An Investigation into E-Banking Frauds and their Security Implications - PowerPoint PPT Presentation

1
An Investigation into E-Banking Frauds and their
Security Implications 
  • By Kevin Boardman
  • Supervisor: John Ebden
  • 20 March 2004

2
About me
  • Joint Computer Science and Information Systems
    Honours.
  • Interest in computer security and its
    implications in e-commerce.
  • Email: g01b0633_at_campus.ru.ac.za

3
Definition of project in one sentence
  • An investigation into internet banking frauds,
    and how they are best avoided by banks on the
    internet.

4
The Problem and Background
5
Internet Banking statistics - Burrows 2004
  • General increase in the use of internet banking
    around the world.
  • The number of online banking accounts in South
    Africa grew by 28% to 1.04 million in the last
    year. These figures are expected to increase to
    30% in 2004.
  • More than 162 million transactions worth around
    R198 billion were conducted via South Africa's
    online banking services last year.
  • 17 percent of Americans used online banking
    services by the end of 2002 and this figure will
    continue to grow by 14 percent up to the end of
    2007.

6
Fraud statistics
  • Fraud complaints rose by around two-thirds in the
    US according to the Federal Trade Commission
    (FTC) from 2001 to 2002.
  • Identity theft accounted for 43% of complaints.
  • The cost of fraud in 2002 was more than double
    that in 2001.

7
Fraud statistics (Continued)
8
Result of combination of statistics
  • Hacker cleans out bank accounts.
  • Hundreds of thousands of rands stolen via
    Internet from Absa clients.
  • Who covers the costs? Irreversible damage to
    Absa's image.
  • New security fears for web banking
  • Banks 'must pay up if hacked'
  • According to the Electronic Communications and
    Transactions Act the bank must refund customers
    if it can be proved they did not provide a safe
    service.

9
Project Aims
10
Project Aims
  • Investigate the state of security of South
    African banking facilities and compare them with
    facilities used around the world.
  • Investigate internet banking cases in which
    security breaches occurred, such as ABSA.
  • An inquiry into, and comparison of, the formal
    procedures and protocols (e.g. Secure Electronic
    Transactions Protocol) used by these banks.
  • Establish certain techniques that can be used to
    set up a secure internet banking environment.

11
So what is security?
12
Security Definition and Project scope
  • Computer security is a broad area of study.
  • Computer security: "technological and managerial
    procedures applied to computer systems to ensure
    the availability, integrity and confidentiality
    of information managed by the computer system"
    (The Texas State Library and Archives Commission,
    2001).
  • The focus of the investigation will be on aspects
    of security involving fraudulent intent; thus
    viruses, software bugs and operator errors will
    not be examined.

13
My intended approach
14
1) Do Literature Survey
  • The nature of this project is mainly
    investigative and therefore largely based on
    research.
  • Computer and E-commerce Security publications
    provide background to security.
  • Journal articles specific to internet banking
    security and fraud provide specific insight
    into the problem.
  • Protocol specifications (e.g. Secure Electronic
    Transactions Protocol) and procedures provide
    the detailed workings of current security
    implementations.
  • Case studies provide real life examples.

15
2) Case Study
  • A detailed analysis of some of the recent
    electronic banking security breaches will be
    undertaken in order to find common flaws and
    possible countermeasures.
  • Who committed the fraud.
      • Insider versus outsider.
      • One person versus a group of people.
      • Fraudster's motivation.
  • How the breach occurred: weaknesses exposed.
      • Insider information.
      • Easily accessible confidential documentation.
      • Dormant user accounts.
  • What techniques were used by the intruder.
      • Packet sniffing.
      • Password cracks.

16
Case Study (Continued)
  • What security measures were bypassed by the
    intruder.
      • Encryption.
      • Transfer limits.
      • Regular changes in access codes.
      • Firewalls.
  • How the breach was detected.
      • Customer report or bank detection.
      • Transfer, security logs.
      • Paper trails (end of month reconciliation).
  • What damage was done by the intruder.
      • Damage to system.
      • Loss of money.
  • What countermeasures were put into place to
    prevent further attacks.
      • End to end encryption techniques.
      • Control of access to workstations.
      • Firewalls.

17
3) Formulate countermeasures
  • Establish certain techniques and protocols that
    can be used to set up a secure internet banking
    environment.

18
Current Resources
  • Background
      • Chapman, D.B., Zwicky, E.D. Building Internet
        Firewalls. O'Reilly and Associates, Inc., 1995.
        Provides a background into state of the art
        firewalling techniques.
      • Ahuja, V. Secure Commerce on the Internet. AP
        Professional, 1997. Provides a broad background
        to security and e-commerce.
  • Journals
      • Hutchinson, D., Warren, M. Security for internet
        banking: a framework. Published 2003. Accessed
        5 March 2004. URL:
        http://thesius.emeraldinsight.com/vl6457514/cl37/nw1/fmhtml/rpsv/cw/mcb/09576053/v16n1/s7/p64
        Provides a framework for implementing secure
        internet banking which is very relevant to the
        subject.
      • Eloff, J.H.P., Van Buuren, S. Framework for
        evaluating security protocols in a banking
        environment. In Computer Fraud and Security.
        Elsevier, 1998. Provides a framework for
        security protocols that can be used to protect
        banking systems. The authors are South African,
        so hopefully it gives an insight into the South
        African situation.

19
Resources (Continued)
      • Rahda, V. Preventing Technology Based Bank
        Frauds. Published February 2004. Accessed 11
        March 2004. URL:
        <http://www.arraydev.com/commerce/JIBC/0402-05.htm>
        Specifically deals with banking frauds.
      • Rennhard, M., Rafaeli, S., Mathy, L. From SET to
        PSET: The Pseudonymous Secure Electronic
        Transaction Protocol. Published August 2001.
        Accessed 3 March 2004. URL:
        <http://www.tik.ee.ethz.ch/rennhard/publications/PSET.pdf>
        Gives insight into protocols such as SET used for
        secure credit card transactions.
  • Case Studies
      • Henderson, I. Electronic funds transfer fraud.
        Published December 2003. Accessed 14 March
        2004. Available: doi:10.1016/S1361-3723(03)00006-X.
        Anonymous case study involving electronic
        funds transfer fraud.
      • Cohen, F. Breaking the Bank. Computer Fraud &
        Security, Volume 2002, Issue 11, November 2002,
        pages 12-14. Available:
        doi:10.1016/S1361-3723(02)01109-0. Anonymous
        case study.

20
The expected result
  • Evaluation of some of the current security
    protocols and procedures used in internet
    banking.
  • Exposure of security flaws in some of the major
    banking e-commercial systems.
  • Establish possible countermeasures to attacks and
    threats from internet banking security frauds.

21
Possible Extensions
  • Testing of some of the security software and
    hardware used for internet banking, in order to
    find flaws.
  • Consulting for banks on internet security issues.

22
Questions