ELECTRONIC MONEY: INFORMATION
SECURITY, RISKS AND IMPLICATIONS
Presented By:
Francis Karuhanga, FCCA
Head of Internal Audit
Stanbic Bank Uganda
Disclaimer
This presentation was made at the annual ISACA Kampala Chapter
Information Security Workshop on 23rd October 2012 at Protea Hotel,
Kampala. The presentation was designed to create dialogue and elicit
comments amongst the workshop participants and should be viewed
within the context of these objectives.
The presentation contains information in summary and is therefore
intended for general guidance only. It is not intended to be a substitute
for detailed research or the exercise of professional judgement.
Stanbic Uganda and Standard Bank Group cannot accept any
responsibility for loss occasioned to any person acting or refraining
from action as a result of any material in this presentation.
Content
• Evolution of Money
• Definition of Electronic Money
• Electronic Money - Payment Systems
• Electronic Money and Information Security
• Key Information/E-money Security Risks
• Implications
• Conclusion
Evolution of Money
First was:
• Barter Trade
In the past, scarce precious metals such as gold and silver were used
because they had intrinsic value in the form of money, that is:
– a medium of exchange,
– unit of account, and
– store of value
Evolution of Money
Then
• Paper and Coins
The intrinsic value attributed to precious metals was embedded in
paper; hence the advent of paper money.
Paper ideally carries information to which intrinsic value is
attached – as long as it is issued by a trusted authority.
Evolution of Money
• The inconvenience of carrying large quantities of paper currency was
mitigated by the introduction of Cheques that contained information
identifying the owner’s account.
Evolution of Money
And Now:
• Electronic Money – From paper money to binary codes of ones (1)
and zeros (0).
Electronic money refers to "stored value" or "intrinsic value" or
prepaid payment mechanisms for executing payments via point of sale
terminals, direct transfers between two devices, or over open
computer networks such as the Internet.
Electronic money is also known as e-currency, e-money, electronic
cash, electronic currency, digital money, digital cash, digital
currency and cyber currency.
E-money mainly refers to Electronic Payment Systems/channels.
Examples of E-Money (Electronic Payment Systems)
• Electronic Clearing System (ECS) - Banks use the Society for Worldwide
Interbank Financial Telecommunication (SWIFT, a secure messaging
system) to electronically deliver the data accompanying instruments to
the ECS.
• Electronic Funds Transfer (EFT)
• Real Time Gross Settlement (RTGS) - an online banking system for
settling transactions
• Card payment systems including ATMs, Credit cards, VISA cards, etc.
• Mobile Money – payment system that uses telecommunication
infrastructure
• Internet banking
• Mobile banking
• Payway, PayPal, etc.
Electronic Money and Information
Money has become electronic information: no gold or paper is
required. Money is just a coded series of binary digits: 1 and 0.
Money = Information
Think of a mobile money user who loses his/her phone: what is
normally their worry (the phone, the SIM card, or the PIN)?
Implying that securing information translates into the security of money!
Information security and Electronic Money
• In the past, security focused on physical security by protecting
money just as if it were gold. It was kept behind stone walls and
locked vaults, often guarded by men with weapons.
• As money has transformed from gold and silver to paper currency, to
Cheques, and today to electronic information, the walls of the bank
have also transformed from stone and steel to electronic walls.
• The transformation of money into electronic information has resulted
in new security controls, including:
– Firewalls,
– intrusion detection systems,
– intrusion prevention systems, and
– access control lists - all designed to protect money as
information
Information security and Electronic Money
• Even for paper money and Cheques; all measures were put in place to
protect the information content of money. These include:
– Use of watermarks,
– special paper,
– complex colors and graphics,
– security threads, and
– other anti-counterfeiting technologies - to ensure trust
Key Information/E-money Security Risks
• The three major information security risks related to e-money are:
– hacking into bank computer systems through exploitation of
technical vulnerabilities,
– intentional or accidental data loss (laptop, tape or other data
breaches), and
– identity theft or unauthorized account access by gaining access
keys through theft, phishing, social engineering, or other means.
• The mode of exploitation of these risks varies from one payment
system to another (i.e. card, internet, mobile banking, etc.)
Key Information/E-money Security Risks
Common risks
• Duplication of devices – common in card-based systems; the method
of attack could be the creation of a new device that is accepted by
other devices as genuine. Some of the ways this is accomplished are:
– Reproduction, re-embossing or altering of a real card
– a criminal who secretly copies the data from the magnetic stripe of
a valid card and transfers it onto the magnetic stripe of a new
(counterfeit) card
– the genuine cardholder still has possession of his card and does
not know anything is wrong while the criminal is making transactions
using the counterfeit card
Key Information/E-money Security Risks
Common risks
Duplication of devices
– Various methods:
• Fixing a skimming device over the ATM card slot
• Distracting the cardholder and skimming data using a handheld
skimming device
• Attaching a skimming device to the ATM lobby entrance card swipe
• Genuine card capture
• Micro-camera
• Fake PIN pad fixed over the genuine PIN pad
• 'Shoulder surfing'
• Attaching a fake PIN pad to the ATM lobby entrance card swipe
Key Information/E-money Security Risks
Common risks
• Alteration or duplication of data or software - modifying data stored
on a genuine electronic money device in an unauthorised manner.
• For example, account takeover (existing accounts) - the fraudster
obtains the minimal valid information required from discarded
documents, mail theft, insider collusion, theft of personal belongings
and online data/theft of public records
– Perpetrator:
• Uses some true cardholder information
• Changes the cardholder's mailing address
• Requests a replacement or additional card/PIN to be mailed to the
new address
– Perpetrators log on to bank web sites, enrol as the legitimate
cardholder, and change the account address
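The address-change-then-reissue sequence described above leaves a trace in a bank's own account-servicing logs, and a simple rule over those logs can hold the reissue for out-of-band confirmation. The following Python is an added example and is not part of the presentation or of any bank's system: the event format, the field names, the 14-day window and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed account-servicing events for illustration (not real bank data).
# Each record is one customer action as the channel recorded it.
EVENTS = [
    {"ts": "2012-10-01 09:12", "account": "ACC-1001", "type": "ADDRESS_CHANGE", "channel": "web"},
    {"ts": "2012-10-03 14:30", "account": "ACC-1001", "type": "CARD_REISSUE", "channel": "web"},
    {"ts": "2012-10-02 10:00", "account": "ACC-2002", "type": "ONLINE_ENROLMENT", "channel": "web"},
    {"ts": "2012-10-02 10:05", "account": "ACC-2002", "type": "ADDRESS_CHANGE", "channel": "web"},
    {"ts": "2012-10-02 10:20", "account": "ACC-2002", "type": "PIN_REISSUE", "channel": "web"},
    {"ts": "2012-09-01 11:00", "account": "ACC-3003", "type": "ADDRESS_CHANGE", "channel": "branch"},
    {"ts": "2012-10-15 11:00", "account": "ACC-3003", "type": "CARD_REISSUE", "channel": "branch"},
]

# Assumed detection window: a reissue this soon after an address change is suspicious.
DEFAULT_WINDOW_DAYS = 14
REISSUE_TYPES = {"CARD_REISSUE", "PIN_REISSUE"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def find_takeover_patterns(events, window_days=DEFAULT_WINDOW_DAYS):
    """Return one alert per card/PIN reissue that follows an address change
    within `window_days` on the same account. Each alert records how many
    days after the change the reissue came and whether the change itself
    followed a fresh online enrolment, the pattern in which a fraudster
    registers as the cardholder and then redirects the card."""
    window = timedelta(days=window_days)
    by_account = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_account.setdefault(e["account"], []).append(e)

    alerts = []
    for account, evs in by_account.items():
        enrolled_at = None       # time of the most recent online enrolment
        changed_at = None        # time of the most recent address change
        fresh_enrolment = False  # was that change preceded by a recent enrolment?
        for e in evs:
            t = parse_ts(e["ts"])
            if e["type"] == "ONLINE_ENROLMENT":
                enrolled_at = t
            elif e["type"] == "ADDRESS_CHANGE":
                changed_at = t
                fresh_enrolment = enrolled_at is not None and t - enrolled_at <= window
            elif e["type"] in REISSUE_TYPES and changed_at is not None and t - changed_at <= window:
                alerts.append({
                    "account": account,
                    "reissue": e["type"],
                    "channel": e["channel"],
                    "days_after_change": (t - changed_at).days,
                    "fresh_enrolment": fresh_enrolment,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_patterns(EVENTS):
        print(alert)
```

On the constructed events the rule flags ACC-1001 (card reissued two days after an address change) and ACC-2002 (enrolment, address change and PIN reissue within twenty minutes), and leaves ACC-3003 alone because its reissue came 44 days after the change. A natural response to an alert is to confirm the request through a channel tied to the old contact details before the card or PIN is dispatched.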
Key Information/E-money Security Risks
Common risks
• Alteration of messages –
– Attackers could attempt to change the data or processes of a
device by deleting messages, replaying messages, substituting an
altered message for a valid one or observing messages with an ill
intention
– Communications between devices could be intercepted by outside
attackers when sent across telecommunications lines, through
computer networks or through direct contact between devices.
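The four tampering possibilities listed above (deleting, replaying, substituting and altering messages) are what message authentication with sequence numbers is designed to catch. The Python below is an added example, not code from the presentation or from any payment system; the shared key, the message layout and the sample transfers are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example. In a real deployment each device
# would hold its own key inside tamper-resistant hardware, never in source.
SHARED_KEY = b"example-issuer-device-key-not-for-production"


def mac_for(seq: int, body: dict) -> str:
    """HMAC-SHA256 over the sequence number and a canonical JSON encoding of
    the body, so that any change to either is detected by the receiver."""
    canonical = json.dumps({"seq": seq, "body": body}, sort_keys=True, separators=(",", ":"))
    return hmac.new(SHARED_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def make_message(seq: int, body: dict) -> dict:
    """Sender: attach a monotonically increasing sequence number and the MAC."""
    return {"seq": seq, "body": body, "mac": mac_for(seq, body)}


class Receiver:
    """Receiver: rejects forged or altered messages and replays, and reports
    gaps in the sequence that indicate deleted (or not yet delivered) messages."""

    def __init__(self):
        self.next_seq = 1
        self.seen = set()

    def accept(self, msg: dict) -> str:
        seq = msg.get("seq")
        if not isinstance(seq, int) or seq < 1:
            return "REJECT: bad sequence number"
        # Integrity and origin: recompute the MAC and compare in constant time.
        expected = mac_for(seq, msg.get("body", {}))
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "REJECT: tampered or forged"
        # Replay: a sequence number is only ever accepted once.
        if seq in self.seen:
            return "REJECT: replay"
        self.seen.add(seq)
        verdict = "ACCEPT"
        if seq > self.next_seq:
            # Earlier numbers have not arrived: deleted in transit or merely delayed.
            verdict = f"ACCEPT (gap: {seq - self.next_seq} message(s) missing)"
        self.next_seq = max(self.next_seq, seq + 1)
        return verdict


def run_demo() -> list:
    """Feed a constructed stream of transfers, with one replay, one altered
    message and one message that arrives late, through a Receiver."""
    rx = Receiver()
    m1 = make_message(1, {"from": "ACC-001", "to": "ACC-002", "amount": 50000})
    m2 = make_message(2, {"from": "ACC-001", "to": "ACC-003", "amount": 10000})
    m3 = make_message(3, {"from": "ACC-001", "to": "ACC-004", "amount": 5000})
    # Substitution: the amount is changed, but the MAC cannot be recomputed without the key.
    altered = dict(m3, body=dict(m3["body"], amount=5000000))
    return [
        rx.accept(m1),       # ACCEPT
        rx.accept(m1),       # REJECT: replay
        rx.accept(altered),  # REJECT: tampered or forged
        rx.accept(m3),       # ACCEPT (gap: 1 message(s) missing) -- m2 has not arrived
        rx.accept(m2),       # ACCEPT -- the late message fills the gap
    ]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The MAC covers alteration and substitution, and the sequence number covers replay and deletion. Two things it does not do: it does not stop an observer reading the messages, which needs encryption of the link as well, and because the key is shared by both ends it proves only that one of the two key holders sent the message, so it cannot by itself settle a customer's later denial of a transaction; that needs a per-customer signing key.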
Key Information/E-money Security Risks
Common risks
• Theft - Data stored on devices could also be stolen via unauthorised
copying.
• For example, an attacker could intercept messages between a
genuine user and an issuer, or insert an unauthorized software
program into a user's personal computer that enables the attacker to
copy electronic notes stored or in transmission.
Phishing
• Organisations of repute will not ask you to update or change
sensitive information online.
• E-mails that bear dire warnings and request sensitive information
are probably a scam.
Key Information/E-money Security Risks
Common risks
• Repudiation of transactions - Customer completes a transaction,
but denies transaction took place, and demands reimbursement of
funds.
• Malfunctions –
– Electronic money products could suffer from instances of
accidental corruption or loss of data stored on a device, the
malfunction of an application, such as accounting or security
functions, or failures in the transmission of messages. If exploited
by unscrupulous holders before being detected, certain types of
malfunction could cause losses to the issuer.
– Service provider risk - Service provider may not deliver services
expected by the bank; deficiencies in system or data integrity or
reliability may result.
Implications
• Financial loss: - access to just a PIN can cost a customer or a bank
billions. These include costs associated with reimbursing customer
losses and with reconstructing accurate data on customers, and
possible losses from redeeming electronic money for which no
corresponding prepaid funds were received. Customers may perceive
the bank as being unreliable. A bank may face legal or regulatory
sanctions, and negative publicity.
• Reputation: - Customers may perceive the bank as being unreliable,
hence affecting the "brand integrity"
• Litigation - as a result of failure to protect customer privacy, e.g. a
bank releases information profiling the pattern of customer financial
transactions without customer authorization.
Implications
• High capital cost and operational expense for banks –
– Most information security measures, like encryption, impose an
additional processing burden on computers that may significantly
slow the performance of banking systems; hence financial
institutions have to incur the cost of enhancing/upgrading their
systems
– The use of tamper-resistant devices incorporated into stored-value
cards and merchant hardware is another capital expenditure for the
banks
• Crime with no crime scene –
– The evolution of e-money and other technology has left access to
information open to anyone, anywhere, at any time. Most e-money
systems are borderless. Therefore, a criminal does not have to be
on site to commit a crime.
Conclusion
• In today's world money has been reduced to binary data; hence access
to information/data is as good as access to cash. The advent of e-money
is touted for providing the convenience of being able to access money
anywhere at any time. It has also opened up many more access points
compared to gold and silver, which only required physical security.
• Unauthorised access to e-money can be by anyone, anywhere, at any
time. Therefore, information security is everyone's responsibility and
it begins with you!