
Electronic Security and Payment Systems: Some New Challenges


Presentation Transcript


  1. Electronic Security and Payment Systems: Some New Challenges Tom Glaessner Thomas Kellermann Valerie McNevin The World Bank November 2003

  2. Organization of Presentation • Digital Trends in Payments • Nature of the Threat • Market Structure and E-Risk in Emerging Economies • A Four Pillar Approach • Future Challenges

  3. Four Streams of E-Finance • EBT • EFT • ETC • EDI (number of global EFT transactions: 677,411,204)

  4. I. Digital Trends in Retail Payments • Increased dependence on Information Technologies • The convergence of technologies • Leapfrogging opportunities provided by e-finance stimulate growth • The growth of wireless in EMG • New, interoperable technologies dependent on the Internet infrastructure • VOIP • Satellite and cyber-location • E-commerce, retail and even micro payments

  5. Connectivity: Mobile Phones

  6. II. The Nature of the Threat • The threat is not new • A cyber world allows for crimes of greater magnitude with greater speed • Lack of incentives for reporting hides true e-security vulnerabilities • Cyber threats have been rising globally as technologies converge • Emerging markets are not immune

  7. System Access: E-Risk and Fraud • System Access in a Networked Environment • Access Tools • Hacking software vulnerabilities, viruses, worms, Trojans, Denial of Service (DoS) • Types of E-Fraud • Identity Theft • Extortion (reputation) • Salami Slice • Funds Transfer • Electronic Money Laundering

  8. III. E-Risk Market Structure in Emerging Economies • Many emerging markets have concentrated provisioning of hosting services • Interlinked ownership: Telecom companies, ISPs, e-security service companies, and banks • No real separate independent e-security industry • Shortage of human capital in EMG in this area • CISOs • E-Security providers versus white knights

  9. IV. A Four Pillar Approach

  10. Pillar 1: Legal Framework, Incentives, Liability • No one owns the internet, so how can self-regulation work? • Basic laws in the e-security area vary a lot across countries, as do penalties • Defining a money transmitter • How to define a proper service level agreement (SLA) • Downstream liability • Issues in certification and standard setting

  11. Pillar 3: Certification, Standards, Policies and Processes • Certification • Software and hardware • Security vendors • E-transactions • Policies • Standards • Procedures

  12. Pillar 2: Supervision and External Monitoring • Technology Supervision and Operational Risk: • Retail Payment Networks; Commercial Banks; E-Security Vendors • Capital Standards and E-Risk • On-Site IT examinations • Off-site processes • Coordination: between regulatory agencies; between supervisors and law enforcement • Cyber-Risk Insurance • Education and Prevention

  13. Pillar 4: Layered Electronic Security • 12 Core Layers of proper e-security • Part of proper operational risk management • General axioms in layering e-security • Attacks and losses are inevitable • Security buys time • The network is only as secure as its weakest link

  14. Intruder Begins Attack • The web server authenticates against the customer database. • Exploiting a hole in the internet banking software, SQL injection is used to run system commands on the database server. • The attacker runs a command that opens a remote command shell.

  15. Network is Completely Compromised • Now that the firewall security has been bypassed completely, the attacker uses the database server to take over the domain controller. • The attacker can now access the mainframe as if he were sitting at the administrator’s desk. Hmmm… what else can he access from here? • The administrator accesses the mainframe from his desktop and saves all the passwords for easy access. • A remote desktop is pushed back to the attacker. • The domain passwords are cracked, and access to the administrator’s workstation is now available.
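The "hole in the internet banking software" in slides 14 and 15 is a login query built by string concatenation. The added example below (not from the World Bank presentation) shows that flaw beside the parameterised form, using a constructed in-memory customer table; the function and table names are assumptions for illustration.

```python
import sqlite3


def build_customer_db():
    # Constructed sample table standing in for the customer database the
    # slide describes. Password storage is simplified to plain text here so
    # the query comparison stays visible; real systems store salted hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # The flaw: user input is pasted straight into the SQL text, so a quote
    # character in the input changes the structure of the query. On an
    # engine that exposes OS commands to SQL, this is the foothold the slide
    # describes; on any engine it is an authentication bypass.
    query = ("SELECT username FROM customers WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Parameterised query: the driver binds the values separately from the
    # SQL text, so input is only ever compared as data, never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM customers WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_customer_db()
    malformed = "' OR '1'='1"          # quote-bearing input, not a real password
    print("vulnerable:", login_vulnerable(conn, "alice", malformed))  # a username
    print("hardened:  ", login_hardened(conn, "alice", malformed))    # None
```

Pair the parameterised query with a database account that holds no rights to run system commands, so that even a residual injection cannot become the remote shell of slide 14.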

  16. Select Weaknesses • Passwords • Over-reliance on encryption • Patch management • Rogue HTTP tunnels • Outsourcing • Wireless security

  17. Technical Vulnerabilities of PKI • Keys can be: • Altered by a hacker • Captured through video viewing • Broken by parallel processors when of limited length • Stolen through manipulation of fake names and IDs • Compromised when password and token protection are cracked • Certificate Authorities can: • Have a different definition of “trust” • Operate with insecure physical and network security • Be broken into, and public key files altered

  18. GSM Vulnerabilities • SIM card vulnerability • SMS bombs • Gateway vulnerability • WAP vulnerability • Man-in-the-middle attack

  19. V. Challenges Ahead • Building awareness • Creating a culture of electronic security as part of business process • Building e-security considerations into investment planning and RFP design • Assuring proper development of the four pillars in emerging markets

  20. World Bank Integrator Group 2003. For further information: www1.worldbank.org/finance (click on E-security), tglaessner@worldbank.org
