Implementing improved user security for Stock broking firms

1
Implementing improved user security for Stock
broking firms A CTO STANDPOINT
CERTIFIED
WHITEPAPER
AuthShield Labs Pvt. Ltd. contact_at_auth-shield.com
91.11.470.65.866
2
Overview
Evolving consumer habits Online trading The
Internet Revolution has changed the way, trading
takes place today. All over the world, online
transactions are moving beyond the nascent stage.
Increased Internet penetration and the very
convenience of the process attract more and more
people to resort to online transactions.   In
modern day stock exchanges today there is a large
amount of technology in place that allows
customers to access their demat accounts from
virtually any location in the world at any time
of the day. This remote accessibility over great
distances is a great asset that allows customers
to buy, sell or transfer shares, equities etc in
a quick and easy manner.   Though exciting, the
potential of online trading is fraught with
challenges. With the onset of the Internet
Revolution, the scams that were till to date
conducted by mail, phone and wire transfer can
now be found on the World Wide Web and in email,
with new cyber scams emerging almost on a daily
basis. A recent survey across ten major cities
in the world indicates that ninety one percent
of internet users have experienced some case of
cyber fraud, such as phishing, key logging,
identity theft and account takeover.


3
Overview
"The chances of a criminal getting arrested and
convicted for identity theft-related fraud are
much less than a half of 1 percent" Recognizing
the importance of safeguarding Investors money,
legitimate brokerage firms should take steps to
ensure that their transactions are secure.
However, online brokerages and the investors who
use them are appealing targets for attackers. The
amount of financial information in a brokerage's
database makes it valuable this information can
be traded or sold for personal profit. Also,
because money is regularly transferred through
these accounts, malicious activity may not be
noticed immediately. To gain access to these
databases, attackers may use Trojan horses or
other types of malicious code Attackers may also
attempt to collect financial information by
targeting the current or potential investors
directly. These attempts may take the form of
social engineering or phishing attacks. With
methods that include setting up fraudulent
investment opportunities or redirecting users to
malicious sites that appear to be legitimate,
attackers try to convince investors to provide
them with financial information that they can
then use or sell.   With the advancement of
computer technology and the connectivity afforded
by the Internet, it is increasingly easy for
criminals, either independently or in organized
gangs, to manipulate holding accounts in order to
commit fraud against exchange or to deceive
innocent victims.   The adverse impacts of
financial fraud, not only on individuals and the
commercial sector but even on national economic
and security systems, are increasing rapidly
worldwide. Left unchecked, financial frauds using
the Internet or Internet driven
4
Overview
technologies could lead to the financial ruin of
people and commercial enterprises as well as
seriously damage multiple economies. 78 of
all information security breaches are conducted
by internal employees

CERT In statistics.
Information security within the
organization Most businesses can no longer
afford to ignore the threat from within. However,
the IT infrastructure of most Sri Lankan and
multinational organizations are yet to address
the full complexity of internal threats. Unlike
external information threats to an organization,
internal information breaches are
multidimensional. The threats may range from
misuse of official email, information for insider
trading or inserting backdoors into critical
applications. More importantly, these threats
come from the most trustworthy of sources
companys internal employees. These actions may/
may not be deliberate but they do take place.
5
Problem Area
1
ONLINE BUYING VIA LINKED BANK ACCOUNTS
The rise of online banking, trading and
electronic money transfers have brought with it a
new breed of criminals, malware, and online
financial scams. Fraudsters have developed
elaborate cross-account, cross-channel, and
cross-institution schemes to transfer shares from
compromised online accounts to controlled
accounts. The shares / equities are then sold
disappear with the money before the illegal
transfer is discovered.
2
IDENTITY THEFTSPHISHING
One Hack attack at a Bank / Online Portal /
store/ BPO /online trading etc can lead to a loss
of thousands of Identities in one step With the
tremendous growth of the Internet in the world,
more and more people are vulnerable to phishing
and Trojan attacks. The growth of E-commerce and
the growing lifestyle changes, presents a unique
challenge for exchanges as increasingly more
people are logging on for buying, selling or
maintaining their portfolio.
3
INTERNAL FRAUDS
A lot of incidents involving internal breaches
are simply not reported, simply because the
institutions reputation is at stake. Most of
the cases that come to light involve a third
party which handles transactions or data
processing (financial BPOs). However studies
indicate that Internal Bank Fraud Accounts for
60 of Cases Involving a Data Breach or Theft of
Funds.
6
AFTER EFFECTS Of Online trading fraud

