
Information Security for the Banking Industry: A University Assignment

Updated on April 26, 2015

Security Landscape

The banking landscape after the financial crisis presents issues such as new regulations intended to reduce systemic risk and the need to rebuild trust across the global financial system (IBM 2012). 2012 saw unprecedented change in technology, including cloud computing, advances in malware and other emerging technologies, resulting in an expansion of internal and external threats and adding complexity to an already overly complicated security landscape (Ernst and Young 2012).

Primary Assets

A banking institution's primary asset is its finances; however, it is important to clarify that these finances fall into two distinct asset groups: consumer accounts and the bank's own financial reserves. Together these two components define the primary asset group referred to here as the financial 'balances' asset. Whilst a plethora of further banking institution assets exist, this report is primarily concerned with the protection of consumer accounts held with HSBC, the perceived and actual security of which directly and significantly affects the bank's reputational asset. A further determining factor of that reputational asset is the reliability and availability of internet banking services (Ma 2012).

Threat Actors and motivations

Organised Criminal Network

Given the nature of the client's business, the foremost threat actor is the organised criminal network. However, two distinct groups fall under this term: those that operate exclusively online, and those deemed somewhat traditional organised criminal groups, which use IT to enhance their terrestrial criminal activity (Choo 2008).

Whilst both are inherently motivated by financial gain, the latter group has a specific propensity to reinvest the wealth gained into further criminal activities such as narcotics and human trafficking (UK OCTF 2007). This has ethical, regulatory and reputational implications, exemplified by HSBC previously having been found “improperly facilitate(ing) transactions by Saudi financiers with ties to Al Qaeda”. HSBC were consequently fined $700 million (Saviano 2012). Notably, however, HSBC's global provision of banking services, in addition to its insufficient money laundering controls, arguably served to enable transnational organised criminals, and provides an insight into why the organisation has seen such high levels of money laundering (BBC 2012).

Choo (2008) describes exclusively online networks as smaller and more skilled, characterised by a transnational network of criminals that work together for the duration of a defined task. This, in addition to the fact that this group would arguably use more sophisticated technologies, results in them being a more capable threat actor.

The Evolution of Online Banking Cybercrime

Processes

Phishing

Phishing would be utilised in the form of mass unsolicited emails from the organised criminal network, purporting to originate from HSBC. These lead the 'target' to a phishing website that seeks to resemble the banking institution's own, where the criminals capture sensitive information such as the customer's username and password (as illustrated by figures 1 and 2), or install malware on the target's computer.

Figure 1: Phishing email leading the recipient to a phishing website (Source: M86 Security Labs 2008).
Figure 2: Subsequent phishing website (Source: Netcraft 2013).

Whilst it is contended by some that phishing by organised criminals involves identifying targets by surveillance and psychological profiling (Jahankhani and Al-Nemrat 2012), the indiscriminate mass emailing of persons (who may not even hold an account with the purported bank) suggests that the risk is exponentially linked to the size of the customer base. Therefore, despite HSBC being considered one of the most secure banks in the world (Global Finance 2011), HSBC is also the second largest in terms of customer base (Global Finance 2012), making it a tempting target in comparison to its banking counterparts.

Organised criminals have become increasingly adept at the phishing process, circumventing blocklists by continually changing the botnet machines from which the mail is sent, and avoiding spam filters by purchasing domains en masse to obtain unique URLs (for the phishing website) that remain valid for only a day (Moore and Clayton 2010).
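A defender-side check for the lookalike links described above, written as an added example (not from the report or any vendor): it extracts the URLs from an email body and flags any link whose host merely mentions the brand rather than belonging to the bank. The legitimate-domain set, the suffix list and the sample email are constructed placeholders, not HSBC's real domains.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the domains the bank actually uses. The report
# does not list HSBC's real domains, so these are placeholders.
LEGITIMATE_DOMAINS = {"hsbc.co.uk", "hsbc.com"}
BRAND = "hsbc"

# Matches http(s) URLs embedded in a plain-text email body.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Suffixes under which the registered domain is three labels long (example.co.uk).
# A short illustrative list, not a full public-suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the domain that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """'legitimate' if the link really points at the bank, 'brand-lookalike' if it
    only mentions the brand (in the host or the path), otherwise 'unknown'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    if BRAND in host or BRAND in parsed.path.lower():
        return "brand-lookalike"
    return "unknown"


def scan_email(body: str) -> list:
    """Return (url, verdict) for every link found in the body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample in the style the report describes: the mail claims to come
# from the bank but links to a freshly registered lookalike domain.
SAMPLE_EMAIL = """Dear Customer,
Your HSBC online banking access has been suspended. Please confirm your
details at https://hsbc.co.uk.account-review.example/login within 24 hours.
Regards, HSBC Customer Services
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {url}")
```

The host check deliberately uses the registered domain rather than a prefix match, since a lookalike host can legitimately begin with the bank's own name.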

Malware

The links within the aforementioned phishing emails may alternatively install malware on the client's machine, a tactic that is increasingly employed by organised criminal networks (SOCA 2008).

Trojans account for 66% of all malware (Symantec 2011). Of particular relevance to the banking industry is the 'Trojan Shylock' malware, which Symantec argue has recently been significantly altered with new modules, and which has considerably contributed to the 60% of banking institutions now being targeted (Symantec 2012). The way in which a typically infected computer is utilised is illustrated in figure 3; however, the recent additions to the Shylock malware have seen configuration files (illustrated in figure 4) dynamically inject and alter page elements such as a bank's contact details (as illustrated by figure 5), allowing criminals to insert telephone numbers that they control.

Figure 3: Money transfer flow with a Trojan-infected PC (Source: Symantec 2011).
Figure 4: Amended configuration file (Source: Symantec 2011).
Figure 5: Dynamically altered bank contact details (Source: Symantec 2011).

Threat Assessment

In 2009 APWG reported that 48% of the world's computers were infected with malware. In terms of possible current levels within the U.K., it is notable that phishing websites increased from 7,224 to 37,198 between 2007 and 2011, representing an 18% increase (Financial Fraud Action UK 2012). In one case alone £1.7 million was stolen from 48 companies (Wired 2013), and total phishing fraud amounted to £405.8m in 2012 (The Guardian 2013).

However, there are inherent difficulties in quantifying risk, as identification of such crime is considerably marred by underreporting. Europol (2011) found that individuals may fail to report because they do not notice the offence occurring, or because they may be subject to threats of violence and/or blackmail, a characteristic particularly prevalent among organised criminal gangs.

Attributing the proportion of such crimes to organised criminal networks is therefore an arduous task, although it is widely argued that they account for a high proportion (McCombie 2007; Moore and Clayton 2010; Jahankhani and Al-Nemrat 2012).

Recommendations

Legal and Regulatory

HSBC have a legal responsibility to take reasonable steps to protect consumer data under the Data Protection Act 1998. Furthermore, the Financial Services Authority (the body mandated with reducing financial crime, amongst other tasks) states that money stolen through fraudulent activity should be refunded to the victim (BBC 2010); therefore effective security tools have reputational, regulatory and financial impetus.

The Money Laundering Regulations Act 1993 states that banking institutions have a responsibility to maintain robust procedures for detecting money laundering and associated criminal acts; it additionally legislates the need for appropriate record keeping and reporting procedures.

This is of particular relevance in tackling organised criminals that also have offline criminal activities. Whilst beyond the scope of this paper, successfully detecting such crimes may aid in reducing the resources, and therefore the capability, of such criminals.

Security Tools

Symantec Fraudulent Transaction Detection

Companies such as Symantec offer fraud detection software that identifies suspicious banking transactions and contacts customers for verification (as illustrated by figure 6); furthermore, this outsourcing of security entails the third-party company continually researching and blocking emerging sites, viruses and threats.

Figure 6: Symantec fraud detection (Source: Symantec 2011).

E-Banking Authentication

Single-factor authentication for e-banking sign-on has historically been found to be inadequate in protecting consumer accounts (Tan et al 2033; Federal Financial Institutions Examination Council 2011; Mok 2009). Whilst a number of factors contribute to this, the propensity of persons to choose passcodes that are related to their birth date or year (as many as one in eleven people do [Bonneau et al 2012]) certainly contributes to criminal activities.

HSBC requires customers to use their keypad each time they log in, in addition to their customer number and memorable word. Comparatively, Natwest, for the purposes of logging on, requires the customer's 'I.D', passcode and password. Natwest has also introduced a keypad; however, the keypad is only required the first time a customer wishes to transfer money to an outside account. Notably, the card must be present, and slotted into the keypad, for the transaction to be authorised.

Whilst Hertzum et al. (2007) contend that ease of use through security automation is paramount to e-banking, it is this report's suggestion that the optimum combination for security purposes is to require the keypad, used with the customer's card, both for logging in and for transactions to new recipients. Additionally, the log-in details should consist of a customer ID and passcode, the latter of which should forbid the use of the customer's birth date/year in any form.
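The birth-date rule recommended above, as an added example (not HSBC's or the report's own code): a passcode check that generates the digit strings a customer could derive from their date of birth and rejects any passcode containing one. The minimum length and the sample date of birth are assumptions for illustration.

```python
from datetime import date

# Constructed sample customer for the demonstration; not a real date of birth.
SAMPLE_DOB = date(1985, 3, 7)


def birth_date_fragments(dob: date) -> set:
    """Digit strings a customer might derive from their date of birth: the year
    (4 or 2 digits), day+month in either order, and the full date in the usual
    orders, each with and without zero padding of day and month."""
    days = {f"{dob.day:02d}", str(dob.day)}
    months = {f"{dob.month:02d}", str(dob.month)}
    years = {f"{dob.year:04d}", f"{dob.year % 100:02d}"}
    frags = set(years)
    for dd in days:
        for mm in months:
            frags |= {dd + mm, mm + dd}
            for yy in years:
                frags |= {dd + mm + yy, mm + dd + yy, yy + mm + dd, yy + dd + mm}
    return frags


def contains_birth_date(passcode: str, dob: date) -> bool:
    """True if any date-derived fragment of four or more digits appears anywhere
    in the passcode. Two-digit fragments (e.g. the year '85') are ignored, as a
    substring test on them would reject most passcodes."""
    return any(len(f) >= 4 and f in passcode for f in birth_date_fragments(dob))


def passcode_problems(passcode: str, dob: date, min_length: int = 6) -> list:
    """Policy check at passcode selection time. The minimum length is an
    assumption for this example; the report only specifies the birth-date rule."""
    problems = []
    if not passcode.isdigit():
        problems.append("passcode must contain digits only")
    if len(passcode) < min_length:
        problems.append(f"passcode must be at least {min_length} digits")
    if contains_birth_date(passcode, dob):
        problems.append("passcode contains the customer's birth date or year")
    return problems


if __name__ == "__main__":
    for candidate in ("070385", "198507", "482913"):
        print(candidate, passcode_problems(candidate, SAMPLE_DOB) or "ok")
```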


Multifactor authentication such as this equates to having taken 'reasonable' steps to safeguard customer information, and as such complies with the Data Protection Act 1998. However, recent developments in malware have seen MitB ('Man in the Browser') attacks circumvent the keypads by presenting themselves as the respective bank's training section, instructing the customer, from a pop-up box, to enter their code (BBC 2012).

Financial Fraud Action UK (2012) contend that most fraud detection software will block this kind of threat by identifying any subsequent transactions as suspicious (BBC 2012); conversely, however, Garcia-Cervigon and Lilnas (2012) argue that the volume of emerging, previously unknown malware makes this claim implausible.
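Added example (not HSBC's or Natwest's card-reader protocol, which the report does not describe) of why binding the keypad code to the transaction limits the MitB trick discussed above: a code the customer is tricked into generating for a login, or for a different payee, is rejected for the payment, and a genuine code works only once. The HMAC construction, the per-card secret and the payee details are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: card reader and bank share a per-card secret and the
# reader answers a challenge with an HMAC-derived code. This shows the principle of
# binding the code to the transaction, not any bank's actual protocol.

def reader_response(card_secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Code the keypad displays once the card is inserted and the challenge keyed in."""
    mac = hmac.new(card_secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def login_challenge(nonce: bytes) -> bytes:
    return b"LOGIN|" + nonce

def payment_challenge(nonce: bytes, sort_code: str, account: str, pence: int) -> bytes:
    """Binds the code to payee and amount: the customer keys in (and so sees) exactly
    what they authorise, so a code obtained for one purpose cannot serve another."""
    return f"PAY|{sort_code}|{account}|{pence}|".encode() + nonce

class BankServer:
    def __init__(self, card_secret: bytes):
        self.card_secret = card_secret
        self.pending = {}  # nonce -> expected challenge, removed on first use

    def start_login(self) -> bytes:
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = login_challenge(nonce)
        return nonce

    def start_payment(self, sort_code: str, account: str, pence: int) -> bytes:
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = payment_challenge(nonce, sort_code, account, pence)
        return nonce

    def verify(self, nonce: bytes, response: str) -> bool:
        """Accept a code once, and only for the action the nonce was issued for."""
        challenge = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if challenge is None:
            return False
        return hmac.compare_digest(reader_response(self.card_secret, challenge), response)

def demo() -> dict:
    """Constructed scenario: a genuine payment, then the cases the binding must reject."""
    secret, payee = b"constructed-per-card-secret", ("40-00-00", "12345678", 25000)
    bank = BankServer(secret)
    n1 = bank.start_payment(*payee)
    code1 = reader_response(secret, payment_challenge(n1, *payee))
    n2 = bank.start_payment(*payee)
    login_code = reader_response(secret, login_challenge(bank.start_login()))
    n3 = bank.start_payment(*payee)
    code_other = reader_response(secret, payment_challenge(n3, "60-00-00", "87654321", 25000))
    return {"genuine": bank.verify(n1, code1), "replay": bank.verify(n1, code1),
            "login_code_for_payment": bank.verify(n2, login_code),
            "code_for_other_payee": bank.verify(n3, code_other)}
```

The protection only holds if the reader makes the customer key in the payee and amount themselves, so that a pop-up asking for "a code" cannot silently substitute the attacker's transaction details.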

Anti-virus software

One approach to stopping phishing, and the malware it subsequently installs, is to intervene at the originating email stage (Adida et al. 2005). To this end, banking institutions had previously promoted free anti-virus software that would identify, and alert the user to, any malware activity or suspicious emails, by prompting the user to download it at the log-in stage.


However, it now often serves as an additional, although secondary, security tool to the aforementioned 'keypads', and is generally only found by consumers seeking it out on the respective banking websites, as illustrated by figures 7 and 8.

It is this report's contention that this somewhat defeats the object of a banking institution having purchased the distribution of such software (the cost of which is considerable) and devalues the protection the software offers. This is of particular concern as nearly a fifth of home PCs have no anti-virus software (McAfee 2012).

Therefore it is suggested that the former, more prominent method of promotion is reinstated and additionally promoted by the bank's staff.


Figure 7: HSBC customer log in pages (Source: HSBC 2013).
Figure 8: Natwest customer log in pages (Source: Natwest 2013).

Consumer Awareness

The optimum situation is for the consumer's machine to be protected by anti-virus software, in addition to the consumer being educated about the dangers of phishing and malware. HSBC could promote education through their bank staff, in addition to displaying educational flyers in branch and sending security emails bi-annually.

Comments


Open (3 years ago):

Today my husband received a similar fake AT&T bill, but it was for a home phone and internet in the amount of $307. The bill really looked like the real bill. What tipped us off that it was fake was the fact that AT&T isn't our ISP, we don't use my husband's work email address for any bills, and our AT&T bill is only $28.

