<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>InfoSecMinds &#187; ISMS</title>
	<atom:link href="http://infosecminds.com/category/isms/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecminds.com</link>
	<description>For like-minded people</description>
	<lastBuildDate>Sat, 15 Jan 2011 09:21:13 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>The Faces of Fraud: Fighting Back</title>
		<link>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/</link>
		<comments>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/#comments</comments>
		<pubDate>Fri, 31 Dec 2010 04:02:58 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[bank fraud scam]]></category>
		<category><![CDATA[bank information security frauds]]></category>
		<category><![CDATA[breaches of security]]></category>
		<category><![CDATA[cybercrime security]]></category>
		<category><![CDATA[frauds]]></category>
		<category><![CDATA[information security article]]></category>
		<category><![CDATA[internet banking frauds]]></category>
		<category><![CDATA[internet security breaches]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[network security breaches]]></category>
		<category><![CDATA[online security breaches]]></category>
		<category><![CDATA[recent security breaches]]></category>
		<category><![CDATA[security breaches]]></category>
		<category><![CDATA[security breaches 2010]]></category>
		<category><![CDATA[security breaches statistics]]></category>
		<category><![CDATA[security issues]]></category>
		<category><![CDATA[threats of information security]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=280</guid>
		<description><![CDATA[See How Financial Institutions Respond to the Latest Threats

From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was "The Year of Fraud," and the year's incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.]]></description>
			<content:encoded><![CDATA[<p><strong>See How Financial Institutions Respond to the Latest Threats</strong></p>
<p>From skimming and POS attacks to ACH fraud and payment card hacks, 2010 was &#8220;The Year of Fraud,&#8221; and the year&#8217;s incidents have left banking institutions and their customers anxious for new solutions to prevent fraud in all its forms.</p>
<p>In response to the growing fraud threats – and to the demand for new solutions – Information Security Media Group just concluded its latest survey, &#8220;The Faces of Fraud: Fighting Back.&#8221;</p>
<p>This is the Executive Summary of the survey results and what they suggest for fighting fraud in 2011.</p>
<p>One of the most telling responses of the survey is to this question:</p>
<p><span id="more-280"></span></p>
<p><strong>When is a fraud incident involving your organization usually detected?</strong></p>
<p><strong><a href="http://infosecminds.com/wp-content/uploads/2010/12/The-Faces-of-Fraud.jpg"><img class="aligncenter size-full wp-image-282" title="The Faces of Fraud" src="http://infosecminds.com/wp-content/uploads/2010/12/The-Faces-of-Fraud.jpg" alt="" width="584" height="212" /></a><br />
</strong></p>
<p>In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach – and despite what we&#8217;ve all learned about customer confidence and loyalty in the wake of fraud incidents such as the Heartland Payment Systems breach …</p>
<p>More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers.</p>
<p>This response underscores the need for better fraud detection – before the incidents strike the customer &#8212; and it sets the tone for the survey results, which break down into four main themes:</p>
<p><strong>The Faces of Fraud: Today&#8217;s Top Threats</strong> – What are today&#8217;s top threats? Which threats do institutions feel most prepared to face? What impact have we seen from highly-publicized ACH/wire fraud incidents?</p>
<p><strong>Cross-Channel Fraud:</strong> The Great Mystery – Industry analysts tell us that cross-channel fraud is the growing trend: no longer are fraudsters targeting just ATMs or payment cards or checks – they&#8217;re seeking to compromise your customers in every way you interact with them. But how prepared are institutions to measure and respond to these cross-channel threats?</p>
<p><strong>Resources:</strong> The Ongoing Challenge &#8212; It&#8217;s been a tough two years for banking. As a result of the global recession and U.S. financial crisis, human and fiscal resources have been hard to come by for banking institutions. Yet, the survey results show encouraging trends on both fronts.</p>
<p><strong>Need for Awareness, New Tools</strong> – If there is one overriding theme of this survey, it&#8217;s this: respondents recognize that awareness programs – for employees and customers alike – as well as fraud detection and prevention tools, are their best weapons to fight fraud. Their challenge is to find the right tools and take the right approaches to awareness.</p>
<p>Download the Executive Summary report for more insight into the above.</p>
<p>http://docs.ismgcorp.com/files/handbooks/Fraud-Survey-Summary-2010/Fraud-Survey-ExecSummary.pdf</p>
<p>Source: Bankinfosecurity</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/12/31/the-faces-of-fraud-fighting-back/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Two factor authentication</title>
		<link>http://infosecminds.com/2010/11/08/two-factor-authentication/</link>
		<comments>http://infosecminds.com/2010/11/08/two-factor-authentication/#comments</comments>
		<pubDate>Mon, 08 Nov 2010 07:17:53 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Management System]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Technical]]></category>
