Cyber fraud in banks



  1. Cyber Fraud: Challenges & Solutions. K. K. Mookhey, Principal Consultant, Network Intelligence India Pvt. Ltd.
  2. Agenda
     - Ground Reality – Digesting the Hard Facts
     - Online Banking Fraud
     - The Data Theft Epidemic
     - Skimming & ATM Fraud
     - Spear Phishing & APT
     - Identifying Technology Red Flags
     - Technology
     - Fraud Risk Management
     - Resources
  3. Online Banking Fraud
  4. Primary fix? 2-factor or OTP; user awareness.
  5. The Data Theft Epidemic
  6. What price India? Online examples…
  7. Fresh record price = Rs. 75; converted customer price = Rs. 150
  8. Skimming – Basic & Advanced
  9. THE TRAP
     ♦ The trap is made of X-ray film, the material preferred by thieves simply because its black colour is similar in appearance to the slot on the card reader.
  10. Placing the TRAP
     ♦ The trap is then inserted into the ATM slot. Care is taken not to insert the entire film into the slot; the ends are folded and carry glue strips for better adhesion to the inner and outer surfaces of the slot.
  11. INVISIBLE
     ♦ Once the ends are firmly glued and fixed to the slot, it is almost impossible for unsuspecting customers to detect.
  12. How is your card confiscated?
     ♦ Slits are cut into both sides of the trap. This prevents your card from being returned before you complete your transaction.
  13. Retrieval of the confiscated card
     ♦ As soon as the “customer” has gone, and they have your PIN, the thief removes the glued trap: grasping the folded tips, he simply pulls out the trap that has retained your card.
  14. Advanced skimming – video
  15. Where’s the silver lining?!
  16. Technology Red Flags
     - Systems crashing
     - Audit trails not available
     - Mysterious “system” user IDs
     - Weak password controls
     - Simultaneous logins
     - Across-the-board transactions
     - Transactions that violate trends – weekends, excessive amounts, repetitive amounts
     - Reluctance to take leave or accept input/help
     - Reluctance to switch over to a new system
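Several of the red flags on slide 16 are signals a transaction-monitoring system can compute from ordinary login and transaction records. The script below is an added example, not part of the presentation, that runs three of them over a constructed set of records: simultaneous logins by one user on two terminals, user IDs that are not on the known staff list (the "mysterious system user IDs"), and transactions that violate trend (weekend timing, an amount above a limit, the same amount repeated by one user). The record layout, the sample data, the amount limit and the repeat threshold are all assumptions of the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records (not taken from any real bank or from the presentation).
LOGINS = [
    # (user, terminal, login time, logout time)
    ("teller01", "BR-01-T1", "2013-03-04 09:02", "2013-03-04 13:00"),
    ("teller01", "BR-07-T3", "2013-03-04 10:15", "2013-03-04 11:00"),  # overlaps the session above
    ("teller02", "BR-01-T2", "2013-03-04 09:05", "2013-03-04 17:00"),
    ("sysadm99", "BR-01-T2", "2013-03-09 23:40", "2013-03-10 00:10"),  # ID not on the staff list
]
TXNS = [
    # (txn id, user, timestamp, amount)
    ("T1", "teller01", "2013-03-04 10:20", 4999.0),
    ("T2", "teller01", "2013-03-04 10:25", 4999.0),
    ("T3", "teller01", "2013-03-04 10:31", 4999.0),     # third identical amount
    ("T4", "teller02", "2013-03-09 14:00", 120000.0),   # Saturday, above the limit
    ("T5", "teller02", "2013-03-05 11:00", 350.0),
]
KNOWN_USERS = {"teller01", "teller02"}  # hypothetical list fed from HR/IAM


def ts(s: str) -> datetime:
    return datetime.strptime(s, FMT)


def find_simultaneous_logins(logins):
    """Flag a user whose next session starts before the previous one ended, on a different terminal."""
    by_user = defaultdict(list)
    for user, terminal, start, end in logins:
        by_user[user].append((ts(start), ts(end), terminal))
    flags = []
    for user, sessions in by_user.items():
        sessions.sort()
        for (s1, e1, t1), (s2, _e2, t2) in zip(sessions, sessions[1:]):
            if s2 < e1 and t1 != t2:
                flags.append((user, t1, t2))
    return flags


def find_unknown_user_ids(logins, known_users):
    """Any login under an ID that HR/IAM does not know about: the 'mysterious system user' flag."""
    return sorted({user for user, _, _, _ in logins if user not in known_users})


def find_trend_violations(txns, amount_limit, repeat_threshold):
    """Weekend transactions, amounts above a limit, and the same amount repeated by one user."""
    weekend, excessive = [], []
    amounts = Counter()
    for txn_id, user, when, amount in txns:
        if ts(when).weekday() >= 5:  # Saturday or Sunday
            weekend.append(txn_id)
        if amount > amount_limit:
            excessive.append(txn_id)
        amounts[(user, amount)] += 1
    repetitive = [(user, amount, n) for (user, amount), n in amounts.items()
                  if n >= repeat_threshold]
    return {"weekend": weekend, "excessive": excessive, "repetitive": repetitive}


def run_red_flag_checks(logins=LOGINS, txns=TXNS, known_users=KNOWN_USERS):
    """Assemble one report from the three checks; thresholds are illustrative."""
    report = {
        "simultaneous_logins": find_simultaneous_logins(logins),
        "unknown_user_ids": find_unknown_user_ids(logins, known_users),
    }
    report.update(find_trend_violations(txns, amount_limit=100000.0, repeat_threshold=3))
    return report


if __name__ == "__main__":
    for name, hits in run_red_flag_checks().items():
        print(f"{name}: {hits}")
```

Each hit is a lead for review rather than proof of fraud; the value of encoding the red flags this way is that they are evaluated on every record, including those of the user who never takes leave, instead of depending on someone noticing.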
  17. The IIA – IT & Fraud Risks: Fraudulent Financial Reporting
     • Unauthorized access to accounting applications — Personnel with inappropriate access to the general ledger, subsystems, or the financial reporting tool can post fraudulent entries.
     • Override of system controls — General computer controls include restricted system access, restricted application access, and program change controls. IT personnel may be able to access restricted data or adjust records fraudulently.
  18. The IIA – IT & Fraud Risks: Misappropriation of Assets
     • Theft of tangible assets — Individuals who have access to tangible assets (e.g., cash, inventory, and fixed assets) and to the accounting systems that track and record activity related to those assets can use IT to conceal their theft of assets.
     • Theft of intangible assets — Given the transition to a services-based, knowledge economy, more and more valuable assets of organizations are intangibles such as customer lists, business practices, patents, and copyrighted material.
     Corruption
     • Misuse of customer data — Personnel within or outside the organization can obtain employee or customer data and use such information to obtain credit or for other fraudulent purposes.
  19. Principles of fraud risk management
     • Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy to convey the expectations of the board of directors and senior management regarding managing fraud risk.
     • Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
     • Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
     • Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
     • Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
  20. Leveraging Technology
     - Data Leakage Prevention
     - Email Gateway Filtering
     - Security & Controls by Design
     - Information Rights Management
     - Identity & Access Control Management
     - Data Encryption
     - Business Intelligence Solutions
     - Revenue Assurance & Fraud Management Solutions
     - Forensic Investigation Capabilities
  21. Chapter 6 – Cyber Frauds
     - Special Committee of the Board to be briefed separately
     - Independent Fraud Risk Management Group (FRMG)
     - Fraud Review Councils to be set up
     - Fraud Vulnerability Assessments
     - New products to be reviewed by the FRMG
     - Banks to share details of fraudulent employees
     - Transaction monitoring group/system
     - Continuous trainings
     - Employee awareness and rewarding whistleblowers
     - Training institute for financial forensic investigation
     - Sharing of fraud management experiences
     - State-level Financial Crime Review Committee
     - Multi-lateral arrangement amongst banks to deal with online frauds
  22. Resources
     - Fraud Risk Management System in Banks 3&Mode=0
     - IIA – Fraud Prevention and Detection in an Automated World
  23. Thank you! Questions? kkmookhey@niiconsulting.com
     Information Security Consulting Services; Information Security Training Services