
HUMANS

The Weakest Link In Information Security


GROUP 4
Amol Darvekar (D021), Saurabh Dhole (D023), Hemant Negi (D039), Nagaraju Oruganti (D041), Subba Reddy P (D042), Harsh Shethia (D057)

Security

Security
A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

Computer security
Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of the information managed by the system.

Information security
The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure information whose protection is authorized by executive order or statute.

Need for Information Security

- Increased competition has made information sharing crucial
- The average number of security-related events rose from 704 in 2010 to 862 in 2011
- The share of organisations reporting financial losses rose from 7% to 22% over 2010
- Costs include clean-up, loss of data, liability and loss of customer confidence
- Security spending by organisations rose from 11 percent in 2004 to 13 percent in the survey year
Source: http://www.netfast.com/xq/asp/id.1365/p.5-6-1/qx/PressRelease_view.htm

Banking
- Implementing core banking solutions
- Maintaining customers' trust
- Securing services such as online banking, m-commerce and ATM networks
- Increase in the number of social-engineering thefts
- $52.49 million lost in one year

Source: http://www.journalofaccountancy.com/Issues/2007/Nov/TheHumanElementTheWeakestLinkInInformationSecurity.htm

Bank of America
Fourth largest bank in the U.S. by market capitalization. Revenue of US$ 115.074 billion; serves clients in more than 150 countries; net income of US$ 1.446 billion.

Source: http://en.wikipedia.org/wiki/Bank_of_America

Previous Controversies
- Parmalat alleged that the bank profited from its knowledge of Parmalat's financial difficulties
- The bank has been criticized for allegedly seizing three properties it had no claim on
- WikiLeaks claimed to possess a 5 GB hard drive that could turn the U.S. bank "inside out"
- The state of Arizona investigated Bank of America for misleading homeowners who sought to modify their mortgage loans

Introduction
Businesses spend a significant portion of their annual IT budgets on high-tech computer security. But the firewalls, vaults, bunkers, locks and biometrics can all be bypassed by attackers who target untrained, uninformed or unmonitored users. This makes the human link the weakest link in an information security system.

What is Phishing?
A scammer creates a fake copy of a web site, then lures victims to it with authentic-looking e-mails. The sole purpose of the fake site is to trick victims into entering their secret user names and passwords. Attackers sell the captured credentials or use them to steal directly from their victims.
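The lure described above is an e-mail whose links point somewhere other than where they appear to point. The following is an added example, not part of the original slides: a small Python checker that parses an HTML e-mail and flags the classic tells (display text naming one host while the href goes to another, a raw IP address as the host, a host outside the sender's domain, plain http). The two messages and the domain examplebank.test are constructed for the example; the "registrable domain" helper is a deliberate simplification that ignores the public-suffix list.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed phishing sample (hypothetical bank domain examplebank.test); not a real message.
SAMPLE_EMAIL = """\
From: Customer Care <customercare@examplebank.test>
To: victim@mail.test
Subject: Urgent: verify your online banking account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Please visit <a href="http://examplebank.test.login-verify.example/signin">
https://www.examplebank.test/signin</a> to restore access within 24 hours.</p>
<p>Or use <a href="http://203.0.113.45/ebank/">our secure portal</a>.</p>
<p>Regards,<br><a href="https://www.examplebank.test/help">Help centre</a></p>
</body></html>
"""

# Constructed legitimate message from the same sender, for contrast.
CLEAN_EMAIL = """\
From: Customer Care <customercare@examplebank.test>
To: customer@mail.test
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.examplebank.test/statements">www.examplebank.test</a>.</p></body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def registrable(host):
    """Last two labels of a host name: a crude stand-in for the registrable domain
    (assumption: no public-suffix handling), e.g. www.examplebank.test -> examplebank.test."""
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:])


def link_findings(raw_message):
    """Return [(href, [reasons])] for every link in the message that shows a phishing tell."""
    msg = message_from_string(raw_message)
    sender_domain = registrable(msg['From'].rsplit('@', 1)[-1].strip('> '))
    findings = []
    for href, text in LINK_RE.findall(msg.get_payload()):
        parsed = urlparse(href)
        host = parsed.hostname or ''
        text = text.strip()
        # Only compare hosts when the visible link text itself looks like a URL.
        shown = urlparse(text).hostname if text.startswith(('http://', 'https://')) else None
        reasons = []
        if IPV4_RE.fullmatch(host):
            reasons.append('link host is a raw IP address')
        if shown and registrable(shown) != registrable(host):
            reasons.append(f'display text names {shown} but href goes to {host}')
        if registrable(host) != sender_domain:
            reasons.append(f'host {host} is outside the sender domain {sender_domain}')
        if parsed.scheme != 'https':
            reasons.append('not https')
        if reasons:
            findings.append((href, reasons))
    return findings


def is_suspicious(raw_message):
    """True when at least one link in the message carries a phishing tell."""
    return bool(link_findings(raw_message))
```

Run against SAMPLE_EMAIL the checker reports the first two links (the lookalike host hidden behind legitimate-looking text, and the bare IP address) and passes the genuine help-centre link; CLEAN_EMAIL produces no findings. A real mail gateway would add header checks (SPF/DKIM alignment of the From domain) that need network access and are left out here.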

Problem Definition
SiteKey, as deployed by Bank of America, does not provide appreciable protection from typical phishing scams.

AS-IS Analysis
Bank of America adopted a new login protocol, the SiteKey product from Menlo Park, for its online banking customers.
Benefits claimed for the product:
- Reassuring customers that they are entering their user names and passwords into a real BofA web site
- Thwarting unauthorized access to accounts
Source: http://cr-labs.com/publications/WhySiteKey-20060824.pdf

What is SiteKey?
Definition: a web-based security system that provides one form of mutual authentication between end users and web sites.
Purpose: to counter phishing by authenticating the site to the customer before the password is entered.
Source: http://en.wikipedia.org/wiki/SiteKey

SiteKey Screenshot

How does SiteKey work?

Circumventing SiteKey Authentication

TO-BE Analysis
- A widespread education programme to inform customers about phishing attacks, how to identify them and how to avoid becoming a victim
- A technological component added by the bank to its customer-education initiative
- A technology solution that identifies phishing attacks, provides around-the-clock monitoring and raises real-time alerts
- Real-time fraud/threat detection with minimal impact on the user experience, easy-to-use tools for forensic analysis, and a 24x7 dedicated anti-fraud cybercrime operation
- A security solution that protects the cookie holding Bank of America's login authentication details from phishing attacks

Business Solutions (IT)
RSA Security Inc. solution: a technology service designed to stop and prevent phishing attacks in the online channel. FraudAction offers complete fraud protection, including 24x7 monitoring and detection, real-time alerts, countermeasures, and site blocking and shutdown. In one phishing attack, FraudAction enabled Bank of America to shut down the overseas web site within 1.22 hours.
Source: http://www.rsa.com/products/consumer/success/11639_LRGBNK_C_0212.pdf

Other steps taken by Bank of America:
- No longer claiming that a web page showing the SiteKey image is necessarily legitimate
- Not storing the persistent challenge-bypass token until the user has logged in completely
- Limiting the number of bypass tokens that can be active for a single account
- Making the transfer of a token from one computer to another a deliberate, visible step rather than something that happens silently
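To make the "How does SiteKey work?" and "Circumventing SiteKey Authentication" slides and the token changes above concrete, here is an added example in Python; it is an illustration written for this page, not Bank of America's code, and the account, image and challenge question are constructed. The Bank class models the two-step login (username plus optional bypass cookie, then the SiteKey image or a challenge question, then the password). The RelayPhisher class models the weakness the cited CR-labs analysis describes: a fake site that forwards the username and challenge answer to the real bank in real time and shows the genuine image back, so the image check passes and the password is captured. The hardening from the slides appears in submit_password: the bypass token is minted only after a complete login and the number of active tokens per account is capped (the cap value is an assumption; the slides give none).

```python
from dataclasses import dataclass, field
import secrets

MAX_ACTIVE_TOKENS = 2   # assumption: the slides say the number is limited, not what the limit is


@dataclass
class Account:
    password: str
    image: str                                   # the SiteKey picture/phrase the customer chose
    question: str
    answer: str
    tokens: list = field(default_factory=list)   # persistent challenge-bypass tokens (cookies)


class Bank:
    """The real site. Step 1 takes the username plus the bypass cookie (if any) and returns
    either the SiteKey image or a challenge question; step 2 takes the password."""

    def __init__(self, accounts):
        self.accounts = accounts

    def submit_username(self, user, token=None):
        acct = self.accounts[user]
        if token is not None and token in acct.tokens:
            return ('image', acct.image)
        return ('challenge', acct.question)

    def submit_answer(self, user, answer):
        acct = self.accounts[user]
        return ('image', acct.image) if answer.lower() == acct.answer.lower() else ('denied', None)

    def submit_password(self, user, password):
        acct = self.accounts[user]
        if password != acct.password:
            return None
        # Hardening from the slides: mint the bypass token only after a complete login,
        # and cap the number of active tokens per account (oldest is evicted).
        token = secrets.token_hex(16)
        acct.tokens.append(token)
        del acct.tokens[:-MAX_ACTIVE_TOKENS]
        return token


class RelayPhisher:
    """The fake site. It never needs to know the victim's image: it forwards the username and
    challenge answer to the real bank and shows whatever comes back. The victim's bypass cookie
    is scoped to the bank's domain, so the phisher never receives it and the bank falls back to
    the challenge question, which the victim obligingly answers on the fake page."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = {}

    def submit_username(self, user, token=None):
        self.captured[user] = {}
        return self.bank.submit_username(user)

    def submit_answer(self, user, answer):
        self.captured[user]['answer'] = answer
        return self.bank.submit_answer(user, answer)

    def submit_password(self, user, password):
        self.captured[user]['password'] = password
        return 'looks-like-a-token'


def customer_logs_in(site, user, password, expected_image, answer, token=None):
    """What a trained customer does: type the username, answer a challenge if asked,
    and type the password only if the displayed image is the one they chose."""
    kind, payload = site.submit_username(user, token)
    if kind == 'challenge':
        kind, payload = site.submit_answer(user, answer)
    if kind != 'image' or payload != expected_image:
        return None                       # customer stops: wrong or missing image
    return site.submit_password(user, password)


def demo():
    bank = Bank({'alice': Account('s3cret', 'red canoe', 'First pet?', 'rex')})
    phisher = RelayPhisher(bank)
    # 1. Honest login from a new computer: challenge, image, password; cookie issued afterwards.
    cookie = customer_logs_in(bank, 'alice', 's3cret', 'red canoe', 'rex')
    cookie_skips_challenge = bank.submit_username('alice', cookie)[0] == 'image'
    # 2. Phishing: the victim follows an e-mail link to the relay. The real image is shown,
    #    the check passes, and the challenge answer and password go to the attacker.
    customer_logs_in(phisher, 'alice', 's3cret', 'red canoe', 'rex')
    stolen = phisher.captured['alice']
    # 3. The attacker logs in from their own computer with the stolen answer and password.
    attacker_cookie = customer_logs_in(bank, 'alice', stolen['password'], 'red canoe', stolen['answer'])
    # 4. One more login pushes the account past the token cap; the oldest cookie stops working.
    customer_logs_in(bank, 'alice', 's3cret', 'red canoe', 'rex')
    old_cookie_evicted = bank.submit_username('alice', cookie)[0] == 'challenge'
    return {'cookie_skips_challenge': cookie_skips_challenge,
            'stolen': stolen,
            'attacker_logged_in': attacker_cookie is not None,
            'old_cookie_evicted': old_cookie_evicted,
            'active_tokens': len(bank.accounts['alice'].tokens)}
```

The model makes the problem definition visible: the image only proves that someone, somewhere, submitted the victim's username and challenge answer to the real bank, which a relaying phishing site can do on the victim's behalf. The token cap limits how many machines can silently bypass the challenge, but it does nothing against the relay itself.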

Impact - SWOT Analysis

Strengths: effective firewall protection, password configuration/settings and information-transfer protocols.
Weaknesses: laxity on the part of customers and employees, and inadequate education in how the system works.
Opportunities: the solution gives the bank the opportunity to reduce the incidence of phishing, limit losses due to phishing, improve customer satisfaction and maintain brand reputation.
Threats: employee loyalty is essential for this solution to work; disloyal employees can undermine its effectiveness.

Challenges
- Resistance to change by employees
- Missing the human element of security
- Implementation of the new technology
- Over-educating employees
- Lack of consistent communication
- Lack of commitment from management
- Lack of resources

Cost-Benefit Analysis
Benefits
- Loss minimisation
- Retention of customer trust and confidence
- Protection from litigation
- Protection of brand reputation
- Prevention of data loss

Costs
- Raising awareness among customers
- Putting the best IT solutions in place
- Designing an effective grievance-redressal system

Business Vendors

Menlo Ventures (Menlo Park)
Provides technology venture-capital funding for seed, early-stage and growth companies. Menlo Ventures invests in consumer Internet, mobile, communications infrastructure, enterprise, security and storage.

Yodlee

A financial-services technology company that supplied Bank of America with technology to make back-end aggregation of bank data secure and fast. More than 250 developers have already registered with the Yodlee FinApp ecosystem to help banks create revenue-generating apps.

RSA Security

RSA is an American computer and network security company. Bank of America procured SecurID tokens from RSA Security to strengthen its security system.

The Case - Oriental Bank of Commerce

- The bank offers internet banking, phone banking and NRI banking
- A phishing site spoofed the bank's login page
- The fraudster stole users' credentials
- The attackers sent mails bearing the sender addresses IBANK@obconline.co.in and customercare@obconline.co.in

Source: http://www.symantec.com/connect/blogs/phishing-attacks-indian-banks-rise

An Example of the Phishing Email is below:

Anti-phishing solutions
- 24x7 proactive monitoring and detection
- Domain monitoring
- Abuse e-mail forwarding
- Evaluation and verification of potential phishing threats
- Rapid incident response and web-site takedown
- Continuous monitoring of phishing URLs
- Reporting and forensics portal access
- URL inclusion in global blocklists
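"Domain monitoring" in the list above means watching for newly registered or newly certified domains that imitate the bank's own. The following is an added example written for this page, not code from any of the vendors named in the slides: it generates lookalike candidates for the Oriental Bank of Commerce domain from the case (character omission, adjacent transposition, digit-for-letter homoglyphs, inserted hyphens, TLD swaps) and matches them against a feed of observed domain names. The observed feed is constructed for the example; none of the generated names is being claimed to be a real phishing domain.

```python
MONITORED = 'obconline.co.in'          # the bank domain from the case slide

# Constructed feed of "newly seen" names, as one would take from certificate-transparency
# logs or passive DNS; these are made up for the example.
OBSERVED = [
    'obconline.co.in', 'ibank.obconline.co.in', 'obc0nline.co.in', 'obconline-login.in',
    'obconline.com', 'secure-obconline.co.in', 'example.org', '0bconline.co.in',
]

HOMOGLYPHS = {'o': ['0'], 'l': ['1', 'i'], 'i': ['1', 'l'], 'e': ['3'], 'a': ['4'], 'b': ['d'], 'n': ['m']}
TLDS = ['com', 'net', 'in', 'co.in', 'org', 'info']


def split_domain(domain):
    """'obconline.co.in' -> ('obconline', 'co.in'). Assumes the brand label is the first label."""
    label, _, suffix = domain.partition('.')
    return label, suffix


def lookalikes(domain):
    """Set of typosquat-style candidates for a monitored domain."""
    label, suffix = split_domain(domain)
    labels = set()
    for i in range(len(label)):                      # omission: obcnline
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent transposition: obocnline
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                   # homoglyph: obc0nline
        for glyph in HOMOGLYPHS.get(ch, []):
            labels.add(label[:i] + glyph + label[i + 1:])
    for i in range(1, len(label)):                   # hyphenation: obc-online
        labels.add(label[:i] + '-' + label[i:])
    labels.discard(label)
    candidates = {f'{l}.{suffix}' for l in labels}
    candidates.update(f'{label}.{tld}' for tld in TLDS if tld != suffix)   # TLD swap
    return candidates


def classify(observed, domain=MONITORED):
    """Map each suspicious observed name to the reason it was flagged."""
    label, _ = split_domain(domain)
    candidates = lookalikes(domain)
    hits = {}
    for name in observed:
        name = name.lower().rstrip('.')
        if name == domain or name.endswith('.' + domain):
            continue                                 # the bank's own hosts
        if name in candidates:
            hits[name] = 'typosquat, homoglyph or TLD-swap candidate'
        elif label in name.replace('-', ''):
            hits[name] = 'embeds the brand label'    # obconline-login.in, secure-obconline.co.in
    return hits
```

The candidate set is deliberately small and exact; the brand-label fallback catches the longer "secure-", "-login" style names that exact generation misses. Flagged names would then go to the "evaluation and verification" and "takedown" steps in the list above, and confirmed ones to the blocklist feeds.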

Data Breach
- An internal IT specialist leaked client data in an attempt to sell it to Lebanese banks
- 24,000 clients affected
- The largest breach in HSBC's history

Source: http://www.esecurityplanet.com/news/article.php/3870071/HSBC-Confirms-MassiveDatabase-Security-Breach.htm

Previous Instances
- In 2005, credit card information of over 180,000 General Motors MasterCard customers was leaked
- In 2008, a bug in imaging software revealed personal information of clients going through bankruptcy proceedings
- The British Financial Services Authority imposed a fine of around 5 million dollars, the largest ever on a banking institution
Source: http://www.msnbc.msn.com/id/7501064/ns/technology_and_science-security/t/warnedcredit-card-data-exposed/#.T3KXg9W87W0

Enhanced Security Systems

Log-ins and passwords
- A new security device and a two-step authentication process: 1) personal username and password; 2) a device-generated security code valid for only 30 seconds

Secure online sessions
- Indications in the browser that the session is secure
- The session automatically logs out after a set time

Encryption
- 128-bit SSL encryption

Layers of security
- Multiple layers of security

Time-outs and lockouts
- Multiple failed log-in attempts disable online access until the customer personally contacts the helpline desk
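The 30-second device code and the lockout rule above are the two pieces most worth seeing in code. The following is an added example, not code from the bank or from any device vendor named in the slides: a time-based one-time password in the standard RFC 6238 form (HMAC-SHA1 over a 30-second counter, truncated to six digits), together with a server-side verifier that tolerates one step of clock skew, refuses to accept the same step twice, and locks the account after repeated failures. The RFC 6238 test secret and the lockout threshold of three attempts are assumptions (the slides say access is disabled after multiple failures, not how many); whether the bank's device uses this exact algorithm is not stated on the page.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30      # the slides' "valid only for 30 seconds"
DIGITS = 6
MAX_FAILURES = 3       # assumption: the slides give no number


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the device shows."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Server side of the second step. Accepts the current or the immediately previous 30 s step
    (clock skew), never accepts a step at or before the last accepted one (replay), counts
    failures and locks the account after MAX_FAILURES, as the lockout slide describes."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret, self.step = secret, step
        self.last_step = -1
        self.failures = 0
        self.locked = False

    def verify(self, code: str, unix_time: int) -> bool:
        if self.locked:
            return False
        current = unix_time // self.step
        for counter in (current, current - 1):
            if counter > self.last_step and hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_step = counter          # this step can never be used again
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True                    # online access disabled until the helpline resets it
        return False

    def helpline_reset(self) -> None:
        """The out-of-band unlock from the slide (identity verified by phone; assumed)."""
        self.failures, self.locked = 0, False
```

With the RFC 6238 test secret b"12345678901234567890", totp(secret, 59) is "287082" (the RFC lists "94287082" for eight digits), which is what the assertions below check. Two details matter in practice and are easy to get wrong: the comparison is constant-time, and a code that was already accepted is rejected even while its 30-second window is still open, so a phisher who captures the code cannot reuse it after the victim has logged in.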

SSL Encryption Service Provider

BAMS Holdings
- Most trusted and secure option
- Extended validation
- 128-bit to 256-bit encryption
- Installation checker
- Easy management

Future Scope
- A new generation of anti-phishing software, together with education, to combat more sophisticated forms of information theft
- Protection for mobile phones
- Stricter laws

Conclusions
- Consumers play an active role in protecting themselves from phishing attacks
- Online security systems work perfectly when nothing is wrong (when they are not needed), and imperfectly at other times
- Promoting high confidence in security methods that cannot always provide the advertised protection increases the risk that overconfident users will be misled by criminals

Thank You
