Implementing improved user security for Stock broking firms

1. Implementing improved user security for Stock broking firms A CTO STANDPOINT CERTIFIED WHITEPAPER AuthShield Labs Pvt. Ltd. contact@auth-shield.com | +91.11.470.65.866

2. Overview Evolving consumer habits : Online trading The Internet Revolution has changed the way, trading takes place today. All over the world, online transactions are moving beyond the nascent stage. Increased Internet penetration and the very convenience of the process attract more and more people to resort to online transactions. In modern day stock exchanges today there is a large amount of technology in place that allows customers to access their demat accounts from virtually any location in the world at any time of the day. This remote accessibility over great distances is a great asset that allows customers to buy, sell or transfer shares, equities etc in a quick and easy manner. Though exciting, the potential of online trading is fraught with challenges. With the onset of the Internet Revolution, the scams that were till to date conducted by mail, phone and wire transfer can now be found on the World Wide Web and in email, with new cyber scams emerging almost on a daily basis. A recent survey across ten major cities in the world indicates that ninety one percent of internet users have experienced some case of cyber fraud, such as phishing, key logging, identity theft and account takeover. “ “

3. Overview "The chances of a criminal getting arrested and convicted for identity theft-related fraud are much less than a half of 1 percent" Recognizing the importance of safeguarding Investors money, legitimate brokerage firms should take steps to ensure that their transactions are secure. However, online brokerages and the investors who use them are appealing targets for attackers. The amount of financial information in a brokerage's database makes it valuable; this information can be traded or sold for personal profit. Also, because money is regularly transferred through these accounts, malicious activity may not be noticed immediately. To gain access to these databases, attackers may use Trojan horses or other types of malicious code Attackers may also attempt to collect financial information by targeting the current or potential investors directly. These attempts may take the form of social engineering or phishing attacks. With methods that include setting up fraudulent investment opportunities or redirecting users to malicious sites that appear to be legitimate, attackers try to convince investors to provide them with financial information that they can then use or sell. With the advancement of computer technology and the connectivity afforded by the Internet, it is increasingly easy for criminals, either independently or in organized gangs, to manipulate holding accounts in order to commit fraud against exchange or to deceive innocent victims. The adverse impacts of financial fraud, not only on individuals and the commercial sector but even on national economic and security systems, are increasing rapidly worldwide. Left unchecked, financial frauds using the Internet or Internet driven

4. Overview technologies could lead to the financial ruin of people and commercial enterprises as well as seriously damage multiple economies. “78% of all information security breaches are conducted by internal employees – CERT In statistics. Information security within the organization Most businesses can no longer afford to ignore the threat from within. However, the IT infrastructure of most Sri Lankan and multinational organizations are yet to address the full complexity of internal threats. Unlike external information threats to an organization, internal information breaches are multidimensional. The threats may range from misuse of official email, information for insider trading or inserting backdoors into critical applications. More importantly, these threats come from the most trustworthy of sources – company’s internal employees. These actions may/ may not be deliberate but they do take place.

5. Problem Area 1 ONLINE BUYING VIA LINKED BANK ACCOUNTS The rise of online banking, trading and electronic money transfers have brought with it a new breed of criminals, malware, and online financial scams. Fraudsters have developed elaborate cross-account, cross-channel, and cross-institution schemes to transfer shares from compromised online accounts to controlled accounts. The shares / equities are then sold disappear with the money before the illegal transfer is discovered. 2 IDENTITY THEFTS:PHISHING “One Hack attack at a Bank / Online Portal / store/ BPO /online trading etc can lead to a loss of thousands of Identities in one step” With the tremendous growth of the Internet in the world, more and more people are vulnerable to phishing and Trojan attacks. The growth of E-commerce and the growing lifestyle changes, presents a unique challenge for exchanges as increasingly more people are logging on for buying, selling or maintaining their portfolio. 3 INTERNAL FRAUDS A lot of incidents involving internal breaches are simply not reported, simply because the institution’s reputation is at stake. Most of the cases that come to light involve a third party which handles transactions or data processing (financial BPOs). However studies indicate that Internal Bank Fraud Accounts for 60% of Cases Involving a Data Breach or Theft of Funds.

