An Investigation into E-Banking Frauds and their Security

An Investigation into E-Banking
Frauds and their Security Implications
By Kevin Boardman
Supervisor: John Ebden
20 March 2004
About me

- Joint Computer Science and Information Systems Honours.
- Interest in computer security and its implications in e-commerce.
- Email: [email protected]
Definition of project in one sentence

An investigation into internet banking frauds, and how they are best avoided by banks on the internet.
The Problem and Background

Internet Banking statistics - Burrows [2004]

- General increase in the use of internet banking around the world.
- The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year. These figures are expected to increase to 30% in 2004.
- More than 162 million transactions worth around R198 billion were conducted via South Africa's online banking services last year.
- 17 percent of Americans used online banking services by the end of 2002 and this figure will continue to grow by 14 percent up to the end of 2007.
Fraud statistics

- Fraud complaints rose by around two-thirds in the US according to the Federal Trade Commission (FTC) from 2001 to 2002.
- Identity theft accounted for 43% of complaints.
- The cost of fraud in 2002 was more than double that in 2001.
Fraud statistics (Continued)

[Chart: Internet Related Frauds reported to Consumer Sentinel from 2001 to 2003; y-axis: number of reported frauds (0 to 180,000); x-axis: 2001, 2002, 2003]
Result of combination of statistics

- “Hacker cleans out bank accounts.”
- “Hundreds of thousands of rands stolen via Internet from Absa clients.”
  – Who covers the costs? Irreversible damage to Absa’s image.
- “New security fears for web banking”
- “Banks 'must pay up if hacked'”
  – According to the Electronic Communications and Transactions Act the bank must refund customers if it can be proved that it did not provide a safe service.
Project Aims

- Investigate the state of security of South African banking facilities and compare them with facilities used around the world.
- Investigate internet banking cases in which security breaches occurred, such as ABSA.
- An inquiry into and comparison of the formal procedures and protocols (eg: Secure Electronic Transactions Protocol) used by these banks.
- Establish certain techniques that can be used to set up a secure internet banking environment.
So what is security?

Security Definition and Project scope

- Computer security is a broad area of study.
- Computer security: technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system – The Texas State Library and Archives Commission [2001].
- The focus of the investigation will be aspects of security involving fraudulent intent; thus viruses, software bugs and operator errors will not be examined.
My intended approach

1) Do Literature Survey

- The nature of this project is mainly investigative and therefore largely based on research.
- Computer and E-commerce Security publications – provide background to security.
- Journal articles, specific to internet banking security and fraud – provide specific insight into the problem.
- Protocol specifications (eg: Secure Electronic Transactions Protocol) and procedures – provide specific detailed workings of current security implementations.
- Case studies – provide real life examples.
2) Case Study

A detailed analysis of some of the recent electronic banking security breaches will be undertaken in order to find common flaws and possible countermeasures.

- Who committed the fraud.
  – Insider versus outsider.
  – One person versus a group of people.
  – Fraudster’s motivation.
- How the breach occurred – weaknesses exposed.
  – Insider information.
  – Easily accessible confidential documentation.
  – Dormant user accounts.
- What techniques were used by the intruder.
  – Packet sniffing.
  – Password cracks.

Case Study (Continued)

- What security measures were bypassed by the intruder.
  – Encryption.
  – Transfer limits.
  – Regular changes in access codes.
  – Firewalls.
- How the breach was detected.
  – Customer report or bank detection.
  – Transfer and security logs.
  – Paper trails (end of month reconciliation).
- What damage was done by the intruder.
  – Damage to system.
  – Loss of money.
- What countermeasures were put into place to prevent further attacks.
  – End to end encryption techniques.
  – Control of access to workstations.
  – Firewalls.
3) Formulate countermeasures

Establish certain techniques and protocols that can be used to set up a secure internet banking environment.
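Two of the detection items the case study checklist names (transfer limits, and transfer and security logs, with dormant user accounts as an exposed weakness) as a small added Python example; it is not part of the original presentation. The log line format, the limit of R20,000 and the 60-day dormancy window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample transfer log (not from the presentation). Assumed format:
# ISO timestamp, source account, amount in rands, destination account.
SAMPLE_LOG = """\
2004-01-05T09:12:00 ACC1001 1500.00 ACC2001
2004-01-06T14:30:00 ACC1002 250.00 ACC2002
2004-03-10T02:45:00 ACC1001 48000.00 ACC3003
2004-03-10T03:05:00 ACC1003 9000.00 ACC3003
2004-03-11T10:00:00 ACC1002 300.00 ACC2002
"""

TRANSFER_LIMIT = 20000.0   # assumed per-transfer limit in rands
DORMANT_DAYS = 60          # assumed: no activity for this long means dormant


def parse_log(text):
    """Parse log lines into (timestamp, account, amount, destination) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, amount, dest = line.split()
        rows.append((datetime.fromisoformat(ts), acct, float(amount), dest))
    return rows


def detect(rows, limit=TRANSFER_LIMIT, dormant_days=DORMANT_DAYS):
    """Return alerts for transfers over the limit and for transfers from an
    account whose previous logged activity is older than dormant_days.
    Accounts with no earlier entry in the log slice cannot be judged dormant."""
    alerts = []
    last_seen = {}
    for ts, acct, amount, dest in sorted(rows):
        if amount > limit:
            alerts.append(("OVER_LIMIT", acct, ts.isoformat(), amount))
        prev = last_seen.get(acct)
        if prev is not None and ts - prev > timedelta(days=dormant_days):
            alerts.append(("DORMANT_REACTIVATED", acct, ts.isoformat(), amount))
        last_seen[acct] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log, ACC1001 trips both rules (a R48,000 transfer after 65 days of inactivity) and ACC1002 trips only the dormancy rule.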
Current Resources

Background
- Chapman, D.B., Zwicky, E.D. Building Internet Firewalls, O’Reilly and Associates, Inc, 1995. – Provides a background into state of the art firewalling techniques.
- Ahuja, V. Secure Commerce on the Internet, AP Professional, 1997. – Provides a broad background to security and E-commerce.

Journals
- Hutchinson, D., Warren, M. Security for internet banking: a framework. Published: 2003. Accessed: 5 March 2004. URL: http://thesius.emeraldinsight.com/vl=6457514/cl=37/nw=1/fm=html/rpsv/cw/mcb/09576053/v16n1/s7/p64 – Provides a framework for implementing secure internet banking which is very relevant to the subject.
- Eloff, J.H.P., Van Buuren, S. Framework for evaluating security protocols in a banking environment. In Computer Fraud and Security. Elsevier, 1998. – Provides a framework for security protocols that can be used to protect banking systems. Authors are South African so hopefully an insight into the South African situation.

Resources (Continued)

- Rahda, V. Preventing Technology Based Bank Frauds. Published: February 2004. Accessed: 11 March 2004. URL: http://www.arraydev.com/commerce/JIBC/040205.htm – Specifically deals with banking frauds.
- Rennhard, M., Rafaeli, S., Mathy, L. From SET to PSET – The Pseudonymous Secure Electronic Transaction Protocol. Published: August 2001. Accessed: 3 March 2004. URL: http://www.tik.ee.ethz.ch/~rennhard/publications/PSET.pdf – Gives insight into protocols such as SET used for secure credit card transactions.

Case Studies
- Henderson, I. Electronic funds transfer fraud. Published: December 2003. Accessed: 14 March 2004. Available: doi:10.1016/S1361-3723(03)00006-X – Anonymous case study involving electronic funds transfer fraud.
- Cohen, F. Breaking the Bank. Computer Fraud & Security, Volume 2002, Issue 11, November 2002, Pages 12-14. Available: doi:10.1016/S1361-3723(02)01109-0 – Anonymous case study.
The expected result

- Evaluation of some of the current security protocols and procedures used in internet banking.
- Exposure of security flaws in some of the major banking e-commercial systems.
- Establishment of possible countermeasures to attacks and threats from internet banking security frauds.

Possible Extensions

- Testing of some of the security software and hardware used for internet banking, in order to find flaws.
- Consulting for banks on internet security issues.

Questions