
Dear Readers,

The newest issue of Banking Security Magazine has been released. This time our magazine comes as a bonus to Hakin9. For this issue our authors have prepared even more interesting content and topics than previously, and I am sure that all of you, dear Readers, will find something that attracts your attention.

The main article in this issue is "Analyzing the Biggest Bank Robbery in History" by Pete Herzog. Most of you know the movie Ocean's Eleven, which was based on that robbery. The author analyzes the robbery and shows how open source security testing can help to prevent such a theft. In this issue you will also find articles about network security and online banking fraud, and a topic that should interest iPhone users: in "(In)security of Financial Applications on iPhone" the author assesses how secure it is to use your mobile for banking applications and what threats await unwary users of mobile financial software. I hope that the content of this issue meets your expectations and that you spend some good time with the articles published in Banking Security Magazine.

Enjoy your reading,
Grzegorz Tabaka & Banking Magazine Team

Managing: Grzegorz Tabaka grzegorz.tabaka@software.com.pl
Senior Consultant/Publisher: Paweł Marciniak
Editor in Chief: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Marcin Ziółkowski
DTP: Marcin Ziółkowski, Graphics & Design Studio, www.gdstudio.pl
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Marketing Director: Grzegorz Tabaka grzegorz.tabaka@software.com.pl
Proofreaders: Donald Iverson, Michael Munt, Elliott Bujan, Flemming Laugaard
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.bankingmag.net

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trademarks presented in the magazine are used only for informative purposes. All rights to trademarks presented in the magazine are reserved by the companies which own them. Mathematical formulas were created with Design Science MathType.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Content

Issue 02/2011

Applying ISO/IEC 27001:2005 to a Banking Institution . . . 5
Florencio Cano Gabarda

Secure Web Filtering . . . 7
Steve Jenkins

Social Engineering in the Banking Sector . . . 10
David Montero Abujas

Insecurity of Financial Applications on iPhone . . . 13
Mrityunjay Gautam

Analyzing the Biggest Bank Robbery in History . . . 17
Pete Herzog

Data Sharing Between Banks for Better Risk Assessment Under the Basel II Framework . . . 23
Yuval Shalheveth

Online Banking Fraud . . . 26
Max Dermann

Secure Website Development & Design . . . 30
Sebastian Zuber & Torsten Adler

The Growing Pitfalls of Remote Account Opening . . . 35
Bob Lyddon

Henderson Global Investors . . . 40
Henderson Global Investors

Applying ISO/IEC 27001:2005 to a banking institution


What is an ISMS? What is ISO 27001?

ISMS stands for Information Security Management System. ISO/IEC 27001:2005 (also known as ISO 27001) is an international standard that defines the requirements for an ISMS. If your organization implements an ISMS that meets the ISO 27001 requirements, it can be certified after an audit by an accredited certification body. The certification demonstrates to interested parties that the organization applies rigorous controls to mitigate the information security risks in its business.

ISO 27001 history

ISO 27001 is a young standard compared with other ISO standards. In 1992, the UK Department of Trade and Industry (DTI) published a Code of Practice for Information Security, which BSI amended and republished three years later as BS 7799. In 1999 the first certification schemes appeared, and LRQA and BSI became the first accredited certification bodies. In 2000, ISO adopted BS 7799 through a fast-track procedure as ISO/IEC 17799:2000. It is important to note that BS 7799, and therefore ISO/IEC 17799:2000, was a code of practice (a set of best practices), not a certifiable specification. The ISMS specification appeared in 2002 as BS 7799-2, a standard closely aligned with ISO 9000. In 2005, ISO/IEC 27001:2005 was published and BS 7799-2 was withdrawn. ISO 27001 aligns with ISO 17799 and is compatible with ISO 9001 and ISO 14001.

The banking institution case

Banks are huge organizations that process very valuable information. Managing information security is a big deal, and financial institutions spend a great deal of money on it. According to Deloitte's 2010 Financial Services Global Security Study, the sector is investing primarily in identity and access management tools and in data loss prevention. All of these security requirements appear in ISO 27001 as security controls. The main benefit of ISO 27001 is that it does not allow security tasks to remain isolated from each other: it obliges the certified company to have a security strategy based on controlling known risks.

Implementing ISO 27001

Defining the objectives and scope

The first step in implementing an ISMS in an organization is defining objectives. Objectives should be SMART: specific, measurable, attainable, relevant and time-bound. The objectives guide the implementation so that it focuses on the important points. Because the standard must be maintained and continual improvement is a fundamental requirement, it is important that the company and its employees notice the improvement; accomplishing objectives is a good motivator for all interested parties.

Once the objectives are defined, documented and approved, the company should start thinking about the ISMS scope. After good objective definition work has been completed, selecting the scope is easier. The ISMS scope is a set of processes and locations. Public ISMS scopes can be found at http://www.iso27001certificates.com/Taxonomy/ScopeResults.asp. All the information assets that support these processes in these locations are affected by the ISMS policies and procedures. A smaller scope reduces the amount of work needed to implement the ISMS, but it is important to remember that:

- If an information asset is outside the scope, the information flow between that asset and an asset inside the scope must be well defined and controlled. Assets outside the scope are treated like external suppliers.
- Processes in the scope should be core processes of the company. If a company implements an ISMS over a scope that is clearly insignificant, the credibility of the scope, and of the certificate, is compromised.
- When doubts exist about whether a process should be inside the scope, that is usually a sign that it should be.

Determining the scope is not a trivial task and should not be taken lightly, because a lot of extra work will be needed if it is done incorrectly.

Risk analysis

Banks work with the concept of risk in almost all of their operations. Risk also appears in information security, where it models the probability of something bad happening to our data. One fundamental concept in ISO 27001 is that risks must be identified through a risk analysis and then mitigated, avoided, transferred or accepted by management. Risks can be mitigated (reduced) by applying security controls from ISO 27001 Annex A or from elsewhere. Risks can also be transferred; a company can transfer the risk associated with a process by outsourcing the process, for example. When you transfer a risk it never disappears: it is replaced by the risks associated with controlling the supplier. Usually, the only way to avoid a risk is to avoid the process or information asset that carries it. At the end there will still be residual risks, which management can choose to accept.

Risk analysis methodologies

Many risk analysis methodologies already exist, but ISO 27001 does not require the use of any particular one. A bank can adapt its own methodology to the ISO 27001 requirements and use it to assess the risks to its information assets. Two widely used methodologies are MAGERIT and OCTAVE.

Change management

Change management is fundamental in the banking industry. It is a concept not very developed in ISO 27001 compared with other standards, but it is still very important. In ISO 27001 change management appears in control A.10.1.2, Change management, which states that changes to information processing facilities and systems shall be controlled. One way to control changes in an organization is to define and implement the concepts of a configuration baseline and a request for change. The configuration baseline is the approved state of the configuration of an organizational asset that has been placed under change control. From that point on, any change to the asset's configuration must be proposed through a request for change, analyzed, and approved by a designated responsible party; only then is the change made and the configuration baseline updated to the new state. Having an established change procedure is essential in any bank. Being an industry accustomed to formal procedures helps the ISO 27001 implementation: the main work is to adapt and integrate the currently established procedures into ISO 27001, and to improve them where possible.

Business continuity

In the banking industry, business continuity is a major preoccupation. In ISO 27001 the business continuity requirements are defined by the controls of Annex A domain A.14, Business Continuity Management. In addition, the banking industry is subject to numerous laws that impose business continuity requirements.

Legal compliance

Legislation differs from country to country, and the team implementing ISO 27001 in a bank must know that without compliance with the applicable laws (Annex A domain A.15, Compliance) the ISO 27001 certificate cannot be issued.

Conclusions

Implementing ISO 27001 in an organization is always a huge task, and a bank is no exception. However, a number of factors facilitate the implementation in such companies. The business is already highly regulated and procedural, so it is logical to expect that every bank has already implemented many of the ISO 27001 requirements, because they are obvious to anyone concerned about security. The main work is to adapt, integrate and improve the already established procedures and security controls so that they align with the ISO 27001 requirements.
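The configuration baseline and request-for-change procedure described under Change management above can be checked mechanically. The following Python is an added example written for this page, not code from the article or from the standard: it hashes a canonical rendering of an asset's configuration, records the approved baseline, and classifies what is actually running as unchanged, changed through an approved RFC, or changed without authorization. The asset names, ticket identifiers and firewall rule sets are constructed for the demonstration.

```python
"""Configuration baseline plus request-for-change (RFC) check.

Added example, not from the article. Asset names, ticket ids and the
firewall rule sets below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ChangeRequest:
    rfc_id: str          # hypothetical ticket id from the bank's change system
    asset: str
    approved: bool       # set by the designated approver after analysis
    expected_hash: str   # hash of the configuration the approver actually reviewed


def config_hash(config: dict) -> str:
    """Hash a canonical JSON rendering so key order alone cannot fake a change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Baseline:
    def __init__(self) -> None:
        self._hashes: dict[str, str] = {}

    def record(self, asset: str, config: dict) -> None:
        self._hashes[asset] = config_hash(config)

    def current(self, asset: str) -> Optional[str]:
        return self._hashes.get(asset)

    def check(self, asset: str, observed: dict,
              rfcs: list[ChangeRequest]) -> tuple[str, Optional[str]]:
        """Compare the running configuration with the baseline and the RFCs."""
        observed_hash = config_hash(observed)
        baseline = self._hashes.get(asset)
        if baseline is None:
            return "UNBASELINED", None
        if observed_hash == baseline:
            return "OK", None
        for rfc in rfcs:
            if rfc.asset == asset and rfc.approved and rfc.expected_hash == observed_hash:
                # The baseline moves only through an approved RFC.
                self._hashes[asset] = observed_hash
                return "APPROVED_CHANGE", rfc.rfc_id
        return "UNAUTHORIZED_CHANGE", None


# Constructed firewall rule sets for a hypothetical asset "fw-core-01".
FW_BASELINE = {"rules": [
    {"src": "10.0.0.0/8", "dst": "10.1.1.5", "port": 443, "action": "allow"},
    {"src": "any", "dst": "any", "port": "any", "action": "deny"},
]}
FW_APPROVED = {"rules": [
    FW_BASELINE["rules"][0],
    {"src": "10.2.0.0/16", "dst": "10.1.1.6", "port": 1521, "action": "allow"},
    FW_BASELINE["rules"][1],
]}
FW_ROGUE = {"rules": [
    {"src": "any", "dst": "any", "port": "any", "action": "allow"},
]}


def demo() -> list[tuple[str, Optional[str]]]:
    baseline = Baseline()
    baseline.record("fw-core-01", FW_BASELINE)
    rfcs = [
        ChangeRequest("RFC-2011-042", "fw-core-01", True, config_hash(FW_APPROVED)),
        ChangeRequest("RFC-2011-043", "fw-core-01", False, config_hash(FW_ROGUE)),  # filed, rejected
    ]
    return [
        baseline.check("fw-core-01", FW_BASELINE, rfcs),  # unchanged
        baseline.check("fw-core-01", FW_ROGUE, rfcs),     # a rejected RFC authorizes nothing
        baseline.check("fw-core-01", FW_APPROVED, rfcs),  # approved: baseline now moves
        baseline.check("fw-core-01", FW_BASELINE, rfcs),  # silent rollback is also unauthorized
        baseline.check("db-prod-02", {}, rfcs),           # asset never placed under change control
    ]


if __name__ == "__main__":
    for status, rfc_id in demo():
        print(status, rfc_id or "")
```

Run as a script it prints one status per check. The point of hashing a canonical rendering rather than the raw file is that the same rule set reordered or reindented is not reported as a change, while a rejected RFC whose content happens to match the running configuration still yields UNAUTHORIZED_CHANGE.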

Florencio Cano Gabarda

I studied Computer Engineering at the Polytechnic University of Valencia (Spain). I specialized in operating systems and networking before focusing on computer security. I founded the startup SEINHE, where we offer security consulting and auditing.

References
Bankinfo Security, http://www.bankinfosecurity.com/
Google Groups, ISO 27001 security group
ISO27001 Security, http://www.iso27001security.com/
Google Groups, Seguridad de la informacion group
SC Magazine, http://www.scmagazineuk.com/financial-institutionsincrease-security-spending-as-threats-and-regulatory-penaltiesrise/article/171986/

Secure Web Filtering


The web is a scary place. The best thing about the web and the worst thing about the web amount to the same thing: you can find anything on the web. Movies, pictures, Christmas shopping, software, games, friends, it's all there. So are computer viruses, pornography, con artists, casinos, militant radicals and hate groups. Most of the web is open access: there are no doors, no warnings, no clearly marked safe areas. Children and adults alike can find themselves in unintended places looking at content that is offensive, time wasting, fraudulent or dangerous.

Enter the software intended to create order out of the chaos by cataloging the web and providing control over access to web sites based on their category. Schools have adopted the technology to keep students from downloading pirated music and viewing mature content. Businesses have adopted it to reduce the time employees waste playing games and watching movies, and to reduce liability from lawsuits by employees exposed to offensive web pages or by copyright holders whose unlicensed material was downloaded to a company computer.

Web filtering has become a massive undertaking as the web has exploded into billions of pages. With the popularity of Web 2.0, many of those pages are updated continuously by users around the world. YouTube hosts videos that anyone can post; Wikipedia hosts articles and images that anyone can add or edit; Facebook, Bebo, Blogspot, Flickr, Geocities and hundreds of thousands of other sites are similarly driven by a constant influx of unmoderated, user-submitted content. Adding to this explosion is the shift to the web as the predominant method of distributing malicious software (malware) to innocent web surfers. The volume of malware found on the web has exploded while the methods used to infect users' computers have become more devious. At the same time there has been an explosion of phishing sites, designed to trick users into entering passwords, bank account numbers, credit card numbers and other personal information. The result is that the web is an even scarier place and the job of web filters is harder than ever, with few web filters able to keep up with these new challenges. This white paper addresses what it takes to be a secure web filter and to meet the challenges of the modern web environment.

Secure Web Filtering vs. Classic Web Filtering and Anti-Virus

Classic web filtering is mainly effective at blocking websites dedicated to social networking, pornography, gambling and the like. Secure web filtering identifies and blocks those same areas, but with an added emphasis on blocking sites that host malware, phishing, exploits or anything else that puts company information at risk. Another distinction is that classic web filtering takes a site like Facebook or Wikipedia and gives the entire site one category, whereas secure web filtering examines every page of the site and separately categorizes pages that differ from the rest of the site, such as pages that host malware or nude pictures.

Over the last several years it has been common for companies to use classic web filtering in combination with anti-virus programs. The anti-virus programs are relied on to detect malicious web pages and block malicious downloads, but in practice even the best anti-virus software has several hours of lag between when a virus is first seen in the wild and when the vendor deploys signatures. This window, when protection is lacking, is exactly the window virus writers try to exploit. These days it is common to see thousands of new virus variants in a day, with numerous variants posted to the same distribution point. The virus writer prepares a number of variants not caught by the top AV scanners and then deploys them one at a time as protection comes online for each variant. However, once the distribution points for the series of variants are detected, access can be blocked regardless of the changing payload. In other words, secure web filtering, done right, bridges the gap between virus release and anti-virus protection.

This new environment means that security best practices need to evolve to match the evolution of threats. Without good secure web filtering, computers are constantly at risk. Secure web filters are now required components of best-practice security deployments, alongside anti-virus, intrusion prevention, firewalls, log monitoring and other well-established products.

Hallmarks of a Secure Web Filter

It is common for web filters to advertise that they provide "another layer of security", but it can be difficult to gauge how effective that protection is. As a first measure, buyers should look for the following hallmarks of secure web filtering; without them a web filter cannot truly claim to be secure.

Targeted Categorization

With billions upon billions of web sites in the wild, it is important for a web filter to have the most commonly visited sites categorized. The "Active Web" comprises the web sites that receive the most traffic and are the most requested by Internet users. A secure web filter must have a very high percentage of these Active Web sites categorized, and categorized on a granular scale. It must still carry out the functions of the classic web filter, blocking access to inappropriate sites while allowing access to critical ones. With that said, an emphasis on accuracy, particularly for the Active Web, is needed to ensure the effectiveness and usability of a web filter in a business environment.

Real-time Categorization

A secure web filter must update in real time or very near real time, or it cannot block malicious websites as they come online. The average lifespan of a phishing website is less than twenty-four hours, and many other threats, from anonymizing proxies to P2P file-sharing nodes, come and go as fast or faster. In addition, malware increasingly uses HTTP to call home for instructions or to send stolen information back to its operators. To prevent access to, or transfer of information to, these sites, classification should take place on the fly using dynamic reputation services, heuristics, content and image scanning, and other indicators. This is often called auto-classification; the key is making the new categorization available in the cloud immediately. Blocking the call-home process in this way can keep worms such as Conficker from spreading or inflicting further damage.

Zero-Hour Malicious Site Protection

Malicious sites pop on and offline very rapidly, often hosting malware in multiple variants to ensure they get past definition-based anti-virus undetected. In many cases the distribution point is the same, or there are multiple distribution points for the same malware. These sites can contain drive-by threats requiring no user interaction, hidden iframes that download malware to the computer, or any number of other Web 2.0 threats. The computer is no longer the only target; the user and their sensitive personal information is increasingly the primary target. A secure web filter works by blocking access to these distribution points, preventing access to the site before any malicious software can even be downloaded. To determine which sites should be blocked, web filtering companies must have expert knowledge of malicious code and of the methods used to distribute it across the Internet. A web filtering vendor in the Web 2.0 environment can no longer focus solely on URL categorization; it must also be expert in virus and malware detection. Classic anti-virus programs and classic web filters can do little to prevent infection by these zero-hour threats. A web filter with real-time categorization can significantly shrink the window of vulnerability to any particular virus, the time between when a virus is released and when your anti-virus program is updated to recognize and block it. That can take hours or days, whereas a secure web filter can block the traffic very quickly, using cloud-based computing to perform an intensive, in-depth analysis.

Web 2.0 Inspection

The Internet has become a very dynamic environment, with each site containing varying types of information including videos, blogs, forums, pictures and other user-contributed content. On almost any blog or social networking page anonymous users can post content. Often it is posted with good intentions; on the other hand it could contain offensive material, links to malware downloads, malicious images or code. These sites need to be scanned regularly for malware and offensive material so that they can be filtered appropriately. Prior to Web 2.0, a classic web filter would take a site like google.com, call it a search engine, and trust the site and any results it returned unconditionally. While this approach may have worked in the past, it is no longer sufficient. Because users are searching on Google they often assume the results are safe; however, Google searches can return pornographic images, links to malware downloads and malicious pages. Some worms even redirect Google search results to their own malicious websites to download more malware. A secure web filter will prevent access to these dangerous results; a classic web filter will not. The shift to the web as the predominant method of malware distribution, combined with the current web atmosphere, makes secure web filtering an absolute necessity.

Granular Categorization

As touched on previously, a Web 2.0 site may have pages with many different types of content. Classic web filters might take a site like www.wikipedia.org and classify the entire site under "education". While the majority of the site is inherently educational, many pages on it should be categorized differently or have additional categories assigned. For example, the Wikipedia page on Naturism (advocating social nudity) contains several nude images which some might consider offensive and which are inappropriate for school-age children. This page requires an additional category, such as "nudity", to correctly prevent access in a work environment or where young children could view it. Because content varies from page to page across a site, many sites can no longer be grouped into one category. Each web page should be inspected and classified based on the content of that page. Granular URL classifications across a variety of categories must be applied to specific pages, paths, subdomains and parent domains. This in-depth inspection and granular categorization is required for the Web 2.0 world, and any web filtering company hoping to provide a comprehensive solution must inspect all page content across the entire site.
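The per-page categorization above, and the earlier point that a distribution point can be blocked regardless of the changing payload, can both be expressed as a small policy engine. The following Python is an added example written for this page, not eSoft's or any vendor's code: categories inherited from the parent domain are combined with categories assigned to a specific host or path, and distribution points are matched on host plus path prefix so that rotating file names do not evade the block. The category database is constructed and hypothetical; only the Wikipedia Naturism page comes from the text, and its URL path is assumed.

```python
"""Granular URL categorization with per-page categories and distribution-point blocking.

Added example, not from the article. The category database built by
build_demo_classifier() is constructed; "dl.example-cdn.test" is a hypothetical host.
"""
from __future__ import annotations

from urllib.parse import urlsplit


class UrlClassifier:
    def __init__(self) -> None:
        self._domains: dict[str, set[str]] = {}                    # parent domain -> categories (inherited)
        self._hosts: dict[str, set[str]] = {}                      # exact host -> extra categories
        self._paths: dict[str, list[tuple[str, set[str]]]] = {}    # host -> [(path prefix, extra categories)]
        self._dist_points: dict[str, list[tuple[str, str]]] = {}   # host -> [(path prefix, reason)]

    def add_domain(self, domain: str, *cats: str) -> None:
        self._domains[domain.lower()] = set(cats)

    def add_host(self, host: str, *cats: str) -> None:
        self._hosts[host.lower()] = set(cats)

    def add_path(self, host: str, prefix: str, *cats: str) -> None:
        self._paths.setdefault(host.lower(), []).append((prefix, set(cats)))

    def add_distribution_point(self, host: str, prefix: str, reason: str) -> None:
        self._dist_points.setdefault(host.lower(), []).append((prefix, reason))

    @staticmethod
    def _split(url: str) -> tuple[str, str]:
        parts = urlsplit(url if "://" in url else "http://" + url)
        return (parts.hostname or "").lower(), parts.path or "/"

    @staticmethod
    def _parents(host: str) -> list[str]:
        # en.m.wikipedia.org -> en.m.wikipedia.org, m.wikipedia.org, wikipedia.org (never the bare TLD)
        labels = host.split(".")
        return [".".join(labels[i:]) for i in range(len(labels) - 1)]

    @staticmethod
    def _path_matches(path: str, prefix: str) -> bool:
        # A prefix ending in "/" covers a whole directory; anything else must match exactly,
        # so "/wiki/Naturism" does not also tag "/wiki/Naturism_in_Germany".
        return path.startswith(prefix) if prefix.endswith("/") else path == prefix

    def categorize(self, url: str) -> set[str]:
        host, path = self._split(url)
        cats: set[str] = set()
        for parent in self._parents(host):
            cats |= self._domains.get(parent, set())
        cats |= self._hosts.get(host, set())
        for prefix, extra in self._paths.get(host, []):
            if self._path_matches(path, prefix):
                cats |= extra
        return cats

    def decide(self, url: str, blocked_categories) -> tuple[str, str]:
        """Distribution points are checked first: the payload behind them may change hourly."""
        host, path = self._split(url)
        for prefix, reason in self._dist_points.get(host, []):
            if self._path_matches(path, prefix):
                return "block", f"distribution point: {reason}"
        cats = self.categorize(url)
        hit = cats & set(blocked_categories)
        if hit:
            return "block", "category: " + ", ".join(sorted(hit))
        return "allow", ", ".join(sorted(cats)) or "uncategorized"


def build_demo_classifier() -> UrlClassifier:
    c = UrlClassifier()
    c.add_domain("wikipedia.org", "education")
    c.add_path("en.wikipedia.org", "/wiki/Naturism", "nudity")        # page from the article; path assumed
    c.add_domain("facebook.com", "social-networking")
    c.add_host("developers.facebook.com", "software-development")
    c.add_distribution_point("dl.example-cdn.test", "/tmp/",
                             "rotating malware variants served from one path")
    return c


WORK_POLICY = ("nudity", "malware", "phishing")   # constructed policy for a work environment

if __name__ == "__main__":
    clf = build_demo_classifier()
    for u in ("https://en.wikipedia.org/wiki/Bank", "https://en.wikipedia.org/wiki/Naturism",
              "http://dl.example-cdn.test/tmp/a1b2.exe", "http://dl.example-cdn.test/tmp/zz99.exe"):
        print(u, clf.decide(u, WORK_POLICY))
```

The Bank page inherits only "education" from wikipedia.org and is allowed; the Naturism page inherits the same but gains "nudity" from its path entry and is blocked; both downloads from the distribution point are blocked although their file names differ.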

Challenges of Secure Web Filtering

Securing the web is more challenging now than ever before. The dynamic nature of the web, its rapid global expansion and constantly evolving technology and threats make for a very demanding undertaking for web filtering companies. Read on to see how well your web filtering solution measures up to some of these challenges.

Size of the Web

At this point, no one knows how many pages or sites the web actually consists of. Google announced that it had indexed 1 trillion unique URLs, but how many had it not indexed? How many were not unique and led to the same content? How many have since been removed or are no longer accessible? It is amazing to think that hundreds of millions of pages are changed and added to the web every day. At the same time, this presents a difficult scenario for companies trying to index or categorize the web. It is safe to say that under current conditions the entire web will never be fully categorized. The goal of a web filtering company, and the most important part, is to categorize the sites people are actually visiting. This brings back the concept of the Active Web. Sure, there may be millions of dormant sites on the Internet, but if no one has visited them in ten years and they pose no security threat, how important is it to have them categorized? It is the sites people are actually browsing to that matter. To address the challenge, a web filtering company must focus its coverage on the Active Web and get those active sites and pages categorized correctly.

Language

As the web continues to grow and becomes more accessible to regions throughout the world, the percentage of non-English sites keeps rising. This will be a continuing trend and is an important consideration for web filtering companies and their customers. Disregarding these sites is no longer an option, and this has left many vendors scrambling for solutions. Companies are now required to gain competence in dozens of languages to achieve appropriate coverage of the web, and they must integrate those languages into the technologies used to filter and categorize sites. The resources required can be extensive, not only in technology and development time but also in language experts and web analyst personnel.

Performance

With billions of web sites, constant monitoring, in-depth analysis, malware scanning, language analysis and other considerations, performance becomes a major concern. In the world of high-speed Internet, users are no longer willing to wait for categorizations to be delivered and pages to load. Web filtering vendors face the challenge of creating a web that is fast and secure at the same time. The performance aspects of web filtering are endless. Cloud-based lookups require data centers located around the world with large amounts of bandwidth, redundancy and computing power. On-disk database systems require large amounts of space, constant updates and available system resources to perform fast lookups. Hybrid approaches, often considered the best solution, require both. At the same time, a secure web filter is expected to stop viruses, malware and other threats. Building the infrastructure and providing a web filtering solution that accomplishes all of this is very demanding and requires innovative capabilities, planning, intellectual property and execution to match the needs of today's users. Few web filtering vendors have been able to rise to this challenge.

Quality and Freshness

Accuracy is as important as anything else when considering a web filtering solution. With the enormous size of the web, and sites constantly changing as contributions and updates are made to Web 2.0 pages, there is a perpetual struggle to maintain accurate categorizations. What was a personal web page one day could be filled with pornographic images the next. How long would it take to catch the change and block the page? It is easy for a web filtering company to categorize a site, but once that categorization has been assigned, how often is the page revisited? These are important questions. Rescanning already categorized web sites is a requirement for web filtering companies and should take place frequently. This is especially true for vendors claiming to provide secure web filtering: if they are not rescanning sites to ensure they have not been compromised, do not host malware and have not become phishing sites, they cannot claim to provide secure web filtering.

Protect Your Network with eSoft

Secure web filtering is an integral security deployment for any business network, large or small. eSoft network appliances with Web ThreatPak provide comprehensive security coverage against the newest web-based threats. For more information on how eSoft can help to secure your network, email and web traffic, visit our website at http://www.esoft.com, or contact our sales team at 888-903-7638.

Steve Jenkins
VP EMEA, Q1 Labs


SOCIAL ENGINEERING IN THE BANKING SECTOR


Any computer attack usually has one of three motives: ego, ideals and/or money. Driven by ego, the youngest hackers make mistakes while seeking recognition from their peers. Driven by ideals, people carry their actions through to the bitter end in defence of political, religious or other causes. And driven by money...

The banking sector is subject to this third motivation and has become a target for attackers. At the same time social engineering, the practice of obtaining confidential information by manipulating legitimate users, has become one of the greatest threats to many sectors, and especially to banking. The aim of this paper is to lay the foundations of social engineering as applied to the banking sector, to describe the most common attacks and some less common ones, and to present the means we have to defend ourselves.

Social engineering

Social engineering is a technique that allows an attacker to obtain sensitive and confidential information about an organization by exploiting a well-known security maxim: people (users) are the weakest link in the chain. An organization can invest tens of thousands of dollars in security devices and systems, and that investment is useless if a user or an administrator inadvertently gives a password to an attacker. We take this opportunity to recall the principles set out by one of the most renowned social engineers, Kevin Mitnick, to explain the success of the technique:

- We all want to help.
- The first move is always to trust the other person.
- We do not like to say no.
- We all like to be praised.

These principles are a declaration of intent, and a revelation to any attacker with minimal computer knowledge and social skills. Among the types of social engineering attack available, attacks by physical and by electronic means are the most common. The electronic ones are:

- Phone calls. A skilled attacker can persuade the victim to provide user names, passwords, network names, etc.
- Mass or targeted e-mails. This is the most frequent way victims are drawn into a phishing attack or bank fraud.

Electronic means are also used to introduce malware into an organization. The combination of attacks by physical and by electronic means is rare, but it can have a great impact on any organization. Operationally, beyond Mr. Mitnick's principles, there are two or three additional premises that give a more accurate picture of why these attacks work:

- A sense of humour is essential in social engineering, because it relaxes the user and lowers the victim's level of alertness.
- Gaining a user's trust is not always a conscious decision by the victim; usually it is instinctive

Why it works in the banking sector

The banking sector has two features that serve social engineering attacks particularly well: trust and geographic dispersion. Financial institutions need to build trust and closeness with customers more than any other sector, because with so many financial services on the market, customers go where they feel safe. An employee or branch manager who does not try to gain a client's trust is unlikely to retain that client. It is precisely this confidence that the employee extends which gives a potential attacker, in the guise of a social engineer, the initial hook. On the other hand, the branch network of any bank is spread over a wide geographical area. This dispersion means that months or years can pass before two workers from two different branches actually meet or talk on the phone. Obtaining the personal details of a specific bank employee can therefore enable a social engineering attack on another, geographically distant branch, based on that dispersion alone. These aspects, combined with the use of electronic banking systems, provide an environment that greatly facilitates social engineering attacks.

Impact

For the banking sector, social engineering attacks should represent the main threat in a formal risk analysis. Although in most cases the targets of the attacks are their customers, and the financial losses fall on them, the attacks have a significant impact on the reputation and customer confidence of the financial institution that is successfully breached.

Measures

The banking industry has implemented various preventive measures to minimize the risk and impact of social engineering attacks. These measures include the establishment of security protocols, digital signatures and, of course, training and awareness. We find particularly relevant the SMS confirmations of bank transfers that have been introduced in certain organizations, which provide an effective defense against phishing attacks. On the other hand, the use of coordinate cards for account access or for authenticating operations is widespread among the various banks. The establishment of specialized information security units within organizations in the banking sector has made efforts to centralize the management of risks, but there is still a long way to go, especially in small and medium-sized banks.

Trusted employee attack

After this formal introduction to social engineering attacks, we will look at some very effective social engineering methods with which an attacker can obtain sensitive information that is important for more sophisticated attacks. Let us begin with harnessing the trust of unsuspecting employees, with an example that could equally be called the suspicious customer. A potential customer arrives at an office of a financial institution wanting to open a bank account, and is likely to operate a high-usage account. The office manager asks him to bring his documents in physical form, and the customer asks whether they can be submitted electronically, which is easier for him because everything is scanned. Additionally, he asks about the bank's electronic security measures, emphasizing unpleasant past experiences with other financial institutions: credit information theft, phishing, etc. Some bank employees reveal a lot, others less, but all reveal something, because in a proper environment for dialogue everyone wants to win the confidence of a potential customer, whether benign or evil. The evil client then sends the documents to the office director's corporate email and requests an electronic read receipt. This request, which anyone would consider a normal way to confirm reception, has a hidden purpose: the read receipt brings back the email headers, along with the information about the ICT infrastructure that accompanies them: the mail system, servers, firewall IP addresses, etc. This is another form of fingerprinting, but faster and first-hand. Additionally, employees of bank branches usually like to explain the bank's internal operations to a customer, such as: look, application X is bad, we have communication problems with application Y... If the director or employee of the bank authenticates in front of us while doing so, we obtain a variant of shoulder surfing: username and password in an instant.
After a while, and some visits to the same office, the tens of thousands of dollars of the bank's investment in computer security systems are bypassed by a trusted employee... and a suspicious customer. We can assure you that this works, from experience. The formula to protect against this attack, as against other types of social engineering attacks, is the same: two parts of awareness and training.

Phishing attacks

Phishing, or electronic banking fraud, is currently the main concern for banks, since by supplanting the corporate website of a bank, the attackers get users to provide their usernames and passwords.

Over recent years several rootkits have appeared with which to create phishing attacks mimicking the interfaces and functionality of electronic banking pages. These rootkits can be obtained via the Internet, free or for money, and are easily accessible, which is quite a problem and leads to the proliferation of such crimes. Analyzing the phishing figures a little, in the APWG study for the second quarter of 2010 the sectors hardest hit by phishing are financial and payment services, with 71% of phishing attacks. This gives us a good indicator of where the hackers' efforts are focused. Regarding the geographic distribution of phishing servers, the same study shows that the U.S. accounts for 68.17% of phishing servers worldwide; this does not imply that the attackers belong to those countries, but that these are the attack platforms. These values are usually quite stable, especially the high percentage associated with the U.S.; the rest of the values tend to fluctuate among European and Asian countries. A phishing attack does not directly affect the bank but its online banking users, who unknowingly provide the access codes for their bank account to the attackers, which are then used to transfer money or buy on the Internet without authorization. Phishing attacks are usually combined with a barrage of spam, because you have to convince thousands of potential users of the bank that something has happened and that they must connect to a web page, which obviously contains the phishing malware. Experience tells us that the attackers' platforms often run their phishing attacks and spam in a unified way, using previously compromised foreign servers.

I remember a recent case of a small company in Spain whose owner, who had in turn contracted the Internet line, was charged in dozens of cities across the country because the company server had been used to mount this kind of platform, committing bank robbery offenses against legitimate users, with the complaints filed in the victims' hometowns. This case is one of hundreds that occur worldwide each year. The method that banks have set up to minimize the risks of phishing is the awareness and training of online banking users, through manuals and information documents, to a greater or lesser extent depending on the size of the bank. Therefore, computer attackers do not usually focus on large banks, but on small and medium-sized banks, with fewer safeguards and lower levels of awareness among users of electronic banking. On the other hand, coordinate cards or SMS confirmations have been implemented, which minimize the risk when a user of the bank is the victim of a phishing attack. Organized crime has focused on this type of crime, since it is white collar and the benefits are enormous. In fact, have you heard of Hackerville? Maybe not; it is the nickname (badly chosen, because being a hacker is another matter) of a small town in Romania that has gone from motorcycle dealers to dealerships for high-powered luxury cars. What is the reason for this change? Internet users who are not aware, and weak security measures in some organizations of the banking and financial sector...

False employee attack

This attack was devised by our company based on the circumstances faced by banking institutions: trust and delocalization. The false employee attack is a mixture of social engineering by electronic means and by physical means; the basis is to create a false identity for the attacker. It is difficult to mount the full attack, since it depends on obtaining prior information and on technical circumstances, but if these factors come together it is really effective. The first thing to do is get the email address of the technical service or internal user support service of the bank, which you can obtain in a couple of visits to any office of the entity, by charlatanism or shoulder surfing. It can also be obtained from any former employee, bank contact or otherwise; the world is not as big as one might think, nor is corporate data as secure... The next step is to play with the mail server of the financial institution: you telnet to the SMTP service and manually create an e-mail that we send to the director of the bank office. The origin of the email is the internal technical service address, which is a valid address for the mail server, and the body of the message is something like this: Hello, tomorrow we are checking the equipment of your office. As a security measure, please note that the person who will review your equipment is: D. XXXXXXXX.... We have just created a false email for the purposes of the office director, who in 90% of cases will not check it, since the sender address is the usual one and he has a lot of work to do day to day. The next step is again in the physical environment: the false employee, with the name specified in the mail, presents himself to the office director and handles sensitive information and/or copies of documents from the computers, depending on the entitlements or the USB ports on the computers; information can also be obtained during the first phase of the attack. The possibilities and variations of this attack are surprising; it is based on exploiting two concepts: the SMTP server's weaknesses and the trust that a known email address provides. We can increase the effectiveness of this attack by selecting an office manager who is trusting, which is ascertained by visiting several different offices before choosing our victim.
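The forged internal sender this attack relies on is exactly what a mail gateway can flag: a message whose From address is internal but which entered the server from outside, without authentication. The check below is an added example, not the article's or any vendor's code; the domain, the address ranges and the three sample messages are constructed placeholders.

```python
"""Gateway-side check for mail that claims an internal sender but entered the
mail server from outside without authenticating. Added example; the domain,
the network ranges and all sample messages are constructed placeholders."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "bank.example"                       # placeholder domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),   # placeholder ranges
                 ipaddress.ip_network("192.168.0.0/16")]

# A relay records the connecting client's IP in brackets in the Received line
# it prepends; "ESMTPSA" or "Authenticated sender" marks a client that logged
# in before sending instead of just talking raw SMTP to the server.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\bESMTPSA\b|Authenticated sender", re.IGNORECASE)


def entry_hop(msg):
    """Return (client_ip, authenticated) for the hop where the message first
    entered our infrastructure. Relays prepend Received lines, so that hop is
    the last one in header order."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None, False              # no trace at all: treat as unknown
    first = str(hops[-1])
    m = IP_RE.search(first)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    return ip, bool(AUTH_RE.search(first))


def classify(raw_message):
    """'external'         : From is not one of our addresses (out of scope here)
       'internal-ok'      : internal From, entered authenticated or from inside
       'spoofed-internal' : internal From injected from outside, unauthenticated"""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
        return "external"
    ip, authenticated = entry_hop(msg)
    if authenticated or (ip is not None and any(ip in n for n in INTERNAL_NETS)):
        return "internal-ok"
    return "spoofed-internal"


# Constructed sample: the fake "technical service" notice, pushed straight into
# the bank's SMTP port from an outside host and then relayed to the branch.
FORGED = """\
Received: from mail.bank.example ([10.1.1.5]) by branch.bank.example with ESMTP
Received: from unknown (unknown [203.0.113.7]) by mail.bank.example with SMTP
From: "Technical Service" <techservice@bank.example>
To: director@bank.example
Subject: Equipment check tomorrow

Hello, tomorrow we are checking the equipment of your office.
"""

# Constructed sample: a genuine notice sent from an authenticated client inside.
GENUINE = """\
Received: from laptop-42 (laptop-42.corp [10.20.3.9]) by mail.bank.example with ESMTPSA
From: "Technical Service" <techservice@bank.example>
To: director@bank.example
Subject: Maintenance window

Routine check on Friday.
"""

# Constructed sample: ordinary outside mail that does not claim to be internal.
OUTSIDE = """\
Received: from mx.customer.example ([198.51.100.20]) by mail.bank.example with ESMTP
From: client@customer.example
To: director@bank.example
Subject: Account opening documents

Please find the scanned documents attached.
"""

if __name__ == "__main__":
    for name, sample in (("FORGED", FORGED), ("GENUINE", GENUINE), ("OUTSIDE", OUTSIDE)):
        print(name, "->", classify(sample))
```

The same policy is what SPF/DKIM/DMARC enforce on the sender's domain; this check only covers the case the article describes, mail injected directly into the bank's own server.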

Baiting

It is an attack that plays on the curiosity or greed of employees, in the form of a USB memory stick, CD-ROM or similar device properly labeled with corporate logos and a good hook text such as Confidential: Wages HR 2012 or Personal forecast 2012, but which is actually infected with malware. To be honest, you could even call this a Trojan Horse attack, because the basis is the same. The malware infects the computer once this medium is accessed, and the attacker can then obtain sensitive and confidential information from it. It is an attack that works especially well with employees who often work with laptops, as their security is usually lower than that of desktops. The defense against this attack goes through the formula of awareness, and complete protection with anti-malware software on each and every one of the organization's information processing devices, including laptops.

Advices

The formal management of phishing incidents has become a priority for the banking sector, building on the work of companies such as PhishTank, or creating your own record. In the case of creating a record of your own, either individually or collectively, it should be kept as current as possible with the fake addresses used in phishing affecting the bank, and communicated via a secure channel to electronic banking users. Thus, we not only educate, but we can report what is happening. This record can be maintained jointly with the various CERTs present in each country. The key to operating this type of registry is the refresh rate, since from the moment an attacker sends a mass mailing until a legitimate user connects to the fake page may take a few minutes at most. The peak of the crime occurs between the time the mailing is sent and three hours afterwards. On the other hand, we must educate and train employees internally, from first to last. The creation of a stable security policy on social engineering is an enormous contribution to minimizing the internal risk of attack. This, as part of an Information Security Management System (ISMS) based on ISO/IEC 27001, will allow us to efficiently manage information security within our organization.

Facing the harsh reality

Measuring the actual levels of awareness and training within a bank or financial institution in the field of social engineering can lead to real headaches for those responsible for information security, not because of the process but because of its results. We venture to say, without risk of error, that nine out of ten workers in the banking sector think that social engineering is something else, something far more benevolent than it really is. Security officers not only have to educate users of electronic banking, which is complicated enough in itself, but also the employees of the organization. Therefore the task of the security officers of banks to minimize the risks of such attacks is hard, especially because it is very difficult to change user behavior, given the natural resistance to change we all have. And everything becomes more complicated when you have to convince them to maintain minimum levels of alertness when dealing with their own environment. The reality is harsh in relation to social engineering by electronic means, although much less so in relation to social engineering attacks by physical means. In fact, it is difficult to establish an effective attack rate for an approach such as Hi, I am from the Customer Support Center, here to take a look at the computers, we have encountered some problems. The reasons for the lower effectiveness of social engineering attacks by physical means are related to several factors: credibility, eloquence and physical presence.

Conclusions

Social engineering in the banking sector has become a concern not only because of the potential impact on internal assets, but also because of the impact on users and customers, in terms of economic losses and loss of image. This goes hand in hand with a loss of confidence in the environment, something that no bank can afford. Measures to minimize the risk and impact go through improving the awareness and training of electronic banking users and the creation of the various internal policies and security controls required in the field of social engineering. This, combined with an operating ISMS, can provide a significant reduction in the company's internal risk. In relation to security controls, we believe that the implementation of coordinate cards for the authentication of electronic banking users, and SMS confirmation of every bank transfer made from the customer's account, are very effective. Just remember something we all know: we invest tens of thousands of dollars in our organization on devices, applications, penetration testing or expertise, but with an effective social engineering attack all this investment is futile, because social engineering always hits the weakest link in the chain: man.

Mr. David Montero Abujas (1976), aka Raistlin, is CISA, CISM and CRISC certified by ISACA, and holds the only ISMS Lead Auditor qualification issued by IRCA in Spain. He is the OWASP Andalucia chapter leader and belongs to the Spanish ISO subcommittee JTC1/SC27/WG1, where he has worked on the edition of ISO 27001, ISO 27007, ISO 27010 and other standards of the ISO 27000 family. In 2006 he founded, and now runs as CEO, Grupo iSoluciones, a group of consulting companies specializing in information security and ethical hacking, with headquarters in Spain and Uruguay, providing services worldwide. He can be contacted at david.montero@isoluciones.es


2/2011


(In)Security of Using Financial Applications on iPhone


Do you have an iPhone? This is a very small question with a much deeper connotation. Today, the iPhone is slowly becoming a requirement for the youth as well as for corporate professionals. This device bearing an Apple logo is a status symbol in developing nations. With the iPhone comes a variety of apps, provided by the Apple Store.

Needless to say, the store is a very rich source of all kinds of applications. Some of these are utility apps and some are games. The Apple store has a significant section called Finance apps, which contains a huge list of applications used for banking, credit card transactions, money transfer and related usage. Some of the applications I could spot at a quick glance of the Apple store are Western Union, Barclaycard, Bank of Oklahoma Mobile Banking, Citibank SG, Union Bank, Bank of America Mobile Banking, U.S. Bank Mobile Wallet, PayPal, Etrade, Fidelity, ING Direct, J.P. Morgan etc. In this article, we will discuss the insecurities of the iPhone, and try to assess how secure it is to use a mobile for banking applications.

False Security of iPhone Hardware

When consumers use the iPhone as a device, they do so because of marketing buzzwords like Remote Wipe and Hardware Encryption. These words are mere marketing terms intended to create a false sense of security among consumers. The sales person would tell you that if your iPhone is lost, you can initiate a remote wipe of the device, hence ensuring that no part of your confidential data is compromised. What they fail to mention is that this can be done only if the SIM card is present inside the iPhone. Think like a thief and tell me, what is the first thing you would do when you steal an iPhone? Yes, you would remove the SIM card and throw it away. And along with that, you successfully bypass the Remote Wipe feature of the iPhone. What is left is just your confidential data, at the mercy of the thief. Another buzzword was Hardware Encryption (3GS). What does it mean in practice? All it means is that the iPhone hardware ensures that your entire data is encrypted automatically. Someone who is a bit knowledgeable would be able to use any of the standard jail-breaking techniques for the iPhone, which would invoke the hardware chip responsible for encryption to decrypt the data by itself before transferring it to the computer. So, even if the data is stored encrypted on the iPhone, when you mirror that image on the computer, it is unencrypted.

Platform Security of iPhone Operating System

While we are discussing the topic of jail-breaking, we must know that jail-breaking of the iPhone is possible because there is no encryption or PKI-based protection on the iPhone boot loader. Once the jail is broken, the bunch of security features provided by iOS (the iPhone OS) goes for a toss. But before we describe the effect of jail-breaking, let us take a look at some of the security features that iOS provides.

1. Application Sandboxing. The idea of a sandbox is to jail any process in a folder so that it is unable to access any resources on the file system beyond those folders. If you are a Linux user, you may want to revisit your chroot command, which is typically used to jail a process. Similarly, there is a concept of sandboxing in web servers, where a securely written web server ensures that web requests are unable to get out of the webroot and touch other parts of the file system. iOS provides application sandboxing, which means that a separate, secure folder is created for each application on the iPhone. This folder contains the files specific to this application, including temporary files. No application is able to access the files in the sandbox of any other application. For example, the browser cache of the Safari installed on the iPhone would not be able to access the files created by the banking application, thus ensuring that the data you stored while using the banking app is safe from unauthorized access. The only way to access the files created by another application is to explicitly create a link between the two apps in the code itself.

2. Restricted Bluetooth Connectivity. A big avenue of data loss is Bluetooth connectivity, where any paired device is able to share files over Bluetooth. The Bluetooth configuration of the iPhone restricts it from pairing with any device other than a second iOS-based device. Hence, an iPhone can pair with an iPad but not with your Lenovo Bluetooth-equipped machine. Moreover, pairing requires manual intervention, where a randomly generated 6-digit code has to be entered on the other device for successful pairing. Even after pairing, we are only allowed to push files through some specialized application, because direct access to files is not possible, as discussed in the next part.

3. No Access to the File System. The iPhone, or rather any iOS-based device like the iPad, does not allow direct access to the file system if the device is not jail-broken. The underlying file system is HFS, but it is completely shielded from direct user access. Even a browser application like Safari does not have any menu option like Save which can initiate a file system browse. Hence, this is an additional step to ensure that the Application Sandbox is not invaded.

Looking at just the security features discussed above, the device seems very reassuring for handling financial applications securely. Now, here is where it fails.

iPhone Security Flaws


1. 3GS Security Broken. The famed 3GS security, which claims hardware encryption and hence implies that the device is ready to handle confidential information related to your finances as well as your corporate emails and documents, is actually broken. If iTunes is used to back up the device to a machine, the entire encryption can be bypassed and we can get an unencrypted copy of the disk data. Additionally, when the device is booting up, it is forced to decrypt the disk for a successful boot. This is a time when an attacker with the correct set of tools can extract the entire data from the disk.

2. Files Deleted Are NOT Deleted. Like any standard UNIX-based system, a delete operation does not remove the file from the disk. All it does is mark the inode related to this file as inactive and then delete the entry for this inode from the parent directory inode. Hence, the actual data blocks stay as they are on the disk until the same disk blocks are overwritten by another file. The iPhone device has a huge amount of disk space, and hence the typical time before this section of the disk gets overwritten is in the order of months. If the device is stolen or jail-broken at any point in time, the attacker not only gets the data readily available from the file system but can use standard recovery tools to extract the deleted files as well. This becomes a serious concern if the files contained sensitive financial information.

3. iPhone as a Key-Logger. To enhance the usability of the iPhone, the device keeps track of all the words ever typed on the device by the user. It keeps adding these words to its database to ensure that word prediction works well. This is supposed to be a usability feature to auto-learn the user's typing habits. This information is stored on the device in the form of files which can easily be accessed by an attacker once the device is jail-broken. Most users are not even aware of the wealth of data that gets stored on the iPhone every day when they use the device. From a financial data perspective, the attacker finds the record of your bank account numbers and your credit card related information, including your CVV number. So, if I am an attacker and I manage to get hold of your iPhone, and I find out that you are using the Citibank Mobile Banking application, I can be almost sure that I would be able to extract the credit card details in some time once the phone is jail-broken.

4. iPhone Animation and Data Leak. When the user presses the Home button on the iPhone, he ends up seeing a nice animation showing the application going down and another window image coming up. Yes, it looks good. What is the price that this usability feature forces us to pay? When the user presses the Home button, the device takes a snapshot of the display and stores it as an image file in a specific directory in the file system. This implies that if the user was using any of the financial applications, and maybe wanted to do a money transfer to some account, that entire screen would be captured. This can mean a significant loss of financial data as well as privacy.
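The delete mechanics in point 2 above, and the one mitigation that actually removes the data, modelled on a toy block device as an added example (not the article's code; the layout with a directory, inodes and a free list is a constructed simplification of UNIX semantics, not the real HFS format, and the sample note is made up):

```python
"""Toy block device: a normal unlink only drops the directory entry and frees
the inode, so a raw scan still recovers the content; overwriting the blocks
before release does not. Added example with a constructed simplified layout."""
BLOCK_SIZE = 16      # tiny blocks so the sample fits in a few blocks
BLOCK_COUNT = 64


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # what a recovery tool sees
        self.free = list(range(BLOCK_COUNT))            # unallocated block numbers
        self.inodes = {}       # inode number -> (size, [block numbers])
        self.directory = {}    # file name -> inode number
        self._next_ino = 1

    def write_file(self, name, data):
        """Allocate blocks from the front of the free list and copy data in."""
        needed = -(-len(data) // BLOCK_SIZE)            # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        ino, self._next_ino = self._next_ino, self._next_ino + 1
        self.inodes[ino] = (len(data), blocks)
        self.directory[name] = ino
        return ino

    def read_file(self, name):
        """Normal access path: directory -> inode -> blocks."""
        size, blocks = self.inodes[self.directory[name]]
        data = b"".join(bytes(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in blocks)
        return data[:size]

    def unlink(self, name):
        """Ordinary delete as the article describes: drop the directory entry
        and free the inode. The blocks go back on the free list untouched, and
        since allocation takes from the front of the list they may stay intact
        for a long time."""
        ino = self.directory.pop(name)
        _, blocks = self.inodes.pop(ino)
        self.free.extend(blocks)

    def secure_unlink(self, name):
        """Mitigation: overwrite the blocks before releasing them."""
        _, blocks = self.inodes[self.directory[name]]
        for b in blocks:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.unlink(name)


def carve(disk, marker):
    """What a recovery tool does: ignore the directory and scan the raw blocks
    for a known pattern, reading up to the first padding (zero) byte."""
    raw = bytes(disk.raw)
    start = raw.find(marker)
    if start < 0:
        return None
    end = raw.find(b"\x00", start)
    return raw[start:end if end >= 0 else None]


# Constructed sample: the kind of note a banking app might leave behind.
SENSITIVE = b"ACCT=1234-5678;CVV=123"


def demo(secure=False):
    """Write the note, delete it (securely or not) and try to carve it back.
    Returns (entry_gone, carved_bytes_or_None)."""
    disk = ToyDisk()
    disk.write_file("note.txt", SENSITIVE)
    (disk.secure_unlink if secure else disk.unlink)("note.txt")
    return "note.txt" not in disk.directory, carve(disk, b"ACCT=")


if __name__ == "__main__":
    print("plain delete  :", demo(secure=False))   # (True, b'ACCT=1234-5678;CVV=123')
    print("secure delete :", demo(secure=True))    # (True, None)
```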

Another significant attack surface on an iPhone device is the web browser. Even though there is a concept of Application Sandboxing, most applications are connected with the browser via some IPC mechanism, where a file downloaded from the browser can directly be sent to an application like a PDF reader, an image viewer, or even any network-based application. Hence a compromise of the Safari web browser can be a significant attack surface on the iPhone. Leaving aside the browser application, most web-based vulnerabilities can have a significant impact in terms of compromising your iPhone. Just to get a feel of what history shows us about vulnerabilities in Safari and other iPhone-related applications, here are some examples of HIGH severity public issues. Please note that I have excluded the medium and low severity issues, since the high severity examples were enough to prove the point.

CVE-2011-1417: Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document.
CVE-2011-1344: Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad.
CVE-2011-0154: WebKit, as used in Apple iTunes before 10.2 on Windows and Apple iOS, does not properly implement the .sort function for JavaScript arrays, which allows man-in-the-middle attackers to execute arbitrary code.
CVE-2010-1817: Buffer overflow in ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file.
CVE-2010-1815: Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webkitgtk before 1.2.6, allows remote attackers to execute arbitrary code.

Vulnerability History of iPhone and IOS Devices

Mobile platforms like BlackBerry have the entire OS written in Java. BlackBerry runs a hardened version of the JVM, with JNI and Reflection disabled, as the operating system. Though Android does not have the OS written in Java, the primary application development happens in Java, similar to BlackBerry. Using Java reduces the attack surface significantly because of the various security constructs provided by the language itself. On the other hand, the iPhone kernel is a derivative of the Mac kernel, which is written in C, and the primary application development language is Objective-C, which is not very different from C when it comes to the kind of language-based weaknesses it has to offer. The biggest foe of software has always been the buffer overflow, which can be found in an iPhone-based application but not in Android or BlackBerry. The nuisances of buffer overflows have been known for decades now, hence we skip that discussion here. The vulnerability count specific to the iPhone in the short lifetime of the device can be seen in the chart below. The chart has been taken from the CVE site, where the table shows the type of vulnerability spotted in the device and then there is a graphical representation.


The list can continue like this for multiple pages. If you search the National Vulnerability Database for the number of security vulnerabilities in the iPhone to date, there is a list of 131 issues which are already public. Very similar to the iPhone chart, here is a chart showing the trend of the vulnerabilities recorded to date in the Safari web browser.

For Those Who Trust the iPhone Keychain

Many users who deal with banking applications or stock-based applications find it more convenient to store the banking password in the iPhone keychain. After all, the keychain keeps all these passwords secure and encrypted on the disk. Unfortunately, there is a serious security flaw in the way this encryption is done in the keychain. The key used for encryption is derived from hardware-related information of the iPhone and has no correlation with the iPhone password set by the user. This implies that this key can be extracted from the same iPhone hardware information on a stolen iPhone without having to crack the iPhone password. Once the keychain is compromised, the passwords stored in it are compromised as well. This activity takes no more than 6 minutes, as demonstrated by German security researchers in February 2011. How can you protect yourself from this attack? You can't. The only solution is to immediately change, on the respective sites, all the passwords stored in your keychain. Alternatively, never store passwords in the keychain. As long as the phone can be jail-broken, the keychain can be broken as well. As we already discussed, iPhone jail-breaking is very common today due to the unencrypted bootloader of the iPhone.

Concluding Remarks

Vulnerabilities are everywhere, and it is not that laptops and desktops do not have security vulnerabilities. The only problem I see in using a mobile for any financially sensitive operation is that the device is far less understood than a PC. This also implies that users have much less control over what they want to save and what actually gets saved. Similarly, since most of the devices do not give direct access to the file system, the user cannot secure the folders where he is keeping the sensitive information. Many a time, with some applications I have observed, the password gets automatically saved in the keychain without even asking the user. The next time the user starts the application, he would see the post-login screen. Is this a great feature? Yes, if we consider usability. No, if we consider security. It is the user who needs to make a trade-off between what he values more in which context. I value security far more than usability when it comes to handling my stocks or my bank account, or even my professional email address. I do not mind re-entering my password 10 times a day if I need to do any kind of financial or official transaction, but I would never store my passwords on the device. After reading this article, I hope you will do the same.

References:
[1] Practical Consideration of iOS Device Encryption Security; Jens Heider and Matthias Boll; Feb 2011. http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
[2] Jailbreak and Unlock the iPhone; http://www.hackthatphone.com/3x/bypass_passcode_lock.html
[3] National Vulnerability Database; http://web.nvd.nist.gov/view/vuln/search-results?query=iphone&search_type=all&cves=on
[4] Secure Coding Guidelines for iOS; http://developer.apple.com/library/mac/#documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
[5] Apple iPhone secretly tracking users' privacy; http://articles.economictimes.indiatimes.com/2011-04-21/news/29459336_1_iphone-apple-location-data
[6] iPhone can take screenshots of anything you do; http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/
[7] iPhone Insecurity; http://www.iphoneinsecurity.com/
[8] Finance App Store Download on iTunes; http://itunes.apple.com/us/genre/ios-finance/id6015?mt=8
[9] Apple iPhone CVE security vulnerabilities, versions and detailed reports; http://www.cvedetails.com/product/11481/Apple-Iphone.html?vendor_id=49
[10] Apple Safari CVE security vulnerabilities, versions and detailed reports; http://www.cvedetails.com/product/2935/Apple-Safari.html?vendor_id=49

Mrityunjay Gautam


Analyzing the Biggest Bank Robbery in History: Lessons in OSSTMM Analysis
Many banks have no idea what a powerful weapon against attacks they have in the OSSTMM. The Open Source Security Testing Methodology Manual is a free, collaborative project by the international, non-profit ISECOM that is years ahead of traditional security methods. The power and elegance of the OSSTMM became clear while I was at a cafe in Bern, Switzerland last year to meet with two other ISECOMers, Nick Mayencourt, a Board Director, and Philipp Egli, an ISECOM trainer, and the talk turned to robbing banks. That's not uncommon, because Switzerland is very big on banking and also very big on security, especially the OSSTMM. So with the biggest diamond heist of the last century in the news again (you may have seen the movie based on it, called Ocean's Eleven), we took a look at the case through the eyes of an OSSTMM Analyst. This is how it went.

As the story goes, it was on a winter morning in February 2002 when a guard in the Antwerp Diamond Center got quite the surprise. He found the multi-ton steel safe door wide open and the resulting chaos of destroyed safety deposit boxes inside the vault. Yet no alarm had sounded. With a quick call to the alarm monitoring center he was informed that the system was running just fine and there had been no notifications since it was armed the night before. There was no clear sign of a break-in, yet $189 million in diamonds were missing (and still are).

We discussed this robbery in detail. While we didn't have clear details on how the robbery really went down, we did know the bank's security measures. They were robbed despite being two floors underground, with a three-ton steel door, a steel gate, closed-circuit cameras, heat sensors, light sensors, and a tremor sensor. So how could this happen? With so many diamonds at stake and ten layers of security, how did Defense in Depth fail them? This is exactly what the third, new version of the OSSTMM is great for. Unlike compliance objectives, which focus on what you have and how it's configured, the OSSTMM 3 scores operational effectiveness: how it works.

Some will say that this is why many organizations employ penetration tests to get this kind of foresight. They say penetration testing will allow them to find the effective attacks before the attackers do. Too bad contemporary penetration tests are not as effective as the penetration testers want you to believe. The OSSTMM started as a penetration testing methodology back in 2001 because penetration testing was the best tool in the development of a process or system for seeing the big picture of operations. The concept was that while quality testing is great for determining how well a component works in a system, penetration testing will help you understand how well all the components work together in the system. Like a fire drill though, penetration tests must be done repeatedly, because any changes in the environment, systems, people, or processes will affect the results. That is why fire drills are called drills: it's of little good to do them just once. So the occasional penetration test may work for the physical and human response testing of a bank with little change or low turnover, but not for electronic systems like e-banking web applications, which are in a near constant state of development and improvement. This is why penetration testing during the development cycle, when the environment is held constant, is so critical to assuring that interoperational security gets properly designed into the system. However, once a system is built and deployed, penetration testing greatly loses effectiveness. So even a traditional penetration test of the Antwerp diamond vault would not have been enough.

Back in 2001, when ISECOM first released the OSSTMM, penetration testing seemed like the best thing to evaluate operational security. The OSSTMM was created to address what were known as the main problems of penetration testing at the time: the inconsistency of penetration testing services, no clear definition or deliverable, penetration testing the skills of the tester more so than the operations, the cultish promise to prove a negative (the logical fallacy that if a penetration tester didn't find problems then the system was secure), and the use of a hidden, proprietary methodology which made it impossible for a client to really know which tests were performed where. It was these problems which encouraged a standard security testing methodology to improve transparency, consistency, and thoroughness. As time went on, it was clear this wouldn't solve all the problems. The biggest problem was that the researchers found there was no way to quantitatively and accurately measure security from penetration tests (because of the whole illogical problem of proving a negative, and math being a logical thing). So while a penetration test can find some of the holes, even some of the big ones, there is no way it can find them all, and certainly no way the testers can truthfully say they are finding the ones that hackers will. Another problem that exacerbated this was that thorough penetration testing required that the tester gain deep knowledge of the operations to be sure the right things were being tested the right way. This was likely the lesson the Antwerp diamond exchange learned the hard way: the winner of any security contest is the one who knows more, and more deeply, about the systems and operations. So in the development of the third version of the OSSTMM a new way of thinking about security emerged which not only corrected these problems with a better, extremely powerful framework, but took security testing and analysis far beyond penetration testing. This new way of thinking about security requires three main things:

1. Prioritize tests by shifting the focus from guessing future threats to that which you have reason to trust;
2. Identify and verify all interactions and the protections for those interactions;
3. Optimize the balance between security and operations.

It is in applying this new version of the methodology that the weaknesses of the Antwerp diamond vault become incredibly, bluntly obvious.

Analyzing Ocean's Eleven

Spectacular bank robberies are part of the standard repertoire of Hollywood films. Of course, realism isn't necessarily required. However, in this case, the character played by George Clooney as the archetype of the sympathetic bank robber actually did exist. A year before the robbery of the century, Leonardo Notarbartolo drank an espresso in the Antwerp diamond district. He rented an office there to trade in wholesale diamonds. He kept a regular schedule, smiled at the people he saw each day, and was sure to be seen walking down the street with the Gazzetta dello Sport under his arm. He was one of the nicest and most clever thieves of modern times. With a hidden miniature camera he entered the diamond vault two stories below ground. You see, he kept his diamonds stored there for safety. That gave him many opportunities to watch and record the operations of the bank, the personnel, and most importantly, its security. He kept his eyes open for the smallest details, including the entrance code to the vault.

What You Need to Know

Authentication alone can be overcome. This is why the OSSTMM recommends multiple, different controls for each point of interaction, described as Defense in Width.

Here we'll pause the story for a moment. What Leonardo is doing is the first step of an attacker: reconnaissance. He's looking for all the points of interaction from outside the vault to the inside. According to the OSSTMM there are only two ways to take something: you either take it or you have somebody give it to you. These two different types of interactions are defined as Access and Trust. So why does Leonardo have access to the vault? Because he's a polite, well-known businessman in the area who happens to be a client of the bank. In OSSTMM terminology, he's abusing operational trust.

Quality Security Defenses

Operational Trust

The OSSTMM 3 has integrated tests for operational trust. There are 10 properties which are logical reasons to trust someone or something. The easiest technique for using the Trust Properties is to create quantitative rules from the properties, which we can then use to evaluate the target person, thing, or interaction. The rules are scored as a percentage and the percentages from all 10 properties are averaged. The closer to 100% you get, the safer it is to extend trust. It's a very accurate way to analyze and extend trust free of bad intuition or unqualified gut instinct. One condition trust analysts tend to find in this process is that in day-to-day life, people are often satisfied with just one or two of these properties being met. This is likely because social context makes it uncomfortable for people to challenge untrusted properties, and it's considered offensive to challenge someone who successfully meets some of the properties, especially Transparency (like Leonardo, who's a nice, known businessman in the area) and Consistency (he's a registered client who visits the vault with regularity and never causes problems). Meanwhile, he would score very low on the other 8 reasons to trust him, marking him as an untrustworthy individual.

The vault was scrutinized for weeks before the robbery took place. The vault team included the Genius, who was a master of disabling alarm systems, the King of Keys, who was an expert key forger, and a man they called Monster, a huge, strong man who was also a monstrously good electrician, driver, lock pick, and mechanic. Each team member had a task befitting his skills, which also coincided with the interaction points that Leonardo discovered. So what happened was that each team member knew more about a particular system within the operation than the bank personnel did. An OSSTMM analysis would have discovered that the operators of the security mechanisms knew little about how they worked, and if they had known what was required of them, maybe they wouldn't have left Leonardo, or anyone else, alone in the vault. One day before the robbery, Leonardo entered the vault on legitimate business. Left alone for privacy, as he knew he would be, he sprayed the motion and heat sensors with hairspray. Then he packed up his things and stepped out, thanking the guard and giving his regards to the wife and kids. Why not, he was a nice guy.

Controls and Limitations

The OSSTMM describes 10 operational controls. The concept provided is that the less reason you have to trust someone or something (trust properties), the more varied controls you should have for protection, up to 10 per interaction. That is called making the perfect balance between operations and protection. These 10 controls are divided into two classes: interactive and process. Interactive controls react to direct contact with the threat, where process controls do not. What you see here is that it is important to have controls which are different. As it is, most controls on their own are fairly ineffective. What you don't want is two different security mechanisms, say heat and motion detectors, both providing incomplete Authentication and both susceptible to being nullified with the same can of hairspray.

The bank had installed a heat and motion sensor at the entrance of the vault, both Authentication controls (an Interactive control), which were designed to sound an Alarm (a Process control). Since the Alarm control was dependent on the Authentication sensors, no alarm could sound if they were blocked. This is calculated as a Limitation, a flaw defined not by impact or prevalence, as with risk ratings, but by what it does and what it affects. The value of the Limitation is calculated by which operational controls are in place as well as how many different types of interactions are allowed with the targets. This makes it a very flexible and unbiased way to measure any kind of vulnerability because, as you know, each flaw is fairly unique in how it affects different operations. Not all buffer overflow vulnerabilities will give root access if attacked; it depends on the protections in place. In addition to that, it's also easy to categorize Limitations. For example, a Vulnerability is a flaw which provides Access to an asset, denies Access to an asset, or allows one to hide an asset within the scope. It's very straightforward and requires no guessing about its ease of use or impact. Sometimes though a flaw will have more than one type of Limitation. For example, a factory default login and password mechanism on a router would be a Weakness, which is any flaw that affects Interactive Controls, and a Vulnerability, because it provides Access as well. See, it's very straightforward. There are a total of five classifications of Limitations in the OSSTMM. The last three are Concern, which is any flaw that affects Process Controls; Exposure, which is any flaw that provides information of specific attack knowledge or opportunity; and Anomaly, which is not specifically a flaw but an unknown or uncontrolled interaction. One of the enlightening features of analyzing security according to this process is in seeing how poor Controls, that is Controls with inherent Limitations, like login and password schemes that provide no mechanism against brute forcing, add up to provide more protection AND more flaws. One can then see how layers of incomplete or poor controls will actually make something less secure, especially if the controls they provide are redundant, like two firewalls in a row, or just not reliable, like blacklist controls.

Safety vs. Security

A central theme to security is specifically the definition of security. The OSSTMM classifies security as a physical separation between an asset and a threat. Safety, on the other hand, is the means to control threats at the point of interaction. In this case, a vault falls close to the definition of security. It provides a physical separation between that outside the vault and the assets inside the vault. Except that you also need to be able to have some interaction with the vault to put new assets in or take assets out. To prove that, Leonardo the diamond thief is standing in a vault filled to the ceiling with diamonds. This is now where Safety comes into play. Since interactions are required for successful operations, there must be some operational controls to protect the assets from unauthorized exit. The OSSTMM findings show 10 operational controls to protect against all threats. You cannot say one control is stronger than another, since each protects against a different umbrella of attack types. However, one implementation of a control can certainly be weaker than another. One of the places this is obvious is Authentication. Whether it's a lock and key, login and password, or a Do Not Fly List, these Authentication controls require Identification to function correctly. If the threat can pass itself off as, say, a legitimate diamond wholesaler, then it will receive Authorization for Access, bypassing the Authentication in place designed to prevent a criminal from just walking into the vault to size it up.
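As an added example (not the article's or ISECOM's code), the following Python transcribes the article's three tables of vault mechanisms into findings and applies the definitions above: the five Limitation classes, how many distinct control types each layer of the vault really has, and which mechanisms fall to one and the same trick. The split of the ten controls into interactive and process classes follows OSSTMM 3; the mechanism names and defeat descriptions are constructed from the article's tables and narrative, and the rav calculation itself is not reproduced here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# The ten OSSTMM 3 operational controls in the two classes the article names:
# interactive controls react to direct contact with the threat, process
# controls do not (class membership per OSSTMM 3).
INTERACTIVE = {"Authentication", "Indemnification", "Subjugation",
               "Continuity", "Resilience"}
PROCESS = {"Non-repudiation", "Confidentiality", "Privacy", "Integrity", "Alarm"}
ALL_CONTROLS = INTERACTIVE | PROCESS


@dataclass(frozen=True)
class Finding:
    layer: str            # point of interaction: entrance, vault door, interior
    mechanism: str        # security mechanism as named in the article's tables
    control: str          # the control it provides ("?" = uncontrolled interaction)
    defeat: str           # how the crew nullified it, per the article
    effect: Optional[str] = None  # "access" or "info" when the flaw grants one


def classify(f: Finding) -> str:
    """Assign one of the article's five Limitation classes to a finding."""
    if f.effect == "access":
        return "Vulnerability"  # provides or denies Access to an asset
    if f.effect == "info":
        return "Exposure"       # leaks specific attack knowledge or opportunity
    if f.control in INTERACTIVE:
        return "Weakness"       # flaw in an interactive control
    if f.control in PROCESS:
        return "Concern"        # flaw in a process control
    return "Anomaly"            # unknown or uncontrolled interaction


def limitation_counts(findings) -> Counter:
    return Counter(classify(f) for f in findings)


def control_width(findings) -> dict:
    """Distinct control types per layer: the width, as opposed to the depth."""
    width = defaultdict(set)
    for f in findings:
        if f.control in ALL_CONTROLS:
            width[f.layer].add(f.control)
    return {layer: sorted(c) for layer, c in width.items()}


def missing_controls(findings) -> list:
    """Controls no layer provides at all: attack types nothing protects against."""
    return sorted(ALL_CONTROLS - {f.control for f in findings})


def shared_defeats(findings) -> dict:
    """Mechanisms that fall to one and the same trick: depth without diversity."""
    by_defeat = defaultdict(set)
    for f in findings:
        by_defeat[f.defeat].add(f.mechanism)
    return {d: sorted(m) for d, m in by_defeat.items() if len(m) > 1}


# Findings transcribed from the article's Tables 1-3 (constructed data, one
# entry per table row; the effect column marks rows that grant Access).
SHIELD, MANUAL = "polyester shield", "manual deactivation, no tamper alarm"
BAGS, UNWATCHED, BRIDGED = "black garbage bags", "not monitored at night", "sensor lines bridged"
ANTWERP = [
    Finding("entrance", "Outside heat/motion sensor", "Authentication", SHIELD),
    Finding("entrance", "Outside heat/motion sensor", "Alarm", MANUAL),
    Finding("entrance", "Hallway motion sensor", "Authentication", SHIELD),
    Finding("entrance", "Hallway motion sensor", "Alarm", MANUAL),
    Finding("entrance", "Hallway motion sensor", "Authentication", SHIELD, "access"),
    Finding("entrance", "Ante-room cameras", "Authentication", BAGS),  # Identification
    Finding("entrance", "Ante-room cameras", "Alarm", UNWATCHED),
    Finding("entrance", "Ante-room cameras", "Authentication", BAGS, "access"),
    Finding("vault door", "Combination lock", "Authentication", "dial filmed"),
    Finding("vault door", "Combination lock", "Authentication", "dial filmed", "access"),
    Finding("vault door", "High security key lock", "Authentication", "key left in vestibule"),
    Finding("vault door", "High security key lock", "Authentication", "key left in vestibule", "access"),
    Finding("vault door", "Seismic (tremor) sensor", "Authentication", "no drill used on the door"),
    Finding("vault door", "Steel gate lock", "Authentication", "lock picked"),
    Finding("vault door", "Steel gate lock", "Authentication", "lock picked", "access"),
    Finding("vault door", "Magnetic sensor", "Authentication", "dismounted onto another metal plate"),
    Finding("vault door", "Magnetic sensor", "Alarm", "dismounted onto another metal plate"),
    Finding("vault door", "Internal security camera", "Authentication", BAGS),
    Finding("vault door", "Internal security camera", "Alarm", UNWATCHED),
    Finding("interior", "Light sensor", "Authentication", BRIDGED),
    Finding("interior", "Light sensor", "Alarm", BRIDGED),
    Finding("interior", "Vault camera", "Authentication", BAGS),
    Finding("interior", "Vault camera", "Alarm", UNWATCHED),
    Finding("interior", "Heat/motion sensor", "Authentication", "hairspray"),
    Finding("interior", "Heat/motion sensor", "Alarm", BRIDGED),
    Finding("interior", "Safety deposit box locks", "Authentication", "broken open with a hand drill"),
    # Table 3 lists this row as a Concern; by the definitions in the text a flaw
    # that provides Access is a Vulnerability, which is what classify() yields.
    Finding("interior", "Safety deposit box locks", "Authentication", "broken open with a hand drill", "access"),
]

if __name__ == "__main__":
    print(dict(limitation_counts(ANTWERP)))
    print(control_width(ANTWERP))   # every layer: Alarm and Authentication only
    print(missing_controls(ANTWERP))
    print(shared_defeats(ANTWERP))
```

Every layer of the vault turns out to carry the same two control types out of ten, which is the "Authentication, Authentication, Authentication" imbalance the article's final analysis points at.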

What You Need to Do

The team led by Leonardo spared no expense. The bank was built in what was once a shopping center. The team analyzed the rooms and buildings adjacent to the vault. The story goes that they recreated the entire vault ante-room and the vault itself in a warehouse in order to study and practice disabling all the security. Once again, this is the key to security: knowing the operations at a more thorough and deeper level than those who apply them. This is what makes penetration testing tool frameworks with dedicated exploit research teams so valuable to an organization. Sure, these tools will also help the penetration tester cover more types of systems and applications more deeply; however, these tools are best used in the hands of those who really know the internal operations and processes, the internal employees. Why? Because just knowing how to find vulnerabilities means nothing if there is little understanding of the big picture in a complex environment. What are the operational needs? What are the directions? What are the requirements? These are things only an insider can and should know. However, to avoid being stuck in the vulnerability/patching routine indefinitely, a cat and mouse game at best, an organization needs to embrace the hacker role of deeply understanding how various operational security mechanisms and operational controls work together for greatest effectiveness. This is where the latest OSSTMM is strong. Security shouldn't be about just finding the vulnerabilities known today to quickly patch up, but about finding the perfect balance between security and controls so you are prepared for the vulnerabilities and threats of tomorrow as well. This is why Leonardo and his team studied the operation of each of the individual sensors as well as all the routines and processes of the bank. Doing so allowed them to penetrate the building unnoticed and still get out quickly and safely. So it's not enough to know that the vault can be penetrated, because one still needs to get away with it. This means the team needs to know the scope like an insider would, which includes the targets, the assets, the environment, and the points of interaction. That lets them know which skills they need to bring to the engagement, what is the best path to take, and with what means they attack the goal:

1. Target: These are the gateways to the assets or even the assets themselves. If you need to enter with stealth then the security mechanisms will be your first targets. Once those are neutralized, you switch targets to the next thing which prevents you from reaching the assets.
2. Scope: These are all the factors which act on the targets. This includes environmental factors, legalities, policies, and technical dependencies. These considerations form the basis for the definition of the attack vectors.
3. Vector: This is the angle of attack to the target. Is the target attacked from the outside or the inside? Should an attack take place from Department A to Department B? Does a satellite office first need to be compromised to attack the target indirectly?
4. Channel: This is the means with which to attack the target. This must be decided per attack vector. What are the possible channels available? Do we need to access physically by ourselves or can we trick someone via social engineering to access it for us? Is there a wireless network or do we need to attach ourselves via cable? Does it make sense to seek direct physical access?

Showtime

On the night of the robbery, the Genius and Monster entered a courtyard two blocks from the Diamond Center. With a shield made of polyester they made it past the first heat and motion sensor to disable it. Cameras were covered with black garbage bags. The second set of sensors in the vault ante-room were then disabled the same way. They also bypassed multiple cameras undetected. That's because cameras can only provide three controls: Identification, Non-repudiation and Alarm. For Identification, cameras are extremely weak because they can be easily fooled. The lack of Identification also compromises Non-repudiation, because even though the cameras record, it can later be determined what happened, just not who was responsible, which is the basis for non-repudiation. Additionally, if cameras are being used to react to attacks, the Alarm control, then someone needs to be looking in order to react (Table 1).

Inside the vault ante-room, the crew of diamond thieves turn on the light. Before them stands the mighty steel vault. It's protected by a key lock, a combination lock, a magnetic sensor, and a tremor sensor to defeat drilling of the door. These are all Authentication controls hooked to Alarm controls. The magnetic sensor that should have made an unauthorized opening of the door impossible was attached to the outside of the vault door. They mounted it to another piece of dense metal and removed it. That was one vault security mechanism gone. Leonardo had learned in his reconnaissance that the guard always visited a vestibule before opening the vault. On a hunch the team visits the vestibule, and sure enough the key to the high security lock is hanging right there. They didn't even need the key they had forged from Leonardo's photos. That's two security mechanisms gone. They approach the combination lock, capable of 100 million possible combinations. However, since the combination dial lacked a hood, the numbers were visible for Leonardo to see and film with each visit to the vault. The numbers he had were still valid and the steel door unlocks. That's three security mechanisms down. Now the men need to turn off the lights completely. There is a light sensor inside the vault. They carefully open the vault avoiding any vibration, and the tremor sensor is defeated. That's the last of the security mechanisms on the door. They still need to reach and disable the light sensor though. A steel gate inside the door blocks their way; however the lock, another Authentication control, is easily picked. What they bypassed is typical Defense in Depth, where the same type of control, in this case Authentication, is layered. It's a classic mistake based on seeing each security mechanism as an island instead of recognizing their need to inter-operate and provide integrity for one another (Table 2).

Once the steel gate was opened, they still had to deal with the sensors. The heat/motion sensor inside the safe area had been addressed the day before with the hairspray. Still, it was unclear how long the hairspray would last before the sensor would detect their body temperature. The men acted cautiously and moved slowly to keep from generating too much heat. Monster went into the dark vault as practiced in the fake vault. He pulls down the sensor cables from the ceiling and bridges them to complete the circuit. Now even when they trip the sensor the circuit can't break, and thus the alarm won't sound. Still, to be safe, they covered the sensors to blind them. With deep familiarity after having practiced countless times, they worked in the darkness with a hand-drill to break open the safety deposit boxes. The lockers have no additional controls beyond the locks and they revealed their contents without much resistance. With gloves still on, they leave no trace as they leave the way they came in (Table 3).

Table 1. Entering the Building

Security Mechanism | Controls | Limitation | What It Means
--- | --- | --- | ---
Outside Heat and Motion Sensor | Authentication | Weakness | The sensor can be bypassed with a nylon sheet.
 | Alarm | Concern | The alarm can be deactivated manually on the device without tripping a tamper alarm.
Hallway Motion Sensor | Authentication | Weakness | The sensor can be bypassed with a nylon sheet.
 | Alarm | Concern | The alarm can be deactivated manually on the device without tripping a tamper alarm.
 | | Vulnerability | Access to the vault is possible.
Vault Ante-room Cameras | Identification (part of Authentication) | Weakness | The criminals acted at night and could easily cover their faces before they covered the cameras.
 | Alarm | Concern | With nobody watching there was nobody to be alerted or react to the robbery.
 | | Vulnerability | Access to the vault is possible.

Table 2. Entering the Building

Security Mechanism | Controls | Limitation | What It Means
--- | --- | --- | ---
Combination Lock | Authentication | Weakness | The process of dialing in the combination gave enough time and visibility for the numbers to be recorded.
 | | Vulnerability | This lock provides Access.
High Security Key Lock | Authentication | Weakness | A key was forged but unnecessary, since the process kept the real key available in the nearby vestibule.
 | | Vulnerability | This lock provides Access.
Seismic (Tremor) Sensor | Authentication | Weakness | This is a blacklist control which allows for many operations as long as they are not specifically what the sensor expects. This may have functioned correctly had the thieves indeed used a drill.
Steel Gate Lock | Authentication | Weakness | The lock was picked.
 | | Vulnerability | This lock provides Access.
Magnetic Sensor | Authentication | Weakness | This is a blacklist control which allows for many operations as long as they are not specifically what the sensor expects.
 | Alarm | Concern | The Alarm did not trip upon dismounting, a flaw that prevents sensor integrity from recognizing sabotage.
Internal Security Camera | Authentication | Weakness | The cameras were in full working order; however, they didn't work in the dark, nor could they work with black garbage bags tied over them.
 | Alarm | Concern | Since the cameras weren't monitored at night, there was nobody to react to what could have been seen.

Table 3. Entering the Building

Security Mechanism | Controls | Limitation | What It Means
--- | --- | --- | ---
Light Sensor | Authentication | Weakness | This is a blacklist control which allows for many operations as long as they are not specifically what the sensor expects.
 | Alarm | Concern | The sensor lines were reachable and bridgeable to disable it.
Vault Camera | Authentication | Weakness | The cameras were in full working order; however, they didn't work in the dark, nor could they work with black garbage bags tied over them.
 | Alarm | Concern | Since the cameras weren't monitored at night, there was nobody to react to what could have been seen.
Heat/Motion Sensor | Authentication | Weakness | The sensor was masked with hairspray the day before.
 | Alarm | Concern | The sensor lines were reachable and bridgeable to disable it.
Safety Box Locks | Authentication | Weakness | The locks were weak and easily broken open.
 | | Concern | The locks provided Access.

Final Analysis

Looking at this through the eyes of an OSSTMM security analyst, we can take this dissection of the security mechanisms and processes and measure the attack surface of the bank. This gives us a value which is similar to a Key Performance Index to measure the balance between Operational Security, Controls, and Limitations. We do this quickly using the available OSSTMM attack surface calculator, which calculates the balance in ravs. Working like a percentage, the goal is to get to 100 for perfect balance. Anything over that is too much, possibly redundant or wasted security, and anything under that is too little. For the Antwerp Diamond Center, both the attacker and the security analyst could reach the same conclusion for some of these security processes. That the vault key was kept in the hallway vestibule, or that the combination on the vault had not been changed for months, are conspicuous omissions that a security analyst would not have missed either. So we are left with this assessment of the situation. The goal, the diamonds in the vault, is known and Visible. There are two approaches to the vault: the client entry area, and the entry the thieves used through the side streets, back yards, and private apartments. This means that there are two Accesses. The Controls and Limitations we can transfer to the Attack Surface calculator sheet. A thorough OSSTMM 3 analysis would have clearly shown, long before this robbery, that the massive protection measures layered in Defense in Depth style are ineffective. With such a large attack surface, 18.52% unprotected, the analyst can easily show the Board of Directors the imbalance in the security and then exactly where that imbalance lies: too heavy a reliance on one control, Authentication. (As a side note, what do you think a network protected by a firewall, IDS, anti-virus, and screening router looks like? Here's a hint: Authentication, Authentication, Authentication, Authentication.) Furthermore, while a full Attack Surface measurement won't tell you when the next attack will come, if it comes, it will show you for sure where it will come from and, based on which controls are missing, specifically what kinds of attacks would be successful. This is extremely useful for future planning, future-proofing, and future budgeting. If you're not using OSSTMM 3 security testing and analysis then it's possible you might not be protecting the right interactions, or for as long as you need to.

(Not) Happily Ever After

The story ends on a slightly unhappy note for our clever crew, especially if you believe them that there was really little of value in the vault. While fleeing the Diamond Center, the men lost their nerve and left some bags of loot and documents in the forest. A citizen stumbles across the mess left behind and at first is just upset over the mess that he assumes teenagers left in the forest after a night of partying. He calls the police and, while detailing the type of garbage there, he mentions that there are envelopes that say Antwerp Diamond Center. This gets the police to investigate, where they are able to piece together documents and discover stray gems. Among the scraps, they find a receipt for the miniature camera, and Leonardo's name is on it. When he returns to Belgium to drop off the rental car they used for the getaway, he gets picked up by the police. With even more evidence they pull from the forest litter, like mobile phone SIM cards, and DNA they found on adhesive tape in the vault, they pick up the rest of the crew. Only the King of Keys was never found. Leonardo claims he never made off with $189 million and that it was an inflated number for insurance fraud. He says the bank was in on the robbery and removed nearly all the legitimate gems, and the illegal, black market gems, before the robbery. Then they received the insurance pay-out for their legitimate gems. He claims that he and his crew got almost nothing.

Pete Herzog,
co-founder of ISECOM and project lead for the OSSTMM.
Further info: www.isecom.org, www.osstmm.org


Can Banks Share Information To Enhance Risk Assessment Under The Basel II Framework

The utilization of the Internal Rating Based Approach of the Basel II framework requires empirical analysis. The databases of small and medium sized banks are not sufficiently large to allow them to produce high quality analysis. Can banks share data in order to improve their ability to implement Internal Ratings Based risk management? Can banks overcome the technological, regulatory, professional and legal obstacles to achieve collaboration on data between banks?
Introduction - Basel II and IRB

The introduction of the Basel II framework¹ in June 2004 brought a major change to the methodology used by regulators and financial institutions around the world to assess the risks involved in the operation of financial services. While the Basel Committee on Banking Supervision humbly described the framework as a mere revision of the standards governing the capital adequacy of banks, the Basel II framework was undoubtedly a revolution, which required not only substantial preparation but also a change of attitude and perspective. Basel II allowed regulators to instruct banks to assess their credit risk² using either the Standardised Approach or the Internal Rating Based Approach (IRB)³. However, even the simpler Standardised Approach is unquestionably comprehensive and complicated, and required banks to change the methods by which they assess their risks and capital adequacy requirements. This change raised the need to change the banks' information systems.

The even-more-complex IRB Approach requires banks to implement a more significant change. Under the Standardised Approach the risk factors are defined by the regulators. Under the IRB Approach, banks must develop their own empirical model to measure their own credit risks and allocate sufficient capital to cover such risks. Such an empirical model should quantify the risk based on two factors: PD (Probability of Default), an assessment of the probability, in percentages, that a certain entity will default (e.g. become insolvent); and LGD (Loss Given Default)⁴, an assessment of the percentage of the debt which can be recovered from an entity which has become insolvent. The IRB Approach under Basel II requires that each factor be analyzed separately. The PD and LGD values, once determined, allow the calculation of the Exposure at Default (EAD) and the Risk Weighted Asset, which are the basis for the amount of capital required to cover a bank's credit risk.⁵ The application of IRB allows banks to match the terms of the credit extended to their customers with the actual risk applicable to each customer, thus allowing customers with a lower probability of default to obtain credit on favorable terms. Banks which adopt elaborate credit risk management techniques have a better ability to calculate their credit risks and to match their capital requirements with the characteristics of their customers. Consequently, banks with relatively financially stable customers may lower their capital requirements.

Information Required for the Development of an Empirical Model

The empirical model on which IRB is based requires a statistical analysis which identifies and quantifies the correlation and dependency between various predictor variables and a customer's PD and LGD values. Most of the predictor variables are essentially factual information regarding the customers. The main source for this factual information is the customer's financial statements.⁶ Certain financial ratios, which are reflected in the financial statements, serve as important indicators to assess the probability of default and the probability of recovering a debt upon an event of default. However, since most customers are not publicly traded companies, their financial statements are usually confidential and therefore not publicly available. Banks may require, and usually do require, customers to provide the bank with their financial statements, and therefore each bank is likely to have sufficient information about its own customers. Nonetheless, for small and probably even medium sized banks, the number of customers may not be sufficient to create the database needed for an accurate statistical analysis. Statistical analysis requires an adequate and unbiased sample with a sufficient number of independent instances. Hence, in order to correctly analyze the correlation between financial factors and an event of default or the chances of collection upon default, one must have information regarding a sufficient number of customers who actually defaulted, with reasonable diversity. Even medium sized banks may find themselves lacking sufficient information to create a reliable model.⁷ Notably, a model which is less robust or precise requires higher safety coefficients. The result is that small and medium banks have an inherent disadvantage in implementing IRB in comparison to large banks.

Business Considerations: banks are reluctant to provide their customers list to their competitor. Technical and Professional Requirements: banks use different IT systems and keep their information in various file formats. These differences can complicate attempts to share information automatically or on a continuous basis. In addition, there may be differences in the types of information that are collected by various banks. For example, one bank may prefer to analyze nominal values while another one may prefer analyzing index linked values. Mixing of different types of information may lead to systematic errors. These impediments are undoubtedly fundamental. Can they be overcome?

Using Anonymous Information Is this the Solution?

The statistical analysis needed for the development of an IRB model has to check the dependency of PD/LGD values on various numeric or boolean parameters of financial information of companies. For such analysis there is no need to know the identity of the company whose information is being analyzed. Therefore, using anonymous information seems to be as a good solution to deal with most of the problems described above. If the information shared does not include any identifying details regarding the customers, there will be no breach of secrecy duties and banks will not reveal their customers lists to their competitors. This may also be an answer to some regulatory problems. Unfortunately, this is not a perfect solution. Although the identity of a company is irrelevant to the analysis, the validation and integrity check of the information cannot be properly done if the information is unidentifiable. If each bank sends the information regarding its customers with no identification details, it is inevitable that various banks will send overlapping information about the same company. This means that the same records will appear more than once, hence making the database not statistically reliable. Further, the lack of identifying information will prevent auditing the information.

Proposed Solution Use of a Third Party Data Integrator

The Obstacles of Data Sharing between Banks

The key to the problems described above seem to be the use of a third party as the intermediary in the information sharing process. In order to overcome the abovementioned obstacles, the following proposed mechanism may be used: Banks participating in the data sharing program will appoint a third party to serve as an integrator; Each bank will send data to the integrator using an agreed interface and specification. The data will include customers identification details; The integrator will check and validate the information. The integrator will then save the information according to specifications which suit the needs of all the banks participating in this process (e.g. present both nominal values and real values); The integrator will remove from the files saved all customers identifiable information and will replace it with an assigned random unique key. To allow audit of the process, the integrator will keep a separate encrypted

The simple solution to the abovementioned problem could be sharing of data among small and medium sized banks. The larger and more diverse database that would result from such cooperation would allow each of them to improve its ability to develop IRB model. Unfortunately, there are certain material impediments which may prevent such collaboration in sharing of information: Regulatory Restrictions: In many countries, such cooperation and data sharing among banks may constitute violation of antitrust or banking supervision regulations. Contractual Confidentiality Restrictions: banks are bound by secrecy duties to their customers and may not divulge information received from the customers.

24

2/2011

Can Banks Share Information To Enhance Risk Assessment Under The Basel II Framework

file which includes only the identification details and the details of the key assigned thereto; The banks will have access to the unidentifiable information only. The above mechanism addresses all of the concerns discussed earlier: Regulatory Restrictions: The fact that there is no direct cooperation or communication between the members is likely to solve all regulatory problems. In terms of antitrust considerations, this collaboration is expected to increase the competition since it will allow small and medium sized banks to compete with each other and with larger banks. The fact that no information regarding the identity of the customers is shared in this process should also eliminate concerns of anti-trust regulators. Contractual Confidentiality Restrictions: Since the banks will only have access to unidentifiable information, there will be no breach of secrecy obligations visa-vis the customers. Business Considerations: The information shared with the other banks will not reveal each banks customers list. Technical and Professional Requirements: The aggregator can set a uniform interface specification that each bank can use in compatibility to its own IT systems. Alternatively, the aggregator may allow each bank to send information using a different interface and the aggregator will then process the information into the shared data base. The aggregated database can use an XML or other flexible format which will allow each bank to use different portions of the information in accordance with its specific needs. This solution has to be correctly tailored. Under certain regulations in several jurisdictions, banks will have to obtain an approval or no action confirmation from the regulators in order to implement this data sharing process, but under the proposed mechanism such regulatory approval should be attainable. The banks will need to agree on the funding of the data share program. 
The allocation of costs may be done in various methods: splitting the costs in equal parts; according to the banks relative size; according to the number of queries made by each bank or to the amount of information retrieved from the database; according to the amount of information contributed by the bank;8 or in other ways. Theoretically, the demand for information should lead information providers to independently develop an information service compatible with Basel II IRB needs and offer this service. However, certain entry barriers significantly reduce the probability that such services will evolve independently without an initiative and active involvement of the banks. Private providers face uncertainties as to how much information is actually available to each bank and what will be the actual demand to information of other banks. In addition, a private entity will have to prove the reliability and accuracy of the data bases and may encounter problems in demonstrating similar data sharing systems. It may also be difficult to characterize the specific data required for banks without close cooperation with them. Moreover, the requirements of regulators from

a private entity providing this service may be more stringent than the requirements imposed on banks, which are already heavily regulated and supervised.

And the Real Solution is

Although voluntary data share between banks, in the structure proposed above, is a viable and feasible solution, the real solution lies in the hands of the regulator - the central bank. The regulator has the ability to compel banks to provide information and to dictate the scope of information and the interface for its delivery. The aggregation of information by the regulator will entirely eliminate problems like antitrust, confidentiality, etc. Basel II encourages the implementation of IRB. If regulators want to enhance a high quality IRB process, they should address this problem and create a database that will allow small and medium sized banks compete with large ones, on equal terms. The regulator should become the aggregator.

YUvAl ShAlhEvETh, Adv., Yigal Arnon & Co. The author is a partner at Yigal Arnon & Co., one of the largest law firms in Israel. Yigal Arnon & Co. has leading practices in the area of banking, capital markets, and other fields of corporate and commercial law. The author represented a consortium of five Israeli banks which initiated a data collaboration attempt. The consortium obtained the preliminary regulatory approvals for the collaboration, including the approvals of the Antitrust Commissioner and the Bank of Israel. The author assisted different Israeli banks in the implementation of Basel II and in confirming compliance with the legal certainty requirements under Basel II.

Basel Committee on Banking Supervision International Convergence of Capital

Measurement and Capital Standards A Revised Framework, Comprehensive Version http://www.bis.org/publ/bcbsca.htm.


2 3

Arial This article only relates to credit risk under the first pillar of Basel II. Basel II distinguishes between Foundation IRB (or FIRB) and Advanced IRB (or Under FIRB, the model only relates to PD while the LGD values are set by the Under the limited scope of this article other relevant terms will not be discussed Under IRB, exposures of retail customers are handled in a different manner.

Independent Information Providers

AIRB). The impact of this distinction will not be discussed herein.


4

regulators. Under AIRB, the model computes both the PD and LGD values.
5

or mentioned.
6

This article only relates to corporate customers who prepare audited financial statements.
7

Pursuant to Basel II, the model used for IRB must be validated and must be apThis mechanism is devised to create an incentive for the members to con-

proved by the regulator prior to its implementation.


8

tribute information. Under this mechanism, a members share in the costs will decrease if he contributes more information. One should bear in mind, that the real value of the data share project is not the information system but rather the information itself.
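To make the integrator mechanism proposed in the article concrete, here is an added example (written for this edition; it is not code from the article, from the consortium it mentions or from any integrator). It models the integrator's core: validation of each bank's submission, de-duplication of overlapping submissions while the identity is still known, storage of both nominal and index-adjusted values, replacement of the identity by a random key, and a separate identity mapping that only the auditor role can query. The field names, the price-index normalisation, the auditor secret and the sample records are assumptions; encrypting the identity mapping at rest is left to the deployment.

```python
"""Third-party data integrator for inter-bank credit-risk data sharing.

Added example, not code from the article or from any bank or integrator.
Field names, the price-index normalisation and the sample records are
assumptions made for this example.
"""
import hmac
import secrets

# Fields every bank must deliver per customer (assumed interface specification).
REQUIRED = ("reg_no", "name", "revenue", "equity", "total_debt",
            "price_index", "defaulted")
NUMERIC = ("revenue", "equity", "total_debt", "price_index")


class ValidationError(ValueError):
    """Raised for a record that fails the integrator's integrity checks."""


class Integrator:
    def __init__(self, auditor_secret, base_index=100.0):
        self._auditor_secret = auditor_secret  # shared only with the auditor
        self._base_index = base_index          # price index of the reference year
        self._shared = {}      # key -> anonymised record (what banks may read)
        self._identity = {}    # key -> (reg_no, name); kept apart from _shared,
                               # to be stored encrypted in a real deployment
        self._seen = {}        # reg_no -> key, detects overlapping submissions
        self.overlaps = []     # (bank, reg_no) for companies already held

    @staticmethod
    def _validate(rec):
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            raise ValidationError(f"missing fields: {missing}")
        for f in NUMERIC:
            if isinstance(rec[f], bool) or not isinstance(rec[f], (int, float)):
                raise ValidationError(f"{f} must be numeric")
        if rec["price_index"] <= 0 or rec["revenue"] < 0 or rec["total_debt"] < 0:
            raise ValidationError("value out of range")
        if not isinstance(rec["defaulted"], bool):
            raise ValidationError("defaulted must be a boolean")

    def ingest(self, bank, records):
        """Validate and store one bank's records; return the number of new companies."""
        added = 0
        for rec in records:
            self._validate(rec)
            reg_no = rec["reg_no"]
            if reg_no in self._seen:
                # Overlap: another bank already reported this company. Keeping one
                # row per company is exactly what anonymous submission could not do.
                self.overlaps.append((bank, reg_no))
                continue
            key = secrets.token_hex(16)   # random; carries no information about the company
            self._seen[reg_no] = key
            self._identity[key] = (reg_no, rec["name"])
            scale = self._base_index / rec["price_index"]   # nominal -> real values
            self._shared[key] = {
                "key": key,
                "revenue_nominal": rec["revenue"],
                "revenue_real": round(rec["revenue"] * scale, 2),
                "equity_nominal": rec["equity"],
                "equity_real": round(rec["equity"] * scale, 2),
                "debt_nominal": rec["total_debt"],
                "debt_real": round(rec["total_debt"] * scale, 2),
                "leverage": round(rec["total_debt"] / rec["equity"], 3) if rec["equity"] else None,
                "defaulted": rec["defaulted"],
            }
            added += 1
        return added

    def shared_dataset(self):
        """The view participating banks receive: no identities, one row per company."""
        return [dict(r) for r in self._shared.values()]

    def audit_lookup(self, key, auditor_secret):
        """Resolve a key back to an identity; only the auditor holds the secret."""
        if not hmac.compare_digest(auditor_secret, self._auditor_secret):
            raise PermissionError("audit access denied")
        return self._identity[key]


# Constructed sample submissions from two banks; "IL-200" is reported by both.
BANK_A = [
    {"reg_no": "IL-100", "name": "Alpha Ltd", "revenue": 1200.0, "equity": 300.0,
     "total_debt": 450.0, "price_index": 105.0, "defaulted": False},
    {"reg_no": "IL-200", "name": "Beta Ltd", "revenue": 800.0, "equity": 50.0,
     "total_debt": 900.0, "price_index": 105.0, "defaulted": True},
]
BANK_B = [
    {"reg_no": "IL-200", "name": "Beta Ltd", "revenue": 810.0, "equity": 50.0,
     "total_debt": 905.0, "price_index": 105.0, "defaulted": True},
    {"reg_no": "IL-300", "name": "Gamma Ltd", "revenue": 3000.0, "equity": 1200.0,
     "total_debt": 600.0, "price_index": 110.0, "defaulted": False},
]


def run_demo():
    integ = Integrator(auditor_secret="demo-auditor-secret")
    added_a = integ.ingest("Bank A", BANK_A)
    added_b = integ.ingest("Bank B", BANK_B)
    return integ, added_a, added_b


if __name__ == "__main__":
    integ, a, b = run_demo()
    print(f"new companies: Bank A {a}, Bank B {b}; overlaps: {integ.overlaps}")
    for row in integ.shared_dataset():
        print(row)
```

The order of operations is the point: de-duplication happens before the identity is stripped, the random key is generated rather than derived from the registration number (a hash of a public identifier could be reversed by a bank that knows the number), and the key-to-identity mapping never travels with the shared rows.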


Online Banking Fraud


Are the Banks Losing the Fight?
Online banking fraud is as old as online banking itself. Bank accounts have always been a tempting target, as they are a direct avenue to money, the eventual target of almost any fraudster. What started with rather easily discernible phishing emails from individual fraudsters attempting to lure customers into providing their online banking credentials has now turned into a global, highly organised, multimillion if not multibillion dollar criminal economy. The participants include writers of exploit and malware toolkits, the owners of large botnets, as well as financial agents or money mules that transfer the catch to their recruiters, who in turn may hide behind forged identities obtained from criminal organisations.

Although phishing has been known for more than a decade, it has significantly increased both in volume and effectiveness[i]. According to several statistics, phishing is still a particularly prevalent attack worldwide on online banking users, causing significant damage. Unlike phishing, Trojans, the most insidious vehicle of online banking fraud, do not require the cooperation of the user at all. Some Trojans now have full control over all input and output to and from a web browser without being impeded in the least by most, if not all, server side security measures. This means that a Trojan can control what the user sees as well as the complete content of any request sent to the server. The most effective Trojans simply redirect a transaction that the user has just entered within their ostensibly secure online banking session to one of the financial agents instead of the intended beneficiary. They replace the recipient within the browser view in order to show the user the intended recipient instead of the financial agent. Even highly observant users have little to no chance of spotting an attack of this type.

The advent of widely available exploit or malware kits that even allow criminals with very limited IT skills to rapidly generate new and target-specific malware has massively increased the number of different malware implementations. Not only are these kits available for a few hundred to a few thousand dollars, but recently the source code of two prominent exploit toolkits, Zeus and Black Hole, has been posted freely on the web[ii]. This has overwhelmed the ability of pattern based malware detection to a degree where a significant percentage of new malware is not included in the signature files of any current antivirus product[iii]. Behaviour based detection has not been, and may never be, able to close the gap. In addition, the number of unpatched security vulnerabilities is steadily increasing[iv], with more than 70% of critical vulnerabilities remaining unpatched 6 months after their first detection. Most of these vulnerabilities are in one of the many applications that can be found on current PCs, giving criminals a continuously growing attack surface at which to aim their toolkits. The number of infected client PCs has therefore risen continuously over the last few years. According to Microsoft's Security Intelligence Report 2010[v], malware was detected on 8.7 out of 1,000 PCs worldwide by Microsoft's Windows Defender tool, an increase of around 25% over the previous year. The actual number of infected PCs is likely to be significantly higher, as Windows Defender is completely pattern based and will therefore only detect a limited percentage of existing malware. It must thus be assumed that millions of PCs worldwide are infected with malware, with no improvement in sight. And not only are more PCs being infected, but the average duration of an infection can be measured in months if not years[vi], as a rising percentage of malware signatures no longer find their way into the pattern files of the antivirus tools. Advanced online banking Trojans are only one part of a complex exploit process[vii] which makes use of botnets as a multilevel encrypted communication infrastructure between the Trojans and the Command and Control servers[viii].

Although security researchers and law enforcement agencies have recently had some successes at interrupting[ix] and even totally disabling some botnets[x][xi][xii], the number of bots worldwide continues to grow[xiii]. Detecting and deactivating botnets mainly relies on identifying their communication. Current botnets are trying to make spotting their communication harder[xiv], but they are still far from having exhausted all well published tricks for the obfuscation of electronic communication[xv]. It should therefore be expected that the number of bots worldwide, and therefore the threat to online banking, will continue to grow. The increasing use of Android and iOS smart phones for online banking, either via browser or via banking apps, opens up additional possibilities for attackers. Android security, or lack thereof, has recently been compared to that of Microsoft Windows based systems[xvi]. It seems though that most of the experience gained in securing Windows systems has not been transferred to the mobile world[xvii]. Sadly enough, the same cannot be said for the attacking side. Not surprisingly, online banking fraud has significantly increased over the past years, at least in those countries that publish detailed statistics for this type of crime[xviii][xix][xx][xxi]. It is not that banks, information security providers, security researchers and law enforcement agencies have not invested significant resources in combatting online banking fraud. Banks worldwide will likely have spent billions of dollars in securing their systems and detecting online banking fraud. The effort involved in successfully attacking online banking seems to simply be far less than that required to secure it.

The increasing trend of online banking fraud impacts not only banks and their customers directly, it also indirectly decreases the general public's trust in online banking security. The number of bank customers in Germany, for instance, that avoid online banking due to security concerns has risen markedly over the past two years, from 4% in 2009 to around 20% in 2010[xxii]. If this trend continues, it will have a significant impact on the operating costs of banks, as the cost of an online banking transaction is normally far lower than the cost of the same transaction in a branch. Does all of this mean that the banks are losing the fight and online banking will no longer be sustainable in the future? Not necessarily. Although most existing security measures have been successfully circumvented on a large scale, some options still remain. The following sections aim to point out successful methods for securing online banking, grouped by attack type and defence method.

Defense against phishing

Phishing is essentially a social engineering attack, relying on a ruse to trick online banking customers into disclosing their credentials, usually a user/account ID and password, or some other form of authentication factor. Phishers typically send out emails that contain links to a phisher's falsified copy of the online banking site. Users that follow these links are tricked into entering their online banking credentials on these phishing websites, allowing the criminal to execute a fraudulent banking transaction either at a later stage or in real time. Although there are a number of moderately successful techniques for detecting both phishing emails and phishing websites[xxiii], phishers have found ways to circumvent all of them[xxiv]. As phishing is not per se a technical attack but rather a social one, IT will in all likelihood never be able to fully negate the threat. Instead, banks should primarily rely on effective communication with their customers. This can be achieved by making exclusive use of secure communication channels and educating their customers accordingly. The most obvious choice for a secure channel is the online banking application itself. A number of banks have implemented communication functionality that offers most of the features of a web mail client, like an inbox and an archive, within their secure online banking applications. The main differences between these and normal web mail clients are the secure authentication directly to the bank's systems as well as the limitation to communications between customer and bank.

The customer can very well be informed about the availability of new messages in their secure inbox via normal email, as long as that email adheres to two principles:

a) Emails must never contain any links or graphics (and all emails should state that emails from the bank never do; postscripts are a very effective place for that, as research has shown that these, unlike the main text, are read by most if not all recipients).

b) The customer should always be addressed by name (and that fact can again be stated in a postscript).

If customers are constantly reminded that their bank does not send emails containing links or graphics and always addresses them by (their correct) name, the likelihood that these customers will fall victim to phishing emails is significantly reduced.
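The two principles above only work if they are enforced on every message the bank sends, so a pre-send gate is the natural control. The following is an added example (not the article's code, nor any bank's) of such a gate: it rejects an outgoing message that carries a link or a graphic, or that does not address the customer by name, and appends the reminder postscript. The postscript wording, the tag list and the sample messages are constructed for this example.

```python
"""Pre-send policy check for customer e-mails.

Added example, not code from the article or any bank. It enforces the two
principles above on an outgoing message (no links or graphics, customer
addressed by name) and appends the reminder postscript. The postscript
wording and the sample messages are constructed for this example.
"""
import re
from html.parser import HTMLParser

POSTSCRIPT = ("P.S. We never include links or images in our e-mails and we always "
              "address you by your name. New messages are waiting in the secure "
              "inbox of your online banking application.")

# A bare URL in plain text is a link too; a phishing lure does not need <a>.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
FORBIDDEN_TAGS = {"a", "img", "form", "iframe", "script", "object", "embed"}


class _TagScanner(HTMLParser):
    """Collects elements and attributes that would carry a link or a graphic."""

    def __init__(self):
        super().__init__()
        self.violations = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN_TAGS:
            self.violations.append(f"<{tag}> element")
        # href/src on any element (e.g. a styled <div>) also loads a link or graphic.
        for name, _ in attrs:
            if name in ("href", "src"):
                self.violations.append(f"{name} attribute on <{tag}>")

    def handle_data(self, data):
        self.text.append(data)


def check_email(body, customer_name, is_html=False):
    """Return (ok, violations) for an outgoing message body."""
    violations = []
    text = body
    if is_html:
        scanner = _TagScanner()
        scanner.feed(body)
        violations.extend(scanner.violations)
        text = "".join(scanner.text)   # check the visible text for bare URLs and the name
    if URL_RE.search(text):
        violations.append("URL in message text")
    if customer_name not in text:
        violations.append("customer not addressed by name")
    return (not violations, violations)


def prepare_email(body, customer_name, is_html=False):
    """Gate an outgoing message: raise on a policy breach, else add the postscript."""
    ok, violations = check_email(body, customer_name, is_html)
    if not ok:
        raise ValueError("policy breach: " + "; ".join(violations))
    return body + "\n\n" + POSTSCRIPT


# Constructed samples: one compliant text mail, one text mail with a bare URL and
# no name, one HTML mail with a link.
GOOD_TEXT = "Dear Ms Jane Example,\n\nA new message is waiting in your secure inbox."
BAD_TEXT = "Dear customer,\n\nPlease verify your account at www.example-bank.test/verify"
BAD_HTML = ('<p>Dear Ms Jane Example,</p>'
            '<p><a href="http://example.test/login">Log in</a></p>')

if __name__ == "__main__":
    print(prepare_email(GOOD_TEXT, "Jane Example"))
    for body, is_html in ((BAD_TEXT, False), (BAD_HTML, True)):
        print(check_email(body, "Jane Example", is_html))
```

Running the gate on the mail-merge output, rather than trusting the template, is what catches the cases that erode the policy in practice: a marketing template with a tracking pixel, or a signature block that gained a link.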


The total relinquishment of normal email as a communication channel may not be initially palatable to the business, but it does offer some less obvious additional advantages. By moving the communication to the online banking platform, the customer will more often access that platform, opening the way for more effective directed marketing and increasing the propensity to make use of online functionality. In addition, communication through the online platform, unlike email, can more easily be integrated directly with business process solutions, decreasing operational effort and reaction times while increasing communication visibility and quality. Although the above approach will not fully eliminate phishing, it will significantly reduce the number of successful phishing attacks by effectively educating the customer without significantly impacting usability or cost.

Defense against client side Trojans

As mentioned above, it must be assumed that a significant percentage of customer PCs are infected with banking Trojans. It must also be assumed that the number of infected PCs will continue to rise for the foreseeable future. The most advanced of these Trojans have full control over the browser, can read all keyboard input via key loggers and even take screenshots around the mouse pointer every time the mouse button is pressed. Due to the client side nature of the attack and the lack of control over, or even visibility of, these clients by the banks, the main problem is to discriminate between legitimate customer actions and fraudulent manipulations by the Trojans. Another option is to impede or totally avert a Trojan's actions. The following paragraphs will highlight both options.

Quick wins

Although current Trojans are quite intimidating in regard to their ability to circumvent most known defence measures, they are still only software and, as with all software, are usually far from capable of dealing with unexpected situations. This weakness can be exploited to impede the actions of at least some Trojans, albeit only until the attackers have found a way to deal with the obstacles. Due to the temporary viability of these defences, their cost should be significantly lower than the expected gains, as experience has shown that attackers have been able to circumvent them faster than anticipated. One problem most Trojans face is discriminating between normal web traffic and online banking. This can be further complicated by two tried and tested obfuscation mechanisms: URL encryption and form field encryption. URL encryption relies on replacing the obvious online banking components of bank URLs with constantly changing random strings. A URL of the type www.bankname.com/onlinebanking/ will then for instance be transformed to www.bankname.com/Yiuy77ggh5/. The conspicuous URLs in online banking pages are normally replaced with these strings by a proxy server which is located in front of the application. On their way back from the client, the proxy server will replace the random strings with the original URLs again before the requests reach the online banking application. This is usually more cost effective than modifying the application itself. In addition to bespoke implementations, some web application firewall products are capable of URL encryption, although most struggle when confronted with URLs embedded in JavaScript. Similar to URL encryption, it is also possible to replace the names of conspicuous form fields like userName or password with constantly changing random strings. This will make it more difficult for the attacker to automatically identify online banking credentials. Again, bespoke proxy implementations or commercial web application firewall products are commonly used to facilitate this. Both methods need to be applied to a large number of web pages, ideally to the complete web presence of the bank, in order to be effective. Otherwise Trojans will be able to easily discriminate between online banking and other activities.

Detection of fraudulent transactions

Banks and specialist product vendors have invested heavily in methods for detecting deviations in customer transactions that could indicate the actions of Trojans. The detection algorithms and their capabilities are normally treated as highly confidential, so as not to give attackers any advantage. Nonetheless, a significant percentage of fraudulent transactions still go unnoticed, mostly because they do not deviate significantly from the normal transaction pattern of the customer. Criminals have successfully adapted their attacks to reduce the detection probability. One recent example is the concentration on the accounts of small and medium businesses, where one-time high value transactions to foreign countries are more prevalent[xxv]. Fraud detection is still an effective tool against online banking Trojans, but can only reduce losses to a limited and possibly decreasing degree as criminals learn to reduce the visibility of their transactions.

Making use of a secure channel

As described earlier, at least some current Trojans are capable of controlling the browser and manipulating user input as well as the bank's response. By essentially seeing what the user sees and being able to do what the user does, these Trojans are capable of circumventing all types of channel encryption as well as all single- to n-factor authentication mechanisms. Therefore, it does not make much sense to add authentication factors like one-time pass keys, challenge-response based tokens or even biometrics (or to replace existing authentication factors with them). This of course assumes that the existing authentication mechanism is non-trivial to circumvent, i.e. does not allow short and simple passwords in combination with the account number as customer identifier. Instead of authentication, the focus should be on securing the authorisation of transactions. Banks have developed a number of mechanisms to achieve just that. The first were pre-generated printed lists of random numbers - essentially one-time pass keys - usually called transaction numbers or TANs. After entering an online banking transaction, the user had to enter the next TAN on their list for the transaction to be processed. It turned out that simple TANs were easily acquired by phishing, along with user IDs and passwords. In order to make phishing more difficult, the next step was the addition of a challenge-response mechanism to the basic TAN list: the user would be asked to provide a specific TAN on the list. This improved TAN mechanism is also known as iTAN. Electronic versions of the iTAN were later introduced to further reduce the probability of a phisher

28

2/2011

Online Banking Fraud

to acquireing both logon credentials as well as a sufficient number of TANs. One type of implementation of these electronic iTANs or one-time pass keys is a chip or chip card in combination with a reader that is capable of generating an individual key for every transaction. The challenge-response capable versions of these readers either have a small numerical keyboard in combination with a display or are directly connected to the PC (class 1 card or class 2 chip card readers). Some banks have also implemented an SMS based version of the one-time pass key, where the key is sent to the pre-registered mobile number of the customer within an SMS. An even less expensive type of challenge response mechanism comes in form of an individual character-number matrix printed on a simple plastic or paper card. In order to confirm a transaction, the customer is given one or more charter/number combinations, i.e. a3, c2 and f6 and then needs to find and enter the corresponding fields in the matrix in order for the transaction to proceed. Although capable of reducing the effectiveness of phishing and simple Trojans to a certain degree, all of the transaction security measures described above fall far short of their goal to significantly reduce online banking fraud. Their main shortcoming is their inability to prevent man-in-the-middle type attacks like those used by phishing sites that emulate online banking applications to the customer and customer transactions to the bank in real time. They are also incapable of stopping or even enhancing detection rates of attacks where a Trojan has taken control of the customers browser (known as man-in-the-browser attack). Currently the only implemented way of effectively frustrating frustrate attacks as previously describedof the above type is the introduction of a secure channel, physically independent from the browser. This has been achieved by the addition of a confirmation mechanism to the electronic one-time pass keys already described. 
One of the easiest implementations was the addition of confirmation information to the SMS based implementation. The confirmation should, as a minimum, contain the beneficiary's account number and may also contain the amount of the transaction, as these two parameters are most often changed by Trojans or phishing sites. Another less widely used option is the introduction of class 3 chip card readers which are connected to the customer's PC and have a separate display to show confirmation parameters. A third option is to make use of confirmation information encrypted in graphics and displayed by the browser. This can either be in the form of animated graphics, with the information encoded in the frequency of a colour change (known as flicker code), or in the form of a two or three dimensional barcode (colour being the third dimension). These graphics can then be decrypted by the customer either with specialised, albeit inexpensive, hardware or with an application on a smartphone, making use of the phone's built-in camera. The decrypted information contains both a one-time pass key as well as the beneficiary's account number and the amount of the transaction as received by the bank.

Although all three methods have been proven to significantly reduce online banking fraud, they all have drawbacks. Malware kit vendors have recently integrated a social engineering initiated attack on the SMS based confirmation mechanism (xxvi, xxvii). The attackers are thereby capable of not only identifying the customer's mobile number in real time but also of infecting the customer's smartphone itself with a Trojan. That Trojan is then capable of modifying the confirmation information that the customer receives via SMS to show the intended beneficiary and amount instead of the account of the money mule, as modified by the Trojan on the PC. In addition, the increasing use of smartphones to access online banking takes away the advantage of a separate channel, effectively letting a single Trojan control both browser or app and SMS.

Class 3 chip card readers need to be connected to the client PC via USB. This can significantly inconvenience customers that either want to make use of online banking from their workplace (a large percentage, as most banks will confirm) or make use of mobile clients like notebooks, smartphones and tablets, which either cannot connect to these USB devices or where taking them along would be seen as too cumbersome.

The most significant drawback of all three confirmation channels is their reliance on the users spotting a fraudulent transaction by comparing the confirmation information with the data they entered. Microsoft has not been alone in finding that users all too lightly ignore message contents in favour of faster results. It is therefore likely that a significant percentage of users will not spot an altered transaction and therefore fall prey to a Trojan.

There is one more successful implementation which does not suffer from the drawbacks of the other channels. It is based on a standalone chip or chip card reader in combination with a small device with a numerical keyboard and a small display. In order to authorise a transaction, the customer enters a number of digits from the beneficiary's account number, usually the last six digits, into the device as a challenge and is presented with a one-time pass key as the response. This key is specific to the entered digits of the beneficiary's account number, and any modification of these digits by a Trojan or a phishing site will invalidate the transaction.

The main advantage of this approach is that it does not rely on the user's vigilance to spot a fraudulent transaction. In addition, the cost of the devices and chips is rather low compared to other devices. It does need to be combined with good and repetitive customer information to reduce the risk of successful social engineering based attacks. If implemented in a secure fashion and used only for transaction signing though, this defence has yet to be successfully circumvented.
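A worked model of this last defence, added here as an illustration and not taken from the article or from any bank's or vendor's product: the bank recomputes the challenge from the beneficiary it actually received, so a beneficiary swapped by a Trojan yields a code that does not verify. The HMAC construction, the counter window, the device secret and the sample IBANs are assumptions.

```python
"""Challenge-response transaction signing of the kind described above: the
customer types the last six digits of the beneficiary's account number into a
standalone device, and the bank verifies the returned one-time code against the
beneficiary it actually received.

Added illustration, not a particular bank's or vendor's scheme. The device
secret, the counter scheme and the HOTP-style truncation are assumptions."""
import hashlib
import hmac

CHALLENGE_DIGITS = 6   # trailing account digits the customer is asked to type
CODE_LENGTH = 6        # digits shown on the device display


def challenge_from_account(account_number: str) -> str:
    """Digits the customer types: the last six digits of the beneficiary account."""
    digits = "".join(ch for ch in account_number if ch.isdigit())
    if len(digits) < CHALLENGE_DIGITS:
        raise ValueError("account number too short for a challenge")
    return digits[-CHALLENGE_DIGITS:]


def device_response(secret: bytes, counter: int, challenge: str) -> str:
    """What the standalone reader displays for a typed challenge.

    Assumed construction: HMAC-SHA256 over an event counter and the challenge,
    truncated to a numeric code the way RFC 4226 HOTP truncates.
    """
    msg = counter.to_bytes(8, "big") + challenge.encode("ascii")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_LENGTH).zfill(CODE_LENGTH)


class SigningServer:
    """Bank side: shares the device secret and verifies codes for received orders."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0        # next counter value the server will accept
        self.window = window    # tolerate a few unused presses on the device

    def verify(self, received_beneficiary: str, code: str) -> bool:
        # The challenge is recomputed from the beneficiary the bank received,
        # never from anything the browser claims the customer typed.
        challenge = challenge_from_account(received_beneficiary)
        for c in range(self.counter, self.counter + self.window):
            expected = device_response(self.secret, c, challenge)
            if hmac.compare_digest(expected, code):
                self.counter = c + 1   # a used counter is never accepted again
                return True
        return False


# Constructed sample values, not real accounts or keys.
DEVICE_SECRET = b"constructed-device-secret-not-a-real-key"
INTENDED_BENEFICIARY = "DE89370400440532013000"
MULE_ACCOUNT = "DE12500105170648489890"


def submit_transfer(server: SigningServer, device_counter: int,
                    trojan_active: bool) -> bool:
    """Customer pays INTENDED_BENEFICIARY; returns whether the bank accepts.

    With trojan_active=True the order is rewritten to MULE_ACCOUNT on its way
    to the bank, while the customer still types the digits shown on screen.
    """
    typed = challenge_from_account(INTENDED_BENEFICIARY)
    code = device_response(DEVICE_SECRET, device_counter, typed)
    sent_to_bank = MULE_ACCOUNT if trojan_active else INTENDED_BENEFICIARY
    return server.verify(sent_to_bank, code)


def demo() -> tuple:
    """Honest transfer, a Trojan-altered one, and a replay of the honest code."""
    server = SigningServer(DEVICE_SECRET)
    honest = submit_transfer(server, device_counter=0, trojan_active=False)
    tampered = submit_transfer(server, device_counter=1, trojan_active=True)
    replayed_code = device_response(DEVICE_SECRET, 0,
                                    challenge_from_account(INTENDED_BENEFICIARY))
    replay = server.verify(INTENDED_BENEFICIARY, replayed_code)
    return honest, tampered, replay


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```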

Conclusion

In conclusion it can be said that, despite the increasing sophistication of the attackers, there are still some ways of impeding or even effectively preventing online banking fraud. On the other hand, unless the vast majority of banks implement effective defences, the reputational damage caused by online banking fraud will continue to grow. Due to the media attention this will attract, the current pronounced trend towards less customer confidence in online banking security is likely to be reinforced, making transactions more expensive for all banks.

Maximilian Dermann
was actively involved in designing and implementing four online banking and brokerage solutions for European banks. He was later responsible for e-business security at a large European aerospace and defence corporation for close to six years. Max has been working as an information security architect for Datacom Systems in Wellington, New Zealand since 2009.

2/2011

29

Online Banking Security Magazine

Secure Website Development & Design


A Web application is an application that resides on a company's Web server, which any authorized user can access over a network, such as the World Wide Web or an Intranet.

A Web application is a three-layered application. Normally, the first layer would be a Web browser, the second would be a content generation technology tool such as Java servlets or ASP (Active Server Pages), and the third layer would be the company database. The Web browser makes the initial request to the middle layer, which, in turn, accesses the database to perform the requested task, either by retrieving information from the database or by updating it. Since Web applications reside on a server, they can be updated and modified at any time without any distribution or installation of software on the clients' machines, the main reason for the widespread adoption of Web applications in today's organizations. Examples of Web applications include shopping carts, forms, login pages, dynamic content, discussion boards and blogs.

A shopping cart is a typical Web application example

The hacker's life has become tougher in recent days. Thanks to various intrusion detection and defense mechanisms developed by network security companies, it is no longer easy to breach security perimeters and gain unauthorized access to an organization's network. Today, firewalls, security scanners and antivirus software protect almost all corporate networks. Hemmed in by such constraints, hackers have been researching alternate ways to breach the security infrastructure. Unfortunately, hackers have been successful in finding a gaping hole in the corporate security infrastructure, one of which organizations were previously unaware: Web applications. By design, Web applications are publicly available on the Internet, 24/7. This provides hackers with easy access and allows almost unlimited attempts to hack the application. While the adoption of Web-based technologies for conducting business has enabled organizations to connect seamlessly with suppliers, customers and other stakeholders, it has also exposed a multitude of previously unknown security risks.

According to Pete Lindstrom, Director of Security Strategies with the Hurwitz Group, Web applications are the most vulnerable elements of an organization's IT infrastructure today.

High-Profile Web Application Hacks

Web Applications Are Easy to Hack

The gaping security loophole in Web applications is being exploited by hackers worldwide. According to a survey by the Gartner Group, almost three-fourths of all Internet assaults are targeted at Web applications.

The first reported instance of a Web application attack was perpetrated in 2000 by a 17-year-old Norwegian boy. While making online transactions with a large bank, he noticed that the URLs of the pages he was opening displayed his account number as one of the parameters. He then substituted his account number with the account numbers of random bank customers to gain access to the customers' accounts and personal details.

On October 31, 2001, the website of Acme Art Inc. was hacked and all the credit card numbers from its online store's database were extracted and displayed on a Usenet newsgroup. This breach was reported to the public by the media and the company lost hundreds of thousands of dollars due to orders withdrawn by wary customers. The company also lost its second phase of funding by a venture capital firm.

Similarly, the 2002 turnover report of a Swedish company was accessed prior to its scheduled publication. The perpetrator simply changed the year parameter in the URL of the previous year's report to that of the present year to gain complete access.

In another 2002 incident, applicants to Harvard Business School accessed their admission status before the results were officially announced by manipulating the online Web application. This third-party Web application was also used by other universities. Upon receiving replies to their applications from these other schools, the applicants examined the URL of the reply and found two parameters that depicted the unique IDs of that school's students. Then, they simply substituted the values in those two parameters in the reply URL with their Harvard IDs, which returned the desired information. This procedure, posted on a businessweek.com online forum, was subsequently


employed by over a hundred students eager to know their admission status. When the authorities detected this leakage, these students were denied admission.

In June 2003, hackers detected that the Web applications of the fashion label Guess and pet supply retailer PetCo contained SQL injection vulnerabilities. As a result, the credit card information of almost half a million customers was stolen.

Website defacement is another major problem resulting from Web application attacks. Hackers have learned to modify the source code of many websites. During the 2004 Christmas holidays, the Santy worm entered Web application servers, defacing 40,000 websites in a single day. On November 29, 2004, SCO's website logo was replaced by the text "We own all your code, pay us all your money". Similarly, on December 6, 2004, the homepage of Picasa, the picture sharing facility from Google, was hacked and replaced with a totally blank page.

Check for presence of input validation: Input validation consists of the validation that most Web applications incorporate to determine whether particular data input is safe and validated. Unsafe data is rejected and not processed further. Laxity in input validation is a prime access pathway for hackers. If they manage to outwit the input validation check post, they can use this path to send malicious inputs to the server.
Mount the attack: After examining the entire scenario, from the server to the application, and isolating all the loopholes and vulnerable target areas, the hacker now mounts the attack.

Hackers' Favorite Web Attack Modes


SQL injection: The hacker transmits SQL query commands to the database residing on the server via the Web application. This is done in two ways: SQL commands are entered in form fields on the webpage, or SQL queries are inserted into required input parameters. Thus, the hacker is able to run SQL queries and commands on the server.
Cross-site scripting: The hacker inserts malicious data into a dynamic webpage. Websites that include only static webpages have control over user interaction because a static webpage is a read-only page that does not permit user interaction. Therefore, a would-be hacker can only view the page without being able to cause any damage. However, a dynamic webpage is open to user interaction, so a hacker can insert hazardous content without the website or Web application being able to differentiate this content from innocuous content. The key to the cross-site scripting vulnerability is that a hacker can cause the actual Web server to send a webpage with malicious content to the unsuspecting user. The hacker can then transfer the user's input to another server.
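The two attack modes above, shown as an added example (not code from the article) with a vulnerable handler next to its hardened form; the in-memory table, its rows and the form inputs are constructed.

```python
"""SQL injection and cross-site scripting as described above, each shown as a
vulnerable handler next to its hardened form. Added illustration, not code from
the article; the in-memory table, its rows and the form inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """Form field values pasted into the query text: the SQL injection case.
    A crafted field is parsed as SQL and changes what the WHERE clause means."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name: str, password: str) -> list:
    """Parameterised query: the inputs are bound as data, never parsed as SQL.
    (A real application would also compare password hashes, not plaintext.)"""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def render_comment_vulnerable(comment: str) -> str:
    """Dynamic page that echoes user content unchanged: the cross-site scripting
    case. Markup supplied by one poster is served to every later visitor."""
    return '<div class="comment">%s</div>' % comment


def render_comment_hardened(comment: str) -> str:
    """Escape on output so the content is displayed as text, not interpreted."""
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


def serves_script_tag(page: str) -> bool:
    """Walk-through check: did a live <script> tag survive into the output?"""
    return "<script" in page.lower()


def demo() -> dict:
    """Run both handlers on constructed form inputs and report what happened."""
    conn = make_db()
    # Constructed inputs a form could carry: the quote/OR trick makes the
    # WHERE clause true for every row; the script tag is a standard XSS probe.
    sqli_field = "' OR '1'='1"
    xss_field = "<script>alert(1)</script>"
    return {
        "vulnerable_login": login_vulnerable(conn, "anyone", sqli_field),
        "hardened_login": login_hardened(conn, "anyone", sqli_field),
        "honest_login": login_hardened(conn, "alice", "s3cret"),
        "vulnerable_page": serves_script_tag(render_comment_vulnerable(xss_field)),
        "hardened_page": serves_script_tag(render_comment_hardened(xss_field)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```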

Liability

Companies face a number of legal implications from Web application attacks and lax security measures. Victoria's Secret, one of the world's leading lingerie manufacturers, was sued in 2005 when details about individual customers' purchases became accessible from its database. The company was directed to pay a $50,000 fine to New York State and settle all monetary claims by customers. The same method was used in 2005 to access social security numbers and other details of a Tennessee payroll organization. The modus operandi was the same: change the value of the customer ID parameter in the URL. In 2004, the Federal Trade Commission (FTC) filed judgments against a number of global organizations for privacy and security policy violations when it was discovered that there was a leakage of customer information from company databases caused by Web application intrusions. For financial as well as legal reasons, it is imperative for companies to make their Web applications totally foolproof.

Hacking Web Applications: The Modus Operandi

Hackers have a wide arsenal of attack mechanisms, from which they choose the one most suited to a particular vulnerability. They use a very systematic plan of action. These steps can be classified as:
Study server infrastructure and server OS/type: The hacker first analyzes the properties of the server to be hacked, the operating system running on the server, and the server type. A port scan is then initiated to detect all open HTTP and HTTPS ports to single out the port to be attacked.
Survey the website/application: The hacker examines the website for any loopholes that can be exploited. Loopholes could take the form of feedback or inquiry forms that utilize GET and POST variables that hackers can use to their advantage. The hacker also inspects authentication and logon pages for any chances of accessing the server. The success of this method is evident from the 2000 incident involving the Norwegian boy. He was able to bypass required authentication by bookmarking the target page after going through authentication on his initial visit. A good hacker will go through almost every interactive element on a webpage or website in order to gain access to the server. The hacker also goes through the application script to check for any development glitches that can be exploited.

Forums are often vulnerable to cross-site scripting attacks

Directory traversal attacks: This attack is also called the ../ (dot dot slash) attack. With this attack, the Web application is manipulated to allow access to files or other resources on the server that are not normally accessible. The attack works by changing the parameter that an application would use to access a certain file. For instance, suppose the value of the parameter includes the path of a particular file. Placing ../ at the beginning of the parameter value forces the application to access the file in the parent directory. By placing a series of ../ and then giving a different file name at the end, a particular file in the root directory can be retrieved.
Parameter manipulation: This involves manipulating data transmitted between the browser and Web application. Parameter manipulation can be carried out in the following ways:
Cookie manipulation: Cookies maintain a certain state in HTTP by storing user preferences and information related to session maintenance. All cookies can be changed at the client end and then sent to the server with URL requests. Thus, a hacker can easily manipulate the data residing within a cookie.
HTTP header manipulation: HTTP headers consist of control information that is sent from the Web client to the Web server during HTTP requests, and sent from Web servers to Web clients during HTTP responses. Since the HTTP request headers originate from the client, a hacker can easily modify them.
HTML form field manipulation: Form fields contain values of all the check boxes checked, radio buttons selected, text fields filled or any other action by a user on a particular webpage. This data is then sent to the server. Moreover, there can be hidden fields not visible to the user on the page that are sent to the server. A potential hacker can manipulate the form fields to send any value. One example of this manipulation is to simply right-click the mouse on the webpage to view the source code, alter it, save the changes and then reload the page in the browser.
URL manipulation: The HTML forms mentioned above are submitted in a process that requires a certain result to be displayed to the user before the result is displayed on a fresh webpage. The URL of this page will contain all the form field names and their respective values, which can be easily manipulated.
Authentication attacks: The hacker searches for valid authentication to access and enter the server from a Web application. For this kind of attack, a database of usernames and passwords is maintained in order to maximize authentication and thereby obtain access to restricted domains.
Known exploits: The hacker community is very close-knit; newly discovered Web application intrusions are posted on a number of community forums and websites known only to members of that group. These postings are updated on a daily basis and are used to facilitate further hacking.
Directory enumeration: Analyzing the website's entire directory structure, the hacker seeks out hidden directories. These hidden directories could contain administrative data that the hacker may find valuable when launching attacks.
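Server-side handling of three of the parameter manipulation cases above (an account id carried in the URL, a file-name parameter that may carry ../, and a cookie the client can edit), as an added example that is not the article's own code; the account data, paths, cookie payload and secret are constructed.

```python
"""Server-side handling of three parameter manipulation cases listed above: an
account id carried in the URL, a file name parameter that may carry ../, and a
cookie the client can edit. Added illustration, not the article's code; the
account data, paths, cookie payload and secret are constructed."""
import hashlib
import hmac
import posixpath

# Constructed sample data: existing accounts and who owns them.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 120.0},
            "1002": {"owner": "bob", "balance": 310.0}}
COOKIE_SECRET = b"constructed-server-side-secret"


def account_view_vulnerable(session_user: str, account_param: str):
    """The 2000 bank incident pattern: the URL parameter alone selects the
    record, and the logged-in user (session_user) is never consulted."""
    return ACCOUNTS.get(account_param)


def account_view_hardened(session_user: str, account_param: str):
    """Return the record only if it belongs to the authenticated session user.
    Unknown and foreign ids get the same answer, so ids cannot be probed."""
    record = ACCOUNTS.get(account_param)
    if record is None or record["owner"] != session_user:
        return None
    return record


def resolve_download(base_dir: str, requested: str):
    """Map a file-name parameter to a path that must stay inside base_dir.

    The joined path is normalised (collapsing any ../ the client inserted) and
    rejected if it would leave base_dir, name base_dir itself, or is absolute.
    """
    if requested.startswith("/") or "\\" in requested:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def issue_cookie(payload: str) -> str:
    """Cookie value carrying an HMAC tag so client-side edits are detectable."""
    tag = hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (payload, tag)


def read_cookie(cookie: str):
    """Return the payload only if its tag verifies; an edited cookie yields None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, tag) else None


def demo() -> dict:
    """bob is logged in and each manipulation is attempted with constructed inputs."""
    cookie = issue_cookie("user=bob;role=customer")
    tampered = cookie.replace("role=customer", "role=admin")
    return {
        "vulnerable_foreign_account": account_view_vulnerable("bob", "1001") is not None,
        "hardened_foreign_account": account_view_hardened("bob", "1001"),
        "hardened_own_balance": account_view_hardened("bob", "1002")["balance"],
        "traversal_download": resolve_download("/srv/app/reports", "../../etc/passwd"),
        "normal_download": resolve_download("/srv/app/reports", "2010/report.pdf"),
        "genuine_cookie": read_cookie(cookie),
        "tampered_cookie": read_cookie(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```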

What needs to be taken care of before designing a website

The current Scenario

Website Security
It is standard to use a secure connection when collecting sensitive data, such as a visitor's personal information. The levels of security currently used in websites are none, 40-, 52- and 128-bit, where 128-bit is the highest level of page security. Encryption is the most effective tool for protecting information. Data is scrambled so that only the intended recipient can unscramble and read the contents. It is useful for ensuring the protection of the information, but it does not address the issue of privacy after the information has been collected.

Application Side Tests that have to be done
Organizations need a Web application scanning solution that can scan for security loopholes in Web-based applications to prevent would-be hackers from gaining unauthorized access to corporate applications and data. Web applications are proving to be the weakest link in overall corporate security, even though companies have left no stone unturned in installing the better known network security and anti-virus solutions. Quick to take advantage of this vulnerability, hackers have now begun to use Web applications as a platform for gaining access to corporate data.

The Payment Card Industry Compliance - Securing both Merchant and Customer data

1. What is PCI Compliance?

This white paper introduces the Payment Card Industry Compliance standard, and the security threats which brought about the need to standardize the data protection of both merchants and customers. The internet is no longer just a source of information, but it is a trading universe where thousands of credit and debit card transactions are carried out every second. Private data is transmitted and stored online through systems which have been exploited numerous times, resulting in immense financial repercussions on both traders and buyers. PCI Compliance is a structured security checklist which aims at securing financial data, and helps to distinguish the secure and reliable businesses from the risky ones. This compliance structure is also used in the Acunetix WVS Reporting Application, and allows security alerts to be presented in a document which abides by the PCI specification.

Time and time again, security breaches and system exploits have resulted in the theft of millions of dollars' worth of credit card details and personal document information. Over the years, large businesses including banks have suffered security breaches which caused the theft of customers' private data. In 2004, the Payment Card Industry Data Security Standard was created in a joint effort by the major credit card companies (American Express, Visa, MasterCard and Discover), with each one of the credit card companies having its separate standard detail. On the 30th of June 2005, the PCI DSS regulations were standardized and implemented. Each credit card company created its own security policy as follows:
American Express: Data Security Operating Policy (DSOP)
Visa: Cardholder Information Security Program (CISP)
Discover: Discover Information Security and Compliance (DISC)
MasterCard: MasterCard Site Data Protection (SDP)

The PCI Compliance regulation is designed to be implemented by organizations which process transactions made through these credit or debit card types, and severe penalties may be imposed on businesses which suffer a security breach as a result of lack of compliance with the PCI standard. Also, businesses which do not enforce the compliance correctly, or choose not to comply, may be denied the right to process card transactions altogether. Since the compliance regulations are subject to constant development and improvement, participating businesses are required to closely observe the changes in any requirements of the card systems which they process. In September of 2006, the five major card brands (American Express, Discover, JCB, MasterCard and Visa) joined to create the PCI Security Standards Council, which is an independent body established to monitor and develop the PCI standard. The announcement of the creation of this council also brought forward version 1.1 of the standard. While the council manages the detailing and implementation of the regulatory standard, it is the card companies which dictate their separate requirement specifications, and the way they are implemented according to the size of the organization.

PCI Security Standards Council duties (http://www.pcicomplianceguide.org):
Develop and maintain a global, industry-wide, technical data security standard for the protection of account holder account information.
Reduce costs and lead times for Data Security Standard implementation and compliance by establishing common technical standards and audit procedures for use by all payment brands.
Provide a list of globally available, qualified security solution providers via its Web site to help the industry achieve compliance.
Lead training, education and a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), providing a single source of approval recognized by all five founding members.
Provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of data security standards.

Each card brand is to administer its own requirements structure and impose its own penalties on businesses which fail to comply.

2. The Compliance Regulations

The PCI compliance specification describes a set of requirements which participating businesses must observe to ensure that correct measures are taken to secure all data, both internal and externally exposed.

Participating financial establishments must ensure the following 6 categories:
1. Secure Network Design and Maintenance
Installation and maintenance of firewall implementation to protect cardholder data
Default hardware and software credentials and security configuration must be changed
2. Cardholder Data Protection
Cardholder data must be diligently safeguarded and protected
Cardholder data transmitted over publicly available networks must be encoded
3. Vulnerability Management Program Maintenance
An updated anti-virus solution must be in use at all times
Secure systems and applications must be developed and maintained
4. Strong Access Control Measures Implementation
Access to cardholder data must be restricted to business need-to-know
Each person who has computer access must have a unique ID
Physical access to cardholder data must be restricted
5. Regular Network Testing and Monitoring
All access to network resources and cardholder data must be tracked and monitored
Security systems and processes must be tested regularly
6. Information Security Policy Maintenance
A policy that addresses information security must be implemented and maintained

These 6 guidelines must be diligently carried out in the participating business system implementations, and regular testing must be performed to ensure that these standard requirements are all in action at any given moment. The ease with which merchants can achieve PCI compliance depends on the annual transaction quantities processed by the company. For this reason, merchants who require PCI compliance are categorized into 4 separate groups as follows:
Level 1: Businesses which process over 6,000,000 annual transactions; businesses which have already suffered an attack resulting in compromised data; businesses which have already been classified as Level 1 by another card company
Level 2: Businesses which process between 150,000 and 6,000,000 annual transactions
Level 3: Businesses which process between 20,000 and 150,000 annual transactions
Level 4: Businesses which process less than 20,000 annual transactions

3. Protecting the Consumer

Consumers who use credit/debit cards online to purchase products or services risk suffering financial losses when businesses process their transactions through systems which are not secure. There have been an infinite number of cases involving the theft of credit card details from the databases of exploited web applications. Most often, these details get sold on the black market for illicit transactions. In these cases, both the organization and the consumer could suffer great losses. However, another issue which gets less coverage than financial loss is the problem of identity theft. Identity theft is the act of using someone else's personal details, like name, address, social security number or purchase history, without authorization, for fraudulent reasons. Studies indicate that in the USA alone over 9 million citizens are victims of identity theft, and experience repetitive abuse of their personal details for several illegal transactions done in their name. These victims usually have no idea about their details being maliciously used until debt collectors show up at their door, or until shocking bills are found in the mail.

A recent case which shook security professionals around the world was the severe TJX exploit. The owner of the clothing retailers T.J. Maxx and Marshalls Inc. suffered the largest known data theft to date. Hackers invaded the TJX systems, resulting in at least 45.7 million credit and debit card numbers stolen over an 18-month period, as well as the personal data, including driver's license numbers, of another 455,000 customers who returned merchandise without receipts. TJX first learned that there was suspicious software on its computer system on Dec. 18, 2006; however, the stolen data covered transactions dating as far back as December 2002.

The PCI compliance standard aims to stop the cause of online financial and identity theft at its source by ensuring that the systems which process and store customer details and transaction information are secure. Web attacks and technological flaws in network security will always keep businesses and security experts on their toes, and once vulnerabilities are secured new ones are being discovered. That is why the PCI compliance standard is an ongoing process which must be maintained at all stages of the online business operation, from designing a system to implementing and running it in the real world.

4. Compliance Certification

The PCI compliance is implemented on both the technological and administrative side of the business process. A solid guideline must be implemented when it comes to company employees handling customer data and processing transactions. Many exploits are actually performed from the inside, and on several occasions members of staff have been convicted of theft, or of actions which led to data being illegally acquired. Businesses must also keep track of any changes made to the technical or business process, to ensure that each change is followed by the relevant security counter-measure designed to be successful in a security audit. Data protection and preservation must also be enforced upon elements which do not involve consequences brought about by human involvement. Technical failures must be considered, and timely backups of all precious data must be performed. These backups must be encrypted and stored in specific areas which can only be accessed by authorized administrators or management.

All businesses which apply the PCI compliance procedure must use the services of approved companies to perform compliance security scans. The results of these scans are issued in detailed compliance reports which are then used for approval according to the specific card company requirements. The PCI Security Standards Council manages the process for security companies to become Approved Scanning Vendors (ASVs), and PCI compliance reports may only be issued by these approved entities.

5. Security Assessment Tools

The PCI Compliance specification is more than just a rule-set by which organizations must abide. It is also a guideline which provides a method to trace and secure all the potential security flaws which might be exploited. Detecting these potential exploits is made easier by using tools such as web vulnerability scanners and network scanners. A web vulnerability scanner is a software product which performs an in-depth assessment of a web application or web service. It detects all the security flaws which may be exploited by a hacker whose intention is to gain access to web servers, internal networks, and back-end databases. The web application is often overlooked when organizations allocate funds to purchasing high-spec intrusion detection systems and network security systems. However, a common mistake is to forget that if a website is made publicly available then it also provides an entry point which is open 24 hours a day. Web vulnerability scanners assist developers in identifying these possible entry points and securing the web application to prevent this from happening. Network scanners, on the other hand, are tools which scan network hosts for open ports, missing security patches on operating systems and server technologies, potential exploits discovered in applications installed on a network, network device weaknesses, and incorrectly configured user rights. These security risks are resolved by various configurations and the application of security software patches and updates. Any changes in a network infrastructure may open potential security breaches; therefore regular scans must be on any system administrator's maintenance schedule.


The growing pitfalls of remote account opening


Corporate customers are globalising, whilst centralising financial management for efficiency and for cost-saving. This means a desire to open and operate bank accounts remotely, without travelling to the many countries concerned.

The result is an increasing demand for remote, overseas corporate account opening processes, processes that should be streamlined, easy to comply with, and risk-free. At the same time, on the supply side, many banks are being compelled to reduce their international capabilities by the fallout from the credit crisis, while those banks that have never had international operations are seeking to acquire capabilities without building them. In parallel, new regulations around Know Your Customer / Know Your Customer's Business / Anti-Money Laundering (or KYC, KYB and AML) are changing the demands of existing Remote Account Opening models, especially where the account-holding entity is a non-resident of the country concerned (e.g. a US-registered legal entity requiring an account in Spain). A further factor is the migration to the Single Euro Payments Area in Europe, which alters the status of banking details from a set of routing instructions to uniquely identifying an account at a financial institution in a country. A bank should not issue those details without going through the full KYC/KYB/AML due diligence.

The industry discussion on this topic has been around enabling the centralized customer to issue electronic instructions about existing accounts (eBAM), but not about the more fundamental topic of the risks and issues for the banking participants in different Remote Account Opening models, and under what circumstances the solutions that corporates now use could be taken off the market.

The motion in the regulatory world on these issues has not made it into the customer world, and that entry could be dramatic if the banking industry is not more transparent about what KYC/KYB/AML work should be done at each participant in order, for example, to merit the issuance of an International Bank Account Number. Regulators and legal authorities have rightly been harsh on institutions that err in this general area: Lloyds TSB agreed to pay $350m (£231m) to the US government for helping customers get around American AML sanctions on dealing with Libya, Sudan and Iran, and this led directly to the SWIFT MT202 COV message being introduced at significant cost to the entire industry. It would greatly assist the industry and the customers using Remote Account Opening if there were an accepted methodology of ranking different approaches, so that customers were able to choose the service they wanted together with a clear indication of the due diligence work to be done to achieve that and whether an IBAN can then be issued, from which institution and from which country. This would help to forestall issues in this important area for the corporate customer, issues to which regulators would inevitably respond with regulations impeding normal business and increasing costs.

Nature of corporate demand

Corporates particularly want overseas accounts into which to receive money, where their buyers can include payments in normal payment runs through local low-value clearing systems, quoting local banking details. The collections rank as local: local currency and both endpoints are within the one country. If there is a locally-incorporated legal entity, this approach ensures that the collection achieves terms that avoid cross-border charges and Central Bank Reporting. For payments the aim is to ensure that the beneficiary does not suffer the charges and value-dating associated with receiving cross-border payments. But the corporate does not want to travel to every country, and increasingly wants to control and view the accounts from head office or, in the case of larger companies, a Treasury Centre or Shared Service Centre. Larger companies may be staffed so as to be able to run parallel relationships with large local banks, possibly under an overlay arrangement where liquidity is held within a global bank, but day-to-day business is conducted with the local banks. Smaller companies may find such an arrangement either unavailable to them or cost-prohibitive.

Nature of supply from banks with their own networks to their own customers

Banks with their own networks are the default option for opening accounts overseas. The major benefits of this approach should be:
- Single set of account opening documents applying to all branches of the same bank
- Only one set of KYC tests to pass, which apply across all branches
- Single pricing deal
- One point of relationship management and customer service
- Single electronic banking channel for all high-value and file-based payments out of any account held in the network

The potential drawbacks of this approach are:
- Local jurisdictions may demand extra documents beyond the bank's harmonised KYC process, especially for non-resident accounts
- The bank's operations are only branches; they may not support all the services the customer needs, or not on competitive terms
- Branch P&L concerns where the customer is small
- Local relationship management and customer service is geared up to deal with Large Corporates, whereas the account in question may be SME or Mid-Market size
- What happens when the group parent is not on the target client list of the bank at all?
- What happens when the bank does not have an operation in a particular country?

The desired result is that the customer holds real accounts at each branch and it is KYC-compliant, but the "what happens if" questions remain.

Nature of supply from a banking network such as IBOS

In the case of a banking network like IBOS, these drawbacks are addressed as follows:
- The banks' operations are large local banks that are full service
- The banks contain relationship management and customer service teams that are geared up to deal with customers of all sizes
- The banks accept that the target client of an introducing bank is eligible for inclusion in their target market as a receiving bank, because the banks accept the warranties of Customer Acceptance tests conducted by one another as being of the same efficacy as their own
- The documentation needed for all types of account is driven off a harmonised Customer Referral Sheet, which enables AML and KYC checks to be completed in a streamlined manner

It is hardly surprising, though, that the total pile of paper for an IBOS-based deal is significant, just on the basis of the range of local services available. The main trade-off is that there is not one single set of documents: there is a consistent core, but different jurisdictions require certain supplementary papers. The result again is that the customer holds real accounts at each bank and it is completely transparent. Each relationship can be a full service one, for which the customer has to sign the respective bank's service papers.

Summary on own branches and banking network solutions

Both the "own branches" and banking network solutions are legally robust: the Account-Holding bank entity can point to a compliant and complete file on the account holder covering KYC (Know Your Customer), KYB (Know Your Customer's Business) and AML (Anti-Money Laundering). The banking network approach can be seen as heavy-duty on documentation, even if it is full-service. However, neither solution can be said to completely cater for all possible shades of demand:
- Banks with own branches target Multinationals: what about their SME and Commercial Banking customers?
- When the customer needs services in countries where the "own branches" bank has no branch
- When the customer's bank is not one whose Customer Acceptance tests would be seen as equating to their own by all the members of a banking network
- When the customer's accounts would all be non-resident accounts in the foreign countries
- When the customer's business volume would make the usage of an "own branches" or banking network solution appear costly

Meeting these demands has led to a number of variants of Partner Banking.

Non-resident Accounts

Before we go there, it is vital to recognize that government authorities are exercising their right to impose extra burdens on non-resident accounts:
- Brazil: transaction-by-transaction reporting to the central bank, since the authorities have acted on suspicions that non-resident status is being abused by traders who have a quasi-permanent establishment in Brazil but who, because they have no resident entity, pay no local corporation tax
- Argentina: non-resident accounts only available where a resident company is in formation
- Italy: the account holder has to obtain a non-resident tax ID
- Spain: extra documents on the identity and owners of the non-resident

These are drivers that incent the non-resident to keep accounts offshore, held in a single liberal banking environment such as the UK or the Netherlands.

The growing pitfalls of remote account opening

Nature of supply of Partner Banking

These are the variants supplied by banks with their own networks to customers of third-party banks, or to their own customers in countries where the bank has no branch. Their upside replicates the advantages of using the bank with its own network directly:
- Single set of account opening documents
- Only one set of KYC tests to pass
- Speed of set-up
- One point of customer service

The point is that the customer holds their account at a single bank whose KYC tests they must pass, but that the main bank uses downstream partner banks. These partner banks are used on an undisclosed basis, and the nub of the issue is whether KYC/KYB/AML tests are conducted by the partner banks. The service is frequently known as a Multicurrency Account, because the customer holds multiple accounts in different currencies, and possibly in the name of different subsidiaries, all in the same bank in the same financial centre. Where that bank is one with its own branches but does not have one in the country of the account, the partner arrangement is often known as a Re Account. Let's start with that one.

Re-Account (e.g. offered by A Bank In North America, ABINA, for its own customers):
- The prime purpose of this variant is for ABINA to extend the scope of its own offering for its own target clients
- Accounts are only opened at ABINA; hence the usage of a single account opening document. These are real accounts. The customer reconciles them and issues instructions against them.
- These accounts will usually have an IBAN and a UK BIC identifiable to ABINA London
- The accounts at the local partner bank are sub-accounts of ABINA's nostro and are entitled "ABINA re [customer name]", hence the "Re Account" title
- Local IBAN+BIC are issued on each sub-account; the replica of this account at ABINA London has a UK IBAN+BIC
- The customer puts the IBAN+BIC on their invoices to their trading partners; they are each identifiable to the partner bank and the country of the partner bank
- Trading partners of the customer can pay in via local circuits, resident-to-resident and in local currency, thus avoiding any lifting fees
- That suits a certain marketplace, e.g. social networks and Commissionaire Sales organisations like anti-virus software
- ABINA carries out its own KYC/KYB on the customer. It issues a blanket indemnity that covers the partner bank for not doing their own Due Diligence
- The customer's bank statement comes from ABINA, not from the partner bank; all the activity over the account at the partner bank is copied onto the account at ABINA
- The customer's payment instructions are delivered to ABINA to operate the real account held there. Operations across the nostro sub-account are ordered: 1. By and through ABINA if they are debits 2. By the trading partners of the customer if they are credits
- Remember that ABINA bank will have a lot of its own branches as well, so that in practice a customer might have its accounts opened as follows: 1. UK business: ABINA London 2. Finnish business: ABINA London 3. German business: ABINA Frankfurt 4. Spanish business: ABINA Madrid 5. Austrian business: ABINA London

White labelling (e.g. by Another Very Big Bank in America, AVBBIA, for a smaller bank called the 1st of the 7th Bank from, let's say, Hardin MT):
- This is the version where an "own branches" bank makes those facilities available to customers of its correspondent banks, without those customers becoming customers of the "own branches" bank
- Under this variant the company does not get real accounts at AVBBIA but opens them all at 1st/7th back in the USA
- 1st/7th has its nostro accounts at AVBBIA, probably in London, and each customer gets a designated sub-account of that nostro
- This will be replicated by currency: the customer can be given to understand that they have one account per currency
- The customer's real accounts are at the introducing bank 1st/7th; there can be one account opening document for that purpose
- 1st/7th then directs AVBBIA to open a new sub-account in their nostro for that customer, or several if the customer wants multiple currencies
- The nostro sub-accounts each have an IBAN issued upon them, and they all carry AVBBIA's UK BIC
- The customer puts the IBAN+BIC on their invoices to their trading partners
- 1st/7th takes all the compliance risk; there is no KYC/KYB file on the customer at AVBBIA, no relationship manager, and no general or specific customer identification actions are taken
- The customer's bank statement comes from the introducing bank 1st/7th, not the partner bank AVBBIA. If the statement carries a BIC it will be a US one, not a UK one
- The customer's payment instructions are delivered to the introducing bank to operate the real account held there. Operations across the nostro account are ordered: 1. By and through the introducing bank if they are debits 2. By the trading partners of the customer if they are credits
- Trading partners have to send a cross-border payment into AVBBIA London if they are not in the UK


White Labelling of Re-Account (e.g. by ABINA for the customers of the same 1st/7th Bank):
- This is where the bank ABINA, which built a Re-Account offering for its own customers, makes that available to the customers of its white-label partners, in order to win business against the offering of AVBBIA
- The customer is a customer of the introducing bank, 1st/7th in this case, not of ABINA, and accounts are only opened at 1st/7th; hence the usage of a single account opening document. These are real accounts. The customer reconciles them and issues instructions against them.
- These accounts will usually have a US BIC identifiable to the introducing bank; they may not have an IBAN
- The remainder works exactly like the White Label, except that the local activity is copied twice: from the local partner to ABINA, and then to the introducing bank 1st/7th
- The introducing bank has nostros at ABINA, in which ABINA opens sub-accounts for each customer
- The introducing bank REB carries out its own KYC/KYB on the customer. It issues a blanket indemnity to ABINA, who then in effect passes this on via its blanket indemnity to the partner bank
- The partner bank has no Due Diligence file on the customer, on the understanding that it has an indemnity from ABINA
- The customer's payment instructions are delivered to the introducing bank to operate the real accounts held there. The introducing bank relays them to ABINA to debit them to its nostro
- ABINA relays them to the partner bank such that operations across the nostro account are ordered: 1. By and through ABINA if they are debits 2. By the trading partners of the customer if they are credits
- Local IBANs are issued so that the customer can enable its trading partners to pay in via local low-value payment methods

Account number routing instructions or IBAN?

Failing explicit guidelines there, the issue can be approached around the question of the issuance of an IBAN. This is where the environment has moved. When many of these structures were established, the key need (to give the debtors of the account holder a routing code that enables payment to be made via the local clearing) could be met via the issuance of a series of letters and numbers that explicitly reveal neither the name nor the country of the bank. However, in every EU country the local account number (BBAN) and routing code now have to be displayed alongside the equivalent IBAN and BIC. Invoices submitted by EU creditors on EU debtors must carry IBAN and BIC. As SEPA migration proceeds, and even if SEPA itself miscarries, countries are retiring BBAN and the legacy routing code and showing IBAN and BIC as the only bank details available.

IBAN is "a code uniquely identifying an account at a financial institution in a country", according to the European Payments Council, the organizer of SEPA. IBAN is a standard owned by the ISO, but it is run in practice by SWIFT. The salient definitions in SWIFT's General Glossary of Terms are:
- Account Owner: An institution for which an account is serviced at another institution (account servicing institution). The account owner will often refer to the account as a nostro, or "due from", account.
- Account Relationship: The relationship between two parties arising from the holding of at least one account between them.
- Account Servicing Institution: An institution that is the depository for an account for another institution (account owner). The account servicing institution will often refer to the account as a vostro, or "due to", account.
- Account Servicing Institution's Reference: A reference assigned by the account servicing institution to identify the transaction. (This is the reference to which the account owner refers in cases of inquiry to that financial institution.)
- Address: A method of precisely describing a physical location. The SWIFT system permits three formats: ISO Bank Identifier Code (which includes registered SWIFT addresses); name and address; or simply place (when the institution itself is implied by other parts of the message).

The conclusions to be drawn from that are:
1. Any account can only have one IBAN associated with it
2. You cannot have an IBAN without having an account
3. You cannot have an account without a KYC file at the Account Servicing Institution
4. The Account Servicing Institution for an account is defined by the country code and BIC embedded in the IBAN

Financial Action Taskforce (FATF)

Regulators have defined policy guidelines for opening customer accounts that derive from the work of the FATF, and banks have implemented these by law. In terms of practical guidance there is also the Basel Committee on Banking Supervision document "Customer due diligence for banks" of October 2001. It defines essential standards on KYC and breaks them down into:
- Customer Acceptance Policy
- Customer Identification: General Requirements and Specific Issues
- Ongoing monitoring of activity

Where the document discusses Correspondent Banking, it means opening accounts for other banks, and not opening accounts for banks through which the customers of those banks are identifiable and visible to the account-holding bank. In effect there is something of a vacuum in the guidelines on the business in question.

Risks for the corporate

The existence of a risk for the corporate is easy to identify: does the corporate issue invoices that carry IBANs on accounts where no statement is received and reconciled that carries the identical IBAN at its head?

38

2/2011

The growing pitfalls of remote account opening

Measuring that risk is then a combination of:
- Likelihood of the risk occurring
- Impact if it does

The risk is that there is an incident in this area of business which is serious enough for the regulators to become explicit about either IBAN issuance or Remote Account Opening or both, such that corporates have to replace existing arrangements. That could include making new banking relationships and not just arrangements: whole lines of banking products could be taken off the market. This is why it is essential that the banking industry create its own guidelines and clarify what arrangements are completely robust when looking at the Basel document and the IBAN definitions, so that corporates are in a position to make a risk judgment. The current risk for the corporate is in the lack of transparency, and the threat that a major incident affecting any of the above variants could be sufficient to undermine that whole line of services, even if the arrangement that the corporate itself is using appears robust.
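The IBAN conclusions drawn earlier (one IBAN per account, and the servicing institution identifiable from the IBAN's country code and bank identifier) and the reconciliation question just raised suggest a control a corporate treasury can run for itself. What follows is an added example, not code from this article or from IBOS: it validates IBAN check digits with the ISO 13616 mod-97 algorithm, extracts the country code and the bank identifier portion of the IBAN for a small assumed subset of country layouts (GB, DE and NL; the full registry is maintained by SWIFT), and flags every invoice IBAN for which no received statement carries the identical IBAN at its head. All IBANs in it are constructed from published test values, not real accounts.

```python
"""IBAN check-digit validation and invoice-to-statement reconciliation.

Added illustration for the reconciliation question in the article; not code
from the article or from IBOS. The BBAN layouts below are an assumed subset of
the ISO 13616 registry, and every IBAN used as sample input is a constructed
test value, not a real account.
"""
import re
from dataclasses import dataclass

# Assumed subset of the IBAN registry: total IBAN length and where the bank
# identifier sits inside the IBAN (after the 2-letter country + 2 check digits).
IBAN_LAYOUTS = {
    "GB": (22, slice(4, 8)),    # 4-letter bank code, 6-digit sort code, 8-digit account
    "DE": (22, slice(4, 12)),   # 8-digit Bankleitzahl, 10-digit account
    "NL": (18, slice(4, 8)),    # 4-letter bank code, 10-digit account
}


def normalise(iban: str) -> str:
    """Strip the spaces used for display and fold to upper case."""
    return re.sub(r"\s+", "", iban).upper()


def mod97_checksum_ok(iban: str) -> bool:
    """ISO 13616 check (ISO 7064 MOD 97-10): move the first four characters to
    the end, map letters to 10..35, and the resulting integer mod 97 must be 1."""
    iban = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # 'A' -> '10' ... 'Z' -> '35'
    return int(numeric) % 97 == 1


@dataclass(frozen=True)
class IbanInfo:
    iban: str
    country: str
    bank_id: str


def parse_iban(iban: str) -> IbanInfo:
    """Validate the check digits and pull out the country and bank identifier,
    i.e. the two fields that say which institution services the account."""
    iban = normalise(iban)
    if not mod97_checksum_ok(iban):
        raise ValueError(f"check digits do not verify: {iban}")
    country = iban[:2]
    if country not in IBAN_LAYOUTS:
        raise ValueError(f"no BBAN layout known here for country {country}")
    length, bank_slice = IBAN_LAYOUTS[country]
    if len(iban) != length:
        raise ValueError(f"{country} IBAN must be {length} characters, got {len(iban)}")
    return IbanInfo(iban, country, iban[bank_slice])


def reconcile(invoice_ibans, statement_header_ibans):
    """Classify every IBAN printed on an outgoing invoice:
    'bad-checksum'  - not a well-formed IBAN at all (typo or garbled data)
    'no-statement'  - valid, but no received statement carries this IBAN at its head
    'ok'            - a statement with the identical IBAN is received and reconciled
    """
    covered = {normalise(s) for s in statement_header_ibans}
    findings = {}
    for raw in invoice_ibans:
        iban = normalise(raw)
        if not mod97_checksum_ok(iban):
            findings[iban] = "bad-checksum"
        elif iban not in covered:
            findings[iban] = "no-statement"
        else:
            findings[iban] = "ok"
    return findings


# Constructed sample data (published test IBANs, not real accounts).
INVOICE_IBANS = [
    "GB82 WEST 1234 5698 7654 32",   # matches a statement header below
    "DE89 3704 0044 0532 0130 00",   # valid, but no statement is received under it
    "GB82 WEST 1234 5698 7654 33",   # last digit altered: check digits fail
]
STATEMENT_HEADER_IBANS = ["GB82WEST12345698765432"]

if __name__ == "__main__":
    for iban, status in reconcile(INVOICE_IBANS, STATEMENT_HEADER_IBANS).items():
        print(f"{iban}: {status}")
    print(parse_iban("DE89370400440532013000"))
```

The "no-statement" outcome is exactly the condition in the question above: in the Re-Account and white-label structures described earlier, the statement the customer receives may carry a UK or US BIC while its invoices carry a local IBAN, and a check like this makes that gap visible to the corporate rather than leaving it to be discovered by a regulator.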

If a lot of money was involved and several other countries, it would be surprising if the file did not eventually come across a desk at the European Commission

The banking industry has precedent for the outcome of such incidents, and the most damaging recent one was the $375 million fine that Lloyds suffered for stripping payment details out of MT202. This incident led, via the Wolfsberg Group, to the introduction of MT202 COV in SWIFT Standards Release 2009. That follows the pattern of legitimate techniques (in that case for cutting the cycle time of cross-border payment) being used for other purposes and causing a major and costly change across the industry. No-one would celebrate extra regulation in the area of Remote Account Opening, apart, perhaps, from American Airlines, Hilton Group and taxi firms. Customers of the likes of 1st/7th would immediately need to find a proper foreign banking connection, or rather a series of connections, because they might then have to select one bank per country themselves.

Reputation Risk and the shortcuts of the few create problems for the many

eBAM

There is a further concern that, against this background, the major industry initiative in this area, eBAM (Electronic Bank Account Management), is about facilitating remote operation of accounts (open new accounts at the bank, close old ones, change signature powers, appoint new signatories). Issuance of electronic instructions under PKI is about passing trust down the chain, which is very positive in principle; but if trust is passed to Bank C by Bank B, how might Bank C know that Bank B was not the originator of that trust, but was passing on the trust it had in Bank A? How might Bank C feel when it finds out and concludes it would not have placed trust in Bank A itself? This is not about passing on cleared funds in central bank money, which are risk-free, and there we even have the SWIFT rules to ensure traceability down the payment chain. Under some non-electronic versions of Remote Account Opening it appears that trust may be being passed along without traceability: a concern around eBAM is that it could proliferate that by making it easier to do.

Conclusion

Customer business models and geographical reach are moving, and customers will look to their banks for support. Banks will legitimately look to work together to deliver solutions to customers. However, the regulators and the external environment are also moving, and not always in lock step. It is extremely important that banking solutions for Remote Account Opening are transparent and demonstrably compliant, and that grey areas such as qualifications for IBAN issuance do not persist. Negative incidents could trigger further regulation that in turn could inhibit normal business and increase costs. It would be far better for the banking industry participants to ensure collaboratively that the services on offer contain no risk of being summarily curtailed.

Example scenarios

An example incident is not hard to devise. Remote trader commits a fraud:
- Distance selling into Finland with payment into a local Re Account identifiable to a Finnish bank in Helsinki
- Goods are not delivered or are defective; consumers attempt and fail to get their money back via the trader or the Finnish bank, and then consumer organizations lobby the Finnish financial regulator to investigate
- The Finnish financial regulator discovers that the Finnish bank has no KYC file on the remote trader, but that the IBAN is on a sub-account of ABINA London
- The Finnish financial regulator contacts its UK counterpart, who discovers that ABINA London has no KYC file on the remote trader, who is a customer of 1st/7th Bank
- Finnish and UK financial regulators contact their US counterparts

Bob Lyddon
Managing Director of IBOS Banking Association

Contacts:
Bob Lyddon, Managing Director, IBOS Banking Association, bob@ibosassociation.com, 07939 132 341, http://www.ibosassociation.com
Lauren Alexander, Maltin PR: lauren@maltinpr.com, 07540 347 001, http://www.maltinpr.com
A photograph of Bob is available at: http://www.maltinpr.com/bob-lyddon

NOTES:
IBOS stands for International Banking - One Solution. It is an association which fosters inter-bank cooperation. Currently active in 49 countries and rapidly expanding, its members include Santander, HSBC France, Intesa SanPaolo, KBC, Nordea and UniCredit Bank.


Henderson Global Investors


Henderson Global Investors (Henderson) is an international investment company, with a strong reputation and a proud history, going back to 1934. We currently manage £60.5 billion (excluding Gartmore assets) and £76.2 billion on a pro forma basis including Gartmore assets under management. Henderson employs approximately 950 members of staff worldwide, of which 250 are investment professionals*.

As a pure asset management house, we know what investors want from us: to help them achieve their investment objectives by delivering performance that meets their expectations. We offer investments across equity, fixed income, currency and property as well as alternative products, such as private equity and hedge funds, thus giving clients a wide choice of investment strategies spanning the spectrum of risk and return. Every investment decision we take has a direct impact on our clients. We have structured ourselves in a way that puts decision-making at the heart of our business. Our fund managers are organised into compact, nimble teams of experts, empowered to make the most of any opportunity without the hindrance of a house style or approval committee. Every day, our fund managers make decisions about the investments within their portfolios. We provide them with the information, resources and the infrastructure they require. Ideas are shared, but responsibility and accountability lie firmly with the fund managers. This culture of accountability and autonomy doesn't suit every type of manager. We employ those who thrive on taking responsibility. Our focus on the quality of our investment decision making means that decisions are taken in a considered way, mindful of the risks, yet alive to the opportunities. Sometimes it is best to do nothing, but even that should be a positive and considered decision rather than the result of inertia. It is the Henderson blend of highly skilled, experienced investment professionals, organised for better decision-making, with access to some of the best information and risk monitoring systems that makes us who we are.

With a history spanning more than 75 years, Henderson carries a heritage, values and corporate strength that our clients find reassuring. Founded in the midst of the 1930s financial crisis, Henderson has weathered every financial storm since. Today, Henderson is a lean, collaborative company with a global reach focused on delivering performance for our clients. Over the years, we have recognised that the only way to retain the trust of our clients is through the quality of our investment decisions. This insight underpins the risk-aware decisiveness that has become the Henderson hallmark.

Our long-term business strategy

Our strategic objectives revolve around our clients: helping them achieve their investment objectives by offering them a diverse range of high-quality investment products. In a world of uncertainty, our clients gain reassurance from our heritage, values and corporate strength. We are a lean, collaborative company and strive to develop further by:
- growing organically across the core asset classes of equities, fixed income and alternatives
- accelerating organic growth through selective partnering and/or acquisition
- expanding internationally across the core markets of Europe, North America and Asia
- maintaining our financial strength and creating value for shareholders


Composition of global listed property market

US 41.8%
Other EU 4.4%
NL 1.7%
UK 5.4%
France 3.9%
Australasia 8.8%
Singapore 5.0%
Japan 10.3%
HK/China 15.2%
Canada 3.5%

Source: FTSE EPRA/NAREIT Developed Real Estate Index at 31 January 2011.

We believe our business model features some key advantages: our independent ownership and diversified business lines, which enable us to be responsive to a fast-changing environment. To advance our strategic goals, we have organised our distribution around a global footprint with a regional focus. This allows for a more holistic perspective and improves the quality of our decision-making and the service our clients experience. The key to delivering on our objectives remains our people. We are committed to building staff share ownership in the company as a way to align staff interests with those of our shareholders and also to attract and retain staff. We have a number of share schemes open to all employees. Staff ownership has grown from around 3% in 2005 to approximately 12% currently, assuming all share schemes vest (at 31 March 2011).

Key facts
- Clients throughout Europe, Asia-Pacific and North America
- Approximately 950 members of staff worldwide, of which 250 are investment professionals*
- £60.5 billion* of assets under management on behalf of individuals, private banks, third party distributors, insurance companies, pension funds, government bodies, investment trusts, charities and corporate entities
- Wholly owned by Henderson Group plc, which is dual listed on the London Stock Exchange and the Australian Securities Exchange, and is a constituent of the FTSE 250 and S&P/ASX 200 indices
- Headquartered in London, with offices in Amsterdam, Edinburgh, Frankfurt, Luxembourg, Madrid, Milan, Paris, Vienna and Zurich, Chicago and Hartford in the USA, as well as Beijing, New Delhi, Hong Kong, Singapore and Tokyo

Henderson Horizon Global Property Equities Fund

The Henderson Horizon Global Property Equities Fund offers access to the growth potential of international property markets, using the flexibility of property securities to construct a highly liquid and diversified portfolio. With the team located in Asia, Europe and North America, the fund benefits from local expertise in identifying investment opportunities. Property has long been popular with investors because of its income characteristics and its tangibility. It can also be useful in contributing valuable diversification to an existing portfolio of bonds and equities. However, buying and selling properties can be time-consuming and costly. The Henderson Horizon Global Property Equities Fund invests in property securities to achieve exposure to property markets. It is an attractive alternative to investing directly in bricks and mortar, allowing for more flexible and cost-effective investment. Please note that whilst investing in securities makes it easier to buy and sell any investment, property equities can be more volatile than direct property.

Where does the fund invest?


Company diversity
The fund invests in quoted property companies that hold properties directly, real estate development companies, which specialise in bringing developments to fruition, and also Real Estate Investment Trusts (or their equivalents). Real Estate Investment Trust (REIT) is a designation for companies that focus on investing in real estate, which, provided they meet certain stipulations, are granted a more tax-efficient status. The fund can tailor the portfolio weighting to different types of company depending on where the fund managers believe the best opportunities lie. For example, developers tend to perform well in a rising market, while more conservative property investment companies outperform when demand is weak.

Geographic diversity
The fund invests in property equities in developed markets around the world. This global remit means that the fund spreads exposure across different countries, helping to reduce the risk of one location underperforming. The team on the fund is based in three locations: London, Singapore and Chicago. This three-way feed allows the fund to continuously read the pulse of each regional property market. The chart below illustrates the broad geographical spread available to the fund.

Sector diversity
Investing in property equities is about more than just investing in property. Property typically has close links to the prevailing local economic conditions in each country. This means it is possible to construct a portfolio of property securities that are aligned with those economies and areas of the economy that are expected to do well. Typically, the main focus of the fund is on the core commercial property subsectors of retail, offices and industrial, which together form two-thirds of the investment universe. However, more opportunistic holdings in companies invested in areas such as residential, storage and hotels are also considered by the team. The Henderson Horizon Global Property Equities Fund provides exposure to attractive property trends whilst seeking to exploit pricing inefficiencies both at the market and individual stock level.

Cumulative total return of key asset classes

Source: Datastream, MSCI, S&P, Citigroup. All data to 31 January 2011, total return, USD.

Reasons to invest
- The fund offers exposure to improving property fundamentals through highly liquid property securities.
- Experienced fund manager: Patrick Sumner has 30 years' investment experience of real estate markets.
- Regional managers and analysts, based in Europe, Asia and North America, provide valuable local expertise in stock selection.
- Impressive track record: first quartile performance over one, two, three, four and five years to 31 January 2011.*

* Source: at 31 January 2011. © 2011 Morningstar. All Rights Reserved, on a bid to bid basis, with gross income reinvested, USD. Past performance is not a guide to future performance.

Why property equities?

Property equities offer valuable investment flexibility by allowing the Henderson Horizon Global Property Equities Fund to swiftly alter the portfolio to capture investments with the best potential. The driving force behind any investment decision, however, is the potential return. Whilst past performance is not a guide to future performance, property equities have historically offered a relatively attractive long-term return, as can be seen in the chart below. The strong performance of property equities may reflect the characteristics of the underlying asset class. Property markets in different countries can move independently of each other because property returns are often driven by local demand and supply as well as local regulations and economic factors. Property is typically cash generative, with dividends and rental payments making up more than half the total return of the asset class over the long term. The length of rental agreements ensures a steady, bond-like income stream with a degree of insulation against inflation, a growing concern for many investors as interest rates on savings fail to keep pace with inflation.


Property equities can therefore capture the income and growth qualities of property while converting it into a more liquid investment proposition. The flexibility of property equities means that the fund can also quickly take into account the shifting fortunes of the underlying property markets. In 2010 many property markets experienced yield compression, which drove capital values higher. In 2011, the property markets are likely to be less influenced by yield compression and more influenced by individual property fundamentals. This calls for greater discrimination between property markets and property equities. With many property companies having repaired their balance sheets the fund will be looking more closely at the underlying properties and the rental growth and income potential of each individual property company.

Investment philosophy

The world's property markets are highly inefficient in comparison to major equity and bond markets. This is primarily because property markets are driven by local demand and supply and information flows tend to be poor. The Henderson Horizon Global Property Equities Fund seeks to exploit these inefficiencies in global property markets through property equities, which, unlike direct property investments, are highly liquid. Property equities cannot be appraised in isolation, however, and need to be referenced to other asset markets. The fund managers therefore consider the attractiveness of individual property equities in the context of wider external factors such as macro-economics and relative valuations to reach an overall conclusion on whether or not to invest in a security.

Why Henderson for property equities?

Benefits of the Henderson Horizon Global Property Equities investment strategy:

Large team led by an experienced fund manager.
Regional teams based on three continents enhance knowledge of local markets.
Different regional stock selection processes tailored to suit each market.
Direct property business at Henderson Global Investors provides complementary market knowledge.
Interaction with Henderson fund managers outside property helps place property equity valuations in context.

Europe

The European team places a heavy emphasis on gathering data and meeting company managements and third-party analysts. Quantitative screens are used to narrow down the number of attractive companies, although the screens are more of an ideas box than a rigid filter. Stocks are then ranked according to a number of valuation measures, such as net asset value and dividend yield, as well as qualitative factors such as strength of company management, property type and exposure.

Asia Pacific

This team operates a similar stock selection model to the European team. Greater diversity in the number of currencies and the relatively strong presence of development companies tend to make the region more volatile, although this environment creates the potential to generate high returns with active management. The dominant valuation metric in Asia is the price-to-earnings multiple, which is the most useful method for valuing the profits of development companies. Income-yielding property companies in Australia or REITs in Japan, however, are more suited to assessment in terms of their dividend yield.

North America

The North American stock selection is undertaken by Harrison Street Securities. This team tends to focus on positions in mid- and small-cap real estate securities, where market pricing is least efficient and stock-picking can therefore add the most value. The most attractive large-cap companies are, however, held to reduce stock event risk. The team uses a four-stage bottom-up stock selection model that considers relative values using different factors, assesses the net asset values of potential investments, ranks company management and constructs an expected share price.

Since the quoted property sector is relatively small, the share prices of property equity companies can be heavily influenced by the marginal investor, such as general equity investors taking opportunistic positions in the property sector. The team therefore interprets wider investment trends, such as the appetite for yield among investors or broad sector allocation shifts, that are likely to affect demand for property equities. In this regard, they are helped by being able to consult non-property colleagues at Henderson Global Investors to frame a broad investment picture. The management of the fund is led by Patrick Sumner, who has 30 years' investment experience in real estate markets. Patrick is supported by co-manager Guy Barnard, together with fund managers and analysts based in London, Singapore and Chicago. Harrison Street Securities manages the North American component of the fund as well as contributing to asset allocation views. Henderson has a long-established reputation in property investment and is one of the major managers in this sector, with US$18.5 billion* of property assets under management. Henderson has more than 190 people based around the world focusing on property, covering all aspects from asset management to market forecasting. The specialist property equities team has detailed knowledge of property equity markets globally and currently manages assets of US$1.86 billion*.

Investment approach

Investment expertise

The characteristics of property equities markets around the world vary significantly. There is consequently no single investment style that can be applied around the world with equal assurance of success. The Henderson Horizon Global Property Equities Fund therefore uses a variety of approaches that reflect the key drivers of each of the major property equities markets of Europe, North America and Asia Pacific. Regional asset allocation is determined by Patrick Sumner, head of global property equities, in conjunction with the fund's regional portfolio managers. Alongside external research, the team also makes use of research from Henderson's Direct Property Research Team, part of the wider property investment department at Henderson, to formulate views on the markets. Stock selection is undertaken by specialist property equities teams in London, Singapore and Chicago. Each region operates an individual stock selection process that is well suited to exploiting the investment potential within property equities, as described in the regional summaries above.

*Source: Henderson Global Investors at 31 December 2010.
