
BSc (Hons) Banking and International Finance MMIS 2301: E-Banking and E-Trading

Lecture 3: SECURITY & PRIVACY ISSUES (Part I)

3.0 Security Awareness

• Security issues are a major source of concern for everyone both inside and outside
the banking industry. E-banking increases security risks, potentially exposing
isolated systems to open and risky environments. Banks need to be proactive in
monitoring and managing the security threat.

• Computer security is never absolute: no computer system can ever be 100% secure.
A determined and persistent attacker can find a way to defeat or bypass almost any
security measure. Network/computer security is therefore a means of reducing
vulnerabilities and managing risk.

• Computer security is about hardware, software, communication, data, people, the
legal framework and privacy protection. It is therefore important to understand that
computer security has to be viewed in a much more global context.

• Computer security measures are about the prevention and detection of security
attacks, and recovery from attacks.

• Security awareness teaches people not to disclose sensitive information such as
passwords and file names.

Week 3 1
3.1 Different types of threats

• Internal - These threats originate inside an organization or within a LAN. For
example, a frustrated employee who cracks her manager’s password in order to
access confidential data, or who infects the LAN with a macro virus.

• External - These threats generally come from outside the organization or the LAN
(i.e. from the Internet). Example: a computer virus in an e-mail attachment, or a
paid hacker engaged in industrial espionage.

• Malicious threats are intentional threats, generally attributed to hackers (external),
but users within an organization (internal) can also pose malicious threats. It all
depends upon the intention of the user. Usually, internal malicious threats are
more damaging, as the insider already has access to resources on the network.
There are many motivations behind hacking or damaging a computer system:

• Intellectual challenge
• Causing harm to an organization
• Monetary and other frauds
• Unfair competitive advantage
• Access to private information

• Non-malicious threats are threats caused unintentionally by users of the computer
system. Misuse of applications or wrong manipulation of hardware devices can
disrupt the proper functioning of computer systems. For example, imagine a user
working directly on a file stored on a diskette who suddenly removes the diskette
without properly closing the file.

3.2 Basic Security Issues

• What kinds of security questions arise?

• From the user’s perspective:

o How can the user be sure that the Web server (where e-banking web pages
reside) is owned and operated by a legitimate company?

o How does the user know that the Web page and form do not contain some
malicious or dangerous code or content?

o How does the user know that the owner of the Web site will not distribute
the information the user provides to some other party?

• From the company’s perspective:

o How does the company know the user will not attempt to break into the
Web server or alter the pages and content at the site?

o How does the company know that the user will not try to disrupt the server
so that it is not available to others?

• From both parties’ perspectives:

o How do both parties know that the network connection is free from
eavesdropping by a third party “listening” on the line?

o How do they know that the information sent back-and-forth between the
server and the user’s browser has not been altered?

3.2.1 Authentication & Authorisation

• Authentication
o The process by which one entity verifies that another entity is who he, she,
or it claims to be.

o A minimum of two-factor authentication should be required for all user access
to the services provided (e.g. username/password, IP address and cryptography).

• Authorisation
o The process that ensures that a person has the right to access certain
resources.

o Once authenticated, a person or program has the right to access particular
data, programs, or system resources (files, directories, etc.).

o Usually determined through ACLs (access control lists).

• Access Control

o Access controls are mechanisms that control the access of a given user to the
system and its facilities, to the extent necessary for that user to perform his job
function.

Importance of access controls:

1. It provides protection of system resources against unauthorised access. An
access control mechanism uses the authenticated identities of principals, and the
information held about these principals, to determine and enforce access rights.

2. It goes hand in hand with authentication. When a link is established between a
bank’s internal network and the Internet, a number of additional access points
into the internal operational system might be created.

• Access control may be of discretionary and mandatory types.

• Controls instituted by banks should be tested through periodic penetration testing,
which should include, but should not be limited to:

1. Password guessing and cracking.

2. Searching for back doors in programs.

3. Attempts to overload the system using DDoS (Distributed Denial of Service) and
DoS (Denial of Service) attacks.

4. Checking whether commonly known vulnerabilities in the software still exist.

3.2.2 Auditing

• The process of collecting information about attempts to access particular
resources, use particular privileges, or perform other security actions.

• A log file keeps a record of every attempt to access a web page or data in a
database.

• Audits provide a means to reconstruct any actions that were taken and to identify
their author.
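As an added illustration of 3.2.1 and 3.2.2 (example code, not part of the lecture notes), the following Python models an ACL-based authorisation check that sits behind authentication, records every attempt in an audit log, and reconstructs a given principal's actions from that log. The users, passwords, resources and ACL entries are constructed for the example.

```python
import hmac
from datetime import datetime, timezone

# Constructed ACL for a hypothetical e-banking back end (example data, not from
# the lecture): resource -> set of principals allowed to read it.
ACL = {
    "/accounts/ACC-1001/statement": {"alice"},
    "/accounts/ACC-2002/statement": {"bob"},
    "/admin/user-list": {"auditor"},
}

# Constructed credential store: username -> password. Kept in plaintext only to
# keep the example short; a real system stores salted password hashes.
USERS = {"alice": "s3cret", "bob": "hunter2", "auditor": "audit!"}

AUDIT_LOG = []  # every attempt is recorded, whether it succeeded or not

def audit(principal, action, resource, outcome):
    """Append one audit record; the log is what later reconstruction relies on."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "principal": principal, "action": action,
        "resource": resource, "outcome": outcome,
    })

def authenticate(username, password):
    """Authentication: verify that the entity is who it claims to be."""
    stored = USERS.get(username, "")
    ok = hmac.compare_digest(stored.encode(), password.encode())  # constant time
    audit(username, "login", "-", "success" if ok else "failure")
    return ok

def authorise(principal, resource):
    """Authorisation: an authenticated principal may only touch what the ACL grants."""
    allowed = principal in ACL.get(resource, set())
    audit(principal, "read", resource, "allowed" if allowed else "denied")
    return allowed

def access(username, password, resource):
    """Request path: authenticate first, then authorise. True only if both pass."""
    return authenticate(username, password) and authorise(username, resource)

def reconstruct(principal):
    """Auditing: list what a given author attempted and how each attempt ended."""
    return [(r["action"], r["resource"], r["outcome"])
            for r in AUDIT_LOG if r["principal"] == principal]

def suspicious():
    """Records an analyst would review first: failed logins and denied reads."""
    return [r for r in AUDIT_LOG if r["outcome"] in ("failure", "denied")]
```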

3.2.3 Data Confidentiality

• Keeping private or sensitive information from being disclosed to unauthorised
individuals, entities, or computer software processes.

• It is intertwined with the notion of data privacy, which is now a regulatory issue
in many countries.

• Examples of confidential information:

o Credit card numbers, business plans, who has visited which web site.

• Confidentiality is usually ensured with encryption.

3.2.4 Data Integrity


• The ability to protect data from being altered or destroyed in an unauthorised or
accidental manner.

• Loss of data integrity could result from:

o Human error

o Intentional tampering

o Catastrophic events

• Failure to protect the correctness of data may render data useless, or worse,
dangerous.

• Efforts must be made to ensure the accuracy and soundness of data at all times.
Methods to ensure data integrity are access control, encryption and digital
signatures.

3.2.5 Non Repudiation

• The ability to prevent parties from denying that a legitimate transaction took place
(usually by means of a signature).

• If an order is made through a mail-order catalogue and paid by cheque, it is
difficult to dispute the veracity of the order. If, however, the same item is ordered
through the company’s website and paid by credit card, the person can always claim
that he did not place the order.
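As an added illustration of 3.2.4 and 3.2.5 (example code, not part of the lecture notes), the following Python attaches an HMAC-SHA256 tag to a transaction record so that any alteration is detected, and then shows why a shared-key tag gives integrity but not non-repudiation, which is why a digital signature is needed for the latter. The key, account numbers and amounts are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key between the bank's web server and its back office
# (example value, not from the lecture); in practice it lives in a key store.
SHARED_KEY = b"constructed-example-key-not-for-production"

def canonical(record):
    """Serialise deterministically so identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def protect(record, key=SHARED_KEY):
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(envelope, key=SHARED_KEY):
    """Recompute the tag; compare_digest avoids leaking how many bytes matched."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])

def demo_tamper():
    """Integrity: the tag verifies on the original and fails once a field is altered."""
    order = {"from": "ACC-1001", "to": "ACC-2002", "amount_cents": 25000}
    envelope = protect(order)
    # An attacker (or a fault) changes the amount but cannot recompute the tag.
    tampered = {"record": dict(order, amount_cents=250000), "tag": envelope["tag"]}
    return verify(envelope), verify(tampered)

def receiver_can_forge():
    """Why HMAC is not non-repudiation: anyone holding the shared key, including
    the receiving party, can mint a valid tag for a transaction the sender never
    made, so the sender can plausibly deny it. A digital signature made with a
    private key only the sender holds removes that deniability."""
    forged = protect({"from": "ACC-1001", "to": "ACC-9999", "amount_cents": 999999})
    return verify(forged)
```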

Figure 1 below depicts some of the major components of any electronic application and
indicates where the above security issues come into play.

Figure 1: Security Issues

3.2.6 Backup, Recovery & Business Continuity

• Banks should ensure adequate backup of data, as may be required by their
operations.

• Banks should also have well-documented and tested business continuity plans
that address all aspects of the bank’s business.

• Backup of data, documentation and software is an important function of the
administrators. Both data and software should be backed up periodically.

• The frequency of backup should depend on the recovery needs of the application.
Online/real-time systems require frequent backups within a day.

• The backup may be incremental or complete. Automating the backup procedures
is preferred, to obviate operator errors and missed backups.

• Recovery and business continuity measures, based on the criticality of the
systems, should be in place, and a documented plan setting out the organisation
and assignment of responsibilities of the key decision-making personnel should
exist.

• An off-site backup is necessary for recovery from major failures / disasters
to ensure business continuity.

3.3 Types of Attacks

There are two types of attacks: technical and non-technical attacks.

Non-technical Attacks
• An attack that uses certain tricks to induce people to reveal sensitive
information or to perform actions that compromise the security of a network.

• These attacks are also called social engineering attacks.

o Social engineering: a type of non-technical attack that uses social pressures to
trick computer users into compromising computer networks to which those
individuals have access.

• The following approaches should be used to combat social engineering:
o Education and training
o Policies and procedures
o Penetration testing (testing individual staff by outside experts in different
situations)

Technical attacks
• An attack perpetrated using software and systems knowledge or expertise.
(Several tools are available over the Internet that enable a hacker to expose a
system’s vulnerabilities.)

Denial-of-service (DoS) attack

• An attack on a Web site in which an attacker uses specialized software to send a
flood of data packets to the target computer with the aim of overloading its
resources.

Distributed denial-of-service (DDoS) attack

• A denial-of-service attack in which the attacker gains illegal administrative access
to as many computers on the Internet as possible and uses those computers to
send a flood of data packets to the target computer.

• (In February 2000, Amazon.com, CNN.com, eBay, Yahoo and other well-known
web sites were flooded with so many requests that legitimate traffic was virtually
halted. In January 2001, various Microsoft web sites experienced the same
problem: msn, msnbc, Expedia, Hotmail, etc.)

Malicious code (Malware): Virus, Worm, Trojan Horses

Virus
• A piece of software code that inserts itself into a host, including the operating
systems, in order to propagate; it requires that its host program be run to activate
it.
Worm
• A software program that runs independently, consuming the resources of its host
in order to maintain itself, that is capable of propagating a complete working
version of itself onto another machine.

Trojan Horse
• A program that appears to have a useful function but contains a hidden function
that presents a security risk. (The name comes from the Trojan horse of Greek
mythology, used during the siege of Troy.)

As the number of attacks increases, the following trends in malicious code are emerging:
• Increased speed and volume of attacks.
• Reduced time between the discovery of a vulnerability and the release of an attack
that exploits it.
• E-commerce is the most frequently targeted industry.
• Attacks against Web application technologies are increasing.
• A large percentage of Fortune 100 companies have been compromised by worms.
