
Security in The Age of Digital

Mobile Banking
& Online Banking
Fandhy H. Siregar, M.Kom

CISA, CISM, CIA, CRMA, CISSP, CEH, CEP-PM, QIA, COBIT5, CRISC, CGEIT*

Digital Banking Penetration

"Affluent and younger consumer segments have led the adoption of digital banking services in the ASEAN markets we surveyed, with the exception of Singapore, where use of digital banking is nearly universal."

Source: McKinsey Asia Personal Financial Services Survey, 2014


Source: McKinsey: Digital Banking in ASEAN: Increasing Consumer Sophistication and Openness


Digital Banking Customer Perception

Source: McKinsey Asia Personal Financial Services Survey, 2014

IBM Security Intelligence Index 2015

Financial & Insurance companies are still facing the biggest threats.

Source: IBM Security

The Challenge Ahead

There is still a gap between the capability to detect attacks and the attackers' capability to deliver them.

The defender-detection deficit (range in one-day)


Source: Verizon Data Breach Investigation Report

Do you have Dark Web threat agents internally?

Who are the bad guys?


Source: IBM Security

Dark Web: What does it look like?

- Data population: 7.9 zettabytes, 90% (Source: Deepwebtech.com)
- Visible to a browser: 3%
- Un-indexed, anonymous (TOR/I2P): a hashed-table system that hides database information

Cyber Kill Chain

The Sooner The Better

Preparation (hours to months):
1. Reconnaissance
2. Weaponization
3. Delivery

Intrusion (seconds to minutes):
4. Exploitation
5. Installation

Active Breach (months):
6. Command & Control
7. Action

Source: Darkreading.com

Typical Mobile Apps

- Client Apps (Android, iOS, BB, Windows Phone)
- Browser-based Apps (HTML5, CSS, etc.)
- SMS & USSD-based Apps
- NFC Apps (Contactless Smart Card)
- Value Added Service (VAS) Apps, STK
- Various Apps
- MicroATM/POS Apps
- QR Code
- Telematic Apps

Typical Mobile Banking Threats & Vulnerabilities

Mobile Apps:
1. Fake Application
2. Malware Attack, Phone Takeover
3. Insecure Application Permission
4. Smishing, Phishing
5. Man in the Middle (MITMobile, MITBrowser, Zeus in the Mobile)
6. Stolen Devices
7. Spyware, Keylogging
8. Weak Device Management/Authentication
9. Rooted/Jailbroken Device
10. Social Engineering

Provider Network/Internet:
1. USSD/SMS Sniffing
2. SMS Spoofing
3. Message Replay Attack
4. Man in the Middle Attack
5. Weak Encryption
6. Weak Device Management/Authentication, Weak User Authentication

Server/Middleware:
1. Weak Application (SQL Injection, Cross Site Scripting, Command Injection, etc.)
2. DDoS (Buffer Overflow)
3. Unpatched/Obsolete Platform, Database, O/S
4. Unlimited Transactions
5. Insufficient Audit Trail/Log

Core Banking

Digital Banking Countermeasures

1. Perimeter Defense (DMZ, Firewall, Web App Firewall, Anti Virus)
2. Detection Tool (IDS/IPS, SIEM)
3. Asset & Vulnerability Assessment
4. Penetration Testing
5. Dual Custody & Strong Administrative User
6. Proper Session Handling
7. Anti-DDoS
8. Fraud Detection Tool
9. High Availability & Disaster Recovery
10. Capacity Planning
11. Testing & Preventive Vulnerability Scanning

Risk Management:
1. Geographical & Historical Analysis
2. Behavioral Analysis
3. Transaction Limit
4. Blocking & Unblocking Mechanism
5. Incident Response Team (CERT)
6. Financial Crime Investigation Team
7. Integration with AML/KYC System

1. Secure Design & Coding (Secure by Construction)
2. Secure Code Review
3. Protect against Obfuscation Code (Cover Time)
4. Vulnerability Assessment
5. Penetration Testing
6. Official Store & Secure Updating/Deployment
7. Strong Device Authentication (Remote Wipeout, No Locally Stored Sensitive Data)
8. Strong Application Authentication & Updating (Key Exchange)
9. Strong Encryption over Public Network (Data-in-Transit Protection)
10. Leverage for Fraud Detection (Error Code, Logging, GPS Location, Device Fingerprinting, Rooting Detection, Debug Mode Detection)

1. Strong User Authentication (2FA applied)
2. Secure Change of Password & Other Sensitive Information
3. KYC & Clear Terms & Conditions
4. User Education & Awareness Program
5. Secure Application Permission, Non-rooted Device
6. Client Anti-Virus/Spyware Signature Update

Source: Secure Mobile Payments System, VISA Europe

Mobile Risk Ecosystem
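As an added illustration of the fraud-detection countermeasures listed above (geographical & historical analysis, transaction limit, blocking mechanism, device fingerprinting and rooting detection), here is a small rule-based transaction screen. It is not code from the deck or from VISA Europe; the field names, the 900 km/h travel threshold and the sample transactions are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# One app transaction: amount, timestamp, GPS fix, device fingerprint, root-detection flag
Txn = namedtuple("Txn", "amount ts lat lon device_id rooted")

@dataclass
class Profile:          # per-account state kept by the (hypothetical) fraud engine
    daily_limit: float
    known_devices: set
    spent_today: float = 0.0
    last_txn: "Txn | None" = None
    blocked: bool = False

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in km
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def screen(profile, txn, max_kmh=900.0):  # returns the rules tripped; [] means clean
    if profile.blocked:
        return ["account_blocked"]
    hits = []
    if txn.rooted:                                             # rooting detection
        hits.append("rooted_device")
    if txn.device_id not in profile.known_devices:             # device fingerprinting
        hits.append("unknown_device")
    if profile.spent_today + txn.amount > profile.daily_limit:  # transaction limit
        hits.append("over_daily_limit")
    if (prev := profile.last_txn) is not None:                 # geographical & historical analysis
        hours = (txn.ts - prev.ts).total_seconds() / 3600
        if haversine_km(prev.lat, prev.lon, txn.lat, txn.lon) > max_kmh * max(hours, 0.0):
            hits.append("impossible_travel")
    return hits

def decide(profile, txn):  # block on any hit; unblocking is a manual review step
    hits = screen(profile, txn)
    profile.blocked = profile.blocked or bool(hits)
    if not hits:
        profile.spent_today += txn.amount
        profile.last_txn = txn
    return ("block" if hits else "allow"), hits

def demo():  # constructed sample: a Jakarta payment, then one from Singapore 30 minutes later
    p = Profile(daily_limit=5_000_000, known_devices={"fp-A1"})
    t1 = Txn(1_500_000, datetime(2016, 3, 1, 9, 0), -6.2, 106.8, "fp-A1", False)
    t2 = Txn(200_000, datetime(2016, 3, 1, 9, 30), 1.35, 103.8, "fp-A1", False)
    return [decide(p, t) for t in (t1, t2, t1)]
```

The second transaction trips the impossible-travel rule (roughly 900 km in half an hour) and blocks the account, so the third one is refused outright until the account is unblocked.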

Countermeasures: Preventive vs Corrective

- Security Awareness Program
- Local Vulnerability & Patch Forum
- Standardized Risk Control for RCSA
- Cyber Security E-Learning Material
- Indonesia Cyber Security Forum
- Cyber Security related Policy & Procedure Amendments
- SIEM Implementation
- Secure Coding & Annual Application Control Review
- Annual Penetration Testing (apps and infrastructure)
- Continuous Assets Register & Management
- User Access Review (Apps, OS & DB)
- Pre-Deployment Vulnerability Scanning, Firewall & Server Hardening Review & External Scanning
- Data Leakage Prevention
- Security Review on Design Proposal
- Failover and Incident Response Test
- Supplier/Vendor Security Assessment

Secure Code Review

Mostly to detect:
- SQL Injection
- Hardcoded Passwords
- XSS & HTML Code Injection
- OWASP Top 10 and SANS Top 25 Vulnerabilities
- Memory leaks, buffer issues, tainted data & file paths

Covers most well-known web application development languages (ASP.Net, JavaScript, Java, C/C++, etc.).

Continuous Asset Management

Asset Re-Discovery & On-Boarding Process

Asset Registration (IT Assets, CMDB):
1. Multiple hierarchies (by OS, region, owners)
2. Dynamic Tag Capabilities

Asset Reporting & Monitoring:
1. Discover Forgotten or Rogue Devices
2. Organize and report the devices

Proactive Patch & Vulnerability Management

Automatic & Tool-Based VM:
- Discovers all systems attached to your network.
- Identifies and analyzes vulnerabilities on all discovered systems.
- Reports findings of discovery and vulnerability analysis.
- Confirms that remedies or workarounds have been applied.

Local Vulnerability & Patch Management Forum

Proactive VM Monitoring:
- Windows WSUS, Security Bulletin
- MITRE CVE-CWE
- NIST NVD

1. Implement Patches
2. Escalation/Approval
3. Vendor technical support

Preventive Policy Enforcement Scanning

Development/Pre-Production Environment (Pre-Deployment Scan):
- Workstation Windows 8/10 Scanning
- Server Windows/UNIX-based Scanning
- Web Application Scanning

Production Environment (Regular Scan):
- Regular/Scheduled Scanning according to Internal Standard & SEBI
- Specific Compliance Scan: PCI/DSS Compliance, Web Application Scanning, Policy Compliance

Scanner modules: PCI Compliance, Web Application Scanning, Policy Editor

Security Awareness Program

6 Essential Components:
1. Collateral (Newsletter, Blog)
2. Posters, Desktop Wallpaper
3. CBT/Online Training & Certification
4. Events, Seminars & Workshops
5. Security Intranet Portal
6. Survey & Behavioral Testing

Regulation Issue: Banking vs Non Banking

Banking Regulation (Otoritas Jasa Keuangan, the Financial Services Authority):
- PBI/POJK Manajemen Risiko TI (IT Risk Management, Electronic Banking) + RPOJK
- PBI/POJK Know Your Customer
- PBI/POJK Manajemen Risiko Internet Banking (Internet Banking Risk Management)
- POJK Laku Pandai (Branchless Banking)
- PBI/POJK E-Money & Alat Pembayaran Menggunakan Kartu (Card-Based Payment Instruments)

Non-Banking Regulation (Badan Regulasi Telekomunikasi Indonesia, the telecommunication regulator; Kementerian Komunikasi & Informatika, the Ministry of Communication and Informatics):
- PP 82/2012 Penyelenggara Sistem Elektronis (Electronic System Operators)
- Permenkominfo Over The Top (OTT)

Issues:
1. Shadow Banking
2. Single Identity & KYC for Telco customers
3. SIM Card Registration & Replacement
4. Digital Certificate & Certificate Authority
5. Cloud & Data Center Location

Digital Banking Task Force (OJK, Bareskrim Polri, BRTI, DK2ICN & Wantanmas)