[123doc.vn] Bao Mat Trong Internet Banking (1)


Summary
In a world where computer networks span the globe, people can do a great many things online, including transactions with banks. The bank service systems that provide customers with online transactions are Internet Banking and Mobile Banking; they have spread widely and offer a wide range of products that benefit banks and customers alike. However, alongside the growth of Internet Banking and Mobile Banking, the security threats to these services have grown as well, causing headaches for banks and for the customers who use the services. Faced with that challenge, I chose the topic "Research on security methods in Internet Banking and Mobile Banking" for my graduation thesis. In the thesis I studied the general state of Internet Banking deployment in Vietnam, the threats to banks and customers who use the service and, as the main focus, a number of security methods applied to keep the Internet Banking system safe, together with a brief overview of Mobile Banking. Through the thesis I want readers to understand more about the current situation and the security measures applied at the banks, and so gain the knowledge to use Internet Banking and Mobile Banking confidently and safely. Although I have tried my best, research conditions were limited and I did not have the opportunity to study directly at the banks, so shortcomings are unavoidable, and I very much welcome comments from readers interested in this field. I would like to express my most sincere thanks to Dr. Lê Phê Đô, lecturer at the University of Engineering and Technology, Vietnam National University Hanoi, who guided me attentively and gave me valuable comments that helped me complete this thesis. I also thank my whole family, relatives and friends, who helped and encouraged me greatly throughout the writing of this thesis.

Table of contents
Introduction
Chapter 1: Internet Banking and the current situation in Vietnam
1.1. Internet Banking
1.1.1. Concept
1.1.2. Basic functions of Internet Banking
1.1.3. History
1.2. Current state of Internet Banking in Vietnam
1.2.1. Deployment of Internet Banking in Vietnam
1.2.2. Difficulties and advantages for developing Internet Banking in Vietnam
Chapter 2: Challenges to the security of Internet Banking
2.1. Challenges on the bank side
2.1.1. Risk of customer information leakage
2.1.2. Risk of money being misappropriated
2.1.3. Risk of denial-of-service attacks
2.2. Challenges on the customer side
2.2.1. Risk from phishing
2.2.2. Risk from pharming
2.2.3. Risk from malware, viruses and trojans
Chapter 3: Security solutions in Internet Banking
3.1. Building a strong authentication system
3.1.1. Concept
3.1.2. Authentication system using one-time passwords (One Time Password, OTP)
3.2. Building a firewall system
3.2.1. Firewall basics
3.2.2. How to choose a firewall system for internet banking?
3.2.3. Firewall model for the internet banking system
3.3. Building an Intrusion Prevention System (IPS)
3.3.1. What is an IPS device?
3.3.2. Operation of an IPS
3.3.3. Choosing an IPS for the internet banking system
3.4. Building a Web Application Firewall (WAF)
3.4.1. Why build a web application firewall?
3.4.2. Concept of a web application firewall system
3.4.3. Operation of a web application firewall
3.4.4. Choosing a suitable WAF for the internet banking system
3.5. Deploying an anti-malware system
3.5.1. Third-generation EPS anti-malware strategy
3.5.2. Some anti-malware tools following Trend Micro's EPS strategy
3.6. Deploying digital signatures and digital certificates
3.6.1. Security requirements in Internet Banking transactions
3.6.2. Benefits of applying digital signatures and digital certificates in Internet Banking transactions
3.6.3. Applying digital signatures and digital certificates
3.7. Encrypting information
3.7.1. Encrypting part of the information on a computer
3.7.2. Encrypting all information on a computer
3.8. Deploying end-user data protection methods
3.9. Deploying a Virtual Private Network (VPN)
3.9.1. Concept and classification of VPN forms
3.9.2. Setting up a VPN for the Internet Banking system
Chapter 4: Mobile Banking
4.1. Overview of Mobile Banking
4.2. Some forms of Mobile Banking deployment
4.3. Security risks when using Mobile Banking services
4.4. Security solutions for Mobile Banking
List of documents and references
Appendix: Demo program generating one-time passwords based on the S/Key One Time Password System

List of symbols and abbreviations
No.  Abbreviation  Full form                        Meaning
1    EPS           Enterprise Protection Strategy   Comprehensive protection strategy
2    IPS           Intrusion Prevention System      Intrusion prevention system
3    VPN           Virtual Private Network          Virtual private network
4    OTP           One Time Password                One-time password
5    WAF           Web Application Firewall         Web application firewall

List of figures
No.  Figure title
1    Photo of a videotex device
2    Photo of DongA Bank's authentication card
3    Response time of the US Bank website while under attack
4    Example of a phishing email
5    Security icon in the browser
6    Illustration showing PayPal's website certified by VeriSign
7    Identifying the certificate authority that issued the certificate
8    Web browser warning
9    DNS cache poisoning
10   Description of a DNS attack scenario
11   Hosts file
12   Bank website temporarily out of service
13   The two most commonly used authentication factors
14   Logging in with a one-time password
15   OTP delivery devices
16   Web service servers placed in the DMZ zone, data center placed in the Intranet zone
17   Operating mechanism of an IPS
18   Virtual patching function
19   IPS share of the network security appliance market
20   Simulation of a SecureSphere web application firewall protecting the database server and the DMZ zone
21   Operation of a NetContinuum web application firewall
22   Trend Micro's set of anti-malware products
23   Bank website using a digital certificate issued by VeriSign
24   Encrypting part of the information
25   Encrypting all of the information
26   Intranet VPN
27   Extranet VPN
28   Remote Access VPN
29   Summary of VPN forms
30   IPSec VPN
31   SSL VPN
32   VPN integrated with the firewall
33   Chart of Mobile Banking compared with Online Banking in the period 1995-2006, with projections to 2016, in the US
34   Operation of a software client on a mobile device
35   Illustration of the operation of the OTP program

Introduction
Internet Banking and Mobile Banking are becoming, and will become, essential services in people's lives in today's modern society; however, along with the convenience these services bring, banks and the customers who use them face many security risks and challenges. The fight against high-tech crime is a relentless pursuit that demands an ever higher level of science and technology. For this reason I decided to research the topic "Security methods in Internet Banking and Mobile Banking", with the aim of learning about the security measures and principles applied to counter the threats and challenges posed by criminals. The knowledge in the thesis provides technological solutions for the bank side while also raising customers' awareness so that they can protect themselves against the common forms of attack. The thesis comprises 4 chapters and an appendix: chapter 1, Internet Banking and the current situation in Vietnam; chapter 2, Challenges to the security of Internet Banking; chapter 3, Deploying security solutions for Internet Banking; chapter 4, Mobile Banking; and the appendix, a one-time password generation program. The technical measures in the thesis are highly practical, are currently applied at a number of banks in Vietnam, and also open directions for future research and development.

Chapter 1: Internet Banking and the current situation in Vietnam
1.1. Internet Banking
1.1.1. Concept
Internet Banking is a system that lets customers access their bank accounts and the information and services the bank provides through a network-connected computer or other smart devices.
1.1.2. Basic functions of Internet Banking
Account information lookup: instead of going to the bank or to an ATM, you can look up your account anywhere as long as you have a network connection.
Funds transfer: makes sending money from one account to another easy; some banks only allow transfers within the same bank, others allow transfers to accounts at other banks, depending on the bank and the type of account you hold.
Electronic bill payment (you can use your account to pay certain bills such as electricity, water and telephone charges).
Transferring money from your payment deposit account to a recipient identified by ID card, passport or address.
Online foreign currency exchange.
Card top-up: customers can transfer money from their payment deposit account to their card account.
1.1.3. History
The precursor of Internet Banking was remote banking over electronic lines, from the early 1980s. The term "online" became popular in the late 1980s with the use of terminals, keyboards and screens to access the banking system over a telephone line. Online services first appeared in New York in 1981, when four major banks (Citibank, Chase Manhattan, Chemical and Manufacturers Hanover) offered home banking using the videotex system. However, videotex failed, so the services banks offered over it never became popular, except in France, where videotex had some success.
Figure 1: Photo of a videotex device.
The first online banking service in the UK was launched in 1983 at the Nottingham Building Society. The system was based on Prestel's equipment and used computers connected over telephone lines. The system, called Homelink, let users query their account, transfer money and pay bills. In 1994, Stanford Federal Credit Union was the first financial institution to offer online banking to all of its members. On 18/10/1995 the bank SFNB offered the world's first Internet Banking service. SFNB stands for Security First National Bank, headquartered in Atlanta, USA, which offered the service to customers in all 50 states of that country. Today many banks exist only as online banks. These banks do not have to bear the operating costs of branches, and so differentiate themselves from conventional banks (good interest rates and a rich set of online banking services).
1.2. Current state of Internet Banking in Vietnam
1.2.1. Deployment of Internet Banking in Vietnam
a. Overview
Internet Banking brings many advantages to both banks and customers, so it is a matter of interest to many banks in Vietnam. At present most banks in Vietnam have deployed Internet Banking, although the level and the number of services differ. Banks that have deployed Internet Banking in Vietnam include ACB, DongA, Vietinbank, Incombank, Agribank, Techcombank, BIDV... and some foreign-owned banks such as HSBC, ANZ...
Deploying Internet Banking brings many benefits to customers and banks alike:
It saves time and money for both sides: the bank does not have to pay tellers or open branches in remote areas, saving operating costs; customers do not lose time going to the bank and save the fees of transacting with bank staff (since most Internet Banking services are free).
It brings many practical services to customers: the bank partners with companies to offer many kinds of value-added services beyond basic banking, and customers enjoy the convenience of these services.
The bank deploys its services without depending on an agent network or on geographic distance; the services are available anytime, anywhere, as high-speed Internet becomes common worldwide.
b. Deployed services
Basically, Internet Banking in Vietnam offers the same main services as in other countries; the biggest difference from abroad is the scale and quality of the services and the security measures. ACB and DongA are two banks that deployed Internet Banking early and offer many customer services backed by advanced technical solutions. Let us look at the Internet Banking solutions of these two banks.
* Asia Commercial Bank (ACB)
Official website: http://www.acb.com.vn/index.jsp. ACB deployed Internet Banking in 2003. ACB offers Internet Banking with several different security methods suited to the conditions and purposes of each customer group; ACB currently has 6 security options for Internet Banking, each with its own usage limits. The options are:
Transaction authentication by access code and static password. A customer who registers this method may only transfer between payment deposit accounts of the same holder within the ACB system and create online investment deposit accounts.
Transaction authentication by access code and static password plus an electronic certificate.
Transaction authentication by access code and static password plus SMS OTP.
Transaction authentication by access code and static password plus SMS OTP and an electronic certificate.
Transaction authentication by access code and static password plus an OTP token.
Transaction authentication by access code and static password plus a smart card with an integrated electronic certificate.
The authentication forms are listed in increasing order of security, so their transaction limits also increase, from transfers only between accounts of the same holder up to no limit at all. ACB offers the service to individual customers holding VND payment deposit accounts at ACB. Usage requirements: a customer registers for Internet Banking and uses a web browser on an Internet-connected computer to visit https://internetbanking.acb.com.vn/, and can then use the service anytime, anywhere. Registration: a customer who already has an ACB account only needs to visit a branch and fill in the available form to use Internet Banking; ACB staff will answer any questions about the service. The specific services on ACB's Internet Banking system are:
Account information lookup: customers can look up account information and the details of transactions made with their ACB account.
Funds transfer: customers can transfer money from their account to another account inside or outside the ACB system.
Bill payment: customers can pay the bills of services the bank partners with, such as electricity, water, Internet and telephone.
Money transfer: send money to recipients at home or abroad with ease.
Foreign exchange: lets customers convert foreign currency in their account easily.
Card top-up: customers can top up directly at the counter or use the transfer service from a savings account to the card account.
Creating online investment deposit accounts.
* DongA Bank
Official website: http://www.dongabank.com.vn/. Eligible users, usage requirements and registration are similar to ACB. DongA Bank offers Internet Banking with two security options:
Authentication via a one-time SMS message (OTP): DongA sends a message containing the authentication code to the customer's registered phone number.
Authentication Card: a plastic card produced by DongA that holds a matrix of random numbers arranged in rows and columns (64 numbers forming 8 rows x 8 columns). The authentication code is 2 numbers (each of 3 digits) looked up by row/column on the Authentication Card.
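As an added illustration of the matrix-card method just described (example code written for this page, not DongA's own implementation), the following Python models a bank-side session that issues a two-cell challenge against an 8x8 card and checks the six-digit answer. The card values, the column-letter/row-number labels, the rule that each cell is used only once and the lockout threshold are assumptions made here.

```python
"""Grid-card challenge/response modelled on the Authentication Card
described above (8x8 cells, answer = digits of two challenged cells).
Added example, not DongA's code: the card layout, the A1..H8 labels,
the single-use rule for cells and the lockout limit are assumptions."""
import hmac
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ROWS = COLS = 8          # 64 cells, as on the card in the text
DIGITS_PER_CELL = 3      # each cell holds a 3-digit number
CELLS_PER_CHALLENGE = 2  # the code is two such numbers
MAX_FAILURES = 3         # assumed lockout threshold

Cell = Tuple[int, int]   # (row, col), zero-based


def generate_card(rng: Optional[random.Random] = None) -> List[List[str]]:
    """Issue a card: an 8x8 grid of random 3-digit strings (bank side, once)."""
    rng = rng or random.SystemRandom()
    width = DIGITS_PER_CELL
    return [[f"{rng.randrange(10 ** width):0{width}d}" for _ in range(COLS)]
            for _ in range(ROWS)]


def cell_label(cell: Cell) -> str:
    """(row, col) -> label printed on the card, e.g. (4, 2) -> 'C5'."""
    row, col = cell
    return f"{chr(ord('A') + col)}{row + 1}"


def parse_label(label: str) -> Cell:
    """'C5' -> (4, 2); rejects anything that is not a cell on the card."""
    label = label.strip().upper()
    if len(label) < 2 or not label[0].isalpha() or not label[1:].isdigit():
        raise ValueError(f"bad cell label {label!r}")
    row, col = int(label[1:]) - 1, ord(label[0]) - ord("A")
    if not (0 <= row < ROWS and 0 <= col < COLS):
        raise ValueError(f"cell {label!r} is off the card")
    return row, col


def read_card(card: List[List[str]], labels: List[str]) -> str:
    """Customer side: look up the challenged cells and type their digits."""
    return "".join(card[r][c] for r, c in map(parse_label, labels))


@dataclass
class CardSession:
    """Bank side: issues challenges against one customer's card and checks answers."""
    card: List[List[str]]
    used: Set[Cell] = field(default_factory=set)
    pending: Optional[Tuple[Cell, ...]] = None
    failures: int = 0

    def cells_left(self) -> int:
        return ROWS * COLS - len(self.used)

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def challenge(self, rng: Optional[random.Random] = None) -> List[str]:
        """Pick two never-used cells and return their labels for the customer."""
        if self.locked():
            raise PermissionError("card locked after repeated wrong answers")
        fresh = [(r, c) for r in range(ROWS) for c in range(COLS)
                 if (r, c) not in self.used]
        if len(fresh) < CELLS_PER_CHALLENGE:
            raise RuntimeError("card exhausted; issue a new card")
        rng = rng or random.SystemRandom()
        self.pending = tuple(rng.sample(fresh, CELLS_PER_CHALLENGE))
        return [cell_label(cell) for cell in self.pending]

    def verify(self, response: str) -> bool:
        """Check the customer's answer to the outstanding challenge."""
        if self.pending is None or self.locked():
            return False                       # nothing to answer, or locked out
        expected = "".join(self.card[r][c] for r, c in self.pending)
        try:
            ok = hmac.compare_digest(expected, "".join(response.split()))
        except TypeError:                      # non-ASCII input can never match
            ok = False
        # Burn the challenged cells whether or not the answer matched, so a
        # captured or guessed answer cannot be replayed, and clear the challenge.
        self.used.update(self.pending)
        self.pending = None
        if not ok:
            self.failures += 1
        return ok
```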
Figure 2: Photo of DongA Bank's authentication card.
The authentication forms DongA offers are, in terms of security, not on a par with ACB's, but they suit the characteristics of the Vietnamese market at the current stage; the service limit is 500 million VND for individual customers and up to 5 billion VND for business customers. The services deployed on DongA Bank's Internet Banking system are:
Funds transfer: from a Multi-function card account to another Multi-function card account, from a Multi-function card account to a credit card account, and from a Multi-function card account to the VND non-term payment deposit accounts of individuals and businesses.
Online payment: when shopping online at websites partnered with DongA Bank.
Bill payment: for all electricity, water, telephone, Internet and tuition bills of providers partnered with DongA Bank.
Buying prepaid cards: mobile phone cards, Internet and telephone cards.
Electronic top-up: Vcoin, VCard, Bạc, VCash, VnTopup, English-learning cards.
Balance inquiry.
Transaction inquiry.
Quick locking/unlocking of the card account.
Real-time SMS notification of transactions.
c. The State's attention
In the face of the strong development of Internet Banking, the State also pays close attention and creates favourable conditions so that banks and citizens can use the service safely and conveniently. On 29/11/2005, at the 8th session of the 11th National Assembly, the Law on Electronic Transactions No. 51/2005/QH11 was passed; in the following years the law has been continually refined and supplemented with new provisions to keep pace with the ongoing development of Internet Banking and of a number of related types of crime. To bring the Law on Electronic Transactions into everyday practice, the government has continuously issued related decrees, such as:
Decree 26/2007/NĐ-CP, setting out the provisions implementing the Law on Electronic Transactions with regard to digital signatures and digital signature certification services.
Decree 27/2007/NĐ-CP, setting out the provisions on electronic transactions in financial activities.
* Overview of the Law on Electronic Transactions:
The law has 8 chapters and 54 articles covering most of the factors and parties involved in electronic transactions, such as: electronic signatures, organisations providing electronic signature certification services, the legal value of electronic signatures, the legal value of contracts signed with electronic signatures, the responsibilities of the parties for information security, the resolution of disputes related to electronic transactions, as well as rules on electronic transactions in the operations of state agencies and in the civil, business and commercial fields and other fields prescribed by law. The Law on Electronic Transactions created the basic legal framework for electronic transactions. Electronic transactions reduce manual work in banking, reduce the amount of cash circulating in the market and help customers transact with banks safely and conveniently.
1.2.2. Difficulties and advantages for developing Internet Banking in Vietnam
a. Difficulties
* Difficulties on the bank side
Vietnam rose from an agricultural country and its level of science and technology is still limited, whereas deploying Internet Banking requires many advanced technological measures to keep both customers and banks safe; this is the biggest obstacle banks face when deploying Internet Banking. To solve the technology question, banks have 2 choices, and both run into difficulties: solutions imported from abroad are too expensive and require highly skilled staff to operate the system; solutions from domestic companies do not yet meet the banks' strict requirements. Banks are hesitating over which security solution fits their requirements and conditions.
* Difficulties on the customer side:
Internet Banking is a new service for most customers, and it takes time to learn and get used to it. Many customers do not trust its security and fear the risks of transacting through Internet Banking, especially older people, who tend to prefer transacting at bank branches. Each customer's circumstances differ; not every customer has an Internet-connected computer with which to transact through Internet Banking.
b. Advantages
* Advantages on the bank side
Vietnam's network infrastructure is developing steadily; according to statistics from 6/2009 the number of regular Internet users in Vietnam reached over 21.5 million, about 25% of the population, and is still growing; Internet coverage has expanded across the country into remote areas, so the number of customers using the banks' Internet Banking services will keep rising. Vietnam has a young population, with people under 30 making up a large share of it. With such a young population, Vietnamese people adapt quickly to advanced technology because they are intelligent and eager to learn; this group promises to become customers of Internet Banking services. A highly trained workforce that is graduating or about to graduate will meet the banks' needs in fields such as networking, security and databases. Science and technology are developing rapidly, and domestic companies are gradually offering better solutions that fit the banks' requirements. In addition, with the encouragement and support of the State Bank, banks are announcing plans to link with each other, share experience and build common standards so that online banking transactions become simpler, more familiar and easier to use for customers.
* Advantages on the customer side
Customers only need a networked computer to carry out their transactions as if they were at the bank, so they can do so anytime, anywhere; this suits busy customers who travel often yet still need banking services. Internet Banking services are increasingly rich and suited to the needs of daily life, saving customers time, money and effort, so many customers choose them. Thanks to advanced security measures, customers can trust transactions made on the banks' Internet Banking systems.
Conclusion: Chapter 1 gives an overview of the Internet Banking service and its history in the world. Chapter 1 also examines the state of Internet Banking in Vietnam and the difficulties and advantages in its development.

Chapter 2: Challenges to the security of Internet Banking
2.1. Challenges on the bank side
2.1.1. Risk of customer information leakage
a. The problem
The security of customer account information is the most highly valued factor in the banking industry.
Everyone surely knows of Switzerland, whose banking industry is the most famous in the world; the banks there are so popular precisely because they keep customer information very well, information that is not released even to government agencies. With Internet Banking, customer information becomes more important than ever, so keeping customer information confidential is always the top priority for every bank.
b. In practice
Although banks place great value on protecting customer information, cases of stolen customer information still occur, causing large economic and reputational damage to banks. Some recent cases of stolen customer information:
* Techcombank leaks customer information (4/2009): Mr. Ngô Xuân Dũng, owner of a private business in Hanoi, had held an account at Vietnam Technological and Commercial Joint Stock Bank (Techcombank) for 2 years. In February 2009 he went to the bank to register for Internet Banking so that he could look up his account and transaction history online without going to the bank. After following the bank's instructions to activate the account with the username and password provided by the system, he was very surprised to find that the information in this account was not his but belonged to another customer, also a business. Mr. Dũng could not carry out transactions with this account because he did not have the accompanying security device (the OTP generator), but he could view the account's details and its transactions. A Techcombank representative confirmed that the error had occurred in the bank's own system, due to a teller's mistake when passing the username and password information to the bank's information technology centre. After being notified of the error, Techcombank temporarily locked both accounts and issued new usernames and passwords to the customers. Techcombank held that this was merely an oversight by one employee and did not affect the safety of the system, and contacted the customer to apologise. Mr. Dũng, however, felt that the bank had not properly assessed the seriousness of the incident and that it needed measures to review the procedures in its system.
* HSBC loses the information of 24,000 customers (3/2010): HSBC has just issued a statement confirming that the bank lost the personal information of 24,000 customers of its private wealth management unit in Switzerland. The culprit was a former employee of the bank, and the figure of 24,000 is only an estimate; the real figure is likely to be higher. According to HSBC, the employee who stole the customer information was Hervé Falciani, an IT employee who had worked at the HSBC branch in Switzerland; the culprit has fled and the case is still being investigated by the Swiss police. HSBC still does not know the thief's methods; of the 24,000 accounts whose information was stolen, 9,000 have been closed and 15,000 remain at risk. The bank apologised to all affected customers and is itself under police investigation to determine HSBC's responsibility in the incident and to identify the security failure in the protection of customer information there. Customers whose information was leaked may have their accounts accessed by criminals or, more dangerously, their account information sold to tax authorities seeking to collect back taxes from them. Switzerland has very strict rules on banking secrecy, a highly developed banking industry, and is a haven for customers wishing to evade tax. HSBC in Switzerland invested a further 93 million USD to strengthen its security system after this loss of customer information.
c. Causes
Customer information is lost for many reasons, a large share of which is bank employees failing to follow the necessary principles. Some common causes of lost or leaked customer information:
The thief is a bank employee: someone who has access to the computer systems storing the information, sometimes in the role of manager of that information, which is why many bank employees steal this sensitive information. The HSBC case is one example, as a great many information thefts are caused by former employees of the bank. They work with the system every day and may know its weaknesses or backdoors and use them to steal information, so banks must have strict management mechanisms for sensitive information to prevent such cases.
Customer information is not encrypted: in principle customer information must be encrypted and bank employees must not be able to see it, yet in many cases this information is not protected and is easily visible to bank employees.
Customer information is not isolated and can be accessed: in many cases information is stored on CDs or portable hard drives and can fall into the hands of criminals. Many such cases have occurred in practice, and even when the information is encrypted, hackers can still decrypt it after some time if the encryption algorithm is not strong.
Mistakes by bank employees or flaws in the system's working procedures: bank employees are human, so mistakes at work are unavoidable, and much confidential bank information is leaked by the bank's own internal staff. The bank's working procedures can also be a cause of information loss: science and technology never stop developing and criminal methods grow ever more sophisticated, so old bank procedures that are not updated easily become targets for information theft attacks.
2.1.2. Risk of money being misappropriated
a. The problem
The banks' main line of business is money, and money is also what criminals target. The growth of Internet Banking creates many opportunities for banks but also brings many challenges, as high-tech crime keeps increasing. Criminals exploit gaps in procedures and in technology to misappropriate assets. Some types of crime aimed at banks: impersonating customers to seize money, using fake cards, using expired cards...
b. In practice
* Hackers steal 41 million credit card accounts (2008): On 5/8/2008 US federal officials announced the arrest of 12 people (three Americans, three Estonians, three Ukrainians, two Chinese and one Belarusian) for stealing and illegally trading more than 41 million credit and debit card numbers. This was the largest hacker attack the US Department of Justice had ever prosecuted. The hackers used sniffer programs designed to record card numbers, passwords and account information as they passed over the card-processing networks of retailers that accept card payments. The investigation had been under way since 2006; the hackers stored all the stolen data on 2 servers located in Ukraine and Latvia. They used this data to make money by offering the cards for sale on the Internet and withdrawing cash from ATMs. Also according to the US Department of Justice, the hacker Gonzalez (the ringleader of the case) had already been arrested by the authorities in 2003. In May 2008 investigators found that he had taken part in a plan to attack the computer network of the Dave & Buster's restaurant chain, stealing card numbers and causing 600,000 USD in losses to the banks that issued the credit and debit cards. This case is a warning to banks to strengthen their defences against this kind of high-tech crime.
c. Solutions
Refine business procedures and raise staff skills. Strengthen advanced scientific and technical measures, keeping pace with the times, to counter the ever-growing high-tech crime. Work closely with the police and report immediately for investigation when there are suspicious signs.
2.1.3. Risk of denial-of-service attacks
a. The problem
A bank's operations must be available to customers 24/7; even a small incident that halts the system causes very large losses. The task set for the designers and administrators of the banks' internet banking systems is to ensure that the system can serve many users at once and run stably over a long period. In practice, however, the banks' Internet Banking services have in many cases had to stop operating because of external attacks. There are many forms of attack, such as domain hijacking and denial of service, but the most common and the hardest to deal with is the denial-of-service attack, DoS or DDoS.
b. In practice
In Vietnam as elsewhere in the world, a great many banks have become targets of denial-of-service attacks, causing heavy financial and reputational damage. Some recent DDoS attacks:
* US Bank hit by a denial-of-service attack (7/2009): The sixth-largest bank in the US was brought down by DDoS attacks on 5 and 6 July 2009. The attack came in 2 waves and disrupted the bank's system for a period of time.
Figure 3: Response time of the US Bank website while under attack.
2.2. Challenges on the customer side
2.2.1. Risk from phishing
a. The problem
Internet Banking brings customers many conveniences but also hides many dangers, and phishing is one of them.
A great many customers have been defrauded by phishing while using Internet Banking, and phishing is also the reason some customers are wary of the service.
b. In practice
Although phishing has existed for a long time and its tricks have become familiar and been widely publicised to customers, phishing attacks remain very dangerous and are used widely by criminals in many fields, not only Internet Banking. Email phishing is the basic method that criminals use most often, around the world and in Vietnam alike; some real cases follow:
* FBI director nearly falls for phishing while using Internet Banking: In October 2009 Mr. Robert Mueller, Director of the FBI, revealed in a talk at the Commonwealth Club that he had stopped using Internet Banking after nearly falling into a phishing trap. The phishing email he received imitated the legitimate letters that the bank he used regularly sent to customers. A few more clicks and he would have handed his account information to criminals, but luckily he realised in time and stopped before it was too late. After the incident he decided to stop using Internet Banking because he found it too dangerous. The phishing email Mr. Robert Mueller received was a classic form of phishing attack whose countermeasures have been explained to customers, yet in a great many cases they are still fooled. This case shows that if even someone with as much security experience as Mr. Robert Mueller can be threatened by phishing, how much greater is the threat to ordinary users?
* Germany's Postbank hit by a phishing attack (4/2005): In April 2005 Postbank AG of Germany became the target of a phishing attack. This was the third wave of attacks on the bank, after two waves in August 2004. On 4/4/2005 the bank's spokesman, Mr. Hartmut Schlegel, informed the public of the incident. The attacks took place at night and the bank had anticipated them, so there was no serious impact on its business. Many Postbank customers received an email asking them to supply their transaction numbers for security reasons. The attack email carried the address [email protected], so it appeared to come from the bank. The spokesman said that the Postbank website had been slowed down for a short period, but gave neither the cause nor the culprit. The Fraunhofer Institute for Secure Information Technology had just published a study of the security of German banks against phishing attacks, and the results were not encouraging for the banks of this powerful country. Only the German national bank achieved a very good rating; no other bank was rated good. Postbank ranked fifth, with an acceptable level of security; some of the remaining banks were classed as at risk, and the bank ranked last for security was Sparda-Bank Hamburg eG.
c. Phishing in Internet Banking
* Concept of phishing
Within Internet Banking, phishing is the fraudulent process of trying to obtain users' sensitive information, such as account names, passwords and credit card details, by impersonating a trusted entity in electronic communication. The fraud is usually carried out by email or instant message and typically directs users to enter their account details on a fake website that looks and feels like the legitimate one.
Figure 4: Example of a phishing email.
Phishing attacks rely on modern techniques that exploit weaknesses in the current security technology of websites in order to deceive users. Efforts against phishing attacks rely mainly on legislation, technology, security measures and, to a large extent, user awareness.
* History of the phishing technique
The phishing technique was described in detail as early as 1987, in a presentation delivered to Interex. The first recorded use of the term phishing was on America Online's services on 2/1/1996, although the term may have appeared earlier in the print edition of the hacker magazine 2600. The first phishing attacks took place on AOL. Fraudsters could pose as AOL staff and send users a message asking them to verify their account or confirm their personal information; some users believed these messages and gave their account and password information to the fraudsters. Only in 1997, when AOL tightened its policies against fraudsters, did phishing on AOL come to an end.
Vic nm bt c cc thng tin ti khon ca AOL, nhng k la o c th lm dng nhng thng tin th tn dng m chng bit c v da vo nhng thng tin ny th nhng cuc tn cng vo h thng thanh ton trc tuyn l kh thi. Nhng n lc tn cng u tin c ghi nhn ti h thng thanh ton Egold vo thng 6/2001, cuc tn cng tht bi nhng y c th coi l nhng cuc th nghim u tin hng ti nhng cuc tn cng ch o vo ngn hng. n nm 2004, phishing c cng nhn l mt phn trong nn kinh t ca ti phm v pht trin vi tc chng mt trn quy m ton cu. *Cc k thut tn cng phishing Lin kt gi mo : Phng php ph bin l s dng mt s k thut to ra lin kt trong email tr ti trang web ca k la o trong khi ngi dng vn ngh l ang truy cp mt trang web hp l v an ton . Mt v d n gin ca k thut ny l: ng link http://www.acbbank.ebanking.com/ lm ngi dng nhm tng s c a n trang web ebanking ca ngn hng acbbank nhng thc ra h c a n trang acbbank ca ebanking (y l trang web c giao din nh ebanking ca acbbank nhm mc ch phishing). Mt k thut la o hin c l dng k t @ trong ng link dn ti trang web la o. K t @ vn c s dng nh km tn ngi dng v mt khu khi ng nhp vo mt trang web. V d ng link http://[email protected] khin ngi dng nhm tng mnh s ng nhp vo trang www.acbbank.com nhng thc th h li c dn ti trang web phishingsite.org vi tn ngi dng l www.acbbank.com. Hin nhng ng link kiu ny b Internet Explorer v hiu ha nhng mt s trnh duyt nh Firefox hay Opera vn chp nhn v a ra mt cnh bo vi ngi dng. Vt qua cc b lc : S dng email phishing di dng text thng thng d b cc b lc pht hin, mt k thut khc thng c s dng l thay th vn bn di dng text bng mt hnh nh vt qua cc b lc mt cch d dng. Cc b lc thng ch n nhng t nhy cm nh th tn dng, ti khon ngn hng, mt khu, paypal nhng k la o thay th nhng t nhy cm ny dng nh nn cc b lc khng th xc nh c u l th la o. Gi mo trang web: Mt khi my tnh ca ngi dng truy nhp vo trang web phishing th vic la o khng ch dng li lc . 
Some scammers use JavaScript commands to alter the address bar; this is done by placing an image of a trusted address over the address bar, or by closing the original address bar and opening a new one showing a trusted link. Scammers can also exploit vulnerabilities in the genuine website to attack users. A number of tools have appeared (the Universal Man-in-the-Middle phishing kit is one of them) that let a scammer easily recreate a fake site resembling the real one and steal personal information when the user reaches the fake site through a link sent in a phishing email.

Phone phishing: In some cases the scammer sends the user a message stating that there is a problem with their account and asking them to call a bank phone number to resolve the issue. When they call that number (which belongs to the scammer), they are asked to provide their account name and password for confirmation. The scammer makes the user believe they are talking to bank staff and steals this personal information easily.

Other techniques: Another technique takes the user to the bank's genuine website and then opens a popup window requesting sensitive information, as though the window had been requested by the bank's site; if the user enters sensitive information such as their account number or password, the scammer has achieved their goal.

*The damage caused by phishing

Phishing has had a major impact on the use of email in financial transactions and causes large economic losses to organisations and individuals worldwide. Statistics show that in the US alone, from May 2004 to May 2005, more than 1.2 million computers were affected by phishing, causing losses of up to 929 million dollars. US businesses lose up to 2 billion dollars a year because users' computers are defrauded. In the UK, losses due to phishing amounted to 12.2 million pounds in 2004, rose to 23.2 million pounds in 2005, and have kept increasing in the following years.

*How to defend against phishing attacks:

Social measures: To counter phishing most effectively, we need to raise user awareness of phishing, helping users recognise scammers so that they can protect themselves. Users can take a few simple measures against phishing through their browsing habits.
When receiving any request for personal information, verify the request with the trusted company before providing this sensitive information. To visit websites, type the address into the address bar yourself rather than clicking suspicious links. Users should also know a few tricks for recognising phishing emails: a genuine message from the bank always contains personal information, for instance a greeting such as "Dear Mr ABC", whereas the greeting in a scammer's message usually carries generic information such as "Dear customer of XYZ bank". In practice user awareness is rising, so basic phishing techniques may become obsolete, and more advanced techniques such as pharming or malicious software will become more common for stealing user information.

Technical measures: Measures against online fraud include features built into the browser, such as extensions or browser toolbars, and features that form part of the website login procedure. Below are details of some of the main technical methods:

Identifying a legitimate website

Most websites targeted by phishing are secure sites, and most use the SSL protocol for authentication between server and client. There are three parts to secure verification with TLS and digital certificates: determining that the connection is secure (that is, encrypted), identifying the website the user is connected to, and identifying the organisation that issued the certificate identifying that website.

Secure connection

This is the visual indication that tells the user they are using a secure connection over which transmitted information is protected to a certain degree. From the mid-1990s to the mid-2000s, the image representing a secure connection was a padlock.

Figure 5: The security icon in the browser.

In 2005 Mozilla used a yellow address field to make a secure connection easier for users to recognise. A later improvement, together with EV certification, displays the organisation's name in a green box along with some additional information, as in the illustration below.

Figure 6: Illustration showing PayPal's website certified by VeriSign.

Identifying the site's domain name

As mentioned above, determining the correct domain name is important for users to avoid landing on fraudulent sites.
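The two link tricks described in the phishing techniques above (a bank name placed as a subdomain of someone else's domain, and a "username@" prefix that hides the real host) can be checked mechanically. The following is an added example, not code from the thesis or from any bank: it uses Python's urllib.parse to separate the userinfo before "@" from the real host, reduces that host to its registered domain, and compares it against an allowlist of the bank's own domains. The allowlist, the sample links and the two-label "registered domain" rule are assumptions made for the example (real deployments use the Public Suffix List, since a domain such as example.com.vn has three labels).

```python
from urllib.parse import urlsplit

# Constructed allowlist of the bank's legitimate registered domains (hypothetical).
BANK_DOMAINS = {"acbbank.com"}


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels: 'www.acbbank.ebanking.com' -> 'ebanking.com'.
    Simplified on purpose; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_link(url: str) -> dict:
    """Return the host a browser would really connect to, plus the reasons it looks suspicious."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    findings = []

    # The '@' trick: everything before '@' is userinfo, not the destination host.
    if parts.username is not None:
        findings.append("userinfo before @ hides the real host")
    if parts.scheme != "https":
        findings.append("not https")
    # A bare IP address in place of the bank's domain name.
    if real_host.replace(".", "").isdigit():
        findings.append("raw IP address instead of a domain name")

    reg = registered_domain(real_host)
    # The subdomain trick: the bank's name appears inside a host that someone else registered.
    for bank in BANK_DOMAINS:
        bank_label = bank.split(".")[0]
        if bank_label in real_host and reg not in BANK_DOMAINS:
            findings.append(f"'{bank_label}' appears in the host but the registered domain is {reg}")

    trusted = reg in BANK_DOMAINS and parts.username is None
    return {"real_host": real_host, "registered_domain": reg,
            "trusted": trusted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; the phishingsite.org one mirrors the '@' example in the text.
    for link in ("https://www.acbbank.com/ebanking",
                 "http://www.acbbank.ebanking.com/",
                 "http://www.acbbank.com@phishingsite.org/login",
                 "http://192.0.2.10/acbbank/"):
        print(link, "->", analyse_link(link))
```

The key line is `parts.hostname`: the browser connects to that value, and only that value, whatever the characters before "@" suggest. A browser extension or a mail gateway can run the same check on every link before the user sees it.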
The structure of a URL is rather complex for users to determine exactly which site they are connected to. Some newer browsers display the whole URL in grey while the domain name is shown in black, so that users can see what the real domain name of the site they are visiting is. With the arrival of extended validation certificates, the site's domain name is also displayed in green as in the figure above, which makes it easier for users to recognise.

Identifying the certificate authority

A digital certificate is the basis for authenticating a website, but how far that authentication can be trusted depends on the authority that issued the certificate. Apart from a few very well-known certificate authorities such as VeriSign, not every certificate authority is known to everyone, which is why browsers always ship with a list of accepted certificate authorities. In Internet Explorer, besides the name of the certificate authority, the user can also see information about this authority's class. The image below was captured when the author visited the Techcombank website; this bank's certificate was issued by VeriSign, with class 3.

Figure 7: Identifying the certificate authority

Browser warnings for fraudulent sites

Figure 8: Web browser warning

Most current browsers can warn users when they connect to websites whose certificate is invalid or expired. Such websites may well be phishing sites that users should avoid.

Raising the level of security for password logins

Some websites require users entering a password to enter some additional information to increase security, in the manner of a two-factor authentication system. For example, at Bank of America: when users enter their password for any service on the bank's website, they must at the same time select a personal picture of theirs, which improves safety against scammers.

Filtering phishing emails

Specialised spam filters can reduce the number of phishing emails reaching your mailbox. These filters work on the basis of machine learning and natural language processing to classify phishing emails.

Legal measures: On 26 April 2004 the first bill against online fraud in the US was introduced. Vietnam's criminal law on cybercrime is also continuously updated year by year, refining its provisions and adding offences related to online fraud in order to strengthen deterrence against this new type of crime.

2.2.2. Threats from pharming

a. The problem

When phishing first appeared it was very effective, but over time, as phishing techniques became widely known, the effectiveness of traditional phishing declined; many users became cautious, no longer clicking on ready-made links but typing the site address directly into the address bar. Such caution, however, is still not enough: recently a very sophisticated form of phishing called pharming has appeared. Pharming is far more dangerous than classic phishing because even if users type the website address correctly, they can still be led to a fraudulent site.

b. In practice

*50 banks hit by pharming-style online fraud (February 2007)

In February 2007, customers of at least 50 financial institutions and banks in Asia, Europe and the US had their personal information stolen by hackers using a particularly new and dangerous phishing trick: pharming. The attack relied on a serious Windows flaw (for which a fix had been published in 2006). Unpatched systems would automatically download a trojan named iexplorer.exe and 5 executable files from a server located in Russia. These websites also displayed an error message asking the user to turn off their personal firewall as well as the antivirus software on the machine. This new and dangerous phishing trick is called pharming; it is more dangerous than phishing in that it directs users to a site containing malicious code even when they type the internet service provider's address correctly, by exploiting a DNS flaw. The fake websites in this attack, hosted in Germany, Estonia and the UK, were disabled by the ISPs, but there are no statistics on the number of customers who fell victim to the attack.

*Pharming attacks on online banks (March 2005)

Some security experts warned users to be wary of a piece of malware named Troj/BankAsh-A, aimed at pharming: it could direct online banking customers to fake websites during transactions and steal customers' personal information for illegal purposes. This malware is usually attached to spam emails sent to users. If the user downloads these files, it lies dormant until the customer visits the website of one of the pre-programmed banks.
At that point the user is redirected to a fake site whose interface is identical to the real bank's website; the criminals then steal the personal information the customer enters and use it to steal money from their account. Experts say the threat from this virus can be prevented if banks use identification of the user's characteristics for account access rather than relying on the customer's password.

c. Understanding pharming

*Concept

Pharming is a hacker's action of redirecting visitors from a correct website to a fake one without the user being aware of it. Pharming can be carried out by modifying the hosts file on the victim's machine (the hosts file maps host names to IP addresses) or by exploiting flaws in DNS servers. The term pharming was coined from the two words phishing and farming; both pharming and phishing are used to steal customers' personal information. Pharming is becoming a major concern for hosting services and online banks. Countering pharming requires many complex measures, and ordinary antivirus or anti-spyware software is not able to protect the user's computer against pharming.

*How pharming works

DNS cache poisoning

Figure 9: DNS cache poisoning

This is the most basic and common technique in pharming. DNS is the address resolution protocol, used to map domain names to IP addresses. When a DNS server receives a resolution request from a client, it looks up its cache and returns the IP address corresponding to the domain name the client requested. If it is not found in the cache, the DNS server forwards the resolution request to another DNS server. This is a weakness inherent in the DNS protocol and has become a serious vulnerability exploited in the DNS cache poisoning attack. Many DNS servers today accept several simultaneous queries for a single domain name; this characteristic makes it easy for attackers to attack recursive, caching DNS servers in order to change the domain mapping and direct users to an illegitimate IP address of the hacker's choosing.

Overview of the attack: the hacker targets DNS servers with the following characteristics:
- Serving many users (whose personal information is the goal of the attack).
- Recursive, and caching the results.
- Having the weakness of accepting several simultaneous queries for a single domain name.
- Using a single fixed source port for queries.

*Attack scenario

Figure 10: Description of the attack scenario

Table 1: Success probability of the attack model above

DNS server              Simultaneous queries sent   Forged packets the attacker must send
No port randomisation   1                           32.7 thousand
No port randomisation   4                           10.4 thousand
No port randomisation   200                         427
No port randomisation   unlimited                   426
Port randomisation      1                           2.1 billion
Port randomisation      4                           683 million
Port randomisation      200                         15 million
Port randomisation      unlimited                   109 thousand

The figures above are taken from Vagner Sacramento's calculations at http://www.kb.cert.org/vuls/id/457875. According to these calculations, in the case without port randomisation the attacker needs only send 200 simultaneous queries and 427 forged packets to have a 50% probability of success, which is quite high.

Hosts file attack

The hosts file is a file on the machine that stores frequently used domain name and IP address pairs for quick access without going through DNS, and it is a target of pharming attacks. Whereas the target of the first method is DNS servers secured by knowledgeable and experienced administrators, attacking the hosts file on the user's machine is considered a much easier target. Pharmers usually use malware to change the hosts file on the victim's machine; the bank websites the user visits are mapped to fake addresses, and if the user visits these addresses their personal information falls into the pharmer's hands.

Figure 11: Hosts file

Local router attack

Like the hosts file attack, attacking the local router is much easier than attacking a DNS server, yet it is hard to detect. There are two ways of attacking a local router for pharming: changing the router's configuration with malware, or even replacing the router's firmware. Both aim to make the router point to the pharmer's malicious DNS servers instead of the original correct ones. Most local routers are not well secured; many places use routers without ever changing the default configuration, login name or password, and pharmers know this weakness well and exploit it for their own ends. In 2006 a piece of JavaScript code capable of changing a router's DNS settings, named Drive-By Pharming, was discovered. Once the router's DNS server has been changed, computers on the local network send their queries through the fake DNS server. Furthermore, since the firmware can easily be replaced if the router's admin password is known, a pharmer can build a fake firmware with the same interface and functions as the manufacturer's original firmware. Every parameter and setting of the fake firmware is identical to the real one, except that it directs users to the fake DNS instead of the real DNS.
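Both local pharming methods described above (a hosts file rewritten by malware, and a router handing out a rogue DNS server) leave traces on the victim's side that a defender can check. The following is an added example, not code from the thesis: it parses hosts-file text and flags any entry that pins a bank domain (or a subdomain of it) to an address, and it compares the resolvers a router currently advertises against the set the ISP is expected to provide. The sample hosts file, the monitored domains and the resolver addresses are constructed for the example; a real tool would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts and the DHCP lease.

```python
import ipaddress

# Constructed sample of a hosts file after a pharming modification (documentation-range addresses).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# added by malware
203.0.113.45    www.acbbank.com ebanking.acbbank.com
198.51.100.7    online.techcombank.com.vn
"""

# Domains customers should only ever reach through DNS, never via a static hosts entry (assumed).
MONITORED_DOMAINS = {"acbbank.com", "techcombank.com.vn"}

# Resolvers the local router is expected to hand out (hypothetical ISP resolvers).
EXPECTED_RESOLVERS = {"203.0.113.1", "203.0.113.2"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip(".")


def suspicious_hosts_entries(text, monitored=MONITORED_DOMAINS):
    """Return (hostname, ip) for every entry that pins a monitored domain or one of its subdomains."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in monitored):
            hits.append((name, ip))
    return hits


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Resolver addresses the router advertises that are not in the expected set (rogue DNS check)."""
    return sorted(set(configured) - set(expected))


if __name__ == "__main__":
    for name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}: possible pharming")
    # Constructed example of what a compromised router might hand out via DHCP.
    for addr in unexpected_resolvers(["203.0.113.1", "198.51.100.53"]):
        print(f"router advertises unexpected DNS server {addr}")
```

A bank domain should never appear in a hosts file at all, so any hit is worth investigating; the resolver check catches the router variant, which the hosts file alone cannot reveal.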
In addition, as wireless networks become more common, reaching routers becomes easier, and taking control of a router also becomes easier because default passwords are easy to guess; pharmers can also use password-guessing software if the password has been changed. Therefore everyone needs to be careful when using the Internet in public places; using public networks for important tasks is not safe at all.

2.2.3. Threats from malware, viruses and trojans

a. The problem

Most computer users are familiar with terms such as virus, trojan and malware, but very few fully grasp the dangers they pose or how to defend against them effectively. Internet banking customers are a favourite target of this software, so they need a certain amount of knowledge to prevent it effectively. Malware, viruses and trojans are appearing in ever greater numbers and with ever greater sophistication; they are spread widely over the internet through websites, email or bundled with software. Malware does not get into a customer's computer by accident; usually it is because the customer clicked a link that downloads the malicious code or opened an attachment containing a virus.

b. In practice

*A rootkit that stole hundreds of thousands of bank accounts (2009)

In April 2009, MaOSRootkit, a rootkit that had stolen hundreds of thousands of bank accounts, returned with a new variant. It spread very fast across the Internet and also reached computer networks in Vietnam. The MaOS rootkit (also known as Mebroot) is a rather special rootkit: it infects the master boot record (the first boot sector of the hard disk), so it can modify the system as soon as the operating system starts and easily bypass antivirus software. Operating in this way, it becomes invisible to all security software such as antivirus and firewalls. This rootkit runs stably on Windows XP and can hide very deep in the system; its first version appeared in December 2007 and was very carefully and professionally programmed. The rootkit returned with a large-scale attack wave on 31 March; according to preliminary information it infected 180,000 computers and 1.2 million IP addresses worldwide, with the US having the highest infection rate.
According to research by the University of California (US) published on 4 May, over 10 days of monitoring the MaOSRootkit botnet, 8,310 bank accounts, 1,235,122 Windows passwords, 100,472 SMTP accounts, 415,206 POP accounts, 411,039 HTTP accounts and 1,258,862 mail accounts were stolen. Thousands of websites have been set up to spread this dangerous malware. In addition, many other computer worms have been set up to download this rootkit onto users' machines.

*Indian bank website hacked and spreading trojans (2007)

Bank of India was warned by security firm Sunbelt Software that its website had been attacked by hackers and was being used as a tool to spread many kinds of trojans, rootkits and malware to users who visited it. This dangerous software was used to collect victims' data and then upload it to an FTP server located in Russia. Sunbelt also said the security flaw originated in the website's framework; the victim's computer would be infected through an Internet Explorer security flaw if the user had not applied the MS06-042 patch. The bank's technical department quickly handled and temporarily remedied the situation, but experts advised that the root flaws in the system must be found and fixed, otherwise the website would remain a target for hackers.

Figure 12: The bank's website temporarily suspended

c. More on malware

There are many different kinds of malware today, but internet banking customers regularly face the following kinds:

*Worm

A type of malicious code that can infect and replicate by itself without a carrier, and activate itself without any action by the user. This kind of malware usually exploits security vulnerabilities in the operating system and application software. Worms can also scan other computers connected to the network, find vulnerabilities and weaknesses, and infect those machines. This property gives worms a very fast spread rate and makes them hard to eradicate completely even though software can detect and remove them (they can survive on machines without antivirus software and wait for a chance to spread back to the other computers on the network). The exact time worms first appeared is unclear, but in recent years worms have caused enormous damage to computer systems around the world. Some notorious worms that spread terror through networks worldwide include Nimda, Mydoom, Blaster and Sasser.
In a situation where security vulnerabilities in operating systems and application software are discovered and published widely online, worms have fertile ground to exploit and attack systems ever more effectively.

*Trojan

Malware capable of opening ports on the computer to help hackers take control of the machine and carry out other illegal actions. The concept of the trojan horse has existed since the 1980s, with trojans being discovered and reported since then. Nevertheless, to this day trojans are still used by hackers to attack computer systems with a certain effectiveness. In particular, trojan attack techniques are used quite often in complex attacks that combine multiple techniques.

*Spyware

Spy software installed illegally on customers' computers. Its task is to collect secret information, especially relating to bank accounts, and send it back to the hacker. The term spyware was first used around 1995-96, and around 2005 was the period when spyware ran most rampant. Today spyware is not classed as the malware posing the greatest risk to computer systems, but it still belongs to the leading group in terms of the risk it can pose to computer systems worldwide.

*Rootkit

Appearing in 1990 on the Unix operating system, rootkits have since 2005 been flagged as a major risk to the security of computer networks; they pose many latent risks to computer systems when applied to the development of malicious code. A rootkit is a technique aimed at hiding all the processes of programs and code segments when they run; in many cases a rootkit also hides all related registry entries, and can even hide files and folders. Looking at the list of running processes on the machine, no process belonging to the program (that uses the rootkit) appears, even though it is running. Malicious code uses rootkit techniques to hide from antivirus software; this kind of code is especially dangerous if the user only uses antivirus programs without rootkit detection.

*Virus

The earliest kind of malware and quite familiar to computer users. Viruses are created mainly for destructive purposes; viruses with other behaviour such as stealing information are rare. The main destructive actions are deleting files and altering file contents. Viruses can replicate themselves but need a carrier and need an external action to be activated the first time.
Viruses have existed since the 1970s and to this day continue to exist and develop constantly; in parallel with the development of viruses comes antivirus software, and this battle will drag on with no end in sight.

*Keylogger

A program that records keystrokes; the hacker then collects and analyses this information to find the customer's sensitive information such as account numbers, passwords, credit card numbers and other personal details. The stolen information is used for illegal purposes such as withdrawing money from the account, using the account to shop online, transferring money to another account, or selling the account information to interested buyers. There is no precise record of when keyloggers first appeared, but since 2000 the number of keyloggers has grown very rapidly.

Conclusion: The operation of Internet Banking systems faces many information security risks and challenges, on both the bank's side and the customer's side. The above are a few of the challenges I learned about while researching the field of Internet Banking; some risks are old while some are current, so the events cited occurred at various dates from 2005 to 2010.

Chapter 3: Security solutions in Internet Banking

Information security in banking in general and Internet Banking in particular is a broad field that requires comprehensive security systems made up of many complementary security solutions to ensure maximum safety for the system. Below are some solutions commonly used in Internet Banking systems:

3.1. Building a strong authentication system

3.1.1. Concept

The traditional method of authenticating users by account name and password has been in use for a very long time and has revealed many shortcomings; today it is considered a weak authentication method because attackers can steal the user's account name and password in many ways, such as:
- High-tech methods: trojans, keyloggers, fraud in the form of phishing or pharming.
- Manual methods: eavesdropping, illegal theft of information, fraud that exploits the customer's trust.

Nevertheless many banks offering internet banking still accept authentication by account name and password, and this is a weakness many attackers target.
To address the limitations of the classic authentication method above, many new authentication methods have emerged to strengthen security for customers as well as for the bank's services. Strong authentication systems usually rely on the following three basic factors:
- Something the user knows: a password, a PIN number, etc.
- Something the user has: physical devices such as a token, a smartcard, or a phone.
- Something the user is: the user's biometric characteristics that identify them uniquely, such as fingerprints or iris.

Figure 13: Two commonly used authentication factors

Multi-factor authentication systems have many advantages over the earlier username-and-password systems:
- They raise security to a higher level, safer for both the bank and the customer.
- They guard against phishing and pharming attacks: using several authentication factors at once makes a password stolen through phishing or pharming meaningless, because the remaining authentication factors are still missing.
- They can provide non-repudiation for transactions, which is not available with the earlier single-factor method.
- Multi-factor authentication makes the authentication process a two-way interaction.
- They are more convenient for users, who no longer have to remember or manage a string of passwords as before but only use the devices the bank provides (token, smart card, etc.).

3.1.2. Authentication with one-time passwords (OTP)

There are many multi-factor authentication solutions, but in practice most banks use one-time password authentication because it has many advantages and suits the needs of banks and customers better than other authentication systems.

a. The concept of the one-time password (OTP)

Everyone is familiar with the concept of a password as a secret string of characters used to log in to a system; a one-time password is also a kind of password but has some special properties: it can be used to log in for only one session and is valid only for a certain period of time. One-time passwords were created to counter some common attacks on ordinary static passwords, such as replay attacks. One-time passwords reduce security risk and at the same time do not require the user to memorise them, though they need some supporting technology. Moreover, deploying one-time passwords is easy and low-cost compared with some other methods while still ensuring user safety.
However, OTP still does not protect users against man-in-the-middle attacks.

Figure 14: Using a one-time password to log in.

b. Methods of generating OTPs

One-time passwords are generated by a random-number algorithm; this is mandatory, because with other methods the password could easily be guessed from previous passwords. Some methods of generating one-time passwords:

*Time-synchronised method

The time-synchronised method usually involves a password-generating device, the token. Each user is given a token containing an accurate clock synchronised with the time of the central authentication server. In this method the one-time password is usually generated as the output of a hash function with two inputs: the secret key shared between the user and the manufacturer, and the time parameter.

*Algorithmic method

Each new one-time password can be generated from the one-time passwords used before it. A one-way function is commonly used; call it f, with an initial seed s. The passwords generated are f(s), f(f(s)), f(f(f(s))), and so on. A one-way function makes it easy to compute f(s) from s but very hard to recover s from f(s) (some one-way functions common in security are SHA1 and MD5). Therefore the list of one-time passwords handed to the user is arranged in reverse order, from the first password to the last: from f(f(...f(s))...) down to f(s). If a thief obtains one password, they can only use it for a certain period, after which the password becomes useless. A thief who wants to keep breaking into the system needs the next password in the list and must find a way to compute the inverse function f^-1, which is hard both mathematically and computationally.

c. Methods of distributing OTPs

*Distribution via SMS

A simple technology that is easy to deploy while still achieving a certain level of safety, so it is used fairly widely by banks in Vietnam. A common technology for distributing one-time passwords is the SMS messaging system. Because SMS is a very widespread communication channel, readily usable by a large number of customers, SMS has great potential to reach all customers at a low implementation cost. Although the cost of SMS is low, for the segment of customers who need passwords many times the cost becomes quite high, so SMS distribution is not suitable for this group.
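Both generation methods described above can be shown in a few dozen lines. The following is an added example, not code from the thesis or from any token vendor: the time-synchronised part computes an HMAC over the shared secret and the current time step and truncates it to six digits (the construction R
FC 6238 standardises), with a tolerance of one step on either side for the clock drift the text mentions; the algorithmic part builds the chain f(s), f(f(s)), ... and has the server accept values in reverse order, keeping only the last accepted value, so a captured password cannot be replayed. The shared secret, seed and time values are constructed; SHA-256 is used for f in place of the SHA1/MD5 the text names.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret; in practice it is provisioned into the token and the server.
SECRET = b"constructed-shared-secret-0123"


# --- Time-synchronised OTP: hash of (shared secret, time step) ---------------------------
def time_otp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Six-digit code for the 30-second window containing unix_time (HMAC-SHA1 + truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_time_otp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step and +/- skew steps (token and server clocks drift)."""
    return any(hmac.compare_digest(time_otp(secret, unix_time + k * step, step), code)
               for k in range(-skew, skew + 1))


# --- Algorithmic OTP: hash chain used in reverse ------------------------------------------
def f(x: bytes) -> bytes:
    """The one-way function of the text; SHA-256 here, the text names SHA1 and MD5."""
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [f(s), f(f(s)), ..., f^n(s)]; the user is given this list and consumes it backwards."""
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class ChainVerifier:
    """Server side: stores only the last accepted value, initially f^n(s)."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, candidate: bytes) -> bool:
        # The next valid password p must satisfy f(p) == current; nothing older can pass again.
        if hmac.compare_digest(f(candidate), self.current):
            self.current = candidate
            return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = time_otp(SECRET, now)
    print("time OTP:", code, "valid now:", verify_time_otp(SECRET, code, now))

    chain = make_chain(b"constructed-seed", 5)   # f(s) .. f^5(s)
    server = ChainVerifier(chain[-1])             # server holds f^5(s)
    print("first login with f^4(s):", server.verify(chain[-2]))
    print("replaying f^4(s):", server.verify(chain[-2]))
```

The replay protection is the point of the chain: once f^4(s) has been accepted, the server's stored value moves to f^4(s), so the only value that now verifies is f^3(s), which the thief does not hold and cannot compute without inverting f.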
One-time passwords sent via SMS can also be encrypted with the A5/x standard against hacker attack; once encrypted, the password can hardly be cracked within a few minutes, by which time it has expired. Apart from the risk of hacker attack, this form of distribution forces us to trust the mobile service provider; when the user is roaming we have to trust several providers and may be exposed to man-in-the-middle attacks.

*Distribution via mobile phone

Using mobile phones keeps the overall cost low, since most customers already use a mobile phone, compared with the method of using a separate password-generating device. The computing and storage capacity needed for one-time passwords is usually negligible compared with the smartphones common on the market. Some authentication systems based on mobile phone software, such as FiveBarGate or FireID, make generating passwords and authenticating users easy. However, this form also runs into some security problems, such as the phone being lost, destroyed or stolen.

*Distribution on proprietary tokens

Some token types in widespread use are RSA Security's SecurID, Identia and NagraID. These devices can also be lost, stolen or damaged. They come in the form of a key fob or a credit card. Token authentication currently offers the highest reliability and has begun to be used by large banks in Vietnam such as HSBC, Techcombank and ACB.

Figure 15: OTP distribution devices

*Distribution on random matrix cards

This is a simple form of authentication, used when the customer is unable to use the forms above (SMS, hardware token). The bank issues the customer an authentication card printed with a matrix of rows and columns containing random values. Each time they authenticate, the customer must enter the number at the row and column coordinates requested by the bank. The requested coordinates of the authentication code change after each login so that the probability of the password values repeating is as low as possible.

3.2. Building a firewall system

3.2.1. Firewall basics

a. Concept

A firewall is a part of a computer system or network designed to block unauthorised access while permitting authorised access. It is a device or a set of devices configured to permit or deny traffic based on a set of rules and other criteria.
A firewall can be a hardware device or software, or a combination of both. A firewall is usually placed between two computer networks (typically the internal network and the outside network) to inspect the traffic passing through it. A firewall can inspect all traffic flows to ensure unauthorised flows cannot penetrate the system. One point to note is that a firewall offers no protection in the following cases:
- Destructive actions or unauthorised access originating from the internal network (the trusted zone).
- Permitted accesses that have malicious intent, because once such access has been authenticated and authorised it is allowed to do everything within its authority.
- Every malicious attack: attackers can exploit vulnerabilities in service ports to which access is permitted by the firewall.

b. Firewall classification

*Classification by technology

a. Packet-filtering firewalls

Packet-filtering firewalls work at the network layer of TCP/IP; this firewall does not let packets through unless they satisfy certain rules. These rules may be set by the administrator or be implicit in each firewall. They are divided into two types: stateful firewalls and stateless firewalls.

Stateful firewalls: keep information about active sessions and use this information to speed up packet processing. The firewall describes a network connection by a number of attributes such as source address, destination address, TCP or UDP port and the current state of the connection (connection start, handshake, data transfer or completed). If a packet does not match any existing connection, it is evaluated against the rules for new connections. If the packet matches an existing connection, based on comparison with the firewall's state table, it is allowed through the firewall without further processing. This firewall needs more memory but works quite efficiently.

Stateless firewalls: in contrast to stateful firewalls, stateless firewalls store no session information and therefore need less memory. Packets passing through the firewall are filtered by simple rules, which takes less time than the session lookup of a stateful firewall. This stateless firewall is needed for processing packets of stateless connection types such as HTTP. However, it cannot make complex decisions based on connection sessions as a stateful firewall can.
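The difference between the two packet-filter types above is easiest to see on a handful of packets. The following is an added example, not code from the thesis or from any firewall product: a stateless filter that only sees one packet at a time, and a stateful filter that keeps a connection table, both applying the same policy (customers may only reach the banking server on TCP port 443). The addresses, port numbers and packets are constructed for the example; the stateless filter needs an explicit "reverse" rule for the server's replies, and that rule is exactly what lets an unsolicited packet with source port 443 through, which the stateful filter drops because no connection opened it.

```python
from collections import namedtuple

# proto, source, source port, destination, destination port, TCP SYN flag, TCP ACK flag
Packet = namedtuple("Packet", "proto src sport dst dport syn ack")

BANKING_SERVER = "203.0.113.10"   # hypothetical Internet Banking web server


def stateless_decision(pkt: Packet) -> str:
    """Stateless rules judge each packet alone: allow TCP to the bank on 443, and its replies."""
    to_bank = pkt.proto == "tcp" and pkt.dst == BANKING_SERVER and pkt.dport == 443
    # Without state, replies can only be admitted by trusting the source port, which anyone can set.
    from_bank = pkt.proto == "tcp" and pkt.src == BANKING_SERVER and pkt.sport == 443
    return "allow" if (to_bank or from_bank) else "drop"


class StatefulFilter:
    """Keeps a state table keyed by the 4-tuple; only packets of known connections skip the rules."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) -> "syn_sent" | "established"

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            # Part of a connection we saw being opened: pass without re-evaluating the rules.
            if pkt.syn and pkt.ack and reverse in self.table:
                self.table[reverse] = "established"   # SYN/ACK from the server completes the handshake
            return "allow"
        # New connection: only a client SYN towards the banking service on 443 may create state.
        if (pkt.proto == "tcp" and pkt.syn and not pkt.ack
                and pkt.dst == BANKING_SERVER and pkt.dport == 443):
            self.table[key] = "syn_sent"
            return "allow"
        return "drop"


def run_trace(packets, fw: StatefulFilter) -> list:
    """Return (stateless, stateful) decisions for each packet, in order."""
    return [(stateless_decision(p), fw.decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a real handshake, then an unsolicited SYN/ACK that forges source port 443.
    trace = [
        Packet("tcp", "198.51.100.5", 40000, BANKING_SERVER, 443, True, False),   # client SYN
        Packet("tcp", BANKING_SERVER, 443, "198.51.100.5", 40000, True, True),    # server SYN/ACK
        Packet("tcp", BANKING_SERVER, 443, "198.51.100.9", 5555, True, True),     # no such connection
        Packet("tcp", "198.51.100.5", 40001, BANKING_SERVER, 80, True, False),    # plain HTTP, not allowed
    ]
    for pkt, (stateless, stateful) in zip(trace, run_trace(trace, StatefulFilter())):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={stateless}  stateful={stateful}")
```

The third packet is the instructive one: both filters implement "only port 443 to the bank", but only the filter with a state table can tell a reply from a packet that merely claims to be one.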
Modern packet firewalls can filter network traffic based on many packet attributes such as source IP address, destination IP address, source port and destination port. They can also filter on protocol fields such as the TTL (Time To Live) value and many others.

b. Application-gateway firewalls

This firewall operates at the application layer of TCP/IP (for example the traffic of a web browser, a telnet application or FTP), and can block traffic to and from these applications. By inspecting packets, an application firewall can limit and block the spread of viruses and trojans on the network. The more thorough the inspection, the higher the delay for packets reaching their destination.

*Classification by purpose

a. Server firewalls

A server firewall is installed directly on servers to block unauthorised access to the server from other computers on the network. Usually this kind of firewall is a software firewall built into the operating system (the well-known ISA firewall in Microsoft Windows Server) or can be bought from other vendors.

b. Personal firewalls

Installed on the user's personal computer to protect it from attacks by other computers on the network; built into the operating system or supplied by software vendors, with features simpler and more limited than those of a server firewall.

c. Network-gateway firewalls

Usually placed at the network gateway to monitor traffic entering and leaving the network and control access between networks. Network-gateway firewalls are typically used to control customers' access to the internet banking system or employees' access out to the internet.

*Classification by construction

a. Hardware firewalls

Hardware devices with the firewall function built into the processors, from well-known vendors such as Cisco and Juniper. They have many advantages over software firewalls, such as very fast processing and not creating a bottleneck in the network, but upgrade and update capabilities are usually limited and the price is quite high.

b. Software firewalls

Firewall software that usually runs on servers acting as firewall servers, supplied by well-known vendors such as Check Point. Software firewalls were initially slower than hardware firewalls, but thanks to rapid growth in processor speed they have overcome this weakness and are comparable to hardware firewalls.
Moreover, software firewalls can be upgraded and updated flexibly in real time, keeping the system running without interruption even during upgrades, and they are also more affordably priced than hardware firewalls.

3.2.2. How to choose a firewall system for internet banking?

There are many different firewall devices and software products on the market, which makes choosing a suitable product far from easy; let us look at the criteria for choosing a firewall for an internet banking system.

a. Firewall performance

Speed is one of the top selection criteria when comparing firewalls. A firewall's speed is expressed by its processing bandwidth (throughput) per unit of time, which manufacturers calculate under ideal conditions in Mbps (megabits per second) or Gbps (gigabits per second). Since real-world speed is usually less than 50% of the ideal speed the manufacturer publishes, the system's network traffic and the possibility of future expansion and upgrades must be weighed when choosing. The number of concurrent connections is another parameter to consider; a firewall only works effectively when it can serve all connections with low delay, and if the number of concurrent connections it can handle is low, system latency rises and so does the risk of a DDoS denial-of-service attack.

b. Connectivity

The number of ports must cover the following needs:
- Ports connecting to the network zones.
- A management port for monitoring system activity.
- Backup network ports for the above ports.
- A port for state synchronisation between devices.

c. Features

Firewalls today no longer play just the firewall role they had when they first appeared; manufacturers usually integrate many other functions to make deployment more convenient for users. Some features commonly integrated in firewall devices include:
- Virtual private network (VPN): usually using SSL or IPSec technology, providing secure encrypted connections in site-to-site or remote-access form.
- Bandwidth management (Quality of Service): helps configure bandwidth to suit the needs of each specific device or user group.
- A dedicated firewall for web applications: with deeper inspection mechanisms for specific web applications, helping web applications run safely and efficiently.
- Intrusion prevention: helps the administrator prevent attacks on the system effectively.
Mt s tnh nng khc nh chng virus, spam, URL fillter gip ngi qun l c thm ty chn tng cng an ninh cho h thng. Vic la chn tng la ph hp vi h thng ca mnh khng ch xem xt cc tnh nng trn m cn phi xem xt mt s c im quan trng gip tng la bo v h thng ca mnh hiu qu trong thc t: Tng la c kh nng hiu v phn bit cc giao thc v ng dng mng cng nhiu th cng tng mc an ninh cho h thng. Cc tng la hin i c kh nng phn bit ti hn 200 ng dng v giao thc khc nhau, cc giao thc v ng dng c h tr tng theo tc pht trin ca cc ng dng trong thc t. Mt s ng dng c bn c cc tng la phn bit nh MSN, Yahoo, Skype, Torrent, Google Talk Vic h tr nhiu ng dng gip ngi qun tr c th nh ra cc lut mt cch cht ch gip qun l hot ng ca nhn vin trong h thng cng nh cc khch hng . Tng la kim sot trng thi ngoi vic phn bit c nhiu ng dng v giao thc cn phi c kh nng kim sot trng thi cho cc giao thc khc TCP nh UDP, IP Kim sot cc kt ni theo cc rule thit lp sn nhm tng tnh an ton cho h thng. Cc lut ny phi c kim sot mt cch cht ch, v du nh rule xc nh ch cho php ngi dng duyt web khi truy cp vo trang web internet banking vi giao thc tcp cng 443 vi chun TLS 1.0 th tt c cc truy cp khng dng ng cng, giao thc v chun trn u b drop. d. H tr cn bng ti v sn sng cao i vi mt mng nh vi cc ng dng thng thng th ngi ta c th ch s dng mt tng la n nht l c th p ng c nhu cu ca ngi s dng nhng vi mt h thng Internet Banking ln ca mt ngn hng th mt tng la duy nht l khng cho yu cu ca ngi qun tr. Vi cc h thng Internet Banking quan trng cn trin khai nhiu tng la chy song song nhm tng tc x l v phng trnh trng hp mt trong nhiu thit b ngng hot ng. Cc tng la c kh nng hot ng ng thi vi nhau s l u th i vi h thng ln v sn sng cho kh nng m rng trong tng lai. m bo cho nhu cu v tc vi lng ngi s dng ln v c th truy cp ng thi nh h thng Internet Banking th cc ngn hng thng thu cng lc nhiu ng truyn tc cao t cc ISP khc nhau nn tng la cn c kh nng cn bng ti v lun sn sng kt ni vi ng truyn d phng khi cc ng truyn khc gp s c. e. 
e. Intuitive, easy administration

The administration function is an essential companion of a strong firewall, yet in practice it is not given the weight it deserves. Many system administrators believe it is unnecessary because a firewall only needs to be set up once and left running, with no regular administration or monitoring. That view is entirely mistaken: a good firewall always comes with a strong management system, and that system multiplies the firewall's power when the administrator has good knowledge and skills. Basic features that a firewall management system must have include:
- Policy management: a simple and effective policy management mode, with policies authored and stored centrally so that they are consistent across the whole system. Add-on features such as anti-virus, anti-spam, VPN and IPS should also be managed from the same management system, to keep policy uniform and make the administrator's job easier.
- Logging: a real-time, intuitive logging and log-monitoring mode for every connection into the system; the firewall should also allow suspicious connections to be blocked straight from this log-monitoring interface. The logs need a retention and backup mode to support investigation when an incident occurs.
- System monitoring: a view of the firewall's operating status and of the connections passing through it in real time, from which the administrator can order suspicious connections blocked without changing the security policies.
- Fast response: management components ready to deploy, and management operations carried out quickly.

f. Operation, technical support and maintenance

A good firewall should make it easy for users to operate it and troubleshoot it with tools such as a policy editor, monitoring views and backup. It should support copying its configuration, and should support a simulated firewall configuration on a computer so that policies can be tested before they are applied in production. It should be easy to maintain when an incident occurs; widely used firewalls are preferable because broad community support is available when something goes wrong.

g. Other

Beyond the criteria listed above, selecting a firewall for an Internet Banking system also calls for considering the following:
- Compatibility with the other devices in the system: a system that uses devices from fewer vendors is more stable.
- Consult beforehand the evaluations of the device you are choosing published by reputable organizations that have tested it in practice, because there is a wide gap between the manufacturer's advertising and the actual product.

3.2.3. Firewall model for an Internet Banking system

In practice, firewalls for an Internet Banking system are usually deployed as two separate firewall layers.

Figure 16: Web service servers placed in the DMZ, the data center placed in the Intranet zone.

- The first firewall layer is the outer perimeter, protecting against access from the Internet to the applications of the Internet Banking system.
- The second firewall layer controls the activity of Intranet users towards the Internet Banking applications, and at the same time is the second line of firewall preventing users from reaching the database zone. This layer has a stricter access policy than firewall layer 1.

3.3. Building an Intrusion Prevention System (IPS)

The firewall is the first checkpoint protecting a bank's Internet Banking system, but a firewall controls network connections only by analyzing packet headers; malicious content and security risks carried in the data portion are not analyzed, so firewalls alone cannot fully secure the system. That is why banks usually pair an intrusion prevention device with the firewall to protect their systems.

3.3.1. What is an IPS device?

An intrusion prevention device analyzes the entire traffic stream, inspects the data and detects malicious code carried in the packet payload. A complete IPS system usually comprises the following components:
- A network-layer IPS device (the most important component, and mandatory).
- IPS software installed on servers.
- A centralized management component.
- A vulnerability management system (optional extra).

3.3.2. How an IPS works

Figure 17: Description of the operating mechanism of an IPS.

Network traffic passing through the IPS is first classified by packet header according to preset classification rules. Based on this initial classification, the traffic then passes through the corresponding filters as shown in the figure; each filter analyzes one kind of packet against a particular set of rules, packets that match a rule are marked and discarded at step 4, and the related state information is updated at the same time. The network-layer IPS device is usually configured to operate inline with high throughput and the capacity to handle a large number of simultaneous connections, so that it meets the requirement of protecting the system without affecting the operation of the Internet Banking services.

Virtual patching technology: for an Internet Banking system, service availability is critical, and the system must serve customers 24/7.
Yet operating system and software vulnerabilities are continually being fixed by security patches, and a system that is not updated in time faces the risk of zero-day attacks targeting those vulnerabilities. Some IPS products with virtual patching technology let the administrator shield the system from security flaws while waiting for it to be taken down for maintenance and updated with the official security patches.

Figure 18: Virtual patching function.

Vulnerability management system: an option of the IPS system that lets the administrator scan the system to discover security flaws and weaknesses that could be exploited. Combined with the IPS, the vulnerability management system helps the administrator determine which weaknesses need patching and how well the IPS protects against attacks on them.

3.3.3. Choosing an IPS for an Internet Banking system

IPS products are plentiful, with many choices from different vendors, and the market share of IPS devices compared with traditional protective devices such as firewalls and anti-virus keeps growing, which shows the demand for this product group.

Figure 19: IPS share of the network security device market.

With the ever faster growth of the IPS market, the IPS has become an indispensable part of banks' Internet Banking systems. As IPS devices grow more complex at that pace, choosing a good one comes down to its ability to protect proactively, stopping attacks before they affect the Internet Banking system. An IPS that can detect and protect ahead of security threats is a high-performance system that delivers good security protection built on research into security threats and vulnerabilities.
Today's IPS systems can analyze a large number of network protocols and file formats and use many methods of analysis and attack recognition; the IPS protects the system against attacks such as application attacks, cross-site scripting attacks, data leakage, attack obfuscation, DoS and DDoS attacks, drive-by downloads, insider threats, instant messaging, malicious files, operating system attacks, SQL injection, web browser attacks and web server attacks. The IPS not only protects the system against attacks from the outside network but also guards it against other threats from the internal network zones inside the bank. The IPS is used to separate the Internet Banking zone from the other network zones in the bank's network, so that the Internet Banking system is protected against attacks, exploitation of security weaknesses, or malware infection originating from the internal zones themselves.

a. Performance criteria

In operation the IPS should be completely transparent in the network environment and must not affect the system's operation. Performance is evaluated through the following capabilities:
- High performance: the network-layer IPS device operates like a switch or router while still blocking attacks on the system.
- The ability to operate inline.
- High reliability: no incidents or faults over long periods.
- High availability: the device must be able to fail open when it has a fault, so as not to affect the bank's Internet Banking system.
- Low latency: the most important criterion for a network-level IPS device; low latency ensures the system's operation is not affected. Among the IPS devices on the market, the IBM ISS IPS line is one of the products with the lowest latency.
- Flexibility and ease of change: the ability to serve a large number of user sessions and transactions without affecting the system's operation.

b. Protection criteria

The ability to protect the system against attacks is a very important criterion for an IPS. Attackers usually have a whole range of tools aimed at gaps in the system, so the IPS device likewise needs a whole range of tools to counter attacks. The IPS device's attack prevention tools rely on two techniques: identification and analysis.
The identification technique comprises tools that let the IPS know exactly which protocols it encounters when analyzing network traffic; the analysis technique identifies protocols with suspicious behaviour and decides whether they are blocked or allowed through. A good IPS must be equipped with many identification and analysis methods operating simultaneously to block both known and unknown attacks. Basic techniques an IPS needs include:
- Port assignment
- Port following
- Heuristics
- Pattern matching
- Protocol tunnelling
- TCP reassembly
- Flow reassembly
- Statistical analysis
- RFC compliance

c. Security threat research criteria

Against the relentless development of new forms of attack, a good IPS must be kept continually updated to meet the requirement of blocking attack threats proactively. Not every manufacturer, however, has the research resources to fully develop protections against newly emerging threats. Common approaches to research into security threats and vulnerabilities are:
- Reactive research
- Proactive research
- Global event monitoring
- Information-sharing partnerships

When selecting an IPS device, choose a manufacturer with an effective capacity to research and update security threats, so that it can deliver effective attack prevention functions. The IBM ISS security research and development team is rated by most experts and customers worldwide as one of the most effective vulnerability research organizations, and IBM ISS products are consistently recommended for Internet Banking systems worldwide that require high security.

3.4. Building a Web Application Firewall (WAF)

3.4.1. Why build a web application firewall?

Internet Banking is a system built on web-based applications, and the web system serving Internet Banking customers faces many attack risks, such as:
- Attacks exploiting system weaknesses such as missing input validation, insecure session management, configuration errors, or flaws in the web server's operating system.
- Many forms of attack on web applications, such as cross-site scripting and SQL injection.

Weaknesses commonly found in web applications are:
- Operating systems and web server software usually have many flaws and need patches applied regularly, and many banks lack the staff to review the flaws in their systems.
- Under pressure to roll out more web applications to compete with rivals, banks often lack the time needed to test the applications and to plan their deployment in a detailed, safe way.
- Most banks have already deployed solutions such as intrusion prevention systems and firewalls, but these cannot stop this kind of attack (attacks targeting programming or software flaws) on web applications.

3.4.2. The concept of a web application firewall

A web application firewall is a solution for securing web applications; it may be a hardware device or software and is usually deployed directly behind the firewall and intrusion prevention system to protect web servers or database servers.

Figure 20: Simulation of the SecureSphere web application firewall protecting the database server and the DMZ.

3.4.3. How a web application firewall works

Figure 21: Description of the operation of a NetContinuum application firewall.

A web application firewall (WAF) has two main security models (a WAF may use either one or both):
- Positive security (active): the WAF examines the traffic and allows only the connections it has inspected and determined to be good; all other connections are blocked.
- Negative security (passive): the WAF allows all connections and blocks only malicious content.

WAF devices have several different deployment modes; which modes a device supports is decided by the manufacturer. Some WAF deployment modes are:
- Reverse proxy: the WAF operates inline and has its own IP address, acting as an intermediary between client and server (it receives requests for the server, processes them and returns the response to the client, blocking invalid connections). Operating in this mode, however, changes the network architecture and adds latency to the responses.
- Transparent proxy: the WAF operates much like a reverse proxy but needs no IP address; it works transparently between client and server, so deployment is easy and the network architecture is unchanged.
- Layer 2 bridge: the WAF sits between the firewall and the web server and operates like a layer 2 switch, changing neither the network architecture nor the network's operation.
- Network monitor: the WAF only listens to and processes incoming connections via a monitoring port; this mode is usually used to test a web application firewall before deploying it for real.
- Host-based or server-based: a software web application firewall installed on the server to protect it from attack; because it uses the server's own resources it slows the network, so speed must be weighed carefully before deploying this form of WAF.

Other features that web application firewalls support include:
- SSL acceleration: speeds up SSL encryption for the HTTPS protocol, which is widely used by banks' Internet Banking services.
- Caching: when acting as a proxy, the WAF uses a cache to speed up frequently accessed URLs.
- Compression: content compression, reducing the load on the link.
- Load balancing.

3.4.4. Choosing a suitable WAF for an Internet Banking system

The market now has quite a few WAF vendors, from open-source software such as ModSecurity to commercial products from NetContinuum, Imperva and F5, so banks find it rather hard to choose a product that fits their systems. A good WAF product should satisfy the following criteria:
- Meets the PCI DSS security standards (the security standard issued by the PCI Security Standards Council to secure banking systems).
- Blocks attacks targeting the top 10 web application weaknesses published annually by OWASP (reference: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
- Analyzes connections and responds (allow, alert, block) according to security policies and rules.
- Can operate in both the positive and the negative model.
- Supports common protocols and formats such as HTML, DHTML, CSS, HTTPS, SSL, as well as SOAP and XML.
- Has data loss prevention.
- Resists attacks against the web application firewall itself.
- Blocks session token tampering.
- Automatically updates itself and applies security patches from the manufacturer.
- Analyzes and blocks attacks over any protocol or data format that the web application uses or that carries information to the web application.
- Can fail open or fail closed depending on the system's security policy.

3.5. Deploying an anti-malware system

Computer viruses in particular and malicious programs in general are a threat to any information system, Internet Banking included. With more and more malware targeting banking activities, deploying an anti-malware protection system for the Internet Banking service is increasingly urgent.
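To make the positive and negative security models of 3.4.3 (and the 3.4.4 requirement that a WAF support both) concrete, here is an added Python example, not code from the thesis or from any WAF vendor: the same four constructed requests are judged under each model. The endpoints, parameter formats and signatures are assumptions for illustration.

```python
"""Added example (not vendor code): the two WAF security models of 3.4.3
applied to requests for a constructed Internet Banking application.
Positive model: a whitelist of the exact parameters each endpoint accepts;
anything outside it is blocked. Negative model: everything is allowed unless
a known-bad signature matches. Endpoints, formats and signatures are constructed."""
import re
from urllib.parse import parse_qs

# Positive model: (method, path) -> {parameter: accepted format}.
POSITIVE_MODEL = {
    ("POST", "/ib/transfer"): {
        "to_account": re.compile(r"^\d{10,16}$"),
        "amount": re.compile(r"^\d{1,12}(\.\d{1,2})?$"),
        "otp": re.compile(r"^\d{6}$"),
    },
    ("GET", "/ib/balance"): {
        "account": re.compile(r"^\d{10,16}$"),
    },
}

# Negative model: a few classic signatures for the attack classes named in 3.4.1.
NEGATIVE_SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("sqli-comment", re.compile(r"(--|/\*)")),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
]


def parse_request(request_line: str, body: str = ""):
    """Split 'METHOD /path?query HTTP/1.1' (plus form body) into method, path, params."""
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    raw = query if method == "GET" else body
    return method, path, parse_qs(raw, keep_blank_values=True)


def positive_check(method, path, params):
    """Allow only what the model describes; unknown endpoints or fields are blocked."""
    model = POSITIVE_MODEL.get((method, path))
    if model is None:
        return "block", f"no model for {method} {path}"
    for name, values in params.items():
        if name not in model:
            return "block", f"unexpected parameter {name}"
        if any(not model[name].match(v) for v in values):
            return "block", f"parameter {name} outside expected format"
    missing = sorted(set(model) - set(params))
    if missing:
        return "block", f"missing parameters {missing}"
    return "allow", "request matches positive model"


def negative_check(method, path, params):
    """Allow everything except values matching a known-bad signature."""
    for name, values in params.items():
        for v in values:
            for sig_name, pattern in NEGATIVE_SIGNATURES:
                if pattern.search(v):
                    return "block", f"{sig_name} in parameter {name}"
    return "allow", "no signature matched"


def inspect(request_line: str, body: str = "", mode: str = "positive"):
    """Return (verdict, reason) for one request under the chosen model."""
    method, path, params = parse_request(request_line, body)
    check = positive_check if mode == "positive" else negative_check
    return check(method, path, params)


# Constructed requests: a legitimate transfer, an injection attempt, a transfer
# carrying an undocumented parameter, and a page the positive model does not describe.
REQUESTS = [
    ("POST /ib/transfer HTTP/1.1", "to_account=1234567890&amount=250.00&otp=483920"),
    ("POST /ib/transfer HTTP/1.1", "to_account=1'+OR+'1'='1&amount=250.00&otp=483920"),
    ("POST /ib/transfer HTTP/1.1", "to_account=1234567890&amount=250.00&otp=483920&debug=1"),
    ("GET /ib/help?topic=fees HTTP/1.1", ""),
]


def verdicts(mode: str) -> list:
    """Verdict for each constructed request under one model, in order."""
    return [inspect(line, body, mode)[0] for line, body in REQUESTS]
```

The third and fourth requests show the trade-off the thesis alludes to: the negative model passes the undocumented parameter because no signature matches it, while the positive model blocks the harmless help page because nobody modelled it, so a bank running the positive model must keep the model current with every application release.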
The common scenario when malware attacks a system usually goes through these steps:
- Step 1: The malware looks for weaknesses and vulnerabilities in the system in order to infiltrate it.
- Step 2: Having infiltrated the system, the malware tries to spread widely across the whole system and begins behaviour that endangers the system's safety.
- Step 3: The malware hides inside the system, evading destruction by anti-virus software, and waits for the opportunity to launch new attacks.

To cope with increasingly sophisticated malware attacks, an overall prevention strategy combined with a strong anti-malware system is needed. The third-generation Enterprise Protection Strategy (EPS) from Trend Micro is an effective anti-malware model used widely around the world and highly rated by experts and customers alike. Let us examine how this strategy's four phases work.

3.5.1. The third-generation EPS anti-malware strategy

*Phase 1: Vulnerability defence

The task of this phase is to protect the system's vulnerabilities and weaknesses that malware usually exploits to attack. This requires a vulnerability scanning system, updates of the patches for operating system, browser and application software flaws, and in addition a system for managing anti-malware work that monitors and enforces the anti-malware policies that have been set.

*Phase 2: Outbreak prevention

In this phase the malware has already infiltrated the bank's network, and the task now is to stop it spreading widely within the system. Today's malware is programmed very cleverly and can spread across the whole system in a very short time if the anti-virus system lacks effective outbreak prevention. The traditional method of anti-virus software is to detect and destroy viruses by signature: if a virus entering the system is already in the software's database, it is destroyed right at this phase. But if the virus is a newly appeared variant, traditional anti-virus software cannot detect and destroy it immediately; it needs time for an update from the vendor, during which the virus can break out across the entire system, causing network congestion and actions harmful to the system's security. This phase therefore needs more effective anti-virus tools using advanced methods that can stop the virus spreading; such a tool must receive new virus signatures quickly and must also recognize malware by its behaviour, so that it can act in time to deal with a new virus effectively.

*Phase 3: Scanning and removing malware from the system

The work of this phase is to combine software to remove completely the malware that has spread in the system. Where administrators used to care only about desktop anti-virus products, with removable media as the source of infection, today with the growth of the Internet the main source of infection is the network, so comprehensive measures are needed to solve the problem at its root rather than just removing malware on individual desktops. Moreover, today's malware is designed very cleverly: it can hide in the system, evade anti-virus software and wait for the chance to break out again, so removing it at the root requires scanning and cleaning across the whole system, not just on individual machines. A comprehensive malware removal suite includes software that finds and removes malware at the Internet gateway, on the mail server and on client machines; operating together, these programs give high effectiveness in scanning and removing malware.

*Phase 4: System recovery and reassessment

Even after the malware has been destroyed and the system fully cleaned, a malware attack leaves certain consequences. Malware usually attacks operating system files and the registry and leaves junk files in the system. In some cases a virus can damage operating system and application files beyond repair, so a backup solution is needed to restore the system to its original state. The tools supporting this phase help the user clean up the junk left by the malware and repair the registry and operating system files so that the system can work normally again.
3.5.2. Some anti-malware tools following Trend Micro's EPS strategy

Matching the phases laid out in the EPS strategy, Trend Micro provides a product for each phase:

*Product for assessing and defending vulnerabilities in the system: Network VirusWall Enforcer is the tool suited to phase 1 of the EPS strategy. It checks the state of the system and its unpatched security flaws, ensures that the system always has the latest patches installed, and prevents viruses from exploiting these vulnerabilities to enter the system.

*Product for preventing malware outbreaks in the system: Trend Micro's anti-malware products include the Outbreak Prevention Services function, which when active has the following effects:
- Provides security policies for the system to isolate and limit a virus outbreak.
- Detects signs of a virus outbreak in the network and quickly updates Trend Micro's outbreak prevention policies (Trend Micro issues outbreak prevention policies within 15 minutes of detecting malware with a high outbreak potential worldwide).
- Assesses the danger level of threats so that the administrator can set definite priority policies.
- Deploys countermeasures against specific threats, by automatic or manual policies, to specific network devices and endpoints.
- Blocks virus propagation mechanisms such as spreading through executable files and email attachments, and blocks ports and download sources.
- Speeds up consistent deployment of countermeasures across the whole network.

*Product for scanning and removing viruses:

Figure 22: The set of Trend Micro anti-malware products.

InterScan VirusWall, with a market share of 54% (according to IDC figures), is ranked first in the market for Internet gateway anti-virus products and in content-based security technology. InterScan VirusWall is a solution that protects company systems from viruses at the Internet gateway and consists of 3 components:
- InterScan Email VirusWall
- InterScan FTP VirusWall
- InterScan HTTP VirusWall
It also integrates InterScan eManager, which filters email by content, blocks spam and manages bandwidth. These components fight malware at the gateway level, scanning HTTP and FTP streams for viruses and also controlling network users' access to sensitive URLs.
Besides the InterScan component, which plays the main role, Trend Micro also provides several other products, such as:
- Trend Virus Control System: a management system that helps the administrator set configuration, define security policies and control the other Trend products installed in the system.
- ScanMail: scans mailboxes for viruses, supporting common mail servers such as MS Exchange and HP OpenMail.
- ServerProtect: detects and removes viruses on servers, supporting the common server operating systems without reducing the operating system's performance.
- OfficeScan Corporate Edition: deploys anti-malware protection to every employee in the company, with centralized management and easy configuration so that the administrator can remove viruses effectively on each desktop without reducing its performance.

*Product for system recovery and assessment: besides scanning and removing viruses, OfficeScan also cleans up junk files left in the system by viruses, trojans and spyware, repairs system files and restores a registry damaged by a virus.

3.6. Deploying digital signatures and digital certificates

3.6.1. Security requirements of Internet Banking transactions

Internet Banking transactions must guarantee the following security properties:
- User authentication
- Transaction integrity
- Non-repudiation of the transaction
- Confidentiality of the transaction

Only a solution that applies digital signatures and digital certificates can meet them. In Vietnam a number of banks have already applied digital signatures and certificates to Internet Banking transactions (ACB bank, when an electronic certificate stored on a smart card is used, allows transactions with no limit on the amount).

3.6.2. Benefits of applying digital signatures and certificates to Internet Banking transactions

Applying digital signatures and certificates brings both the bank and the customer many benefits:
- The bank and the customer can authenticate each other, creating trust when carrying out transactions.
- Losses caused by identity spoofing attacks are avoided, and legal risk when an incident occurs is reduced, because the digital signature as well as the transaction log files can be used as evidence.
- Some forms of attack such as phishing and pharming are countered.

3.6.3. Applying digital signatures and certificates

*Bank side: Banks usually obtain digital certificate services from well-known companies.
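An added example, not from the thesis, of how a signature delivers the authentication, integrity and non-repudiation properties listed in 3.6.1: textbook RSA over a SHA-256 transaction digest in Python, with constructed key primes and a constructed transaction. A real deployment uses a CA-issued certificate, properly generated keys of 2048 bits or more and a padding scheme; none of that is modelled here.

```python
"""Added example (not from the thesis): textbook RSA signing of a transaction
digest, making concrete three properties from 3.6.1: user authentication,
transaction integrity and non-repudiation. The key uses two small, well-known
primes so the arithmetic stays readable; it is constructed for illustration
only (no padding, tiny modulus). Real deployments use 2048-bit or larger
keys, PSS or PKCS#1 padding and a CA-issued certificate."""
import hashlib
import json

# Constructed demo primes; a real key pair is generated from random primes.
DEMO_P = 1_000_000_007
DEMO_Q = 998_244_353
PUBLIC_EXPONENT = 65537


def make_key_pair(p: int = DEMO_P, q: int = DEMO_Q, e: int = PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)); d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # Python 3.8+; raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def transaction_digest(tx: dict, n: int) -> int:
    """SHA-256 over a canonical JSON encoding,
    reduced into the signing group. Canonical encoding matters: the bank must
    hash exactly the bytes the customer hashed, or a valid signature fails."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    digest = int.from_bytes(hashlib.sha256(canonical).digest(), "big")
    return digest % n            # the reduction is only needed because n is tiny


def sign(tx: dict, private_key) -> int:
    """Signing is exponentiation with the private exponent; only its holder can do this."""
    n, d = private_key
    return pow(transaction_digest(tx, n), d, n)


def verify(tx: dict, signature: int, public_key) -> bool:
    """Anyone holding the public key (from the certificate) can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == transaction_digest(tx, n)


def demo() -> dict:
    """A customer signs a transfer; the bank checks it in three scenarios."""
    customer_pub, customer_priv = make_key_pair()
    # A second constructed key pair standing in for someone who is not the customer.
    other_pub, other_priv = make_key_pair(p=2_147_483_647, q=998_244_353)
    transfer = {"from": "0011223344", "to": "9988776655",
                "amount": 250000, "currency": "VND", "nonce": "c0ffee01"}   # constructed
    signature = sign(transfer, customer_priv)

    tampered = dict(transfer, amount=25000000)      # amount altered in transit
    forged = sign(transfer, other_priv)             # signed with a different key

    return {
        # Authentication + integrity: the untouched transfer verifies.
        "genuine_verifies": verify(transfer, signature, customer_pub),
        # Integrity: one changed field and the same signature no longer verifies.
        "tampered_verifies": verify(tampered, signature, customer_pub),
        # Non-repudiation: only the customer's private key yields a signature
        # that verifies under the customer's public key, so a verifying
        # signature is evidence the customer authorised the transfer.
        "forged_verifies": verify(transfer, forged, customer_pub),
    }
```

Confidentiality, the fourth property in 3.6.1, is not provided by the signature itself; it comes from the TLS channel (and any field-level encryption) the thesis discusses elsewhere.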
Digital certificates issued by reputable companies such as VeriSign help the bank build trust with its customers during transactions. The certificate products of the large companies are usually divided into several classes corresponding to the level of security and trust the customer receives. Most Internet Banking systems in Vietnam and around the world use certificate products from VeriSign.

Figure 23: A bank website using a digital certificate issued by VeriSign.

*Customer side: Customer-side certificates are not yet as widely used as bank-side ones, but many banks are starting to apply them to raise the level of security. A customer using the certificate service registers with the bank and is then issued a certificate by a third party (designated by the bank). Following the bank's instructions, the customer then installs the certificate in the browser and from there can transact with the bank. Usually the transaction limit when a certificate is used is higher than with ordinary measures such as a password or a one-time password. To guard against the case where the customer's computer is not secure, however, many banks offer a solution that stores the certificate on a smart card and reads it from the card with a reader when the customer needs to transact. Storing the certificate on a smart card proves safer than installing it on the computer, since the customer can carry the reader and the smart card along and use them on any computer.

3.7. Information encryption

Securing the data of the Internet Banking system is the top priority for administrators at banks. Information stored on employees' computers is usually protected by traditional measures such as operating system passwords and guarding staff and equipment on the premises with a security force. These methods are now proving ineffective as information technology advances; furthermore, the number of employees working off-site who carry laptops holding important data cannot be controlled, which demands a suitable measure that can protect the data effectively. The most common method of protecting data on a computer is data encryption, but how to encrypt data so as to guarantee both confidentiality and working efficiency is not simple. Let us examine some data encryption methods that banks commonly apply to their systems.
3.7.1. Encrypting part of the information on a computer

Figure 24: Encrypting part of the information.

This method lets users encrypt the part of the data on their computer that they consider important. Files and folders encrypted by the user are kept safe because only the legitimate user who holds the decryption key can work with the data. Encrypting only part of the information on a computer is usually done simply by installing additional software, almost independent of the operating system platform the user is running. This method, however, has certain drawbacks:
- Dependence on the user: the decision of which files to encrypt and which not to is left entirely to the user, and the administrator cannot manage it through security policies. In many cases, through carelessness during work, important files are left unencrypted or are copied to another folder that is not encrypted.
- System files are not encrypted: because only the files and folders the user considers important are encrypted, the system files that serve data access are left unprotected.

3.7.2. Encrypting all information on a computer

Figure 25: Encrypting all information.

This solution provides a higher level of security than encrypting only part of the information. Encryption is performed at a low layer, so it is fully automatic, runs in the background with the system and is transparent to the user. Because all the information on the computer is encrypted, the security policy is enforced thoroughly without depending on the user, making management easier for the administrator. There are now many data loss prevention products from reputable vendors, such as Data Loss Prevention from Symantec and Trend Micro and Full Disk Encryption from Check Point. Most of these products provide very good security features for users; typical features include:
- User authentication