The document discusses fraud risks in e-banking and provides recommendations to address them. It summarizes the evolution of e-banking in India, benefits and vulnerabilities. Examples of major data breaches globally and in India are provided. Common e-banking fraud types like phishing, malware attacks etc. are described along with their characteristics. The document recommends controls that can be implemented by banks and users to enhance security of e-banking transactions and detect frauds.

1. The Institute of Internal Auditors India,
Madras Chapter
Fraud Risk Vulnerability
in
E- Banking
-Sathyananda Prabhu
Mob : 9442502094
Email: sathyanandaprabhu@gmail.com

2. “Electronic banking”
“Virtual banking”
“Online banking”
refers to
Utilization of ICT to conduct
banking transactions.
 A system of banking where all banking needs are delivered
remotely through electronic channels without need for
customer to visit the branch.
Benefits:
 Cost effective delivery channel – 10% of physical channel
 Excellent Customer experience
 Product design and Innovation. Dynamic product offer
 Less time to Market
 Easy reach to customers
E- Banking

3. E-banking –Evolution in India
 Rangarajan Committee report on
computerization in banks 1989 introduced
centralized clearing , inter-connectivity of
branches, e-banking
 ALPM / TBC / Core banking
 Clearing house, ECS , NEFT, RTGS,
 ATM /CDM/ Debit Card / Credit Card/ PoS
 Internet banking
 Mobile banking
 Online stock trading and wealth
management
 Payment wallets , NFC ,
 BI, Analytics, Cloud, Social Media, Bitcoin
 Most of the banking transactions today is
online

4. Networked world – Highly vulnerable
 In 2013, 110 million Target customers either had their personal
information hacked, their credit and debit card information stolen, or
both. Breach occurred through PoS and a backend portal.
 Breach in Sony, hackers stolen over 100 terabytes of data containing
Social Security numbers, salaries, movies, and other personally
identifiable information.
 In 2014 , a Pony (a cyber-crime ring) botnet stole 85 virtual wallets
filled with Bitcoins and other digital currencies, according to the security
firm Trustwave.
 Perpetrators attempted to steal $951 million from the Bangladesh
central bank's account with the Federal Reserve Bank of New York by
planting malware and gaining access to credentials.
 The Hacking at Equifax in 2017, impacting personal information
relating to 143 million U.S. consumers
 IoT is widening the attack vector . Any electronic device can hack into
another device/bank account.

5.  A study from Juniper Research has reported that the
value of online fraudulent transactions is expected to
reach $25.6 billion by 2020, up from $10.7 billion in
2016 and 27% of this will be in banking.
According to 2013 Norton report by Symantec :
-Average cost Per
Victim doubled
from 2012.
-Victims concentrated in
Russia (85%),
China (77%),
South Africa (73%),
Annual number of victims has been estimated in 378
Million and amount $ 113 BN.

6. Few examples of Breaches in India
 In July 2016, union bank of India swift reconciliation team found
that an amount of $171 million had been debited from the dollar
account of the bank without authorization, and the money had
travelled far and wide. Immediate detection and action helped retrieve
amount.
 Card data of 3.2 million customers was stolen between 25 May and 10
July in 2016 from a network of Yes Bank Ltd ATMs managed by
Hitachi Payment Services Pvt. Ltd
 Axis Bank reported cyber security breach in October 2016; malware
found in its server , no monetary loss reported.
 Bank of Maharashtra lost Rs25 crore when a bug in the Unified
Payments Interface (UPI) system allowed people to send money
without having the necessary funds in their accounts.
 SBI ATM in Odisha spews out cash without any card being swiped.
Physical malware attack suspected in these ATMs.
 PoS machine in a bank allowed withdrawals without money in the
account – flaw in a new program installed on switch
 WannaCry Ransom ware attack
 Petya cyber attack.
 Large number of Customers compromising their credentials to
phishing/vishing attacks and lost money
 Skimming attacks in ATMs made many to lose money

7. E-banking Frauds -
 Bangalore CID arrested the culprits in a case where Card
data of large number of customers were stolen by fraudsters
by planting card skimmers and pin cameras at ATMs and
amount stolen through cloned cards.
 A customer receives a call mentioning he is calling from the
Bank and obtains card information and misuses for carrying
out online transactions using these credentials. Social
engineering is used
 Paypal scammers sent out an attack email that instructs
them to click on a link in order to rectify a discrepancy with
their account. In actuality, the link leads to a fake PayPal
login page that collects a user’s login credentials and
delivers them to the attackers.
 In spear phishing scams, fraudsters customize their attack
emails with the target’s name, position, company, work
phone number and other information in an attempt to trick
the recipient into believing that they have a connection with
the sender. The goal is to lure the victim into clicking on a
malicious URL or email attachment, so that they will hand
over their personal data.
 Phishing , Vishing, whaling attacks

