THE IMPACT OF RECONNAISSANCE IN BANKS INFORMATION SYSTEMS
A CASE STUDY OF CO-OPERATIVE BANK OF KENYA
CARLVIN SOLOMON EZEKIEL MASAKHALIA
BBIT/MSA/08/00039
A MANAGEMENT RESEARCH PROJECT SUBMITTED IN THE PARTIAL
FULFILMENT OF THE REQUIREMENTS FOR THE BACHELOR OF BUSINESS
AND INFORMATION TECHNOLOGY
MT KENYA UNIVERSITY
APRIL 2011
Declaration
This research project is my original work and has never been presented for a degree in any
other university.
Signature.........................................................................Date......................................................
CARLVIN S.E MASAKHALIA
BBIT/MSA/08/00039
This project is presented for examination with the approval of the university Supervisor.
Signature..........................................................................Date..........................................….......
LYNETTE KARIMI RINGEERA
ICT DEPARTMENT MOUNT KENYA UNIVERSITY
Acknowledgements
Many thanks to MKU staff: the Director Mr Barasa, lecturers and subordinate staff. Many
more thanks to all my close friends; I could not have made it this far without your support,
materially and psychologically. It has been a short three years. I love you all!!
I also acknowledge God for everything he has done in my life. Without God’s blessings,
wisdom, understanding and guidance throughout this course work I could not have lived to
get to this point. Words are never enough to say thank you but I am really grateful.
Lastly, special thanks to Ms Lynette, my Supervisor, in this project you showed me the way
when I was lost and pushed me whenever I was stuck. God reward you immensely.
Abstract
This project is a survey of the impact of reconnaissance in banks' information systems, a case
study of the Co-operative Bank of Kenya, Kenyatta Avenue branch. It was conducted as a result of
the increase in fraud cases in the banking industry, where several banks have lost millions,
notably Co-op Bank (November 2010) and Family Bank (Feb 2011). Co-operative Bank,
particularly the Kenyatta Avenue branch, was chosen for this study because the bank has
previously been attacked; the most recent case was at the bank's headquarters (Jan 2011),
where Kshs 90 million was lost.
The first chapter gives an overview of the bank and the history of frauds attributed to
reconnaissance attacks, the statement of the problem, the objective of the study, the research
questions, its significance, and the scope and limitations of the study. Chapter two describes
the meaning of reconnaissance and the various ways in which it can be done. It further
describes the technologies used, types of attacks, threats and vulnerabilities. Chapter three
explains the research methodology adopted for the study, where questionnaires were distributed
to collect data from both customers and staff of the bank. The fourth chapter presents and
analyses the data collected using tables and graphs. Chapter five deals with the summary of the
major findings in relation to the objectives of the research and the research questions.
Lastly, chapter six concludes and provides the recommendations of the research by giving
solutions on the best ways to defend and safeguard the bank's information systems against
reconnaissance attacks. This includes advice to the banking industry on the impact of
reconnaissance.
Dedication
I dedicate this work to my Late Mother Edith P. Ogengó who taught me the value of
education. You were one in a million!!
List of Acronyms and Abbreviations
MKU – Mount Kenya University
NSE – Nairobi Stock Exchange
ATM – Automated Teller Machine
DNS – Domain Name System
FTP – File Transfer Protocol
IT – Information Technology
IDS – Intrusion Detection Systems
IIS – Internet Information Server
NT – Network Technology
SPSS – Statistical Package for the Social Sciences
ICANN – Internet Corporation for Assigned Names and Numbers
WWW – World Wide Web
ID – Identification
i.e. – that is
TABLE OF CONTENTS
PAGE
Declaration ...............................................................................................................................I
Acknowledgements..................................................................................................................II
Abstract..................................................................................................................................III
Dedication...............................................................................................................................IV
List of Acronyms and Abbreviations....................................................................................V
CHAPTER 1
1.1 Introduction.................................................................................................................1
1.2 Background information...............................................................................................3
1.3 Statement of the problem............................................................................................4
1.4 Objective of the Study..................................................................................................5
1.5 Significance of the Study...............................................................................................5
1.6 Limitation of the Study.................................................................................................6
1.7 Scope of the Study........................................................................................................6
CHAPTER 2
2.1 Meaning and Definition................................................................................................7
2.2 Reconnaissance Techniques..........................................................................................8
2.2.1 Low technology based technique..........................................................................8
2.2.2 Web based technique..........................................................................................10
2.2.3 Who is Database Technique................................................................................12
2.2.4 Domain Name System.........................................................................................13
2.3 Conceptual Framework...............................................................................................15
2.4 Gaps to be filled..........................................................................................................15
CHAPTER 3
3.1 Introduction...............................................................................................................17
3.2 Research Design.........................................................................................................17
3.3 Population and Sample Size........................................................................................17
3.4 Sample Design.............................................................................................................17
3.5 Data Collection Instruments /Tools.............................................................................18
3.6 Data Collection Procedures.........................................................................................18
3.7 Data Presentation and Analysis Techniques................................................................19
CHAPTER 4
4.1 Introduction................................................................................................................20
4.2 Staff’s response............................................................................................................21
4.3 Staff Gender.................................................................................................................21
4.4 Staff Age Category......................................................................................................22
4.5 Duration Worked with the Bank (Staff)......................................................................22
4.6 Highest Academic Qualifications (Staff).....................................................................23
4.7 Electronic Banking (Staff)...........................................................................................23
4.8 Handling of Cheques (Staff).........................................................................................24
4.9 Money Transfer Services for Example Money gram and Swift Staff)........................25
4.10 Loan applications business and personal loans (Staff)...............................................26
4.11 Staff use of Credit cards.............................................................................................26
4.12 Internet Banking..........................................................................................................27
4.13 Account Transactions deposit withdrawals and enquiries...........................................28
4.14 Use of ATM and Debit cards.......................................................................................29
4.15 Mobile Banking Services...........................................................................................30
4.16 Aspects of Social Engineering....................................................................................32
4.17 Physical break ins.......................................................................................................33
4.18 Leaving the work station............................................................................................35
4.19 Disposal......................................................................................................................35
4.20 Forms of Enquiries......................................................................................................36
4.21 Sharing User Details....................................................................................................37
4.23 Organisation’s Website................................................................................................38
4.24 Disposal of Customer details.......................................................................................39
4.25 Level of Confidentiality of Customer details...............................................................40
4.26 Entrusting third party with Customer details...............................................................41
4.27 Provision of Customer details on Telephone................................................................42
4.28 Use of the internet www in providing customer information.......................................43
4.29 Procedures implemented to ensure physical security of systems/networks..................44
4.30 Training..........................................................................................................................45
4.31 Gender (Customer’s)......................................................................................................46
4.32 Age Category (in years), customers...............................................................................47
4.33 Number of years they had been with bank customers....................................................48
4.34 Electronic Banking (Customer response)........................................................................49
4.35 Handling of Cheques (Customer response).....................................................................50
4.36 Money Transfer Services for Example Money gram and Swift......................................51
4.37 Loan applications business and personal loans (Customer response)..............................52
4.38 use of Credit cards (Customer response)..........................................................................53
4.39 Internet Banking...............................................................................................................54
4.40 Account Transactions deposit withdrawals and enquiries...............................................55
4.41 Use of ATM and Debit cards........................................................................................56
4.42 Mobile Banking Services...............................................................................................57
4.43 Aspects of Social Engineering.......................................................................................58
4.44 Disposal of Customer details.........................................................................................60
4.45 Sharing of Customer details...........................................................................................62
4.46 Keeping your customer documentation.........................................................................63
4.47 Privacy...........................................................................................................................63
4.48 Loss of ATM..................................................................................................................64
4.49 Action taken after the loss of the ATM..........................................................................65
4.50 Duration before reporting...............................................................................................66
4.51 Documentation you have lost through physical break ins..............................................67
4.52 Organization’s website....................................................................................................68
4.53 Leaving recipients...........................................................................................................69
4.54 Records of Customer details...........................................................................................70
4.55 Disclosure of bank account details in website.................................................................71
4.56 Sharing your financial details in internet forums............................................................72
4.30 Training/Education (Customers).....................................................................................73
CHAPTER 5
5.0 Summary of the Major Findings..................................................................................75
5.1 Conclusions................................................................................................................80
5.2 Recommendations......................................................................................................81
References.......................................................................................................................84
Appendices......................................................................................................................85
Appendix 1(Staff Questionnaire).....................................................................................85
Appendix 2(Customer Questionnaire).............................................................................89
CHAPTER 1
1.1 INTRODUCTION
Reconnaissance refers to the gathering of information about a system before the actual attack is
carried out. It involves an attacker taking time to collect detailed information before the
attack, using publicly available information. Through the reconnaissance phase, computer
attackers can determine how best to mount their attack for success. To effectively launch
certain types of attacks, a hacker usually needs some knowledge about the network topology
or the hardware used. The technique that gathers this type of information is called
reconnaissance.
Reconnaissance on its own is, in many environments, not a threat, but the intelligence found
by employing it is often used later to attack a system or network. So, the threat of
reconnaissance attacks is mostly an indirect one: after the network has been scanned, this
information is used subsequently for attacks.
There are four common reconnaissance techniques: low-technology reconnaissance, general
Web searches, whois databases and the Domain Name System (DNS).
Low-technology reconnaissance usually involves social engineering, physical break-in
and dumpster diving. In social engineering, an attacker calls an employee at the target
organization on the phone and deceives the individual into revealing sensitive information;
that is, the attacker pretends to be an employee, a customer or a supplier. Physical break-in
involves attackers with physical access to computer systems gaining access to accounts and
data. They may plant malicious programs on the internal systems, giving them remote control
of your systems from the outside. Dumpster diving (trashing) involves going through an
organization’s garbage looking for sensitive information, i.e. the attacker looks for discarded
paper, floppy disks, tapes and even hard drives containing sensitive data; in the process the
attacker may get a complete diagram of the network architecture, user IDs and passwords.
In web-based reconnaissance an attacker uses a computer and Internet resources to learn
about the target organization, that is, to determine its domain names, network addresses and
contact information. One technique used is searching an organization’s own web site, which
could hold useful information such as employees’ contact information with phone numbers.
Whois databases are the third technique through which reconnaissance can be done on an
organization. A whois database contains a variety of data elements regarding the assignment
of Internet addresses, domain names and individual contacts. The registrar of domain names
ensures that your domain name is unique and assigns it to your organization by entering it
into various databases, including whois databases, so that your machines will be accessible
on the Internet using your domain name. Whois databases were developed to allow people to
look up information about domain name registrations.
Reconnaissance attacks can also be carried out using the Domain Name System (DNS).
DNS is a component of the Internet: a hierarchical database, distributed around the world,
that stores a variety of information such as IP addresses, domain names and mail server
information.
1.2 BACKGROUND INFORMATION
OVERVIEW OF THE ORGANISATION
The Co-operative Bank of Kenya Limited ('the Bank') is incorporated in Kenya under the
Companies Act and is also licensed to do the business of banking under the Banking Act. The
Bank was initially registered under the Co-operative Societies Act at the point of founding in
1965. This status was retained until June 27th 2008, when the Bank's Special General
Meeting resolved to incorporate under the Companies Act with a view to complying with the
requirements for listing on the Nairobi Stock Exchange (NSE).
The Bank went public and was listed on December 22 2008. Shares previously held by the
3,805 co-operative societies and unions were ring-fenced under Coop Holdings Co-operative
Society Limited, which became the strategic investor in the Bank with a 64.56% stake. The
Bank runs three subsidiary companies, namely: Kingdom Securities Limited, a stock broking
firm in which the bank holds a controlling 60% stake; Co-op Trust Investment Services
Limited, the fund management subsidiary wholly owned by the bank; and Co-operative
Consultancy Services (K) Limited, the corporate finance, financial advisory and
capacity-building subsidiary wholly owned by the bank.
BANK FRAUD AND RECONNAISSANCE
According to a Daily Nation report (14th January 2011), Co-operative Bank in the last quarter
lost Kshs 300 million as a result of fraud, which is an increase from the previous year. Bank
fraud has been common in the recent past, whereby customers, institutions and the bank itself
have lost millions of shillings as a result. The report claims that most frauds occur as a result
of attackers who are well informed about the bank's processes, databases and administration.
This information is usually obtained using various reconnaissance techniques, for example
low-technology techniques (social engineering) and the World Wide Web.
Bank fraud is the use of fraudulent means to obtain money, assets or other property owned
or held by a financial institution. In several instances, bank fraud is a criminal offense, and it
occurs after information about various aspects of the institution's information systems has
been gathered, that is, after reconnaissance has been conducted.
According to another Daily Nation report (6th May 2011), the most common forms in which
the frauds have occurred are: stolen cheques, cheque kiting, forgery and altered cheques,
accounting fraud, uninsured deposits, demand draft fraud, rogue traders, fraudulent loans,
fraudulent loan applications, forged or fraudulent documents, wire fraud, bill discounting
fraud, payment card fraud, stolen payment cards, duplication or skimming of card
information, empty ATM envelope deposits, impersonation, prime bank fraud, the fictitious
'bank inspector’, phishing and internet fraud, and money laundering. The report further
described how most of these scams occurred as a result of well-informed attackers who had
detailed knowledge of the bank's confidential information, raising the concern of how this
information is obtained.
1.3 STATEMENT OF THE PROBLEM
The study aims to survey the impact of reconnaissance in the banking industry. Information
systems, especially in the banking industry, are susceptible to reconnaissance attacks. The
bank, its customers and its employees have to ensure that confidential information is
safeguarded from reconnaissance attacks in order to prevent fraud through which they can
lose millions of shillings.
The main role of a bank is to ensure safe custody of the customer’s funds. In the recent past
there have been several cases where customers have lost huge amounts of money from their
accounts. Common cases include forgery and impersonation, where attackers have full
information about the client: the account number, the account name, ID number and
sometimes even the PIN and signatures; hence they are able to use the information to defraud
the bank. This allows attackers to have full access to customer accounts. This research
therefore uncovers reconnaissance in the banking industry.
1.4 OBJECTIVE OF THE STUDY
General Objective
The general objective of this study is to survey reconnaissance in banks information systems.
Specific Objectives
The specific objectives of this study are:
a) To identify areas in the banking information systems which are affected by reconnaissance.
b) To identify the ways in which reconnaissance occurs in banks.
c) To create awareness of reconnaissance in banks.
Research Questions
a) What areas in the banking information systems are affected by reconnaissance?
b) What are the ways in which reconnaissance can be carried out in banks?
c) Are people (staff, customers, management) aware of reconnaissance?
1.5 SIGNIFICANCE OF THE STUDY
To the organisation/bank
This research is very important as it reveals areas of the bank which are affected by
reconnaissance, in order for the bank to improve security in its information systems.
The research also exposes ways in which the reconnaissance occurs.
To the employees
This research will raise awareness of reconnaissance among the staff and management, which
helps to avoid future fraud cases.
1.6 LIMITATIONS OF THE STUDY
During the research, the following challenges were anticipated:
Accessibility of information
Banks have strict rules and regulations for accessing information. Accessing information in
most cases requires authorization from the section heads, who at times are fearful and careful
with sensitive information. It is therefore difficult to get some information.
Time
The bank staff Kenyatta Avenue branch are always busy and have specific duties assigned to
them. They may not have enough time for me.
1.7 SCOPE OF THE STUDY
The study is limited to Co-operative Bank and is based at the Kenyatta Avenue branch near
Makupa Police Station. It involves interviews whereby various customers of the bank and of
that branch will provide information on how they confide private information about their bank
accounts. The interviews will provide vital details on the information attackers can obtain in
order to carry out an attack.
ATM outlets are also widely used by several customers, and a large amount of information can
be collected from these points. This will therefore be an area of study in this case.
CHAPTER 2
LITERATURE REVIEW
2.1 MEANING & DEFINITION
Reconnaissance refers to gathering information. It involves an attacker taking time to collect
detailed information before the attack, using publicly available information. Reconnaissance is
the process by which a potential intruder gains all of the information they need to know about
an information system (IP Network Scanning and Security Reconnaissance, Joe Eitel). Through
the reconnaissance phase, computer attackers can determine how best to mount their attack for
success. According to an interview in Bank Technology News (October 2008) by Rebecca
Sausner, reconnaissance leads to multi-channel fraud. This is a matter of interest in information
security in banks.
Sophos, a popular site, found 16,000 web pages per day newly infected with key logging or
other malware in August 2010. This means online banking customers remain vulnerable to
unauthorized access; the difference now is that online reconnaissance is merely the first step
in a multi-channel fraud play. Security Curve’s Diana Kelley says tracking seemingly
innocuous online activities requires analytics that are beyond most institutions' authentication
firepower these days. Kelley further says that getting online and looking at the information
in the account is actually a portion of the attack reconnaissance; the attacker is finding
out information that can be used in other channels, in other ways. She describes a case at one
particular financial institution where there appeared to be a standard wire transfer whose
request had been faxed in, and it wasn't until they went back into the past that they were able
to find there was somebody who had been looking at the account to see what was in there and
get information. A lot of what went on during the reconnaissance didn't actually appear to be
problematic. But if one thinks about what details banking accounts hold right now, it can
actually be a lot of information that can be used in a variety of ways (multi-channel fraud).
2.2 RECONNAISSANCE TECHNIQUES
There are several techniques for reconnaissance in information systems; however, the four
most common are low-technology reconnaissance, general web searches, whois databases and
the Domain Name System (DNS) (Andrew Whitaker and Daniel Newman, Penetration Testing
and Network Defense, October 2005).
2.2.1 LOW TECHNOLOGY BASED TECHNIQUE
Low-technology reconnaissance includes social engineering, physical break-in and dumpster
diving. A social engineering attack is one in which the intended victim is somehow tricked
into doing the attacker's bidding. An example would be responding to a phishing email,
following the link and entering your banking credentials on a fraudulent website. The stolen
credentials are then used for everything from finance fraud to outright identity theft
(Antivirus Software Blog by Mary Landesman, October 10, 2008).
Social engineering also involves an attacker calling an employee at the target organization on
the phone and deceiving the individual into revealing sensitive information; that is, the
attacker pretends to be an employee, a customer or a supplier. Social engineering is a deception
in which the attacker develops a pretext for the call. A female voice on the phone is more likely
to gain trust in a social engineering attack than a male voice, although attackers of either
gender can be remarkably effective. The most effective method of defending against the social
engineer is user awareness: computer users at all levels must be trained not to give sensitive
information away to a friendly caller. The security awareness program should inform
employees about social engineering attacks and give explicit directions about information
that should never be revealed over the phone; employees should not give out sensitive
data (Social Engineering 101 (Q&A) by Elinor Mills, August 2010).
Table 1: Some Common Social Engineering Pretexts
A “new employee” calls the help desk trying to figure out how to do a particular task on
the computer.
A “manager” calls a lower-level employee because his password has suddenly stopped
working.
A “system administrator” calls an employee to fix her account, which requires using her
password.
An “employee in the field” has lost his contact information and calls another employee to
get the remote access phone number.
Source: Prof John Durret (Spring 2003), Reconnaissance and Scanning, page 53. Publisher:
O'Reilly; Letian Li, ISQS 6342.
Physical Break-In involves attackers with physical access to computer systems
gaining access to accounts and data. Computer systems and networks are vulnerable
to physical attack; therefore, procedures should be implemented to ensure that
systems and networks are physically secure. Physical access to a system or network
provides the opportunity for an intruder to damage, steal, or corrupt computer
equipment, software, and information. Attackers may plant malicious programs on the
internal systems, giving them remote control capabilities of your systems from the
outside (Federal Agency Security Practices. National Institute of Standards and
Technology Web site: http://csrc.nist.gov/fasp/).
Dumpster Diving (Trashing) is a fancy, glorified way of saying "trash picking".
Dumpster diving, or trash picking, can lead to information which could be used to
compromise a network or identity. If you discard bank statements, credit card
statements or other sensitive information without first shredding or otherwise
destroying it, you may be at risk for an attacker to gain information about you through
dumpster diving (Tony Bradley, CISSP-ISSAP former About.com Guide).
Basically, dumpster diving involves going through an organization’s garbage looking for
sensitive information, i.e. the attacker looks for discarded paper, floppy disks, tapes and even
hard drives containing sensitive data. In the process the attacker may get a complete diagram
of the network architecture, user IDs and passwords. Effective methods of defending against
dumpster diving include paper shredders; staff should be encouraged to use them for
discarding all sensitive information, and the awareness program must spell out how to discard
sensitive information.
2.2.2 WEB BASED TECHNIQUE
Another technique is web-based reconnaissance. A website is a virtual location on the WWW
containing several subject- or company-related web pages and data files accessible through a
browser. Each website has its own unique web address (see uniform resource locator) which can
be reached through an internet connection (BusinessDictionary.com).
In this technique an attacker uses a computer and internet resources to learn about the target
organization, that is, to determine its domain names, network addresses and contact
information. This includes searching an organization’s own web site. The organization’s web
site could have useful information on the following: employees’ contact information with phone
numbers, which is useful particularly for social engineering. Clues about the corporate culture
and the language can also be obtained. The site could include significant information about
product offerings, work locations and even the best employees; digesting this information could
be useful when conducting a social engineering attack. Business partners can be found. This
knowledge could be useful in social engineering, or, by attacking a weak partner, the target
organization could ultimately be reached. Information about recent mergers and acquisitions
can also be obtained. During mergers many organizations forget about security issues, and a
skilful attacker may target an organization during a merger: the company being acquired may
have a lower security posture than the acquiring company, and the attacker can benefit by
attacking the weaker organization. Technologies being used can also be shown. Some sites may
include a description of the computing platforms in use (say, Windows NT, with an IIS web
server and an Oracle database). Such information is useful for attackers, who will refine their
attack based on it (Mr Matt, Forum Italiano Discussione Utenti StoneGate-FIDUS, hacking
tools reconnaissance).
Using search engines, an attacker can retrieve information about the history, current events
and future plans of the target organization, for example the organization name, product names
and known employee names. Use of Usenet newsgroups can also provide critical information.
Internet Usenet newsgroups are used by employees to share information and ask questions; that
is, employees may submit questions about how to configure a particular type of system or
troubleshoot problems. An attacker could send a response giving incorrect advice about how to
configure the system, tricking the user into lowering the security standing of the
organization.
Web-based reconnaissance can be avoided by establishing policies regarding what type of
information is allowed on your own web servers; you want to make sure that you are not making
things extra easy for attackers by publishing sensitive information on your own web site. The
organization must have a policy regarding the use of newsgroups and mailing lists by
employees. The policy must be enforced by periodically and regularly conducting searches of
open, public sources such as the Web and newsgroups, to see what the world is saying about
your organization (Kerry J. Cox, Christopher Gerg, Managing Security with Snort and IDS Tools,
August 2004, page 288).
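As an added illustration of the self-audit that the policy above calls for (example code written for this edit, not part of the project or of the cited sources), the following Python script scans a page that is about to be published on the organization’s own web server and reports the disclosures the chapter lists: employee e-mail addresses and phone numbers, and named computing platforms. The sample page, the pattern lists and the function names are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Disclosure types the chapter lists as useful to an attacker doing web-based
# reconnaissance: employee contact details and the computing platform in use.
# The pattern lists are assumptions and can be extended per organisation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{7,}\d")
TECH_RE = re.compile(r"\b(windows nt|iis|oracle|apache|mysql|sql server)\b", re.IGNORECASE)


class _TextExtractor(HTMLParser):
    """Collect the visible text of a page plus the targets of mailto:/tel: links."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith(("mailto:", "tel:")):
                self.chunks.append(value.split(":", 1)[1])


def audit_page(html):
    """Return the disclosures found in one HTML page, grouped by type."""
    extractor = _TextExtractor()
    extractor.feed(html)
    text = " ".join(extractor.chunks)
    # Keep only digit runs long enough to be a phone number (drops years, amounts).
    phones = {m for m in PHONE_RE.findall(text) if len(re.sub(r"\D", "", m)) >= 9}
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": sorted(phones),
        "technologies": sorted({m.lower() for m in TECH_RE.findall(text)}),
    }


def is_safe_to_publish(html):
    """True when the page discloses none of the audited items."""
    return not any(audit_page(html).values())


# Constructed sample page (not a real bank site) showing every disclosure type.
SAMPLE_HTML = """
<html><body>
<h1>Example Bank, Kenyatta Avenue Branch</h1>
<p>Our branch runs on Windows NT with an IIS web server and an Oracle database.</p>
<p>Contact the operations manager:
<a href="mailto:jane.doe@example.com">Jane Doe</a>, tel. +254 20 123 4567.</p>
<p>Recent merger: we joined forces with Partner Ltd in 2011.</p>
</body></html>
"""

if __name__ == "__main__":
    for kind, items in audit_page(SAMPLE_HTML).items():
        print(f"{kind}: {items}")
    print("safe to publish:", is_safe_to_publish(SAMPLE_HTML))
```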
2.2.3 WHOIS DATABASE TECHNIQUE
The third technique is WHOIS databases. WHOIS databases are the lists of names, e-mail
addresses, postal addresses and telephone numbers for the holders of the millions of internet
domain names. The Internet Corporation for Assigned Names and Numbers (ICANN), which
oversees domain name registries for many of the most important top-level domains, requires
disclosure of this contact information (source: privacilla.org).
According to L. Daigle (WHOIS Protocol Specification, September 2004), WHOIS databases
provide search for information about the domain names, people, computers, organizations and
name servers involved with administering the Domain Name Service (DNS). A core set of this
data constitutes a unified database view shared by all of the domain name registrars.
An attacker can contact the target’s registrar to obtain the following useful data: the
names of persons in the complete registration information, i.e. the administrative, technical
and billing contacts, which one can use to deceive people in the target organization during a
social engineering attack; the telephone numbers associated with the contacts, which can be
used by an attacker; email addresses, which indicate (to an attacker) the format of email
addresses used in the target organization, so that the attacker will know how to address
email for any user; postal addresses, which an attacker can use as geographic information to
conduct dumpster-diving exercises or social engineering; registration dates, where records
that have not been recently updated may indicate an organization that is lax in maintaining
its Internet connection and that, for example, may not keep its servers or firewalls up to
date either; and name servers, which give the addresses of the DNS servers of the target.
WHOIS searches can be prevented by keeping the registration information (that will appear in
the WHOIS database) accurate and up to date. This information can let you inform an
administrator of another network that their systems were used during an attack, if attack
packets are traced to that network (David Lindsay, 2004, Privacy Law and Policy Reporter).
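To show how an organization can check its own registration record for what the chapter says a WHOIS lookup exposes, the following Python script (an added example, not from the project or from the cited sources) parses a WHOIS response given as Key: Value lines, summarises the contacts, postal address and name servers it reveals, and flags a record that has not been updated for more than an assumed 365 days. The record format, the threshold and the sample record are assumptions.

```python
from datetime import date

# Assumed threshold for "not recently updated"; the text gives no number.
STALE_AFTER_DAYS = 365


def parse_whois(raw):
    """Parse 'Key: Value' lines into a dict; a repeated key (e.g. Name Server) becomes a list."""
    record = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key not in record:
            record[key] = value
        elif isinstance(record[key], list):
            record[key].append(value)
        else:
            record[key] = [record[key], value]
    return record


def audit_whois(raw, today_iso):
    """Summarise what the public record reveals and flag a stale registration.

    today_iso is the audit date as YYYY-MM-DD so that results are reproducible.
    """
    rec = parse_whois(raw)
    contacts = {}
    for role in ("admin", "tech", "billing"):
        if rec.get(f"{role} name"):
            contacts[role] = {
                "name": rec[f"{role} name"],
                "email": rec.get(f"{role} email"),
                "phone": rec.get(f"{role} phone"),
            }
    servers = rec.get("name server", [])
    if isinstance(servers, str):
        servers = [servers]
    postal = [rec.get(k) for k in ("registrant street", "registrant city", "registrant country")]
    days = (date.fromisoformat(today_iso) - date.fromisoformat(rec["updated date"])).days
    return {
        "domain": rec.get("domain name"),
        "contacts": contacts,
        "postal_address": ", ".join(p for p in postal if p),
        "name_servers": [s.lower() for s in servers],
        "days_since_update": days,
        "stale": days > STALE_AFTER_DAYS,
    }


# Constructed sample record for illustration; not a real registration.
SAMPLE_WHOIS = """\
% Constructed sample record, not a real registration
Domain Name: example-bank.co.ke
Creation Date: 2002-06-01
Updated Date: 2009-03-15
Registrant Organization: Example Bank Ltd
Registrant Street: 1 Example Street
Registrant City: Mombasa
Registrant Country: KE
Admin Name: Jane Doe
Admin Email: jane.doe@example-bank.co.ke
Admin Phone: +254.201234567
Tech Name: John Roe
Tech Email: john.roe@example-bank.co.ke
Tech Phone: +254.201234568
Name Server: NS1.EXAMPLE-BANK.CO.KE
Name Server: NS2.EXAMPLE-BANK.CO.KE
"""

if __name__ == "__main__":
    summary = audit_whois(SAMPLE_WHOIS, "2011-04-01")
    for key, value in summary.items():
        print(f"{key}: {value}")
```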
2.2.4 DOMAIN NAME SYSTEM
The last technique is the Domain Name System. The DNS is a system that translates internet
domain and host names to internet protocol addresses. DNS automatically converts the names
typed in a web browser address bar to the IP addresses of the web servers hosting those sites
(Bradley Mitchell, 2011, About.com Guide). DNS implements a distributed database to store
this name and address information for all public hosts on the Internet. DNS assumes IP
addresses do not change, that is, that they are statically rather than dynamically assigned.
DNS is a component of the internet: a hierarchical database distributed around the world that
stores a variety of information such as IP addresses, domain names and mail server
information. DNS servers, referred to as “name servers”, store this information and make up
the hierarchy (Ron Aitchison, Pro DNS and BIND Third Edition).
Table 2: The Domain Name Service Hierarchy
Root DNS servers
    com DNS servers        net DNS servers        org DNS servers
        company.com DNS server
Source: Ron Aitchison, Pro DNS and BIND Third Edition, page 123.
According to Elinor Mills, a security expert (August 21, 2008), a domain name attack starts
with the attacker aiming to determine one or more DNS servers for the target organization,
which are readily available in the registration records obtained from the registrar’s WHOIS
database. Using the DNS server information, an attacker can use tools such as nslookup to get
DNS information. Through this tool an attacker can interrogate name servers, asking the DNS
server to transmit all the information it has about all systems associated with the given
domain. Through DNS-based reconnaissance an attacker can find extremely useful information
such as machine names and associated IP addresses, the purpose of the machines and the
operating system type. With this information the machines can be scanned for vulnerabilities.
DNS-based reconnaissance can be prevented by limiting the amount of DNS information about the
infrastructure that is publicly available. This is because the general public on the Internet
only needs to resolve names for a small fraction of the systems in your enterprise (such as
external web, mail and FTP servers). A split DNS will allow you to separate the DNS records
that you want the public to access from your internal names: implement an internal DNS server
and an external DNS server, separated by a firewall. The external DNS server contains only
DNS information about those hosts that are publicly accessible; the internal DNS server
contains DNS information for all your internal systems (D. Eastlake 3rd, CyberCash; C.
Kaufman, Iris; January 1997).
Table 3: A split DNS
[Diagram: the Internet and the internal network separated by a firewall; the external DNS
server and external systems sit on the Internet side of the firewall, the internal DNS server
and internal systems on the internal network side.]
Source: Ron Aitchison, Pro DNS and BIND Third Edition, page 122
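The following Python script is an added example (not from the project or from Pro DNS and BIND) of checking that an external zone meets the split DNS rule above, namely that it carries only publicly accessible hosts: it parses a simple BIND-style zone file and flags records with private (RFC 1918), loopback or link-local addresses, HINFO records that state a machine’s hardware and operating system, and owner names that suggest an internal system. The zone file subset handled, the keyword list and the sample zone are assumptions.

```python
import ipaddress
import re

# Address ranges that must never appear in a public zone (RFC 1918, loopback, link-local).
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
# Name fragments that hint at an internal or purpose-revealing host (assumed list).
INTERNAL_HINTS = {"intranet", "internal", "db", "backup", "dc", "payroll", "hr", "test", "dev"}


def parse_zone(text):
    """Yield (owner, rtype, rdata_tokens) for each record of a simple BIND-style zone file."""
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip() or line.startswith("$"):
            continue                              # blank, comment-only or directive line
        tokens = line.split()
        if line[0] in " \t":
            fields = tokens                       # indented line inherits the previous owner
        else:
            owner, fields = tokens[0], tokens[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                         # drop optional TTL and class
        if owner is not None and fields:
            yield owner, fields[0].upper(), fields[1:]


def audit_external_zone(text):
    """Return {owner: [reasons]} for records that do not belong on the external DNS server."""
    findings = {}
    for owner, rtype, rdata in parse_zone(text):
        reasons = []
        if rtype in ("A", "AAAA") and rdata:
            try:
                addr = ipaddress.ip_address(rdata[0])
            except ValueError:
                addr = None
            if addr is not None and any(addr in net for net in NON_PUBLIC_NETS):
                reasons.append(f"non-public address {addr}")
        if rtype == "HINFO":
            reasons.append("HINFO discloses hardware/OS: " + " ".join(rdata).replace('"', ""))
        if set(re.sub(r"[\d-]+", " ", owner.lower()).split()) & INTERNAL_HINTS:
            reasons.append("name suggests an internal system")
        for reason in reasons:
            findings.setdefault(owner, [])
            if reason not in findings[owner]:
                findings[owner].append(reason)
    return findings


# Constructed sample external zone (documentation addresses, not a real bank).
SAMPLE_ZONE = """\
$ORIGIN example-bank.co.ke.
$TTL 3600
@         IN SOA   ns1 hostmaster 2011040101 3600 900 1209600 300
@         IN NS    ns1
ns1       IN A     203.0.113.2
www       IN A     203.0.113.10
mail      IN A     203.0.113.25
ftp       IN A     203.0.113.30
www       IN HINFO "INTEL" "WINDOWS NT"   ; reveals the web server platform
intranet  IN A     10.1.2.3               ; belongs only in the internal zone
db01      IN A     192.168.5.20           ; internal database server
"""

if __name__ == "__main__":
    for owner, reasons in audit_external_zone(SAMPLE_ZONE).items():
        print(owner, "->", "; ".join(reasons))
```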
2.3 CONCEPTUAL FRAMEWORK
[Diagram of the conceptual framework with the boxes: Banking Information Systems; Ways in
which reconnaissance is done in banks; Areas affected by reconnaissance in banks; Awareness
of reconnaissance.]
1.7 GAPS TO BE FILLED
This research aims to identify the ways in which reconnaissance occurs in the banking
industry, the areas affected by reconnaissance attacks and the awareness of reconnaissance
among the employees and customers of the bank.
The banking industry is vulnerable to reconnaissance attacks, which usually target weaknesses
in the information system. In today’s world most financial institutions have automated work
processes and operations. Fraudsters and attackers take advantage of the weaknesses of these
advancements, such as electronic banking, mobile banking, internet banking and the use of
ATMs, to defraud banks and customers. They have adopted the latest reconnaissance technology
to gain information. The findings of this research provide useful techniques in areas such as
information system security policies, forensic investigations and internal and external audit
trails in the banking industry to prevent reconnaissance attacks.
CHAPTER 3
RESEARCH METHODOLOGY
3.1 INTRODUCTION
This chapter describes the methodology adopted in the survey. It explains the research
design, population and sample size, sampling design, data collection instruments/tools, data
collection procedures, and the data presentation and analysis techniques used.
3.2 RESEARCH DESIGN
The survey will be conducted at the Co-operative Bank Kenyatta Avenue branch in Makupa,
Mombasa. It involves the use of interviews, detailed questionnaires and observations of the
information systems in order to collect data for the research. Respondents will include both
employees of the bank based at the Kenyatta Avenue branch and customers who operate accounts
with the bank.
3.3 POPULATION AND SAMPLE SIZE
According to the operations manager, the branch has twenty-five employees. This is a
reachable group and therefore the study interviews and questionnaires were carried out on all
the employees. The branch has a total of 3,500 customers at the moment, although the number
is growing; a sample of 60 customers using different products and services will be involved
in this study, which is 2% of the entire population.
3.4 SAMPLING DESIGN
The bank has several branches across the country and therefore it would be cumbersome to
conduct the research in all branches. However, most of the operations in the different
branches are the same; therefore one branch, in this case Kenyatta Avenue, will provide an
adequate sample.
All staff of the branch will be involved. The bank has several products and services, for
instance savings and current accounts, mobile banking, internet banking, personal and
business loans, ATM services, and debit and credit card facilities. In sampling, the study
will incorporate customers of various products and services so as to assess the extent to
which information can be obtained about confidential details and the bank’s information
system, as follows:
Category                               Number
Staff                                  25
Account customers                      10
Mobile banking customers               10
Internet banking customers             10
Personal and Business loan customers   10
ATM customers                          10
Debit and Credit card customers        10
TOTAL                                  85
3.5 DATA COLLECTION INSTRUMENTS/TOOLS
This study will use both primary and secondary data collection tools. The main primary data
collection tools to be used are questionnaires, interviews and observations. The main
secondary data collection tools to be used are journals, articles from the IT security and
forensic department, and internet articles.
3.6 DATA COLLECTION PROCEDURES
To collect data, simple questionnaires were prepared in advance. The questionnaires were then
distributed to the staff and customers. I also found time to sit with various employees to
interview them in order to obtain information that could not be captured by the
questionnaires. The study also involved taking routine walks through the system, the work
procedures, and the products and services in order to observe areas relevant to the study.
Finally, I looked for bank articles and journals, some from the security department, to
provide more information on the study.
3.7 DATA PRESENTATION AND ANALYSIS TECHNIQUES
The study will involve the use of SPSS statistical software for analysing data and bar charts,
tables and graphs for representation and analysis.
CHAPTER 4
DATA PRESENTATION AND ANALYSIS
4.1 Introduction
This chapter presents the analysis of the data collected from the questionnaires of both the
staff and the customers of the bank. The data is presented and analysed with the help of
tables, graphs and charts.
Response rate:
Seventy (70) questionnaires were distributed: twenty-five were distributed to the staff of
the Kenyatta Avenue Co-operative branch, and all were answered and returned, none was lost.
On the other hand, 60 questionnaires were distributed to customers, among whom fifty-one
answered and returned them while seven never returned them.
Table 4.1 Staff’s response
Response          Frequency   Percentage
Responded         25          100
Did not respond   0           0
Total             25          100
Source: Research Data (2011)
Table 4.2 Customer’s responses
Response          Frequency   Percentage
Responded         51          85
Did not respond   9           15
Total             60          100
Source: Research Data (2011)
Staff’s Response
4.2 Section
When the staff were asked to state which section they work in, they responded as shown in
the table below:
Table 4.3 Which section do you work in?
Response         Frequency   Percent   Valid Percent   Cumulative Percent
management       3           12.0      12.0            12.0
supervisor       4           16.0      16.0            28.0
clerk            18          72.0      72.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study revealed that the majority of the staff at the Co-operative Bank Kenyatta Avenue
branch are clerks: 72% are clerks, 16% are supervisors while 12% are in management.
4.3 Staff Gender
When the staff were asked to state their gender, they responded as shown in the table below:
Table 4.4 What is your gender?
Response         Frequency   Percent   Valid Percent   Cumulative Percent
male             15          60.0      60.0            60.0
female           10          40.0      40.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study showed that there are more male than female staff. Males are 60% while females are
40% of the branch population.
4.4 Staff Age category
When the staff were asked to state their age category in years, they responded as shown
below:
Table 4.5 What is your age category?
Response         Frequency   Percent   Valid Percent   Cumulative Percent
below 25         4           16.0      16.0            16.0
25-35            18          72.0      72.0            88.0
36-45            3           12.0      12.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that most of the staff in the branch are between 25 and 35 years old. The
staff below 25 years are 16%, those between 25 and 35 are 72% and those between 36 and 45 are
12%.
4.5 Duration worked with the Bank (Staff)
When asked how long they had worked in the organization in years, the staff responded as
shown below:
Table 4.6 For how long have you been working in this organisation?
Response             Frequency   Percent   Valid Percent   Cumulative Percent
less than one year   4           16.0      16.0            16.0
between 1-2          11          44.0      44.0            60.0
between 3-5          5           20.0      20.0            80.0
between 6-10         3           12.0      12.0            92.0
above 10             2           8.0       8.0             100.0
Total                25          100.0     100.0
Source: Research Data (2011)
The study reveals that 44% of the staff had worked between 1 and 2 years, 20% between 3 and 5
years, 16% less than one year, 12% between 6 and 10 years and 8% above 10 years. This shows
that the majority of the staff in the branch have less than 5 years in the bank.
4.6 Highest academic qualifications (Staff)
When asked their highest academic qualification, the staff responded as shown below:
Table 4.7 What is your highest academic qualification?
Response         Frequency   Percent   Valid Percent   Cumulative Percent
diploma          3           12.0      12.0            12.0
first degree     19          76.0      76.0            88.0
post graduate    3           12.0      12.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study reveals that the majority of the staff are degree holders: first degree holders are
76%, postgraduates are 12% and diploma holders are 12%. This shows that most staff are highly
educated.
4.7 Electronic banking (Staff)
When asked about the safeguarding of information in electronic banking, for example direct
debits, the staff responded as shown below:
Table 4.8 Electronic banking for example direct debits
Response         Frequency   Percent   Valid Percent   Cumulative Percent
agree            22          88.0      88.0            88.0
strongly agree   3           12.0      12.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree with the safeguarding of information in
electronic banking, that is 88%, while 12% strongly agree. This shows effective information
system security in e-banking.
4.8 Handling of cheques (Staff)
When asked about the safeguarding of information when handling cheques, the staff responded
as shown below:
Table 4.9 Handling of cheques
Response         Frequency   Percent   Valid Percent   Cumulative Percent
agree            22          88.0      88.0            88.0
strongly agree   3           12.0      12.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
[Bar chart: Handling of cheques; percent of respondents by response (agree, strongly agree).
Source: Research Data (2011)]
The study shows that the majority of the staff agree with the safeguarding of information in
the handling of cheques, that is 88%, while 12% strongly agree. This shows effective
information system security in cheque transactions.
4.9 Money transfer services for example MoneyGram and SWIFT (Staff)
When asked about the safeguarding of information on money transfers, for example SWIFT and
MoneyGram, the staff responded as shown below:
Table 4.10 Money transfer services for example MoneyGram and SWIFT
Response         Frequency   Percent   Valid Percent   Cumulative Percent
agree            19          76.0      76.0            76.0
strongly agree   6           24.0      24.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree with the safeguarding of information in
money transfer services, that is 76%, while 24% strongly agree. This shows that there is
effective information system security in the money transfer services.
4.10 Loan applications business and personal loans (Staff)
When asked about the safeguarding of information in loan applications for business and
personal loans, the staff responded as shown below:
Table 4.11 Loan applications business and personal loans
Response         Frequency   Percent   Valid Percent   Cumulative Percent
not certain      8           32.0      32.0            32.0
agree            12          48.0      48.0            80.0
strongly agree   5           20.0      20.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree with the safeguarding of information in
loan applications, that is 48%, while 32% are not sure and 24% strongly agree. This shows
that the information system security in loan applications is effective but has some
uncertainty.
4.11 Staff use of credit cards
When asked about the safeguarding of information in the use of credit cards, the staff
responded as shown below:
Table 4.12 Use of credit cards
Response         Frequency   Percent   Valid Percent   Cumulative Percent
not certain      10          40.0      40.0            40.0
agree            11          44.0      44.0            84.0
strongly agree   4           16.0      16.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree with the safeguarding of information in
the use of credit cards, that is 44%, while 40% are not sure, which is also a high number,
and 16% strongly agree. This shows that the information system security in the use of credit
cards is effective but there is some element of doubt or uncertainty among other staff
members.
4.12 Internet banking
When asked about the safeguarding of information in internet banking, the staff responded as
shown below:
Table 4.13 Internet banking
Response         Frequency   Percent   Valid Percent   Cumulative Percent
not certain      5           20.0      20.0            20.0
agree            14          56.0      56.0            76.0
strongly agree   6           24.0      24.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
[Bar chart: Internet banking; percent of respondents by response (not certain, agree,
strongly agree). Source: Research Data (2011)]
The study shows that the majority of the staff agree with the safeguarding of information in
internet banking, that is 56%, 24% strongly agree and 20% are not sure. This shows that the
information system security in internet banking is effective but there is some uncertainty.
4.13 Account transactions: deposits, withdrawals and enquiries
When asked about the safeguarding of information in account transactions (deposits,
withdrawals and enquiries), the staff responded as shown below:
Table 4.14 Account transactions: deposits, withdrawals and enquiries
Response         Frequency   Percent   Valid Percent   Cumulative Percent
not certain      1           4.0       4.0             4.0
agree            19          76.0      76.0            80.0
strongly agree   5           20.0      20.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree with the safeguarding of information in
account transactions, that is 76%, 20% strongly agree and 4% are not sure. This shows that
information system security in account transactions is effective but there is some
uncertainty.
4.14 Use of the ATM and debit cards
When asked about the safeguarding of information in the use of the ATM and debit cards, the
staff responded as shown below:
Table 4.15 Use of the ATM and debit cards
Response            Frequency   Percent   Valid Percent   Cumulative Percent
strongly disagree   1           4.0       4.0             4.0
disagree            2           8.0       8.0             12.0
agree               16          64.0      64.0            76.0
strongly agree      6           24.0      24.0            100.0
Total               25          100.0     100.0
Source: Research Data (2011)
[Bar chart: Use of the ATM and debit cards; percent of respondents by response (strongly
disagree, disagree, agree, strongly agree). Source: Research Data (2011)]
The study shows that the majority of the staff agree with the safeguarding of information in
the use of the ATM and debit cards, that is 64%, 24% strongly agree, 8% disagree and 4%
strongly disagree. This shows that although information system security is effective in the
use of the ATM and debit cards there are some vulnerabilities.
4.15 Mobile banking services
When asked about the safeguarding of information in mobile banking services, the staff
responded as shown below:
Table 4.16 Mobile banking services
Response         Frequency   Percent   Valid Percent   Cumulative Percent
not certain      2           8.0       8.0             8.0
disagree         2           8.0       8.0             16.0
agree            17          68.0      68.0            84.0
strongly agree   4           16.0      16.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
[Bar chart: Mobile banking services; percent of respondents by response (not certain,
disagree, agree, strongly agree). Source: Research Data (2011)]
The study shows that the majority of the staff agree with the safeguarding of information in
mobile banking, that is 68%, 16% strongly agree, 8% disagree and 8% are not certain. This
shows that although information system security is effective in mobile banking there are
some vulnerabilities and threats to this service.
4.16 Aspects of social engineering
When asked which aspects of social engineering they had encountered, the staff responded as
follows:
Table 4.17 Which of the following aspects of social engineering have you encountered?
Response                                          Frequency   Percent   Valid Percent   Cumulative Percent
a colleague/a new employee calling the help desk  13          52.0      52.0            52.0
a system admin calls to fix your account          5           20.0      20.0            72.0
an employee has lost his contact info and calls   7           28.0      28.0            100.0
Total                                             25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff had a colleague or new employee calling the
help desk, which was 52% of the respondents; 28% had an employee who had lost his contact
info calling, and 20% had a system administrator calling to fix their account. This study
reveals evidence of social engineering aspects in the information system, a technique that
can be used to carry out reconnaissance attacks.
[Bar chart: Which of the following aspects of social engineering have you encountered?;
percent of respondents by response (a colleague/a new employee calling the help desk, a
system admin calls to fix your account, an employee has lost his contact info and calls).
Source: Research Data (2011)]
4.17 Physical break-ins
When asked which experiences they had encountered in terms of physical break-ins/access to
the computer, the staff responded as follows:
Table 4.18 Which of the following experiences have you encountered in terms of physical
break-ins/access to the computer?
Response                        Frequency   Percent   Valid Percent   Cumulative Percent
corrupted files and documents   7           28.0      28.0            28.0
accessed files                  5           20.0      20.0            48.0
unavailable password/user       2           8.0       8.0             56.0
none of the above               11          44.0      44.0            100.0
Total                           25          100.0     100.0
Source: Research Data (2011)
[Bar chart: Which of the following experiences have you encountered in terms of physical
break-ins/access to the computer?; percent of respondents by response (corrupted files and
documents, accessed files, unavailable password/user, none of the above). Source: Research
Data (2011)]
The study shows that the majority of the staff had not experienced any physical break-ins,
that is 44%; however 28% of the respondents had their files corrupted, 20% had their files
accessed and 8% had an unavailable password/user. This study reveals evidence of some aspects
of physical break-ins in the information system, a technique that can be used to carry out
reconnaissance attacks.
4.18 Leaving the work station
When asked what they do when leaving the work station/computer, the staff responded as shown
below:
Table 4.19 What do you do when leaving your work station/computer?
Response                    Frequency   Percent   Valid Percent   Cumulative Percent
minimise files              7           28.0      28.0            28.0
close files                 10          40.0      40.0            68.0
lock/turn off the computer  7           28.0      28.0            96.0
not sure                    1           4.0       4.0             100.0
Total                       25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff close files on their computers when leaving
the work station, that is 40%; 28% of the respondents minimise their files and 28% lock or
turn off the computer, while 4% are not sure. Thus the study reveals that most staff do not
lock or turn off their computers when leaving.
4.19 Disposal
When asked how they dispose of customers’ waste papers/materials such as bills, bank
statements, ATM receipts and credit card offers, the staff responded as shown below:
Table 4.20 How do you dispose of customers’ waste papers/materials such as bills, bank
statements, ATM receipts and credit card offers?
Response             Frequency   Percent   Valid Percent   Cumulative Percent
throw in the waste   18          72.0      72.0            72.0
fold and dispose     2           8.0       8.0             80.0
shred                3           12.0      12.0            92.0
file                 2           8.0       8.0             100.0
Total                25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff throw away the waste material of customers,
that is 72%; only 12% of the respondents shred the customer waste, 8% file it and 8% fold it
when disposing. Thus the study reveals that most staff do not shred customer trash, and
dumpster diving, a reconnaissance technique, could be used.
4.20 Forms of enquiries
When asked what forms of enquiries they had used to disclose customer information in
addition to actual customer visits, the staff responded as shown below:
Table 4.21 What forms of enquiries have you used to disclose customer information in
addition to the actual customer visit?
Response                                             Frequency   Percent   Valid Percent   Cumulative Percent
a close and trusted third party (relative/friend)    4           16.0      16.0            16.0
telephone                                            16          64.0      64.0            80.0
none of the above                                    5           20.0      20.0            100.0
Total                                                25          100.0     100.0
Source: Research Data (2011)
[Bar chart: What forms of enquiries have you used to disclose customer information in
addition to the actual customer visit?; percent of respondents by response (a close and
trusted third party (relative/friend), telephone, none of the above). Source: Research Data
(2011)]
The study shows that the majority of the staff disclose customer details on the telephone,
that is 64%; 20% of the respondents do not provide information other than to the actual
customer, and 16% disclose to close people and trusted third parties. Thus the study reveals
that some staff disclose customer information to people other than the actual customer.
4.21 Sharing User Details
When asked with whom they had shared details such as user names and passwords, the staff
responded as shown below:
Table 4.22 With whom have you shared customer details such as user names, passwords and
account numbers?
Response         Frequency   Percent   Valid Percent   Cumulative Percent
a colleague      3           12.0      12.0            12.0
never shared     22          88.0      88.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff, 88%, have never shared their user details,
while 12% of the respondents have shared them with a colleague. Thus the study reveals that
although most staff have never shared their details, others have provided their user details
to colleagues.
4.23 Organization’s website
When asked what useful information they had ever obtained from the organization’s website,
the staff responded as shown below:
Table 4.24 What useful information have you ever obtained from the organisation’s website?
Please tick as many as possible.
Response                                                        Frequency   Percent   Valid Percent   Cumulative Percent
employees’ contact information (phone numbers and e-mail info)  3           12.0      12.0            12.0
products/services information                                   8           32.0      32.0            44.0
best employee info                                              3           12.0      12.0            56.0
recent mergers                                                  5           20.0      20.0            76.0
work locations                                                  3           12.0      12.0            88.0
business partners                                               3           12.0      12.0            100.0
Total                                                           25          100.0     100.0
Source: Research Data (2011)
The study shows that the staff can obtain a variety of information from the organization’s
website: 32% obtained information on products and services, 20% information on recent
mergers, and 12% each information on employees’ contacts, best employees, work locations and
business partners.
4.24 Disposal of customer details
When asked about the proper disposal of customer details, the staff responded as shown below:
Table 4.25 Proper disposal of customer details
Response         Frequency   Percent   Valid Percent   Cumulative Percent
not certain      1           4.0       4.0             4.0
disagree         1           4.0       4.0             8.0
agree            19          76.0      76.0            84.0
strongly agree   3           12.0      12.0            96.0
6.00             1           4.0       4.0             100.0
Total            25          100.0     100.0
Source: Research Data (2011)
[Bar chart: Proper disposal of customer details; percent of respondents by response (not
certain, disagree, agree, strongly agree, 6.00). Source: Research Data (2011)]
The study shows that the majority of the staff, 76%, agree with the proper disposal of
customer details; not certain and disagree are 4% each, while strongly agree is 12%. Thus the
study shows that customer details are well disposed of.
4.25 Level of confidentiality of customer details
When asked about the level of confidentiality of customer bank details, the staff responded
as shown below:
Table 4.26 Level of confidentiality of customer details
Response            Frequency   Percent   Valid Percent   Cumulative Percent
strongly disagree   1           4.0       4.0             4.0
agree               22          88.0      88.0            92.0
strongly agree      2           8.0       8.0             100.0
Total               25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff, 88%, agree on the high level of
confidentiality, 8% strongly agree and 4% strongly disagree. Therefore the study shows that
customer details are usually kept confidential.
4.26 Entrusting third party with customer details
When asked about the entrusting of third parties with bank details of customers, the staff
responded as shown below:
Table 4.27 Entrusting third party with customer details
Response            Frequency   Percent   Valid Percent   Cumulative Percent
strongly disagree   1           4.0       4.0             4.0
disagree            2           8.0       8.0             12.0
agree               18          72.0      72.0            84.0
strongly agree      4           16.0      16.0            100.0
Total               25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree on not entrusting customer details to
third parties, that is 72%; 16% strongly agree, 8% disagree and 4% strongly disagree.
Therefore the study shows that customer details are not to be entrusted to third parties,
although some employees breach this.
[Bar chart: Entrusting third party with customer details; percent of respondents by response
(strongly disagree, disagree, agree, strongly agree). Source: Research Data (2011)]
4.27 Provision of customer details on telephone
When asked about the provision of customer details on the telephone, the staff responded as
shown below:
Table 4.28 Provision of customer details on telephone
Response         Frequency   Percent   Valid Percent   Cumulative Percent
disagree         3           12.0      12.0            12.0
agree            18          72.0      72.0            84.0
strongly agree   4           16.0      16.0            100.0
Total            25          100.0     100.0
Source: Research Data (2011)
The study shows that the majority of the staff agree that they do not provide customer
details on the phone, 72%; 16% strongly agree and 12% disagree. Therefore the study shows
that customer details are not to be provided on the telephone, although some staff breach
this.
4.28 Use of the internet (www) in providing customer information
When asked about the use of the internet (www) in providing or obtaining information, the staff responded as shown below:
Table 4.29 Use of the internet www in providing customer information
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 1       4.0             4.0                  4.0
agree                      20      80.0            80.0                 84.0
strongly agree              4      16.0            16.0                100.0
Total                      25     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the staff (80%) agree that they do not provide customer details on the internet, 16% strongly agree and 4% disagree. Therefore the study shows that customer details are not to be provided over the internet, although a small part of the staff breach this.
[Figure: bar chart of percent by response, use of the internet (www) in providing customer information]
Source: Research Data (2011)
4.29 Procedures implemented to ensure physical security of systems/ networks
When asked about the procedures implemented to ensure physical security of the system and network, the staff responded as shown below:
Table 4.30 Procedures implemented to ensure physical security of systems/ networks
Response            Frequency   Percent   Valid Percent   Cumulative Percent
agree                      22      88.0            88.0                 88.0
strongly agree              3      12.0            12.0                100.0
Total                      25     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the staff (88%) agree that the procedures implemented to ensure physical security are effective and 12% strongly agree. Therefore the study shows that the bank has safe physical security devices and procedures.
[Figure: bar chart of percent by response, procedures implemented to ensure physical security of systems/networks]
Source: Research Data (2011)
4.30 Training
When asked how often training on information system protection is done, the staff responded as shown below:
Table 4.31 How often is training on information systems protection done?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
quarterly                  25     100.0           100.0                100.0
Source: Research Data (2011)
The study shows that all staff agreed that the training on information system security is done
quarterly.
Customers' responses:
4.31 Gender (customers)
When asked about their gender, customers' responses were as follows:
Table 4.32 What is your gender?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
male                       33      64.7            64.7                 64.7
female                     18      35.3            35.3                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study showed that male customers outnumber female customers: males are 64.7% and females 35.3% of branch customers.
[Figure: bar chart of frequency by gender, What is your gender?]
Source: Research Data (2011)
4.32 Age category (in years), customers
When asked about age category (in years), customers responded as follows:
Table 4.33 What is your age category in years?
Age category        Frequency   Percent   Valid Percent   Cumulative Percent
below 25                    7      13.7            13.7                 13.7
26-35                      23      45.1            45.1                 58.8
36-45                      16      31.4            31.4                 90.2
46-55                       2       3.9             3.9                 94.1
Above 55                    3       5.9             5.9                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that most of the customers are between 26 and 35 years old. Customers below 25 years are 13.7%, between 26 and 35 years 45.1%, between 36 and 45 years 31.4%, between 46 and 55 years 3.9% and above 55 years 5.9%.
4.33 Number of years customers had been with the bank
When asked the number of years they had been with the bank, customers' responses were as follows:
Table 4.34 How many years have you been a customer with this bank?
Years               Frequency   Percent   Valid Percent   Cumulative Percent
below 1                     3       5.9             5.9                  5.9
1-3                        13      25.5            25.5                 31.4
3-5                        20      39.2            39.2                 70.6
5-8                         5       9.8             9.8                 80.4
Above 8                    10      19.6            19.6                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study reveals that 39.2% of the customers had been with the bank between 3 and 5 years, 25.5% between 1 and 3 years, 19.6% above 8 years, 9.8% between 5 and 8 years and 5.9% below one year. This shows that the majority of the customers have been with the bank for less than 5 years.
[Figure: bar chart of frequency by years, How many years have you been a customer with this bank?]
Source: Research Data (2011)
4.34 Electronic banking
When asked about the safeguarding of information in electronic banking, for example direct debit instructions, customers responded as follows:
Table 4.35 Electronic banking for example direct debits
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 5       9.8             9.8                  9.8
strongly disagree           1       2.0             2.0                 11.8
disagree                    1       2.0             2.0                 13.7
agree                      43      84.3            84.3                 98.0
strongly agree              1       2.0             2.0                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (84.3%) agree that information is safeguarded in electronic banking, while 2% each strongly agree, disagree and strongly disagree, and 9.8% are not certain. This shows effective information system security in e-banking.
4.35 Handling of cheques
When asked about the safeguarding of information in the handling of cheques, the customers responded as follows:
Table 4.36 Handling of cheques
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                16      31.4            31.4                 31.4
agree                      34      66.7            66.7                 98.0
strongly agree              1       2.0             2.0                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
[Figure: bar chart of frequency by response, Handling of cheques]
Source: Research Data (2011)
The study shows that the majority of the customers (66.67%) agree that information is safeguarded in the handling of cheques, 31.4% are not certain and 2% strongly agree. This shows effective information system security in cheque transactions.
4.36 Money transfer services
When asked about the safeguarding of information in money transfers, for example MoneyGram and SWIFT, the customers responded as follows:
Table 4.37 Money transfer services, for example MoneyGram and SWIFT
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                10      19.6            19.6                 19.6
agree                      41      80.4            80.4                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (80.4%) agree that information is safeguarded in money transfer services, while 19.6% are not certain. This shows that there is effective information system security in money transfer services, although some customers are not aware of it.
4.37 Loan applications
When asked about the safeguarding of information in loan applications (business and personal loans), the customers responded as follows:
Table 4.38 Loan applications: business and personal loans
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                27      52.9            52.9                 52.9
agree                      24      47.1            47.1                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
[Figure: bar chart of frequency by response, loan applications business and personal loans]
Source: Research Data (2011)
The study shows that the majority of the customers (52.9%) are not certain whether information is safeguarded in loan applications, while 47.1% agree. This shows that information system security in loan applications is effective, but customers are not certain of it.
4.38 Use of credit cards
When asked about the safeguarding of information in the use of credit cards, the customers responded as follows:
Table 4.39 Use of credit cards
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                29      56.9            56.9                 56.9
agree                      20      39.2            39.2                 96.1
strongly agree              2       3.9             3.9                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (56.9%) are not certain about the safeguarding of information in the use of the ATM and debit cards, 39.2% agree that information systems are safeguarded and 3.9% strongly disagree. This shows that although information system security is effective in the use of the ATM and debit cards, there are some vulnerabilities.
4.39 Internet banking
When asked about the safeguarding of information in internet banking, the customers' responses were as follows:
Table 4.40 Internet banking
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                27      52.9            52.9                 52.9
agree                      23      45.1            45.1                 98.0
strongly agree              1       2.0             2.0                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
[Figure: bar chart of frequency by response, internet banking]
Source: Research Data (2011)
The study shows that the majority of the customers (52.9%) are not certain about the safeguarding of information in internet banking, 45.1% agree that information systems are safeguarded and 2% strongly agree. This shows that although information system security is effective in internet banking, there are some vulnerabilities.
4.40 Account transactions
When asked about the safeguarding of information in account transactions such as deposits, withdrawals and enquiries, customers' responses were as follows:
Table 4.41 Account transactions: deposits, withdrawals and enquiries
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                16      31.4            31.4                 31.4
agree                      33      64.7            64.7                 96.1
strongly agree              2       3.9             3.9                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (64.7%) agree that information is safeguarded in account transactions, 31.4% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that information system security is effective in account transactions.
4.41 Use of the ATM and debit cards
When asked about the safeguarding of information in the use of the ATM and debit cards, the customers responded as follows:
Table 4.42 Use of the ATM and debit cards
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                12      23.5            23.5                 23.5
agree                      37      72.5            72.5                 96.1
strongly agree              2       3.9             3.9                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (72.5%) agree that information is safeguarded in the use of ATM and debit cards, 23.5% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that information system security is effective in the use of ATM and debit cards.
4.42 Mobile banking services
When asked about the safeguarding of information in mobile banking services, customers responded as follows:
Table 4.43 Mobile banking services
Response            Frequency   Percent   Valid Percent   Cumulative Percent
not certain                 9      17.6            17.6                 17.6
agree                      42      82.4            82.4                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (82.4%) agree that information is safeguarded in mobile banking, 17.6% are not certain that information systems are safeguarded and 3.9% strongly agree. This shows that although information system security is effective in mobile banking, it is also vulnerable.
[Figure: bar chart of frequency by response, Mobile banking services]
Source: Research Data (2011)
4.43 Social engineering
When asked which aspect of social engineering they had encountered, customers responded as follows:
Table 4.44 Which of the following aspects of social engineering have you encountered?
Response                                                   Frequency   Percent   Valid Percent   Cumulative Percent
an employee / agent of the bank calling to ask about details      10      19.6            19.6                 19.6
a manager calling because he wants to update your account          4       7.8             7.8                 27.5
a bank representative calls to fix your account                   36      70.6            70.6                 98.0
none of the above                                                  1       2.0             2.0                100.0
Total                                                             51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (70.6%) had received a call from a bank representative wanting to fix an account, 19.6% of the customers had an employee or agent of the bank calling to ask about details and 7.8% had a manager calling because he wanted to update their account. This study reveals evidence of social engineering aspects in the information system; social engineering is a technique that can be used to carry out reconnaissance attacks.
[Figure: bar chart of frequency by response, Which of the following aspects of social engineering have you encountered?]
Source: Research Data (2011)
4.44 Disposal of customer details
When asked how they dispose of customer information such as bills, bank statements, ATM receipts and credit card offers, customers responded as follows:
Table 4.45 How do you dispose of your customer information such as bills, bank statements and ATM receipts?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
throw in the waste bin           43      84.3            84.3                 84.3
fold and dispose                  7      13.7            13.7                 98.0
burn/shred                        1       2.0             2.0                100.0
Total                            51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (84.3%) throw their waste material in bins, 13.7% of the respondents fold and dispose of their waste and 2% fold it when disposing. Thus the study reveals that most customers do not shred or burn customer trash, and therefore dumpster diving, a reconnaissance technique, can be adopted.
[Figure: bar chart of frequency by response, How do you dispose of your customer information such as bills, bank statements and ATM receipts?]
Source: Research Data (2011)
4.45 Sharing of customer details
When asked with whom they share their customer details, customers' responses were as follows:
Table 4.46 With whom do you share your customer details?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
relative                          2       3.9             3.9                  3.9
none                             12      23.5            23.5                 27.5
financial institutions           37      72.5            72.5                100.0
Total                            51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (72.5%) have shared their details with financial institutions, while 23.5% of the respondent customers have never shared their information and 3.9% have shared their customer details with their relatives. Thus the study reveals that customers have shared their customer details, which is not allowed.
4.46 Keeping your customer documentation
When asked where they keep their customer documentation (ATM/debit cards, credit cards, national ID and bank statements), customers responded as follows:
Table 4.47 Where do you keep your customer documentation?
Response                  Frequency   Percent   Valid Percent   Cumulative Percent
home                             22      43.1            43.1                 43.1
in a safe at home                 3       5.9             5.9                 49.0
wallet and purse                 23      45.1            45.1                 94.1
office                            3       5.9             5.9                100.0
Total                            51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers keep their customer documentation in their wallet/purse (45.1%) or at home (43.1%). Other customers keep their documents in a safe at home or in the office, both at 5.9%. Thus the study reveals that customers are usually careful with their documentation.
4.47 Privacy
When asked how private the storage place where they keep their documentation (ATM/debit cards, credit cards, national ID and bank statements) is, customers responded as follows:
Table 4.48 How private is the storage area where you keep your customer
documentation?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
very private                5       9.8             9.8                  9.8
private                    24      47.1            47.1                 56.9
not sure                   22      43.1            43.1                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers value privacy, although some are not sure of it: 47.1% of the customers consider their storage private, 43.1% are not sure and 9.8% consider their storage very private. Thus the study reveals that customers' information privacy varies.
[Figure: bar chart of frequency by response, How private is the storage area where you keep your customer documentation?]
Source: Research Data (2011)
4.48 Loss of ATM card
When asked whether they had ever lost their ATM cards, customers' responses were as follows:
Table 4.49 Have you ever lost your ATM card / customer details?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
no                          4       7.8             7.8                  7.8
yes                        47      92.2            92.2                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (92.2%) have lost their ATM cards, against 7.8% who have not. Thus the study reveals that customers' information privacy varies.
4.49 Action taken after the loss of the ATM card
When customers who had lost their ATM cards were asked what they did about it, they responded as follows:
Table 4.50 If yes, what did you do about it?
Response                          Frequency   Percent   Valid Percent   Cumulative Percent
nothing                                   1       2.0             2.1                  2.1
reported the case to the police           8      15.7            16.7                 18.8
reported the case to the bank            39      76.5            81.3                100.0
Total (valid)                            48      94.1           100.0
Missing (system)                          3       5.9
Total                                    51     100.0
Source: Research Data (2011)
The study shows that the majority of the customers who had lost their ATM cards (76.5%) reported the case to the bank, 15.7% reported the case to the police and 2% did nothing. Thus the study reveals that most customers, though not all, are aware of the right action to take.
4.50 Duration before reporting
When customers who had reported to the bank were asked how long they took to report the incident, they responded as follows:
Table 4.51 If you reported to the bank, how long did it take you to report the incident?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
immediately                 3       5.9             6.3                  6.3
after a month               2       3.9             4.2                 10.4
after a few days           15      29.4            31.3                 41.7
never reported              1       2.0             2.1                 43.8
after a week               27      52.9            56.3                100.0
Total (valid)              48      94.1           100.0
Missing (system)            3       5.9
Total                      51     100.0
Source: Research Data (2011)
The study shows that the majority of the customers (52.9%) reported the incident after a week, 29.4% of the respondents reported after a few days, 5.9% reported immediately, 3.9% after a month and 2% were not sure. Thus the study reveals that most customers, despite reporting the loss of the ATM card, do not do so immediately.
4.51 Documentation lost through physical break-ins
When asked what other documentation they had lost through physical break-ins, the customers responded as follows:
Table 4.52 What other customer documentation have you lost through physical break-ins?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
national ID                33      64.7            64.7                 64.7
bank plate                 14      27.5            27.5                 92.2
bank statement              3       5.9             5.9                 98.0
none                        1       2.0             2.0                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that customers had lost several kinds of documentation through physical break-ins: national ID 64.7%, bank plate 27.5%, bank statement 5.9% and none 2%. Thus the study reveals that most customers have lost other customer documentation in addition to the ATM card.
[Figure: bar chart of frequency by response, What other customer documentation have you lost through physical break-ins?]
Source: Research Data (2011)
4.52 Organization's website
When asked what useful information they had obtained from the bank's website, the customers responded as follows:
Table 4.53 What useful information have you ever obtained from the bank's website?
Response                          Frequency   Percent   Valid Percent   Cumulative Percent
employee contact information              4       7.8             7.8                  7.8
products/services info                   26      51.0            51.0                 58.8
best employee information                 2       3.9             3.9                 62.7
recent mergers                            4       7.8             7.8                 70.6
work location                             1       2.0             2.0                 72.5
business partners                        11      21.6            21.6                 94.1
others                                    3       5.9             5.9                100.0
Total                                    51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of customers obtain a variety of information from the organization's website: 51% obtained information on products and services, 21.6% information on business partners, 7.8% information on recent mergers, 3.9% information on employees and best employees, and 2% work locations. Thus the study reveals that plenty of information can be obtained from the organization's website.
4.53 Leaving receipts
When asked whether they leave receipts at ATMs, bank counters or unattended gasoline pumps, customers responded as follows:
Table 4.54 Do you leave receipts at ATM, bank counters or unattended gas pumps?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                        51     100.0           100.0                100.0
[Figure: bar chart of frequency by response, Do you leave receipts at ATM, bank counters or unattended gas pumps?]
Source: Research Data (2011)
The study shows that all customers leave their receipts at ATM points, bank counters or unattended gas pumps. Thus the study reveals that customers are not aware of the risk, and that customer information should not be left anywhere.
4.54 Records of customer details
When asked whether they record social security numbers or passwords on paper and store them in their wallet or purse, the customers responded as follows:
Table 4.55 Do you record your social security number/passwords on paper and store
them in your wallet/purse?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                        51     100.0           100.0                100.0
Source: Research Data (2011)
The study shows that the majority of the customers record their social security number or passwords on paper and store them in their wallet or purse.
[Figure: bar chart of frequency by response, Do you record your social security number/passwords on paper and store them in your wallet/purse?]
Source: Research Data (2011)
4.55 Disclosure of bank account details on websites
When asked whether they had ever disclosed bank account numbers, credit card numbers or any other personal financial details on websites or online service locations without having received a secure authentication key from the provider, customers responded as follows:
Table 4.56 Have you ever disclosed your bank account details on any website?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                         1       2.0             2.0                  2.0
no                         50      98.0            98.0                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (98%) do not disclose their bank account details on any website, compared with 2% who do. The study reveals that most customers are aware of the implications of having their information on websites.
4.56 Sharing your financial details in internet forums
When asked whether they share financial details in internet forums or online sites, the customers responded as follows:
Table 4.57 Do you share your financial details in internet forums?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
yes                         3       5.9             5.9                  5.9
no                         48      94.1            94.1                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (94.1%) do not share their financial details in internet forums, compared with 5.9% who do. The study reveals that most customers are aware of the implications of having their information on websites.
[Figure: bar chart of frequency by response, Do you share your financial details in internet forums?]
Source: Research Data (2011)
4.57 Training/Education
When asked where they had been trained or educated on the importance of safeguarding personal information regarding bank details, the customers responded as follows:
Where have you been trained/educated on the importance of safeguarding personal information regarding bank details?
Response            Frequency   Percent   Valid Percent   Cumulative Percent
media                       3       5.9             5.9                  5.9
bank                       48      94.1            94.1                100.0
Total                      51     100.0           100.0
Source: Research Data (2011)
The study shows that the majority of the customers (94.1%) have been educated by the bank on the importance of safeguarding personal information; the others (5.9%) have been educated through the media.
CHAPTER 5
SUMMARY OF THE MAJOR FINDINGS
STAFF RESPONSES
5.01 Section
The study revealed that the majority of the staff at the Co-operative Bank Kenyatta Avenue branch are clerks (72%), 16% are supervisors and 12% are in management.
5.02 Duration worked with the bank (staff)
The study reveals that 44% of the staff had worked with the bank between 1 and 2 years, 20% between 3 and 5 years, 16% less than one year, 12% between 6 and 10 years and 8% above 10 years. This shows that the majority of the staff in the branch have been with the bank for less than 5 years.
5.03 Aspects of social engineering
The study shows that the majority of the staff (52%) had received a call from a colleague or new employee claiming to call from a helpdesk, 28% had an employee who had lost his information calling, and 20% had a system administrator calling to fix his account. This study reveals evidence of social engineering aspects in the information system, a technique that can be used to carry out reconnaissance attacks.
5.04 Physical break-ins
The study shows that the majority of the staff (44%) had not experienced any physical break-ins; however, 28% of the respondents had their files corrupted, 20% had their files accessed and 8% had an unavailable password/user. This study reveals evidence of some aspects of physical break-ins in the information system, a technique that can be used to carry out reconnaissance attacks.
5.05 Leaving the work station
The study shows that the majority of the staff (40%) close the files on their computers when leaving the work station, 28% of the respondents minimize their files and 28% lock the computer, while 4% are not sure. Thus the study reveals that most staff do not lock or turn off their computers when leaving.
5.06 Disposal
The study shows that the majority of the staff (72%) throw away customer waste material; only 12% of the respondents shred customer waste details, 8% file it and 8% fold it when disposing. Thus the study reveals that most staff do not shred customer trash, and dumpster diving, a reconnaissance technique, can be adopted.
5.07 Sharing user details
The study shows that the majority of the staff (88%) have never shared their user details, while 12% of the respondents have shared them with a colleague. Thus the study reveals that although most staff have never shared their user details, others have provided them to colleagues.
5.08 Entrusting third party with customer details
The study shows that the majority of the staff (72%) agree that customer details should not be entrusted to third parties, 16% strongly agree, 8% disagree and 4% strongly disagree. Therefore the study shows that customer details are not to be entrusted to third parties, although some employees breach this.
5.09 Training
The study shows that all staff agreed that the training on information system security is done
quarterly.
CUSTOMER RESPONSES
5.10 Number of years customers had been with the bank
The study reveals that 39.2% of the customers had been with the bank between 3 and 5 years, 25.5% between 1 and 3 years, 19.6% above 8 years, 9.8% between 5 and 8 years and 5.9% below one year. This shows that the majority of the customers have been with the bank for less than 5 years.
5.11 Social engineering
The study shows that the majority of the customers (70.6%) had received a call from a bank representative wanting to fix an account, 19.6% of the customers had an employee or agent of the bank calling to ask about details and 7.8% had a manager calling because he wanted to update their account. This study reveals evidence of social engineering aspects in the information system; social engineering is a technique that can be used to carry out reconnaissance attacks.
5.12 Disposal of customer details
The study shows that the majority of the customers (84.3%) throw their waste material in bins, 13.7% of the respondents fold and dispose of their waste and 2% fold it when disposing. Thus the study reveals that most customers do not shred or burn customer trash, and therefore dumpster diving, a reconnaissance technique, can be adopted.
5.13 Sharing of customer details
The study shows that the majority of the customers (72.5%) have shared their details with financial institutions, while 23.5% of the respondent customers have never shared their information and 3.9% have shared their customer details with their relatives. Thus the study reveals that customers have shared their customer details, which is not allowed.
5.14 Keeping your customer documentation
The study shows that the majority of the customers keep their customer documentation in their wallet/purse (45.1%) or at home (43.1%). Other customers keep their documents in a safe at home or in the office, both at 5.9%. Thus the study reveals that customers are usually careful with their documentation.
5.15 Privacy
The study shows that the majority of the customers value privacy, although some are not sure of it: 47.1% of the customers consider their storage private, 43.1% are not sure and 9.8% consider their storage very private. Thus the study reveals that customers' information privacy varies.
5.16 Duration before reporting
The study shows that the majority of the customers (52.9%) reported the incident after a week, 29.4% of the respondents reported after a few days, 5.9% reported immediately, 3.9% after a month and 2% were not sure. Thus the study reveals that most customers, despite reporting the loss of the ATM card, do not do so immediately.
5.17 Documentation lost through physical break-ins
The study shows that customers had lost several kinds of documentation through physical break-ins: national ID 64.7%, bank plate 27.5%, bank statement 5.9% and none 2%. Thus the study reveals that most customers have lost other customer documentation in addition to the ATM card.
5.18 Organization's website
The study shows that the majority of customers obtain a variety of information from the organization's website: 51% obtained information on products and services, 21.6% information on business partners, 7.8% information on recent mergers, 3.9% information on employees and best employees, and 2% work locations. Thus the study reveals that plenty of information can be obtained from the organization's website.
5.19 Leaving receipts
The study shows that all customers leave their receipts at ATM points, bank counters or unattended gas pumps. Thus the study reveals that customers are not aware of the risk, and that customer information should not be left anywhere.
5.20 Records of customer details
The study shows that the majority of the customers record their social security number or passwords on paper and store them in their wallet or purse.
CHAPTER 6
CONCLUSION AND RECOMMENDATIONS
6.1 CONCLUSIONS
From the analysis and the findings of the study, and in reference to the objectives of the study, the following conclusions can be made:
The information system is vulnerable to reconnaissance attacks. There are several areas in the banking information system that are affected by reconnaissance. These areas include internet banking, mobile banking and use of the ATMs. This is a result of improper storage or keeping of customer documentation, sharing of customer details and improper disposal of customer information.
The information system is susceptible to all aspects of reconnaissance attacks. The study reveals that low-technology reconnaissance is the most common technique used, particularly social engineering, dumpster diving and physical break-ins. Other reconnaissance techniques such as use of the World Wide Web and the domain name system were found to .
The study reveals that there is little awareness of reconnaissance among both the customers and the staff of the bank.
6.2 RECOMMENDATIONS
From the analysis and the findings of the study it was concluded that the bank information
system is susceptible to reconnaissance attacks. In this regard, the study makes the
following recommendations to protect the system.
Social Engineering
The most effective method of defending against the social engineer is user awareness:
• Computer users at all levels must be trained not to give sensitive information away to
friendly callers.
• The security awareness program should inform employees about social engineering
attacks, and give explicit directions about information that should never be revealed
over the phone.
• Employees should not give out sensitive data.
Physical Break-In
The most effective methods of defending against physical break-ins include:
• Security badges issued to each and every employee are an obvious and widely used
defense against physical break-ins. A guard at the front door or a card reader checks
all employees coming into a given facility.
• Employees must be educated about the dangers of simply letting people into the bank
premises; people just trying to be friendly will let in, through a back door, a person
who claims to have forgotten their badge that day.
• The user awareness program should focus on making proper badge checks a deeply
ingrained part of the organizational culture.
• The bank should invest in a special revolving door and card readers that allow only
one authorized employee to enter at a time in all the branches.
• There should be a tracking system for all computers – including laptops – brought
into and out of the bank's facilities.
• There should be locks on computer room doors and wiring closets, and servers and
even desktops should be locked down so they do not disappear at night.
• There should be a policy regarding the use of automatic password-protected screen
savers; after five minutes or so of nonuse, each machine should bring up a
screen saver requiring the user to type in a password before being given access to the
system.
• Travelling workers with laptop machines must be careful. They should also consider
installing a file system encryption tool, and users should be trained about its function and
importance; otherwise, major organizational secrets extracted from the laptop could be for
sale on the open market.
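As an added example (not part of the original research project), the screen-saver and laptop-encryption recommendations above can be turned into a check that an administrator runs against a workstation inventory export, so that machines drifting from the policy are reported rather than discovered after a loss. The inventory rows below are constructed sample data; the three screen-saver fields use the value names Windows stores under HKCU\Control Panel\Desktop (ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut, in seconds), while the `encrypted` column and the CSV layout are assumptions about how the bank's asset inventory would be exported.

```python
"""Workstation policy compliance check for the controls recommended above.

Added example, not part of the original research project. It checks an
inventory export against two controls: a password-protected screen saver
that activates within five minutes, and file system encryption on laptops.
The inventory rows are constructed sample data. The three screen-saver
fields use the names Windows stores under HKCU\\Control Panel\\Desktop
(ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut in seconds);
the "encrypted" column and the inventory layout are assumptions.
"""
import csv
import io

MAX_LOCK_SECONDS = 5 * 60  # "after five minutes or so of nonuse"

# Constructed sample export: one row per machine (hostnames are made up).
SAMPLE_INVENTORY = """\
hostname,type,ScreenSaveActive,ScreenSaverIsSecure,ScreenSaveTimeOut,encrypted
BR01-TELLER01,desktop,1,1,300,no
BR01-TELLER02,desktop,1,0,300,no
BR01-MGR-LT,laptop,1,1,900,yes
BR02-AUDIT-LT,laptop,1,1,240,no
BR02-TELLER05,desktop,0,1,300,no
BR02-KIOSK,desktop,1,1,abc,no
"""


def check_machine(row):
    """Return a list of policy findings for one inventory row (empty means compliant)."""
    findings = []
    if row.get("ScreenSaveActive") != "1":
        findings.append("screen saver not enabled")
    if row.get("ScreenSaverIsSecure") != "1":
        findings.append("screen saver does not require a password")
    # A missing or non-numeric timeout is treated as a finding, not ignored,
    # because an unparsable value means the control cannot be confirmed.
    try:
        timeout = int(row.get("ScreenSaveTimeOut", ""))
    except ValueError:
        findings.append("screen saver timeout missing or malformed")
    else:
        if timeout <= 0 or timeout > MAX_LOCK_SECONDS:
            findings.append(
                f"screen saver timeout {timeout}s exceeds {MAX_LOCK_SECONDS}s")
    # Laptops leave the premises, so they additionally need file system encryption.
    if row.get("type", "").lower() == "laptop" and \
            row.get("encrypted", "").lower() != "yes":
        findings.append("laptop without file system encryption")
    return findings


def audit(inventory_csv):
    """Parse the CSV export and return {hostname: [findings]} for non-compliant machines only."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    report = {}
    for row in reader:
        findings = check_machine(row)
        if findings:
            report[row["hostname"]] = findings
    return report


if __name__ == "__main__":
    for host, host_findings in audit(SAMPLE_INVENTORY).items():
        print(host)
        for finding in host_findings:
            print("  -", finding)
```

Running the script lists every host that fails at least one check together with the reason; a machine is compliant only when the screen saver is active, password-protected and set to five minutes or less, and a laptop additionally needs encryption. In a real deployment the CSV would come from the bank's inventory tool, and the same checks could be enforced centrally through domain policy rather than audited after the fact.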
Dumpster diving
The most effective methods that could be adopted to defend against dumpster diving include:
• Paper shredders should be provided, and employees encouraged to use them for discarding all
sensitive information;
• The awareness program must spell out how to discard sensitive information.
Web-Based Reconnaissance
The following techniques can be useful if adopted to protect against web-based reconnaissance.