Security
A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences
Computer security
Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system
The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure information whose protection is authorized by executive order or statute.
Security
Banking
Implementing a core banking solution
Trust levels of customers
Securing services like online banking, m-commerce and ATM networks
Increase in the number of social engineering thefts
Lost $52.49 million in one year
Source - http://www.journalofaccountancy.com/Issues/2007/Nov/TheHumanElementTheWeakestLinkInInformationSecurity.htm
Bank of America
Fourth largest bank in the U.S. by market capitalization.
Revenue of US$ 115.074 billion; serves clients in more than 150 countries.
Net income was US$ 1.446 billion.
Source: http://en.wikipedia.org/wiki/Bank_of_America
Previous Controversies
Parmalat alleged the bank profited from its knowledge of Parmalat's financial difficulties.
The bank has been criticized for allegedly seizing three properties that were not under its ownership.
Wikileaks claimed to possess a 5 GB hard drive that could turn the U.S. bank "inside out".
The state of Arizona has investigated Bank of America for misleading homeowners who sought to modify their mortgage loans.
Introduction
Businesses spend a significant portion of their annual information technology budgets on high-tech computer security. But the firewalls, vaults, bunkers, locks and biometrics can be pierced by attackers targeting untrained, uninformed or unmonitored users. This makes the human the weakest link in information security systems.
What is Phishing?
A scammer creates a fake version of a web site, then lures victims to it with authentic-looking e-mails. The sole purpose of the fake site is to trick victims into entering their secrets: user names and passwords. Attackers sell the captured secrets or use them to steal directly from their victims.
Problem Definition
SiteKey, as deployed by Bank of America, does not provide appreciable protection from typical phishing scams.
AS IS Analysis
A new login protocol, the SiteKey product by Menlo Park, for its online banking customers.
Benefits of the product:
Reassuring customers that they are entering their user names and passwords into a real BofA web site
Thwarting unauthorized access to accounts
Source: http://cr-labs.com/publications/WhySiteKey-20060824.pdf
What is SiteKey
Definition: A web-based security system that provides one type of mutual authentication between end users and websites.
Purpose: To prevent phishing attacks by acting as an authentication mechanism.
Source: http://en.wikipedia.org/wiki/SiteKey
SiteKey Screenshot (image not included in this text)
TO-BE Analysis
A widespread education process to be implemented to inform customers about phishing attacks, how to identify them, and how to avoid becoming a victim
A technological component to be added by the bank to its customer-education initiative
Introduction of a technology solution that would identify phishing attacks, provide around-the-clock monitoring, and provide real-time alerts
Requirement of real-time fraud/threat detection with minimal impact on user experience, easy-to-use tools for forensic analysis, and a 24x7 dedicated anti-fraud cybercrime operation
A security solution that can protect the cookie containing Bank of America login authentication details from phishing attacks
Business Solutions (IT)
RSA Security Inc. Solution: This technology service is designed to stop and prevent phishing attacks that occur in the online channel. FraudAction offers complete fraud protection and includes 24x7 monitoring and detection, real-time alerts, countermeasures, and site blocking and shutdown. In one phishing attack, FraudAction enabled Bank of America to shut down an overseas web site within 1.22 hours.
Source: http://www.rsa.com/products/consumer/success/11639_LRGBNK_C_0212.pdf
Other steps taken by Bank of America:
Avoiding claims that a web page showing the SiteKey image is legitimate
Not storing the persistent challenge-bypass token until the user has logged in completely
Limiting the number of bypass tokens that can be active for a single account
Making the transfer of a token from one computer to another a significant event rather than a silent one
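The two token rules above, minting a persistent challenge-bypass token only once the whole login has succeeded and capping the number of active tokens per account, modelled in Python. This is an added illustration, not Bank of America's or SiteKey's code; the challenge-question flow, the cap of 3 and the sha256 digests are assumptions made for the model.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

MAX_ACTIVE_TOKENS = 3  # assumed cap; the slides give no figure


def _digest(value: str) -> str:
    # SHA-256 keeps the model short; a real deployment would use a slow
    # password hash (bcrypt, scrypt, Argon2) for the password itself.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    pw_digest: str
    answer_digest: str
    # digests of active challenge-bypass tokens, oldest first
    active_tokens: list = field(default_factory=list)


class BypassTokenPolicy:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, user: str, password: str, answer: str) -> None:
        self.accounts[user] = Account(_digest(password), _digest(answer))

    def device_recognised(self, user: str, token) -> bool:
        acct = self.accounts.get(user)
        return bool(acct and token and _digest(token) in acct.active_tokens)

    def login(self, user: str, password: str, *, token=None, answer=None):
        """Return (success, bypass_token).

        A new token is stored only after the challenge (when required) and the
        password both succeed, so a half-finished or phished login never leaves
        a persistent token behind. Every failure returns (False, None)."""
        acct = self.accounts.get(user)
        if acct is None:
            return False, None
        recognised = self.device_recognised(user, token)
        if not recognised and (answer is None or _digest(answer) != acct.answer_digest):
            return False, None          # unrecognised device must pass the challenge
        if _digest(password) != acct.pw_digest:
            return False, None          # wrong password: no token is minted
        if recognised:
            return True, token          # known device keeps its existing token
        new_token = secrets.token_urlsafe(32)
        acct.active_tokens.append(_digest(new_token))
        while len(acct.active_tokens) > MAX_ACTIVE_TOKENS:
            acct.active_tokens.pop(0)   # cap reached: revoke the oldest device
        return True, new_token
```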
Challenges
Resistance to change by the employees
Missing the human element of security
Implementation of the new technology
Overeducating employees
Lack of consistent communication
Lack of commitment from management
Lack of resources
Cost-Benefit Analysis
Benefits
Loss minimisation
Retention of customer trust and confidence
Protection from litigation
Protecting brand reputation
Prevention of loss of data
Costs
Awareness amongst customers
Getting the best IT solutions in place
Designing an effective grievance-redressal system
Business Vendors
Menlo Park
Provides technology venture capital funding for seed, early-stage and growth companies. Menlo Ventures invests in consumer Internet, mobile, communications infrastructure, enterprise, security and storage.
Yodlee
Financial services company that developed and offered technology to Bank of America to make back-end aggregation of bank data secure and speedy. More than 250 developers have already registered with the Yodlee FinApp ecosystem to help banks create revenue-generating apps.
RSA Security
RSA is an American computer and network security company. Bank of America procured SecurID tokens from RSA Security in order to enhance its security system.
Source: http://www.symantec.com/connect/blogs/phishing-attacks-indian-banks-rise
Anti-phishing solutions
24x7 proactive monitoring and detection
Domain monitoring
Abuse e-mail forwarding
Evaluation and verification of potential phishing threats
Rapid incident response and web site takedown
Continuous monitoring of phishing URLs
Reporting and forensics portal access
URL inclusion in global blocklists
Data Breach
An internal IT specialist leaked client data in order to sell it to Lebanese banks.
24,000 clients affected.
Largest breach in HSBC history.
Source: http://www.esecurityplanet.com/news/article.php/3870071/HSBC-Confirms-MassiveDatabase-Security-Breach.htm
Previous Instances
In 2005, credit card information of over 180,000 customers leaked through the General Motors MasterCard.
In 2008, a bug in imaging software revealed personal information of clients going through bankruptcy proceedings.
The British Financial Services Authority imposed a fine of around 5 million dollars, the largest fine ever imposed on a banking institution.
Source: http://www.msnbc.msn.com/id/7501064/ns/technology_and_science-security/t/warnedcredit-card-data-exposed/#.T3KXg9W87W0
Encryption
Layers of Security
Future Scope
A new generation of anti-phishing software, as well as education, to combat the more sophisticated ways of information theft
Protection for mobile phones
Stricter laws
Conclusions
Consumers play an active role in protecting themselves from phishing attacks.
Online security systems work perfectly when nothing is wrong (when they are not needed), and imperfectly at other times.
Promoting high confidence in security methods that cannot always provide the advertised protection also increases the risk that overconfident users will be misled by criminals.
Thank You