		<category><![CDATA[2 factor authentication]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[one time password]]></category>
		<category><![CDATA[online banking]]></category>
		<category><![CDATA[RSA tokens]]></category>
		<category><![CDATA[two factor]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=245</guid>
		<description><![CDATA[Issues and proposed solutions for two factor authentication in online banking applications.]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">What it is, what are the solutions</p>
<p style="text-align: justify;">Today, banks providing internet banking facilities are looking to implement, or have already implemented, two-factor authentication. This has been done either because the banks identified the risks themselves or because it was mandated by the regulatory authorities. Whatever initiated it, it is more important to understand what two-factor authentication is, what the business requirements are and how it is going to impact the customers.<span id="more-245"></span></p>
<p style="text-align: justify;">What are the threats that we are trying to protect against by implementing a two-factor authentication solution? Phishing attacks, man-in-the-middle attacks, password sharing, etc.</p>
<p style="text-align: justify;">Two-factor authentication means that two factors of authentication (to your online banking website) are required: either at the initial login, at login and again when carrying out critical transactions, or only when carrying out critical transactions.</p>
<p style="text-align: justify;">So what are the factors involved in authentication?</p>
<ol style="text-align: justify;">
<li>What you know – password, PIN, answers to security questions, security image</li>
<li>What you have – one-time password (delivered in various ways), ATM cards</li>
<li>What you are – biometric solutions</li>
</ol>
<p style="text-align: justify;">Many organizations use just one of the above more than once. For example, they use a user ID and password when logging in to online banking and ask some security questions when a critical transaction is carried out, and claim to be implementing two-factor authentication. In reality it is just one factor (what you know) used multiple times.</p>
<p style="text-align: justify;">Using a combination of any two of the above is termed two-factor authentication. A simple example is using your ATM card and PIN at an ATM. The ATM card is something that you have and the PIN is something that you know, so two factors are used to authenticate you and carry out your requests at the ATM.</p>
<p style="text-align: justify;">Passwords and PINs are very commonly used, while biometric solutions (which authenticate using a fingerprint scan, retina scan, etc.) are very expensive and the cost is hard to justify. There are different methods and solutions available for implementing two-factor authentication, of which OTP (One Time Password) seems to be much safer against the threats listed above. Let us look at some of those solutions.</p>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">A grid on the ATM card</span></strong> – Some organizations have implemented the second factor as a grid printed on the back of the ATM card, which is convenient for customers. The login uses a user ID and password, and the next step is to key in a combination of numbers taken from the grid positions the online application asks for. The user keys in the value and access is permitted. The same authentication factor can be used for making an online transaction.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ul style="text-align: justify;">
<li>The card is used in many places and, since it is an ATM card, it can be given to others for swiping on purchases. The grid on the back of the card can easily be memorized; though most do not agree with me, I am sure that I can remember and recollect at least one card’s grid.</li>
<li>If someone gets hold of this card by any means, they can also photocopy the card and its grid and use it whenever and wherever required.</li>
</ul>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">A random number generating token</span></strong> – Many vendors provide tokens or key fobs (known by different names) which generate random numbers that are valid for only about 10 seconds (one form of OTP – One Time Password). This means that a new random number is generated by some algorithm every 10 seconds. Very good!</p>
<p style="text-align: justify;">These are wireless tokens, and a related component (a server) sits in the organization’s environment to validate the numbers generated on the tokens. Both the server and the token run the same algorithm, based on time stamps, so the server knows what number the token will show at a particular time.</p>
<p style="text-align: justify;">The user logs in by providing a user ID and password along with the randomly generated number, which is keyed into the application. The application validates this number internally and allows access.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ul style="text-align: justify;">
<li>The burden is in procuring these tokens, distributing them to customers, maintaining them, dealing with customers losing these tokens, etc.</li>
<li>This solution is prone to man-in-the-browser attacks, which are similar to man-in-the-middle attacks.</li>
</ul>
