Transcript Chapter 9
Chapter 9 Banking and Book keeping Protecting yourself from you Why bankbook keeping?? Main business of computer industry Transaction Processing systems launched commercial cryptography Must understand to tackle problems of Ecommerce Multilateral security aimed at Authenticity rather than confidentiality Origins of Bookkeeping 8500 BC Invented right after agriculture Keep track of stored food Double entry bookkeeping 1300 AD Each transaction in 2 separate books Debit and credit Books should balance at end of day Bank computer systems Very early automators (60’s and 70’s) Nightly Batch processing Applies transactions to ledgers Ledgers must balance Therefore can not “make money” Must take it from somewhere to assure everything balances Installation of new code tightly controlled Clark-Wilson Security Policy Model Separation of Duties Really against human nature Dual control 2 people must act together to authorize transaction Nuclear 2 or more people must turn keys at same time to launch missiles Functional separation 2 or more people act on a transaction at different points in the path Purchase transaction manager makes purchase decision purchase clerk, writes PO warehouse records arrival of goods invoice arrives accounts clerk matches invoice to PO and warehouse receipt creates check accounts manager signs check. Separation of Duties in OS Spilt signings using digital signatures Put users in separately administered domains Separate controls between sys admin and auditor Logs , rights,…… Tends to be tedious to set-up and people are lax with it, meaning system admins have to much control and often can commit fraud If back-office balancing controls are in place this should catch this fraud, unless these are computerized also….. What goes wrong? 82% is employees Most times controls were ignored Or adjustments to circumvent controls were exploited There will always be risk, manage it Wholesale Payment Systems SWIFT (Society for Worldwide International Financial Telecommunications) Encryption Authentication Nonrepudiation services SWIFT ran for 20 years with out fraud MAC keys now shared using PK Cryptography Digital signatures also used ATMs Block Ciphers Tamper-resistant hardware Supporting protocols ATM Basics Operations on clear pins on tamper resistant hardware Cards and PINs handled by different facilities Terminal master keys supplied to each ATM via 2 printed components PINs can be encrypted locally or on network If locally encrypted PIN sent to ATM If on network centrally PIN encrypted and sent PIN translation done in hardware security module, therefore clear value not available to programmers What goes wrong Processing errors Theft by mail Fraud by bank staff List pages 201 – 202 Fake PIN harvesting machines Enter card and PIN get cigarettes Software glitches Lack of procedures Bottom line most ATM fraud was not sophisticated attacks on machines Discussion articles Article dealing with multiple being involved in fraud to break separation of duties Good current article on successful bank fraud Article on ATM fraud Articles Here is an article about bank fraud: http://www.usdoj.gov/criminal/cybercrime/th omasIndict.htm Here are some articles on the genetic database in Iceland. http://www.mannvernd.is/frettir/abc.wnt9902 18_iceland.html http://www.actionbioscience.org/genomic/hl odan.html List of Resources History Double entry http://en.wikipedia.org/wiki/Accountancy http://en.wikipedia.org/wiki/Doubleentry_accounting_system Clark-Wilson security model http://www.answers.com/topic/clark-wilsonmodel List of Resources Separation of duties http://szabo.best.vwh.net/separationofduties .html http://hissa.nist.gov/rbac/paper/node6.html SWIFT http://www.swift.com/ List of Resources ATM security http://partnernetwork.visa.com/dv/pin/main.j sp http://partnernetwork.visa.com/dv/pin/pdf/Vi sa_ATM_Eval_Vendor_Quest.pdf http://usa.visa.com/business/accepting_visa /ops_risk_management/cisp.html?ep=v_sy m_cisp http://www.atmmarketplace.com/research.ht m?article_id=25310&pavilion=4&step=story