Electronic Security and Payment Systems: Some New Challenges

Tom Glaessner, Thomas Kellermann, Valerie McNevin

The World Bank, November 2003
Organization of Presentation
  • Digital Trends in Payments
  • Nature of the Threat
  • Market Structure and E-Risk in Emerging Economies
  • A Four Pillar Approach
  • Future Challenges
Four Streams of E-Finance

(chart: # of Global EFT; the data series is not preserved in the transcript)
I. Digital Trends in Retail Payments
  • Increased dependence on Information Technologies
    • The convergence of technologies
    • Leapfrogging opportunities provided by e-finance stimulate growth
    • The growth of wireless in emerging markets (EMG)
  • New, interoperable technologies dependent on the Internet infrastructure
    • VOIP
    • Satellite and cyber-location
  • E-commerce, retail and even micro payments
II. The Nature of the Threat
  • The threat is not new
  • A cyber world allows for crimes of greater magnitude with greater speed
  • Lack of incentives for reporting hides true e-security vulnerabilities
  • Cyber threats have been rising globally as technologies converge
  • Emerging markets are not immune
System Access: E-Risk and Fraud
  • System Access in a Networked Environment
  • Access Tools
    • Exploitation of software vulnerabilities; viruses, worms, Trojans; denial of service (DoS)
  • Types of E-Fraud
    • Identity Theft
    • Extortion (reputational)
    • Salami Slicing
    • Funds Transfer
    • Electronic Money Laundering
III. E-Risk Market Structure in Emerging Economies
  • Many emerging markets have concentrated provisioning of hosting services
  • Interlinked ownership: Telecom companies, ISPs, e-security service companies, and banks
  • No real separate independent e-security industry
  • Shortage of human capital in emerging markets (EMG) in this area
    • CISOs
    • E-Security providers versus white knights
Pillar 1: Legal Framework, Incentives, Liability
  • No one owns the internet so how can self-regulation work?
  • Basic laws in the e-security area vary a lot across countries as do penalties
  • Defining a money transmitter
  • How to define a proper service level agreement (SLA)
  • Downstream liability
  • Issues in certification and standard setting
Pillar 3: Certification, Standards, Policies and Processes
  • Certification
    • Software and hardware
    • Security vendors
    • E-transactions
  • Policies
  • Standards
  • Procedures
Pillar 2: Supervision and External Monitoring
  • Technology Supervision and Operational Risk:
    • Retail payment networks; commercial banks; e-security vendors
    • Capital Standards and E-Risk
    • On-Site IT examinations
    • Off-site processes
    • Coordination: between regulatory agencies; between supervisors and law enforcement
  • Cyber-Risk Insurance
  • Education and Prevention
Pillar 4: Layered Electronic Security
  • 12 Core Layers of proper e-security
  • Part of proper operational risk management
  • General axioms in layering e-security
    • Attacks and losses are inevitable
    • Security buys time
    • The network is only as secure as its weakest link
Intruder Begins Attack
  • The web server authenticates against the customer database.
  • Exploiting a hole in the internet banking software, SQL injection is used to run system commands on the database server.
  • The attacker runs a command that opens a remote command shell.

Network is completely compromised
  • With the firewall bypassed completely, the attacker uses the database server to take over the domain controller.
  • The domain passwords are cracked, and access to the administrator's workstation is now available.
  • The administrator accesses the mainframe from his desktop and saves all the passwords for easy access. A remote desktop session is pushed back to the attacker.
  • The attacker can now access the mainframe as if he were sitting at the administrator's desk. What else can he access from here?
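The entry step of the attack chain above (SQL injection that runs a second, attacker-chosen statement on the database server) as an added example; this is not code from the presentation. The slide does not name the database product; on the Microsoft SQL Server deployments typical in 2003 the appended statement would usually be an EXEC xp_cmdshell call, which is what "system commands" refers to. The example uses Python's built-in sqlite3 as a stand-in: the customer table, the audit table and the payload are constructed sample data, and the attacker's stacked statement writes a row to the audit table instead of spawning a shell. The vulnerable login (string concatenation plus a driver call that executes every statement in the string) sits beside the parameterized form.

```python
import sqlite3

# Constructed sample payload: closes the username literal, appends a second
# statement, then comments out the remainder of the original query. In a
# real MSSQL attack the appended statement would be EXEC xp_cmdshell '...'.
PAYLOAD = "x'; INSERT INTO audit(msg) VALUES ('attacker command ran'); --"


def new_db():
    """Constructed in-memory stand-in for the bank's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO customers(username, password) VALUES ('alice', 's3cret');
        CREATE TABLE audit(msg TEXT);
    """)
    return conn


def build_query_vulnerable(username, password):
    """The hole: user input is pasted straight into the SQL text."""
    return ("SELECT id FROM customers WHERE username = '%s' AND password = '%s';"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Runs the concatenated query with a call that executes every statement in
    the string (stacked queries). Returns the SQL actually sent so the injected
    statement is visible to the reader."""
    sql = build_query_vulnerable(username, password)
    conn.executescript(sql)
    return sql


def login_parameterized(conn, username, password):
    """Hardened form: values are bound as parameters and never parsed as SQL."""
    cur = conn.execute(
        "SELECT id FROM customers WHERE username = ? AND password = ?",
        (username, password))
    return cur.fetchone() is not None


def audit_rows(conn):
    """Whatever the injected 'command' wrote; empty if nothing ran."""
    return [row[0] for row in conn.execute("SELECT msg FROM audit")]


if __name__ == "__main__":
    db = new_db()
    print(login_vulnerable(db, PAYLOAD, "anything"))
    print("vulnerable path, audit table:", audit_rows(db))      # injected statement ran

    db = new_db()
    print("parameterized, payload as username:", login_parameterized(db, PAYLOAD, "anything"))
    print("parameterized path, audit table:", audit_rows(db))   # nothing ran
    print("parameterized, real credentials:", login_parameterized(db, "alice", "s3cret"))
```

The fix is not escaping quotes but keeping data out of the statement text entirely; with bound parameters the payload is compared as an ordinary (non-matching) username, and disabling stacked-query execution and xp_cmdshell on the server removes the second half of the chain even if an injection slips through.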

Select Weaknesses
  • Over-reliance on encryption
  • Patch management
  • Rogue HTTP tunnels
  • Wireless security
Technical Vulnerabilities of PKI
  • Keys can be:
    • Altered by a hacker
    • Captured through video viewing
    • Brute-forced with parallel processing when of limited length
    • Obtained under fake names and IDs (impersonation at enrollment)
    • Compromised when the password or token protecting them is cracked
  • Certificate Authorities can:
    • Have a different definition of "trust"
    • Operate with insecure physical and network security
    • Be broken into, with public-key files altered
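The "limited length" bullet above, as an added example that is not from the presentation. It assumes RSA (the slide does not name the algorithm) and a constructed toy modulus of about 37 bits built from two small known primes; the attacker is handed only the public key (n, e), factors n with Pollard's rho, rebuilds the private exponent and decrypts a ciphertext. The same routine, however many processors it is spread across, makes no progress on a 2048-bit modulus, which is the point: key length is the entire margin.

```python
import math

# Constructed toy key material: the 10,000th and 100,000th primes.
# Real RSA moduli are 2048 bits or more; this one is ~37 bits.
P, Q = 104729, 1299709
E = 65537


def is_prime(n):
    """Trial division; adequate for the small constructed primes used here."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def make_keypair(p, q, e=E):
    """Textbook RSA key generation; returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return n, e, pow(e, -1, phi)


def pollard_rho(n):
    """Pollard's rho: returns a nontrivial factor of composite n.
    Cost grows with the square root of the smallest prime factor, so it is
    instant here and hopeless at real key sizes."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # the cycle closed without a factor; retry with another polynomial


def recover_private_exponent(n, e):
    """Attacker's step: from the public (n, e) alone, factor n and rebuild d."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), {p, q}


def demo(message=4242):
    """Encrypt with the public key, then decrypt with the *recovered* private key."""
    n, e, d = make_keypair(P, Q)
    ciphertext = pow(message, e, n)
    d_recovered, factors = recover_private_exponent(n, e)
    return {
        "n_bits": n.bit_length(),
        "factors": factors,
        "d_matches": d_recovered == d,
        "plaintext": pow(ciphertext, d_recovered, n),
    }


if __name__ == "__main__":
    print(demo())
```

Brute force against key length is fully parallel (each processor can search a disjoint range), so the slide's "parallel processor" caveat is real, but the cost still grows exponentially in the bit length; the defence is to retire short keys, not to hide them.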
GSM Vulnerabilities
  • SIM-card vulnerability
  • SMS bombs
  • Gateway vulnerability
  • WAP vulnerability
  • Man-in-the-middle attack
V. Challenges Ahead
  • Building awareness
  • Creating a culture of electronic security as part of business process
  • Building e-security considerations into investment planning and RFP design
  • Assuring proper development of the four pillars in emerging markets
World Bank Integrator Group, 2003. For further information: www1.worldbank.org/finance (click on E-security); tglaessner@worldbank.org