<p style="text-align: justify;"><strong><span style="text-decoration: underline;">SMS on your mobile</span></strong> – A much better solution is using SMS as the second authentication factor (another form of OTP – One Time Password), though it has some drawbacks. Here the user logs in to the application using a user ID and password, and no second factor is applied at the initial login. The screens available through this process are limited: the account number is shown only as its last 4 digits, the customer name is not shown, etc. It is just your masked account number, the balance and a maximum of 10 previous transactions, or you could customize the first page to provide very minimal information. There is no access to the customer profile page either.</p>
<p style="text-align: justify;">When the customer needs to make a profile change or an online transaction, a one-time PIN is sent by SMS to the user’s registered mobile number. It has to be keyed in using a virtual keyboard, and that authorizes the transaction or change.</p>
<p style="text-align: justify;">This second factor can be implemented for various transactions, viz. adding beneficiaries, profile changes, online transfers, changes to transaction amount limits, password change on lockout, statements beyond 10 transactions, etc. The main advantage of this solution is that the customer need not carry any additional device for this purpose, and it cannot be compromised unless the mobile phone is compromised in time to obtain the PIN and also carry out the transaction. Since a unique PIN is used for each transaction or change, it also mitigates the man-in-the-browser attack to a great extent.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Disadvantages:</span></p>
<ol style="text-align: justify;">
<li>The SMS is delayed in transit.</li>
<li>The SMS does not reach the customer for various reasons.</li>
<li>Cost implications – payment has to be made to the ISPs for sending SMSs.</li>
<li>The customer is out of the country and does not have a roaming facility.</li>
<li>ISPs prioritizing private SMSs over the SMSs from the banks.</li>
</ol>
<p style="text-align: justify;">I would prefer the last option, though it lists more disadvantages than the others. Let’s try and justify the disadvantages listed. Frauds that happen and result in financial loss are global issues, and I think that all relevant stakeholders should come together for a solution to work; the government should be the enforcer and the regulatory bodies should be the initiators of this cause.</p>
<p style="text-align: justify;">If the government, the ISPs, the banks and the regulatory bodies come together, it would solve disadvantages 1, 3 and 5. Point number 2 can be left as a risk, as in any business, if there is nothing we can do about it. As for point number 4, why is a customer trying to make a critical change or transaction while out of the country? If it is a corporate account then it is a different scenario.</p>
<p style="text-align: justify;">Your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2010/11/08/two-factor-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Parkerian Hexad</title>
		<link>http://infosecminds.com/2009/08/16/149/</link>
		<comments>http://infosecminds.com/2009/08/16/149/#comments</comments>
		<pubDate>Sun, 16 Aug 2009 11:36:31 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[CIA Triad]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[Information Security Risk Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[CIA]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=149</guid>
		<description><![CDATA[The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability). The Parkerian Hexad attributes are [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">The Parkerian hexad is a set of six elements of information security proposed by Donn B. Parker, renowned security consultant and writer. The term was coined by M. E. Kabay. The Parkerian hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability).</p>
<p>The Parkerian Hexad attributes are the following:</p>
<ul>
<li>Confidentiality</li>
<li><strong>Possession or Control</strong></li>
<li>Integrity</li>
<li><strong>Authenticity</strong></li>
<li>Availability</li>
<li><strong>Utility</strong></li>
</ul>
<p style="text-align: justify;">These attributes of information are atomic in that they are not broken down into further constituents; they are non-overlapping in that they refer to unique aspects of information. Any information security breach can be described as affecting one or more of these fundamental attributes of information.</p>
<p>I think I don’t need to provide an explanation of C-I-A here. Let’s look at the other attributes.</p>
<p><span id="more-149"></span></p>
<p><strong><span style="text-decoration: underline;">Possession or Control</span></strong></p>
<p style="text-align: justify;">Suppose a thief were to steal a sealed envelope containing a bank debit card and (foolishly) its personal identification number. Even if the thief did not open that envelope, the victim of the theft would legitimately be concerned that (s)he could do so at any time without the control of the owner. That situation illustrates a loss of control or possession of information but does not involve the breach of confidentiality.</p>
<p><strong><span style="text-decoration: underline;">Authenticity</span></strong></p>
<p style="text-align: justify;">Authenticity refers to correct labeling or attribution of information. For example, if a criminal forges e-mail headers to make it look as if an innocent person is sending threatening e-mail messages, there has been no breach of confidentiality (the thief uses his or her own e-mail account), possession (no information has been taken out of the control of the victim), or integrity (the e-mail messages are exactly as intended by the criminal).</p>
