Monday, 16 February 2009

Keeping out the cyberthieves

Photo by: Heng Chivoan
A clerk uses a computer system at a Phnom Penh bank. Online banking security will become increasingly important in Cambodia as the industry develops internet and mobile services.

The Phnom Penh Post

Written by HOR HAB AND BRENDAN BRADY
As Cambodia begins to embrace the benefits of internet banking and hi-tech thieves try to take advantage, many in the industry have started to invest heavily in cybersecurity.

While the expansion of Cambodia's banking sector may expose it to more security threats, industry officials remain confident that security technology will grow in kind.

"There are hundreds of people trying to hack into our system every month, but they can't break in," said Terry Mach, ACLEDA Bank's information technology manager.

By expanding its IT budget every year, to US$4 million in 2009 compared with $3 million last year, ACLEDA is able to keep pace with the growing numbers of online thieves who have set their sights on Cambodia, he said.

In its most aggressive initiative, the bank has contracted professional penetration testers from Australia to search for weaknesses in its online network.

ANZ Royal Bank's chief executive, Stephen Higgins, says he expects cyberthreats to Cambodia's banking sector to escalate, but from a low base level that will remain manageable.

For ANZ, security is managed from its headquarters in Melbourne. Higgins said cyberthreats were more prominent in Thailand and Vietnam, "but it's not something we take for granted. We are always upgrading".

Sao Volak, chief executive of Campura Systems Corp, a technology systems firm, said Cambodian banks are now using a wide range of modern technology including firewalls, data encryption and user protection and detection systems to protect their electronic networks.

Last month saw the introduction of another cutting-edge banking tool that could offer a major boon for the security of money transfers in the Kingdom.

ANZ's WING mobile phone banking system could prevent the theft common with remittances. Traditionally these have been sent from urban workers to their families in the countryside through an informal network of couriers, friends and moneylenders, and they are sometimes lost, stolen or skimmed through hefty service charges. ACLEDA has said that it intends to launch its own mobile payments system by the end of this year.

But to be effective, security systems needed to be backed by robust government legislation, Sao Volak said. "In other countries where cyberattacks on banks are a major issue, their governments create cyberlaws, cyberpolice and even a cybercourt to protect banks and bank users from being susceptible to such attacks."

Last year, the government launched the Cambodian Computer Emergency Response initiative to monitor all electronic systems in Cambodia, including those for banking, as well as the Financial Intelligence Office to address money laundering. Phu Leewood, secretary general of the National Information Communication Technology Development Authority (NIDA), said his office hoped to open its planned Information Security Task Force this year to guard against threats to online information such as viruses and hackers.

While the Kingdom is getting into the swing of hi-tech banking security, even if considerable gaps remain, ACLEDA's Terry Mach says banking security remains as good as the manpower behind it.

"I think everything depends on its surrounding environment. If we buy the latest technology software but don't have people to handle the work, security will not improve," he said.

1 comment:

Unknown said...

Secure e-Banking or else…

The notion that carrying around yet another device or smartcard will resolve the problems of securing e-Banking is a false hope at best.
Although securing the customer's ID is paramount, the problems do not start, nor end, with strong customer authentication.

In the last couple of years banks all over the world have witnessed a surge in devastating man-in-the-browser attacks.
Such attacks occur after the strong authentication phase has been satisfactorily finished and the customer wishes to actually use their money by paying their bills, trading stocks or transferring money to a third party.

Let's say that the customer wishes to transfer $100 to account number 'x'.
The man-in-the-browser, which is designed to attack such transactions, changes the amount, for example, from $100 to $1,000 and the target account from 'x' to 'y'.
This is done within the gap between the customer's 'send' and the SSL encryption, without any of the changes showing up on the screen.
The bank gets a "valid request from a strongly authenticated customer" and, in the spirit of service efficiency, it executes exactly what it was requested to do.
Sometimes, though, the bank will take the trouble to "verify" the originality of the customer's request by sending back to the customer a page with the details of the transaction to be executed ($1,000 to 'y').
The man-in-the-browser catches that page before it is displayed on the screen, changes its content to reflect the original intention ($100 to 'x'), and sends it to the screen.
When the customer sees his original request sent back to him for verification, he will typically verify it and hit 'send' again.
At this stage, the man-in-the-browser pulls its old trick again and changes the "verified transaction" to the tampered request, $1,000 to 'y'.

Both the customer and the bank are satisfied that the original request is the one to be executed. After all, the customer was strongly authenticated and the transaction was verified, but both of them are completely wrong.

No authentication procedure can defend against this kind of attack. Nor can a biometric reader be of any help in the prevention of such an attack.

As customers we're perfectly aware that even if our bank promises to reimburse us to the penny for any cyberfraud, it'll probably give us a hard time before it lives up to its advertised commitment.
If the customer was strongly authenticated, their transactions were "verified" and the computer that was used for committing the fraud was the customer's computer, there's very little credence in their attempt at repudiating the transaction.
Now let's be honest, the bank's argument will make perfect sense, won't it?

Fortunately, a new breed of solutions, like the IDentiWall eBanking solution, is emerging, and they hold the promise of a really secure e-Banking solution.
Such solutions provide secure e-Banking even under the toughest conditions, whereby the customer's computer, which is taken for granted as the weakest link of the e-Banking security chain, is contaminated with viruses and malware.

It may well be that we're witnessing the emergence of a more secure cyberlife, to the point of making phishing obsolete.
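One defensive counterpart to the tampering sequence described in the comment above, as an added example that is not part of the article or the comment: a confirmation code computed over the recipient and amount on a device separate from the browser (HMAC-based transaction signing, a technique chosen for this illustration), so a request whose fields were altered in the browser no longer verifies at the bank. The secret, account labels, reference and the tamper stand-in are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo secret, standing in for a key provisioned to the customer's
# separate signing device. It is never present in the browser.
DEVICE_SECRET = b"constructed-demo-secret-not-a-real-key"


def canonical(tx: dict) -> bytes:
    """Serialise only the fields that matter so device and bank sign identical bytes."""
    fields = {"to": tx["to"], "amount": tx["amount"], "ref": tx["ref"]}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def device_sign(tx: dict, secret: bytes = DEVICE_SECRET) -> str:
    """What-you-see-is-what-you-sign: the customer reads recipient and amount on the
    independent device, which returns a short code bound to exactly those values."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()[:8]


def bank_verify(tx: dict, code: str, secret: bytes = DEVICE_SECRET) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(device_sign(tx, secret), code)


def browser_tamper(tx: dict) -> dict:
    """Stand-in for the man-in-the-browser in the comment: the amount and recipient
    are swapped after the customer presses 'send', with nothing visible on screen."""
    altered = dict(tx)
    altered["amount"] = "1000.00"
    altered["to"] = "y"
    return altered


def run_scenario() -> dict:
    """Honest request verifies; the browser-altered copy of it does not."""
    intended = {"to": "x", "amount": "100.00", "ref": "constructed-ref-1"}
    code = device_sign(intended)  # customer confirms 'x' / 100.00 on the device
    received = browser_tamper(intended)  # what the bank actually gets
    return {
        "honest_accepted": bank_verify(intended, code),
        "tampered_accepted": bank_verify(received, code),
    }


if __name__ == "__main__":
    print(run_scenario())
```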