8. Source : PWC survey

9. E-Banking : vulnerability Sources
– Operational Risk
 Traditional banking risks + added e-banking
risks
 Complexity of technology and lack of training
and awareness among employees
 Internal and external frauds exploiting loop
holes in the technology
 System failures and business disruption
 Mis-use of confidential information
 Failed or erroneous transaction processing
 Reconciliation issues
 Vulnerabilities in outsourced processes
 Sophisticated cyber attacks
 Lack of adoption of technology for internal
controls and fraud risk management

10. E-Banking: vulnerability Sources –
Strategic and Compliance risk
 compliance risk which may arise from non-
conformance with laws, rules, regulations,
prescribed practices, or ethical standards.
 Compliance with regard to cross border
transactions
 People with technology knowledge with no
banking knowledge may be driving
 in-adequacy of MIS
 Costs involved in overseeing e-banking
activities, vendors
 Cost and availability of technical staff to handle
diverse set of technologies involved

11. E-banking Frauds-
Characteristics and challenges
 Highly imbalanced large dataset – millions of daily
transactions in which very few are frauds -to be
identified
 Need of real time detection – with in seconds
transactions are complete
 fraudsters continually advance their techniques to
defeat online banking defenses . Security is a catch up
game.
 Weak forensic evidence mainly some external
information
 diversity of genuine customer transactions makes it
difficult to characterize fraud behavior from genuine
behavior.
 Lack of strong legal framework
 It is reported that North koreans have developed an
advanced cyber program that steals hundreds of
millions of dollars and can trigger global havoc. State
actors.

12. E-Banking – Threats
 Malware and ransom ware like Wannacry , Petya
 phishing attacks through spam emails looking to steal
logon credentials
 password sharing , shoulder surfing by staff
 Unpatched software exploit
 Hacking through Social media friend
request/application install request etc.,
 Advanced persistent threat
 Exploiting application level vulnerabilities like SQL
injection, Cross – site scripting , Password
guessing/cracking
 Various E-com frauds /online frauds
 Forged documents/deposit receipts to fraudulently
obtain loans
 Data leakage from outsourced vendor locations/help
desk
 Unauthorized transactions by employees in customer
accounts/ transfers through RTGS

13. E-Banking Threats
 Key loggers-software & hardware- invisibly records each
key stroke of every activity and can email to hackers
 Phishing, SMSishing and whaling (phishing targeting high
net worth individuals)
 Man in the middle attack (MITM) MITB
 Password cracking softwares – dictionary attacks, Brute
force attacks : cain & able , john the ripper, hash cat , hydra
 OTP by pass
 Exploiting OS, NW, database level vulnerabilities
 Cloning
 Hybrid attacks – combination of attacks
 Fraudulent documentation involving altering, changing or
modifying documents to deceive another person
 Complex partner , outsourced activity risks
 Employee/privileged users committing Frauds

14. Phishing
 Phishing scams are typically fraudulent
email messages or websites appearing as
legitimate enterprises
 These scams attempt to gather personal,
financial and sensitive information.
 Compromised Web servers – Email and IM
 Port Redirection
 Botnets
 Simple (key loggers steal file/password),
Botnets
 DNS cache poisoning attack –

15. Phishing attacks

16. Mobile banking vulnerabilities
 The security functionality available on
the handset must be robust.
 The mobile network and the methods
used to communicate between the
handset and the mobile banking provider
 The degree of independence from
Mobile Network Operator
 The development of near field
communication (NFC) enabled handsets
which can effectively act as a token for
local purchase-The risks of the
integration of NFC into mobile.

17. Regulations & guidelines
 The e-banking has many advantages – But question marks
over its trust and performance – attract regulatory concern
 Basel committee study on bank supervision – risk
implications in electronic banking by EBG in 1999.
 RBI guidelines on I S Audit -2002
 RBI guidelines on internet banking
 Gopalakrishna committee recommendations
 Cyber security checklist from IDRBT
 NIST cyber security framework
 ISO 27001 series
 IT examination of banks by RBI
 RBI guidelines on cyber security and resilience
 IT Act 2000 and Amendment Act ,2008
 Indian Contract Act
 Criminal Procedure code
 PMLA rules and IBA guidelines

18. E-Banking Fraud detection strategy
 Establish transaction monitoring and fraud detection unit
in every business line
 Implement centralized transaction monitoring , AML and
fraud detection software and team to monitor and
respond
 Device identification using Mac, serial no and some
configuration details from user system
 Global behavior monitor like large number of different
accounts accessed by a single device, or the occurrence
of login fail over many accounts using a single trial
password
 Deferential analysis in which the incoming transactions
are examined against the normal use pattern for a
legitimate customer.
 Global analysis with white list , black list and suspect list
of devices
 Suspect list and the exponentially decaying function.

