Electronic Security and Payment Systems: Some New Challenges - PowerPoint PPT Presentation (22 slides)

Description: Electronic Security and Payment Systems: Some New Challenges, Tom Glaessner ... "Unless 128-bit SSL for mobile commerce or IPSEC for Enterprise access is being used, ..."

1
Electronic Security and Payment Systems Some
New Challenges
  • Tom Glaessner
  • Thomas Kellermann
  • Valerie McNevin
  • The World Bank
  • November 2003

2
Organization of Presentation
  • Digital Trends in Payments
  • Nature of the Threat
  • Market Structure and E-Risk in Emerging Economies
  • A Four Pillar Approach
  • Future Challenges

3
Four Streams of E-Finance
  • EBT, EFT, ETC, EDI (chart; the only legible label
    in the transcript is "of Global EFT Transactions
    677,411,204")
4
I. Digital Trends in Retail Payments
  • Increased dependence on Information Technologies
  • The convergence of technologies
  • Leapfrogging opportunities provided by e-finance
    stimulate growth
  • The growth of wireless in emerging markets (EMG)
  • New, interoperable technologies dependent on the
    Internet infrastructure
  • VOIP
  • Satellite and cyber-location
  • E-commerce, retail and even micro payments

5
Connectivity: Mobile Phones (chart)
6
(No Transcript)
7
II. The Nature of the Threat
  • The threat is not new
  • A cyber world allows for crimes of greater
    magnitude with greater speed
  • Lack of incentives for reporting hides true
    e-security vulnerabilities
  • Cyber threats have been rising globally as
    technologies converge
  • Emerging markets are not immune

8
System Access, E-Risk and Fraud
  • System access in a networked environment
    • Access tools: hacking of software
      vulnerabilities, viruses, worms, Trojans,
      denial of service (DoS)
  • Types of e-fraud
    • Identity theft
    • Extortion (reputational)
    • Salami slicing
    • Funds transfer
    • Electronic money laundering

9
III. E-Risk Market Structure in Emerging
Economies
  • Many emerging markets have concentrated
    provisioning of hosting services
  • Interlinked ownership: telecom companies, ISPs,
    e-security service companies, and banks
  • No real separate independent e-security industry
  • Shortage of human capital in EMG in this area
  • CISOs
  • E-Security providers versus white knights

10
IV. A Four Pillar Approach
11
Pillar 1: Legal Framework, Incentives, Liability
  • No one owns the internet so how can
    self-regulation work?
  • Basic laws in the e-security area vary a lot
    across countries as do penalties
  • Defining a money transmitter
  • How to define a proper service level agreement
    (SLA)
  • Downstream liability
  • Issues in certification and standard setting

12
Pillar 3: Certification, Standards, Policies and
Processes
  • Certification
  • Software and hardware
  • Security vendors
  • E-transactions
  • Policies
  • Standards
  • Procedures

13
Pillar 2: Supervision and External Monitoring
  • Technology supervision and operational risk
  • Retail payment networks, commercial banks,
    e-security vendors
  • Capital standards and e-risk
  • On-site IT examinations
  • Off-site processes
  • Coordination between regulatory agencies, and
    between supervisors and law enforcement
  • Cyber-Risk Insurance
  • Education and Prevention

14
Pillar 4: Layered Electronic Security
  • 12 Core Layers of proper e-security
  • Part of proper operational risk management
  • General axioms in layering e-security
  • Attacks and losses are inevitable
  • Security buys time
  • The network is only as secure as its weakest link

15
Intruder Begins Attack
The web server authenticates against the
customer database.
Exploiting a hole in the internet banking
software, SQL injection is used to run system
commands on the database server.
The attacker runs a command that opens a remote
command shell.
16
Network is completely compromised
Now that the firewall has been bypassed
completely, the attacker uses the database server
to take over the domain controller.
The domain passwords are cracked, and access to
the administrator's workstation is now available.
The administrator accesses the mainframe from his
desktop and saves all the passwords for easy
access. A remote desktop is pushed back to the
attacker.
The attacker can now access the mainframe as if
he were sitting at the administrator's desk.
Hmmm, what else can he access from here?
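The first link of the attack chain above, as an added example (Python with the standard sqlite3 module; this is not code from the deck or from the World Bank): the banking application's login query built by string concatenation, beside the same check with bound parameters. Table layout, usernames, passwords and balances are constructed for illustration. SQLite has no stored procedure that runs operating-system commands, so the example stops at authentication bypass and a dump of every customer row; on a database server that does expose such a procedure, the identical concatenation flaw lets the attacker call it, which is how the deck's intruder ends up with a command shell.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice", "s3cret", 1200), ("bob", "hunter2", 40)],  # sample rows
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: whatever the user types is parsed as SQL."""
    sql = (
        "SELECT username, balance FROM customers WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is compared as data, never parsed."""
    sql = "SELECT username, balance FROM customers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Payload 1: close the string and comment out the password clause,
# so the attacker logs in as any chosen account without its password.
BYPASS_USER = "alice' --"

# Payload 2: no valid credentials at all, but an always-true predicate
# (AND binds tighter than OR) returns every customer row.
DUMP_ALL = "' OR '1'='1"


def demo():
    """Run both payloads against both query builders and return what each yields."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "vuln_dump": login_vulnerable(conn, DUMP_ALL, DUMP_ALL),
        "safe_bypass": login_parameterized(conn, BYPASS_USER, "wrong"),
        "safe_dump": login_parameterized(conn, DUMP_ALL, DUMP_ALL),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The two parameterized calls return no rows because the driver sends the text `alice' --` to the database as a value to compare against, not as part of the statement; the concatenated version cannot tell the difference, which is the whole of the vulnerability the slide relies on.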
17
Select Weaknesses
  • Passwords
  • Over-reliance on encryption
  • Patch management
  • Rogue HTTP Tunnels
  • Outsourcing
  • Wireless Security

18
Technical Vulnerabilities of PKI
  • Keys can be
    • Altered by a hacker
    • Captured through video viewing (shoulder
      surfing)
    • Brute-forced on parallel hardware when the key
      length is too short
    • Obtained fraudulently with fake names and IDs
    • Compromised when the password and token
      protecting them are cracked
  • Certificate Authorities can
    • Have a different definition of trust
    • Operate with insecure physical or network
      security
    • Be broken into, and public key files altered

19
GSM Vulnerabilities
  • SIM-CARD Vulnerability
  • SMS Bombs
  • Gateway Vulnerability
  • WAP Vulnerability
  • Man in the Middle Attack

20
(No Transcript)
21
V. Challenges Ahead
  • Building awareness
  • Creating a culture of electronic security as part
    of business process
  • Building e-security considerations into
    investment planning and RFP design
  • Assuring proper development of the four pillars
    in emerging markets

22
World Bank Integrator Group, 2003. For further
information: www1.worldbank.org/finance (click
on E-security), tglaessner@worldbank.org