8/6/2019 Agrawal_rohit_best Practices for Online Banking Security
1/70
BEST PRACTICES FOR ONLINE BANKING SECURITY
By
Rohit K. Agrawal
MS in Information Systems Management
Ferris State University, 2011
BS in Engineering, India, 2008
Advisor:
Dr. James H. Jones, Jr.
Assistant Professor
Accounting, Finance, and Information Systems Department
MISM 799 - Spring 2011
Ferris State University
Big Rapids, MI
DEDICATION
This is dedicated to my Parents, Mr. Anoop K. Agrawal and Mrs. Nisha Agrawal, for their unconditional love, patience and understanding. I would also like to thank my teachers and friends for their extreme support and guidance.
ACKNOWLEDGEMENTS
1. I would like to thank Dr. James Jones, Information Systems Management (ISM) professor at Ferris State University, for his valuable advice, constructive approach and feedback, and his continuous encouragement, which enabled me to complete this project on time.
2. Information provided in this research paper is entirely based on data obtained and compiled from various reference material (textbooks, articles and documents from the World Wide Web).
TABLE OF CONTENTS
Dedication 2
Acknowledgements 3
List of Tables 6
List of Figures 6
Abstract 7
CHAPTERS
Chapter 1 Introduction 8
Purpose 8
Research Points 8
Glossary of Terms 9
Financial Institution 14
Bank of America 17
Citibank 21
Chapter 2 Information Security Standards 23
Need for Online Banking Security Standards 23
Overview of Information Security Standards 24
Information Security Standards 27
Data Security standards for payment card industry 30
Information Security Regulations 32
Summary 35
Chapter 3 Online Security Breaches 36
Introduction 36
Threat Categories 36
The Threat Environment 39
Anatomy of an Incident 43
Chapter 4 Security Best Practices 45
Computer Security Best Practices 45
E-commerce Security Best Practices 46
Role of Authentication in an Internet Banking Environment 49
Authentication Techniques, Processes, and Methodologies 51
Chapter 5 Consequences of poor Online Security 56
What Should You Do to Address the Problem? 60
Determine What Not To Do 61
Various Delivery models 63
Conclusion and Recommendation 67
References 69
LIST OF FIGURES
Figure Page
1. Evolution of Threat 24
LIST OF TABLES
Table Page
1. Source for Security breaches 42
ABSTRACT
BEST PRACTICES FOR ONLINE BANKING SECURITY
Rohit K. Agrawal M.S. ISM
Ferris State University, 2011
Advisor: Dr. James H. Jones, Jr.
This research paper is a requirement for the MISM 799 Integrated Capstone Project course, a spring 2011 class in the Ferris State University Master of Science in Information Systems Management program. The objective of this research paper is to give the reader introductory knowledge and awareness of the information security standards in financial institutions and the services they offer. It also explains the role of authentication and security best practices in these institutions. This research paper contains a description of security breaches and their impact on various organizations.
This paper is divided into five chapters namely:
Chapter 1: This chapter briefly traces the services offered by financial institutions.
Chapter 2: This chapter explores the various information security standards.
Chapter 3: This chapter contains information on online security breaches.
Chapter 4: This chapter gives information on security best practices.
Chapter 5: This chapter shows the consequences of poor online security in financial
institutions.
CHAPTER 1
INTRODUCTION
Purpose
The purpose of this paper is to provide the reader with an introductory exploration of current trends and best practices in online banking security on the Internet. Please note that this paper is not intended to offer a comprehensive analysis of any covered area of the Internet, electronic commerce or any financial institution.
Research points
Within the confines of the paper requirements, the ensuing pages will focus on:
- Financial Institutions and their offered services
- Information Security Standards
- Online Security breaches and their causes
- Types of Security breaches
- Security Best practices
- Role of Authentication
- Consequences of poor online security
Glossary of Terms
Address Verification Service
The Address Verification Service (AVS) is a security system designed to combat one of the most common forms of online credit card fraud. AVS compares the billing address information provided by the customer with the billing address on file at the customer's credit card issuer. The payment gateway receives an AVS response code and then either accepts or declines the transaction according to your configured settings.
Anti-virus
Software that detects, repairs, cleans, or removes virus-infected files from a computer.
Bank:
It is a financial organization where people keep their money.
Banking Security:
Safety of an organization against criminal activity such as terrorism, theft, or espionage, in order to protect its assets.
Card Code Verification (CCV)
A customer's card code is a three- or four-digit security code printed on a credit card's signature panel in reverse italics, or following the full number on the front of the card. Similar to AVS, Card Code Verification (CCV) compares the customer's card code with the card code on file at the credit card issuer. The payment gateway receives the card code verification response code from the customer's bank and either accepts or declines the transaction according to your configured settings. Since the card code should only be known to the person in possession of the physical credit card, these additional numbers provide an extra measure of security against unauthorized credit card transactions.
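As an added illustration of the AVS and CCV flow just described (example code written for this page, not from the paper or from any payment gateway or issuer), the following Python model simulates the issuer side, which holds the billing address and card code on file, and the gateway side, which turns the returned response codes into an accept or decline under the merchant's configured settings. The issuer records, the response codes (Y/A/Z/N/U for AVS and M/N/P for CCV), the card numbers and the policy classes are all constructed assumptions.

```python
"""Toy model of Address Verification (AVS) and Card Code Verification (CCV).

Constructed example: the issuer records, the response codes and the
merchant policy below are invented for illustration and do not describe
any real payment gateway or issuer.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass

# Constructed issuer-side records (what the card issuer holds on file).
# In reality the gateway never sees this table; it only gets codes back.
ISSUER_RECORDS = {
    "4111111111111111": {"street": "742", "postal": "49307", "card_code": "123"},
    "5555555555554444": {"street": "10", "postal": "10001", "card_code": "9876"},
}


def _normalize(value: str) -> str:
    """Drop whitespace and case so '49307 ' and '49307' compare equal."""
    return "".join(value.split()).upper()


def _same_secret(given: str, on_file: str) -> bool:
    """Constant-time comparison: the time taken must not reveal how many
    characters of the card code were right."""
    return hmac.compare_digest(_normalize(given).encode(), _normalize(on_file).encode())


def issuer_verify(card_number: str, street: str, postal: str, card_code: str) -> tuple[str, str]:
    """Simulated issuer answer as (avs_code, ccv_code).

    Constructed codes: AVS Y = street and postal match, A = street only,
    Z = postal only, N = neither, U = card unknown/unavailable;
    CCV M = match, N = no match, P = not processed.
    """
    record = ISSUER_RECORDS.get(card_number)
    if record is None:
        return ("U", "P")
    street_ok = _normalize(street) == _normalize(record["street"])
    postal_ok = _normalize(postal) == _normalize(record["postal"])
    avs = {(True, True): "Y", (True, False): "A",
           (False, True): "Z", (False, False): "N"}[(street_ok, postal_ok)]
    ccv = "M" if _same_secret(card_code, record["card_code"]) else "N"
    return (avs, ccv)


@dataclass(frozen=True)
class GatewayPolicy:
    """The merchant's configured settings: response codes that decline."""
    decline_avs: frozenset = frozenset({"N", "U"})   # partial matches A/Z still pass
    decline_ccv: frozenset = frozenset({"N", "P"})


# A stricter merchant treats partial address matches as failures too.
STRICT_POLICY = GatewayPolicy(decline_avs=frozenset({"N", "U", "A", "Z"}))


@dataclass(frozen=True)
class Decision:
    accepted: bool
    avs_code: str
    ccv_code: str
    reason: str


def gateway_decide(policy: GatewayPolicy, card_number: str, street: str,
                   postal: str, card_code: str) -> Decision:
    """Ask the issuer, then apply the merchant policy to the returned codes.

    Only the response codes are kept in the Decision: the card code itself is
    never stored or logged, which is what the 'Protect Cardholder Data'
    requirement expects of a merchant.
    """
    avs, ccv = issuer_verify(card_number, street, postal, card_code)
    if ccv in policy.decline_ccv:
        return Decision(False, avs, ccv, "card code check failed")
    if avs in policy.decline_avs:
        return Decision(False, avs, ccv, "address check failed")
    return Decision(True, avs, ccv, "accepted")


if __name__ == "__main__":
    ok = gateway_decide(GatewayPolicy(), "4111111111111111", "742", "49307", "123")
    bad_code = gateway_decide(GatewayPolicy(), "4111111111111111", "742", "49307", "124")
    partial = gateway_decide(STRICT_POLICY, "4111111111111111", "742", "49308", "123")
    for d in (ok, bad_code, partial):
        print(d.accepted, d.avs_code, d.ccv_code, d.reason)
```

The card code is compared in constant time and only the response codes are retained, since the code should exist nowhere except on the physical card and, momentarily, in the authorisation request. Which codes count as a decline is entirely a merchant setting, which is why the same partial address match passes under the default policy and fails under STRICT_POLICY.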
CEO:
Chief executive officer, the corporate executive responsible for the operations of the firm;
reports to a board of directors; may appoint other managers and executives.
(www.wordnetweb.princeton.edu/perl/webwn)
Cloud Computing:
A new generation of computing that utilizes distant servers for data storage and
management, allowing the device to use smaller and more efficient chips that consume
less energy than standard computers. (http://www.financenewmexico.org/glossary.html)
Cyber Space:
All of the data stored in a large computer or network represented as a three-dimensional model through which a virtual-reality user can move (World English Dictionary)
Database
A systematized collection of data that can be accessed immediately and manipulated by a data-processing system for a specific purpose
Database Warehouse:
A Data Warehouse is a compilation of information/data prearranged so that it can be used effortlessly for querying and data analysis. (http://www.databasedir.com)
Direct Deposit:
It is electronic transfer of a payment directly from the account of the payer to the
recipient's account.
E-Business:
This term is coined for a company that has an online presence. It involves all business functions.
E-Commerce:
E-commerce is a part of E-business. E-Commerce is about making transactions online
through selling and buying of products and services.
Firewall:
A part of a computer system or network that is designed to block unauthorized access while permitting outward communication.
Hackers:
A hacker is an enthusiastic and skillful computer programmer or user, who can use those skills either to gain unauthorized access to data or to protect it.
Internet:
The Internet is a global system of interconnected computer networks that use the
standard Internet Protocol Suite (TCP/IP).
Intranet:
It is a computer network with restricted access, as within a company, that uses software and protocols developed for the Internet.
Java:
Java is a programming language especially applicable to the World Wide Web.
Malware:
It is a computer program that protects the user's computer or system from unwanted hazardous software by removing viruses. It is a short name for malicious software.
Security:
It is the state of being secure; it can also be described as safety from risks, danger, threats, etc.
Spyware
Spyware is computer software designed specially to gather information about a user's browsing habits and to send that information secretly to an individual or company that uses the data for marketing or other purposes.
Threat
A person or thing that is regarded as dangerous or likely to inflict pain or misery (www.dictionary.com)
Transaction
A.) Business Computing: The act of obtaining and paying for an item or service.
B.) General Computing: The transmission and processing of an item of data.
Web Portal:
It is a junction for all the information in one place. It is also known as a links page, which presents information from varied sources in one place. A web portal offers information like news, email, weather forecasts, horoscopes, songs, entertainment, etc.
World Wide Web (WWW):
The WWW is a collection of several Internet servers that work to support hypertext documents and files. These servers also use hypertext to organize, connect, present and offer services throughout the Internet.
Financial Institutions and Their Offered Services
Financial Institution:
There are many web definitions for the term Financial Institution. The one more frequently found and relevant is obtained from Investorwords.com: a financial institution is an institution that provides financial services to its clients or members. Financial institutions are also responsible for collecting funds from the public and placing them in financial assets, such as deposits, loans, and bonds, rather than tangible property.
As mentioned on Finance.mapsofworld.com, financial institutions are the firms that provide financial services and advice to their clients. Financial institutions are generally regulated by the financial laws of a government authority. BYU: Marriot School mentioned in their intermediate lessons and discussions that there are two major types of financial institutions: banks (i.e., deposit-type financial institutions) and nonbanks (i.e., non-deposit-type financial institutions). The choice of which institution you use depends on which institution will serve your needs the best and help you achieve your goals the fastest.
Various types of Financial Institutes are as follows:
- Commercial Banks
- Credit Unions
- Stock brokerage firms
- Asset management firms
- Insurance Companies
- Finance Companies
- Building Societies
- Retailers
The services provided by the various types of financial institutions may vary from one institution to another. For example, the services offered by commercial banks are insurance services, mortgages, loans and credit cards. As mentioned in the BYU: Marriot School intermediate lessons, commercial banks compete by offering the widest variety of services; however, they generally do not offer the highest interest rates on deposits or the lowest interest rates on loans. BYU: Marriot School also mentioned that commercial banks are also known as deposit-type financial institutions.
Here is an explanation of some other types of financial institutions as mentioned on finance.mapsofworld.com. The credit union is a co-operative financial institution, also known as a deposit-type financial institution, which is usually controlled by the members of the union. The major difference between credit unions and banks is that credit unions are owned by the members having accounts in them. As mentioned by BYU: Marriot School, credit unions offer higher rates on savings accounts and lower rates on loans because they are not driven to provide a profit to shareholders.
Stock brokerage firms are another type of financial institution; they help both corporations and individuals to invest in the stock market. The services provided by the brokerage firms, on the other hand, are different: they are insurance, securities, mortgages, loans, credit cards, money market and check writing. [C]
Another type of financial institution is the asset management firms. The prime
functionality of these firms is to manage various securities and assets to meet the
financial goals of the investors. The firms also offer fund management advice and
decisions to the corporations and individuals. [C]
The insurance companies offer insurance services, securities, buying or selling services for real estate, mortgages, loans, credit cards and check writing. [C]
Large organizations, small firms, an individual family or a single person: any or all of these can be customers of these financial institutions. They might need any kind of service from these institutions, such as a loan, mortgage, insurance, bonds, etc. Before dealing with any of these financial institutions, every customer asks certain questions of themselves, or they have certain requirements or needs which these financial institutions must fulfill. BYU: Marriot School mentioned in their intermediate lessons on the web that choosing a financial institution is a challenge. We must always try to establish our goals first and then consider what these financial institutions can provide. Before engaging with any kind of service or institution, BYU has listed certain questions which are relevant and which every user must consider. They are as follows:
- Are you looking for low costs, low fees, and high returns on deposits?
- What services are important to you?
- Do you need loans, mortgages, or working capital for a small business?
- How important is safety for your deposits?
- Do you require government insurance? If so, know that this factor limits the types of institutions you can choose.
- What services does the financial institution provide? If all you require is a high return on your cash management assets, then your choices are much broader.
- Security (all forms)
Here are the services offered by Bank of America and Citibank along with additional
information about them.
Bank of America
Company Overview:
Barlas, Demir (2011), in his article Lending Options Offered by America's Largest Residential Mortgage Bank, mentioned that Bank of America is America's largest residential mortgage bank. He also gave a short history of the bank's foundation. In his article, Barlas (2011) mentioned that Bank of America has spent the past few years growing by acquisition; for example, by buying LaSalle Bank for $21 billion in 2007 and acquiring Countrywide Financial, the company most closely associated with the housing decline of 2007, for $4 billion. Other monster acquisitions include the $50 billion deal for FleetBoston in 2004 and the $35 billion purchase of MBNA in 2006, which brought millions of credit card customers over to Bank of America. Acquisitions of other banks were very beneficial for Bank of America.
Here is the timeline for the various acquisitions and mergers of the bank, retrieved from Finance.mapsofworld.com:
- In the year 2004, Bank of America acquired National Processing Company, which was engaged in processing VISA and MasterCard transactions.
- In the same year, 2004, Bank of America made an acquisition deal with FleetBoston Financial. This acquisition helped Bank of America gain market share in the north-eastern part of the USA.
- In 2005, Bank of America declared that it was going to make an acquisition deal with MBNA. After getting the approval of the Federal Reserve Board, the acquisition finally took place in January 2006. This acquisition helped Bank of America get a strong foothold in the credit card market of the USA.
- In the year 2006, Bank of America declared that it would buy out The United States Trust Company, and the deal was finally executed in January 2007.
- In 2007, Bank of America made a historic acquisition deal by acquiring LaSalle Bank Corporation, LaSalle Corporate Finance and ABN Amro North America.
- Recently, in January 2008, Bank of America announced that it was going to buy Countrywide Financial.
Services offered by Bank of America (BofA):
One of the web pages of Realestatezing.com [D] mentions that among financial institutions, Bank of America is the largest in the world that serves individual consumers as well as large corporations. A wide variety of investing, banking, financial, risk management and asset management services are provided by Bank of America. On the whole the bank provides the facility of Checking, Savings, Mortgages, Auto and Student Loans, Retirement Services, Online Banking, Insurance, Business Banking, Credit Cards, Investments, Global Corporate Credit, Capital Raising, Cash Management and Trade Services. Along with this, Bank of America services can be grouped into the following categories:
- Personal Banking
- Small Business Banking
- Corporate and Institutional Banking
Services in Personal Banking:
- Credit Cards
- Mortgage
- Auto Loans
- Personal Loans
- Insurance
- Investment Services
- Online Banking
- IRAs (investment schemes that come under retirement plans)
- Home Equity
- Retirement
Realestatezing.com also mentioned that Bank of America Global Consumer and Small Business Banking is the largest department of BofA. This also includes ATMs in other countries through the Global ATM Alliance. Small Business Banking has the following services:
- Business Checking and Savings
- Healthcare Practice Loans
- Credit Cards
- Online Banking Services
- Automotive, dealer and marine services
- Health insurance
- Trade services
Bank of America also helps small businesses to start, grow and flourish, and handles their finances as well. In the Corporate and Institutional sector the following services are provided:
- Asset Management
- Card Solutions
- Electronic Trading Services
- Mergers and Acquisitions advisory
- Private Equity Investments
- Trade Services
- Endorsed Programs
Citibank
Company Overview:
Citibank, the consumer banking division of the leading financial services firm
Citigroup, is the 3rd largest retail bank in the US based on deposits. With branch
locations and subsidiaries in over 100 countries, Citibank provides a wide gamut of
banking, investment and lending services to individuals, small businesses as well as to
investors. The bank also delivers a complete range of banking products and financial
services to meet the needs of corporations and governmental institutions. Citibank
Financial Center consists of a large network of local offices which are complemented by
electronic delivery systems, ATMs and Internet. The firm also sells products from its
parent company, and other subsidiaries of Citigroup. Citibank is headquartered in New
York. [E]
As per UBPR report on Citibank (mgt.unm.edu), Citibank is split into five divisions,
each containing one or more Citi brands: banking, credit cards, lines and loans, investing,
and planning. Each division serves individual and corporate customers, with many Citi
brands within those divisions serving customers internationally.
Services offered by Citibank
Citibank is the commercial banking arm of Citigroup, and offers basic banking
accounts, lending, and investment services to consumers and small businesses.
(http://www.mgt.unm.edu). According to the company's profile as mentioned on Data Monitor (July, 2004), Citibank offers the following products and services:
- Banking services
- Credit cards
- Mortgages
- Loans
- Investments
- Planning/Retirement solutions
- Insurance
- Small business services
- Corporate/Institutional services: Asset management, Government services, Business Insurance, Private banking
The following companies are the major competitors of Citibank:
- Bank of America Corporation
- Deutsche Bank AG
- Federal Reserve Bank of New York
- Franklin Resources, Inc.
- HSBC Holdings
- JP Morgan Chase & Co
CHAPTER 2
INFORMATION SECURITY STANDARDS
Need for Online banking Security Standards:
As mentioned in the document by Easy Solutions (2009), electronic banking platforms have been implemented as an ever more efficient channel through which banking transactions can be done without having to leave the house or office. In the end, however, these home banking platforms are web-based applications that are exposed over the Internet, making their users a very appealing target for mal-intentioned individuals. The evolution history of these attacks began more than 7 years ago, initiating what quickly became known as phishing. Its sophistication has increased on par with the new security technologies adopted by the banking industry intended to mitigate the problem.
The following graph shows the evolution of the security problem affecting e-banking platforms over the last years.
Image 1: Evolution of Threat. Retrieved from: http://www.easysol.net/newweb/images/stories/downloads/Best_security_practices_online_banking.pdf
Overview of Information Security Standards:
Information security plays an important role in protecting the assets of an organization.
As no single formula can guarantee 100% security, there is a need for a set of
benchmarks or standards to help ensure an adequate level of security is attained,
resources are used efficiently, and the best security practices are adopted. (HKSAR,
2008)
While information security plays an important role in protecting the data and assets of
an organization, we often hear news about security incidents, such as defacement of
websites, server hacking and data leakage. Organizations need to be fully aware of the
need to devote more resources to the protection of information assets, and information
security must become a top concern in both government and business. To address the
situation, a number of governments and organizations have set up benchmarks, standards
and in some cases, legal regulations on information security to help ensure an adequate
level of security is maintained, resources are used in the right way, and the best security
practices are adopted. Some industries, such as banking, are regulated, and the guidelines
or best practices put together as part of those regulations often become a de facto
standard among members of these industries. (HKSAR, 2008)
Miller, Andrew (2006) said in his article retrieved from bankinforsecurity.com that while these laws and regulations do a good job of defining the scope of information security and spelling out the role of information security in risk management, they have little to say about what constitutes effective information security or how to achieve it. Fortunately, the International Standards Organization has developed two standards that do precisely that, and by adhering to them banks can go a long way toward satisfying regulatory compliance requirements.
The two standards, ISO 17799 and ISO 27001, together provide a set of best practices
and a certification standard for information security. The standards are both derived from
a British standard, BS7799, which for many years served as the authority for information
security. BS7799 came in two parts; part one, BS7799:1, became ISO 17799, while
BS7799:2 became ISO 27001.
ISO 17799 provides best practice recommendations for initiating, implementing, or
maintaining information security management systems. Information security is defined
within the standard as the preservation of confidentiality (ensuring that information is
accessible only to those authorized to have access), integrity (safeguarding the accuracy
and completeness of information and processing methods) and availability (ensuring that
authorized users have access to information and associated assets when required).
The standard contains 12 sections: risk assessment and treatment; security policy;
organization of information security; asset management; access control; information
security incident management; human resources security; physical and environmental
security; communications and operations management; information systems acquisition,
development and maintenance; business continuity management; and compliance.
Within each section, information security control objectives are specified and a range of
controls are outlined that are generally regarded as best practices. For each control,
implementation guidance is provided. Each organization is expected to perform an
information security risk assessment prior to implementing controls.
The second standard, ISO 27001, specifies requirements for establishing,
implementing, maintaining, and improving an information security management system
consistent with the best practices outlined in ISO 17799. Previously, organizations could
only be officially certified against the British Standard (or national equivalents) by
certification/registration bodies accredited by the relevant national standards
organizations. Now the international standard can be used for certification.
ISO 27001 is the first standard in a proposed series of information security standards
which will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to
be renamed ISO 27002 in 2007. In the works is ISO 27004 - Information Security
Management Metrics and Measurement - currently in draft mode.
Certification is entirely voluntary but is increasingly being demanded from suppliers
and business partners who are concerned about information security. Certification against
ISO 27001 brings a number of benefits. Independent assessment brings rigor and
formality to the implementation process, implying improvements to information security
and associated risk reduction, and requires management approval, which promotes
security awareness. (Miller Andrew, 2006)
Information Security Standards:
The International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates with the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) on information and communications technology (ICT) standards. As mentioned in the document from HKSAR (2008), here are the commonly adopted standards and regulations for information security which have been accepted in the United States:
1. ISO/IEC 27002:2005 (Code of Practice for Information Security Management)
ISO/IEC 27002:2005 (replaced ISO/IEC 17799:2005 in April 2007) is an international
standard that originated from the BS7799-1, one that was originally laid down by the
British Standards Institute (BSI). ISO/IEC 27002:2005 refers to a code of practice for
information security management, and is intended as a common basis and practical
guideline for developing organizational security standards and effective management
practices.
This standard contains guidelines and best practices recommendations for these 10
security domains: (a) security policy; (b) organization of information security; (c) asset
management; (d) human resources security; (e) physical and environmental security; (f)
communications and operations management; (g) access control; (h) information systems
acquisition, development and maintenance; (i) information security incident
management; (j) business continuity management; and (k) compliance.
Among these 10 security domains, a total of 39 control objectives and hundreds of best-practice information security control measures are recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability. [HKSAR, 2008]
2. ISO/IEC 27001:2005 (Information Security Management System - Requirements)
The international standard ISO/IEC 27001:2005 has its roots in the technical content
derived from BSI standard BS7799 Part 2:2002. It specifies the requirements for
establishing, implementing, operating, monitoring, reviewing, maintaining and improving
a documented Information Security Management System (ISMS) within an organization.
It is designed to ensure the selection of adequate and proportionate security controls to
protect information assets. This standard is usually applicable to all types of organizations, including business enterprises, government agencies, and so on. The standard introduces a cyclic model known as the Plan-Do-Check-Act (PDCA) model that aims to establish, implement, monitor and improve the effectiveness of an organization's ISMS. The PDCA cycle has these four phases:
a) Plan phase: establishing the ISMS
b) Do phase: implementing and operating the ISMS
c) Check phase: monitoring and reviewing the ISMS
d) Act phase: maintaining and improving the ISMS
Often, ISO/IEC 27001:2005 is implemented together with ISO/IEC 27002:2005.
ISO/IEC 27001 defines the requirements for ISMS, and uses ISO/IEC 27002 to outline
the most suitable information security controls within the ISMS. ISO/IEC 27002 is a code
of practice that provides suggested controls that an organization can adopt to address
information security risks. [HKSAR, 2008]
3. ISO/IEC 15408 (Evaluation Criteria for IT Security)
The international standard ISO/IEC 15408 is commonly known as the Common
Criteria (CC). It consists of three parts: ISO/IEC 15408-1:2005 (introduction and
general model), ISO/IEC 15408-2:2005 (security functional requirements) and ISO/IEC
15408-3:2005 (security assurance requirements). This standard helps evaluate, validate,
and certify the security assurance of a technology product against a number of factors,
such as the security functional requirements specified in the standards. [HKSAR, 2008]
Hardware and software can be evaluated against CC requirements in accredited testing
laboratories to certify the exact EAL (Evaluation Assurance Level) the product or system
can attain. There are 7 EALs: EAL1 - Functionally tested, EAL2 - Structurally tested,
EAL3 - Methodically tested and checked, EAL4 - Methodically designed, tested and
reviewed, EAL5 - Semi-formally designed and tested, EAL6 - Semi-formally verified,
designed and tested, and EAL7 - Formally verified, designed and tested. A list of
accredited laboratories as well as a list of evaluated products can be found on the
Common Criteria portal. The list of products validated in the USA can be found on the
web-site of the Common Criteria Evaluation and Validation Scheme for IT Security
(CCEVS). [HKSAR, 2008]
Data Security Standard for Payment Card Industry
As per information retrieved from HKSAR, 2008, the Payment Card Industry (PCI)
Data Security Standard (DSS) was developed by a number of major credit card
companies (including American Express, Discover Financial Services, JCB, MasterCard
Worldwide and Visa International) as members of the PCI Standards Council to enhance
payment account data security. The standard consists of 12 core requirements, which
include security management, policies, procedures, network architecture, software design
and other critical measures. These requirements are organized into the following areas:
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
COBIT
The Control Objectives for Information and related Technology (COBIT) is a control
framework that links IT initiatives to business requirements, organizes IT activities into a
generally accepted process model, identifies the major IT resources to be leveraged and
defines the management control objectives to be considered. The IT Governance
Institute (ITGI) first released it in 1995, and the latest update is version 4.1,
published in 2007.
COBIT is increasingly accepted internationally as a set of guidance materials for IT
governance that allows managers to bridge the gap between control requirements,
technical issues and business risks. Based on COBIT 4.1, the COBIT Security Baseline
focuses on the specific risks around IT security in a way that is simple to follow and
implement for small and large organizations. [HKSAR, 2008]
ITIL (or ISO/IEC 20000 Series)
The Information Technology Infrastructure Library (ITIL) is a collection of best
practices in IT service management (ITSM), and focuses on the service processes of IT
and considers the central role of the user. It was developed by the United Kingdom's
Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC
20000, which is an international standard within ITSM.
An ITIL service management self-assessment can be conducted with the help of an
online questionnaire maintained on the website of the IT Service Management Forum.
The self-assessment questionnaire helps evaluate the following management areas: (a)
Service Level Management, (b) Financial Management, (c) Capacity Management, (d)
Service Continuity Management, (e) Availability Management, (f) Service Desk, (g)
Incident Management, (h) Problem Management, (i) Configuration Management, (j)
Change Management, and (k) Release Management. [HKSAR, 2008]
Information Security Regulations
In addition to the various industry standards bodies and guidelines, certain regulated
businesses, such as banking, may need to observe the regulations and guidelines specified
by their own industry or professional regulatory bodies. In this section, we briefly discuss
the US regulations SOX, COSO, HIPAA, and FISMA. [HKSAR, 2008]
SOX
After a number of high profile business scandals in the US, including Enron and
WorldCom, the Sarbanes-Oxley Act (SOX) was enacted as legislation in 2002.
This act is also known as the Public Company Accounting Reform and Investor
Protection Act. The purpose is to protect investors by improving the accuracy and
reliability of corporate disclosures made pursuant to the securities laws, and for other
purposes. This regulation affects all companies listed on stock exchanges in the US. As
information technology plays a major role in the financial reporting process, IT controls
would need to be assessed to see if they fully satisfy this SOX requirement.
Although information security requirements have not been specified directly in the
Act, there would be no way a financial system could continue to provide reliable
financial information, whether due to possible unauthorized transactions or manipulation
of numbers, without appropriate security measures and controls in place. SOX
requirements indirectly compel management to consider information security controls on
systems across the organization in order to comply with SOX.
COSO
The COSO (Committee of Sponsoring Organizations of the Treadway Commission)
framework establishes an integrated process of internal controls. It helps
improve ways of controlling enterprises by evaluating the effectiveness of internal
controls. It contains five components:
1. Control Environment, including factors like integrity of people within the organization
and management authority and responsibilities;
2. Risk Assessment, aiming to identify and evaluate the risks to the business;
3. Control Activities, including the policies and procedures for the organization;
4. Information and Communication, including identification of critical information to the
business and communication channels for delivering control measures from management
to staff;
5. Monitoring, including the process used to monitor and assess the quality of all internal
control systems over time.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law
designed to improve the portability and continuity of health insurance coverage in both
the group and individual markets, and to combat waste, fraud, and abuse in health
insurance and health care delivery as well as other purposes. The Act defines security
standards for healthcare information, and it takes into account a number of factors
including the technical capabilities of record systems used to maintain health information,
the cost of security measures, the need for training personnel, the value of audit trails in
computerized record systems, and the needs and capabilities of small healthcare
providers. A person who maintains or transmits health information is required to maintain
reasonable and appropriate administrative, technical, and physical safeguards to ensure
the integrity and confidentiality of that information. In addition, the information should
be properly protected from threats to the security and integrity of that information,
unauthorized uses, or unauthorized disclosure.
The full set of rules regarding adoption of the HIPAA standards for the security of
electronic health information and privacy of personal health information can be found in
US Department of Health and Human Services website.
FISMA
FISMA stands for Federal Information Security Management Act, and is a part of the
US E-Government Act (Public Law 107-347) that became legislation in 2002. It requires
US federal agencies to develop, document, and implement an agency-wide programme to
provide information security for the information (and information systems) that support
the operations and assets of the agency. Some of the requirements include:
1. Periodic risk assessments of information and information systems that support the
operations and assets of the organization
2. Risk-based policies and procedures designed to reduce information security risks to an
acceptable level
3. Plans for providing adequate security for networks and information systems
4. Security awareness training to all personnel, including contractors
5. Periodic evaluation and testing of the effectiveness of the security policies, procedures
and controls. The frequency should not be less than annual. Remedial action to address
any deficiencies found should be properly managed.
6. A working and tested security incident handling procedure
7. A business continuity plan in place to support the operation of the organization.
Summary
Although there are a number of information security standards available, an
organization can only benefit if those standards are implemented properly. Security is
something that all parties should be involved in. Senior management, information
security practitioners, IT professionals and users all have a role to play in securing the
assets of an organization. The success of information security can only be achieved by
full cooperation at all levels of an organization, both inside and outside. [HKSAR, 2008]
CHAPTER 3
ONLINE SECURITY BREACHES
Introduction
Security breaches can have a far-reaching impact not only on a company's finances, but
on its reputation as well. As mentioned in the white paper by Safenet (Pg-3, 2010),
companies are required to prove their compliance with these regulations and will be
held liable for their failure to do so. There is an expectation from customers, employees,
and partners - anyone that entrusts a company with their sensitive information - that this
information will be protected. Financial organizations must consider all of the potential
damage that can be done to their business if sensitive data is lost or stolen - lawsuits,
negative publicity, loss of sales and customer confidence, and permanently tarnished
reputations. Studies have shown that the financial services industry has become a primary
target of cyber-attacks on a global scale. This is not surprising considering the highly
valuable information that all FSPs collect and maintain on a daily basis.
Threat Categories
Bonnette, Cynthia (Pg. 9-Pg. 11, July 2003) mentions in her white paper that the
process of threat identification begins with an understanding of the financial institution's
environment, including its business strategy, information systems, policies and
procedures, human stakeholders (management, employees, customers), and physical
resources (facilities, equipment). Each of these factors will impact potential threat
sources, their motivation, method, and consequences. An understanding of threats can
best be achieved by grouping them into categories. Three intuitive categories include
human, non-human, and mixed threats. Specific examples include the following:
Human: People-based threats can include individuals from inside and outside the
organization. This represents the broadest category with a wide range of capabilities and
motivations. Within this broad category, a number of subgroups can be identified for
independent assessment:
Hackers - These individuals are characterized by their strong interest in computer
technology and desire to learn more by playing with systems and testing their
capabilities. Often this involves testing systems they do not own.
Crackers - This group is distinguished from hackers by their more malicious
intentions. While claiming a strong interest in technology, their goals tend to be criminal
in nature (e.g., theft, destruction, or denial of service to data or systems).
Insiders - This group includes a wide range of individuals with some degree of
legitimate access to an organization's systems (e.g., full and part time employees at all
levels, consultants, contractors, etc.). These individuals may cause harm out of malicious
intent or innocently damage systems due to error.
Partners - Service providers, vendors, business partners, and their employees
present similar concerns as insiders. Their access to information systems and data can
lead to intentional or unintentional damage or compromise.
Competitors - Foreign or domestic competitors may seek to gain an advantage by
exploiting information systems. This may be done with the assistance of hired crackers or
others to gain unauthorized access to sensitive corporate data.
Terrorists - This group may include political or social organizations that seek to
gain attention and influence through disruptive and harmful acts. Terrorist attacks can be
both targeted and random.
Non-human: The category of non-human threats includes all types of natural
disasters such as fires, floods, earthquakes, tornadoes, hurricanes, and severe storms.
Generally, this category of threat sources consists of non-targeted events (i.e., a financial
institution is not singled out by the threat source). However, based on the geographic
location, and other circumstances, the possibility of experiencing an event involving one
of these non-human threats may be more or less likely.
Mixed: This category consists of threat sources that are characterized by a blend
of human and non-human involvement. Examples include malicious code (Trojan horses,
viruses, worms, etc.) that is originally created by a person, but then takes on a life of its
own on the Internet. Such mixed threats may be targeted at specific financial institutions
or they may attack randomly.
In CERT's OCTAVE Method, threat scenarios are developed based on known attack
sources and expected outcomes. [Bonnette, Cynthia. (July, 2003)]
The Threat Environment
As mentioned in the Safenet white paper (Pg.5-Pg.8, 2010), financial services
providers are faced with complex challenges that directly affect their bottom line and,
potentially, their very survival in a high-churn market. Protecting sensitive and critical
data, no matter where it resides, and ensuring that only the appropriate persons have
access to that data, should be a core requirement of every company's security strategy.
With the rising incidence of threats to sensitive data, and increasing requirements to
protect that data, organizations must focus squarely on their security infrastructure. For
financial services organizations, the importance of protecting financial data and assets,
and retaining the trust of their customers, employees, and business partners, cannot be
overstated.
Phishing - Although passwords can also be obtained through less sophisticated means
such as eavesdropping, guessing, dumpster diving, and shoulder-surfing, phishing is a
common form of cybercrime typically carried out through e-mail or instant messaging,
providing links or instructions that direct the recipient to a fraudulent Web site
masquerading as a legitimate one. The unsuspecting user enters personal information
(such as user names, passwords, Social Security Numbers, and credit card/account
numbers), which is then collected by the hacker. Of particular attraction to phishing scams
are online banking, payment services, and social networking sites.
Password Database Theft - Stolen user credentials are a valuable commodity and,
often times, cybercrime rings operate solely to obtain this information and sell it to the
highest bidder or use it themselves to access user accounts. Hackers steal user data and
passwords from one web site operator to hack other sites. Since many people use the
same user ID and password combination for multiple sites, the attacker can hack
additional accounts that the user has.
The Sinowal Trojan is a well-known attack developed by a cybercrime group several
years ago that is responsible for the theft of login credentials of approximately 300,000
online bank accounts and almost as many credit card accounts. In late 2009, Microsoft
Hotmail, Google Gmail, Yahoo, and AOL were victims of phishing attacks that exposed
thousands of e-mail account user IDs and passwords.
Man-in-the-Middle (MitM) - In this type of threat, the attacker can actively inject
messages of its own into the traffic between the user's machine and the authenticating
server. One approach for MitM attacks involves pharming, which involves the use of
malicious network infrastructure, such as malicious wireless access points or
compromised DNS servers, to redirect users from the legitimate site they are trying to
access to a malicious fraudulent Web site that captures the user credentials and acts on
behalf of the user to perform malicious activities.
Man-in-the-Browser (MitB) - MitB is a Trojan horse program, a variant of a MitM
attack, that infects the user's Internet browser and inserts itself between the user and the
Web browser, modifying and intercepting data sent by the user before it reaches the
browser's security mechanism. A MitB attack has the ability to modify Web pages and
transaction content in a manner that is undetectable by the user and host application. It
operates in a stealth manner with no detectable signs to the user or the host application.
Silent Banker is a well-known example of a MitB attack targeted at bank transactions. It
uses a Trojan program to intercept and modify the transaction, and then redirect it into the
attacker's account.
Identity Theft - Identity theft refers to all types of crime in which someone illicitly
obtains and uses another person's personal data through deception or fraud, typically for
monetary gain. With enough personal information about an individual, a criminal can
assume that individual's identity to carry out a wide range of crimes. Identity theft occurs
through a wide range of methods - from very low-tech means, such as check forgery and
mail theft, to more high-tech schemes, such as computer spyware and social network data
mining. The following table illustrates well-known social Web sites that have been
attacked.
Abangale, Frank W. (Pg.5-Pg.9, 2006-2007) also mentions, on the41.com, some threats
related to online banking security. They are as follows:
Pharming - Poisoning the DNS cache on the user's PC so it appears to access the
correct URL, when in reality it is redirecting the browser to a spoofed site; this can also
be done to a DNS server, which poisons an entire region.
Spoofed Site - Presenting a link to a fake site that looks and feels like the original
financial institution or merchant site.
Duress - Using e-mail or calling the user with a threat of shutting down the account if
they fail to respond and provide their user credentials.
Malware - Installing malicious software on the user's PC to collect information
through keyboard logging, screenshots and file searches.
Session Hijacking - Using an authenticated session (after the user authenticated) to
mimic a new session and conduct transactions from the compromised account.
IVR Spoofing - Faking Interactive Voice Response (IVR) systems that call on users to
dial and provide their account information and/or credentials.
Cookie Theft - Theft of software cookies that are used to assume the victim's digital
identity.
Shoulder Surfing - Viewing of sensitive information over the shoulder of an
authenticated user (i.e. if a user views check images online or at a physical ATM / teller
location).
Table 1: Security Breaches Retrieved from Safenet (Pg.5-Pg.8, 2010)
Anatomy of an Incident
According to the document by Gideon T. Rasmussen (2008), Bank of America, on e-
commerce payment card security, the anatomy of incidents can be drawn from previously
hacked websites and their patterns. He mentions that hackers attack via common
infrastructure and web application vulnerabilities. They use newly discovered exposures
such as the Kaminsky Domain Name Service vulnerability, which caused administrators
to scramble to patch affected systems recently. Hackers also use obscure, legacy attacks
such as session replay (where the hacker provides an authorized user with a session id,
monitors for its use and hijacks the session). Gideon T. Rasmussen (2008) also said that
they follow trends, such as compromise of data in transmission across internal private
networks. A compromise may be detected by the merchant, a service provider or Visa
common point of purchase fraud investigations.
Visa has documented the following indications of a security breach:
- Unknown or unexpected outgoing Internet network traffic from the cardholder environment
- Presence of unexpected IP addresses on store and wireless networks
- Unknown or unexpected network traffic from store to headquarter locations
- Unknown or unexpected services and applications configured to launch automatically on system boot
- Anti-virus programs malfunctioning or becoming disabled for unknown reasons
- Failed login attempts in system authentication and event logs
- Vendor or third-party connections to the cardholder environment without prior consent and/or a trouble ticket
- SQL Injection attempts in web server event logs
- Authentication event log modifications (i.e. unexplained event logs being deleted)
- Suspicious after-hours file system activity
- Presence of .zip, .rar, .tar, and other types of unidentified compressed files containing cardholder data
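Three of the indicators above (SQL injection attempts in web server logs, failed logins in authentication logs, and unidentified compressed files written after hours) can be checked mechanically. The following is an added example, not code from the paper or from Visa; the log lines, file listing, thresholds and archive whitelist are constructed for illustration.

```python
"""Scan constructed sample logs for breach indicators from the Visa list above."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed web server access log lines (Apache combined-log style).
WEB_LOG = """\
203.0.113.5 - - [12/Mar/2011:02:14:07 -0500] "GET /account?id=1042 HTTP/1.1" 200 5123
203.0.113.5 - - [12/Mar/2011:02:14:09 -0500] "GET /account?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 51230
198.51.100.9 - - [12/Mar/2011:02:15:31 -0500] "GET /login?user=admin%27--&pw=x HTTP/1.1" 302 0
203.0.113.5 - - [12/Mar/2011:02:16:02 -0500] "GET /search?q=shoes+UNION+SELECT+pan,cvv+FROM+cards HTTP/1.1" 500 0
192.0.2.44 - - [12/Mar/2011:09:01:00 -0500] "GET /search?q=union+jack+flag HTTP/1.1" 200 812
"""

# Constructed authentication log lines (syslog style).
AUTH_LOG = """\
Mar 12 02:20:01 web01 sshd[411]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar 12 02:20:03 web01 sshd[411]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar 12 02:20:05 web01 sshd[411]: Failed password for oracle from 203.0.113.5 port 50124 ssh2
Mar 12 02:20:07 web01 sshd[411]: Failed password for admin from 203.0.113.5 port 50125 ssh2
Mar 12 02:20:09 web01 sshd[411]: Failed password for admin from 203.0.113.5 port 50126 ssh2
Mar 12 08:30:10 web01 sshd[902]: Failed password for jsmith from 192.0.2.44 port 61000 ssh2
Mar 12 08:30:15 web01 sshd[902]: Accepted password for jsmith from 192.0.2.44 port 61000 ssh2
"""

# Constructed listing of a web server's files: (path, owner, hour of last write).
FILE_LISTING = [
    ("/var/www/html/index.html", "www-data", 14),
    ("/var/www/html/images/logo.png", "www-data", 14),
    ("/var/www/html/tmp/cards_0312.rar", "www-data", 3),   # unknown archive, 3 a.m.
    ("/var/www/html/tmp/x.zip", "www-data", 2),
    ("/var/backups/site-backup.tar", "root", 1),            # known scheduled backup
]

# Request fragments that commonly signal SQL injection probing. The path is
# URL-decoded first so percent-encoding does not hide the attempt.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'", re.I),      # quote-OR-quote tautology
    re.compile(r"'\s*--"),                       # quote followed by SQL comment
    re.compile(r"\bunion\s+select\b", re.I),     # UNION SELECT extraction
]
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def sqli_attempts(log_text):
    """Return (client_ip, decoded_path) for each request matching an injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), unquote_plus(m.group(2))
        if any(p.search(path) for p in SQLI_PATTERNS):
            hits.append((ip, path))
    return hits

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")

def failed_login_sources(log_text, threshold=3):
    """Return {ip: failures} for sources with at least `threshold` failed logins."""
    counts = Counter(m.group(2) for line in log_text.splitlines()
                     if (m := FAILED_RE.search(line)))
    return {ip: n for ip, n in counts.items() if n >= threshold}

ARCHIVE_EXT = (".zip", ".rar", ".tar", ".7z", ".gz")
KNOWN_ARCHIVES = {"/var/backups/site-backup.tar"}   # whitelist of expected archives

def suspicious_archives(listing, business_hours=(7, 19)):
    """Flag archives not on the whitelist and note whether they were written after hours."""
    start, end = business_hours
    flagged = []
    for path, _owner, hour in listing:
        if path.endswith(ARCHIVE_EXT) and path not in KNOWN_ARCHIVES:
            when = "business-hours" if start <= hour < end else "after-hours"
            flagged.append((path, when))
    return flagged

if __name__ == "__main__":
    for ip, path in sqli_attempts(WEB_LOG):
        print("SQLi attempt from", ip, "->", path)
    print("brute-force sources:", failed_login_sources(AUTH_LOG))
    print("unidentified archives:", suspicious_archives(FILE_LISTING))
```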
CHAPTER 4
SECURITY BEST PRACTICES
Computer Security Best Practices
The following standard computer security best practices can protect your transactions
and business. It has been retrieved from Authorize.net article Security Best Practices
(Pg.6, 2005-2006).
Install a Firewall
A firewall is a hardware or software solution that monitors the activity of external
connections (primarily the Internet) to an internal network of servers. Firewalls help to
eliminate unauthorized or unwanted external activity and safeguard your network and
connections from outside threats.
Store All Sensitive or Confidential Information Separate from Web Servers
For maximum information security, you should never store sensitive customer
information, such as credit card numbers. If for some reason it is necessary to store this
data, do so in a secure, encrypted database on a server that is not connected to the
Internet. If sensitive information is stored in hard copy, thoroughly shred and dispose of
the information on a regular basis.
Use Anti-Virus Software and Update It Often
Anti-virus software is another important way to protect your network and computer
systems from outside vulnerabilities. This software should be updated on a regular basis.
Regularly Download and Install Security Updates
Software performance and security can be optimized by installing all service and
security updates. If you ever need to reinstall your software, remember to reinstall all
updates.
Avoid File Sharing
Share access to network drives and individual computers only with needed, trustworthy
users. Especially avoid sharing access to files that store passwords and other confidential
or sensitive information.
Avoid Sending or Requesting Confidential Information via Insecure Methods
As a standard security practice, legitimate businesses will never request confidential
information (such as credit card information or passwords) from you in an e-mail or
online chat session. Your business should also never request or submit confidential
information via e-mail or other insecure methods. If you receive a communication
requesting you to submit confidential information in an insecure manner, always call the
soliciting business to confirm the request before responding.
E-commerce Security Best Practices
Following are the Security Best practices based on the document by Gideon T.
Rasmussen (2008), Bank of America on E-commerce payment card security:
1. Comply with the PCI Data Security Standard (DSS). Use the PCI DSS as a reference
document. It contains PCI requirements and testing procedures used by assessors.
Additional PCI guidance can be found in navigating the DSS and PCI information
supplements.
2. Protect card data in storage and transmission. Render card numbers unreadable
anywhere they are stored (DSS requirement 3.4). Options for secure storage include
strong encryption, truncation, and hashing. Use strong encryption to safeguard card data
in transmission across public networks (requirement 4.1). As a best practice, encrypt card
data across internal networks between web, application and database servers.
3. Do not store prohibited data. E-commerce merchants often provide the ability for
customers to store their card number in order to make future transactions. Under PCI
standards, it is forbidden to store CVV2 data (the three digit number on the back of a
card). Hackers can use CVV2 codes combined with card numbers to conduct fraudulent
transactions.
4. Focus on data flow. Ensure appropriate controls are in place anywhere card data is
stored, processed or transmitted. This key DSS directive is absolutely critical to keeping
card data secure.
5. Implement world class network security. The DSS provides detailed requirements for
network security via router and firewall configurations, demilitarized zone networks,
databases on an internal network, etc.
6. Harden systems against attack. Configure operating systems and commercial
applications in accordance with industry standard hardening guides. Install anti-virus and
malware protection software. Install relevant security patches within 30 days.
7. Actively manage software development. Develop custom applications in accordance
with an industry standard methodology. Refer to the Secure Software Development Life
Cycle Processes document as a resource. Ensure the security team is involved in
development initiatives. Hire developers with secure coding experience. Establish a
targeted security awareness program for developers.
8. Evaluate web-facing applications. DSS requirement 6.6 provides two options: conduct
code reviews or implement application firewalls.
9. Perform penetration testing. Establish a penetration testing program in accordance with
DSS requirement. Adopt a well-regarded penetration testing methodology such as the
Open Source Security Testing Methodology Manual (OSSTMM) or the Information
System Security Framework (ISSAF). Penetration testing is critical to the security of
networked devices and web applications.
10. Conduct network scans. For improved security posture, increase scan frequency to
once a month. Scanning once a quarter may leave a vulnerability undiscovered for 90
days, increasing the risk of compromise.
11. Use secure payment applications. Use software from Visa's List of Validated
Payment Applications as a best practice.
12. Have emphasis on detective controls. A layered monitoring program is necessary to
detect attacks and provide forensic information for incident response. If an incident
occurs, the goal should be to detect it early on and limit further data compromise.
13. Monitor for new threats and vulnerabilities. New vulnerabilities are detected daily.
14. Thoroughly evaluate service providers. Merchants are liable when card data is shared
with a service provider. Therefore, it is prudent to thoroughly evaluate their security
controls based upon services provided.
15. Evaluate custom application functionality. Conduct a review of existing card
applications. Determine if authorized access to card data is appropriately restricted by
business need. For example, if an end users duties only require access to one card
number at a time, ensure controls are in place to limit access by those constraints.
16. Implement fraud detection measures. Monitor access to card data for fraudulent
activity. [Gideon T. Rasmussen. Bank of America E-commerce payment card security]
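Items 2 and 3 above (render stored card numbers unreadable per DSS requirement 3.4, and never store CVV2) can be enforced in the code path that writes card records. The following is an added example, not code from the paper, Bank of America or the PCI Council; the HMAC key, the 4111111111111111 test number and the field names are constructed. A keyed hash is used rather than a plain digest because the space of valid card numbers is small enough to enumerate once the first six and last four digits are known.

```python
"""Truncation, keyed hashing and a CVV2-refusing record builder for card data."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed HMAC key; in practice it lives in a key store, never in the card database.
HASH_KEY = b"constructed-example-key-do-not-use"

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to reject typos before any storage decision."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of the full PAN so a returning card can be matched without storing it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class StoredCard:
    pan_truncated: str
    pan_hmac: str
    expiry: str     # MM/YY; permitted to store

# Sensitive authentication data that must never be persisted after authorization,
# under the field names it is usually passed around as (constructed list).
PROHIBITED_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track", "track1", "track2", "pin"}

def build_record(pan: str, expiry: str, **extra) -> StoredCard:
    """Build the only form of the card that may be written to the database."""
    bad = PROHIBITED_FIELDS & {k.lower() for k in extra}
    if bad:
        raise ValueError(f"refusing to store prohibited data: {sorted(bad)}")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return StoredCard(truncate_pan(pan), hash_pan(pan), expiry)

def matches_stored(pan: str, record: StoredCard) -> bool:
    """Compare a presented PAN against a stored record without timing leaks."""
    return hmac.compare_digest(hash_pan(pan), record.pan_hmac)

if __name__ == "__main__":
    # 4111111111111111 is a widely published test number, not a real account.
    rec = build_record("4111111111111111", "12/13")
    print(rec)
    print("returning card matches:", matches_stored("4111111111111111", rec))
```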
Role of Authentication in an Internet Banking Environment
On August 8, 2001, the FFIEC agencies (agencies) issued guidance entitled
Authentication in an Electronic Banking Environment (2001 Guidance). All the
following material on authentication is retrieved from a document by the Federal
Financial Institutions Examination Council (N.A.) on Authentication in an Internet
Banking Environment (www.ffiec.gov). The 2001 Guidance focused on risk
management controls necessary to authenticate the identity of retail and commercial
customers accessing Internet-based financial services. Financial institutions offering
Internet-based products and services to their customers should use effective methods to
authenticate the identity of customers using those products and services. Consistent with
the FFIEC Information Technology Examination Handbook, Information Security
Booklet, December 2002, financial institutions should periodically:
- Ensure that their information security program:
  - Identifies and assesses the risks associated with Internet-based products and services,
  - Identifies risk mitigation actions, including appropriate authentication strength, and
  - Measures and evaluates customer awareness efforts;
- Adjust, as appropriate, their information security program in light of any relevant
changes in technology, the sensitivity of its customer information, and internal or
external threats to information; and
- Implement appropriate risk mitigation strategies.
Financial institutions engaging in any form of Internet banking should have effective and
reliable methods to authenticate customers. An effective authentication system is
necessary for compliance with requirements to safeguard customer information to prevent
money laundering and terrorist financing to reduce fraud, to inhibit identity theft, and to
promote the legal enforceability of their electronic agreements and transactions. The risks
of doing business with unauthorized or incorrectly identified persons in an Internet
banking environment can result in financial loss and reputation damage through fraud,
disclosure of customer information, corruption of data, or unenforceable agreements.
Existing authentication methodologies involve three basic factors:
Something the user knows (e.g., password, PIN);
Something the user has (e.g., ATM card, smart card); and
Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to
compromise than single-factor methods. Accordingly, properly designed and
implemented multifactor authentication methods are more reliable and stronger fraud
deterrents.
Authentication Techniques, Processes, and Methodologies
Shared Secrets
Shared secrets (something a person knows) are information elements that are known or
shared by both the customer and the authenticating entity. Passwords and PINs are the
best known shared secret techniques but some new and different types are now being
used as well.
Tokens
Tokens are physical devices (something the person has) and may be part of a multifactor
authentication scheme. Three types of tokens are discussed here: the USB token device,
the smart card, and the password-generating token.
USB Token Device
The USB token device is typically the size of a house key. It plugs directly into a
computer's USB port and therefore does not require the installation of any special
hardware on the user's computer. Once the USB token is recognized, the customer is
prompted to enter his or her password (the second authenticating factor) in order to gain
access to the computer system.
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to
store and process data. Inclusion of the microprocessor enables software developers to
use more robust authentication schemes. To be used, a smart card must be inserted into a
compatible reader attached to the customer's computer. If the smart card is recognized as
valid (first factor), the customer is prompted to enter his or her password (second factor)
to complete the authentication process.
Password-Generating Token
A password-generating token produces a unique pass-code, also known as a one-time
password (OTP), each time it is used. The token ensures that the same OTP is not used
consecutively. The OTP is displayed on a small screen on the token. The customer first
enters his or her user name and regular password (first factor), followed by the OTP
generated by the token (second factor). The customer is authenticated if (1) the regular
password matches and (2) the OTP generated by the token matches the password on the
authentication server. A new OTP is typically generated every 60 seconds; in some
systems, every 30 seconds. This very brief period is the life span of that password. OTP
tokens generally last 4 to 5 years before they need to be replaced.
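The following is an added illustration of the server side of the password-plus-OTP check just described; it is not code from this thesis or from any bank's system. It assumes a time-based token of the RFC 6238 kind (HMAC-SHA1 over a counter derived from a 30-second time step, using the RFC's published test seed) and constructed sample credentials: the password, its salt and hash, the seed, and the one-step clock-skew window are all example choices. It also implements, on the server, the property the text attributes to the token, that the same OTP cannot be accepted twice: the server remembers the last time step it accepted and refuses anything at or before it.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample credentials for this example (not real customer data).
PASSWORD_SALT = b"example-salt-0001"
# PBKDF2 hash of the constructed password "correct horse battery" (first factor: something known).
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", PASSWORD_SALT, 100_000)
# Seed shared between the token and the authentication server (RFC 6238 test seed, ASCII "12345678901234567890").
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 30   # the text notes 30 s in some systems, 60 s in others
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(seed, at_time // step)


class OtpAuthenticator:
    """Server-side two-factor check: regular password (something known) plus token OTP (something had)."""

    def __init__(self, password_hash: bytes, salt: bytes, seed: bytes, step: int = STEP_SECONDS):
        self.password_hash = password_hash
        self.salt = salt
        self.seed = seed
        self.step = step
        self.last_counter = -1   # highest time step already accepted; prevents OTP replay

    def _password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)

    def authenticate(self, password: str, otp: str, now: int) -> bool:
        """Both factors must pass: (1) password matches, (2) OTP matches a fresh time step."""
        if not self._password_ok(password):
            return False
        counter = now // self.step
        # Accept the current step and one step either side to tolerate clock skew
        # (example choice), but never a step at or below the last accepted one.
        for candidate in (counter - 1, counter, counter + 1):
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.seed, candidate), otp):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    shown = totp(TOKEN_SEED, now)               # what the customer reads off the token screen
    server = OtpAuthenticator(PASSWORD_HASH, PASSWORD_SALT, TOKEN_SEED)
    print("token shows:", shown)
    print("login ok:", server.authenticate("correct horse battery", shown, now))
    print("replay ok:", server.authenticate("correct horse battery", shown, now + 1))
```

The counter values 0, 1 and 2 reproduce the RFC 4226 reference codes 755224, 287082 and 359152, which is a quick way to confirm a token and server agree on the seed before a customer is enrolled.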
Biometrics
Biometric technologies identify or authenticate the identity of a living person on the basis
of a physiological or physical characteristic (something a person is). Physiological
characteristics include fingerprints, iris configuration, and facial structure. Physical
characteristics include, for example, the rate and flow of movements, such as the pattern
of data entry on a computer keyboard. The process of introducing people into a
biometrics-based system is called enrollment. In enrollment, samples of data are taken
from one or more physiological or physical characteristics; the samples are converted into
a mathematical model, or template; and the template is registered into a database on
which a software application can perform analysis.
Biometric identifiers are most commonly used as part of a multifactor authentication
system, combined with a password (something a person knows) or a token (something a
person has).
Various biometric techniques and identifiers are being developed and tested; these
include:
Fingerprint recognition;
Face recognition;
Voice recognition;
Keystroke recognition;
Handwriting recognition;
Finger and hand geometry;
Retinal scan; and
Iris scans.
Two biometric techniques that are increasingly gaining acceptance are fingerprint
recognition and face recognition.
Non-Hardware-Based One-Time-Password Scratch Card
Scratch cards (something a person has) are less-expensive, low-tech versions of the
OTP-generating tokens discussed previously. The card, similar to a bingo card or map
location look-up, usually contains numbers and letters arranged in a row-and-column
format, i.e., a grid. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user
name and password in the established manner. Assuming the information is input
correctly, the customer will then be asked to input, as a second authentication factor, the
characters contained in a randomly chosen cell in the grid. The customer will respond by
typing in the data contained in the grid cell element that corresponds to the challenge
coordinates.
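The grid challenge-response just described, as an added example that is not part of the original thesis: a small Python model of the server's side, with a constructed 5x5 card (rows A to E, columns 1 to 5, three-character cells), a randomly chosen coordinate as the challenge, and a constant-time comparison of the customer's answer. Burning each coordinate after it has been challenged once, and tying each challenge to a session, are design choices of this example rather than requirements stated in the text.

```python
import hmac
import secrets
import string

# Constructed card layout for this example: 5 rows x 5 columns, 3 characters per cell.
ROWS = "ABCDE"
COLS = "12345"
CELL_LEN = 3
ALPHABET = string.ascii_uppercase + string.digits


def make_card(rng=secrets):
    """Issue a new card: a mapping from coordinate (e.g. "B3") to the cell's characters.

    The issuer prints this grid on the physical card and keeps the same mapping
    server-side. `rng` only needs a .choice() method, so random.Random(seed)
    can be substituted when a reproducible card is wanted.
    """
    return {
        row + col: "".join(rng.choice(ALPHABET) for _ in range(CELL_LEN))
        for row in ROWS
        for col in COLS
    }


class ScratchCardAuthenticator:
    """Server-side second factor: challenge a grid cell, verify the typed contents."""

    def __init__(self, card):
        self.card = card          # grid shared with the customer
        self.used = set()         # coordinates already challenged (never re-asked)
        self.pending = {}         # session id -> coordinate currently being asked

    def challenge(self, session):
        """Pick an unused cell at random and record it against the session."""
        unused = [coord for coord in self.card if coord not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; issue the customer a new card")
        coord = secrets.choice(unused)
        self.used.add(coord)      # burn the cell as soon as it is revealed in a challenge
        self.pending[session] = coord
        return coord

    def verify(self, session, response):
        """Check the customer's answer for the session's outstanding challenge."""
        coord = self.pending.pop(session, None)   # exactly one answer per challenge
        if coord is None:
            return False
        expected = self.card[coord].encode()
        answer = response.strip().upper().encode()
        # Constant-time comparison, so a wrong answer does not leak how much of it matched.
        return hmac.compare_digest(expected, answer)


if __name__ == "__main__":
    card = make_card()
    server = ScratchCardAuthenticator(card)
    coord = server.challenge("session-1")
    print("Enter the characters printed in cell", coord)
    print("Customer answers from the card:", server.verify("session-1", card[coord]))
```

The challenge is issued only after the user name and password have been accepted, exactly as the text orders the two factors; `make_card` runs once at issuance, while `challenge` and `verify` run on every login until the card is exhausted and must be replaced.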
Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the
individual originating a transaction to be verified through a channel different from the
one the customer is using to initiate the transaction. This type of layered authentication
has been used in the commercial banking/brokerage business for many years.
Internet Protocol Address (IPA) Location and Geo-Location
One technique to filter an online transaction is to know who is assigned to the requesting
Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned
either by an Internet Service Provider or as part of the users network. If all users were
issued a unique IPA that was constantly maintained on an official register, authentication
by IPA would simply be a matter of collecting IPAs and cross-referencing them to their
owners. However, IPAs are not owned, may change frequently, and in some cases can be
spoofed. Additionally, there is no single source for associating an IPA with its current
owner, and in some cases matching the two may be impossible.
Geo-location technology is another technique to limit Internet users by determining
where they are or, conversely, where they are not. Geo-location software inspects and
analyzes the small bits of time required for Internet communications to move through the
network. These electronic travel times are converted into cyberspace distances. After
these cyberspace distances have been determined for a user, they are compared with
cyberspace distances for known locations. If the comparison is considered reasonable, the
user's location can be authenticated. If the distance is considered unreasonable or for
some reason is not calculable, the user will not be authenticated.
Customer Verification Techniques
Customer verification is a related but separate process from that of authentication.
Customer verification complements the authentication process and should occur during
account origination. Verification of personal information may be achieved in three ways:
Positive verification to ensure that material information provided by the applicant
matches information available from trusted third party sources. More specifically, a
financial institution can verify a potential customer's identity by comparing the
applicant's answers to a series of detailed questions against information in a trusted
database.
Logical verification to ensure that information provided is logically consistent (e.g.,
do the telephone area code, ZIP code, and street address match).
Negative verification to ensure that information provided has not previously been
associated with fraudulent activity.
CHAPTER 5
CONSEQUENCES OF POOR ONLINE SECURITY
Consequences of Poor Online Security
As per a white paper by Osterman Research (2011), the problems associated with
security exploits impact just about every aspect of an organization:
Decrease in employee and IT staff productivity
Employees waiting for malware to be removed from their computers will be
significantly less productive during these downtime periods; in some cases, 100% less
productive. Further, any sort of messaging or Web exploit will require IT staff to address
the issue as soon as possible after the problem is discovered. This can lead to IT staff
working on weekends, the delay of various IT projects, rebuilding desktops, and other
costs that may be difficult to estimate. Security exploits can also lead to extended email
or other service outages that can have serious ramifications on user productivity.
Financial losses
Loss of funds that arise from the use of malware like Zeus that is designed to steal
money from victims' financial accounts can have a devastating impact on an organization.
Just one of the many examples of Zeus victims is Parkinson Construction, a firm with
$20 million in annual revenue that lost $92,000, nearly 0.5% of its annual revenue, simply
because the owner of the firm clicked on an email claiming to be from the Social Security
Administration.
Loss of customer data
Data breaches can result in the need to remediate them in expensive ways, such as
notifying customers via postal mail that their data was lost, provision of credit reporting
services to the victims for a year or longer, loss of future business, embarrassing press
coverage and loss of goodwill. The Ponemon Institute has determined that the cost of a
single data breach ranges from $98 in the United Kingdom to $204 in the United States.
Loss of internal data
Trade secrets, confidential information and other intellectual property can be lost as a
result of poor security. These losses can occur across a wide range of venues and
activities, including sensitive content that is mistakenly sent in an email or an
unencrypted file transfer, data that is lost on an unencrypted mobile device or flash drive,
or data that is taken home by employees and stored without any IT controls (Osterman
Research, 2011).
Violation of statutes and compliance requirements
If adequate security defenses are not maintained, organizations can run afoul of a wide
variety of statutes that require data to be protected and retained. Osterman Research
(2011) also mentions that decision makers in one out of five organizations do not know
which compliance laws apply to their organization. A small sampling of these statutes
includes the following:
The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set
of requirements for protecting the security of consumers' and others' payment
account information. It includes provisions for building and maintaining a secure
network, encrypting cardholder data when it is sent over public networks and
assigning unique IDs to each individual that has access to cardholder information.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions that hold
personal information to transmit and store this information in such a way that its
integrity is not compromised. GLBA requires financial institutions to comply with
a variety of Securities and Exchange Commission and NASD rules.
The UK Data Protection Act imposes requirements on businesses operating in the
United Kingdom to protect the security of the personal information they hold.
Japan's Personal Data Protection Law is designed to protect consumers' and
employees' personal information. It includes provisions for ensuring the security
and disclosure of databases that contain this information, among other
requirements.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is
a Canadian privacy law that applies to all companies operating in Canada. Like
many other privacy laws, it requires that personal information be stored and
transmitted securely.
California's SB1386 (the Database Security Breach Notification Act) is a far-reaching
law that requires any holder of personal information about a California
resident, regardless of where they are located, to notify each resident whose
information may have been compromised in some way. Since California passed
this groundbreaking data breach notification law, most other US states have
passed similar laws. These laws require organizations to notify customers and
others for whom sensitive data is held if their data is exposed to an unauthorized
party, an expensive proposition in almost every case.
Other issues
Osterman Research (2011) also mentions that there are a number of other problems that
can occur from malware and other threats delivered via email, the Web, Web 2.0
applications and other capabilities, including:
Internet service outages, which can create serious problems for core business
services such as email, collaboration, and cloud-based CRM systems. Related to
these outages are the potential for data leakage, and lack of compliance with
monitoring capabilities and archiving requirements when employees use personal
Webmail systems to send corporate data.
Web sites being taken down for long periods in order to patch the code to
eliminate an exploit.
The exposure of FTP and other login credentials to attackers and other
cybercriminals.
The download of malware that can turn corporate and home-based computers into
zombies used as part of a bot network.
Users downloading illegal content, such as copyrighted works or pornography,
using corporate assets.
What Should You Do to Address the Problem?
It may sound obvious, but IT and business decision makers must determine exactly
what they must protect today, and what they can reasonably expect that they will need to
protect over the next few years. For example, this list should include things like:
Protecting on-premise, IT-deployed corporate email systems, smartphones, iPads and other
capabilities from spam and malware.
Threats introduced by employee devices that are brought into the workplace and
that are used to access corporate resources. This should include iPads, personal
smartphones, personal laptops, etc.
Monitoring and/or preventing what leaves the
organization via corporate email, personal Webmail, laptops, smartphones and
other mobile devices, social media posts, flash drives, portable hard drives, etc. to
protect against data loss.
Encryption of sensitive communications to remain in compliance with both
regulatory requirements and best practices.
Monitoring internal communications for sexually or racially offensive content, as
well as sensitive information that could be stored on desktops, servers or other
systems without appropriate access controls.
Monitoring employees' activities when accessing corporate resources from
personally owned devices when working from home or remotely.
Archiving business records that should be retained.
Non-traditional security threats, such as confidential information that might be
left on PCs at a hotel's business center. For example, a senior manager at a
leading anti-virus company recently reported that he found the itinerary for a
general's visit to a military installation on a hotel business center's PC.
Determine What Not To Do
As important as establishing what must be done is to establish what must not be done.
For example, a blanket prohibition on the use of social media tools like Facebook or
Twitter, or preventing users from employing personal Webmail systems at work can have
negative ramifications on a number of levels. Employee morale may suffer as a result, as
well as user productivity if employees are not permitted to use certain consumer-focused
tools that can help them get their work done. Plus, employees will probably use these
tools anyway unless IT imposes draconian controls that will most likely have the side
effect of impairing employee productivity. Osterman Research (2011).
Establish Detailed and Thorough Policies
Any organization that seeks to protect their users, data and networks from Web-based
threats must establish detailed and thorough policies about acceptable use of all of their
online tools: email, instant messaging, Web 2.0 applications, collaboration tools,
smartphones, flash drives and the Web itself. Successfully addressing these problems
must start with an acknowledgement of the threat landscape and the corresponding
policies about how tools will be used before technologies are deployed to address the
problems. Further, there must be buy-in across the organization in order for policies to be
effective. For example, a policy against the use of social media tools may seriously
impact a marketing department's effectiveness at building the corporate brand; similarly,
not allowing the use of unauthorized file transfer tools may prevent users from sending
large files to prospects or customers in a timely manner.
It is important to note that communication policies must be appropriate and not so
broad as to prevent employees from participating in lawful activities. Corporate policies
that prevent employees from discussing their employer on their own time, sharing
comments about union organization, etc. may not be legal (Osterman Research, 2011).
Deploy a Multi-Layered, Multi-Level Defense Strategy
It is also important to deploy a multi-layered, multi-level defense strategy. This is
becoming increasingly critical as the network perimeter becomes less well defined over
time as noted earlier. For example, traditional security architecture had a clearly defined
firewall that separated internal IT-managed resources from the outside world. However,
the increasing use of personal devices that can connect as easily to a Starbucks Wi-Fi
network as they can to a corporate network, Web 2.0 applications like Twitter, or
employees using their personal smartphones to access corporate email on weekends
means that the network perimeter is rapidly disappearing. This has made security a much
more difficult proposition for IT decision makers, largely because there are so many more
devices and data sources to protect. Consequently, any organization should consider
deploying:
Email-based defenses that include anti-virus, anti-malware, anti-spam and DLP
capabilities.
W