Information Security Threats in the Financial Industry – Universitas Bina Darma Palembang – 20 June 2014 – Digit Oktavianto – http://digitoktavianto.web.id – digit dot oktavianto at gmail dot com
About Me • IT Security Enthusiast (Opreker) • Member of Indonesian Honeynet Chapter • Member OWASP Indonesian Chapter • Linux Activist (KPLI Jakarta) • IT Security Consultant
Financial Services Industry Who? • Commercial Banking Service • Investment Service • Foreign Exchange Service • Insurance • Leasing Service • Stock Exchange
Security Issues in the Financial Industry Worldwide Issues: • Phishing • Banking Malware (PC, Mobile) • ATM Hacking • ATM Skimming • Attacks on Infrastructure (Server, Application) • Attacks on Third-Party Services (Merchant, Payment Gateway)
Security Issues in the Financial Industry (Cont'd) Local Issues: • Phishing • ATM Skimming • Banking Malware (Recent Issue) • Insider Threat (Disgruntled Employee)
Classification of Security Threats in the Financial Industry • Account Takeover • Phishing • Malware • End Point Infrastructure Attack • ATM Skimming • ATM Hacking • Third-Party Payment Process Breach • EDC Vendor • Payment Gateway • Disgruntled Employee • Mobile Banking Exploitation • Fake Mobile Apps • Malware on Mobile Devices • Attacks on Infrastructure Servers • Attacking Internet Banking Servers • DDoS
Who? • Who is attacking you and why?
Case Study – Phishing • Phishing • Always starts with an email • Usually announces a system change or repair and asks the recipient to click the link included in the email • Usually also includes an attachment • The referral link in the email body or attachment is usually a fake URL of the bank in question, but when clicked the page looks exactly the same as the bank's
Case Study – Phishing • How it Works?
Case Study – ATM Skimming How it works? • Capture your data from your card • Capture your PIN Information
Case Study – ATM Hacking • How it works? • Operating System Vulnerability • Malware • Insider Threat
Case Study – Banking Malware What do they do? • Keylogging • Form data capture • Screen captures and video recording • Injection of fraudulent form fields • Injection of fraudulent websites • Redirection of banking websites • Man-in-the-middle technique (Man In The Browser)
Case Study – Banking Malware How does it work? • You are infected by an exploit kit • The exploit kit brings a botnet client / banking trojan onto your computer • The banking trojan monitors everything you do on the Internet, including your online banking and credit card transactions • The banking trojan records everything you type in, including user IDs, passwords, bank account numbers, credit card and PIN numbers, and sends them back to the cyber-criminal's computer, where the information is stored in a sophisticated database • The banking trojan steals your one-time password from the hardware token or the two-factor authentication SMS.
Case Study – Banking Malware Scenario: • You log in to the internet banking website. MITB malware can detect which bank you use (case study: targeted customers in Indonesia) • When the browser processes your internet banking website, the trojan intercepts it, injects JavaScript into your browser (Man In The Browser) and intercepts your username + password
Case Study – Banking Malware Transaction Scenario: • The transaction procedure on internet banking services at most banks uses a hardware token • Customer A wants to make a transfer to Customer B • Cust A enters the destination account number and the transaction amount • In the step where the bank asks Cust A to enter the challenge key shown on the website, Cust A enters that challenge key into the hardware token. The response output from the hardware token is entered in the transaction PIN field.
Case Study – Banking Malware • In step 3 above the malware intercepts the data in the browser. The last 4 digits of the challenge key issued should be the last 4 digits of the recipient's account number, but because the destination account number has been changed, originally to B, the destination is now C. Account C is the bad guy's account. • The customer must be aware that in the challenge code shown on the internet banking website, the last 4 digits must equal the last 4 digits of the intended recipient's account number • The first 4 digits are random numbers, so what must be checked is the last 4 digits of the challenge code given
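The challenge-code check described on the slides above, worked through as an added example (not code from the presentation or from any bank): the challenge format (4 random digits followed by the last 4 digits of the destination account) and the function names are assumptions taken from the slide's description, and the account numbers are constructed sample values.

```python
import secrets
from typing import Optional


def bank_challenge(destination_account: str, rand_prefix: Optional[str] = None) -> str:
    """Bank side: build the challenge from the destination account the bank
    actually received. Format assumed from the slide: 4 random digits followed
    by the last 4 digits of the destination account."""
    prefix = rand_prefix if rand_prefix is not None else f"{secrets.randbelow(10000):04d}"
    return prefix + destination_account[-4:]


def challenge_matches_recipient(challenge: str, intended_account: str) -> bool:
    """Customer side: the check the slide asks the customer to perform before
    typing the challenge into the hardware token. The last 4 digits of the
    challenge must equal the last 4 digits of the account the customer meant
    to pay; anything else means the destination was altered on the way."""
    return (
        len(challenge) == 8
        and challenge.isdigit()
        and challenge[-4:] == intended_account[-4:]
    )


def submit_transfer(intended_account: str, amount: int,
                    mitb_rewrite_to: Optional[str] = None) -> dict:
    """Simulate the transfer step. If a Man-In-The-Browser trojan is present
    (modelled here as `mitb_rewrite_to`), the destination the bank receives is
    the rewritten one, so the bank derives its challenge from that account and
    the mismatch becomes visible to an attentive customer."""
    seen_by_bank = mitb_rewrite_to or intended_account
    challenge = bank_challenge(seen_by_bank)
    return {
        "amount": amount,
        "destination_at_bank": seen_by_bank,
        "challenge": challenge,
        # True only when the challenge still points at the intended recipient
        "customer_should_proceed": challenge_matches_recipient(challenge, intended_account),
    }


if __name__ == "__main__":
    # Constructed sample accounts: B is the intended recipient, C is a mule account.
    print(submit_transfer("1234567890", 500000))                                # proceed
    print(submit_transfer("1234567890", 500000, mitb_rewrite_to="9999991111"))  # stop
```

The check only detects a rewrite when the last four digits of the substituted account differ from the intended one, so it complements, rather than replaces, the bank-side fraud monitoring described later in the deck.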
The Protection For End Users / Customers: • Keep your operating system and applications fully patched • Make sure your anti-virus definitions, which the software uses to detect new strains of malware, are always up to date • Use web content filters that block ads. Many anti-virus suites now incorporate this feature • The most important: information security awareness
The Protection For the Financial Industry: • Protect end point infrastructure • Update / patch the OS and applications on ATM machines • Add new technology to prevent ATM skimming • Enhance physical security protection • Create policies that strengthen the security features of internet banking transactions • Implement fraud management to detect anomalous behavior in customer transactions • Assess / audit third-party partners to make sure there is no "hole" in their infrastructure
The Protection For the Financial Industry: • Perform audits and assessments of the infrastructure and applications • Enhance the security perimeter to detect and prevent the "bad guy" • Perform security threat monitoring of the infrastructure • Educate users / customers about information security awareness
Q & A