TRANSCRIPT
World Bank Integrator Unit
Electronic Security and Payment Systems: Some New Challenges
Tom Glaessner, Thomas Kellermann, Valerie McNevin
The World Bank, November 2003
Organization of Presentation
I. Digital Trends in Payments
II. Nature of the Threat
III. Market Structure and E-Risk in Emerging Economies
IV. A Four Pillar Approach
V. Future Challenges
Four Streams of E-Finance
[Figure: the four streams EBT, ETC, EDI and EFT; number of global EFT transactions: 677,411,204]
I. Digital Trends in Retail Payments
Increased dependence on Information Technologies
– The convergence of technologies
– Leapfrogging opportunities provided by e-finance stimulate growth
– The growth of wireless in EMG (emerging markets)
New, interoperable technologies dependent on the Internet infrastructure
– VOIP
– Satellite and cyber-location
E-commerce, retail and even micro payments
Connectivity: Mobile Phones
Mobile Phone Use (percentage of population, values read from the chart)

                   1995   1997   1999   2001
Industrial          10%    21%    44%    71%
Developing           2%     7%    17%    32%
Total Economies      6%    14%    30%    51%
World-Wide Cyber Attack Trends
[Chart, 1995 to 2002. Left axis: Malicious Code Infection Attempts* (0 to 900M). Right axis: Network Intrusion Attempts** (0 to 120,000). Annotated milestones along the timeline: Polymorphic Viruses (Tequila); Mass Mailer Viruses (Love Letter/Melissa); Zombies; Denial of Service (Yahoo!, eBay); Blended Threats (CodeRed, Nimda, Slammer).]
* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA
** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404
II. The Nature of the Threat
The threat is not new
A cyber world allows for crimes of greater magnitude with greater speed
Lack of incentives for reporting hides true e-security vulnerabilities
Cyber threats have been rising globally as technologies converge
Emerging markets are not immune
System Access: E-Risk and Fraud
System Access in a Networked Environment
Access Tools
– Hacking software vulnerabilities, viruses, worms, Trojans, Denial of Service (DoS)
Types of E-Fraud
– Identity Theft
– Extortion (reputation)
– Salami Slice
– Funds Transfer
– Electronic Money Laundering
III. E-Risk Market Structure in Emerging Economies
Many emerging markets have concentrated provisioning of hosting services
Interlinked ownership: telecom companies, ISPs, e-security service companies, and banks
No real separate, independent e-security industry
Shortage of human capital in EMG in this area
– CISOs
– E-security providers versus white knights
Pillar 1
Legal Framework, Incentives, Liability
No one owns the Internet, so how can self-regulation work?
Basic laws in the e-security area vary a lot across countries, as do penalties
Defining a money transmitter
How to define a proper service level agreement (SLA)
Downstream liability
Issues in certification and standard setting
Pillar 3
Certification, Standards, Policies and Processes
Certification
– Software and hardware
– Security vendors
– E-transactions
Policies
Standards
Procedures
Pillar 2
Supervision and External Monitoring
Technology Supervision and Operational Risk:
– Retail Payment Networks; Commercial Banks; E-Security Vendors
– Capital Standards and E-Risk
– On-Site IT examinations
– Off-site processes
– Coordination: between regulatory agencies; between supervisors and law enforcement
Cyber-Risk Insurance
Education and Prevention
Pillar 4
Layered Electronic Security
12 Core Layers of proper e-security
Part of proper operational risk management
General axioms in layering e-security
– Attacks and losses are inevitable
– Security buys time
– The network is only as secure as its weakest link
Intruder Begins Attack
Exploiting a hole in the internet banking software, SQL injection is used to run system commands on the database server.
The web server authenticates against the customer database.
The attacker runs a command that opens a remote command shell on the database server.

Network is completely compromised
Now that the firewall security has been bypassed completely, the attacker uses the database server to take over the domain controller.
The domain passwords are cracked, and access to the administrator's workstation is now available.
The administrator accesses the mainframe from his desktop and saves all the passwords for easy access. A remote desktop session is pushed back to the attacker.
The attacker can now access the mainframe as if he were sitting at the administrator's desk. Hmmm… what else can he access from here?
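The first step of the scenario above, the "hole in the internet banking software", is a login query that pastes user input into SQL text. The following is an added worked example, not code from the presentation: it builds a constructed in-memory SQLite customer table, shows the vulnerable login being bypassed with a classic `' OR '1'='1' --` payload, shows the parameterized form that resists it, and renders (without executing) the stacked-query payload that on Microsoft SQL Server would reach `xp_cmdshell` and hence system commands on the database server. The table, credentials and the choice of MSSQL for the command-execution illustration are assumptions; the slides do not name the DBMS.

```python
import sqlite3

# Constructed sample customer table standing in for the bank's customer
# database (not data from the presentation).
SAMPLE_CUSTOMERS = [
    ("alice", "s3cret", 1200),
    ("bob", "hunter2", 300),
]


def make_customer_db():
    """Build the in-memory SQLite database the web tier authenticates against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The 'hole': input is spliced into SQL text, so it can rewrite the query."""
    return (
        "SELECT username FROM customers "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """Login as the vulnerable banking application does it."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: bound parameters keep input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM customers WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Turns the WHERE clause into "'' OR '1'='1'" and comments out the rest.
BYPASS_PAYLOAD = "' OR '1'='1' --"

# Stacked-query payload of the kind that reaches OS commands on Microsoft SQL
# Server when the application's DB login has sysadmin rights (assumed DBMS;
# rendered as text only, SQLite refuses to run multiple statements here).
CMDSHELL_PAYLOAD = "'; EXEC master..xp_cmdshell 'whoami'; --"


def demo():
    """Run the scenario and return the observed outcomes."""
    conn = make_customer_db()
    results = {
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, "anything"),
        "bypass_safe": login_safe(conn, BYPASS_PAYLOAD, "anything"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "cmdshell_query": build_vulnerable_query(CMDSHELL_PAYLOAD, "x"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable login returns the first customer row for the bypass payload, while the parameterized login treats the same bytes as a literal username and rejects them; the rendered `xp_cmdshell` query shows why the slide's "system commands on the database server" follows directly from the same defect once the database login is privileged.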
Select Weaknesses
Passwords
Over-reliance on encryption
Patch management
Rogue HTTP tunnels
Outsourcing
Wireless security
Technical Vulnerabilities of PKI
Keys can be:
– Altered by a hacker
– Captured through video-viewing
– Broken by brute force on parallel processors when of limited length
– Stolen through manipulation of fake names and IDs
– Compromised when password and token protection are cracked
Certificate Authorities can:
– Have a different definition of "trust"
– Operate with insecure physical or network security
– Be broken into, and public key files altered
GSM Vulnerabilities
SIM-card vulnerability
SMS bombs
Gateway vulnerability
WAP vulnerability
Man-in-the-middle attack
V. Challenges Ahead
Building awareness
Creating a culture of electronic security as part of business process
Building e-security considerations into investment planning and RFP design
Assuring proper development of the four pillars in emerging markets
World Bank Integrator Group 2003
For further information: www1.worldbank.org/finance (click on E-security)