on-line banking risks & countermeasures by vishal salvi – ciso hdfc bank
DESCRIPTION
IBA Banking Security Summit 2009. On-line Banking Risks & Countermeasures By Vishal Salvi – CISO HDFC Bank. Agenda. 1. Opportunity 2. Threats 3. Solutions. The Opportunity. Opportunity. The Internet. The Internet. Source: Internet World Stats as of Q2 08. The Internet. - PowerPoint PPT PresentationTRANSCRIPT
ConfidentialConfidential
On-line Banking On-line Banking Risks & CountermeasuresRisks & Countermeasures
By Vishal Salvi – CISO HDFC BankBy Vishal Salvi – CISO HDFC Bank
IBA Banking Security Summit 2009
ConfidentialConfidential
Agenda
1. Opportunity1. Opportunity2. Threats2. Threats3. Solutions3. Solutions
ConfidentialConfidential
The Opportunity
OpportunityOpportunity
ConfidentialConfidential
The Internet
ConfidentialConfidential
The Internet
Source: Internet World Stats as of Q2 08
ConfidentialConfidential
The Internet
Source: Internet World Stats as of Q2 08
ConfidentialConfidential
The Internet
Source: Internet World Stats as of Q2 08
ConfidentialConfidential
The Internet
Source: Internet World Stats as of Q2 08
19 %
72.5 %
73.8 %
5.2 %
63.8 %
26.1 %
68.6 %
58.1 %
70.7 %
ConfidentialConfidential
The Internet
Source: Internet World Stats as of Q2 08
World Popl. 6.6 Billion
Internet Users 1.46 Billion (22%)
On-line Users584 Million (40%)
Funds Transfer146 Million (20%)
ConfidentialConfidential
Threats
ConfidentialConfidential
Infrastructure
Applications
Data
People
So
ph
isti
ca
tio
n o
f a
tta
ck
s
Low
High
Focus of attacks
Time in years
Password Cracking
Website Defacement
Malware
Network Intrusion
Application Layer Attacks
Unauthorised Access
Information Leakage / Theft
Spam Mail
Social Engineering
Phishing
Pharming
Organized
Crime
Disorganized
Crime
Att
ac
ke
rs P
rofi
le
Trojans
Threat Horizon
ConfidentialConfidential
Threat Horizon
ConfidentialConfidential
Trend Micro
The Crimeware Landscape
ConfidentialConfidential
Phishing
ConfidentialConfidential
Phishing Stats
ConfidentialConfidential
Other Statistics
Distribution of Attacks by Hosting Method Top Ten Countries by Attack Volume
ConfidentialConfidential
The Underground Fraud Ecosystem
ConfidentialConfidential
TechnicalInfrastructure
Cash OutFraudster
The Fraud Supply Chain
HarvestingFraudster
OperationalInfrastructure
CommunicationFraud forum / chat room
Customer Account
Tools Hosting Delivery Mules Drops Monetizing
ConfidentialConfidential
Cash OutFraudster
Fraud as a Service: “Cut the Middle Man”
OperationalInfrastructure
User Account
Mules Drops Monetizing
FaaS
Tools Hosting Delivery
ConfidentialConfidential
Trojans
• Phishing/Pharming Trojans• Keyloggers/Screen-scrapers• MITB Trojans• Active Keylogger + Proxy (Botnet) Trojan
ConfidentialConfidential
Modus Operandi : Harvesting
– Fast-flux networks
Fast FluxFast Flux
ConfidentialConfidential
Underground Market Place : Credentials for Sale
• Potentially captured via crimeware, given FI & country coverage
ConfidentialConfidential
Underground Market Place : Credentials for Sale
• An online ad promoting lists of stolen credit cards
ConfidentialConfidential
Underground Market Place : Herding Mules
ConfidentialConfidential
Phone fraud services to cash out accounts in USA by taking advantage of inherent
weaknesses in the Call Centers. This can spoof any number in the United States. The
service enables fraudsters to accept incoming calls, posing as the genuine account holder.
