Banking and BookkeepingIF4033 Information Security and AssuranceSemester 2 2013/2014

Kelompok 16Yogi Salomo Mangontang

Pratama (13511059)Habibie Faried (13511069)Setyo Legowo (13511071)

OutlineDefinitionSecurity RequirementSecurity Incident

◦Programming◦Infrastructure◦Process◦Organizational

Security PitfallWhy Important

BankingIn simple words, Banking can be

defined as the business activity of accepting and saving money owned by customers.

BookkeepingRecord financial activityTracking account transactionVerify accuracy of procedures

used for recording financial transaction

HISTORY OF BOOKKEEPING

Why is this important?Tackling Broader Problem of

Electronic Commerce and FraudMainstay of Computer IndustryBecause Finance is an important

aspect of Human Life

Security RequirementInformation Security RequirementImplement Strong Access Control

MeasuresMaintain a vulnerability

management programBuild and maintain a secure

networkProtect cardholder data

Security IncidentProgrammingInfrastructureProcessOrganization

ProgrammingWrong ATM Card's PIN VerificationSame PIN to all customerWrong AssumptionTest System as Live SystemNo Authentication Probable

Wrong Assumption

An assumption was made by bank programmers. Here is the algorithm

Then, how about Inserted ATM’s PIN?. Simply peek it out

Infrastructure and TechnologyPhysical Credit Card SkimmerOnline Credit Card sniffingSmart Card Information SniffingNot authenticated RFID

TransactionSWIFT Wiretapping link from

branch to mainframe computer's bank

Not authenticated RFID Transaction Simple Wireless-based transaction Put RFID reader near to RFID Card

location’s victim Get control over it (steal data, etc) Done? Time to get away

ProcessUnverified Address Change

ProcessMules for Money LaunderingAge Verification With Credit Card

NumberMisuse of Bank's Suspense

AccountShoulder Surfing

Shoulder SurfingStoneProcess Attacked: usage of ATM.New York1990’s

How does it work?

Stand behind

someone in ATM

and Peek their PIN

Take the receipt

they have thrown

away and find the account

information

Create Duplicate Key using retrieved informatio

n

Use The Duplicated Key to Access

Account in any ATM

OrganizationalBank Reset Clerk Authority AbuseATM Repairman accessibilitySWIFT Bogus Transaction

MessageTraditional Banking Law and

PracticesInternal Control Failure

Bank Reset Clerk Authority AbusePaul StubbsBank Reset ClerkHSBC Bank, 2000’s$20 Million Loss

How does it work?

Paul Stubbs, as Reset Password

Clerk change the password

of AT&T Account

Using the New Password, He and comrades

Access the Account of AT&T and

Transfer $20 Million to Offshore Company

Return the Password to its initial so

that the account owner doesn’t realize

Security PitfallBad Authentication in accessing

systemTamper-able InfrastructureAbuse of Power

Thank you