ELECTRONIC BANKING FRAUD IN NIGERIA
Laja Sorunke, GH IT & Digital Banking Control of UBA / 1st Vice President of ISSAN
At the occasion of the February 2017 meeting of The Information Security Society of Africa, Nigeria (ISSAN).

Outline
• Emergence of E-Fraud
Emergence of E-Fraud
• Fraud losses suffered by banks, businesses and consumers continue to grow at a staggering pace.
• As fraud prevention tools improve in one channel, fraudsters shift to other channels.
• Criminals typically go after the personal and account information of victims.
• The source of the compromise is often outside the direct control of banks.
• The criminals are motivated, well organized and adaptable.
• The criminals are also very well connected.
Possible Exposures in Digital Banking Platform
• Low customer security awareness - Customers are vulnerable to fraudsters who call them on the phone pretending to be bank staff. Customers also fall victim by disclosing their card PINs, passwords and OTPs over the phone.
• Elevation of the OTP transaction limit from N50k per transaction daily to N200k in some banks.
• Selfie capabilities on the Internet and mobile banking platforms expose customers to phishing and fraud.
• The mobile banking platform is hosted and supported outside the bank, while second-factor authentication is not enabled for administrative activities on it.
• Quickteller is a third-party application with self-sign-up capability in the bank: customers sign themselves up, while the transaction limit on the platform is as high as N500k. A SIM swap could cause a loss of N500k per day (the web limit on cards).
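The exposures above combine two controls that fail together: a high OTP transaction limit and an SMS OTP that, after a SIM swap, is delivered to the fraudster's handset. The following added example (not code from the presentation or from any bank's platform) shows one way a transfer-authorisation policy can tie the two together: amounts above a threshold require an OTP, a cumulative daily limit is enforced, and an OTP-backed transfer is held for out-of-band verification when the customer's line was recently SIM-swapped. The thresholds, the `sim_swapped_at` signal (assumed to come from a telco or SIM-registration feed) and the customer records are all constructed for illustration.

```python
"""Transfer-authorisation policy with OTP step-up, a daily limit and a
SIM-swap hold.  Added example; thresholds and data feeds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy values.  The slide cites N50k/N200k OTP limits and a
# N500k third-party limit; a conservative pair is used here for illustration.
OTP_REQUIRED_ABOVE = 50_000              # transfers above this need an OTP
DAILY_LIMIT = 200_000                    # cumulative per-customer limit per day
SIM_SWAP_COOLDOWN = timedelta(hours=24)  # distrust SMS OTP this long after a swap


@dataclass
class Customer:
    account_id: str
    # Hypothetical signal: when the registered MSISDN last had its SIM replaced.
    sim_swapped_at: Optional[datetime]
    transferred_today: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorise_transfer(customer: Customer, amount: int,
                       otp_verified: bool, now: datetime) -> Decision:
    """Decide whether a transfer may proceed; updates the daily total on approval."""
    if amount <= 0:
        return Decision(False, "invalid amount")
    if customer.transferred_today + amount > DAILY_LIMIT:
        return Decision(False, "daily limit exceeded")
    if amount > OTP_REQUIRED_ABOVE:
        if not otp_verified:
            return Decision(False, "otp required")
        # An SMS OTP entered shortly after a SIM swap was most likely received
        # on a fraudster's handset, so the transfer is held rather than approved.
        if (customer.sim_swapped_at is not None
                and now - customer.sim_swapped_at < SIM_SWAP_COOLDOWN):
            return Decision(False, "held: recent SIM swap, verify out of band")
    customer.transferred_today += amount
    return Decision(True, "approved")


if __name__ == "__main__":
    now = datetime(2017, 2, 1, 10, 0)
    victim = Customer("ACCT-CONSTRUCTED-1", sim_swapped_at=now - timedelta(hours=2))
    print(authorise_transfer(victim, 100_000, otp_verified=True, now=now))
```

The hold is deliberately a separate outcome from a plain rejection: a recent SIM swap on a legitimate customer is common enough that the right response is a call-back or branch verification, not a blocked account.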
Possible Exposures in Digital Banking Platform (continued)
• Poor customer data management - Some customers are always missed during customer security awareness campaigns because their data was not updated. Data could also be exposed to unauthorized persons and used for malicious purposes.
• Absence of a privileged account management solution in the bank - Passwords to application/service accounts of critical applications are static and could be used to commit fraud or a denial-of-service attack in the bank.
• Customer information is shared with switching companies - The details of every card produced in the bank are shared with switching companies for the purpose of driving OTP and 3DES security authentication, especially for card-not-present transactions in Nigeria and abroad.
• Inadequate security intelligence on the ESB - There is no effective control over the service requests and service APIs on the ESB and other middleware in the bank.
• Non-integration of BVN (Bank Verification Number) with all platforms and interfaces increases the use of fake/invalid BVNs in the bank.
USSD: CBN Suggests Banks Will Pay If Someone Uses Your Phone To Make Transfers ‘Even if It’s Your Fault’
CBN Director, Banking and Payments Department, ‘Dipo Fatokun:
• “Recent developments in the electronic payments system and implications for consumers of electronic payment services…. We have reviewed the process of Unstructured Supplementary Service Data (USSD) and instructed banks that they must use a PIN. It is possible for people to come in contact with your phone, and also come in contact with your ATM card and so, use the last four digits of your card as PIN and that is dangerous.
• Give a customer a PIN, which is known only to him. One of the banks, I won’t mention names, told us they needed to do system configuration, to ensure that customers can use one time password (OTP) or give the customer password or a token…. Meanwhile, until that is done, the banks assured us, in writing, that any customer that suffers losses, they would pay. So, if you have cases of people who have suffered losses on USSD platform and their money has not been refunded, let us have it.”
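The CBN statement above objects to a USSD "PIN" that is simply the last four digits of the card, because anyone holding the phone and the card has both. As an added example (not code from the presentation, the CBN or any bank), the block below shows the two pieces a bank-side USSD PIN service needs to satisfy that instruction: a policy check at enrolment that rejects a PIN derived from the card or otherwise trivial, and verification against a salted PBKDF2 hash with a lockout after repeated failures, so the PIN is never stored or compared in the clear. The card number, iteration count, lockout threshold and record layout are constructed for illustration.

```python
"""USSD PIN enrolment and verification.  Added example; the storage format,
iteration count, lockout threshold and sample card number are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # constructed; tune to the service's latency budget
MAX_FAILED_ATTEMPTS = 3       # constructed lockout threshold
SEQUENTIAL_PINS = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
                   "9876", "8765", "7654", "6543", "5432", "4321", "3210")


def weak_pin_reasons(pin: str, card_number: str) -> list:
    """Return every reason a customer-chosen PIN must be rejected (empty if acceptable)."""
    reasons = []
    if not (pin.isdigit() and len(pin) == 4):
        reasons.append("must be exactly four digits")
        return reasons
    if pin == card_number[-4:]:
        # The case the CBN director describes: card in hand == PIN in hand.
        reasons.append("equals last four digits of card")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if pin in SEQUENTIAL_PINS:
        reasons.append("sequential digits")
    return reasons


def enrol_pin(pin: str, card_number: str) -> dict:
    """Validate the PIN and return the record to persist (salted hash, no plaintext)."""
    reasons = weak_pin_reasons(pin, card_number)
    if reasons:
        raise ValueError("; ".join(reasons))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "failed": 0, "locked": False}


def verify_pin(record: dict, pin: str) -> bool:
    """Constant-time compare; counts failures and locks the record after the limit."""
    if record["locked"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"],
                                    PBKDF2_ITERATIONS)
    if hmac.compare_digest(candidate, record["digest"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked"] = True
    return False


if __name__ == "__main__":
    card = "5399830012344321"   # constructed sample PAN, not a real card
    print(weak_pin_reasons("4321", card))   # rejected: last four digits and sequential
    rec = enrol_pin("7391", card)
    print(verify_pin(rec, "7391"), verify_pin(rec, "0000"))
```

Unlocking after a lockout should go through the bank's identity-verification path (branch, verified call-back) rather than a retry timer alone, since the attacker described in the statement already holds the phone.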
Year 2017 Security Predictions
The following security predictions have been given by global security firms including Symantec, TrendMicro, McAfee, FireEye, Kaspersky, Palo Alto Networks, Imperva and Checkpoint. (Source: http://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-17-security-predictions-for-2017.html)
Urgent Global Concern - Potential Security Threats and Attack Surface
• Fileless Infection Exposure - Increased fileless malware attacks (using PowerShell and Windows Management Instrumentation (WMI)). Typically, this type of malware is used by attackers to distribute and hide malicious code and to initiate and execute dangerous payloads by riding on existing Windows OS tools and user privileges. The fear is that fileless malware cannot be detected by any known anti-virus solution.
• Spymail Exposure - Spymail is email with hidden embedded tracking code used to track recipients. It allows senders to know who opened their emails, what links were clicked, the time the email was opened, the location, and even whether the email was forwarded. This major threat is being exploited to gain insight into confidential information, steal corporate secrets and invade individual/corporate privacy, among others.
• Mobile Device Trojan Exposure - The bank, like other firms across the globe, is exposed and susceptible to Android malware that can steal login credentials and open backdoors remotely. We need to urgently put appropriate protection in place for all mobile phones and mobile applications accessing our network.
• Proxy Exposure - Branches located outside the country are a major exposure in terms of ransomware, zero-days, callbacks, etc.
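Because fileless malware leaves no file for a scanner, the practical detection surface is the process-creation telemetry that shows PowerShell and WMI being driven in ways normal administration does not use. The following added example (not code from the presentation, and not tied to any vendor's rule set) scores constructed process-creation records (timestamp, parent image, image, command line, a simplified rendering of what Sysmon or Windows audit logging provides) against well-known indicators of the PowerShell/WMI abuse the slide names: encoded command lines, hidden windows, download-and-invoke cmdlets, `wmic process call create`, WMI event-subscription persistence, and script hosts spawned by Office applications. The log format, sample lines, indicator weights and alert threshold are all constructed for illustration; the encoded blob in the sample is base64 of a filler string, not a payload.

```python
"""Scoring Windows process-creation events for fileless PowerShell/WMI
tradecraft.  Added example; log format, sample lines, weights and the alert
threshold are constructed assumptions, not any product's rules."""
import re

# (name, pattern applied to the command line, weight)
INDICATORS = [
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("download_and_invoke",
     re.compile(r"(downloadstring|downloadfile|invoke-expression|\biex\b)", re.I), 3),
    ("wmi_process_create", re.compile(r"wmic(\.exe)?\s+.*process\s+call\s+create", re.I), 2),
    ("wmi_event_subscription",
     re.compile(r"(__eventfilter|commandlineeventconsumer|register-wmievent)", re.I), 3),
]
PARENT_OFFICE = re.compile(r"(winword|excel|outlook|powerpnt)\.exe$", re.I)
SCRIPT_HOSTS = ("powershell.exe", "wmic.exe", "mshta.exe", "wscript.exe", "cscript.exe")
ALERT_THRESHOLD = 3

# Constructed, simplified event format: one event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed sample telemetry (the -enc blob is base64 of 24 letter A's).
SAMPLE_LOG = r'''
2017-02-08T09:12:01 parent=explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe Get-ChildItem C:\Reports"
2017-02-08T09:14:33 parent=WINWORD.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
2017-02-08T09:15:10 parent=cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic process call create \"powershell -w hidden -nop\""
2017-02-08T09:16:02 parent=services.exe image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
'''


def parse_event(line: str):
    """Return a dict for one event line, or None if the line is not an event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_event(event: dict):
    """Return (score, [indicator names]) for one parsed event."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(event["cmd"]):
            hits.append(name)
            score += weight
    # Parent/child relationship: an Office document launching a script host.
    if PARENT_OFFICE.search(event["parent"]) and event["image"].lower().endswith(SCRIPT_HOSTS):
        hits.append("office_spawns_script_host")
        score += 2
    return score, hits


def triage(log_text: str, threshold: int = ALERT_THRESHOLD) -> list:
    """Parse every line, score it, and return the events at or above the threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if event is None:
            continue
        score, hits = score_event(event)
        if score >= threshold:
            alerts.append({"ts": event["ts"], "image": event["image"],
                           "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["ts"], alert["score"], ", ".join(alert["hits"]))
```

The weights are additive on purpose: a hidden window alone is ordinary for scheduled scripts, but a hidden window together with an encoded command, or with WMI creating the process, crosses the threshold. The prerequisite for any of this is that command-line and parent-process fields are actually collected and shipped off the host, which is the control to verify before tuning the indicators.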
Urgent Global Concern - Potential Security Threats and Attack Surface (continued)
• Polish Banks Infected with Malware Hosted on Their Own Government's Site - Several Polish banks said they suffered malware infections after their employees visited the site of the Polish Financial Supervision Authority (KNF), which had previously been compromised to host a malicious JavaScript file.
• Source Code for BankBot Android Trojan Leaks Online (Ionut Arghire, January 23, 2017) - The BankBot Trojan is distributed masquerading as benign applications. On infected devices it can request administrative privileges to display phishing pages that steal login credentials, intercept and send SMS messages, send USSD requests, retrieve the contact list, track the device, make calls, and receive an executable file containing a list of banking apps to attack.
• Dutch Coder Accused of Website Backdoor Fraud Spree - As 20,000 Victims Notified by Police, Spear-Phishing Campaign Sows Confusion (Mathew J. Schwartz, euroinfosec, January 17, 2017) … Dutch police say a digital forensic investigation revealed 20,000 stolen email addresses and passwords.
Recommendations
As part of assurance and comfort, the bank should put in place the following, among others:
• An advanced anti-malware solution to prevent fraudulent backdoors/callbacks, malicious mails and access to rogue websites.
• An anti-phishing solution to protect the bank’s web applications, customers and corporate brand.
• Web Application Firewalls (WAF) to detect and block web application attacks (e.g. SQL injection, cross-site scripting, etc.).
• Perimeter firewalls and Intrusion Prevention Systems to prevent unauthorised external access.
• Second-factor authentication to prevent rogue financial transactions.
• Daily monitoring of network traffic to identify and block unauthorized external access.
• Intensify and send regular security awareness messages to customers (internal and external) based on discovered security threats/attacks, etc.
• Finally, in line with global standards, we must continue to assess and review the bank’s security measures to ensure that we are protected against emerging threats and attack patterns.