Francis Karuhanga, FCCA - PowerPoint PPT Presentation

Description: ELECTRONIC MONEY: INFORMATION SECURITY, RISKS AND IMPLICATIONS. Presented by: Francis Karuhanga, FCCA, Head of Internal Audit, Stanbic Bank Uganda ... – PowerPoint PPT presentation
Slides: 22
Provided by: isacaOrgc
Learn more at: https://engage.isaca.org
Transcript and Presenter's Notes

1
ELECTRONIC MONEY: INFORMATION SECURITY, RISKS AND
IMPLICATIONS
  • Presented By
  • Francis Karuhanga, FCCA
  • Head of Internal Audit
  • Stanbic Bank Uganda

2
Disclaimer
  • This presentation was made at the annual ISACA
    Kampala Chapter Information Security Workshop on
    23rd October 2012 at Protea Hotel, Kampala. The
    presentation was designed to create dialogue and
    elicit comments amongst the workshop participants
    and should be viewed within the context of these
    objectives.
  • The presentation contains information in summary
    form and is therefore intended for general guidance
    only. It is not intended to be a substitute for
    detailed research or the exercise of professional
    judgement. Stanbic Uganda and Standard Bank Group
    cannot accept any responsibility for loss
    occasioned to any person acting or refraining
    from action as a result of any material in this
    presentation.

3
Content
  • Evolution of Money
  • Definition of Electronic Money
  • Electronic Money - Payment Systems
  • Electronic Money and Information Security
  • Key Information/E-money Security Risks
  • Implications
  • Conclusion

4
Evolution of Money
First was
  • Barter Trade
  • Then, in the past, scarce precious metals such as
    gold and silver were used because they had
    intrinsic value and performed the functions of
    money, that is
  • a medium of exchange,
  • unit of account, and
  • store of value

5
Evolution of Money
Then
  • Paper and Coins

The intrinsic value attributed to precious metals
was embedded in paper, hence the advent of paper
money. Paper ideally carries information to which
intrinsic value is attached as long as it is
issued by a trusted authority.
6
Evolution of Money
  • The inconvenience of carrying large quantities of
    paper currency was mitigated by the introduction
    of cheques, which carry information identifying
    the owner's account.

7
Evolution of Money
And Now
  • Electronic Money - from paper money to binary
    codes of ones (1) and zeros (0).

Electronic money refers to "stored value" or
prepaid payment mechanisms for executing payments
via point-of-sale terminals, direct transfers
between two devices, or over open computer
networks such as the Internet. Electronic money is
also known as e-currency, e-money, electronic cash,
electronic currency, digital money, digital cash,
digital currency or cyber currency. In this
presentation, e-money mainly refers to electronic
payment systems/channels.
8
Examples of E-Money (Electronic Payment Systems)
  • Electronic Clearing System (ECS) - banks use the
    Society for Worldwide Interbank Financial
    Telecommunication network (SWIFT, a secure
    messaging system) to electronically deliver the
    data accompanying instruments to the ECS.
  • Electronic Funds Transfer (EFT)
  • Real Time Gross Settlement (RTGS) - an interbank
    system in which each transfer is settled
    individually and in real time, rather than netted
    in batches
  • Card payment systems, including ATMs, credit
    cards, Visa cards, etc.
  • Mobile Money - a payment system that uses the
    telecommunications infrastructure
  • Internet banking
  • Mobile banking
  • Payway, PayPal, etc.

9
Electronic Money and Information
Money has become electronic information: no gold
or paper is required. Money is just a coded
series of binary digits, 1 and 0.

Think of a mobile money user who loses his/her
phone: what is normally their worry, the phone,
the SIM card, or the PIN?
This implies that securing information translates
into security of money!
10
Information security and Electronic Money
  • In the past, security focused on physical
    security by protecting money just as if it were
    gold. It was kept behind stone walls and locked
    vaults often guarded by men with weapons.
  • As money has transformed from gold and silver to
    paper currency, to Cheques, and today to
    electronic information, the walls of the bank
    have also transformed from stone and steel to
    electronic walls.
  • The transformation of money into electronic
    information has resulted in new security
    controls, including
  • firewalls,
  • intrusion detection systems,
  • intrusion prevention systems, and
  • access control lists, all designed to protect
    money as information

11
Information security and Electronic Money
  • Even for paper money and cheques, measures were
    put in place to protect the information content
    of money. These include
  • use of watermarks,
  • special paper,
  • complex colours and graphics,
  • security threads, and
  • other anti-counterfeiting technologies - to
    ensure trust

12
Key Information/E-money Security Risks
  • The three major information security risks
    related to e-money are
  • hacking into bank computer systems through
    exploitation of technical vulnerabilities,
  • intentional or accidental data loss (laptop, tape
    or other data breaches), and
  • identity theft or unauthorised account access by
    obtaining access keys through theft, phishing,
    social engineering or other means.
  • The mode of exploitation of these risks varies
    from one payment system to another (e.g. card,
    internet or mobile banking)

13
Common risks
Key Information/E-money Security Risks
  • Duplication of devices - common in card-based
    systems; the method of attack is the creation of
    a new device that other devices accept as
    genuine. Some of the ways this is accomplished
    are
  • reproduction, re-embossing or altering of a real
    card
  • a criminal secretly copies the data from the
    magnetic stripe of a valid card and transfers it
    onto the magnetic stripe of a new (counterfeit)
    card
  • the genuine cardholder still has possession of
    his card and does not know anything is wrong
    while the criminal is making transactions with
    the counterfeit card

14
Common risks
Key Information/E-money Security Risks
Duplication of devices
  • Various methods
  • fixing a skimming device over the ATM card slot
  • distracting the cardholder and skimming the data
    with a handheld skimming device
  • attaching a skimming device to the ATM lobby
    entrance card swipe
  • capturing the genuine card
  • micro-camera
  • fake PIN pad fixed over the genuine PIN pad
  • shoulder surfing
  • attaching a fake PIN pad to the ATM lobby
    entrance card swipe
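A skimmed card is a byte-for-byte copy of the genuine magnetic stripe, so any single authorisation from it looks legitimate; what the skimmer cannot copy is the cardholder's whereabouts. The following is an added example, not part of the original presentation: an "impossible travel" rule over an authorisation log that flags one PAN being used at two terminals too far apart for the cardholder to have moved between them. The log entries, the terminal names and coordinates, the 900 km/h speed ceiling and the 1 km "same site" radius are all constructed assumptions for the illustration.

```python
"""Spot a cloned card from authorisation logs with an impossible-travel rule."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Auth:
    pan_hash: str      # keyed hash of the PAN; raw PANs must not appear in logs
    when: datetime
    terminal: str
    lat: float
    lon: float
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner speed
SAME_SITE_KM = 1.0      # assumed: lobby door swipe and ATM at one branch are not "travel"


def impossible_travel(auths, max_speed=MAX_SPEED_KMH):
    """Return (earlier, later, speed_kmh) for consecutive authorisations of the
    same PAN that would require moving faster than max_speed."""
    by_pan = {}
    for a in auths:
        by_pan.setdefault(a.pan_hash, []).append(a)
    alerts = []
    for events in by_pan.values():
        events.sort(key=lambda e: e.when)
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < SAME_SITE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # identical timestamps at different sites are flagged as infinite speed
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed:
                alerts.append((prev, cur, speed))
    return alerts


# Constructed sample log (not real data); coordinates are approximate city centres.
KLA = (0.3476, 32.5825)    # Kampala
EBB = (0.0512, 32.4637)    # Entebbe
NBO = (-1.2921, 36.8219)   # Nairobi
T = datetime(2012, 10, 23, 9, 0)
SAMPLE_AUTHS = [
    # genuine cardholder: lobby door swipe, then the ATM inside the same branch
    Auth("h1", T, "KLA-LOBBY-07", *KLA, 0.0),
    Auth("h1", T.replace(minute=2), "KLA-ATM-07", *KLA, 200000.0),
    # counterfeit copy of the same stripe used in Nairobi twenty minutes later
    Auth("h1", T.replace(minute=22), "NBO-POS-21", *NBO, 85000.0),
    # a different card: Kampala then Entebbe an hour later is ordinary travel
    Auth("h2", T, "KLA-POS-03", *KLA, 30000.0),
    Auth("h2", T.replace(hour=10), "EBB-POS-11", *EBB, 15000.0),
]

if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SAMPLE_AUTHS):
        print(f"{prev.pan_hash}: {prev.terminal} -> {cur.terminal} needs {speed:.0f} km/h")
```

The rule only fires when the clone and the genuine card are used far apart; a counterfeit used in the same city as the cardholder needs other signals (velocity of spend, merchant category, PIN retry counts). It also says nothing about which of the two cards is the fake, so the action is to block the PAN and contact the cardholder, not to reverse one transaction.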

15
Key Information/E-money Security Risks
Common risks
  • Alteration or duplication of data or software -
    modifying data stored on a genuine electronic
    money device in an unauthorised manner.
  • For example, account takeover (of existing
    accounts) - the fraudster obtains the minimal
    valid information required from discarded
    documents, mail theft, insider collusion, theft
    of personal belongings, online data or theft of
    public records
  • Perpetrator
  • uses some true cardholder information
  • changes the cardholder's mailing address
  • requests a replacement or additional card/PIN to
    be mailed to the new address
  • Perpetrators also log on to bank web sites, enrol
    as the legitimate cardholder, and change the
    account address
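Each step of the takeover above is an ordinary customer event on its own; the signal is the sequence within a short window. Below is an added example, not from the original presentation, of a rule over a customer-servicing event stream that flags a card or PIN reissue shortly after a mailing-address change, and an address change shortly after online enrolment. The event names, the 30-day window and the sample events are constructed assumptions.

```python
"""Flag account-takeover sequences in a customer-servicing event stream."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    when: datetime
    kind: str        # "online_enrol" | "address_change" | "card_reissue" | "pin_reissue"
    detail: str = ""


WINDOW = timedelta(days=30)   # assumed review window between the two steps
REISSUE_KINDS = ("card_reissue", "pin_reissue")


def takeover_alerts(events, window=WINDOW):
    """Return (account, reason, triggering_event) for each suspicious sequence."""
    by_acct = {}
    for e in events:
        by_acct.setdefault(e.account, []).append(e)
    alerts = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e.when)
        last_enrol = last_addr = None
        for e in evs:
            if e.kind == "online_enrol":
                last_enrol = e
            elif e.kind == "address_change":
                # step 2 of the web-enrolment variant: enrol, then move the address
                if last_enrol and e.when - last_enrol.when <= window:
                    days = (e.when - last_enrol.when).days
                    alerts.append((acct, f"address_change {days} days after online_enrol", e))
                last_addr = e
            elif e.kind in REISSUE_KINDS:
                # step 3 of the mail variant: reissue sent to a freshly changed address
                if last_addr and e.when - last_addr.when <= window:
                    days = (e.when - last_addr.when).days
                    alerts.append((acct, f"{e.kind} {days} days after address_change", e))
    return alerts


# Constructed sample events (not real customer data).
D = datetime(2012, 10, 1)
SAMPLE_EVENTS = [
    # account A: address changed, replacement card requested three days later
    Event("A", D, "address_change", "new mailing address"),
    Event("A", D + timedelta(days=3), "card_reissue", "replacement card"),
    # account B: address changed, card reissued seven months later (routine renewal)
    Event("B", D, "address_change"),
    Event("B", D + timedelta(days=210), "card_reissue"),
    # account C: online enrolment as the cardholder, then address change, then PIN
    Event("C", D, "online_enrol"),
    Event("C", D + timedelta(days=2), "address_change"),
    Event("C", D + timedelta(days=4), "pin_reissue"),
]

if __name__ == "__main__":
    for acct, reason, ev in takeover_alerts(SAMPLE_EVENTS):
        print(f"{acct}: {reason} ({ev.when:%Y-%m-%d})")
```

The alert is a trigger for a hold and an out-of-band confirmation with the customer on a contact channel established before the change, not the one the perpetrator just set; a callback to the new number or a letter to the new address confirms nothing.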

16
Key Information/E-money Security Risks
Common risks
  • Alteration of messages
  • Attackers could attempt to change the data or
    processes of a device by deleting messages,
    replaying messages, substituting an altered
    message for a valid one, or observing messages
    with ill intent.
  • Communications between devices could be
    intercepted by outside attackers when sent across
    telecommunications lines, through computer
    networks, or through direct contact between
    devices.
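The four attacks listed above (deletion, replay, substitution, observation) are what message authentication with sequence numbers is designed to catch. The following is an added example, not from the original presentation: a payment device stamps each message with its id, a strictly increasing sequence number and an HMAC-SHA256 keyed with a secret shared with the issuer, and the issuer's check rejects altered and replayed messages and records gaps left by deleted ones. The terminal ids, the key and the message bodies are constructed for the illustration. Note the caveat in the header: a MAC gives integrity, not confidentiality, so observation still requires an encrypted channel.

```python
"""Authenticated, replay-resistant messages between a payment device and its issuer.

Detects:  alteration/substitution (MAC fails), replay (sequence not increasing),
          deletion (gap in sequence numbers).
Does NOT: hide the message content; observation needs encryption (e.g. TLS) on top.
"""
import hashlib
import hmac
import json


def _canonical(msg: dict) -> bytes:
    """Deterministic encoding of the authenticated fields (key order fixed)."""
    fields = {k: msg[k] for k in ("terminal", "seq", "body")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, msg: dict) -> str:
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


class Terminal:
    def __init__(self, terminal_id: str, key: bytes):
        self.terminal_id, self.key, self.seq = terminal_id, key, 0

    def send(self, body: dict) -> dict:
        self.seq += 1   # must survive reboots on a real device, or replays reopen
        msg = {"terminal": self.terminal_id, "seq": self.seq, "body": body}
        msg["mac"] = _mac(self.key, msg)
        return msg


class Issuer:
    def __init__(self, keys: dict):
        self.keys = keys        # terminal id -> shared key (one key per terminal)
        self.last_seq = {}      # terminal id -> highest accepted sequence number
        self.gaps = []          # (terminal, first_missing, last_missing)

    def receive(self, msg: dict) -> str:
        key = self.keys.get(msg.get("terminal"))
        if key is None:
            return "reject: unknown terminal"
        # constant-time comparison so a forger cannot learn the MAC byte by byte
        if not hmac.compare_digest(_mac(key, msg), str(msg.get("mac", ""))):
            return "reject: bad mac"
        last = self.last_seq.get(msg["terminal"], 0)
        if msg["seq"] <= last:
            return "reject: replay"
        if msg["seq"] != last + 1:
            self.gaps.append((msg["terminal"], last + 1, msg["seq"] - 1))
        self.last_seq[msg["terminal"]] = msg["seq"]
        return "accept"


def demo():
    """Run each attack from the slide against the issuer; returns (outcomes, gaps)."""
    key = b"constructed-demo-key-for-T001"   # constructed; real keys live in an HSM
    term, issuer = Terminal("T001", key), Issuer({"T001": key})
    out = []
    m1 = term.send({"pan_hash": "h1", "amount": 150000, "ccy": "UGX"})
    out.append(issuer.receive(m1))                        # accept
    out.append(issuer.receive(m1))                        # replayed -> reject: replay
    m2 = term.send({"pan_hash": "h1", "amount": 20000, "ccy": "UGX"})
    altered = dict(m2, body=dict(m2["body"], amount=2000000))
    out.append(issuer.receive(altered))                   # altered -> reject: bad mac
    out.append(issuer.receive(m2))                        # untouched original -> accept
    term.send({"pan_hash": "h2", "amount": 5000, "ccy": "UGX"})   # seq 3, deleted in transit
    m4 = term.send({"pan_hash": "h2", "amount": 7000, "ccy": "UGX"})
    out.append(issuer.receive(m4))                        # accept; gap (T001, 3, 3) recorded
    rogue = {"terminal": "T999", "seq": 1, "body": {}, "mac": ""}
    out.append(issuer.receive(rogue))                     # reject: unknown terminal
    return out, issuer.gaps


if __name__ == "__main__":
    print(demo())
```

A per-terminal key matters: with one key shared by all devices, a message captured from terminal A could be re-sent as if from A with a fresh sequence number, and a compromised device would expose every other device's traffic. The sequence counter on the device must also be stored tamper-resistantly; if an attacker can roll it back, old messages become valid again.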

17
Key Information/E-money Security Risks
Common risks
  • Theft - data stored on devices could also be
    stolen via unauthorised copying.
  • For example, an attacker could intercept messages
    between a genuine user and an issuer, or insert
    an unauthorised software program into a user's
    personal computer that enables the attacker to
    copy electronic notes stored or in transmission.
  • Phishing
  • Reputable organisations will not ask you to
    update or change sensitive information online.
  • E-mails that bear dire warnings and request
    sensitive information are probably a scam.

18
Key Information/E-money Security Risks
Common risks
  • Repudiation of transactions - the customer
    completes a transaction but denies that it took
    place, and demands reimbursement of funds.
  • Malfunctions
  • Electronic money products could suffer from
    instances of accidental corruption or loss of
    data stored on a device, the malfunction of an
    application such as accounting or security
    functions, or failures in the transmission of
    messages. If exploited by unscrupulous holders
    before being detected, certain types of
    malfunction could cause losses to the issuer.
  • Service provider risk - a service provider may
    not deliver the services expected by the bank;
    deficiencies in system or data integrity or
    reliability may result.

19
Implications
  • Financial loss - access to just a PIN can cost a
    customer or a bank enormous sums. These include
    the costs of reimbursing customer losses and of
    reconstructing accurate customer data, and
    possible losses from redeeming electronic money
    for which no corresponding prepaid funds were
    received. A bank may also face legal or
    regulatory sanctions and negative publicity.
  • Reputation - customers may perceive the bank as
    being unreliable, hence affecting brand
    integrity.
  • Litigation - as a result of failure to protect
    customer privacy, e.g. a bank releases
    information profiling the pattern of a customer's
    financial transactions without the customer's
    authorisation.

20
Implications
  • High capital and operational expense for banks
  • Most information security measures, such as
    encryption, impose an additional processing
    burden on computers that may significantly slow
    the performance of banking systems; hence
    financial institutions have to incur the cost of
    enhancing/upgrading their systems.
  • The use of tamper-resistant devices incorporated
    into stored-value cards and merchant hardware is
    another capital expenditure for the banks.
  • Crime with no crime scene
  • The evolution of e-money and other technology has
    left access to information open to anyone,
    anywhere, at any time. Most e-money systems are
    borderless; therefore a criminal does not have to
    be on site to commit a crime.

21
Conclusion
  • In today's world money has been reduced to binary
    data, hence access to information/data is as good
    as access to cash. The advent of e-money is
    touted for the convenience of being able to
    access money anywhere at any time. It has also
    opened up many more access points compared to
    gold and silver, which only required physical
    security.
  • Unauthorised access to e-money can be attempted
    by anyone, anywhere, at any time. Therefore,
    information security is everyone's
    responsibility, and
  • it begins with you!