<p style="text-align: justify;">What is breached is authenticity: the e-mail is incorrectly attributed to someone else. Similarly, misusing a field in a database to store information that is incorrectly labeled is a breach of authenticity; e.g., storing a merchant&#8217;s tax code in a field labeled as the merchant&#8217;s ZIP code would violate the authenticity of the information.</p>
<p><strong><span style="text-decoration: underline;">Utility</span></strong></p>
<p style="text-align: justify;">Utility means usefulness. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form.</p>
<p style="text-align: justify;">Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.</p>
<p style="text-align: right;">Source: www.wikipedia.org</p>
<p style="text-align: justify;">Having said this, I would like to discuss the possible controls that can be implemented to mitigate risks to the above three attributes.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/08/16/149/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Service Asset – A Requirement or Duplication</title>
		<link>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/</link>
		<comments>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/#comments</comments>
		<pubDate>Sun, 05 Jul 2009 11:35:42 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[Information Security Risk Assessment]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO 27001:2005]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Asset Identificaion]]></category>
		<category><![CDATA[Asset Inventory]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=125</guid>
<description><![CDATA[It came up recently while discussing with one of my friends: the need for capturing service assets as a part of the asset inventory, which will be used further in the risk assessment exercise. In a normal scenario, everyone uses a template that captures assets under different categories, viz. Information Asset – deals with electronic and [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">It came up recently while discussing with one of my friends: the need for capturing service assets as a part of the asset inventory, which will be used further in the risk assessment exercise.</p>
<p style="text-align:justify;">In a normal scenario, everyone uses a template that captures assets under different categories, viz.</p>
<ul style="text-align:justify;">
<li>Information Asset – deals with electronic and paper based data</li>
<li>Hardware Asset – includes all your hardware, cupboards, safe, etc</li>
<li>Software Asset – includes all software used or implemented in the organization.</li>
<li>Service Asset – services that a department avails from the organization</li>
<li>People Asset – talks about people / employees</li>
</ul>
<p style="text-align:justify;">Now the discussion went like this:</p>
<p style="text-align:justify;"><span id="more-125"></span></p>
<p style="text-align:justify;">We capture service assets and also get the availability value of that asset from each department to determine the asset value. Now, a disruption in service is caused by one or more of the following:</p>
<ul style="text-align:justify;">
<li>A failure of hardware</li>
<li>A failure of software</li>
<li>A failure of people</li>
</ul>
<p style="text-align:justify;">One or more of the above failures will cause a service disruption, and we are already capturing the availability values of these parameters under hardware assets, software assets and people assets respectively.</p>
<p style="text-align:justify;">The question that arose was: is capturing the availability value in the above case not a duplication of effort? If yes, why do we do this?</p>
<p style="text-align:justify;">Now, from a security perspective:</p>
<ol style="text-align:justify;">
<li>Hardware is identified / recorded only if the end user has a direct interaction with that server. For example: a file server.</li>
<li>If it is a service availed by the end user, he/she is unaware of the hardware that is used for providing that service. Hence he will only term it a service, and it will not be captured as a part of the hardware assets.</li>
<li>When it comes to the IT department, they will identify all the hardware that is under their control. They will identify the hardware, but will be unable to determine, from a business perspective, the availability parameter of the service provided through that hardware.</li>
</ol>
<p style="text-align:justify;">Hence it is required to capture the service assets from the various departments while we carry out a function-based risk assessment exercise.</p>
<p style="text-align:justify;">Further, it is not only failures that are looked into while capturing the service assets. As a part of the control recommendations, based on the inputs from various user departments, the recommendation could also be to provide the service on a failover module or to utilize a load balancer, etc.</p>
<p style="text-align:justify;">The other aspect of capturing service assets is to understand the services availed by the organization where the organization has procured them from a third party. For example: an internet connection from the ISP.</p>
<p style="text-align:justify;">We will not be capturing the hardware, software or people assets outside our organization, but we will still be using a particular service. There might be one piece of asset connecting the organization and the ISP, but beyond that we have no controls. Hence we need to capture the service assets, which will help in defining SLAs with the vendors and procuring adequate service.</p>
