This is a summary of my presentation to bank CEOs at an event organized by the Uganda Bankers Association on Friday 11th October 2013, at the Sheraton Hotel. To download the presentation, click here.
The rate of fraud in Uganda's financial institutions is increasing. As in any industry, communication (the transfer of data and voice) is central to the success of the banking business. Banking processes are highly automated, with technology as a critical success factor.
All communication media are at risk: email, chat, wire transfer, web, phone, SMS, payment platforms over HTTP and HTTPS, fax, application programming interface (API) endpoints, and a plethora of hardware carriers such as cables, thumb drives, mobile devices and DVDs. The exposure exists at both the bank level and the service provider level.
For example, one recent case involved a hacker reaching bank resources through the ISP. The routing protocols used by ISPs have improved over the years, from RIP (Routing Information Protocol) to RIPv2 to OSPF (Open Shortest Path First), with many others in between and beyond. RIP is one of the oldest routing protocols and is considered unsafe: version 1 carries no authentication at all, so any device on the same segment can inject routes. RIPv2 and OSPF support keyed (MD5) authentication of routing updates, but only if the ISP actually configures it, and OSPF has its own share of shortcomings. Each change in technology brings new vulnerabilities with it. For that reason, good ISPs have implemented or are implementing MPLS (Multiprotocol Label Switching), which keeps different customers' traffic on separate label-switched paths. Note, however, that MPLS on its own encrypts nothing: it separates traffic, but a compromised provider device can still read it, so data that must stay confidential has to be encrypted end to end (for example under HTTPS, a VPN or an SSH tunnel) before it enters the ISP's network. Hackers have the time to analyse each and every technology for its vulnerabilities, and the vulnerabilities are always there. Hackers explore all options, and a man-in-the-middle attack on the ISP's network may sometimes prove easier than a direct attack on the bank's network. For this reason, the bank must state clearly in its service level agreement (SLA) with the ISP what the ISP's responsibilities for network security are.
At the bank level, banks communicate with customers, business partners and other stakeholders via email, the web (HTTP/HTTPS) and SMS in a networked environment, and these channels happen to be the most attacked.
Research indicates that 35% of bank security breaches are external and 65% are internal, and of the 35% external breaches, over 95% are aided by insiders.
This means that internal staff are involved in over 90% of all bank fraud cases. For this reason, it is recommended that every bank system upgrade be followed by an independent post-implementation review. It is independent only if it is done by a team other than the one that did the implementation.
To ensure data security, we recommend the following:
Data loss protection solution
This is a dedicated solution that discovers and prevents leakage of sensitive banking data. It is an all-in-one solution that can be deployed on a central server in the bank's IP network. It monitors the data and alerts selected managers to any abuse of sensitive data.
To implement it, we review your data classification policy. If you do not have one, we work with you to prioritize your data by sensitivity. Any data classified as sensitive, e.g. client accounts or medical records, is protected accordingly. Whenever someone copies, emails, opens, modifies or transfers a 'classified' document across the network, the event is logged and a notification (by email or SMS) is sent to the pre-configured people. This gives proactive warning of intellectual property theft and supports confidentiality. Two caveats a bank should understand before buying: it is a monitoring and alerting control, not a substitute for access control or backups, and it only sees data that has been classified or that matches the content patterns it is configured to look for.
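The content-inspection part of such a control, as an added example written for this summary (it is not Summit Consulting's product or any vendor's code): text is scanned for payment card numbers (regex plus a Luhn checksum, so random digit runs are not reported) and for a hypothetical ten-digit account-number format, the document is classified, and an alert record is built with every value masked so that the alert itself does not leak the data. The file names, the account-number format and the notification addresses are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # what was detected, e.g. "card_number"
    masked: str   # redacted value that is safe to put in an alert


# Payment card number: 13-19 digits, optionally separated by spaces or dashes.
# The regex over-matches on purpose; the Luhn check below removes false hits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical account-number format used only by this example's sample data:
# "A/C No: " followed by exactly ten digits. Real core banking formats differ.
ACCOUNT_RE = re.compile(r"\bA/C\s*(?:No\.?)?\s*:?\s*(\d{10})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> list:
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card_number", mask(digits)))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(Finding("account_number", mask(m.group(1))))
    return findings


def classify(text: str) -> str:
    """Two-level scheme for the example: anything with client data is RESTRICTED."""
    return "RESTRICTED" if find_sensitive(text) else "INTERNAL"


def build_alert(actor: str, action: str, filename: str, text: str, notify: list):
    """Alert record for a copy/email/open event on a document; None if nothing sensitive."""
    findings = find_sensitive(text)
    if not findings:
        return None
    return {
        "notify": list(notify),
        "actor": actor,
        "action": action,
        "file": filename,
        "classification": "RESTRICTED",
        "findings": [f"{f.kind}={f.masked}" for f in findings],
    }


# Constructed sample documents; the card number is the well-known 4111... test PAN.
SAMPLE_FILES = {
    "q3_report.txt": "Loan book grew 12% in Q3; 4 new branches opened.",
    "customer_export.csv": "Okello,A/C No: 0123456789,4111 1111 1111 1111",
    "memo.txt": "Card 4111-1111-1111-1112 was declined; reference 5002.",
}
NOTIFY = ["ciso@bank.example", "+256700000000"]   # constructed recipients

if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        print(name, classify(body), build_alert("jdoe", "email", name, body, NOTIFY))
```

The memo is deliberately not reported: its number fails the Luhn check, which is what keeps a content scanner from paging the CISO every time a reference number happens to be sixteen digits long. In production the patterns would be driven by the bank's own classification policy, and the alert would be written to a log that the user being monitored cannot edit.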
In addition, at Summit Consulting Ltd we can provide you with enterprise-wide security.
This includes: (i) full disk encryption (FDE), where every sector of a laptop or server disk is encrypted with strong encryption at very little performance cost; note that FDE protects data on a lost or stolen device, but not against a user who is already logged in or against malware running under that user's account; (ii) a secure email server (SES) that automatically blocks risky attachments; (iii) secure voice over internet protocol (secure VoIP calls); (iv) secured laptops; (v) secured handsets; and (vi) pen drive security.
For best results, we recommend that banks set up secure shell (SSH) tunnelling for financial institution network traffic that crosses untrusted links. The tunnel encrypts and authenticates everything carried between the SSH client and the SSH server, so an attacker sitting in the ISP's network sees only ciphertext. All that is needed is an SSH client on each secured access point, in this case the bank's clients or other partners. Two caveats: the protection ends at the SSH server, so the network behind it must itself be trusted, and the client must verify the server's host key and refuse unknown or changed keys, otherwise the tunnel itself can be intercepted by a man-in-the-middle.
That said, it does not matter how many resources you have; if you do not know how to use them, they will never be enough. That is why training your staff as Certified Secure Computer Users (CSCU) is critical to overall bank security.
The statistics are not on your side. If you have, say, 100 staff, many if not all of them use a computer daily. Although these people are computer users on your network accessing critical banking services, over 96% of them have had no IT security training. Those who have were taken through the basics on an ad hoc basis, yet as bank staff they must cover all the critical IS security modules (network, computer, mobile devices and document management), as in the CSCU course.
Given that internal staff are involved in over 90% of bank fraud in one way or another, training your staff in basic responsibility accounting and IS security can go a long way towards preventing fraud and hacking attacks.
Case study 1
On 9th October 2013, a branch manager at Bank A received an email with an attachment that carried a familiar-looking name. He clicked on it.
It was malware: the CryptoLocker ransomware.
It encrypted all the documents on the manager's hard drive and displayed a ransom screen demanding payment in exchange for the private key that would unlock his files. He did not pay.
To date he has not been able to unlock his files. The laptop held many critical reports and confidential information. He had neither Windows System Restore enabled nor a clean backup of his machine on an external drive, and the malware also encrypted the backup files on the network server, because the backup share was reachable as a mapped drive from the infected machine. A backup that the infected machine can write to is not a backup against ransomware; at least one copy must be offline or otherwise unreachable from user workstations.
Imagine the cost of the lost time and intellectual property. Some malware also collects data from the victim's machine and sends it back to the attacker.
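An added illustration of two checks a responder would run after an incident like this one (example code written for this summary, not anything the bank or the author used): files are triaged by Shannon entropy, since CryptoLocker output is indistinguishable from random bytes while office documents and text are not, and each backup copy is verified against a hash manifest recorded before the incident, which is what tells you that the network-share copy was encrypted along with the laptop while the disconnected external drive still holds the real file. The file names, the report text and the "ciphertext" (a SHA-256 chain standing in for ransomware output so the example runs offline) are all constructed.

```python
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is roughly 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic: compressed archives also score high, so treat hits as leads, not proof."""
    return shannon_entropy(data) >= threshold


def pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output. Constructed."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed content of one report, as it existed before the infection.
REPORT = ("Branch report, week 40: deposits up 3%, two loan defaults, "
          "staff leave roster attached.\n" * 40).encode()

# Hash manifest written at backup time, before the incident. Kept off the share.
MANIFEST = {"report.docx": sha256_hex(REPORT)}

# Constructed view of the manager's drive and the mapped backup share after infection.
INFECTED = {
    "C:/Users/manager/report.docx": pseudo_ciphertext(b"report", 4096),
    "C:/Users/manager/budget.xlsx": pseudo_ciphertext(b"budget", 4096),
    "Z:/backups/report.docx.bak": pseudo_ciphertext(b"backup", 4096),  # reachable, so hit
    "C:/Users/manager/readme.txt": REPORT,                               # untouched text
}
NETWORK_BACKUP = {"report.docx": INFECTED["Z:/backups/report.docx.bak"]}
OFFLINE_BACKUP = {"report.docx": REPORT}   # external drive unplugged during the infection


def triage(files: dict) -> list:
    """Paths whose content now looks encrypted, sorted for a stable report."""
    return sorted(path for path, data in files.items() if looks_encrypted(data))


def verify_backup(backup: dict, manifest: dict) -> list:
    """Names whose backup copy still matches the hash taken before the incident."""
    return sorted(name for name, data in backup.items()
                  if manifest.get(name) == sha256_hex(data))


if __name__ == "__main__":
    print("encrypted:", triage(INFECTED))
    print("restorable from network share:", verify_backup(NETWORK_BACKUP, MANIFEST))
    print("restorable from offline drive:", verify_backup(OFFLINE_BACKUP, MANIFEST))
```

The manifest is the important part: without a hash recorded before the incident, a backup job that faithfully copied the encrypted files would still report success, which is exactly how the network-server backup in the case above became worthless.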
The above case illustrates the need for user training in IT security.
You cannot leave the security of user machines to the IT staff alone.
In many cases they are involved in committing the fraud, because they know that IT audit and other staff lack IT security knowledge, and they exploit that ignorance.
We have found cases where the IT staff member used the access credentials of an employee who had just left the bank. Another committed fraud using the username and password of another user, who would always call IT to ask for a password reset. That is how uneducated users can undermine your entire control system.
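The first of those two cases is caught by a routine that every bank can run without buying anything: reconcile the accounts that exist on the domain or core banking system against the HR roster, and flag accounts of people who have left but are still enabled, accounts that logged in after the owner's leave date (someone else is using the credentials), accounts with no HR record at all, and accounts with no named owner. The following is an added example written for this summary, not a tool the author or any bank uses; the staff IDs, user names and dates are constructed.

```python
from datetime import date

# Constructed HR roster: staff_id -> name and leave date (None = still employed).
HR_ROSTER = {
    "S001": {"name": "A. Okello", "left": None},
    "S002": {"name": "B. Nambi", "left": date(2013, 9, 30)},
    "S003": {"name": "C. Mugisa", "left": None},
}

# Constructed export from the domain / core banking system.
ACCOUNTS = [
    {"user": "aokello", "staff_id": "S001", "enabled": True, "last_login": date(2013, 10, 9)},
    {"user": "bnambi", "staff_id": "S002", "enabled": True, "last_login": date(2013, 10, 8)},
    {"user": "cmugisa", "staff_id": "S003", "enabled": True, "last_login": date(2013, 10, 1)},
    {"user": "it_temp", "staff_id": "S099", "enabled": True, "last_login": date(2013, 10, 7)},
    {"user": "svc_backup", "staff_id": None, "enabled": True, "last_login": date(2013, 10, 9)},
]


def reconcile(roster: dict, accounts: list) -> list:
    """Return (user, issue) pairs for every account that does not match HR."""
    findings = []
    for acct in accounts:
        user, sid = acct["user"], acct["staff_id"]
        if sid is None:
            # Service accounts need a named owner too, or nobody reviews them.
            findings.append((user, "no named owner"))
            continue
        if sid not in roster:
            findings.append((user, f"no HR record for staff_id {sid}"))
            continue
        left = roster[sid]["left"]
        if left is None:
            continue
        if acct["enabled"]:
            findings.append((user, f"still enabled; left on {left}"))
        last = acct["last_login"]
        if last is not None and last > left:
            # The owner is gone, so whoever logged in was not the owner.
            findings.append((user, f"login on {last} after leave date {left}"))
    return findings


def clean_accounts(roster: dict, accounts: list) -> list:
    """User names with nothing to report, for the sign-off sheet."""
    flagged = {user for user, _ in reconcile(roster, accounts)}
    return sorted(a["user"] for a in accounts if a["user"] not in flagged)


if __name__ == "__main__":
    for user, issue in reconcile(HR_ROSTER, ACCOUNTS):
        print(f"{user:12} {issue}")
    print("clean:", clean_accounts(HR_ROSTER, ACCOUNTS))
```

The "login after leave date" line is the one that exposes the case described above, and it only works if HR leave dates actually reach the people who run the report; the review should be scheduled, owned by someone outside IT, and its output kept, because an IT staff member who is the fraudster is also the person best placed to make the report disappear.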
It is also important to ensure that your bank is compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS requires a formal security awareness programme for all personnel (Requirement 12.6), and training your staff in CSCU is one way to meet that prerequisite. In Uganda, we can help you save a lot of cost in preparing for PCI DSS assessment and compliance, achieving the main objectives at low cost.
And finally,
The majority of frauds in banks are discovered through whistleblowing, yet no bank has a robust whistleblower solution.
Many banks still outsource their whistleblowing solution abroad, which renders it useless while costing a lot of money. To assess the effectiveness of your solution, be honest: how many tips do you receive each week?
If you are honest, the answer is none. This is because your whistleblowing programme is poorly implemented.
We recommend that you subscribe to https://www.ethicsline.org
Ends.
Copyright Mustapha B Mugisa, 2013. All rights reserved. You are free to share with appropriate attribution.