The Security of E-Banking
Payment Fraud and EU Enlargement: Threats and Challenges, Brussels, 8-9 March 2006
Lars Tebrügge
Retail Banking and Banking Technology, Association of German Banks
2
Agenda
What is the Bankenverband (BdB)?
What are the key statistics in e-banking?
What are the threats of e-banking?
What can be done?
What is the conclusion?
3
What is the Bankenverband (BdB)?
Association of German Cooperative Banks (BVR),
Association of German Banks (BdB),
Association of German Public Banks (VÖB),
Association of German Savings Banks (DSGV).
All these associations are members of the Zentraler Kreditausschuss (ZKA), which represents the interests of the financial services sector in Germany.
4
What are the key statistics in e-banking?
[Chart: companies with 10 or more employees that have internet access; percentage of people who use the internet at least once a week. Source: Federal Statistical Office, Germany, 2005]
5
[Chart: private households with selected communications technology in Germany: PC/laptop, internet access, mobile, mobile with internet access, PDA. Source: Federal Statistical Office, Germany, 2005]
6
Do you have internet access? (Germany)
%; Source: Association of German Banks, 2005
7
Do you use e-banking? (Germany)
Percentage overall; percentage of internet users
%; Source: Association of German Banks, 2005
> 30 million e-banking accounts
8
Do you think e-banking is secure? (0 = I don't know, (-) = not secure, (+) = secure)
[Chart: yearly responses 1999 to 2005 on a scale from -5 to 30]
9
What are the threats of e-banking?
Cyber attacks
Small effort, big damage
Not limited by national borders
Tracks are difficult to follow
Low feeling of “guilt”, low threshold
No physical presence necessary
Low international punishment
Crime by professional organisations
10
What is phishing?
Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Source: www.antiphishing.org
11
How does phishing work? (Technical subterfuge)
[Diagram with numbered steps 1 to 7 between: Customer, Phisher, Bank Server, Money Mules' Bank Account, Wire Cash Transfer]
12
How does phishing work? (Social engineering)
[Diagram with numbered steps 1 to 7 between: Customer, Phisher, Phishing Site Server (www.banx.com), Bank Server, Money Mules' Bank Account, Wire Cash Transfer]
13
How does phishing work? [figure only]
14
How does phishing work? [figure only]
15
Targets 2005
[Pie chart: share of phishing targets by sector: credit sector (Kreditwirtschaft), ISPs, retail/vendors (Handel), other (Verschiedene)]
Source: www.antiphishing.org
16
What can be done?
Educate customers
Improve technology if necessary
Monitor phishing-activities
Cooperate and communicate on all levels
Strengthen international contacts
17
Educate customers (key messages):
Rule 1: Protect sensitive data when sending it over open networks
Rule 2: Be sure you know who you are dealing with
Rule 3: Be careful with sensitive data and access media
Rule 4: Choose a secure password
Rule 5: Only use programs from a trustworthy source
Rule 6: Use up-to-date program versions
18
Educate customers (key messages) II:
Rule 7: Run a security check on your PC
Rule 8: Activate the browser’s security settings
Rule 9: Install virus scanners and additional security software
Rule 10: Make regular security copies (backups) of your data
Detailed information can be obtained at: http://www.bankenverband.de/download/broschueren/05_06_Online-Security.pdf
19
20
Monitor phishing activities
Is phishing an issue in my country?
What form of phishing is used?
Where is the fraudulent money going to/coming from?
Is there any software which could fix the security gap?
Is criminal law equipped to tackle the issue?
Are there persons who can be contacted, local and international?
21
Improve technology, if necessary
Password/username only
PIN/TAN
PIN and indicated TAN
Mobile notification
PIN and mobile TAN
Hardware token
Certificates
Respect customers' needs:
Usability
Flexibility
Mobility
Cost efficiency
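As an added example that is not part of the presentation, the following Python models the bank-side check behind three of the TAN procedures listed above (plain PIN/TAN, indicated TAN where the bank names the list position, and mobile TAN bound to the transfer details) and shows why a TAN captured by a phishing site is usable in the first scheme but not in the other two. The class and function names, TAN values, bank secret and IBAN strings are constructed for the demonstration; deriving the mobile TAN with an HMAC over the transfer data stands in for whatever code a real bank generates and sends by SMS, and only models the binding to one transaction.

```python
import hashlib
import hmac
import secrets

class TanList:
    # Bank-side view of one customer's paper TAN list (constructed sample data).
    def __init__(self, tans):
        self.tans = list(tans)
        self.used = set()

    def verify_plain(self, tan):
        # Classic PIN/TAN: any unused list TAN is accepted, so one phished TAN suffices for one transfer.
        for i, t in enumerate(self.tans):
            if i not in self.used and hmac.compare_digest(t, tan):
                self.used.add(i)
                return True
        return False

    def challenge_index(self):
        # Indicated TAN (iTAN): the bank picks which list position must be entered.
        unused = [i for i in range(len(self.tans)) if i not in self.used]
        return secrets.choice(unused) if unused else None

    def verify_indexed(self, index, tan):
        # Only the TAN at the challenged position counts; one phished for another position fails.
        if index in self.used or not 0 <= index < len(self.tans):
            return False
        ok = hmac.compare_digest(self.tans[index], tan)
        if ok:
            self.used.add(index)
        return ok

def mobile_tan(secret, txn, nonce):
    # Mobile TAN (mTAN): tied to the transfer details sent to the phone with it, so valid for that transfer only.
    msg = f"{txn['iban']}|{txn['amount']}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]

def verify_mobile(secret, txn, nonce, tan):
    return hmac.compare_digest(mobile_tan(secret, txn, nonce), tan)

def phishing_replay_demo():
    # Constructed scenario: a phishing site captured list TAN no. 4 and the SMS TAN for the
    # customer's own transfer, then replays both towards a mule account.
    tans = ["482913", "117240", "930018", "556701", "204466"]
    plain = TanList(tans).verify_plain(tans[3])           # True: any unused TAN works
    indexed = TanList(tans).verify_indexed(1, tans[3])    # False: bank asked for position 1
    secret, nonce = b"constructed-bank-secret", "a1b2c3d4"
    legit, mule = {"iban": "DE00 CUSTOMER", "amount": "10.00"}, {"iban": "DE00 MULE", "amount": "2500.00"}
    mobile = verify_mobile(secret, mule, nonce, mobile_tan(secret, legit, nonce))  # False: other transfer
    return {"plain": plain, "indexed": indexed, "mobile": mobile}
```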
22
Define your priority
[Triangle: usability, cost, security]
23
Strengthen international contacts
Source: www.antiphishing.org
25
What is the conclusion?
All stakeholders should work together
Inform consumers about their obligations
Public and private partnership
Dialogue with the software/technology industry
Information security does not concern only one industry, but the entire internet community
International prosecution should be established
Thank you for your attention!
Waldemar Grudzien, E-mail: [email protected], phone: +49 (0) 30 1663 2314
Further questions?
Lars Tebrügge, E-mail: [email protected], phone: +49 (0) 30 1663 2314
Bundesverband deutscher Banken - Burgstrasse 28 - 10178 Berlin, Germany - www.bdb.de
27
Further reading:
www.antiphishing.org
www.a-i3.org
www.phishreport.net
www.phishinginfo.org
www.bsi-fuer-buerger.de
www.en.wikipedia.org