criteria (CC). It consists of three parts: ISO/IEC 15408-1:2005 (introduction and general model), ISO/IEC 15408-2:2005 (security functional requirements) and ISO/IEC 15408-3:2005 (security assurance requirements). This standard helps evaluate, validate, and certify the security assurance of a technology product against a number of factors, such as the security functional requirements specified in the standards. [HKSAR, 2008]

Hardware and software can be evaluated against CC requirements in accredited testing laboratories to certify the exact EAL (Evaluation Assurance Level) the product or system can attain. There are 7 EALs: EAL1 - Functionally tested, EAL2 - Structurally tested, EAL3 - Methodically tested and checked, EAL4 - Methodically designed, tested and reviewed, EAL5 - Semi-formally designed and tested, EAL6 - Semi-formally verified, designed and tested, and EAL7 - Formally verified, designed and tested. A list of accredited laboratories as well as a list of evaluated products can be found on the Common Criteria portal. The list of products validated in the USA can be found on the web-site of the Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS). [HKSAR, 2008]

Data Security Standard for Payment Card Industry

As per information retrieved from HKSAR (2008), the Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures. These requirements are organized into the following areas:

1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

COBIT

The Control Objectives for Information and related Technology (COBIT) is a control framework that links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered. The IT Governance Institute (ITGI) first released it in 1995, and the latest update is version 4.1, published in 2007.

COBIT is increasingly accepted internationally as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks. Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large organizations. [HKSAR, 2008]

ITIL (or ISO/IEC 20000 Series)

The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC 20000, which is an international standard within ITSM.

An ITIL service management self-assessment can be conducted with the help of an online questionnaire maintained on the website of the IT Service Management Forum. The self-assessment questionnaire helps evaluate the following management areas: (a) Service Level Management, (b) Financial Management, (c) Capacity Management, (d) Service Continuity Management, (e) Availability Management, (f) Service Desk, (g) Incident Management, (h) Problem Management, (i) Configuration Management, (j) Change Management, and (k) Release Management. [HKSAR, 2008]

Information Security Regulations

In addition to the various industry standards bodies and guidelines, certain regulated businesses, such as banking, may need to observe the regulations and guidelines specified by their own industry or professional regulatory bodies. In this section, we briefly discuss the US regulations SOX, COSO, HIPAA, and FISMA. [HKSAR, 2008]

SOX

After a number of high-profile business scandals in the US, including Enron and WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) was enacted as legislation in 2002. This act is also known as the Public Company Accounting Reform and Investor Protection Act. Its purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes. This regulation affects all companies listed on stock exchanges in the US. As information technology plays a major role in the financial reporting process, IT controls would need to be assessed to see if they fully satisfy this SOX requirement.

Although information security requirements have not been specified directly in the Act, there would be no way a financial system could continue to provide reliable financial information, whether due to possible unauthorized transactions or manipulation of numbers, without appropriate security measures and controls in place. SOX requirements therefore indirectly compel management to consider information security controls on systems across the organization in order to comply with SOX.

COSO

The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework is a framework that initiates an integrated process of internal controls. It helps improve ways of controlling enterprises by evaluating the effectiveness of internal controls. It contains five components:

1. Control Environment, including factors like integrity of people within the organization and management authority and responsibilities;
2. Risk Assessment, aiming to identify and evaluate the risks to the business;
3. Control Activities, including the policies and procedures for the organization;
4. Information and Communication, including identification of critical information to the business and communication channels for delivering control measures from management to staff;
5. Monitoring, including the process used to monitor and assess the quality of all internal control systems over time.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law designed to improve the portability and continuity of health insurance coverage in both the group and individual markets, and to combat waste, fraud, and abuse in health insurance and health care delivery, as well as other purposes. The Act defines security standards for healthcare information, and it takes into account a number of factors including the technical capabilities of record systems used to maintain health information, the cost of security measures, the need for training personnel, the value of audit trails in computerized record systems, and the needs and capabilities of small healthcare providers. A person who maintains or transmits health information is required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of that information. In addition, the information should be properly protected from threats to the security and integrity of that information, unauthorized uses, or unauthorized disclosure.

The full set of rules regarding adoption of the HIPAA standards for the security of electronic health information and privacy of personal health information can be found on the US Department of Health and Human Services website.

FISMA

FISMA stands for Federal Information Security Management Act, and is a part of the US E-Government Act (Public Law 107-347) that became legislation in 2002. It requires US federal agencies to develop, document, and implement an agency-wide programme to provide information security for the information (and information systems) that support the operations and assets of the agency. Some of the requirements include:

1. Periodic risk assessments of information and information systems that support the operations and assets of the organization
2. Risk-based policies and procedures designed to reduce information security risks to an acceptable level
3. Plans for providing adequate security for networks and information systems
4. Security awareness training for all personnel, including contractors
5. Periodic evaluation and testing of the effectiveness of the security policies, procedures and controls. The frequency should not be less than annually. Remedial action to address any deficiencies found should be properly managed.
6. A working and tested security incident handling procedure
7. A business continuity plan in place to support the operation of the organization.

Summary

Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside. [HKSAR, 2008]

CHAPTER 3

ONLINE SECURITY BREACHES

Introduction

Security breaches can have a far-reaching impact on not only a company's finances, but on its reputation as well. As mentioned in the white paper by Safenet (Pg. 3, 2010), companies are required to prove their compliance with these regulations and will be held liable for their failure to do so. There is an expectation from customers, employees, and partners (anyone that entrusts a company with their sensitive information) that this information will be protected. Financial organizations must consider all of the potential damage that can be done to their business if sensitive data is lost or stolen: lawsuits, negative publicity, loss of sales and customer confidence, and permanently tarnished reputations. Studies have shown that the financial services industry has become a primary target of cyber-attacks on a global scale. This is not surprising considering the highly valuable information that all FSPs collect and maintain on a daily basis.

Threat Categories

Bonnette, Cynthia (Pg. 9-11, July 2003) mentions in her white paper that the process of threat identification begins with an understanding of the financial institution's environment, including its business strategy, information systems, policies and procedures, human stakeholders (management, employees, customers), and physical resources (facilities, equipment). Each of these factors will impact potential threat sources, their motivation, method, and consequences. An understanding of threats can best be achieved by grouping them into categories. Three intuitive categories include human, non-human, and mixed threats. Specific examples include the following:

H: People-based threats can include individuals from inside and outside the organization. This represents the broadest category with a wide range of capabilities and motivations. Within this broad category, a number of subgroups can be identified for independent assessment:

Hackers - These individuals are characterized by their strong interest in computer technology and desire to learn more by playing with systems and testing their capabilities. Often this involves testing systems they do not own.

Crackers - This group is distinguished from hackers by their more malicious intentions. While claiming a strong interest in technology, their goals tend to be criminal in nature (e.g., theft, destruction, or denial of service to data or systems).

Insiders - This group includes a wide range of individuals with some degree of legitimate access to an organization's systems (e.g., full and part time employees at all levels, consultants, contractors, etc.). These individuals may cause harm out of malicious intent or innocently damage systems due to error.

Partners - Service providers, vendors, business partners, and their employees present similar concerns as insiders. Their access to information systems and data can lead to intentional or unintentional damage or compromise.

Competitors - Foreign or domestic competitors may seek to gain an advantage by exploiting information systems. This may be done with the assistance of hired crackers or others to gain unauthorized access to sensitive corporate data.

Terrorists - This group may include political or social organizations that seek to gain attention and influence through disruptive and harmful acts. Terrorist attacks can be both targeted and random.

Non-human: The category of non-human threats includes all types of natural disasters such as fires, floods, earthquakes, tornadoes, hurricanes, and severe storms. Generally, this category of threat sources consists of non-targeted events (i.e., a financial institution is not singled out by the threat source). However, based on the geographic location and other circumstances, the possibility of experiencing an event involving one of these non-human threats may be more or less likely.

Mixed: This category consists of threat sources that are characterized by a blend of human and non-human involvement. Examples include malicious code (Trojan horses, viruses, worms, etc.) that is originally created by a person, but then takes on a life of its own on the Internet. Such mixed threats may be targeted at specific financial institutions or they may attack randomly.

In CERT's OCTAVE Method, threat scenarios are developed based on known attack sources and expected outcomes. [Bonnette, Cynthia (July 2003)]

The Threat Environment

As mentioned in the white paper of Safenet (Pg. 5-8, 2010), financial services providers are faced with complex challenges that directly affect their bottom line and, potentially, their very survival in a high-churn market. Protecting sensitive and critical data, no matter where it resides, and ensuring that only the appropriate persons have access to that data, should be a core requirement of every company's security strategy. With the rising incidence of threats to sensitive data, and increasing requirements to protect that data, organizations must focus squarely on their security infrastructure. For financial services organizations, the importance of protecting financial data and assets, and retaining the trust of their customers, employees, and business partners, cannot be overstated.

Phishing - Although passwords can also be obtained through less sophisticated means such as eavesdropping, guessing, dumpster diving, and shoulder-surfing, phishing is a common form of cybercrime typically carried out through e-mail or instant messaging, providing links or instructions that direct the recipient to a fraudulent Web site masquerading as a legitimate one. The unsuspecting user enters personal information (such as user names, passwords, Social Security Numbers, and credit card/account numbers), which is then collected by the hacker. Of particular attraction to phishing scams are online banking, payment services, and social networking sites.

Password Database Theft - Stolen user credentials are a valuable commodity and, often times, cybercrime rings operate solely to obtain this information and sell it to the highest bidder or use it themselves to access user accounts. Hackers steal user data and passwords from one web site operator to hack other sites. Since many people use the same user ID and password combination for multiple sites, the attacker can hack additional accounts that the user has.

The Sinowal Trojan is a well-known attack developed by a cybercrime group several years ago that is responsible for the theft of login credentials of approximately 300,000 online bank accounts and almost as many credit card accounts. In late 2009, Microsoft Hotmail, Google Gmail, Yahoo, and AOL were victims of phishing attacks that exposed thousands of e-mail account user IDs and passwords.

Man-in-the-Middle (MitM) - In this type of threat, the attacker can actively inject messages of its own into the traffic between the user's machine and the authenticating server. One approach for MitM attacks involves pharming, which involves the use of malicious network infrastructures, such as malicious wireless access points or compromised DNS servers, to redirect users from the legitimate site they are trying to access to a malicious fraudulent Web site that accesses the user credentials and acts on behalf of the user to perform malicious activities.

Man-in-the-Browser (MitB) - MitB is a Trojan horse program, a variant of a MitM attack, that infects the user's internet browser and inserts itself between the user and the Web browser, modifying and intercepting data sent by the user before it reaches the browser's security mechanism. A MitB attack has the ability to modify Web pages and transaction content in a method that is undetectable by the user and host application. It operates in a stealth manner with no detectable signs to the user or the host application. Silent Banker is a well-known example of a MitB attack targeted at bank transactions. It uses a Trojan program to intercept and modify the transaction, and then redirect it into the attacker's account.

Identity Theft - Identity theft refers to all types of crime in which someone illicitly obtains and uses another person's personal data through deception or fraud, typically for monetary gain. With enough personal information about an individual, a criminal can assume that individual's identity to carry out a wide range of crimes. Identity theft occurs through a wide range of methods, from very low-tech means, such as check forgery and mail theft, to more high-tech schemes, such as computer spyware and social network data mining. The following table illustrates well-known social Web sites that have been attacked.

Abagnale, Frank W. (Pg. 5-9, 2006-2007) also mentioned some threats on the41.com related to online banking security. They are as follows:

Pharming - Poisoning the DNS cache on the user's PC so it appears to access the correct URL, when in reality it is redirecting the browser to a spoofed site; this can also be done to a DNS server, which poisons an entire region.

Spoofed Site - Presenting a link to a fake site that looks and feels like the original financial institution or merchant site.

Duress - Using e-mail or calling the user with a threat of shutting down the account if they fail to respond and provide their user credentials.

Malware - Installing malicious software on the user's PC to collect information through keyboard logging, screenshots and file searches.

Session Hijacking - Using an authenticated session (after the user has authenticated) to mimic a new session and conduct transactions from the compromised account.

IVR Spoofing - Faking Interactive Voice Response (IVR) systems that call on users to dial in and provide their account information and/or credentials.

Cookie Theft - Theft of software cookies that are used to assume the victim's digital identity.

Shoulder Surfing - Viewing of sensitive information over the shoulder of an authenticated user (i.e. if a user views check images online or at a physical ATM / teller location).

Table 1: Security Breaches. Retrieved from Safenet (Pg. 5-8, 2010)

Anatomy of an Incident

In his Bank of America document on e-commerce payment card security, Gideon T. Rasmussen (2008) describes the anatomy of incidents at previously hacked websites and the patterns they follow. He mentions that hackers attack via common infrastructure and web application vulnerabilities. They use newly discovered exposures such as the Kaminsky Domain Name Service vulnerability, which recently caused administrators to scramble to patch affected systems. Hackers also use obscure, legacy attacks such as session replay (where the hacker provides an authorized user with a session id, monitors for its use and hijacks the session). Gideon T. Rasmussen (2008) also said that they follow trends, such as compromise of data in transmission across internal private networks. A compromise may be detected by the merchant, a service provider or Visa common point of purchase fraud investigations.

Visa has documented the following indications of a security breach:

1. Unknown or unexpected outgoing Internet network traffic from the cardholder environment
2. Presence of unexpected IP addresses on store and wireless networks
3. Unknown or unexpected network traffic from store to headquarter locations
4. Unknown or unexpected services and applications configured to launch automatically on system boot
5. Anti-virus programs malfunctioning or becoming disabled for unknown reasons
6. Failed login attempts in system authentication and event logs
7. Vendor or third-party connections to the cardholder environment without prior consent and/or a trouble ticket
8. SQL Injection attempts in web server event logs
9. Authentication event log modifications (i.e. unexplained event logs being deleted)
10. Suspicious after-hours file system activity
11. Presence of .zip, .rar, .tar, and other types of unidentified compressed files containing cardholder data
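As an added example (not code from the thesis, from Rasmussen or from Visa), the following Python script applies four of the indicators above (failed logins, SQL injection attempts in web logs, after-hours file activity, and newly created compressed files) to a handful of constructed log lines. The "<timestamp> <source> <message>" log layout, the business-hours window and the failed-login threshold are assumptions made for the example.

```python
"""Added example (not from the thesis, Rasmussen or Visa): a small triage script that
checks constructed log lines for several of the breach indicators listed above.
Every log line, host, address and path is constructed sample data; the log layout,
business hours and failed-login threshold are assumptions."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed records, one per line: "<ISO timestamp> <source> <message>".
# Sources: auth = system authentication log, web = web server access log,
# file = file system audit log.
SAMPLE_LOG = """\
2024-03-04T09:12:01 auth sshd: Failed password for admin from 198.51.100.7
2024-03-04T09:12:03 auth sshd: Failed password for admin from 198.51.100.7
2024-03-04T09:12:05 auth sshd: Failed password for root from 198.51.100.7
2024-03-04T09:12:07 auth sshd: Failed password for admin from 198.51.100.7
2024-03-04T09:12:09 auth sshd: Failed password for admin from 198.51.100.7
2024-03-04T10:02:11 auth sshd: Accepted password for jsmith from 10.0.0.5
2024-03-04T10:30:44 web GET /catalog?item=7 200
2024-03-04T10:31:02 web GET /catalog?item=7'%20OR%20'1'='1 500
2024-03-04T10:31:05 web GET /login?user=admin'--&pw=x 500
2024-03-04T02:14:30 file CREATE /var/tmp/.cache/batch_01.rar
2024-03-04T14:05:00 file MODIFY /var/www/html/index.html
"""

BUSINESS_HOURS = (6, 22)      # assumed: activity between 06:00 and 22:00 is normal
FAILED_LOGIN_THRESHOLD = 4    # assumed: this many failures from one address is notable

# Crude injection signatures, applied after URL decoding. A real deployment would use
# a maintained ruleset; these only illustrate where in the pipeline the check sits.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE)
                 for p in (r"'\s*or\s+'", r"'\s*--", r"union\s+select", r";\s*drop\s")]
ARCHIVE_EXT = re.compile(r"\.(zip|rar|tar|tgz|gz|7z)$", re.IGNORECASE)


def parse_log(text):
    """Split each non-empty line into (timestamp, source, message)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, source, message = line.split(" ", 2)
            records.append((datetime.fromisoformat(ts), source, message))
    return records


def failed_login_sources(records, threshold=FAILED_LOGIN_THRESHOLD):
    """Indicator: failed login attempts in authentication logs, counted per source."""
    counts = Counter()
    for _, source, msg in records:
        match = re.search(r"\bfrom (\S+)", msg)
        if source == "auth" and "Failed password" in msg and match:
            counts[match.group(1)] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}


def sqli_attempts(records):
    """Indicator: SQL injection attempts in web server logs. Requests are URL-decoded
    first, because the payload in an access log is usually percent-encoded."""
    decoded = [unquote(msg) for _, source, msg in records if source == "web"]
    return [req for req in decoded if any(p.search(req) for p in SQLI_PATTERNS)]


def after_hours_file_activity(records, hours=BUSINESS_HOURS):
    """Indicator: file system activity outside business hours."""
    start, end = hours
    return [msg for ts, source, msg in records
            if source == "file" and not (start <= ts.hour < end)]


def new_archives(records):
    """Indicator: compressed files appearing on the system. Whether they hold
    cardholder data is a follow-up check on the file itself, not on the log."""
    return [msg.split()[-1] for _, source, msg in records
            if source == "file" and msg.startswith("CREATE ")
            and ARCHIVE_EXT.search(msg.split()[-1])]


def triage(log_text):
    """Run every indicator check and return only the ones that fired."""
    records = parse_log(log_text)
    findings = {
        "failed_logins": failed_login_sources(records),
        "sqli_attempts": sqli_attempts(records),
        "after_hours_files": after_hours_file_activity(records),
        "new_archives": new_archives(records),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(name, "->", hits)
```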

CHAPTER 4

SECURITY BEST PRACTICES

Computer Security Best Practices

The following standard computer security best practices can protect your transactions and business. They have been retrieved from the Authorize.net article "Security Best Practices" (Pg. 6, 2005-2006).

Install a Firewall

A firewall is a hardware or software solution that monitors the activity of external connections (primarily the Internet) to an internal network of servers. Firewalls help to eliminate unauthorized or unwanted external activity and safeguard your network and connections from outside threats.

Store All Sensitive or Confidential Information Separate from Web Servers

For maximum information security, you should never store sensitive customer information, such as credit card numbers. If for some reason it is necessary to store this data, do so in a secure, encrypted database on a server that is not connected to the Internet. If sensitive information is stored in hard copy, thoroughly shred and dispose of the information on a regular basis.

Use Anti-Virus Software and Update It Often

Anti-virus software is another important way to protect your network and computer systems from outside vulnerabilities. This software should be updated on a regular basis.

Regularly Download and Install Security Updates

Software performance and security can be optimized by installing all service and security updates. If you ever need to reinstall your software, remember to reinstall all updates.

Avoid File Sharing

Share access to network drives and individual computers only with needed, trustworthy users. Especially avoid sharing access to files that store passwords and other confidential or sensitive information.

Avoid Sending or Requesting Confidential Information via Insecure Methods

As a standard security practice, legitimate businesses will never request confidential information (such as credit card information or passwords) from you in an e-mail or online chat session. Your business should also never request or submit confidential information via e-mail or other insecure methods. If you receive a communication requesting you to submit confidential information in an insecure manner, always call the soliciting business to confirm the request before responding.

    E-commerce Security Best Practices

    Following are the Security Best practices based on the document by Gideon T.

    Rasmussen (2008), Bank of America on E-commerce payment card security:

    1. Comply with the PCI Data Security Standard (DSS). Use the PCI DSS as a reference

    document. It contains PCI requirements and testing procedures used by assessors.

  • 8/6/2019 Agrawal_rohit_best Practices for Online Banking Security

    47/70

    47

    Additional PCI guidance can be found in navigating the DSS and PCI information

    supplements.

    2. Protect card data in storage and transmission. Render card numbers unreadable

    anywhere they are stored (DSS requirement 3.4). Options for secure storage include

    strong encryption, truncation, and hashing. Use strong encryption to safeguard card data

    in transmission across public networks (requirement 4.1). As a best practice, encrypt card

    data across internal networks between web, application and database servers.

    3. Do not store prohibited data. E-commerce merchants often provide the ability for

    customers to store their card number in order to make future transactions. Under PCI

    standards, it is forbidden to store CVV2 data (the three digit number on the back of a

    card). Hackers can use CVV2 codes combined with card numbers to conduct fraudulent

    transactions.

    4. Focus on data flow. Ensure appropriate controls are in place anywhere card data is

    stored, processed or transmitted. This key DSS directive is absolutely critical to keeping

    card data secure.

    5. Implement world class network security. The DSS provides detailed requirements for

    network security via router and firewall configurations, demilitarized zone networks,

    databases on an internal network, etc.

    6. Harden systems against attack. Configure operating systems and commercial

    applications in accordance with industry standard hardening guides. Install anti-virus and

    malware protection software. Install relevant security patches within 30 days.

  • 8/6/2019 Agrawal_rohit_best Practices for Online Banking Security

    48/70

    48

    7. Actively manage software development. Develop custom applications in accordance

    with an industry standard methodology. Refer to the Secure Software Development Life

    Cycle Processes document as a resource. Ensure the security team is involved in

    development initiatives. Hire developers with secure coding experience. Establish a

    targeted security awareness program for developers.

    8. Evaluate web-facing applications. DSS requirement 6.6 provides two options: conduct

    code reviews or implement application firewalls.

    9. Perform penetration testing. Establish a penetration testing program in accordance with the DSS penetration testing requirement (Requirement 11.3). Adopt a well-regarded penetration testing methodology such as the Open Source Security Testing Methodology Manual (OSSTMM) or the Information Systems Security Assessment Framework (ISSAF). Penetration testing is critical to the security of networked devices and web applications.

    10. Conduct network scans. The DSS requires scans at least quarterly; for an improved security posture, scan monthly. Scanning only once a quarter may leave a vulnerability undiscovered for up to 90 days, increasing the risk of compromise.

    11. Use secure payment applications. Use software from Visa's List of Validated

    Payment Applications as a best practice.

    12. Emphasize detective controls. A layered monitoring program is necessary to

    detect attacks and provide forensic information for incident response. If an incident

    occurs, the goal should be to detect it early on and limit further data compromise.

    13. Monitor for new threats and vulnerabilities. New vulnerabilities are detected daily.

    14. Thoroughly evaluate service providers. Merchants are liable when card data is shared


    with a service provider. Therefore, it is prudent to thoroughly evaluate their security controls based upon the services provided.

    15. Evaluate custom application functionality. Conduct a review of existing card

    applications. Determine if authorized access to card data is appropriately restricted by

    business need. For example, if an end user's duties only require access to one card

    number at a time, ensure controls are in place to limit access by those constraints.

    16. Implement fraud detection measures. Monitor access to card data for fraudulent

    activity. [Gideon T. Rasmussen. Bank of America E-commerce payment card security]

    Role of Authentication in an Internet Banking Environment

    On August 8, 2001, the FFIEC agencies (the agencies) issued guidance entitled Authentication in an Electronic Banking Environment (2001 Guidance). All of the following material on authentication is drawn from the Federal Financial Institutions Examination Council document Authentication in an Internet Banking Environment (www.ffiec.gov). The 2001 Guidance focused on risk

    management controls necessary to authenticate the identity of retail and commercial

    customers accessing Internet-based financial services. Financial institutions offering

    Internet-based products and services to their customers should use effective methods to

    authenticate the identity of customers using those products and services. Consistent with

    the FFIEC Information Technology Examination Handbook, Information Security

    Booklet, December 2002, financial institutions should periodically:

    • Ensure that their information security program:

      - Identifies and assesses the risks associated with Internet-based products and services,

      - Identifies risk mitigation actions, including appropriate authentication strength, and

      - Measures and evaluates customer awareness efforts;

    • Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information; and

    • Implement appropriate risk mitigation strategies.

    Financial institutions engaging in any form of Internet banking should have effective and

    reliable methods to authenticate customers. An effective authentication system is

    necessary for compliance with requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to

    promote the legal enforceability of their electronic agreements and transactions. The risks

    of doing business with unauthorized or incorrectly identified persons in an Internet

    banking environment can result in financial loss and reputation damage through fraud,

    disclosure of customer information, corruption of data, or unenforceable agreements.

    Existing authentication methodologies involve three basic factors:

    • Something the user knows (e.g., password, PIN);

    • Something the user has (e.g., ATM card, smart card); and

    • Something the user is (e.g., biometric characteristic, such as a fingerprint).

    Authentication methods that depend on more than one factor are more difficult to

    compromise than single-factor methods. Accordingly, properly designed and


    implemented multifactor authentication methods are more reliable and stronger fraud

    deterrents.

    Authentication Techniques, Processes, and Methodologies

    Shared Secrets

    Shared secrets (something a person knows) are information elements that are known or

    shared by both the customer and the authenticating entity. Passwords and PINs are the

    best known shared secret techniques but some new and different types are now being

    used as well.

    Tokens

    Tokens are physical devices (something the person has) and may be part of a multifactor

    authentication scheme. Three types of tokens are discussed here: the USB token device,

    the smart card, and the password-generating token.

    USB Token Device

    The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is recognized, the customer is

    prompted to enter his or her password (the second authenticating factor) in order to gain

    access to the computer system.

    Smart Card

    A smart card is the size of a credit card and contains a microprocessor that enables it to

    store and process data. Inclusion of the microprocessor enables software developers to

    use more robust authentication schemes. To be used, a smart card must be inserted into a

    compatible reader attached to the customer's computer. If the smart card is recognized as

    valid (first factor), the customer is prompted to enter his or her password (second factor)

    to complete the authentication process.

    Password-Generating Token

    A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used. The token ensures that the same OTP is not used

    consecutively. The OTP is displayed on a small screen on the token. The customer first

    enters his or her user name and regular password (first factor), followed by the OTP

    generated by the token (second factor). The customer is authenticated if (1) the regular

    password matches and (2) the OTP generated by the token matches the password on the

    authentication server. A new OTP is typically generated every 60 seconds, or in some systems every 30 seconds. This very brief period is the life span of that password. OTP tokens generally last 4 to 5 years before they need to be replaced.
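    The server side of the two-factor check described above, written out as an added example (this is not code from the FFIEC guidance or from any bank). It assumes the token implements TOTP as standardized in RFC 6238 (HMAC-SHA1 over a 30-second time step, 6 digits), which the text does not specify, and it keeps user records in memory only for the demonstration. Beyond the text it shows two details a practitioner has to decide: how much clock drift between token and server to tolerate, and how to refuse an OTP that was already accepted (the "not used consecutively" property has to be enforced on the server too).

```python
"""Two-factor login check: static password plus time-based one-time password.

Added example, not code from the FFIEC guidance or any bank. Assumes an
RFC 6238 TOTP token (HMAC-SHA1, 30-second step, 6 digits); user records
and the sample seed below are constructed for the demonstration only.
"""
import hashlib
import hmac
import os
import struct
import time

TIME_STEP = 30      # seconds per OTP (the guidance mentions 30- and 60-second tokens)
DIGITS = 6
SKEW_STEPS = 1      # accept one step before/after "now" to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Per user: salted password hash, token seed, and the last OTP step accepted."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, seed: bytes = None) -> bytes:
        salt = os.urandom(16)
        seed = seed or os.urandom(20)   # shared with the customer's token at issuance
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "seed": seed,
            "last_step": -1,            # highest time step used for a successful login
        }
        return seed

    def login(self, username: str, password: str, otp: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        # Factor 1: something the user knows (constant-time comparison of hashes).
        if not hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
            return False
        # Factor 2: something the user has. Allow a small skew window, but never a
        # step at or before the last accepted one, so a captured OTP cannot be replayed.
        current = int(now // TIME_STEP)
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= user["last_step"]:
                continue
            if hmac.compare_digest(hotp(user["seed"], step), otp):
                user["last_step"] = step
                return True
        return False


def demo() -> dict:
    """Constructed walkthrough with the RFC 6238 test seed; returns each attempt's outcome."""
    pw = "correct horse battery staple"
    server = AuthServer()
    seed = server.enroll("alice", pw, seed=b"12345678901234567890")
    t0 = 1234567890.0                       # exactly on a step boundary
    code = totp(seed, t0)
    return {
        "good": server.login("alice", pw, code, t0),                      # both factors valid
        "replay": server.login("alice", pw, code, t0 + 5),                # same OTP again
        "wrong_pw": server.login("alice", "wrong", totp(seed, t0 + 60), t0 + 60),
        "drift": server.login("alice", pw, totp(seed, t0 + 30), t0 + 60),  # one step behind
        "stale": server.login("alice", pw, totp(seed, t0 - 120), t0 + 60),  # outside window
    }


if __name__ == "__main__":
    print(demo())
```

    The skew window is the usual trade-off: a wider window tolerates tokens whose clocks have drifted but gives an attacker who shoulder-surfed a code a few more seconds to use it. Tracking the last accepted step closes that gap for any code the customer has already used, which is the server-side counterpart of the token never showing the same OTP twice in a row.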

    Biometrics

    Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or behavioral characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. Behavioral characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard. The process of introducing people into a biometrics-based system is called enrollment. In enrollment, samples of data are taken from one or more physiological or behavioral characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.

    Biometric identifiers are most commonly used as part of a multifactor authentication

    system, combined with a password (something a person knows) or a token (something a

    person has).

    Various biometric techniques and identifiers are being developed and tested; these include:

    • Fingerprint recognition;

    • Face recognition;

    • Voice recognition;

    • Keystroke recognition;

    • Handwriting recognition;

    • Finger and hand geometry;

    • Retinal scan; and

    • Iris scans.

    Two biometric techniques that are increasingly gaining acceptance are fingerprint

    recognition and face recognition.

    Non-Hardware-Based One-Time-Password Scratch Card

    Scratch cards (something a person has) are less-expensive, low-tech versions of the

    OTP generating tokens discussed previously. The card, similar to a bingo card or map

    location look-up, usually contains numbers and letters arranged in a row-and-column

    format, i.e., a grid. The size of the card determines the number of cells in the grid.


    Used in a multifactor authentication process, the customer first enters his or her user

    name and password in the established manner. Assuming the information is input

    correctly, the customer will then be asked to input, as a second authentication factor, the

    characters contained in a randomly chosen cell in the grid. The customer will respond by

    typing in the data contained in the grid cell element that corresponds to the challenge

    coordinates.
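    The grid-card challenge and response just described, as an added example (not code from the FFIEC guidance or from any bank). It assumes a card of 5 rows (A to E) by 10 columns (1 to 10) holding 3-character cells, that the bank keeps a copy of each customer's grid, and a lockout after three consecutive wrong answers; all of these are assumptions. It also never challenges the same cell twice in a row and picks cells unpredictably, which matters because each answer the customer types reveals one cell of the card to anyone who captured the session.

```python
"""Challenge-response login against a printed one-time-password grid card.

Added example, not code from the FFIEC guidance or any bank. Card size,
cell length and the lockout threshold are assumptions; the demo grid is
constructed from a seeded PRNG only so the walkthrough is repeatable.
"""
import secrets
import string

ROWS = "ABCDE"
COLS = range(1, 11)
CELL_LEN = 3
ALPHABET = string.ascii_uppercase + string.digits
MAX_FAILURES = 3


def make_grid(rng=secrets) -> dict:
    """Card contents as {(row, col): 'X7Q', ...}; rng needs a .choice() method."""
    return {(r, c): "".join(rng.choice(ALPHABET) for _ in range(CELL_LEN))
            for r in ROWS for c in COLS}


def render_card(grid: dict) -> str:
    """Printable form of the grid, as the customer would receive it."""
    lines = ["   " + " ".join(f"{c:>3}" for c in COLS)]
    for r in ROWS:
        lines.append(r + "  " + " ".join(grid[(r, c)] for c in COLS))
    return "\n".join(lines)


class GridCardAuthenticator:
    """Second-factor check run after the user name and password have been verified."""

    def __init__(self, grid: dict):
        self.grid = grid
        self.pending = None     # coordinate currently challenged, if any
        self.last_cell = None   # never challenge the same cell twice in a row
        self.failures = 0
        self.locked = False

    def challenge(self) -> str:
        """Pick an unpredictable cell (not the one just used) and return it, e.g. 'B7'."""
        if self.locked:
            raise PermissionError("card locked after repeated failures")
        choices = [cell for cell in self.grid if cell != self.last_cell]
        self.pending = secrets.choice(choices)
        row, col = self.pending
        return f"{row}{col}"

    def respond(self, answer: str) -> bool:
        """Compare the typed cell contents to the stored grid; lock after MAX_FAILURES."""
        if self.locked or self.pending is None:
            return False
        expected = self.grid[self.pending]
        ok = secrets.compare_digest(expected.encode(), answer.strip().upper().encode())
        self.last_cell, self.pending = self.pending, None   # one answer per challenge
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return ok


def demo() -> dict:
    """Constructed walkthrough on a fixed grid; returns each attempt's outcome."""
    import random
    grid = make_grid(random.Random(2011))   # seeded so the demo repeats; real cards use secrets
    auth = GridCardAuthenticator(grid)

    def answer_for(chal: str) -> str:
        return grid[(chal[0], int(chal[1:]))]

    def wrong_answer(chal: str) -> str:
        a = answer_for(chal)
        return ("0" if a[0] != "0" else "1") + a[1:]

    c1 = auth.challenge()
    good = auth.respond(answer_for(c1))
    c2 = auth.challenge()
    wrong = auth.respond(wrong_answer(c2))
    c3 = auth.challenge()
    auth.respond(wrong_answer(c3))                  # second consecutive failure
    auth.respond(wrong_answer(auth.challenge()))    # third: card is locked
    return {"good": good, "wrong": wrong, "no_repeat": c3 != c2, "locked": auth.locked}


if __name__ == "__main__":
    print(render_card(make_grid()))
    print(demo())
```

    Because every successful login discloses one of the fifty cells, a bank should treat the card as a consumable: count how many distinct cells have been challenged and reissue the card before an attacker who phishes a few sessions has enough of the grid to answer future challenges.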

    Out-of-Band Authentication

    Out-of-band authentication includes any technique that allows the identity of the

    individual originating a transaction to be verified through a channel different from the

    one the customer is using to initiate the transaction. This type of layered authentication

    has been used in the commercial banking/brokerage business for many years.

    Internet Protocol Address (IPA) Location and Geo-Location

    One technique to filter an online transaction is to know who is assigned to the requesting

    Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned

    either by an Internet Service Provider or as part of the user's network. If all users were

    issued a unique IPA that was constantly maintained on an official register, authentication

    by IPA would simply be a matter of collecting IPAs and cross-referencing them to their

    owners. However, IPAs are not owned, may change frequently, and in some cases can be

    spoofed. Additionally, there is no single source for associating an IPA with its current

    owner, and in some cases matching the two may be impossible.

    Geo-location technology is another technique to limit Internet users by determining

    where they are or, conversely, where they are not. Geo-location software inspects and


    analyzes the small bits of time required for Internet communications to move through the

    network. These electronic travel times are converted into cyberspace distances. After

    these cyberspace distances have been determined for a user, they are compared with

    cyberspace distances for known locations. If the comparison is considered reasonable, the

    user's location can be authenticated. If the distance is considered unreasonable or for

    some reason is not calculable, the user will not be authenticated.

    Customer Verification Techniques

    Customer verification is a related but separate process from that of authentication.

    Customer verification complements the authentication process and should occur during

    account origination. Verification of personal information may be achieved in three ways:

    • Positive verification to ensure that material information provided by the applicant matches information available from trusted third party sources. More specifically, a financial institution can verify a potential customer's identity by comparing the applicant's answers to a series of detailed questions against information in a trusted database.

    • Logical verification to ensure that information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).

    • Negative verification to ensure that information provided has not previously been associated with fraudulent activity.


    CHAPTER 5

    CONSEQUENCES OF POOR ONLINE SECURITY

    Consequences of Poor Online Security

    According to a white paper by Osterman Research (2011), the problems associated with security exploits impact just about every aspect of an organization:

    Decrease in employee and IT staff productivity

    Employees waiting for malware to be removed from their computers will be significantly less productive during these downtime periods, in some cases 100% less

    productive. Further, any sort of messaging or Web exploit will require IT staff to address

    the issue as soon as possible after the problem is discovered. This can lead to IT staff

    working on weekends, the delay of various IT projects, rebuilding desktops, and other

    costs that may be difficult to estimate. Security exploits can also lead to extended email

    or other service outages that can have serious ramifications on user productivity.

    Financial losses

    Loss of funds arising from the use of malware like Zeus, which is designed to steal money from victims' financial accounts, can have a devastating impact on an organization. Just one of the many examples of Zeus victims is Parkinson Construction, a firm with $20 million in annual revenue that lost $92,000, nearly 0.5% of its annual revenue, simply because the owner of the firm clicked on an email claiming to be from the Social Security Administration.


    Loss of customer data

    Data breaches can result in the need to remediate them in expensive ways, such as

    notifying customers via postal mail that their data was lost, provision of credit reporting

    services to the victims for a year or longer, loss of future business, embarrassing press

    coverage and loss of goodwill. The Ponemon Institute has determined that the average cost per compromised record in a data breach ranges from $98 in the United Kingdom to $204 in the United States.

    Loss of internal data

    Trade secrets, confidential information and other intellectual property can be lost as a

    result of poor security. These losses can occur across a wide range of venues and

    activities, including sensitive content that is mistakenly sent in an email or an

    unencrypted file transfer, data that is lost on an unencrypted mobile device or flash drive,

    or data that is taken home by employees and stored without any IT controls (Osterman Research, 2011).

    Violation of statutes and compliance requirements

    If adequate security defenses are not maintained, organizations can run afoul of a wide

    variety of statutes that require data to be protected and retained. Osterman Research

    (2011) also mentions that decision makers in one out of five organizations do not know which compliance laws apply to their organization. A small sampling of these statutes includes the following:

    • The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements for protecting the security of consumers' and others' payment account information. It includes provisions for building and maintaining a secure network, encrypting cardholder data when it is sent over public networks and assigning unique IDs to each individual that has access to cardholder information.

    • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions that hold personal information to transmit and store this information in such a way that its integrity is not compromised. GLBA requires financial institutions to comply with a variety of Securities and Exchange Commission and NASD rules.

    • The UK Data Protection Act imposes requirements on businesses operating in the United Kingdom to protect the security of the personal information they hold.

    • Japan's Personal Data Protection Law is designed to protect consumers' and employees' personal information. It includes provisions for ensuring the security and disclosure of databases that contain this information, among other requirements.

    • The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian privacy law that applies to all companies operating in Canada. Like many other privacy laws, it requires that personal information be stored and transmitted securely.

    • California's SB1386 (the Database Security Breach Notification Act) is a far-reaching law that requires any holder of personal information about a California resident, regardless of where the holder is located, to notify each resident whose information may have been compromised in some way. Since California passed this groundbreaking data breach notification law, most other US states have passed similar laws. These laws require organizations to notify customers and others for whom sensitive data is held if their data is exposed to an unauthorized party, an expensive proposition in almost every case.

    Other issues

    Osterman Research (2011) also mentions that there are a number of other problems that

    can occur from malware and other threats delivered via email, the Web, Web 2.0

    applications and other capabilities, including:

    • Internet service outages, which can create serious problems for core business services such as email, collaboration, and cloud-based CRM systems. Related to these outages are the potential for data leakage, and lack of compliance with monitoring capabilities and archiving requirements when employees use personal Webmail systems to send corporate data.

    • Web sites being taken down for long periods in order to patch the code to eliminate an exploit.

    • The exposure of FTP and other login credentials to attackers and other cybercriminals.

    • The download of malware that can turn corporate and home-based computers into zombies used as part of a bot network.

    • Users downloading illegal content, such as copyrighted works or pornography, using corporate assets.


    What Should You Do to Address the Problem?

    It may sound obvious, but IT and business decision makers must determine exactly

    what they must protect today, and what they can reasonably expect that they will need to

    protect over the next few years. For example, this list should include things like:

    • On-premise, IT-deployed corporate email systems, smartphones, iPads and other capabilities, protected from spam and malware.

    • Threats introduced by employee devices that are brought into the workplace and that are used to access corporate resources. This should include iPads, personal smartphones, personal laptops, etc.

    • Monitoring and/or preventing what leaves the organization via corporate email, personal Webmail, laptops, smartphones and other mobile devices, social media posts, flash drives, portable hard drives, etc. to protect against data loss.

    • Encryption of sensitive communications to remain in compliance with both regulatory requirements and best practices.

    • Monitoring internal communications for sexually or racially offensive content, as well as sensitive information that could be stored on desktops, servers or other systems without appropriate access controls.

    • Monitoring employees' activities when accessing corporate resources from personally owned devices when working from home or remotely.

    • Archiving business records that should be retained.

    • Non-traditional security threats, such as confidential information that might be left on PCs at a hotel's business center. For example, a senior manager at a leading anti-virus company recently reported that he found the itinerary for a general's visit to a military installation on a hotel business center's PC.

    Determine What Not To Do

    As important as establishing what must be done is to establish what must not be done.

    For example, a blanket prohibition on the use of social media tools like Facebook or

    Twitter, or preventing users from employing personal Webmail systems at work can have

    negative ramifications on a number of levels. Employee morale may suffer as a result, as

    well as user productivity if employees are not permitted to use certain consumer-focused

    tools that can help them get their work done. Plus, employees will probably use these

    tools anyway unless IT imposes draconian controls that will most likely have the side

    effect of impairing employee productivity. Osterman Research (2011).

    Establish Detailed and Thorough Policies

    Any organization that seeks to protect their users, data and networks from Web-based

    threats must establish detailed and thorough policies about acceptable use of all of their

    online tools: email, instant messaging, Web 2.0 applications, collaboration tools,

    smartphones, flash drives and the Web itself. Successfully addressing these problems

    must start with an acknowledgement of the threat landscape and the corresponding

    policies about how tools will be used before technologies are deployed to address the

    problems. Further, there must be buy-in across the organization in order for policies to be

    effective. For example, a policy against the use of social media tools may seriously

    impact a marketing department's effectiveness at building the corporate brand; similarly,

    not allowing the use of unauthorized file transfer tools may prevent users from sending

    large files to prospects or customers in a timely manner.

    It is important to note that communication policies must be appropriate and not so

    broad as to prevent employees from participating in lawful activities. Corporate policies

    that prevent employees from discussing their employer on their own time, sharing

    comments about union organization, etc. may not be legal. Osterman Research (2011).

    Deploy a Multi-Layered, Multi-Level Defense Strategy

    It is also important to deploy a multi-layered, multi-level defense strategy. This is

    becoming increasingly critical as the network perimeter becomes less well defined over

    time as noted earlier. For example, traditional security architecture had a clearly defined

    firewall that separated internal IT-managed resources from the outside world. However,

    the increasing use of personal devices that can connect as easily to a Starbucks Wi-Fi

    network as they can to a corporate network, Web 2.0 applications like Twitter, or

    employees using their personal smartphones to access corporate email on weekends

    means that the network perimeter is rapidly disappearing. This has made security a much

    more difficult proposition for IT decision makers, largely because there are so many more

    devices and data sources to protect. Consequently, any organization should consider

    deploying:

    • Email-based defenses that include anti-virus, anti-malware, anti-spam and DLP capabilities.

    W