IT Information Security and Cyber Crime Attacks Threats
Compiled By -
Md. Shihab Uddin Khan
Associate Professor and
Director (Training and Certification Program)
BIBM, Mirpur-2, Dhaka.
Cell: 01710991890, Mail: msukhan@bibm.org.bd
--------------------------------------------------------------------------------------------------------------------
Introduction:
Online banking is a highly profitable channel for banks and financial institutions. It gives
customers the convenience and flexibility of using financial services at a lower cost than traditional
branch banking. Through the effective use of IT, mobile phones and the Internet, banks can now
offer online products and services 24 hours a day, 365 days a year, to any customer anywhere in
the world.
As many financial products and services depend directly or indirectly on ICT, banks have to consider
how to use IT to reduce cost, increase efficiency and serve customers better. Much of the discussion
is about implementing ICT and growing new business with its help, with little thought given to
security and vulnerability. Information technology has two sides, technology and security, and the
two must advance in parallel. The time has come to concentrate on information security, because
the rapid growth of online banking transactions through remote terminals and delivery channels also
increases the risks of e-banking. Technology changes very fast and new technology is incorporated
every day, so banks should keep the latest security features enabled and implement encryption and
digital signatures to keep pace with the rest of the world. Bangladesh appears to be one of the most
vulnerable countries in terms of cyber security, which is why risk management has become one of
the major concerns for policy makers and the top management of banks in the country today. A
bank must take the required steps to manage online banking risk properly before undertaking any
transformation. Managing information security has become essential and critical to the success of
enterprises.
Because banking information systems are IT based, information is one of a financial institution's
most important assets. Protecting information assets is necessary to establish and maintain trust
between the financial institution and its customers, to comply with the law, and to protect the
reputation of the institution. Timely and reliable information is needed to process transactions
and to support the institution's operations and customer services. A financial institution's
earnings and capital can be adversely affected if information becomes known to unauthorized
parties, is altered, or is not available when it is needed.
research, and financial status. Protecting confidential information is a business requirement, and
in many cases also an ethical and legal requirement.
3) Stealing Money (Capturing Bank Accounts Credentials)
4) Damaging Company Reputation (Website Hacking)
5) Financial Losses (DDoS Attack)
▪ Card Skimming
▪ ATM Malware / Cash-out attack / Jackpotting
▪ Eavesdropping
▪ Shoulder Surfing
▪ ATM attack: card/PIN data compromise
▪ Card Shimming
▪ Keypad Jamming
▪ Cash Trapping
▪ Physical Attacks
▪ Card Trapping
▪ Logical Attacks
▪ Fake Assistance
▪ Fake ATM
▪ Salisi Gang
Types of Hackers
1) White Hat Hackers
2) Black Hat Hackers
3) Gray Hat Hackers
4) Script Kiddies
5) Green Hat Hackers
6) Blue Hat Hackers
7) Red Hat Hackers
8) State/Nation Sponsored Hackers
9) Hacktivist
10) Malicious insider or Whistleblower
There are different types of security attacks which affect the communication process in the
network and they are as follows:
How are the Cyber-criminal groups organized to commit Cyber Crime (A case of
ATM/Card Fraud)?
The 6 Types of Cyber Attacks to Protect Against In 2019
Ransomware Attack:
Phishing Attack Using Fake Mail (three types of phishing: e-mail phishing, voice phishing or vishing, and text/SMS phishing or smishing):
Plastic Card Fraud (Statistics of UK Card Services):
(https://www.ukfinance.org.uk/)
Fraud losses on UK-issued cards totalled £556.3 million in 2022, a six per cent rise from £524.5
million in 2021. At the same time, total spending on all debit and credit cards reached nearly £1 trillion
in 2022, with 28 billion transactions made during the year.
Card fraud volumes: UK Finance also publishes the number of fraud incidents to convey more fully
the dynamics of the fraud environment in the UK. The number of confirmed cases of card fraud
reported during 2022 (2.73 million) fell by three per cent compared with the number reported in
2021 (2.82 million).
List of Top 20 Countries with the highest rate of Cybercrime
(source: BusinessWeek/Symantec, June 2016)
IT based Frauds in BD Banks (2013):
[Pie chart; categories shown: Banking Application Software, Mobile Banking, SWIFT and Others, ACPS and EFT; percentage labels shown: 25%, 15%, 3%, 2%. The mapping of percentages to categories does not survive extraction.]
Top Target Industries for the Risk of Cyber Attack: In Year 2016, 2020 and 2021
Year – 2016: Healthcare, Manufacturing, Financial Services, Government, and Transportation
Year – 2020: Healthcare, Technology and Telecoms, Financial Services, Energy and Construction.
In October 2017, hackers made about USD 4.4 million in fraudulent transfers from the
Kathmandu-based NIC Asia Bank to countries including Britain, China, Japan, Singapore and
the US while the bank was closed for the annual festival holidays. Most of the stolen funds (all
but about USD 580,000) were recovered after Nepal asked other nations to block release of the
stolen money. Nevertheless, investigations continue, with Nepal's Central Investigation Bureau
(NCIB) and KPMG involved in the process. "The incident showed there are some weaknesses
with the IT department of the bank," Shivakoti said (the chief of NCIB). "We have no indication
that our network and core messaging services have been compromised," SWIFT added. — Reuters
* SWIFT is used by about 11,000 financial institutions around the world to move large amounts of
cash.
Objective of ICT Security is to protect IT Assets of Banks:
• Data/Information (Database) - Customer’s Accounts Information, Employee Info, etc
• Resources (Hardware, Network & Software)
✓ Hardware/Network Resources - Host Server, App Servers, Core Router & Switch,
Online UPS etc.
✓ Software Resources – OS, Banking Software, DBMS etc.
• Bank Reputation - Smooth online operation, Timely services etc.
• Core / Key Personnel- (CEO, CRO, CIO, CTO, CISO, BOM, PM, DBA, NA, IS Auditor, IT
Security Analyst etc.)
IT Security Measures in E-Banking:
Physical (and Environmental) Security: Physical security prevents and discourages attackers
from entering a building through fences, alarms, cameras, security guards and dogs, electronic
access control, intrusion detection and administrative access controls.
Logical Security: Logical security protects computer systems and software by controlling user
access through user identification, passwords, authentication, biometrics and smart cards.
❖ Concern about data and transaction security and different Security Schemes:
➢ Secret key encryption
➢ Public / Private Key encryption
➢ Digital Signature/Certificate and Certificate Authority (CA)
These schemes are used to ensure the confidentiality (privacy), integrity and authenticity of business
transactions and messages, and they are the basis for several online payment systems such as
electronic cash and electronic cheques.
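As an added worked example (not part of this compilation), the following shows how a secret-key scheme protects the integrity of a fund-transfer message in practice. It uses HMAC-SHA256 from the Python standard library; the transaction fields, the shared key and the tampering scenario are constructed for illustration. The unkeyed hash is included only to show why a hash without a key is not an integrity control.

```python
"""Added example, not from the BIBM document: secret-key message authentication
for an online banking transaction using HMAC-SHA256 (Python standard library).
Field names, the key and the sample transaction are constructed for illustration."""
import hashlib
import hmac
import json
import secrets

# Shared secret between the bank's application server and the channel that
# submits transactions. Generated at random here; in production it comes from
# a key management system or HSM, never from source code.
SHARED_KEY = secrets.token_bytes(32)


def canonical_bytes(txn: dict) -> bytes:
    """Serialise deterministically (sorted keys, no whitespace) so that sender
    and verifier authenticate exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_digest(txn: dict) -> str:
    """Plain SHA-256 of the message. Detects accidental corruption only: an
    attacker who alters the message can simply recompute this value."""
    return hashlib.sha256(canonical_bytes(txn)).hexdigest()


def verify_unkeyed(txn: dict, digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(txn), digest)


def sign_txn(txn: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag over the canonical message. Only a holder of `key` can
    produce a valid tag, so forgery or modification is detectable."""
    return hmac.new(key, canonical_bytes(txn), hashlib.sha256).hexdigest()


def verify_txn(txn: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time so the comparison does
    not leak how many leading characters matched."""
    return hmac.compare_digest(sign_txn(txn, key), tag)


def tamper_demo(key: bytes = SHARED_KEY) -> dict:
    """Constructed scenario: the bank signs a transfer, an attacker in the
    path rewrites amount and beneficiary and re-attaches whatever check value
    they are able to compute."""
    txn = {"from": "0011223344", "to": "0099887766", "amount": "5000.00",
           "currency": "BDT", "nonce": "8f3a1c2d"}  # nonce lets the server reject replays
    tag = sign_txn(txn, key)

    forged = dict(txn, amount="500000.00", to="0055555555")
    attacker_key = secrets.token_bytes(32)  # the attacker does not know `key`

    return {
        # legitimate message passes
        "original_valid": verify_txn(txn, tag, key),
        # modified message with the original tag fails
        "forged_with_old_tag": verify_txn(forged, tag, key),
        # attacker cannot produce a valid tag without the shared key
        "forged_with_attacker_tag": verify_txn(forged, sign_txn(forged, attacker_key), key),
        # an unkeyed hash offers no protection: the attacker just recomputes it
        "forged_passes_unkeyed_check": verify_unkeyed(forged, unkeyed_digest(forged)),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

Run as a script to print the four checks. An HMAC gives integrity and authenticity between the two key holders but not non-repudiation, since either party could have produced the tag; that is the gap a digital signature made with a public/private key pair and a CA-issued certificate closes, which is why both schemes appear in the list above.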
Physical controls: Lock and key, bank vault, credit card photo, secure site for ATM booth, etc.
Fire Control: Fire and smoke detectors, fire extinguishers, automatic fire detection and suppression
system, periodic fire drills.
Emergency Exit: Required to safeguard people and high-cost, sensitive equipment.
Location / Site and Construction Standard: Fire-resistant walls, ceilings and doors; earthquake-resistant
construction; green environment and green data center.
Video Monitoring: 24-hour video surveillance and recording, retention of recordings for a minimum
of 30 days, intelligent CCTV and video analytics.
Authentication methods (including biometric AM):
- What the user knows: user name and password, PIN, identifiable picture, one-time password
- What the user possesses: swipe card, proximity card, USB token
- User behaviour / behavioral biometric characteristics: speech, signature recognition, keystroke dynamics
- User's physical / physiological biometric characteristics: finger print / palm print, hand geometry / pattern, iris recognition, retinal pattern, matching through facial patterns, DNA (deoxyribonucleic acid)
➢ Banks should maintain both Authentication & Authorization Level Security control for
any banking transaction
➢ Introduce 2FA method for secure online fund transfer
✓ The role of the IT Strategy Committee (will be headed/chaired by CEO/MD and CIO will be
member-secretary/convener) is to assist the Board in choosing the right IT Strategy and
monitoring its implementation to achieve the desired results.
✓ The role of the IT Steering Committee (will be headed/chaired by CIO and Head of
Technology will be member-secretary/convener) is to assist the Executive Management in
implementation of the IT strategy approved by the Board.
✓ Information security governance is a subset of enterprise governance that provides strategic
direction, ensures that objectives are achieved, manages risks appropriately, uses
organizational resources responsibly, and monitors the success or failure of the enterprise
security programme. The role of the Information Security committee (will be headed/chaired
by CEO/ED and CISO will be member-secretary) is to devise strategies and policies for the
protection of all assets of the bank (including information, applications, infrastructure and
people). The committee will also provide guidance and direction on the Security Implications
of the business continuity and disaster recovery plans.
[Diagram: Project Steering Committee at the operational level, organised by what, who, when, where and how; the diagram content does not survive extraction.]
Big banks invest huge sums in cyber security:
• The U.S. federal government, big banks, and big businesses are spending big bucks in a war
against hackers and cyber criminals.
• HSBC Budgets $1 Billion for Cyber Security Improvements.
• JP Morgan Chase Doubles Cybersecurity Spending. In 2014, the company spent $250 million
on cybersecurity; it plans to spend no less than $500 million by the close of 2015.
• Bank of America Corp. CEO Brian Moynihan said the nation's second largest lender would
spend $400 million on cybersecurity in 2015, and that its cybersecurity unit has a blank check and
can spend as much as needed to protect the firm and its customers.
[Bar chart: IT security spending by category (Hardware, Software, Network, Security, Training, Audit, Others) for the years 2017, 2018, 2019, 2020 and 2022; horizontal axis 0 to 50. The values do not survive extraction.]
That’s why the focus should be on uninformed users, who can harm your network by visiting websites
infected with malware, responding to phishing e-mails, storing their login information in an unsecured
location, or even giving out sensitive information over the phone when targeted by social engineering.
One of the best ways to make sure company employees will not make costly errors in regard to
information security is to institute company-wide security-awareness training initiatives that include,
but are not limited to, classroom-style training sessions, security awareness websites, helpful hints
via e-mail, or even posters. These methods help ensure employees have a solid understanding of
company security policy, procedures and best practices.
Some of the more important items to cover in security awareness training are the organization's
security policy, data classification and handling, workspace and desktop security, wireless networks,
password security, phishing, hoaxes, malware, file sharing and copyright.
8) Unnecessary Modems
9) Unauthorized or Unsecured Synchronization Software
10) Wireless Connectivity
It is widely recognized that internal staff are the biggest threat to IT security in banks and NBFIs.
Sources of internal threats include unhappy or disgruntled employees, novice, unaware or ignorant
employees, temporary employees, corrupt employees, former employees and external consultants.
Even tech-savvy employees can be fooled into allowing attackers access to company networks. One of
the biggest cyber security challenges for business is that “there is no patch for careless, greedy or
stupid”, said former FBI Computer Intrusion Unit head Don Codling. The following are the top 5
security threats posed by employees.
1) Malicious cyber-attacks
2) Social engineering
3) Downloading malicious internet content
4) Information leakage
5) Illegal activities
The best way to achieve a significant and lasting improvement in information security is not by
throwing more technical solutions at the problem — it's by raising awareness and training and
educating everyone who interacts with computer networks, systems, and information in the basics of
information security.
NIST says that everyone must receive initial awareness training before accessing systems and refresher
training at least annually. It defines 5 specific roles that must receive awareness training:
1. All users — security basics
2. Executives — security basics and policy-level training in security planning and management
3. Program and functional managers — security basics and management and implementation-level
training in security planning and system/application security management, system/application life
cycle management, risk management, and contingency planning.
4. Chief Information Officers (CIOs), IT Security Program Managers, Auditors, and other
security-oriented personnel (e.g., system and network administrators, and system/application
security officers) — security basics and broad training in security planning, system and application
security management, system/application life cycle management, risk management, and
contingency planning.
5. IT function management and operations personnel — security basics; management and
implementation-level training in security planning and system/application security management,
system/application life cycle management, risk management, and contingency planning.
“The threat is advancing quicker than we can keep up with it. The threat changes faster than our
idea of the risk. It is no longer possible to write a large white paper about the risk to a particular
system. You would be rewriting the white paper constantly…”
= END =