<p style="text-align:justify;">Looking forward to your thoughts.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/07/05/service-asset-%e2%80%93-a-requirement-or-duplication/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Depth of Control Implementation</title>
		<link>http://infosecminds.com/2009/03/10/depth-of-control-implementation/</link>
		<comments>http://infosecminds.com/2009/03/10/depth-of-control-implementation/#comments</comments>
		<pubDate>Tue, 10 Mar 2009 06:38:27 +0000</pubDate>
		<dc:creator>Vinod Puthuseeri</dc:creator>
				<category><![CDATA[ISMS]]></category>
		<category><![CDATA[Controls Implementation]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[ISO 27001:2005 control implementation]]></category>
		<category><![CDATA[Risk Assessment]]></category>

		<guid isPermaLink="false">http://infosecminds.com/?p=99</guid>
<description><![CDATA[Discussing with various personnel, it is quite amazing to see each one come up with their own way of interpreting controls and of deciding to what depth each control needs to be implemented. I would like to illustrate this with a discussion that I had recently. The standard does not talk about this either, and it is left to [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">Discussing with various personnel, it is quite amazing to see each one come up with their own way of interpreting controls and of deciding to what depth each control needs to be implemented. I would like to illustrate this with a discussion that I had recently. The standard does not talk about this either, and it is left to the person who implements and to the auditor to decide how they want to look at the implementation effectiveness.</p>
<p style="text-align:justify;">Up until now, some of the aspects that we look into while implementing a control are as mentioned below:</p>
<ol style="text-align:justify;" type="1">
<li>Is the control implementation cost less than or equal to loss of the damage a threat could cause to an organization?</li>
<li>Does the control implementation enable process improvements?</li>
<li>Is the control implementation required as a part of legal, regulatory or contractual requirements?</li>
</ol>
<p><span id="more-99"></span></p>
<p style="text-align:justify;">Each control that we implement should effectively mitigate the risk, and those risks for which a control is not available or cannot be implemented (for various reasons) are considered residual risk. How does an organization determine the depth of a control implementation?</p>
<p style="text-align:justify;">Let me give you an example from the recent discussion. One of the organizations was planning to roll out their tele-working process and hence wanted to know the security controls that could be implemented. After a long discussion all of them agreed on controls such as encryption of the disks, and that users should store their data in a particular folder which would automatically get backed up when they connect to the organization’s network; biometric authentication is in the pipeline, and that closed the discussion.</p>
<p style="text-align:justify;">The trigger for a debate came when one of the stakeholders raised the point of having a physical lock for the laptop, which would ensure that the laptop cannot be stolen, or at least delays or deters a malicious person from stealing it. The other members said that the physical lock was not required and that the laptop user should take care of his/her laptop.</p>
<p style="text-align:justify;">Here the question is to what depth that control should be implemented. I look at the following points, which say why we should implement the physical lock on the computer.</p>
<ol style="text-align:justify;" type="1">
<li>The location for storing the data on the laptop is up to the user. He/she can store it either in the folder that gets backed up automatically or elsewhere, where it will not get backed up. This is user driven.</li>
<li>The data stored in other locations could be critical to the organization, and the storage cannot be monitored all the time.</li>
<li>The drive is encrypted, so the data cannot get exposed. But the intent of certain malicious persons is not only data theft; it is destruction of data or destruction of service.</li>
<li>So if the laptop is stolen, what is the amount of time required for the user to get back to his/her normal work with all of the data restored?</li>
<li>Will all the data be restored?</li>
<li>Of course, the cost of the laptop needs to be considered.</li>
</ol>
<p style="text-align:justify;">&#8220;I would recommend that a dependency on a user to ensure security&#8221; should only be done in the following two cases: </p>
<ol style="text-align:justify;" type="1">
<li>If the cost of the control is more than the loss that the damage from a threat could cause.</li>
<li>If there are no further controls that can be implemented after that particular point.</li>
</ol>
<p style="text-align:justify;">The first point is clear, as everyone is aware of it. Let us relate the second point to the example above. When the physical lock is implemented, we are not transferring the responsibility of securing the laptop from theft to the user; we have implemented a control to take care of that. But it is still the choice of the user to either lock the laptop or leave it unlocked. Now we can transfer the responsibility to the user, because I cannot see any other control that can be implemented after the physical lock.</p>
<p style="text-align:justify;">Looking forward to your responses.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecminds.com/2009/03/10/depth-of-control-implementation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

