Title: Implementing improved user security for Stock broking firms
Implementing improved user security for Stock broking firms: A CTO Standpoint
Certified Whitepaper
AuthShield Labs Pvt. Ltd. contact_at_auth-shield.com
91.11.470.65.866
Overview

Evolving consumer habits: online trading

The Internet revolution has changed the way trading takes place today. All over the world, online transactions are moving beyond the nascent stage. Increased Internet penetration and the sheer convenience of the process attract more and more people to online transactions. Modern stock exchanges have a large amount of technology in place that allows customers to access their demat accounts from virtually any location in the world at any time of day. This remote accessibility over great distances is a great asset that allows customers to buy, sell or transfer shares, equities etc. quickly and easily. Though exciting, the potential of online trading is fraught with challenges. With the onset of the Internet revolution, the scams that were until now conducted by mail, phone and wire transfer can now be found on the World Wide Web and in email, with new cyber scams emerging almost daily. A recent survey across ten major cities in the world indicates that ninety one percent of internet users have experienced some case of cyber fraud, such as phishing, key logging, identity theft and account takeover.
"The chances of a criminal getting arrested and convicted for identity theft-related fraud are much less than a half of 1 percent."

Recognizing the importance of safeguarding investors' money, legitimate brokerage firms should take steps to ensure that their transactions are secure. However, online brokerages and the investors who use them are appealing targets for attackers. The amount of financial information in a brokerage's database makes it valuable: this information can be traded or sold for personal profit. Also, because money is regularly transferred through these accounts, malicious activity may not be noticed immediately. To gain access to these databases, attackers may use Trojan horses or other types of malicious code. Attackers may also attempt to collect financial information by targeting current or potential investors directly. These attempts may take the form of social engineering or phishing attacks. With methods that include setting up fraudulent investment opportunities or redirecting users to malicious sites that appear to be legitimate, attackers try to convince investors to provide them with financial information that they can then use or sell.

With the advancement of computer technology and the connectivity afforded by the Internet, it is increasingly easy for criminals, either independently or in organized gangs, to manipulate holding accounts in order to commit fraud against an exchange or to deceive innocent victims. The adverse impacts of financial fraud, not only on individuals and the commercial sector but even on national economic and security systems, are increasing rapidly worldwide. Left unchecked, financial frauds using the Internet or Internet-driven technologies could lead to the financial ruin of people and commercial enterprises as well as seriously damage multiple economies.

"78% of all information security breaches are conducted by internal employees." (CERT-In statistics)

Information security within the organization

Most businesses can no longer afford to ignore the threat from within. However, the IT infrastructure of most Sri Lankan and multinational organizations is yet to address the full complexity of internal threats. Unlike external information threats to an organization, internal information breaches are multidimensional. The threats may range from misuse of official email or information for insider trading to inserting backdoors into critical applications. More importantly, these threats come from the most trustworthy of sources: the company's internal employees. These actions may or may not be deliberate, but they do take place.
Problem Area

1. ONLINE BUYING VIA LINKED BANK ACCOUNTS

The rise of online banking, trading and electronic money transfers has brought with it a new breed of criminals, malware and online financial scams. Fraudsters have developed elaborate cross-account, cross-channel and cross-institution schemes to transfer shares from compromised online accounts to accounts they control. The shares / equities are then sold and the fraudsters disappear with the money before the illegal transfer is discovered.

2. IDENTITY THEFTS / PHISHING

One hack attack at a bank / online portal / store / BPO / online trading site etc. can lead to the loss of thousands of identities in one step. With the tremendous growth of the Internet in the world, more and more people are vulnerable to phishing and Trojan attacks. The growth of e-commerce and changing lifestyles present a unique challenge for exchanges, as increasingly more people are logging on to buy, sell or maintain their portfolio.

3. INTERNAL FRAUDS

A lot of incidents involving internal breaches are simply not reported, because the institution's reputation is at stake. Most of the cases that come to light involve a third party which handles transactions or data processing (financial BPOs). However, studies indicate that internal bank fraud accounts for 60% of cases involving a data breach or theft of funds.
After Effects of Online Trading Fraud

As a merchant / broking firm, being a victim of fraud can have a range of effects on your business. These effects include:
- Immediate financial loss due to stolen stock/earnings
- Damaged reputation
- Loss of customer trust
- Loss of investor confidence
- Lowered sales
- Extra costs of time/money to manage each fraud incident
- Lowered staff morale
- Possible legal costs
- Lowered value of your stock/services
- Additional bank fees for transaction reversal
- Potential problems retaining your merchant bank account after too many reversed transactions

Single factor authentication and vulnerability
- A major facilitating factor for almost all of these attacks is the single factor authentication in vogue today (using just a user name and password).
- It becomes quite easy for an individual to capture user names and passwords of other individuals using the same IT infrastructure. There are multiple techniques for this, such as sniffing, installing a keylogger, man-in-the-middle (MITM) attacks or zombie attacks.
- In such a scenario multifactor authentication offers a much safer approach. It is a foolproof way to authenticate and verify the identity of the person or any other entity requesting access under security constraints.
Preventing Financial Fraud

Prevention is always better than cure. It is even truer for exchanges, keeping in mind the changing commercial climate. Financial fraud can occur in multiple forms and shapes. The time of physically cracking into a safe, conducting a bank robbery or carrying out an act of dacoity etc. is passé. Today the theft is conducted on the net with no physical threats and at less cost to the perpetrator of the crime. The only challenge that remains is to cover one's tracks, and considering the massive flow of information on the net almost daily, that is not very difficult either.

Multifactor Authentication: why do you need it?

"The best way to beat a thief is to think like one."

- Phishers try to obtain personal information such as your password or PIN code by pretending to be a legitimate entity. Using phishing, static passwords can be easily hacked, providing fraudsters easy access to your demat accounts and other confidential information.
- The current technology used by a lot of organizations today has a static password, which again is risky if a fraudster is able to lay hands on someone's password. There is a need to bring dynamic passwords into the picture, because a static password ceases to be secure once stolen.
- Multifactor authentication maps the physical identity of the user to the server and increases the security of financial and other critical systems. It helps the merchant firm to know their customer.
- Integrating a stronger user authentication system not only helps prevent online credit card fraud, card cloning and identity theft but also helps in the capture of habitual cyber criminals.
- MFID authenticates and verifies the user based on:
  - something only the user has (mobile phone / land line / hard token)
  - something only the user knows (user id and password)
AUTHSHIELD: ONLINE TRADING SECURITY SOLUTIONS

AuthShield is the only multi-factor authentication solution available in the world today that can provide you seamless authentication security across all trading technology platforms used by brokers and stock exchanges across the globe.

AUTHSHIELD PROCESS
- MF-ID follows a centralized architecture where all IT systems can be integrated centrally. Distributed IT systems can have their own controlling architecture.
- The user logs into the LAN / VPN / web application / database server etc. and provides his credentials.
- Based on the user's credentials, a one-time password is generated and sent to the user's mobile number. The user meanwhile is taken to the OTP authentication application (integrated with the AAA server). Once the user's identity is verified, the user is then provided access to the application.
- All logs are stored in a secured database (completely encrypted) for future analysis.

ADVANTAGES OF AUTHSHIELD MULTI FACTOR ID
- For users
- Using INNEFU's two factor authentication can help prevent:
  - Online fraudulent equity transfers
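The flow described in the AuthShield process (credentials checked, a one-time password sent to the registered mobile, the OTP verified before access is granted, every step logged) and the static-versus-dynamic password argument from the "Preventing Financial Fraud" section, written out as an added Python sketch of a server-side second factor. This is not AuthShield's, MF-ID's or INNEFU's code: the user id, mobile number, salt, OTP lifetime and attempt limit are constructed or assumed values, and the SMS gateway and the encrypted log database are replaced by in-memory lists.

```python
import hashlib, hmac, secrets, time

OTP_TTL_SECONDS = 120   # validity window of a one-time password (assumed value)
MAX_ATTEMPTS = 3        # wrong guesses allowed before the pending OTP is voided
_SALT = b"demo-salt"    # constructed; a real deployment uses a per-user random salt

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed sample user: the password is kept only as a salted PBKDF2 hash.
USERS = {"inv001": {"pw_hash": _pw_hash("correct horse"), "mobile": "+91-XXXXXXXXXX"}}
pending = {}     # user -> {"hash": sha256(otp), "expires": epoch, "attempts": n}
audit_log = []   # stand-in for the whitepaper's encrypted log database
sms_outbox = []  # stand-in for the SMS gateway: (mobile, otp)

def _log(user, event):
    audit_log.append({"ts": time.time(), "user": user, "event": event})

def first_factor(user, password):
    """Something the user knows: compare against the stored hash in constant time."""
    rec = USERS.get(user)
    ok = rec is not None and hmac.compare_digest(rec["pw_hash"], _pw_hash(password))
    _log(user, "password ok" if ok else "password wrong")
    return ok

def issue_otp(user, now=None):
    """Something the user has: a random, short-lived code sent to the registered mobile."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"  # from a CSPRNG, never derived from credentials
    pending[user] = {"hash": hashlib.sha256(otp.encode()).hexdigest(),
                     "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    sms_outbox.append((USERS[user]["mobile"], otp))  # only the hash stays server-side
    _log(user, "otp issued")
    return otp  # returned only so the caller can play the user's phone in a test

def verify_otp(user, code, now=None):
    """Second factor: single use, time-bound, attempt-limited, constant-time compare."""
    now = time.time() if now is None else now
    entry = pending.get(user)
    if entry is None or now > entry["expires"]:
        pending.pop(user, None)
        _log(user, "otp missing or expired")
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["hash"], hashlib.sha256(code.encode()).hexdigest())
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        pending.pop(user)  # consumed on success, voided after too many guesses: no replay, no brute force
    outcome = "ok, access granted" if ok else "wrong" if user in pending else "voided after too many attempts"
    _log(user, "otp " + outcome)
    return ok
```

A stolen static password alone fails at `issue_otp`/`verify_otp`, and a captured OTP is useless after its first use, after its TTL, or after three wrong guesses.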