Humans-The Weakest Link-Group 4 PPT

Posted on 21-Apr-2015



HUMANS: The Weakest Link in Information Security

GROUP 4
• Amol Darvekar (D021)
• Saurabh Dhole (D023)
• Hemant Negi (D039)
• Nagaraju Oruganti (D041)
• Subba Reddy P (D042)
• Harsh Shethia (D057)

Security

Need for Information Security

Source: http://www.netfast.com/xq/asp/id.1365/p.5-6-1/qx/PressRelease_view.htm

Banking

Source: http://www.journalofaccountancy.com/Issues/2007/Nov/TheHumanElementTheWeakestLinkInInformationSecurity.htm

Bank of America

Source: http://en.wikipedia.org/wiki/Bank_of_America

Previous Controversies

Introduction

• Businesses spend a significant portion of their annual information technology budgets on high-tech computer security

• But the firewalls, vaults, bunkers, locks and biometrics can be pierced by attackers targeting untrained, uninformed or unmonitored users

• This makes the human link the weakest link in information security systems

What is Phishing?

• A scammer creates a fake version of a web site, then lures victims to it with authentic looking e-mails

• The sole purpose of the fake site is to trick victims into entering their secrets – user names and passwords

• Attackers sell the captured secrets or use them to steal directly from their victims

Problem Definition

SiteKey, as deployed by Bank of America, does not provide appreciable protection from typical phishing scams

AS-IS Analysis

• A new login protocol: the "SiteKey" product (from Menlo Park) for its online banking customers

Benefits of the product:
• Reassuring customers that they are entering their user names and passwords into a real BofA web site
• Thwarting unauthorized access to accounts

Source: http://cr-labs.com/publications/WhySiteKey-20060824.pdf

What is SiteKey?

Definition: It is a web-based security system that provides one type of mutual authentication between end-users and websites

Purpose: To prevent phishing attacks by acting as an authentication mechanism

Source: http://en.wikipedia.org/wiki/SiteKey

SiteKey Screenshot

How does SiteKey work?

Circumventing SiteKey Authentication

TO-BE Analysis

• A widespread education process to be implemented to inform customers about phishing attacks, how to identify them, and how to avoid becoming a victim

• A technological component has to be added by the bank to its customer-education initiative

• Introduction of a technology solution that would identify phishing attacks, provide around-the-clock monitoring, and provide real-time alerts

• Requirement of real-time fraud/threat detection with minimal impact on user experience, easy-to-use tools for forensic analysis, and a 24x7 dedicated anti-fraud cybercrime operation

• Security solution that can protect the cookie containing login authentication details of Bank of America from phishing attacks

Business Solutions (IT)

RSA Security Inc. Solution:
• This technology service is designed to stop and prevent phishing attacks that occur in the online channel
• FraudAction offers complete fraud protection and includes 24x7 monitoring and detection, real-time alerts, countermeasures, and site blocking and shutdown
• In one phishing attack, FraudAction enabled Bank of America to shut down an overseas web site within 1.22 hours.

Source: http://www.rsa.com/products/consumer/success/11639_LRGBNK_C_0212.pdf

Other steps taken by Bank of America:
• Avoiding claims that a web page showing SiteKey is legitimate
• Not storing the persistent challenge-bypass token until the user has logged in completely
• Limiting the number of bypass tokens that can be active for a single account, and making the transfer of a token from one computer to another a big deal
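The two token rules on this slide are easiest to see as server-side logic. The following is an added example written for this transcript, not Bank of America's or RSA's code: a minimal SiteKey-style server in which the persistent bypass token is minted only after the password step succeeds (never after the challenge question alone), and each account keeps at most a fixed number of active tokens, evicting the oldest. The class and method names, the `MAX_ACTIVE_TOKENS` value and the demo-only hashing are assumptions; the slide gives no figures.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed policy value: the slide says the count is limited but gives no number.
MAX_ACTIVE_TOKENS = 3


def _h(text):
    # Demo-only hashing so the example stays self-contained; a real
    # deployment would use a salted, slow password hash.
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    challenge_answer_hash: str
    sitekey_image: str                                   # image/phrase chosen at enrolment
    active_tokens: list = field(default_factory=list)    # oldest first


class SiteKeyServer:
    """Server side of a SiteKey-style login with the slide's two token rules."""

    def __init__(self):
        self.accounts = {}   # username -> Account

    def enrol(self, user, password, challenge_answer, sitekey_image):
        self.accounts[user] = Account(_h(password), _h(challenge_answer), sitekey_image)

    def identify(self, user, bypass_token=None):
        """Step 1: username plus the bypass token the browser holds, if any.
        A recognised token lets the server show the SiteKey image at once;
        otherwise the user must answer the challenge question first."""
        acct = self.accounts.get(user)
        if acct is not None and bypass_token in acct.active_tokens:
            return {"next": "password", "sitekey_image": acct.sitekey_image}
        # Same reply for unknown users, so the flow does not enumerate accounts.
        return {"next": "challenge"}

    def answer_challenge(self, user, answer):
        """Step 2: a correct answer reveals the image but issues NO token (rule 1)."""
        acct = self.accounts.get(user)
        if acct is None or _h(answer) != acct.challenge_answer_hash:
            return {"next": "challenge"}
        return {"next": "password", "sitekey_image": acct.sitekey_image}

    def password(self, user, pw):
        """Step 3: only a complete login mints a persistent bypass token (rule 1),
        and the per-account list is capped, evicting the oldest device (rule 2)."""
        acct = self.accounts.get(user)
        if acct is None or _h(pw) != acct.password_hash:
            return {"ok": False}
        token = secrets.token_urlsafe(32)
        acct.active_tokens.append(token)
        while len(acct.active_tokens) > MAX_ACTIVE_TOKENS:
            acct.active_tokens.pop(0)   # evicted device must re-answer the challenge
        return {"ok": True, "bypass_token": token}

    def active_token_count(self, user):
        return len(self.accounts[user].active_tokens)


if __name__ == "__main__":
    srv = SiteKeyServer()
    srv.enrol("alice", "correct horse", "rex", "blue boat")      # constructed sample account
    print(srv.identify("alice"))                                  # no token yet -> challenge
    print(srv.answer_challenge("alice", "rex"))                   # image shown, no token
    print(srv.active_token_count("alice"))                        # 0
    tok = srv.password("alice", "correct horse")["bypass_token"]
    print(srv.identify("alice", tok))                             # recognised device
```

The eviction step is what makes "transfer of a token from one computer to another a big deal": copying the cookie to a fourth machine pushes the oldest device back to the challenge question, which the legitimate customer notices.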

Impact - SWOT Analysis

• Strengths: Effective firewall protection, password configuration/settings and information transfer protocols.

• Weaknesses: The typical weaknesses of this solution come in the form of laxity on the part of customers and employees, lack of adequate education about the working of the system, etc.

• Opportunities: The solution provides the bank with the opportunity to reduce the instances of phishing, limit the losses due to phishing, improve customer satisfaction, maintain brand reputation, etc.

• Threats: The loyalty of employees is important for this solution to be feasible. Disloyalty on the part of employees can undermine the effectiveness of this solution

Challenges

• Resistance to change by the employees
• Missing the human element of the security
• Implementation of the new technology
• Overeducating employees
• Lack of consistent communication
• Lack of commitment from management
• Lack of resources

Cost-Benefit Analysis

Business Vendors

The Case - Oriental Bank of Commerce

• The bank offers features such as internet banking, phone banking and NRI banking
• A phishing site spoofed the login page of the bank
• Fraudsters stole the credentials of the user
• Hackers sent mails from IBANK@obconline.co.in and customercare@obconline.co.in

Source: http://www.symantec.com/connect/blogs/phishing-attacks-indian-banks-rise

An Example of the Phishing Email is below:

Anti-phishing solutions

• 24x7 proactive monitoring & detection
• Domain monitoring
• Abuse email forwarding
• Evaluation and verification of potential phishing threats
• Rapid incident response: web site takedown
• Continuous monitoring of phishing URLs
• Reporting and forensics portal access
• URL inclusion in global blocklists
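"Domain monitoring" and "URL inclusion in global blocklists" are the two items on this list that a bank's own team can automate. The example below is added for this transcript and is not code from any vendor named on the page: it scores a constructed feed of observed hostnames against the bank's real domain from the previous slide (obconline.co.in), flagging homoglyph substitutions, typosquats, the brand name embedded in another label, and the brand used as a subdomain of an unrelated site, and returns the candidates worth submitting to a blocklist. The scoring thresholds, the short suffix list and the sample feed are assumptions.

```python
# Brand label and legitimate domain taken from the slide; everything else is assumed.
BRAND = "obconline"
LEGIT_DOMAINS = {"obconline.co.in"}

# Assumed subset of public suffixes, longest first; a real monitor would use the
# Public Suffix List instead of this table.
KNOWN_SUFFIXES = ("co.in", "com", "net", "org", "info", "co", "in")

# Common look-alike substitutions seen in phishing domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


def normalise(label):
    """Fold digits and letter pairs that read like other letters back to ASCII letters."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """The label the registrant actually chose, e.g. 'obconline' in secure.obconline.co.in."""
    d = domain.lower().strip(".")
    for suffix in KNOWN_SUFFIXES:
        if d.endswith("." + suffix):
            d = d[: -len(suffix) - 1]
            break
    return d.split(".")[-1]


def assess(domain):
    """Return (score, reason). 0 = no concern, 3 = strongest look-alike."""
    if domain.lower() in LEGIT_DOMAINS:
        return 0, "legitimate"
    label = normalise(registrable_label(domain))
    if label == BRAND:
        return 3, "brand label under another TLD or with homoglyphs"
    if BRAND in label:
        return 2, "brand name embedded in registered label"
    if levenshtein(label, BRAND) <= 2:
        return 2, "typosquat of brand label"
    if BRAND in normalise(domain):
        return 2, "brand used as a subdomain of an unrelated site"
    return 0, "no match"


def scan(feed, threshold=2):
    """Blocklist candidates from an observed-domain feed, strongest first."""
    hits = [(d, *assess(d)) for d in feed]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: (-h[1], h[0]))


# Constructed sample feed, e.g. from newly registered domains or abuse-mailbox links.
SAMPLE_FEED = [
    "obconline.co.in",
    "obc0nline.co.in",
    "obconline.com",
    "obconline-secure.com",
    "obconlne.co.in",
    "obconline.co.in.verify-login.net",
    "example.com",
]

if __name__ == "__main__":
    for domain, score, reason in scan(SAMPLE_FEED):
        print(f"{score}  {domain:40s} {reason}")
```

Exact-TLD and homoglyph hits score highest because they are the ones a customer is least likely to notice in the address bar; the subdomain rule catches the pattern where the brand appears at the left of a long hostname and the real registered domain is hidden at the right.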

Data Breach

• An internal IT specialist leaked client data in order to sell it to Lebanese banks
• 24,000 clients affected
• Largest in HSBC history

Source: http://www.esecurityplanet.com/news/article.php/3870071/HSBC-Confirms-Massive-Database-Security-Breach.htm

Previous Instances

• In 2005 – credit card information of over 180,000 customers leaked through the 'General Motors' MasterCard
• In 2008 – a bug in imaging software revealed personal information of clients going through bankruptcy proceedings
• The British Financial Services Authority imposed a fine of around 5 million dollars
• Largest fine ever to a banking institution

Source: http://www.msnbc.msn.com/id/7501064/ns/technology_and_science-security/t/warned-credit-card-data-exposed/#.T3KXg9W87W0

Enhanced Security Systems

• A new security device
• Two-step authentication process: 1) Personal username and password 2) Device-generated security code valid only for 30 seconds
• Session automatically logs out after some time
• 128-bit SSL encryption

Enhanced Security Systems

• Secure online sessions (indications at the browser)
• Multiple layers of security
• Multiple failed login attempts will disable online access until the customer personally contacts the helpline desk
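The two "Enhanced Security Systems" slides describe three controls that fit in one login model: the two-step check (password plus a device code that changes every 30 seconds), automatic session logout, and lockout after repeated failures that only the helpline can clear. The code below is an added example for this transcript, not the bank's or the device vendor's code. The device code is computed as RFC 6238 TOTP over 30-second steps with HMAC-SHA1, which is the standard way to build such a code; the code length, the failure threshold, the session lifetime, the one-step clock-drift allowance, the class and method names and the demo-only password hashing are all assumptions. Time is passed in explicitly so the logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30        # from the slide: code valid only for 30 seconds
DIGITS = 6               # assumed; the slide does not give the code length
MAX_FAILURES = 3         # assumed; the slide says "multiple" failed attempts
SESSION_SECONDS = 600    # assumed; the slide says "after some time"
DRIFT_STEPS = 1          # assumed: accept one step either side for clock skew


def totp(secret, now):
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the 30-second counter."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp_matches(secret, code, now):
    """Constant-time compare against the current step and its DRIFT_STEPS neighbours."""
    ok = False
    for k in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        ok |= hmac.compare_digest(totp(secret, now + k * STEP_SECONDS), code)
    return ok


class OnlineBanking:
    def __init__(self):
        self.users = {}       # username -> {"pw", "secret", "failures", "locked"}
        self.sessions = {}    # session id -> (username, expires_at)

    def enrol(self, user, password, device_secret):
        # Demo-only hashing so the example is self-contained; use a salted, slow hash in practice.
        self.users[user] = {"pw": hashlib.sha256(password.encode()).digest(),
                            "secret": device_secret, "failures": 0, "locked": False}

    def login(self, user, password, code, now):
        """Step 1 password, step 2 device code. Both are checked before any failure is
        counted, so a wrong password and a wrong code look identical to the caller."""
        u = self.users.get(user)
        if u is None:
            return ("fail", "bad credentials")
        if u["locked"]:
            return ("locked", "contact helpline desk")
        pw_ok = hmac.compare_digest(u["pw"], hashlib.sha256(password.encode()).digest())
        if not (pw_ok and totp_matches(u["secret"], code, now)):
            u["failures"] += 1
            if u["failures"] >= MAX_FAILURES:
                u["locked"] = True          # online access disabled until helpline unlock
                return ("locked", "contact helpline desk")
            return ("fail", "bad credentials")
        u["failures"] = 0
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, now + SESSION_SECONDS)
        return ("ok", sid)

    def session_user(self, sid, now):
        """Username for a live session, or None once it has expired (automatic logout)."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self.sessions[sid]
            return None
        return user

    def helpline_unlock(self, user):
        """The out-of-band step the slide describes: only the helpline clears a lockout."""
        self.users[user]["failures"] = 0
        self.users[user]["locked"] = False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, so the codes can be checked by hand.
    bank = OnlineBanking()
    bank.enrol("alice", "correct horse", b"12345678901234567890")
    print(totp(b"12345678901234567890", 59))                      # 287082
    print(bank.login("alice", "correct horse", "287082", 59))     # ('ok', <session id>)
```

The drift window is the practical caveat to "valid only for 30 seconds": with `DRIFT_STEPS = 1` a code is accepted for up to about 90 seconds, which is what makes tokens usable with slightly skewed clocks, so the window should be as small as the device population allows.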

Enhanced Security Systems

SSL Encryption Service Provider
• BAMS Holdings

• Most trusted and secure option
• Extended validation
• 128-bit to 256-bit encryption
• Installation checker
• Easy management

Future Scope

• A new generation of anti-phishing software as well as education to combat the more sophisticated ways of information theft

• Protection for mobile phones

• Stricter laws

Conclusions

• Consumers play an active role in self-protection from phishing attacks
• Online security systems work perfectly when nothing is wrong (when they are not needed), and imperfectly at other times.
• Promoting high confidence in security methods that cannot always provide the advertised protections
• This also increases the risk that overconfident users will be misled by criminals

Thank You