Mobile Banking & Online Banking
Fandhy H. Siregar, M.Kom
CISA, CISM, CIA, CRMA, CISSP, CEH, CEP-PM, QIA, COBIT5, CRISC, CGEIT*
7.2x
Financial & Insurance companies are still facing the biggest threats.
90%
7.9 Zettabytes
Source: Deepwebtech.com
Visible to Browser: 3%
Un-indexed, Anonymous: TOR/I2P
Hashed table system to hide database information
Preparation (Hours to Months):
1. Reconnaissance
2. Weaponization
3. Delivery
Intrusion (Seconds to Minutes):
4. Exploitation
5. Installation
Active Breach (Months):
7. Action
Source: Darkreading.com
Various Apps: MicroATM/POS Apps, QR Code, Telematic Apps, Mobile Apps

Fake Application
Malware Attack
Phone takeover
Insecure Application Permission
Smishing, Phishing
Man in the Middle (MITMobile, MITBrowser, Zeus in the Mobile)
Stolen Devices
Spyware, Keylogging
Mobile Apps | Provider Network/Internet | Server/Middleware | Core Banking

1. USSD/SMS Sniffing
2. SMS Spoofing
3. Message Replay Attack
4. Man in the Middle Attack
5. Weak Encryption
6. Weak Device Management/Authentication
7. Weak User Authentication
8. Weak Device Management/Authentication
9. Rooted/Jailbroken Device
10. Social Engineering

1. Weak Application (SQL Injection, Cross Site Scripting, Command Injection, etc.)
2. DDoS (Buffer Overflow)
3. Unpatched/Obsolete Platform, Database, O/S
4. Unlimited transactions
5. Insufficient Audit Trail/Log
Mode Detection)
SIEM Implementation
Pre-Deployment Vulnerability Scanning, Firewall & Server Hardening Review & External Scanning
Supplier/Vendor Security Assessment
SQL Injection
Hardcoded Password
XSS & HTML Code Injection
OWASP Top 10 and SANS Top 25 Vulnerabilities
Memory leaks, buffer issues, tainted data & file paths
Covers most well-known web application development languages (ASP.Net, JavaScript, Java, C/C++, etc.)
Asset Registration
1. Multiple hierarchies (by OS, region, owners)
2. Dynamic Tag Capabilities
IT Assets / CMDB
1. Discover Forgotten or Rogue Devices
2. Organize and report the devices
Proactive VM Monitoring
1. Implement Patches
2. Escalation/Approval
3. Vendor technical support
Preventive Policy Enforcement Scanning
DEVELOPMENT/PRE-PRODUCTION ENVIRONMENT
Pre-Deployment Scan
Workstation Windows 8/10 Scanning
Windows Server/UNIX Based Server Scanning
Web Application Scanning
PRODUCTION ENVIRONMENT
Regular Scan
Regular/Scheduled Scanning According to Internal Standard & SEBI
Specific Compliance Scan
PCI/DSS Compliance
Web Application Scanning
Policy Compliance
PCI Compliance, Web Application Scanning, Policy Editor
Banking Regulation:
1. PBI/POJK on IT Risk Management (Electronic Banking) + RPOJK
2. PBI/POJK on Know Your Customer
3. PBI/POJK on Internet Banking Risk Management
4. PP 82/2012 on Electronic System Operators (Penyelenggara Sistem Elektronis)
5. PBI/POJK on E-Money & Card-Based Payment Instruments (Alat Pembayaran Menggunakan Kartu)
Permenkominfo (Minister of Communication and Informatics Regulation) on Over The Top (OTT)
Issues:
Shadow Banking
Single Identity & KYC in Telco customer
SIM Card Registration & Replacement
Digital Certificate & Certificate Authority
Cloud & Data Center Location
Digital Banking Task Force (OJK, Bareskrim Polri, BRTI, DK2ICN & Wantanmas)