By
Rohit K. Agrawal
MS in Information Systems Management
Ferris State University, 2011
BS in Engineering, India, 2008
Advisor:
Dr. James H. Jones, Jr.
Assistant Professor
Accounting, Finance, and Information Systems Department
This is dedicated to my Parents, Mr. Anoop K. Agrawal and Mrs. Nisha Agrawal, for
their unconditional love, patience and understanding. I would also like to thank my
teachers and friends for their extreme support and guidance.
ACKNOWLEDGEMENTS
1. I would like to thank Dr. James Jones, Information Systems Management (ISM)
professor at Ferris State University, for his valuable advice and constructive
2. Information provided in this research paper is entirely based on data obtained and
TABLE OF CONTENTS
Dedication 2
Acknowledgements 3
List of Tables 6
List of Figures 6
Abstract 7
CHAPTERS
Chapter 1 Introduction 8
Purpose 8
Research Points 8
Glossary of Terms 9
Financial Institution 14
Bank of America 17
Citibank 21
Summary 35
Chapter 3 Online Security Breaches 36
Introduction 36
Threat Categories 36
Anatomy of an Incident 43
References 69
LIST OF FIGURES
Figure Page
1. Evolution of Threat ........................................................ 24
LIST OF TABLES
Table Page
1. Source for Security Breaches .............................................. 42
ABSTRACT
This research paper is a requirement for the MISM 799 "Integrated Capstone Project" course,
a spring 2011 class in the Ferris State University Master of Science in Information Systems
Management program. The objective of this research paper is to provide the reader an
institutions and their offered services. It also explains the role of authentication and
security best practices in these institutions. This research paper contains description about
Chapter 1: This chapter briefly traces the offered services by financial institutions.
Chapter 5: This chapter shows the consequences of poor online security in financial
institutions.
CHAPTER 1
INTRODUCTION
Purpose
The purpose of this paper is to provide the reader an introductory exploration of the
current trends and best practices in online banking security on the Internet. Please
note that this paper is not intended to offer a comprehensive analysis of any covered areas
Research points
Within the confines of the paper requirements, the ensuing pages will focus on:
Role of Authentication
Glossary of Terms
The Address Verification Service (AVS) is a security system designed to combat one of
the most common forms of online credit card fraud. AVS compares the billing address
information provided by the customer with the billing address on file at the customer's
credit card issuer. The payment gateway receives an AVS response code and then either
Anti-virus
"Software that detects, repairs, cleans, or removes virus-infected files from a computer."
Bank:
Banking Security:
A customer's card code is a three- or four-digit security code printed on a credit card's
signature panel in reverse italics, or following the full number on the front of the card.
Similar to AVS, Card Code Verification (CCV) compares the customer's card code with
the card code on file at the credit card issuer. The payment gateway receives the card
code verification response code from the customer's bank and either accepts or declines
the transaction according to your configured settings. Since the card code should only be
known to the person in possession of the physical credit card, these additional numbers
CEO:
Chief executive officer, the corporate executive responsible for the operations of the firm;
(www.wordnetweb.princeton.edu/perl/webwn)
Cloud Computing:
A new generation of computing that utilizes distant servers for data storage and
management, allowing the device to use smaller and more efficient chips that consume
Cyber Space:
dimensional model through which a virtual-reality user can move (World English
Dictionary)
Database
Database Warehouse:
Direct Deposit:
It is an electronic transfer of a payment directly from the account of the payer to the
recipient's account.
E-Business:
This term is used for a company that has an online presence. It involves all business
functions.
E-Commerce:
Firewall:
Hackers:
Hackers are enthusiastic and skillful computer programmers or users. A hacker can use these skills
Internet:
The Internet is a global system of interconnected computer networks that use the
Intranet:
Java:
Malware:
It is a computer program which protects the user's computer or system from unwanted
hazardous software by removing viruses. It is a short name for malicious software.
Security:
It is the state of being secure; it can also be described as safety from risks, danger, threats, etc.
Spyware
Spyware is computer software designed specifically to gather information about a user's
browsing habits and send that information secretly to an individual or company that uses this
Threat
(www.dictionary.com)
Transaction
A.) Business Computing: The act of obtaining and paying for an item or service
Web Portal:
It is a junction for all information in one place. It is also known as a links page, which
presents information from varied sources in one place. A web portal offers information
World Wide Web (WWW):
documents and files. These servers also use hypertext to organize, connect, present and
Financial Institutions and Their Offered Services
Financial Institution:
There are many web definitions for the term Financial Institution. The one more
institutes are also responsible for collecting funds from the public and place them in
financial assets, such as deposits, loans, and bonds, rather than tangible property."
that provide financial services and advices to its clients. The financial institutions are
generally regulated by the financial laws of government authority." BYU: Marriot School
mentioned in their intermediate lessons and discussions that "There are two major types
of financial institutions: banks (i.e., deposit-type financial institutions) and nonbanks (i.e.,
non-deposit-type financial institutions). The choice of which institution you use depends
on which institution will serve your needs the best and help you achieve your goals the
fastest."
Commercial Banks
Credit Unions
Finance Companies
Building Societies
Retailers
The services provided by the various types of financial institutions may vary from one
institution to another. For example, the services offered by the commercial banks are
insurance services, mortgages, loans and credit cards. As mentioned in the BYU: Marriot
School intermediate lessons, "Commercial Banks compete by offering the widest variety
of services; however, they generally do not offer the highest interest rates on deposits or
the lowest interest rates on loans." BYU: Marriot School also mentioned that Commercial
also known as Deposit Type Financial Institute, is usually controlled by the members of
the union. The major difference between the credit unions and banks is that the credit
unions are owned by the members having accounts in it. As mentioned by BYU: Marriot
School, "Credit Union banks offer higher rates on savings accounts and lower rates on
The stock brokerage firms are the other types of financial institutions that help both the
corporations and individuals to invest in the stock market. The services provided by the
brokerage firms, on the other hand, are different and they are insurance, securities,
mortgages, loans, credit cards, money market and check writing. [C]
Another type of financial institution is the asset management firms. The prime
functionality of these firms is to manage various securities and assets to meet the
financial goals of the investors. The firms also offer fund management advice and
The insurance companies offer insurance services, securities, buying or selling services
of the real estates, mortgages, loans, credit cards and check writing. [C]
Large organizations, small firms, an individual family or a single person: any of
these can be customers of these financial institutions. They might need any kind of
service from these institutes, such as a loan, mortgage, insurance, bonds, etc. Before dealing
with any of these financial institutes, every customer asks certain questions of themselves,
or they have certain requirements or needs which these Financial Institutes must fulfill.
BYU: Marriot School mentioned in their intermediate lessons on the web that, "Choosing a
financial institution is a challenge. We must always try to accomplish our goals and then
seek to consider what these financial institutes can provide." Before engaging any
kind of service or institute, BYU has mentioned certain questions which are relevant
Are you looking for low costs, low fees, and high returns on deposits?
What services does the financial institution provide? If all you require is a high
return on your cash management assets, then your choices are much broader.
Here are the services offered by Bank of America and Citibank along with additional
Bank of America
Company Overview:
Barlas, Demir (2011) in his article "Lending Options Offered by America's Largest
residential mortgage bank. He also mentioned a short history about the foundation. In his
article Barlas (2011) mentioned that ―Bank of America has spent the past few years
growing by acquisition; for example, by buying LaSalle Bank for $21 billion in 2007 and
acquiring Countrywide Financial, the company most closely associated with the housing
decline of 2007, for $4 billion. Other monster acquisitions include the $50 billion deal for
FleetBoston in 2004 and the $35 billion purchase of MBNA in 2006, which brought
millions of credit card customers over to Bank of America. Acquisitions of other banks
Here is the timeline for the various acquisitions and mergers in the bank which is
In the year 2004, Bank of America acquired National Processing Company, which
In the same year of 2004, Bank of America made an acquisition deal with
FleetBoston Financial. This acquisition helped Bank of America to gain market share
In 2005, Bank of America declared that it was going to make an acquisition deal with
MBNA. After getting the approval of Federal Reserve Board, the acquisition finally
took place in January, 2006. This acquisition helped Bank of America to get a strong
In the year 2006, Bank of America declared that it would buy out The United States
trust Company and the deal was finally executed in January, 2007.
In 2007, Bank of America made a historic acquisition deal by acquiring LaSalle Bank
Recently, in January 2008, Bank of America has made an announcement that they are
One of the webpages of Realestatezing.com [D] mentions that "Among the financial
institutions, Bank of America is the largest in the world that serves individual consumer
as well as large corporations. Wide variety of investing, banking, financial and risk
management and asset management services are provided by the Bank of America. On
the whole the bank provides the facility of Checking, Savings, Mortgages, Auto and
Credit Cards, Investments, Global Corporate Credit, Capital Raising, Cash Management,
Trade Services. Along with this, Bank of America services can be categorized in the
following categories:
Personal Banking
Credit Cards
Mortgage
Auto Loans
Personal Loans
Insurance
Investment Services
Online Banking
IRAs are the investment schemes that comes under retirement plans
Home Equity
Retirement
Realestatezing.com also mentioned that "Bank of America Global Consumer and Small
Business Banking is the largest department of BofA. This also includes ATMs in other
countries through the Global ATM Alliance." Small Business Banking has the following
services:
Credit Cards
Health insurance
Trade services
Bank of America also helps the small business to start, grow and flourish. Along with this
the finances are also handled by the Bank of America. In the sector of Corporate and
Asset Management
Card Solutions
Trade Services
Endorsed Programs
Citibank
Company Overview:
Citibank, the consumer banking division of the leading financial services firm
Citigroup, is the 3rd largest retail bank in the US based on deposits. With branch
locations and subsidiaries in over 100 countries, Citibank provides a wide gamut of
investors. The bank also delivers a complete range of banking products and financial
Financial Center consists of a large network of local offices which are complemented by
electronic delivery systems, ATMs and Internet. The firm also sells products from its
York. [E]
As per UBPR report on Citibank (mgt.unm.edu), Citibank is split into five divisions,
each containing one or more Citi brands: banking, credit cards, lines and loans, investing,
and planning. Each division serves individual and corporate customers, with many Citi
Citibank is the commercial banking arm of Citigroup, and offers basic banking
Monitor (July, 2004), Citibank offers the following products and services:
Banking services
Credit cards
Mortgages
Loans
Investments
Planning/Retirement solutions
Insurance
Corporate/Institutional services:
Asset management
Government services
Business Insurance
Private banking
Deutsche Bank AG
HSBC Holdings
CHAPTER 2
have been implemented as an ever more efficient channel through which banking
transactions can be done without having to leave the house or office. In the end, however,
these home banking platforms are web-based applications that are exposed over the
Internet making their users a very appealing target for mal-intentioned individuals. The
evolution history of these attacks began more than 7 years ago initiating what quickly
became known as phishing. Its sophistication has increased on par with the new security
technologies adopted by the bank industry intended to mitigate the problem. The
following graph shows the evolution of the security problem affecting the e-banking
Image 1: Evolution of Threat. Retrieved from:
http://www.easysol.net/newweb/images/stories/downloads/Best_security_practices_online_banking.pdf
As no single formula can guarantee 100% security, there is a need for a set of
resources are used efficiently, and the best security practices are adopted. (HKSAR,
2008)
While information security plays an important role in protecting the data and assets of
websites, server hacking and data leakage. Organizations need to be fully aware of the
need to devote more resources to the protection of information assets, and information
security must become a top concern in both government and business. To address the
and in some cases, legal regulations on information security to help ensure an adequate
level of security is maintained, resources are used in the right way, and the best security
practices are adopted. Some industries, such as banking, are regulated, and the guidelines
or best practices put together as part of those regulations often become a de facto
Miller, Andrew (2006), said in his article retrieved from bankinforsecurity.com, "these
laws and regulations do a good job of defining the scope of information security and
spelling out the role of information security in risk management, they have little to say
about what constitutes effective information security or how to achieve it. Fortunately,
the International Standards Organization has developed two standards that do precisely
that, and by adhering to them banks can go a long way toward satisfying regulatory
compliance requirements.
The two standards, ISO 17799 and ISO 27001, together provide a set of best practices
and a certification standard for information security. The standards are both derived from
a British standard, BS7799, which for many years served as the authority for information
security. BS7799 came in two parts; part one, BS7799:1, became ISO 17799, while
accessible only to those authorized to have access), integrity (safeguarding the accuracy
and completeness of information and processing methods) and availability (ensuring that
authorized users have access to information and associated assets when required).
The standard contains 12 sections: risk assessment and treatment; security policy;
Within each section, information security control objectives are specified and a range of
controls are outlined that are generally regarded as best practices. For each control,
consistent with the best practices outlined in ISO 17799. Previously, organizations could
only be officially certified against the British Standard (or national equivalents) by
ISO 27001 is the first standard in a proposed series of information security standards
which will be assigned numbers within the ISO 27000 series. ISO 17799 is expected to
be renamed ISO 27002 in 2007. In the works is ISO 27004 - Information Security
and business partners who are concerned about information security. Certification against
ISO 27001 brings a number of benefits. Independent assessment brings rigor and
and associated risk reduction, and requires management approval, which promotes
governmental international body that collaborates with the International Electro technical
HKSAR (2008), here are the commonly adopted standards and regulations for
standard that originated from the BS7799-1, one that was originally laid down by the
British Standards Institute (BSI). ISO/IEC 27002:2005 refers to a code of practice for
guideline for developing organizational security standards and effective management
practices.
This standard contains guidelines and best practices recommendations for these 10
security domains: (a) security policy; (b) organization of information security; (c) asset
management; (d) human resources security; (e) physical and environmental security; (f)
communications and operations management; (g) access control; (h) information systems
Among these 10 security domains, a total of 39 control objectives and hundreds of best-
practice information security control measures are recommended for organization have to
satisfy the control objectives and protect information assets against threats to
The international standard ISO/IEC 27001:2005 has its roots in the technical content
derived from BSI standard BS7799 Part 2:2002. It specifies the requirements for
that aims to establish, implement, monitor and improve the effectiveness of an
ISO/IEC 27001 defines the requirements for ISMS, and uses ISO/IEC 27002 to outline
the most suitable information security controls within the ISMS. ISO/IEC 27002 is a code
of practice that provides suggested controls that an organization can adopt to address
and certify the security assurance of a technology product against a number of factors,
such as the security functional requirements specified in the standards. [HKSAR, 2008]
Hardware and software can be evaluated against CC requirements in accredited testing
laboratories to certify the exact EAL (Evaluation Assurance Level) the product or system
can attain. There are 7 EALs: EAL1 - Functionally tested, EAL2 - Structurally tested,
EAL3 - Methodically tested and checked, EAL4 - Methodically designed, tested and
designed and tested, and EAL7 - Formally verified, designed and tested. A list of
Common Criteria portal. The list of products validated in the USA can be found on the
web-site of the Common Criteria Evaluation and Validation Scheme for IT Security
As per information retrieved from HKSAR, 2008, The Payment Card Industry (PCI)
and Data Security Standard (DSS) was developed by a number of major credit card
Worldwide and Visa International) as members of the PCI Standards Council to enhance
payment account data security. The standard consists of 12 core requirements, which
and other critical measures. These requirements are organized into the following areas:
3. Maintain a Vulnerability Management Program
COBIT
The Control Objectives for Information and related Technology (COBIT) is ―a control
generally accepted process model, identifies the major IT resources to be leveraged and
Institute (ITGI) first released it in 1995, and the latest update is version 4.1,
published in 2007.
governance that allows managers to bridge the gap between control requirements,
technical issues and business risks. Based on COBIT 4.1, the COBIT Security Baseline
focuses on the specific risks around IT security in a way that is simple to follow and
and considers the central role of the user. It was developed by the United Kingdom's
Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC
The self-assessment questionnaire helps evaluate the following management areas: (a)
Service Level Management, (b) Financial Management, (c) Capacity Management, (d)
Service Continuity Management, (e) Availability Management, (f) Service Desk, (g)
In addition to the various industry standards bodies and guidelines, certain regulated
businesses, such as banking, may need to observe the regulations and guidelines specified
by their own industry or professional regulatory bodies. In this section, we briefly discuss
the US regulations SOX, COSO, HIPAA, and FISMA regulations. [HKSAR, 2008]
SOX
After a number of high profile business scandals in the US, including Enron and
WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) was enacted as legislation in 2002.
This act is also known as the "Public Company Accounting Reform and Investor
Protection Act". The purpose is to "protect investors by improving the accuracy and
reliability of corporate disclosures made pursuant to the securities laws, and for other
purposes". This regulation affects all companies listed on stock exchanges in the US. As
information technology plays a major role in the financial reporting process, IT controls
would need to be assessed to see if they fully satisfy this SOX requirement.
Although information security requirements have not been specified directly in the
Act, there would be no way a financial system could continue to provide reliable
COSO
1. Control Environment, including factors like integrity of people within the organization
2. Risk Assessment, aiming to identify and evaluate the risks to the business;
3. Control Activities, including the policies and procedures for the organization;
business and communication channels for delivering control measures from management
to staff;
5. Monitoring, including the process used to monitor and assess the quality of all internal
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law
designed to improve the portability and continuity of health insurance coverage in both
the group and individual markets, and to combat waste, fraud, and abuse in health
insurance and health care delivery as well as other purposes. The Act defines security
standards for healthcare information, and it takes into account a number of factors
including the technical capabilities of record systems used to maintain health information,
the cost of security measures, the need for training personnel, the value of audit trails in
computerized record systems, and the needs and capabilities of small healthcare
the integrity and confidentiality of that information. In addition, the information should
be properly protected from threats to the security and integrity of that information,
The full set of rules regarding adoption of the HIPAA standards for the security of
electronic health information and privacy of personal health information can be found in
FISMA
FISMA stands for Federal Information Security Management Act, and is a part of the
US E-Government Act (Public Law 107-347) that became legislation in 2002. It requires
provide information security for the information (and information systems) that support
the operations and assets of the agency. Some of the requirements include:
1. Periodic risk assessments of information and information systems that support the
acceptable level
3. Plans for providing adequate security for networks and information systems
5. Periodic evaluation and testing of the effectiveness of the security policies, procedures
and controls. The frequency should not be less than annually. Remedial action to address
Summary
organization can only benefit if those standards are implemented properly. Security is
something that all parties should be involved in. Senior management, information
security practitioners, IT professionals and users all have a role to play in securing the
full cooperation at all levels of an organization, both inside and outside. [HKSAR, 2008]
CHAPTER 3
Introduction
Security breaches can have a far-reaching impact to not only a company's finances, but
to their reputation as well. As mentioned in the white paper by Safenet (Pg-3, 2010),
"Companies are required to prove their compliance with these regulations and will be
held liable for their failure to do so. There is an expectation from customers, employees,
and partners (anyone that entrusts a company with their sensitive information) that this
information will be protected. Financial organizations must consider all of the potential
damage that can be done to their business if sensitive data is lost or stolen: lawsuits,
negative publicity, loss of sales and customer confidence, and permanently tarnished
reputations. Studies have shown that the financial services industry has become a primary
target of cyber-attacks on a global scale. This is not surprising considering the highly
valuable information that all FSPs collect and maintain on a daily basis.
Threat Categories
Bonnette, Cynthia. (Pg. 9- Pg. 11, July, 2003) mentions in her white paper that "The
resources (facilities, equipment). Each of these factors will impact potential threat
sources, their motivation, method, and consequences. An understanding of threats can
best be achieved by grouping them into categories." Three intuitive categories include
human, non-human, and mixed threats. Specific examples include the following:
Human: People based threats can include individuals from inside and outside the
organization. This represents the broadest category with a wide range of capabilities and
motivations. Within this broad category, a number of subgroups can be identified for
independent assessment:
technology and desire to learn more by playing with systems and testing their
intentions. While claiming a strong interest in technology, their goals tend to be criminal
Insiders – This group includes a wide range of individuals with some degree of
legitimate access to an organization's systems (e.g., full and part time employees at all
levels, consultants, contractors, etc.). These individuals may cause harm out of malicious
present similar concerns as insiders. Their access to information systems and data can
Competitors – Foreign or domestic competitors may seek to gain an advantage by
exploiting information systems. This may be done with the assistance of hired crackers or
Terrorists – This group may include political or social organizations that seek to
gain attention and influence through disruptive and harmful acts. Terrorist attacks can be
disasters such as fires, floods, earthquakes, tornadoes, hurricanes, and severe storms.
Generally, this category of threat sources consists of non-targeted events (i.e., a financial
institution is not "singled out" by the threat source). However, based on the geographic
location, and other circumstances, the possibility of experiencing an event involving one
Mixed – This category consists of threat sources that are characterized by a blend
of human and non-human involvement. Examples include malicious code (Trojan horses,
viruses, worms, etc.) that is originally created by a person, but then takes on a "life of its
own" on the Internet. Such mixed threats may be targeted at specific financial institutions
In CERT's OCTAVE Method, threat scenarios are developed based on known attack
The Threat Environment
providers are faced with complex challenges that directly affect their bottom line and,
potentially, their very survival in a high-churn market. Protecting sensitive and critical
data, no matter where it resides, and ensuring that only the appropriate persons have
access to that data, should be a core requirement of every company's security strategy.
With the rising incidence of threats to sensitive data, and increasing requirements to
protect that data, organizations must focus squarely on their security infrastructure. For
financial services organizations, the importance of protecting financial data and assets,
and retaining the trust of its customers, employees, and business partners, cannot be
overstated."
Phishing – Although passwords can also be obtained through less sophisticated means
common form of cybercrime typically carried out through e-mail or instant messaging,
providing links or instructions that direct the recipient to a fraudulent Web site
(such as user names, passwords, Social Security Numbers, and credit card/account
numbers), which is then collected by the hacker. Of particular attraction to phishing scams
Password Database Theft – Stolen user credentials are a valuable commodity and,
often times, cybercrime rings operate solely to obtain this information and sell it to the
highest bidder or use it themselves to access user accounts. Hackers steal user data and
passwords from one web site operator to hack other sites. Since many people use the
same user ID and password combination for multiple sites, the attacker can hack
years ago that is responsible for the theft of login credentials of approximately 300,000
online bank accounts and almost as many credit card accounts. In late 2009, Microsoft
Hotmail, Google Gmail, Yahoo, and AOL were victims of phishing attacks that exposed
Man-in-the-Middle (MitM) – In this type of threat, the attacker can actively inject
messages of its own into the traffic between the user's machine and the authenticating
server. One approach for MitM attacks involves pharming, which involves the use of
compromised DNS servers to redirect users from the legitimate site they are trying to
access to a malicious fraudulent Web site that accesses the user credentials and acts on
attack, that infects the user internet browser and inserts itself between the user and the
Web browser, modifying and intercepting data sent by the user before it reaches the
browser's security mechanism. A MitB attack has the ability to modify Web pages and
transaction content in a method that is undetectable by the user and host application. It
operates in a stealth manner with no detectable signs to the user or the host application.
attacker's account.
Identity Theft – Identity theft refers to all types of crime in which someone illicitly
obtains and uses another person's personal data through deception or fraud, typically for
monetary gain. With enough personal information about an individual, a criminal can
assume that individual's identity to carry out a wide range of crimes. Identity theft occurs
through a wide range of methods—from very low-tech means, such as check forgery and
mail theft to more high-tech schemes, such as computer spyware and social network data
mining. The following table8 illustrates well-known social Web sites that have been
attacked.
Pharming – Poisoning the DNS cache on the user's PC so it appears to access the
correct URL, when in reality it is redirecting the browser to a spoofed site; this can also
Spoofed Site – Presenting a link to a fake site that looks and feels like the original
Duress – Using e-mail or calling the user with a threat of shutting down the account if
Session Hijacking – Using an authenticated session (after the user authenticated) to
mimic a new session and conduct transactions from the compromised account.
IVR Spoofing – Faking Interactive Voice Response (IVR) systems that call on users to
Cookie Theft – Theft of software cookies that are used to assume the victim's digital
identity.
authenticated user (i.e. if a user views check images online or at a physical ATM / teller
location).
Anatomy of an Incident
commerce payment card security, he described the anatomy of incidents drawn from previously
hacked websites and their patterns. He mentioned that "Hackers attack via common
infrastructure and web application vulnerabilities. They use newly discovered exposures
such as the Kaminsky Domain Name Service Vulnerability, which caused administrators
to scramble to patch affected systems recently. Hackers also use obscure, legacy attacks
such as session replay (where the hacker provides an authorized user with a session id,
monitors for its use and hijacks the session). Gideon T. Rasmussen (2008) also said that
"They follow trends, such as compromise of data in transmission across internal private
environment
• Vendor or third-party connections to the cardholder environment without prior
consent and/or a trouble ticket.
• SQL Injection attempts in web server event logs.
• Authentication event log modifications (i.e. unexplained event logs being deleted).
• Presence of .zip, .rar, .tar, and other types of unidentified compressed files.
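One of the indicators listed above is SQL injection attempts in web server logs. The following is an added example, not part of the paper or of Rasmussen's document, of a small detector that URL-decodes the request line of combined-format access log entries and flags common injection signatures; the log lines, addresses and the signature list are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: client address, timestamp, request line and status are the fields used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures of injection probes as they look in the decoded request URL (constructed list,
# deliberately small; a production ruleset is larger and tuned against false positives).
SQLI_PATTERNS = {
    "union-select": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "tautology": re.compile(r"(?i)\b(?:or|and)\b\s*['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    "time-delay": re.compile(r"(?i)\bsleep\s*\(|\bwaitfor\s+delay\b"),
    "comment-or-schema": re.compile(r"(?i)--\s|/\*|\binformation_schema\b"),
}

def parse_line(line: str):
    """Returns the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path: str):
    """Name of the first matching signature in the URL-decoded path, or None."""
    decoded = unquote_plus(path)
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(decoded):
            return name
    return None

def suspicious_requests(lines):
    """All requests whose decoded URL matches a signature, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = classify(rec["path"])
        if name:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                         "signature": name, "status": int(rec["status"])})
    return hits

def probes_per_source(hits):
    """Repeated probes from one address are the usual triage starting point."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log (documentation IP ranges, fictitious paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2011:13:55:36 -0400] "GET /account?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2011:13:55:41 -0400] "GET /account?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9812',
    '198.51.100.9 - - [10/Apr/2011:13:56:02 -0400] "GET /search?q=union+select+user%2Cpass+from+users HTTP/1.1" 500 233',
    '203.0.113.7 - - [10/Apr/2011:13:56:30 -0400] "GET /item?id=5%3B%20WAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print(h["ip"], h["signature"], h["path"])
    print(probes_per_source(suspicious_requests(SAMPLE_LOG)))
```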
CHAPTER 4
The following standard computer security best practices can protect your transactions
and business. They have been retrieved from the Authorize.net article "Security Best Practices"
(p. 6, 2005-2006).
Install a Firewall
eliminate unauthorized or unwanted external activity and safeguard your network and
For maximum information security, you should never store sensitive customer
information, such as credit card numbers. If for some reason it is necessary to store this
Internet. If sensitive information is stored in hard copy, thoroughly shred and dispose of
Anti-virus software is another important way to protect your network and computer
systems from outside threats. This software should be updated regularly.
Regularly Download and Install Security Updates
Software performance and security can be optimized by installing all service and
security updates. If you ever need to reinstall your software, remember to reinstall all
updates.
Share access to network drives and individual computers only with needed, trustworthy
users. Especially avoid sharing access to files that store passwords and other confidential
or sensitive information.
online chat session. Your business should also never request or submit confidential
requesting you to submit confidential information in an insecure manner, always call the
The following are the security best practices based on the document by Gideon T.
1. Comply with the PCI Data Security Standard (DSS). Use the PCI DSS as a reference
Additional PCI guidance can be found in navigating the DSS and PCI information
supplements.
2. Protect card data in storage and transmission. Render card numbers unreadable
anywhere they are stored (DSS requirement 3.4). Options for secure storage include
strong encryption, truncation, and hashing. Use strong encryption to safeguard card data
in transmission across public networks (requirement 4.1). As a best practice, encrypt card
data across internal networks between web, application and database servers.
3. Do not store prohibited data. E-commerce merchants often provide the ability for
customers to store their card number in order to make future transactions. Under PCI
standards, it is forbidden to store CVV2 data (the three digit number on the back of a
card). Hackers can use CVV2 codes combined with card numbers to conduct fraudulent
transactions.
4. Focus on data flow. Ensure appropriate controls are in place anywhere card data is
stored, processed or transmitted. This key DSS directive is absolutely critical to keeping
5. Implement world class network security. The DSS provides detailed requirements for
network security via router and firewall configurations, demilitarized zone networks,
applications in accordance with industry standard hardening guides. Install anti-virus and
7. Actively manage software development. Develop custom applications in accordance
with an industry standard methodology. Refer to the Secure Software Development Life
8. Evaluate web-facing applications. DSS requirement 6.6 provides two options: conduct
10. Conduct network scans. For an improved security posture, shorten the scan interval to
once a month. Scanning once a quarter may leave a vulnerability undiscovered for 90
11. Use secure payment applications. Use software from Visa's List of Validated
detect attacks and provide forensic information for incident response. If an incident
occurs, the goal should be to detect it early on and limit further data compromise.
13. Monitor for new threats and vulnerabilities. New vulnerabilities are detected daily.
14. Thoroughly evaluate service providers. Merchants are liable when card data is shared
with a service provider. Therefore, it is prudent to thoroughly evaluate their security
business need. For example, if an end user's duties only require access to one card
number at a time, ensure controls are in place to limit access by those constraints.
16. Implement fraud detection measures. Monitor access to card data for fraudulent
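Items 2 and 3 above concern card data at rest. The following is an added example, not code from the paper or from the PCI Council, showing two of the named storage options, truncation and keyed hashing, applied to a card-on-file record, plus an audit routine that flags a stored CVV2 or an unmasked card number. The key, the test card number and the record field names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed key for the lookup hash; a real deployment keeps it in a key store, not in code.
INDEX_KEY = b"constructed-demo-key-not-for-production"

def luhn_ok(pan: str) -> bool:
    """Payment-card checksum; rejects malformed numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def normalise_pan(raw: str) -> str:
    """Strips spaces and dashes and checks length and checksum."""
    pan = re.sub(r"[ -]", "", raw)
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a plausible card number")
    return pan

def truncate_pan(pan: str) -> str:
    """Truncation: at most the first six and last four digits survive for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def index_token(pan: str) -> str:
    """Keyed hash for 'have we seen this card before' lookups. An unkeyed hash would be
    reversible by brute force because the space of valid card numbers is small."""
    return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()

def card_on_file_record(form: dict) -> dict:
    """Builds the record kept for a returning customer. The CVV2 in the submitted form is
    used only for the authorisation and is never copied into storage (item 3 above)."""
    pan = normalise_pan(form["pan"])
    return {"display": truncate_pan(pan), "lookup": index_token(pan),
            "expiry": form["expiry"]}

PAN_RUN = re.compile(r"\d{13,19}")

def audit_record(record: dict) -> list:
    """Flags prohibited data at rest: a CVV2 field or a Luhn-valid digit run (unmasked PAN)."""
    findings = []
    if "cvv2" in record:
        findings.append("cvv2 stored")
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for run in PAN_RUN.findall(re.sub(r"[ -]", "", value)):
            if luhn_ok(run):
                findings.append(f"unmasked PAN in field '{field}'")
    return findings
```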
Internet-based products and services to their customers should use effective methods to
authenticate the identity of customers using those products and services. Consistent with
services,
Financial institutions engaging in any form of Internet banking should have effective and
money laundering and terrorist financing to reduce fraud, to inhibit identity theft, and to
promote the legal enforceability of their electronic agreements and transactions. The risks
banking environment can result in financial loss and reputation damage through fraud,
• Something the user has (e.g., ATM card, smart card); and
Authentication methods that depend on more than one factor are more difficult to
deterrents.
Shared Secrets
Shared secrets (something a person knows) are information elements that are known or
shared by both the customer and the authenticating entity. Passwords and PINs are the
best known shared secret techniques but some new and different types are now being
used as well.
Tokens
Tokens are physical devices (something the person has) and may be part of a multifactor
authentication scheme. Three types of tokens are discussed here: the USB token device,
The USB token device is typically the size of a house key. It plugs directly into a
computer's USB port and therefore does not require the installation of any special
hardware on the user's computer. Once the USB token is recognized, the customer is
prompted to enter his or her password (the second authenticating factor) in order to gain
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to
store and process data. Inclusion of the microprocessor enables software developers to
use more robust authentication schemes. To be used, a smart card must be inserted into a
compatible reader attached to the customer's computer. If the smart card is recognized as
valid (first factor), the customer is prompted to enter his or her password (second factor)
Password-Generating Token
password each time it is used. The token ensures that the same OTP is not used
consecutively. The OTP is displayed on a small screen on the token. The customer first
enters his or her user name and regular password (first factor), followed by the OTP
generated by the token (second factor). The customer is authenticated if (1) the regular
password matches and (2) the OTP generated by the token matches the password on the
systems, every 30 seconds. This very brief period is the life span of that password. OTP
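The time-synchronised token and the server-side check described above, as an added example that is not from the paper or the FFIEC guidance. It assumes the token uses the HMAC-SHA1 construction of RFC 4226/6238 with a 30-second step, and adds the rule that a step which has already been consumed is never accepted again, so the same OTP cannot be replayed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # life span of one password, as stated in the text
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based OTP: HMAC-SHA1 over the big-endian counter, dynamically truncated
    (the RFC 4226 construction, assumed here to be what the token implements)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Token side: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step)

class OtpVerifier:
    """Server side. Accepts the code for the current step (plus one step of clock drift
    either way) and refuses any step that has already been used."""
    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_counter = -1   # highest step already consumed by a successful login

    def verify(self, code: str, at: int) -> bool:
        now = at // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue      # replayed or stale OTP: not accepted a second time
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

def password_record(password: str, salt: bytes) -> bytes:
    """Only a salted PBKDF2 hash of the regular password (first factor) is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(verifier: OtpVerifier, record: bytes, salt: bytes,
          password: str, otp: str, at: int) -> bool:
    """Both factors in the order the text gives: (1) regular password, (2) token OTP.
    A wrong password is rejected before the OTP is examined, so it consumes no step."""
    if not hmac.compare_digest(record, password_record(password, salt)):
        return False
    return verifier.verify(otp, at)
```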
Biometrics
Biometric technologies identify or authenticate the identity of a living person on the basis
characteristics include, for example, the rate and flow of movements, such as the pattern
from one or more physiological or physical characteristics; the samples are converted into
a mathematical model, or template; and the template is registered into a database on
person has).
Various biometric techniques and identifiers are being developed and tested; these
include:
• Fingerprint recognition;
• Face recognition;
• Voice recognition;
• Keystroke recognition;
• Handwriting recognition;
• Iris scans.
Two biometric techniques that are increasingly gaining acceptance are fingerprint
Scratch cards (something a person has) are less-expensive, "low-tech" versions of the
OTP generating tokens discussed previously. The card, similar to a bingo card or map
format, i.e., a grid. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user
name and password in the established manner. Assuming the information is input
correctly, the customer will then be asked to input, as a second authentication factor, the
characters contained in a randomly chosen cell in the grid. The customer will respond by
typing in the data contained in the grid cell element that corresponds to the challenge
coordinates.
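The grid-card challenge described above, as an added example that is not part of the paper. The 5x5 grid, three-character cells, per-customer salt and lockout after three failures are assumptions; the bank stores only keyed digests of the cell values, so a leaked database does not reveal the card, and each challenge can be answered only once.

```python
import hashlib
import hmac
import secrets
import string

ROWS, COLS, CELL_LEN = "ABCDE", "12345", 3   # assumed card geometry
ALPHABET = string.ascii_uppercase + string.digits

def issue_card() -> dict:
    """The card printed for the customer: one short code per cell, e.g. 'B3' -> 'X7Q'."""
    return {r + c: "".join(secrets.choice(ALPHABET) for _ in range(CELL_LEN))
            for r in ROWS for c in COLS}

def cell_digest(salt: bytes, coord: str, value: str) -> str:
    """Keyed digest bound to the coordinate, so identical codes in two cells differ."""
    return hmac.new(salt, (coord + ":" + value).encode(), hashlib.sha256).hexdigest()

def enrol(card: dict, salt: bytes) -> dict:
    """What the bank keeps: a digest per cell under a per-customer salt, not the codes."""
    return {coord: cell_digest(salt, coord, value) for coord, value in card.items()}

class GridChallenge:
    def __init__(self, stored: dict, salt: bytes, max_failures: int = 3):
        self.stored, self.salt, self.max_failures = stored, salt, max_failures
        self.failures = 0
        self.pending = None      # coordinate the customer has been asked for
        self.locked = False

    def challenge(self) -> str:
        """Picks a random cell and returns its coordinates as the challenge."""
        if self.locked:
            raise PermissionError("card locked after repeated failures")
        self.pending = secrets.choice(sorted(self.stored))
        return self.pending

    def respond(self, answer: str) -> bool:
        """Checks the customer's answer against the pending cell in constant time."""
        if self.locked or self.pending is None:
            return False
        coord, self.pending = self.pending, None   # a challenge is answerable once
        expected = self.stored[coord]
        got = cell_digest(self.salt, coord, answer.strip().upper())
        ok = hmac.compare_digest(expected, got)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok
```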
Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the
one the customer is using to initiate the transaction. This type of layered authentication
has been used in the commercial banking/brokerage business for many years.
One technique to filter an online transaction is to know who is assigned to the requesting
Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned
either by an Internet Service Provider or as part of the user's network. If all users were
issued a unique IPA that was constantly maintained on an official register, authentication
by IPA would simply be a matter of collecting IPAs and cross-referencing them to their
owners. However, IPAs are not owned, may change frequently, and in some cases can be
"spoofed." Additionally, there is no single source for associating an IPA with its current
where they are or, conversely, where they are not. Geo-location software inspects and
analyzes the small bits of time required for Internet communications to move through the
network. These electronic travel times are converted into cyberspace distances. After
these cyberspace distances have been determined for a user, they are compared with
cyberspace distances for known locations. If the comparison is considered reasonable, the
Customer verification complements the authentication process and should occur during
matches information available from trusted third party sources. More specifically, a
database.
do the telephone area code, ZIP code, and street address match).
Negative verification to ensure that information provided has not previously been
CHAPTER 5
As per the White Paper by Osterman Research (2011), the problems associated with
significantly less productive during these downtime periods, in some cases 100% less
productive. Further, any sort of messaging or Web exploit will require IT staff to address
the issue as soon as possible after the problem is discovered. This can lead to IT staff
working on weekends, the delay of various IT projects, rebuilding desktops, and other
costs that may be difficult to estimate. Security exploits can also lead to extended email
or other service outages that can have serious ramifications for user productivity.
Financial losses
Loss of funds arising from the use of malware like Zeus, which is designed to steal
money from victims' financial accounts, can have a devastating impact on an organization.
Just one of the many examples of Zeus victims is Parkinson Construction, a firm with
$20 million in annual revenue that lost $92,000, nearly 0.5% of its annual revenue, simply
because the owner of the firm clicked on an email claiming to be from the Social Security
Administration.
Loss of customer data
Data breaches can result in the need to remediate them in expensive ways, such as
notifying customers via postal mail that their data was lost, provision of credit reporting
services to the victims for a year or longer, loss of future business, embarrassing press
coverage and loss of goodwill. The Ponemon Institute has determined that the cost of a
single data breach ranges from $98 in the United Kingdom to $204 in the United States.
Trade secrets, confidential information and other intellectual property can be lost as a
result of poor security. These losses can occur across a wide range of venues and
unencrypted file transfer, data that is lost on an unencrypted mobile device or flash drive,
or data that is taken home by employees and stored without any IT controls. Osterman
Research (2011),
If adequate security defenses are not maintained, organizations can run afoul of a wide
variety of statutes that require data to be protected and retained. Osterman Research
(2011), also mentions that "decision makers in one out of five organizations do not know
which compliance laws apply to their organization. A small sampling of these lists
The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set
assigning unique IDs to each individual that has access to cardholder information.
personal information to transmit and store this information in such a way that its
requirements.
a Canadian privacy law that applies to all companies operating in Canada. Like
many other privacy laws, it requires that personal information be stored and
transmitted securely.
reaching law that requires any holder of personal information about a California
resident – regardless of where they are located – to notify each resident whose
information may have been compromised in some way. Since California passed
this groundbreaking data breach notification law, most other US states have
passed similar laws. These laws require organizations to notify customers and
others for whom sensitive data is held if their data is exposed to an unauthorized
Other issues
Osterman Research (2011) also mentions that there are a number of other problems that
can occur from malware and other threats delivered via email, the Web, Web 2.0
Internet service outages, which can create serious problems for core business
these outages are the potential for data leakage, and lack of compliance with
Web sites being taken down for long periods in order to patch the code to
eliminate an exploit.
The exposure of FTP and other login credentials to attackers and other
cybercriminals
The download of malware that can turn corporate and home-based computers into
What Should You Do to Address the Problem?
It may sound obvious, but IT and business decision makers must determine exactly
what they must protect today, and what they can reasonably expect that they will need to
protect over the next few years. For example, this list should include things like:
Threats introduced by employee devices that are brought into the workplace and
that are used to access corporate resources. This should include iPads, personal
smartphones, personal laptops, etc. Monitoring and/or preventing what leaves the
other mobile devices, social media posts, flash drives, portable hard drives, etc. to
As important as establishing what must be done is establishing what must not be done.
For example, a blanket prohibition on the use of social media tools like Facebook or
Twitter, or preventing users from employing personal Webmail systems at work can have
well as user productivity if employees are not permitted to use certain consumer-focused
tools that can help them get their work done. Plus, employees will probably use these
tools anyway unless IT imposes draconian controls that will most likely have the side
Any organization that seeks to protect its users, data and networks from Web-based
threats must establish detailed and thorough policies about acceptable use of all of their
online tools: email, instant messaging, Web 2.0 applications, collaboration tools,
smartphones, flash drives and the Web itself. Successfully addressing these problems
must start with an acknowledgement of the threat landscape and the corresponding
policies about how tools will be used before technologies are deployed to address the
problems. Further, there must be buy-in across the organization in order for policies to be
effective. For example, a policy against the use of social media tools may seriously
not allowing the use of unauthorized file transfer tools may prevent users from sending
that prevent employees from discussing their employer on their own time, sharing
comments about union organization, etc. may not be legal. Osterman Research (2011).
becoming increasingly critical as the network perimeter becomes less well defined over
time as noted earlier. For example, traditional security architecture had a clearly defined
firewall that separated internal IT-managed resources from the outside world. However,
the increasing use of personal devices that can connect as easily to a Starbucks Wi-Fi
network as they can to a corporate network, Web 2.0 applications like Twitter, or
means that the network perimeter is rapidly disappearing. This has made security a much
more difficult proposition for IT decision makers, largely because there are so many more
devices and data sources to protect. Consequently, any organization should consider
deploying:
capabilities.
Web content monitoring capabilities that include basic URL filtering, granular
Integrated Web and email security as a way to defend against more sophisticated
home-based platforms.
corporate network.
Real-time monitoring and reporting capabilities that will provide visibility into
Feedback loop systems that will enable community-watch defenses and reports on
There are a variety of ways in which messaging and Web security capabilities can be
managed, including:
Server-based systems
On-premise solutions deployed at the server level, where most data typically resides,
resolve many of the problems associated with client-side systems by allowing easier
deployment and management capabilities, as well as the ability to more easily enforce
Gateway security stops threats at the earliest possible point in the on-premise
infrastructure and is a best practice for organizations that manage on-premise defenses.
Client-side systems
Client-based systems, such as URL filtering tools, anti-virus tools, spyware blockers
and the like, provide useful capabilities and can be effective at preventing a variety of
threats. Client-side anti-virus tools, for example, are an important best practice for any
organization to prevent malware from being introduced via flash drives or other local
SaaS/cloud-based services
SaaS and hosted services are increasing in popularity and offer another option for
advantages of this model are that no investments in infrastructure are required, up-front
costs are minimal, ongoing costs are predictable, and all management and upgrades of the
system are provided by the SaaS or cloud service. A potential disadvantage of SaaS or
cloud services, particularly for Web traffic, is proxying all traffic to the host and
addressing latency issues. Their costs can be higher than for on-premise systems in some
Managed services
Managed services are similar in concept to hosted services, but a third party – either
with staff on-site or via a remote service – manages the on-premise infrastructure, installs
upgrades, and updates signature files and the like. Costs can vary widely for managed
personnel are located on-premise or in the third party's data center, and other factors.
Virtual appliances
Another option, and one that is finding significant uptake in security applications, is the
and security software that runs in a virtualized environment. Advantages of the virtual
appliance approach include the ease of deploying new capabilities, the ability to move
virtual appliances from one physical server to another for purposes of maintenance or
failover protection, very high availability, reduced power consumption and minimal IT
Hybrid offerings
infrastructure with hosted or cloud based services. For example, an email security vendor
may provide a malware-filtering appliance on-site, but couple this with a hosted filtering
service that acts as a sort of pre-filter; or they may rely on a hosted antivirus service and
desktop anti-virus tools. The fundamental advantage of this approach is that the on-
premise infrastructure is protected from spikes and overall increases in the volume of
malicious traffic over time, thereby preserving the on-premise investment and
deployed for Web security, where on-premise infrastructure is used to secure larger
offices and cloud-based services are used to secure smaller sites where on-premise
CONCLUSION
Online banking security is essential for every financial institution. Information, or
data, plays a major role in every organization. A small mistake or loophole can lead to a
major disaster or a huge loss for the company. So information security has become very
important for every organization, especially financial institutions. Every year, many new
viruses and malicious programs are created to attack our systems, intended to steal
personal information such as Social Security numbers, bank account numbers and other
personal identifiers. So it has become a challenge for us and many e-commerce
Financial institutions have made, and should continue to make, efforts to educate their
customers. Because customer awareness is a key defense against fraud and identity theft,
effectiveness include tracking the number of customers who report fraudulent attempts to
information security links on Web sites, the number of statement stuffers or other direct
mail communications, the dollar amount of losses relating to identity theft, etc."
organizations can secure their digital communication and transaction systems, and
electronic transactions, such as credit and debit cards purchases, and online banking and
investments, it is increasingly important for financial services providers to institute strict
control over how customer information is protected on their networks, both during and
and preserving the financial service brand. Financial institutions should conduct a risk
assessment to identify the types and levels of risk associated with their Internet banking
applications. Where risk assessments indicate that the use of single-factor authentication
security, or other controls reasonably calculated to mitigate those risks. The agencies
organization can only benefit if those standards are implemented properly. Security is
something that all parties should be involved in. Senior management, information
security practitioners, IT professionals and users all have a role to play in securing the
REFERENCES
[A] Investorswords.com. Retrieved on Sunday, April 10, 2011 from the World
Wide Web: http://www.investorwords.com/1950/financial_institution.html
[B] Wikipedia.org. Retrieved on Sunday, April 10, 2011 from the World Wide
Web: http://en.wikipedia.org/wiki/Financial_institutions
[C] Mapsofworld.com. Retrieved on Sunday, April 10, 2011 from the World
Wide Web: http://finance.mapsofworld.com/financial-institutions/types.html
[D] Realestatezing.com. Retrieved on Monday, April 11, 2011 from the World
Wide Web: http://www.realestatezing.com/banks-in-usa/bank-of-america/history-bofa.html
Wikiinvest.com. Retrieved on Saturday, April 09, 2011 from the World Wide
Web: http://www.wikinvest.com/stock/Bank_of_America_(BAC)
DataMonitor (July, 2004). Citibank N.A. Company Profile. Retrieved from World
Wide Web on April 12, 2011:
http://213.194.86.162/Webtools/Basvurular/!webpubpic/file/Citibank.pdf
Easy Solutions, Inc. (2009). Best Practices in online Banking Platforms. Retrieved
on April 05, 2011 from:
http://www.easysol.net/newweb/images/stories/downloads/Best_security_practices_online_banking.pdf
Miller, Andrew. (October 2, 2006). ISO 17799 and 27001: Setting the Standards
for Information Security. Retrieved on March 25, 2011 from:
http://www.bankinfosecurity.com/articles.php?art_id=165&opg=1
Mapsofworld.com. Retrieved on Sunday, April 01, 2011 from the World Wide
Web: http://finance.mapsofworld.com/merger-acquisition/bank/bank-americas.html
Personalfinance.com. Retrieved on Sunday, April 01, 2011 from the World Wide
Web: http://personalfinance.byu.edu/?q=node/583
Authorize.net. Retrieved on Saturday, March 26, 2011 from the World Wide
Web: www.authorize.net/files/developerbestpractices.pdf
An Osterman Research White Paper. (March, 2011). Messaging and best web
security Practices for 2011 and beyond. Retrieved on April 07 from:
http://www.ostermanresearch.com/whitepapers/or_or0311.pdf