The Security of E-Banking

Payment Fraud and EU Enlargement: Threats and Challenges

Brussels, 8-9 March 2006

Lars Tebrügge

Retail Banking and Banking Technology

Association of German Banks


Agenda

What is the Bankenverband (BdB)?

What are the key statistics in e-banking?

What are the threats of e-banking?

What can be done?

What is the conclusion?


What is the Bankenverband (BdB)?

Association of German Cooperative Banks (BVR),

Association of German Banks (BdB),

Association of German Public Banks (VÖB),

Association of German Savings Banks (DSGV).

All the associations are members of the Zentraler Kreditausschuss (ZKA), which represents the interests of the financial services sector in Germany.


What are the key statistics in e-Banking?

[Chart: Companies with 10 or more employees who have internet access; Percentage of people who use the internet at least once a week. Source: Federal Statistical Office, Germany, 2005]


Private households with selected communications technology in Germany

[Chart categories: PC, laptop; Internet access; Mobile; Mobile with internet access; PDA. Source: Federal Statistical Office, Germany, 2005]


Do you have internet access? (Germany)

[Chart, values in %. Source: Association of German Banks, 2005]


Do you use e-banking? (Germany)

[Chart, values in %: Percentage overall; Percentage of internet users. Source: Association of German Banks, 2005]

> 30 Mill. e-banking accounts


Do you think e-banking is secure?

[Chart, 1999 to 2005. Scale: 0 = I don't know, (-) = not secure, (+) = secure]


What are the threats of e-banking?

Cyber attacks

Small effort, big damage

Not limited by national borders

Tracks are difficult to follow

Low feeling of “guilt”, low threshold

No physical presence necessary

Low international punishment


Crime by professional organisations


What is phishing?

Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.

Source: www.antiphishing.org


How does phishing work? (Technical subterfuge)

[Diagram with steps numbered 1 to 7. Labels: Customer, Phisher, Bank Server, Money Mules' Bank Account, Wire Cash Transfer]


How does phishing work? (Social engineering)

[Diagram with steps numbered 1 to 7. Labels: Customer, Phisher, Phishing Site Server (www.banx.com), Bank Server, Money Mules' Bank Account, Wire Cash Transfer]


Targets 2005

[Chart of phishing targets by sector. Categories: Kreditwirtschaft (credit sector), ISP, Handel (vendors), Verschiedene (other). Surviving value labels: 6%, 3%, 6%]

Source: www.antiphishing.org


What can be done?

Educate customers

Improve technology if necessary

Monitor phishing activities

Cooperate and communicate on all levels

Strengthen international contacts


Educate customers (key messages):

Rule 1: Protect sensitive data when sending it over open networks

Rule 2: Be sure you know who you are dealing with

Rule 3: Be careful with sensitive data and access media

Rule 4: Choose a secure password

Rule 5: Only use programs from a trustworthy source

Rule 6: Use up-to-date program versions


Educate customers (key messages) II:

Rule 7: Run a security check on your PC

Rule 8: Activate the browser’s security settings

Rule 9: Install virus scanners and additional security software

Rule 10: Make regular security copies (backups) of your data

Detailed information can be obtained at: http://www.bankenverband.de/download/broschueren/05_06_Online-Security.pdf


Monitor phishing activities

Is phishing an issue in my country?

What form of phishing is used?

Where is the fraudulent money going to/coming from?

Is there any software which could fix the security gap?

Is criminal law equipped to tackle the issue?

Are there persons who can be contacted, local and international?


Improve Technology, if necessary

Password/username only

PIN/TAN

PIN and indicated TAN

Mobile notification

PIN and mobile TAN

Hardware token

Certificates


Respect customers' needs:

Usability

Flexibility

Mobility

Cost efficiency


Define your priority

[Diagram with three labels: Usability, Cost, Security]


Strengthen international Contacts

Source: www.antiphishing.org



What is the conclusion?

All stakeholders should work together

Inform the consumers about obligations

Public and private partnership

Dialogue with software/technology industry

Information security does not concern only one industry, but the entire internet community

International prosecution should be established


Thank you for your attention!

Waldemar Grudzien

E-mail: [email protected]

Tel.: + 49 (0) 30 1663 2314

Further questions?

Lars Tebrügge

E-mail: [email protected]

Tel.: + 49 (0) 30 1663 2314

Bundesverband deutscher Banken - Burgstrasse 28 - 10178 Berlin, Germany - www.bdb.de


Further reading:

www.antiphishing.org

www.a-i3.org

www.phishreport.net

www.phishinginfo.org

www.bsi-fuer-buerger.de

www.en.wikipedia.org