• As a merchant/Broking Firm, being a victim of
  fraud can have a range of effects on your
  business. These effects include
• Immediate financial loss due to stolen
  stock/earnings
• Damaged reputation
• Loss of customer trust
• Loss of investor confidence
• Lowered sales
• Extra costs of time/money to manage each fraud
  incident
• Lowered staff morale
• Possible legal costs
• Lowered value of your stock/services
• Additional bank fees for transaction reversal
• Potential problems retaining your merchant's
  bank account after too many reversed transactions
• Single factor authentication and Vulnerability
• A major facilitating factor for all most of these
  attacks is the single factor authentication in
  vogue today (using just a password and user
  name).
• It becomes quite easy for an individual to
  capture user names and passwords of other
  individuals using the same IT infrastructure.
  There are multiple techniques like Sniffing,
  installing Keylogger, MIM (Man in Middle attacks)
  or zombie attacks for the same.
• In such a scenario multifactor authentication
  offers a much safer approach. It is a fool proof
  way to authenticate and verify the identity of
  the person or any other entity requesting access
  under security constraints.

7
Preventing Financial Fraud

• Prevention is always better than cure. It is
  truer for exchanges, keeping in mind the changing
  commercial climate. Financial fraud can occur in
  multiple forms and shapes. The time of physically
  cracking into a safe, conducting a bank robbery
  or carrying out an act of dacoit etc is passé.
  Today the theft is conducted on the net with no
  physical threats and with less cost to the
  perpetrator of the crime. The only challenge that
  remains is to cover ones tracks and considering
  the massive flow of information on the net almost
  on a daily basis, it is not much difficult
  either.
• Multifactor Authentication Why do you need it ?
• The best way to beat a thief is to think like
  one
•  
• Phishers try to obtain personal information such
  as your password or PIN-code by pretending to be
  a legitimate entity. Using Phishing, static
  passwords can be easily hacked providing
  fraudsters easy access your demat accounts and
  other confidential information.  
• The current technology used by a lot of
  organizations today has a static password, which
  again is risky if a fraudster is able to lay
  hands on someones password. There is a need to
  bring dynamic passwords in picture, because
  static password ceases to be secure once stolen.
•  
• Multifactor Authentication maps the physical
  identity of the user to the server and increases
  the security of financial and other critical
  systems. It helps the merchant firm to Know
  their customer.
•  
• Integrating Stronger User Authentication system
  not only helps prevent Online Credit Card fraud,
  Card Cloning, Identity theft but also helps in
  the capture of habitual cyber criminals.
• MFID authenticates and verifies the user based on
  
• something only the user has (mobile phone/ land
  line/ hard token)
• something only the user knows (user id and
  password)

8

• AUTHSHIELD
• ONLINE TRADING SECURITY SOLUTIONS
• AuthShield is the only Multi-Factor
  Authentication solution available in the world
  today that can provide you seamless
  Authentication security across all trading
  technology platform used by brokers and stock
  exchanges across the globe.
• AUTHSHIELD PROCESS
• MF-ID follows a centralized architecture where
  all IT systems can be integrated centrally.
  Distributed IT systems can have their own
  controlling architecture
• The user logs into the LAN/VPN/Web Application
  / Database server etc and provides his
  credentials
• Based on users credentials, a
  One-Time-Password is generated and sent to the
  users mobile number. The user meanwhile is taken
  to the OTP authentication application (integrated
  with the AAA server). Once the users identity is
  verified, the user is then provided access to the
  application
• All logs are stored in a secured database
  (completely encrypted) for future analysis.
• ADVANTAGES OF AUTHSHIELD MULTI FACTOR ID
• For Users
• Using INNEFUs two factor authentication can
  help prevent-
• Online fraudulent equity transfers