Cyber fraud in banks (for upload)

Cyber FraudChallenges & Solutions K. K. Mookhey Principal Consultant Network Intelligence India Pvt. Ltd.

Agenda Ground Reality – Digesting the Hard Facts Online Banking Fraud The Data Theft Epidemic Skimming & ATM Fraud Spear Phishing & APT Identifying Technology Red Flags Technology Fraud Risk Management Resources

Online Banking Fraud

Primary fix? 2-factorOr OTP User Awareness

The Data Theft Epidemic

What price India? Online examples…

Fresh record price = Rs. 75Converted customer price = Rs. 150

Skimming – Basic & Advanced

THE TRAP♦ The trap is made up of XRAY film, which is the preferred material by thieves; Simply because of the black color which is similar in appearance to the slot on the card reader.

Placing the TRAP♦ The trap is then inserted into the ATM slot. Care is taken not to insert the entire film into the slot, the ends are folded and contain glue strips for better adhesion to the inner and outer surface of the slots.

INVISIBLE♦ Once the ends are firmly glued and fixed to the slot, it is almost impossible to detect by unsuspecting clients.

How is your card confiscated?♦ Slits are cut into both sides of the trap, This prevents your card being returned prior to completing your transaction.

Retrieval of Confiscated card.♦ As soon as the “Customer” has gone, and they have your PIN , The thief can remove the glued trap, by grasping the folded tips, he simply pulls the trap out that has retained your card..

Advanced skimming - video

Where’s the silver lining?!

Technology Red Flags Systems crashing Audit trails not available Mysterious “system” user IDs Weak password controls Simultaneous logins Across-the-board transactions Transactions that violate trends – weekends, excessive amounts, repetitive amounts Reluctance to take leave or accept input/help Reluctance to switch over to a new system

The IIA – IT & Fraud RisksFraudulent Financial Reporting• Unauthorized access to accounting applications — Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.• Override of system controls — General computer controls include restricted system access, restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.

The IIA – IT & Fraud RisksMisappropriation of Assets• Theft of tangible assets — Individuals who have access to tangible assets (e.g., cash, inventory, and fixed assets) and to the accounting systems that track and record activity related to those assets can use IT to conceal their theft of assets.• Theft of intangible assets — Given the transition to a services-based, knowledge economy, more and more valuable assets of organizations are intangibles such as customer lists, business practices, patents, and copyrighted material.Corruption• Misuse of customer data — Personnel within or outside the organization can obtain employee or customer data and use such information to obtain credit or for other fraudulent purposes.

• As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policyPrinciple 1 to convey the expectations of the board of directors and senior management regarding managing fraud risk. • Fraud risk exposure should be assessed periodically by thePrinciple 2 organization to identify specific potential schemes and events that the organization needs to mitigate. • Prevention techniques to avoid potential key fraud risk eventsPrinciple 3 should be established, where feasible, to mitigate possible impacts on the organization. • Detection techniques should be established to uncover fraud eventsPrinciple 4 when preventive measures fail or unmitigated risks are realized. • A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and correctivePrinciple 5 action should be used to help ensure potential fraud is addressed appropriately and timely.

Leveraging Technology Data Leakage Prevention Email Gateway Filtering Security & Controls by Design Information Rights Management Identity & Access Control Management Data Encryption Business Intelligence Solutions Revenue Assurance & Fraud Management Solutions Forensic Investigation Capabilities

Chapter 6 – Cyber Frauds Special Committee of the Board to be briefed separately Independent Fraud Risk Management Group (FRMG) Fraud Review Councils to be set up Fraud Vulnerability Assessments New products to be reviewed by (FRMG) Banks to share details of fraudulent employees Transaction monitoring group/system Continuous trainings Employee awareness and rewarding whistleblowers Training institute for financial forensic investigation Sharing of fraud management experiences State-level Financial Crime Review Committee Multi-lateral arrangement amongst banks to deal with online frauds

Resources Fraud Risk Management System in Banks http://www.rbi.org.in/scripts/NotificationUser.aspx?Id=527 3&Mode=0 IIA – Fraud Prevention and Detection in an Automated World http://www.theiia.org/guidance/technology/gtag13/

Thank you! Questions? kkmookhey@niiconsulting.comInformation Security Information Security TrainingConsulting Services Services

Cyber fraud in banks (for upload)

by Network Intelligence on Nov 01, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Cyber fraud in banks (for upload) — Presentation Transcript