World Bank Integrator Unit
Electronic Security and Payment Systems: Some New Challenges
Tom Glaessner, Thomas Kellermann, Valerie McNevin
The World Bank, November 2003


Organization of Presentation
I. Digital Trends in Payments
II. Nature of the Threat
III. Market Structure and E-Risk in Emerging Economies
IV. A Four Pillar Approach
V. Future Challenges

Four Streams of E-Finance
[Figure: the four streams shown are EBT, ETC, EDI and EFT; the chart label reads "# of Global EFT Transactions: 677,411,204".]

I. Digital Trends in Retail Payments
Increased dependence on information technologies
– The convergence of technologies
– Leapfrogging opportunities provided by e-finance stimulate growth
– The growth of wireless in EMG (emerging markets)
New, interoperable technologies dependent on the Internet infrastructure
– VOIP
– Satellite and cyber-location
E-commerce, retail and even micro payments

Connectivity: Mobile Phones
[Figure: Mobile Phone Use. Bar chart of mobile phones per year (1995, 1997, 1999, 2001) as a percentage of population, with series for Industrial, Developing and Total Economies; vertical axis 0% to 80%. Data labels visible on the chart: 10%, 21%, 44%, 71%; 2%, 7%, 17%, 32%; 6%, 14%, 30%, 51%.]

World-Wide Cyber Attack Trends
[Figure: two series plotted over 1995 to 2002. Malicious Code Infection Attempts* on a 0 to 900M axis, and Network Intrusion Attempts** on a 0 to 120,000 axis. Annotated milestones: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]

* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA;

** Source: CERT; 2002 Intrusion Attempts were 82,094; 1&2Q 2003 total already was 76,404


II. The Nature of the Threat

The threat is not new

A cyber world allows for crimes of greater magnitude with greater speed

Lack of incentives for reporting hides true e-security vulnerabilities

Cyber threats have been rising globally as technologies converge

Emerging markets are not immune

System Access: E-Risk and Fraud
System access in a networked environment: access tools
– Hacking software vulnerabilities, viruses, worms, Trojans, Denial of Service (DOS)
Types of e-fraud
– Identity theft
– Extortion (reputation)
– Salami slice
– Funds transfer
– Electronic money laundering

III. E-Risk Market Structure in Emerging Economies
Many emerging markets have concentrated provisioning of hosting services
Interlinked ownership: telecom companies, ISPs, e-security service companies, and banks
No real separate, independent e-security industry
Shortage of human capital in EMG in this area
– CISOs
– E-security providers versus white knights


IV. A Four Pillar Approach

Pillar 1: Legal Framework, Incentives, Liability
No one owns the Internet, so how can self-regulation work?
Basic laws in the e-security area vary a lot across countries, as do penalties
Defining a money transmitter
How to define a proper service level agreement (SLA)
Downstream liability
Issues in certification and standard setting

Pillar 2: Supervision and External Monitoring
Technology supervision and operational risk:
– Retail payment networks; commercial banks; e-security vendors
– Capital standards and e-risk
– On-site IT examinations
– Off-site processes
– Coordination: between regulatory agencies; between supervisors and law enforcement
Cyber-risk insurance
Education and prevention

Pillar 3: Certification, Standards, Policies and Processes
Certification
– Software and hardware
– Security vendors
– E-transactions
Policies, standards, procedures

Pillar 4: Layered Electronic Security
12 core layers of proper e-security
Part of proper operational risk management
General axioms in layering e-security
– Attacks and losses are inevitable
– Security buys time
– The network is only as secure as its weakest link

Intruder Begins Attack
Exploiting a hole in the Internet banking software, SQL injection ("SQL insertion" in the deck) is used to run system commands on the database server.
The web server authenticates against the customer database.
The attacker runs a command that opens a remote command shell.

Network is Completely Compromised
Now that the firewall security has been bypassed completely, the attacker uses the database server to take over the domain controller.
The domain passwords are cracked, and access to the administrator's workstation is now available.
The administrator accesses the mainframe from his desktop and saves all the passwords for easy access. A remote desktop is pushed back to the attacker.
The attacker can now access the mainframe as if he were sitting at the administrator's desk. Hmmm… what else can he access from here?
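The entry point of the scenario above is an Internet banking login whose SQL query is built from user input. The following is an added example, not code from the World Bank deck: a login check written the flawed way (string concatenation) beside the parameterized form that closes the hole. The table, columns and the sample account are constructed for the demonstration; the function and variable names are the example's own.

```python
# Added example (not from the World Bank deck): the flawed login query
# beside its parameterized replacement. Schema and sample row are constructed.
import sqlite3


def build_customer_db() -> sqlite3.Connection:
    """Create an in-memory customer table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, balance INTEGER)"
    )
    conn.execute("INSERT INTO customers VALUES ('alice', 'correct horse', 1000)")
    conn.commit()
    return conn


def authenticate_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Flawed pattern: user input is pasted into the SQL text, so the input
    can change the statement's structure instead of only supplying values."""
    query = (
        "SELECT 1 FROM customers WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def authenticate_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver binds the values, so a quote in the
    input is just a character inside the value and cannot alter the SQL."""
    query = "SELECT 1 FROM customers WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both checks against the textbook tautology probe and a real password."""
    conn = build_customer_db()
    # The classic textbook probe: closes the quoted string early and appends
    # an always-true condition. Only the concatenated query is fooled by it.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_accepts_tautology": authenticate_vulnerable(conn, "alice", tautology),
        "safe_rejects_tautology": not authenticate_safe(conn, "alice", tautology),
        "safe_accepts_real_password": authenticate_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Parameterization removes the injection, but the scenario's second step, running system commands from the database server, only works because the application's database account has that privilege at all. Running the web tier under a database login limited to the statements it needs is the layered-security counterpart to fixing the query.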

Select Weaknesses
Passwords
Over-reliance on encryption
Patch management
Rogue HTTP tunnels
Outsourcing
Wireless security
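Passwords head the list above, and in the attack scenario the compromise spreads once the domain passwords are cracked. The following added example, which is not part of the deck, shows the storage decision that governs how costly that cracking step is: an unsalted single-pass hash (the legacy pattern) beside a salted, iterated PBKDF2 record, using only the Python standard library. The record format, iteration count and function names are the example's own choices.

```python
# Added example (not from the World Bank deck): password storage that makes a
# stolen password file expensive to crack. Standard library only.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def legacy_md5_hash(password: str) -> str:
    """The weak pattern: no salt, one fast hash. Identical passwords produce
    identical hashes and precomputed tables apply to the whole file."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A per-user random salt defeats precomputed tables; the iteration count
    makes every guess cost the attacker the same work it costs the server."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. Records in any other format are rejected outright."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Two users with the same constructed password: the legacy hashes match,
    # the salted records do not, so the file leaks nothing about shared passwords.
    print(legacy_md5_hash("winter2003") == legacy_md5_hash("winter2003"))  # True
    print(hash_password("winter2003") == hash_password("winter2003"))      # False
    print(verify_password("winter2003", hash_password("winter2003")))      # True
```

The iteration count is stored in the record so it can be raised over time: old records keep verifying with their own count, and can be rehashed with the new one on the user's next successful login.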

Technical Vulnerabilities of PKI
Keys can be:
– Altered by a hacker
– Captured through video-viewing
– Broken by parallel processors when of limited length
– Stolen through manipulation of fake names and IDs
– Compromised when password and token protection are cracked
Certificate Authorities can:
– Have a different definition of "trust"
– Operate with insecure physical network security
– Be broken into, and public key files altered

GSM Vulnerabilities
– SIM-card vulnerability
– SMS bombs
– Gateway vulnerability
– WAP vulnerability
– Man-in-the-middle attack

V. Challenges Ahead
Building awareness
Creating a culture of electronic security as part of business process
Building e-security considerations into investment planning and RFP design
Assuring proper development of the four pillars in emerging markets

World Bank Integrator Group 2003
For further information: www1.worldbank.org/finance (click on E-security)
[email protected]