|the-south-asian.com NOVEMBER 2001|
|about us contact us data bank past issues the craft shop the print gallery|
NOVEMBER 2001 Contents
Page 4 of 6
Security and Trust in Internet Banking
THE SECURITY PROBLEM in Banking & Telecoms :
User, Computer & Network Security.
Security Problem Solution
Message Eavesdropping Encryption and decryption
Message Authentication Hash functions
User Authentication Public Key Infrastructure,
Combination of Digital X.509.v3 certificate specification [ serial #, Signature information, issuer name, owner’s name , owner’s public key information, validity, issuer’s digital signature ] recommended by the International Telecommunications Union (ITU) , LDAP/ DAP [ X.500 ] is a directory protocol [ names, address schema ] so that system administrators can manage the problem of administering new employees and changes in employees.
Non- Repudiation Digital Signatures, Time Stamps.
Security in Banking Operations & Products .
The basic concept is "Dual Control". This means each Transaction operates on a "Maker-Checker" concept. One person makes the data entry for the transaction into the computer terminal and his supervisor checks the same .The assumption is that two people will not collude for too long on fraud.
Banking Security is based on Monitoring Transaction Logs, Transaction Audit Trails through staff and process / procedures in Internal Controls, & Internal Audit Groups.
Banking Application Security Examples :
PLASTIC CREDENTIALS :
Credit Cards Security :
The Credit Card Number is a 16 digit number : 4321 5678 9012 1234
Comprising the System # , Bank #, Account #, Checkdigit #
Digit 1 = System –
3 = Amex [ 37 ] / Diners Club [ 38 ]
4 = Visa
5 = Master Card
The Structure varies by system .
VISA – digits 2-6 are bank number. 7-12/15 is the account number, 13/16 is a check digit
Amex – digits 3,4 are type & Currency, 5-11 is account #, 12-15 is card #
Credit Card encryption process:
1. SWIPE card – Electronic Data Capture Terminal Software in Point-of-Sale -POS terminal.
2. POS dials via modem to "Acquirer".
3. Acquirer checks the transaction & record on Card Magnetic stripe
-- [ Merchant ID, Card #, Exp, date , Limit , Card use.]
PIN is checked in a Data Base ; PIN can be on card or Bank’s DB.
4. Link between ATM and Bank is encrypted.
Money Transfer Application :
Manual Legacy Systems for Large value Money Transfers using Tested Telexes. Tested Telexes use a Test Card containing a key & fixed serial number normally mailed to the Bank.
A testkey value is calculated by combining a set of numbers, known as contributions, which are selected from tables associated with such message elements as amount, currency, value date, etc., and usually include a fixed number uniquely exchanged between the two parties. This is how telexes were encrypted and decrypted.
Telexes are obsolete and have been replaced by SWIFT II. SWIFT is a banks cooperative based in Brussels and is used to carry out large value bank to bank transfers using automation of the Tested Telexes described above.
Trade Finance – Letter of Credit – L/C
The L/C is a Document Processing Intensive transaction .By introducing PKI type encryption to the L/C the following advantages occur .
-- the Exporter focuses on Core business & has faster access to funds.
The Importer focuses on early delivery of goods.
Banks enjoy pushing in – House processing costs OUT to customer.
Automatic Reconciliation :
The General Ledger accounts for All Branches are balanced at close of business.
If differences arise, then depending on amount value [interest claim] found through Automatic reconciliation of accounts, escalations to senior management and Audit Groups are done.
Internal Audit/Control Groups monitor analysis of System Logs, Editors with Dual Sign-on on a daily basis and monthly reports are signed-off by Data Center, Communications Operations .
U.S. Federal Security Controls:
Under US Treasury Department, Financial Crimes Enforcement Network [ FinCEN ] uses Data Mining and a Artificial Intelligence System to detect Financial Money Laundering in conjunction with other Federal & Commercial Data Bases .FinCEN uses a combination of Cray and IBM Vector Processors.
Banks are typically required by Federal Law to report transactions of over $ 10,000 and even under $ 10,000 if the banks think they are suspicious.US accounts are also linked to the Social security number.
In south Asian countries there is virtually none of this sort of Governmental Financial Monitoring :
Bank Treasury Divisions use special technology called Turret Phone systems for Foreign Exchange – FX & Money Market - MM [ local currency ] Dealers. This allows real-time logging of all telephone bids/offers in case of repudiation, in view of the large transaction amounts involved. The Global Daily FX transactions value is about $ 1.5 trillion and Treasury departments use Cash Management Optimization [ e.g. Money Market , Bonds ] - which is where a Bank treasurer typically puts his end of day funds with minimum risk..
Banking & Internet Networks Security Architectures .
USA Banks follow the 1984 Regulation from Dept. of Treasury for the Federal Electronic Funds Transfer rules.
Citibank uses Network Hardware encryption between Branch Physical Line and Host Computer .
This sort of encryption is called LINK - LEVEL Encryption and is the hardest to break.
"Cylink" Encryption devices with 56-bit DES key changed every month in 1987.
Currently, using DES 128 – bit key, the master encryption device generates the starting key or seed key and downloads the Public key to the slave .
Change of Keys is done every day.
PROM in front of the encryption device is used to input the large numbers .
For Engineers Remote Access to Banking Switches or Computers , an authentication server is used and if any information is written or changed in a Network Switch, the Internal Information Security Group , will send the Engineer an Email asking for an explanation.
IP Packet Filtering [ access control lists, controlled source & destination IP address , authorized device traffic only ] .
Firewalls [ passive –].similar to above techniques , think of a firewall as a Gate .
You can create further safety & security by using Proxy servers and De-Militarized zones , creating two firewalls separating a Bank’s Local Network and the Internet .
Intrusion Detection Systems .IDS are now part of Routers. CISCO has a product called NetRanger .
IDS uses sniffers & an expert rules-based systems that distills large volumes of IP network traffic, router system logs into meaningful security events. This is done in real-time.
Protection is also done by Observation [ Traffic Policing ].and implementing Physical Security
Threats to Network Security --Examples of Hacking :
Methods: Port Scans , Ping of death , Finger , MS IE attacks, E-Mail spam.
Ping of Death : It is possible to crash, reboot or otherwise kill a large number of systems [ including Printers and routers ] by sending a ping of a certain size from a remote machine.Some systems don't like being pinged with a packet greater than 65536 bytes (as opposed to the default 64 bytes).
Operating Systems -- Virtually all operating systems are vulnerable to this Ping unless a patch has been applied to the OS kernel.
[ 80% of Financial losses come from within the network ]
Copyright © 2000 - 2001 [the-south-asian.com]. Intellectual Property. All rights reserved.