Prevent banking frauds through identity management


Published on

What is the difference between private and retail banking in fraud management? Significant use of mobile devices (tablet, smartphone,...) and the growing number of fraud due to human factor are changing private banking management.
GARL presentation at Forum Banca 2013 describes fraud risks for private banking and how to manage them in a prevention plan.
The presentation was made as a collaboration with Banca Esperia (Mediobanca group).

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Prevent banking frauds through identity management

  1. 1. Prevent banking frauds through identity management Luca Sciortino – Information Security, Banca Esperia Giuseppe Paternò – Director Digital, GARL Milan, 24th September 2013
  2. 2. 3 About us •  Security manager with Banca Esperia •  Experience in similar roles for international bank groups •  Expert in programming, open source and IT security Twitter: @sciortlu LinkedIn: Web Site: •  Director Digital with GARL, bank of digital data founded in Switzerland in 2008 •  IT Consultant cooperating with Canonical and other big firms •  In the past with Red Hat, Sun Microsystems and IBM •  Researcher and professor at Trinity College Dublin Twitter: @gpaterno LinkedIn: Web Site: Luca Sciortino – Banca Esperia Giuseppe Paternò - GARL
  3. 3. 6 Boom time for frauds Sources: Association of Certified Fraud Examiners, Clusit, Unicredit Group, CRIF Daily identity fraud attempts in Italy 50 Time to discover an internal fraud 18MONTHS
  4. 4. 8 How much does frauds cost? 5% of profits are lost for frauds Cost of a single fraud discovered by one the main American bank in march 2011 Average of 1 out of 5 internal frauds in a calendar year Unrecoverable losses Sources: Association of Certified Fraud Examiners, Clusit, Unicredit Group, CRIF - July 2013 3TRILLION $ A YEAR 10 MILLION $ 1 MILLION $ 50%
  5. 5. 11 Internal vs. external frauds •  Many attempts •  Low impact for the bank Ex. Credit cards skimming, debit cards, false bonds, false insurances, online frauds, identity theft, wire transfers •  Few attempts •  High impact for the bank Ex. Insider Trading, roundings off, misappropriation of funds, confidential information leaking External frauds Internal frauds
  6. 6. 13 Internal frauds More risks More trust Internal audit policies
  7. 7. 16 Private banking and frauds, point of interests Few VIP customers Risk for accounts with substantial capital Trust in the banker The banker’s role is key in the relationship with customers Market Speculation Personal speculations made by internal professionals Reputation Losing the trust of customers/market is a bigger damage than the fraud itself
  8. 8. 18 External frauds and private banking Private Banking Lower risk of external frauds (less visibility and access compared to retail banking) Retail Banking Higher risk of external frauds (public access to the core services)
  9. 9. 20 Human factor and frauds Information leaking Confidential data about VIP Customers, personal assets, portfolio of investments Mutual confidence among colleagues Passwords exchange, use of applications forbidden by the security policies, …
  10. 10. 23 The role of identity in frauds Transations Logging Frequent access to VIP and high value accounts Physical and logical access control Application Authorisation Proven identity
  11. 11. 25 Identity management for frauds prevention Forbidden and/or off-hour access Counterfeiting of documents Identity theft
  12. 12. 26 KPI Banca Esperia is the Private Banking boutique of Mediobanca and Mediolanum, for private and international clients. Born in 2001, the group is specialized in advisory services, financial services and wealth planning About Banca Esperia Branches •  Personnel: 250 •  Private Banker: 76 •  Branches: 12 •  Total asset: € 14,3 mld (june 2013)
  13. 13. 30 SecurePass for digital identity protection Identity management The user is really who he claims to be – multifactor authentication EMV cards Identity cards for combined physical and logical access Compliance Compliant to EU regulations
  14. 14. 32 SecurePass guarantees digital identity of users SecurePass manage the lifecycle of users from an easy- to-use web control panel Group management Audit and centralized management Hosted in European datacenters by GARL
  15. 15. 34 SecurePass cloud service for identity theft prevention SecurePass is the platform for digital identity protection Military grade protection level Covered by an insurance policy From the experience and in collaboration with Swiss banks
  16. 16. 36 SecurePass security architecture •  SecurePass identity verifcation •  Verification of the location context (i.e. Internet, MPLS network, intranet,…) •  Access authorization to applications •  Centralized logging (who’s accessing what, from which IP, with which device/operating system and time of the day) Centralized control Double authorisation control over applications and on every application’s features Tracking of single features, Access to NDG, account Number, etc. Applications
  17. 17. 39 Benefits for finance and banking Outsouced identity management Streamline access Reduced operating risks
  18. 18. 41 Oousource identity management to a trusted third party Reduce mantainance cost Reduce internal fraud attempts Latest identity frauds technologies Guarantee personnel identification Relief the bank responsability (service covered by insurance) Reducing human factor risks
  19. 19. 44 Centralized access Single point of management Reduction of risks related to authorisation and rights management Improve users’ experience with Single Sign-On Compliant with EU regulations (i.e. italian “Garante della privacy II” )
  20. 20. 45 Operating risk reduction Strenghten transaction control Prevent information leaking Double authorisation: customer is guaranteed of the truthfulness of the transaction
  21. 21. 47 Conclusions Human factor is a risk for frauds in private banking Identity management can mitigate risks Multifactor authentication to guard access Audit & Compliance
  22. 22. 49 Thank you