19. Security model for internet
bankingControl Description
Virtual Keyboards Capture information typed into the device based on Java and software-
based cryptography, to thwart the efficient use of key loggers.
Positive Identification Requires the user to input some information that is only known to
him/her to identify him/her self.
One-Time Password
Tokens
Devices that commonly used as a second authentication factor by
dynamically changing passwords.
Digital certificates Used to authenticate both users and the banking system itself using
Public Key Infrastructure (PKI) and a Certificate Authority (CA).
Device Registering Restricts access to banking systems to previously known and
registered devices.
Device Identification Applied together with device registering but also used as a standalone
solution. It is based on physical characteristics of users’ devices.
Browser Protection Protects the user and his/her browser against known malware by
monitoring the memory area allocated by the browser.
CAPTCHA (Completely Automated Public Turing test to tell Computers and
Humans Apart) Renders automatic attacks against ineffective
authenticated sessions.
SMS Notifies users about transactions that require their authorization.
Transaction Monitoring Includes many approaches such as Artificial Intelligence, transaction
history analysis and other methods for identifying fraud patterns.

20. E-Banking: Protections: user Level
 Do not use public or other unsecured computers for logging
into Online Banking or for financial transactions (for example,
one at a library , coffee shop).
 Never use public wifi and networks for e-banking transaction
 Review account balances and detail transactions regularly and
immediately report any suspicious transactions to bank.
 Never leave a computer unattended while using Online
Banking
 Never conduct banking transactions while multiple browsers
are open on your computer
 Company users dedicate a PC solely for financial transactions
(e.g., no web browsing, emails, or social media).
 Strong password and periodic changing :
 Subscribe to alerts - Balance alerts , Transfer alerts ,
Password change alerts, Wire Alerts

21.  Establish limits for monetary transactions at multiple levels:
per transaction, daily, weekly, or monthly limits.
 When you have completed a transaction, ensure you log off to
close the connection with the Bank’s computer.
 Check your browser settings and select, at least, a medium
level of security for your browsers.
 Never respond to a suspicious e-mail or click on any
hyperlink embedded in a suspicious e-mail. Call the purported
source if you are unsure who sent an e-mail
 Install and update computers regularly with the latest versions
and patches of anti-virus and anti-spyware.
 Ensure computers are patched regularly, particularly operating
system and key application with security patches
E-Banking: Protections : User
level --2

22. E-Banking: Protections : By
Banks
 Identify inherent risks and controls in place and adopt
appropriate cyber security framework , org structure , policies
 Maintain a updated inventory of all business assets
 Periodically evaluate critical devices , their configuration and
patches
 Have documented SOP for all IT related activities
 Have firewall barrier between internal secure network and
any other network
 Implement OWASP guidelines for applications/ ISO 27001 for
security/ NIST/ RBI/IDRBT/IBA guidelines
 Comprehensively address database and network security
 Establish security Operation center (SOC) to ensure
continuous surveillance
 Regular VA & PT of all critical and web facing
devices/applications
 Robust BCP/DR setup and regular drills
 Enable /Use Virtual key boards

23.  Enable OTP / Biometric / dual factor authentication
 Consumer awareness programs
 Malware defenses
 Logging and auditing the logs
 Encryption
 Smart cards with external card readers
 Controlled use of administrative credentials
 Robust Incidence response system
 Random key generators (CAPTCHA)
 Install a 3D secure system (also known as Verified by Visa or
Master Card Secure Code).
 Have close monitoring on the activities of outsourced vendors
 Subscribe to anti-Phishing services to take down phishing websites
 Data leak prevention strategy
 PKI based software solution- Mutual authentication eliminates
MITM attacks

24. Controls on wireless network
 Change the wireless network hardware (router
/access point) administrative password from the
factory default to a complex password.
 Disable remote administration of the wireless
network hardware (router / access point).
 Consider disabling broadcasting the network
SSID
 Secure your wireless network by enabling
WPA/WEP encryption of the wireless network.
 Consider enabling MAC filtering on the network
hardware

25. Controls Universe