ELECTRONIC MONEY: INFORMATION SECURITY, RISKS AND IMPLICATIONS
Presented By: Francis Karuhanga, FCCA, Head of Internal Audit, Stanbic Bank Uganda
Disclaimer
This presentation was made at the annual ISACA Kampala Chapter Information Security Workshop on 23rd October 2012 at Protea Hotel, Kampala. The presentation was designed to create dialogue and elicit comments amongst the workshop participants and should be viewed within the context of these objectives. The presentation contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgement. Stanbic Uganda and Standard Bank Group cannot accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this presentation.
Content
– Evolution of Money
– Definition of Electronic Money
– Electronic Money – Payment Systems
– Electronic Money and Information Security
– Key Information/E-money Security Risks
– Implications
– Conclusion
Evolution of Money – Barter Trade
First was barter trade. In the past, scarce precious metals such as gold and silver were used because they had intrinsic value and so served the functions of money, that is: a medium of exchange, a unit of account, and a store of value.
Evolution of Money – Paper and Coins
Then came paper and coins. The intrinsic value attributed to precious metals was embedded in paper; hence the advent of paper money. Paper ideally carries information to which intrinsic value is attached – as long as it is issued by a trusted authority.
Evolution of Money – Cheques
The inconvenience of carrying large quantities of paper currency was mitigated by the introduction of cheques, which contained information identifying the owner’s account.
Evolution of Money – Electronic Money
And now: electronic money – from paper money to binary codes of ones (1) and zeros (0). Electronic money refers to "stored value", “intrinsic value” or prepaid payment mechanisms for executing payments via point of sale terminals, direct transfers between two devices, or over open computer networks such as the Internet. Electronic money is also known as e-currency, e-money, electronic cash, electronic currency, digital money, digital cash, digital currency or cyber currency. E-money mainly refers to electronic payment systems/channels.
Examples of E-Money (Electronic Payment Systems)
– Electronic Clearing System (ECS) – banks use the Society for Worldwide Interbank Financial Telecommunication (SWIFT, a secure messaging system) to electronically deliver the data accompanying instruments to the ECS
– Electronic Funds Transfer (EFT)
– Real Time Gross Settlement (RTGS) – an online banking system for settling transactions
– Card payment systems including ATMs, credit cards, VISA cards etc.
– Mobile Money – a payment system that uses telecommunication infrastructure
– Internet banking
– Mobile banking
– Payway, Paypal etc.
Electronic Money and Information
Electronic money = information, implying that securing information translates into securing money! Money has become electronic information: no gold or paper is required. Money is just a coded series of binary digits, 1 and 0. Think of a mobile money user who loses his/her phone: what is normally their worry – the phone, the SIM card, or the PIN?
Information Security and Electronic Money
In the past, security focused on physical security, protecting money just as if it were gold. It was kept behind stone walls and in locked vaults, often guarded by men with weapons. As money has transformed from gold and silver to paper currency, to cheques, and today to electronic information, the walls of the bank have also transformed from stone and steel to electronic walls. The transformation of money into electronic information has resulted in new security controls, including:
– firewalls,
– intrusion detection systems,
– intrusion prevention systems, and
– access control lists,
all designed to protect money as information.
Information Security and Electronic Money
Even for paper money and cheques, measures were put in place to protect the information content of money. These include:
– use of watermarks,
– special paper,
– complex colors and graphics,
– security threads, and
– other anti-counterfeiting technologies
– all to ensure trust.
Key Information/E-money Security Risks
The three major information security risks related to e-money are:
– hacking into bank computer systems through exploitation of technical vulnerabilities,
– intentional or accidental data loss (laptop, tape or other data breaches), and
– identity theft or unauthorised account access by obtaining access keys through theft, phishing, social engineering, or other means.
The mode of exploitation of these risks varies from one payment system to another (i.e. card, internet, mobile banking etc.).
Key Information/E-money Security Risks – Common Risks
Duplication of devices – common in card-based systems; the method of attack is the creation of a new device that is accepted by other devices as genuine. Some of the ways this is accomplished are:
– reproduction, re-embossing or altering of a real card;
– a criminal secretly copies the data from the magnetic stripe of a valid card and transfers it onto the magnetic stripe of a new (counterfeit) card – the genuine cardholder still has possession of his card and does not know anything is wrong while the criminal is making transactions using the counterfeit card.
Key Information/E-money Security Risks – Duplication of Devices
Common risks – various methods:
– fixing a skimming device over the ATM card slot
– distracting the cardholder and skimming data using a handheld skimming device
– attaching a skimming device to the ATM lobby entrance card swipe
– genuine card capture
– micro-camera
– fake PIN pad fixed over the genuine PIN pad
– ‘shoulder surfing’
– attaching a fake PIN pad to the ATM lobby entrance card swipe
Key Information/E-money Security Risks – Common Risks
Alteration or duplication of data or software – modifying data stored on a genuine electronic money device in an unauthorised manner. For example, account takeover (existing accounts): the fraudster obtains the minimal valid information required from discarded documents, mail theft, insider collusion, theft of personal belongings and online data/theft of public records.
– Perpetrator: uses some true cardholder information, changes the cardholder’s mailing address, and requests a replacement or additional card/PIN to be mailed to the new address.
– Perpetrators log on to bank web sites, enrol as the legitimate cardholder, and change the account address.
Key Information/E-money Security Risks – Common Risks
Alteration of messages –
– Attackers could attempt to change the data or processes of a device by deleting messages, replaying messages, substituting an altered message for a valid one, or observing messages with ill intent.
– Communications between devices could be intercepted by outside attackers when sent across telecommunications lines, through computer networks or through direct contact between devices.
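As an added illustration (not part of the original presentation), the following Python example shows one way an issuer can detect the deletion, replay and substitution cases listed above: every payment message carries a sequence number and an HMAC-SHA256 tag computed over both the payload and the sequence number, and the receiver only accepts a message whose tag verifies and whose sequence number is exactly the next one expected. The shared key, account identifiers and amounts are constructed for this example; the function and class names are assumptions, not the names of any real payment system.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example only. In a real deployment the
# key would be provisioned from a key-management system or HSM (assumption).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _canonical(seq: int, payload: dict) -> bytes:
    """Serialise (seq, payload) deterministically so sender and receiver tag the same bytes."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def sign_message(payload: dict, seq: int, key: bytes = SHARED_KEY) -> dict:
    """Attach a sequence number and an HMAC-SHA256 tag to a payment message.

    The tag covers both payload and sequence number, so neither can be changed
    (substitution) or re-numbered without invalidating the tag.
    """
    tag = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Issuer-side verifier: rejects altered, replayed and out-of-sequence messages."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.expected_seq = 1      # strict counter: detects deletion and replay
        self.accepted = []         # payloads that passed all checks

    def receive(self, msg: dict) -> str:
        expected_tag = hmac.new(self.key, _canonical(msg["seq"], msg["payload"]),
                                hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            return "rejected: altered"
        if msg["seq"] < self.expected_seq:
            return "rejected: replay"
        if msg["seq"] > self.expected_seq:
            return "rejected: gap (missing message)"
        self.expected_seq += 1
        self.accepted.append(msg["payload"])
        return "accepted"


def demo() -> list:
    """Run the four cases from the slide against one receiver and return the verdicts."""
    rx = Receiver()
    m1 = sign_message({"from": "ACC-001", "to": "ACC-002", "amount": 100}, seq=1)
    m2 = sign_message({"from": "ACC-001", "to": "ACC-002", "amount": 50}, seq=2)
    m3 = sign_message({"from": "ACC-001", "to": "ACC-003", "amount": 25}, seq=3)

    results = [rx.receive(m1)]                                   # genuine: accepted
    # Substitution: same tag, but the amount in the payload was changed in transit.
    tampered = dict(m1, payload=dict(m1["payload"], amount=100000))
    results.append(rx.receive(tampered))                         # rejected: altered
    results.append(rx.receive(m1))                               # replay of m1: rejected
    results.append(rx.receive(m3))                               # m2 deleted: gap detected
    results.append(rx.receive(m2))                               # m2 finally arrives: accepted
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

An HMAC tag gives integrity and origin authentication between two parties that share the key; it does nothing for the "observing messages" case, which needs the channel itself to be encrypted (for example with TLS), and because either party could have produced the tag it cannot on its own settle a later repudiation dispute.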
Key Information/E-money Security Risks – Common Risks
Theft – data stored on devices could also be stolen via unauthorised copying. For example, an attacker could intercept messages between a genuine user and an issuer, or insert an unauthorised software program into a user's personal computer that enables the attacker to copy electronic notes in storage or in transmission.
Phishing – institutions of repute will not ask you to update or change sensitive information online. E-mails that bear dire warnings and request sensitive information are probably a scam.
Key Information/E-money Security Risks – Common Risks
Repudiation of transactions – the customer completes a transaction, but denies the transaction took place, and demands reimbursement of funds.
Malfunctions –
– Electronic money products could suffer from instances of accidental corruption or loss of data stored on a device, the malfunction of an application such as accounting or security functions, or failures in the transmission of messages. If exploited by unscrupulous holders before being detected, certain types of malfunction could cause losses to the issuer.
– Service provider risk – the service provider may not deliver the services expected by the bank; deficiencies in system or data integrity or reliability may result.
Implications
Financial loss – access to just a PIN can cost a customer or a bank billions. These include costs associated with reimbursing customer losses and with reconstructing accurate data on customers, and possible losses from redeeming electronic money for which no corresponding prepaid funds were received. Customers may perceive the bank as being unreliable. A bank may face legal or regulatory sanctions, and negative publicity.
Reputation – customers may perceive the bank as being unreliable, hence affecting the “brand integrity”.
Litigation – as a result of failure to protect customer privacy, e.g. a bank releases information profiling the pattern of customer financial transactions without customer authorisation.
(News clipping on the slide: “Carpark scam keeps banks busy. Customer told 100,000 credit cards need to be replaced”, 26 November 2009.)
Implications
High capital and operational expense for banks –
– Most information security measures, like encryption, impose an additional processing burden on computers that may significantly slow the performance of banking systems; hence financial institutions have to incur the cost of enhancing/upgrading their systems.
– The use of tamper-resistant devices incorporated into stored-value cards and merchant hardware is another capital expenditure for the banks.
Crime with no crime scene –
– The evolution of e-money and other technology has left access to information open to anyone, anywhere, at any time. Most e-money systems are borderless. Therefore, a criminal does not have to be on site to commit a crime.
Conclusion
In today’s world money has been reduced to binary data; hence access to information/data is as good as access to cash. The advent of e-money is touted for having provided the convenience of being able to access money anywhere at any time. It has also opened up many more access points compared to the gold and silver that would only require physical security. Unauthorised access to e-money can be by anyone, anywhere, at any time. Therefore, information security is everyone’s responsibility and it begins with you!