Transcript Chapter 9
Chapter 9
Banking and Book keeping
Protecting yourself from you
Why bankbook keeping??
Main business of computer industry
Transaction Processing systems
launched commercial cryptography
Must understand to tackle problems of Ecommerce
Multilateral security aimed at Authenticity
rather than confidentiality
Origins of Bookkeeping
8500 BC
Invented right after agriculture
Keep track of stored food
Double entry bookkeeping
1300 AD
Each transaction in 2 separate books
Debit and credit
Books should balance at end of day
Bank computer systems
Very early automators (60’s and 70’s)
Nightly Batch processing
Applies transactions to ledgers
Ledgers must balance
Therefore can not “make money”
Must take it from somewhere to assure
everything balances
Installation of new code tightly controlled
Clark-Wilson Security Policy Model
Separation of Duties
Really against human nature
Dual control
2 people must act together to authorize transaction
Nuclear 2 or more people must turn keys at same time to
launch missiles
Functional separation
2 or more people act on a transaction at different
points in the path
Purchase transaction manager makes purchase decision
purchase clerk, writes PO warehouse records arrival
of goods invoice arrives accounts clerk matches
invoice to PO and warehouse receipt creates check
accounts manager signs check.
Separation of Duties in OS
Spilt signings using digital signatures
Put users in separately administered domains
Separate controls between sys admin and
auditor
Logs , rights,……
Tends to be tedious to set-up and people are
lax with it, meaning system admins have to
much control and often can commit fraud
If back-office balancing controls are in place this
should catch this fraud, unless these are
computerized also…..
What goes wrong?
82% is employees
Most times controls were ignored
Or adjustments to circumvent controls were
exploited
There will always be risk, manage it
Wholesale Payment Systems
SWIFT (Society for Worldwide International Financial Telecommunications)
Encryption
Authentication
Nonrepudiation services
SWIFT ran for 20 years with out fraud
MAC keys now shared using PK
Cryptography
Digital signatures also used
ATMs
Block Ciphers
Tamper-resistant hardware
Supporting protocols
ATM Basics
Operations on clear pins on tamper resistant
hardware
Cards and PINs handled by different facilities
Terminal master keys supplied to each ATM
via 2 printed components
PINs can be encrypted locally or on network
If locally encrypted PIN sent to ATM
If on network centrally PIN encrypted and sent
PIN translation done in hardware security
module, therefore clear value not available to
programmers
What goes wrong
Processing errors
Theft by mail
Fraud by bank staff
List pages 201 – 202
Fake PIN harvesting machines
Enter card and PIN get cigarettes
Software glitches
Lack of procedures
Bottom line most ATM fraud was not
sophisticated attacks on machines
Discussion articles
Article dealing with multiple being
involved in fraud to break separation of
duties
Good current article on successful bank
fraud
Article on ATM fraud
Articles
Here is an article about bank fraud:
http://www.usdoj.gov/criminal/cybercrime/th
omasIndict.htm
Here are some articles on the genetic
database in Iceland.
http://www.mannvernd.is/frettir/abc.wnt9902
18_iceland.html
http://www.actionbioscience.org/genomic/hl
odan.html
List of Resources
History
Double entry
http://en.wikipedia.org/wiki/Accountancy
http://en.wikipedia.org/wiki/Doubleentry_accounting_system
Clark-Wilson security model
http://www.answers.com/topic/clark-wilsonmodel
List of Resources
Separation of duties
http://szabo.best.vwh.net/separationofduties
.html
http://hissa.nist.gov/rbac/paper/node6.html
SWIFT
http://www.swift.com/
List of Resources
ATM security
http://partnernetwork.visa.com/dv/pin/main.j
sp
http://partnernetwork.visa.com/dv/pin/pdf/Vi
sa_ATM_Eval_Vendor_Quest.pdf
http://usa.visa.com/business/accepting_visa
/ops_risk_management/cisp.html?ep=v_sy
m_cisp
http://www.atmmarketplace.com/research.ht
m?article_id=25310&pavilion=4&step=story