6. AFTER EFFECTS Of Online trading fraud • As a merchant/Broking Firm, being a victim of fraud can have a range of effects on your business. These effects include: • Immediate financial loss due to stolen stock/earnings • Damaged reputation • Loss of customer trust • Loss of investor confidence • Lowered sales • Extra costs of time/money to manage each fraud incident • Lowered staff morale • Possible legal costs • Lowered value of your stock/services • Additional bank fees for transaction reversal • Potential problems retaining your merchant's bank account after too many reversed transactions • Single factor authentication and Vulnerability • A major facilitating factor for all most of these attacks is the single factor authentication in vogue today (using just a password and user name). • It becomes quite easy for an individual to capture user names and passwords of other individuals using the same IT infrastructure. There are multiple techniques like Sniffing, installing Keylogger, MIM (Man in Middle attacks) or zombie attacks for the same. • In such a scenario multifactor authentication offers a much safer approach. It is a fool proof way to authenticate and verify the identity of the person or any other entity requesting access under security constraints.

7. Preventing Financial Fraud • Prevention is always better than cure. It is truer for exchanges, keeping in mind the changing commercial climate. Financial fraud can occur in multiple forms and shapes. The time of physically cracking into a safe, conducting a bank robbery or carrying out an act of dacoit etc is passé. Today the theft is conducted on the net with no physical threats and with less cost to the perpetrator of the crime. The only challenge that remains is to cover ones tracks and considering the massive flow of information on the net almost on a daily basis, it is not much difficult either. • Multifactor Authentication :Why do you need it ? • “The best way to beat a thief is to think like one” • Phishers try to obtain personal information such as your password or PIN-code by pretending to be a legitimate entity. Using Phishing, static passwords can be easily hacked providing fraudsters easy access your demat accounts and other confidential information.   • The current technology used by a lot of organizations today has a static password, which again is risky if a fraudster is able to lay hands on someone’s password. There is a need to bring dynamic passwords in picture, because static password ceases to be secure once stolen. • Multifactor Authentication maps the physical identity of the user to the server and increases the security of financial and other critical systems. It helps the merchant firm to “Know their customer”. • Integrating Stronger User Authentication system not only helps prevent Online Credit Card fraud, Card Cloning, Identity theft but also helps in the capture of habitual cyber criminals. • MFID authenticates and verifies the user based on – • something only the user has (mobile phone/ land line/ hard token) • something only the user knows (user id and password)

8. AUTHSHIELD • ONLINE TRADING SECURITY SOLUTIONS • AuthShield is the only Multi-Factor Authentication solution available in the world today that can provide you seamless Authentication security across all trading technology platform used by brokers and stock exchanges across the globe. • AUTHSHIELD PROCESS • MF-ID follows a centralized architecture where all IT systems can be integrated centrally. Distributed IT systems can have their own controlling architecture • The user logs into the LAN/VPN/Web Application / Database server etc and provides his credentials • Based on user’s credentials, a One-Time-Password is generated and sent to the user’s mobile number. The user meanwhile is taken to the OTP authentication application (integrated with the AAA server). Once the users identity is verified, the user is then provided access to the application • All logs are stored in a secured database (completely encrypted) for future analysis. • ADVANTAGES OF AUTHSHIELD MULTI FACTOR ID • For Users • Using INNEFU’s two factor authentication can help prevent- • Online fraudulent equity transfers • Phishing • Unauthorized access to data by employees. • For the organization • OS Independent Authentication Mechanism • Seamless Integration with the current business and security architecture • Increases the log on security for critical applications. • Visit us on • www.auth-shield.com • 876, 8th Floor, Aggarwal Cyber Plaza II,Netaji Subhash Place, New Delhi-110034 Contact :011-47065866 (Delhi )/022-66894444 (Mumbai)