Latest Trends : Phone Fraud to cash-out
ConfidentialConfidential
Chat in the Middle : Phishing Attack attempts to steal consumers’ data via bogus live chat support– Pop-up chat session with online banking customer– Live Chat session with Bank’s “Fraud Dept” looking to validate personal
information for better service• Request information which may be typically be used for challenge questions
– New twist in Phishing attack
Latest Trends : Chat in the Middle
ConfidentialConfidential
Solutions
ConfidentialConfidential
Multilayer Protection
Customer Awareness & EducationCustomer Awareness & Education
BankBank CustomerCustomer
ConfidentialConfidential
Awareness
ConfidentialConfidential
Anti-Phishing, Anti-Pharming & Anti-Trojan ServiceAnti-Phishing, Anti-Pharming & Anti-Trojan Service
Customer Awareness & EducationCustomer Awareness & Education
Blocking / Shutdowns
BankBank CustomerCustomer
ConfidentialConfidential
Infection / Update DropCommand & Control Bot-Herder
Less than 25% of infected PCs are protected by AV
applications. Even less effective against
the specific threat.
Anti-Trojan Service
Anti-Trojan Service
ConfidentialConfidential
Site-To-User AuthenticationSite-To-User Authentication
Anti-Phishing, Anti-Pharming & Anti-Trojan ServiceAnti-Phishing, Anti-Pharming & Anti-Trojan Service
Customer Awareness & EducationCustomer Awareness & Education
Authentication
BankBank CustomerCustomer
ConfidentialConfidential
Site-To-User Authentication
ConfidentialConfidential
Second Factor Adaptive AuthenticationSecond Factor Adaptive Authentication
Site-To-User AuthenticationSite-To-User Authentication
Anti-Phishing, Anti-Pharming & Anti-Trojan ServiceAnti-Phishing, Anti-Pharming & Anti-Trojan Service
Customer Awareness & EducationCustomer Awareness & Education
Strong Authentication
BankBank CustomerCustomer
ConfidentialConfidential
Adaptive Authentication
Fraud Network
ConfidentialConfidential
Transaction MonitoringTransaction Monitoring
Second Factor Adaptive AuthenticationSecond Factor Adaptive Authentication
Site-To-User AuthenticationSite-To-User Authentication
Anti-Phishing, Anti-Pharming & Anti-Trojan ServiceAnti-Phishing, Anti-Pharming & Anti-Trojan Service
Customer Awareness & EducationCustomer Awareness & Education
Transaction Monitoring
BankBank CustomerCustomer
ConfidentialConfidentialProprietary and Confidential
Transaction Monitoring
ConfidentialConfidential
Physical, N/W, Application, DB & OS level SecurityPhysical, N/W, Application, DB & OS level Security
Transaction MonitoringTransaction Monitoring
Second Factor Adaptive AuthenticationSecond Factor Adaptive Authentication
Site-To-User AuthenticationSite-To-User Authentication
Anti-Phishing, Anti-Pharming & Anti-Trojan ServiceAnti-Phishing, Anti-Pharming & Anti-Trojan Service
Customer Awareness & EducationCustomer Awareness & Education
BankBank CustomerCustomer
ConfidentialConfidential
Traditional layers of Security
ConfidentialConfidential
Physical, N/W, Application, DB & OS level SecurityPhysical, N/W, Application, DB & OS level Security
Transaction MonitoringTransaction Monitoring
Second Factor Adaptive AuthenticationSecond Factor Adaptive Authentication
Site-To-User AuthenticationSite-To-User Authentication
Anti-Phishing, Anti-Pharming & Anti-Trojan ServiceAnti-Phishing, Anti-Pharming & Anti-Trojan Service
Customer Awareness & EducationCustomer Awareness & Education
Incident Response, Fraud & Case ManagementIncident Response, Fraud & Case Management
BankBank CustomerCustomer
ConfidentialConfidential