and Security

Ajit Regmi
Presentation Transcript


  1. and Security (Ajit Regmi)

  2. Evolution of Threats and Attacks in eBanking

  3. Threats and Attacks - Internet Banking
     • Stealing credentials
       • Phishing
       • Vishing
       • Clickjacking
       • Crimeware
       • Any others?

  4. Citibank Fake Website

  5. Phishing email

  6. Man in the Middle Attack (MITMA)

  7. Man in the Browser Attack
     • Malware inside the customer’s web browser

  8. Security Controls
     • Secure Sockets Layer (SSL)
       • Protocol to secure data transmission over a public network
       • Makes use of public and private keys
       • A digital certificate is installed on the server, signed by a CA
       • Uses two methods to secure data:
         • Authenticate the website
         • Encrypt the data transmitted

  9. SSL: Is the website secured?
     • Address bar: https instead of http

  10. Digital Signature

  11. Basic Identification and Authentication
     • A simple user ID and password-based authentication scheme that provides the following:
       • Identifies which user is accessing the server
       • Limits users to accessing specific pages (identified by Uniform Resource Locators, URLs)

  12. Identification and Authentication
     • Identification: user ID, account number etc.
     • Authentication: 3 factors
       • Something a person knows (knowledge)
         • PIN, password, secret question?
         • Least expensive to implement
         • Can be stolen and used for unauthorized access
       • Something a person has (ownership)
         • Key, swipe card, badge, access card etc.
         • Items can be lost or stolen

  13. Identification and Authentication
     • Authentication: 3 factors
       • Something a person is (characteristics)
         • Biometrics (fingerprint, retinal scan etc.)
         • Expensive to implement
     • Strong authentication
       • Two-factor authentication requires two out of the above three
       • 2FA for user authentication or transaction authentication?

  14. Multi-factor Authentication?

  15. Mobile Banking
     • What can you do?
       • Query, fund transfer, request
     • SMS based
       • PIN + mobile number
     • Application based (mobile application or SIM-based application)
       • SMS or GPRS?
       • PIN + application + mobile number
     • WAP / web based
       • PIN + mobile number

  16. SMS Banking: Security Problem in GSM Operator
     (diagram: Bank Host, Bank SMS DB, Bank SMS Gateway, leased line, GSM Operator Application Server, GSM Operator SMS DB, GSM Network)

  17. Threats and Attacks - Mobile Banking
     • SMS spoofing
     • SIM cloning
     • Message eavesdropping
     • Worms: harvest phone numbers and other information
     • Fake applications: do you use the Android, iPhone or BlackBerry market?

  18. Security in Mobile Banking
     • M-Commerce?
     • End-to-end SMS encryption
     • Digital signature???
     • Web-based banking

  19. EMV Card (Europay, Mastercard and Visa)
     • Chip based, but still has a magnetic stripe for backward compatibility
     • Data is encrypted
     • Virtually impossible to make a counterfeit card
     • Online mode: PIN and card verified online; digitally signed card
     • Offline mode: for small transactions; PIN verified in the card itself
       • Yes Card attack

  20. Magnetic Stripe Card
     • No encryption of data
     • Storage is very limited (79 alphanumeric plus 40 numeric characters total!)
     • Cards can be easily read and re-recorded, leading to easy counterfeiting
     • CVV1, expiry date, card number etc.
     • CVV2
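A defender-side check that follows from this slide, added here and not part of the original presentation: because stripe data is stored in the clear in the public ISO/IEC 7813 track layout, it is recognisable when it leaks into POS logs or memory dumps, and PCI DSS forbids storing full track data after authorisation. The log lines below are constructed sample input using the public Visa test PAN 4111111111111111 and a fictitious cardholder name.

```python
"""Scan stored text for unencrypted magnetic-stripe track data (ISO/IEC 7813).
Added example, not from the slides. Sample input is constructed with the public
Visa test PAN 4111111111111111 and a fictitious cardholder name."""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK_PATTERNS = {
    1: re.compile(r"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?]*\?"),
    2: re.compile(r";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})\d*\?"),
}

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Report only the first six and last four digits; a finding must not re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """One finding per track record whose PAN passes Luhn, track 1 records first."""
    findings = []
    for track, pattern in TRACK_PATTERNS.items():
        for m in pattern.finditer(text):
            if luhn_ok(m["pan"]):
                findings.append({"track": track, "pan": mask_pan(m["pan"]),
                                 "expiry": f"{m['mm']}/{m['yy']}", "service_code": m["svc"]})
    return findings

# Constructed sample: a POS log that wrote raw swipe data, plus a line that only looks like track 2.
SAMPLE_LOG = (
    "2024-01-05 10:02:11 POS01 swipe raw=%B4111111111111111^DOE/JANE^29011011234500000?\n"
    "2024-01-05 10:02:11 POS01 t2=;4111111111111111=29011011234500000?\n"
    "2024-01-05 10:02:12 POS01 ref=;1234567890123=2901101?\n"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

The third sample line matches the track 2 layout but fails the Luhn check, so it is not reported; the two real records are reported with masked PANs only.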

  21. Threats and Attacks - ATM and Cards
     • Collecting credentials
       • Skimming
         • POS skimming
         • ATM skimming
       • Dummy ATMs
       • Ghost ATMs
       • SMS attack – smishing
     • Ram raid

  22. Telephone Banking
     • Voice biometrics, adaptive authentication
     • Services:
       • IVR vs. manual
       • Query, fund transfer?
     • Credentials
       • Phone banking password, debit card number, date of birth, address, account number etc.
     • Stealing credentials
