Security in Banking
Emmanuel van de Geer, Senior Architect Governance, Risk, Compliance and Security, Standard Chartered Bank

What are we covering
• Why Is Information Security Different in Banking
• My Career in Banking Security
• What Banks Worry About
• Zeus and SpyEye Deep Dive
Why is Information Security in Banking Different?
Banks succeed because customers trust them with their money
• Sutton's Law
• Criminals want to steal from Banks
• “That’s where the money is”
Why is Information Security in Banking Different?
• Customers need to know that Banks are safe and secure
• This isn’t just to do with Information Security.
• It’s about how a Bank is run.
• Here For Good
• Standard Chartered Bank
Information Security isn’t a technology problem, it is a business asset. This is one reason why Information Security in Banks is different from other industries
Another reason why information security is different in Banking: Follow the Money
Risk Management in Banking
How Banks Work & Why Risk Is Important
Risk Management in Banks
This process of reserving money is called “Capital Allocation”, where the amount is dependent on your level of risk.
The more risk a Bank has, the more money it has to reserve.
The more money the Bank reserves, the less it can invest.
The less it invests, the less it can make.
The less it can make, the less it can pay.
The less it pays, the fewer customers it will have.
Risk management and information security are factors that determine how competitive and successful a Bank is.
In the Banking industry, security isn’t just about the technology, rather, it is integrated with Risk Management, Compliance and Fraud. This combined space is called GRC
It wasn’t always like this. In 2000, online fraud was unheard of. Now it costs banks 60M in the USA alone.
History of My Career & what a career in security can mean for you.
In 2000 I started my career in Information Security as a firewall engineer. Today, I design systems that prevent and detect everything from hackers to money laundering.
As the threats of theft and fraud have increased, so has the role of Information Security professionals.
So what are Banks concerned about?
• The Insider Threat
• Cards and Transactions
• Denial of Service
• Data Leakage
• Online Fraud
• Trading Fraud
• Payments Processing
• Information Theft
DoS: why, who and what?
• Targets: what do they target?
  • Asia (MY, KR, TW, CH)
  • US Gov
  • Israel, Palestine
  • Banks in Brazil
  • CIA
  • Bank of America
• Motivation: who is it and why do they do it?
  • Geopolitical
    - Government affiliated
    - NGO
    - Militant
  • Hacktivism – Crowd Sourced
    - Anonymous
    - LulzSec
    - Occupy
  • Extortion/financial gain
    - Criminals
Online Fraud Zeus and SpyEye
Looks bad. But how bad is it?
What can Zeus / SpyEye Do?
• First: How Internet Banking Is Supposed to Work
• So What Is Different In The Malware Scenario?
What can Zeus / SpyEye Do?
Being in the browser context gives Zeus and SpyEye some sophisticated capabilities. It means that criminals can impersonate the customer to the Bank, and the Bank to the customer, to near perfection.
What can Zeus / SpyEye Do?
• During Login
• Post Login / During Transactions
• Post Transaction
Next Generation
The attacks described so far are controllable by most Banks. But Criminals are not giving up: they have started on the next generation of Malware …. MitMo
Next Generation MitMo, or Man in the Mobile is SpyEye / Zeus for Mobile Phones. With most Banks reliant on SMS OTP, this will be the next battle ground for Online Fraud.
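The slides above describe malware that sits in the browser and can rewrite a transaction after the customer has approved it, and a mobile variant that captures the SMS code. The Python model below is added here and is not part of the original deck: it shows why a code that is independent of the transaction cannot reveal such tampering, while a code derived from the exact amount and beneficiary the bank will execute does, provided it is produced on a channel the malware does not control. The shared key, the transaction values and the "MULE ACCOUNT" placeholder are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Assumption: a per-customer secret provisioned out of band (e.g. in a token).
KEY = b"per-customer-shared-secret"


def generic_otp() -> str:
    """Plain SMS-style one-time code: random, unrelated to any transaction."""
    return f"{secrets.randbelow(10**6):06d}"


def bound_code(txn: dict) -> str:
    """Approval code tied to the amount and beneficiary the bank will execute."""
    msg = f"{txn['amount']}|{txn['beneficiary']}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:8]


def bank_executes(mode: str, tampered: bool) -> bool:
    """Return True if the bank executes the transaction it finally receives.

    mode: "generic" (code independent of the transaction) or "bound"
    tampered: whether a man-in-the-browser rewrites the submitted details
              after the customer has approved them.
    """
    intended = {"amount": 100, "beneficiary": "ACME Ltd"}   # constructed values
    session_otp = generic_otp()   # what the bank would text to the customer
    # The customer approves `intended`; the code they supply depends on the mode.
    code = session_otp if mode == "generic" else bound_code(intended)
    # Malware in the browser can alter the form the bank actually receives.
    submitted = dict(intended)
    if tampered:
        submitted["beneficiary"] = "MULE ACCOUNT"   # constructed placeholder
    if mode == "generic":
        # The bank can only check that the code matches; it says nothing
        # about which transaction the customer actually saw and approved.
        return hmac.compare_digest(code, session_otp)
    # The bank recomputes the code over what it is about to execute; a
    # rewritten beneficiary no longer matches what the customer approved.
    return hmac.compare_digest(code, bound_code(submitted))


if __name__ == "__main__":
    for mode in ("generic", "bound"):
        for tampered in (False, True):
            print(mode, "tampered" if tampered else "clean",
                  "-> executed" if bank_executes(mode, tampered) else "-> rejected")
```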
Prediction: But what is next …. SMS OTP is dead.
Recap: Information in Banking
• People Steal Money, Money lives in Banks.
• People Trust Banks & Reputation is key.
• Fraud and Risk impact Bank profitability.
• Information Security is a business problem for Banks.
Recap: Online Fraud
• Steadily increasing
• Some way to go compared to other fraud activity
• Prediction:
  • Mobile Security will get worse
  • The end of SMS OTP