Phishing Attack and Security Aspects of Internet and Mobile Banking-Last

Phishing Attack and Security Aspects
of
Internet and Mobile Banking
Mohammad Tohidur Rahman Bhuiyan

CGEIT,CISA,A+,MCSD,ISMS,CSCF,CEH
Short Description on the Presenter

Working Experience
Served 11 years in Bangladesh Air Force and retired as Flight Lieutenant.
Then I started working as a special tech faculty in New Horizon from 2001 (USA based),
Bangladesh
served as Head of IT, Opex and Sinha Group.
Subsequently, as Manager- IT security, IT Operations, Senior Manager - Audit, IT and System
Security in BRAC Bank and in many similar portfolios.
I was one of the core team members for making and establishing IT driven business Policy,
Process, Standard and Procedure. My proven project was BRAC Banks Data Center (Based on
Tier-IV, industry standard), Beside, I was the Data Center Consultant for ICB Bank.
I worked in Japan Bangladesh Group as Executive Director (Head of Information System & IS
Security)
IRIS JV (Tusuka Technotrade Limited) as Head of Operation (Nationwide) MRP & MRV (Machine
Readable Passport & Machine Readable Visa).
I am working as Special Technical Faculty, New Horizon Computed Learning Center (NHCLC,
USA based) & Guest Faculty of BIBM (Bangladesh Institute of Bank Management) for conducting
the courses/ Class related to Information System Audit, Security, Risk Management and
Governance etc.
Alongside, I am the Lead Auditor (representing RightTime), CCA (Controller of Certifying
Authorities) Bangladesh under the Ministry of Science and Information & Communication
Technology.
Beside all above, I am looking after my firm RightTime Limited a total shop for Information
System Solutions (www.righttime.org)
Certification and Expertise
I hold the first ever CGEIT (Certified in the Governance of
Enterprise Information Technology, ISACA USA) certification in
Bangladesh
Completed my post graduation on Information System Security
(Core Area- IS Audit, Cyber Security & Cyber Forensic, Information
Security Management Standard, Business Continuity Planning &
Disaster Recovery Planning) from West Bengal University of
Technology, India.
Besides, I have adequate exposure on Finacle Core Banking
Application Software and IS Project Management (especially Data
Center, Data Preservation Standard i.e. Data Warehouse & Data
Mining Techniques and Tactics etc.).
I have had exposure on IT Governance and Compliance in line with
the Central Regulatory Bodies ISO/BS and Industry Standard Best
Practices. I have fair knowledge on Alternative Delivery Channels
i.e. Visa Credit Cards, VISA Debit Cards, ATM & POS Network, SMS
Banking, Phone Banking and Internet Banking.
I have the official Recognition on:

Beside the above the Speaker has the adequate acumen on the
below domain ..
1. Information Security 1. Quality management systems
Management System (International Standard)
2. CDCP (Certified Data Center 2. ISO 9001:2008 preparatory
Professional) consultation for achieving the
certificate
3. Information System Audit
3. ISO 27001:2005 preparatory
4. Core Banking System and the consultation for achieving the
Future certificate
5. IT Operations 4. Cyber Security and Cyber Forensic
6. Business Continuity and 5. CDCS (Certified Data Center
Disaster Recovery Planning Specialist)
7. CISA, ISACA Preparatory 6. ISec Grade Audit Methodology
Course 7. IT Infrastructure Library (ITIL) V 3.0
8. Beside skill development, the speaker
8. ICT Guideline Implementation
is confident on assisting/ consultation
9. Service Process Management services for IS Policy, Standard,
10. Risk Management procedure Development and
11. Certified Information System Handling of IS Project with any
Security Professional (CISSP) volume.
Overview of the Presentation
Online Business & security Aspects
Internet Banking
Mobile Banking
Information Security & Latest threat in IS
Phishing attack under Network Security
Short Description on Phishing Attack
Question & Answer Session

55 Mohammad Tohidur Rahman Bhuiyan
Online Business Models & Features can be summarized
Basically, Online Business is the process of buying, transferring, or
exchanging products, services, and/or information using web, the
Internet, intranets, extranets, or some combination of these.
In Short, Automation of commercial transactions using computer and
communication technologies
Facilitated by Internet and WWW Online Business Model:
Business-to-Business: EDI 1. E-shops
Business-to-Consumer: WWW retailing 2. E-commerce
3. E-procurement
4. E-malls
Some Features: 5. E-auctions
Easy, global access, 24 hour availability 6. E-Banking/ Online Banking
Customized products and services 7. Virtual Communities
8. Collaboration Platforms
Back Office integration 9. Third-party Marketplaces
Additional revenue stream 10. Value-chain Integrators
11. Value-chain Service
Providers
12. Information Brokerage
13. Telecommunication
14. Customer relationship
Online Business Participants
Online Business/ E-Commerce Problems
Snooper
Unknown
customer
Unreliable
Merchant
Online Business risks
Customer's risks
Stolen credentials or password
Dishonest merchant
Disputes over transaction
Inappropriate use of transaction details
Merchants risk
Forged or copied instruments
Disputed charges
Insufficient funds in customers account
Unauthorized redistribution of purchased items
Main issue: Secure payment scheme
E-Commerce Security
Authorization, Access Control:
protect intranet from hordes (Gang): Firewalls
Confidentiality, Data Integrity:
protect contents against snoopers: Encryption
Authentication:
both parties prove identity before starting transaction:
Digital certificates
Non-repudiation:
proof that the document originated by you & you only:
Digital signature
Electronic payments: Issues
Secure transfer across internet
High reliability: no single failure point
Atomic transactions
Anonymity of buyer
Economic and computational efficiency: allow
micropayments
Flexibility: across different methods
Scalability in number of servers and users
E-Payments: Secure transfer
SSL: Secure socket layer
below application layer
S-HTTP: Secure HTTP:
On top of http
Online Banking Products
Personal Financial Management (PFM)
Mobile Banking
Remote Deposits
Online Enrollment
P2P powered by PayPal
RemoteFI
Bill Pay
Alert Center
Institution-2-Institution Transfers
Business Banking
Online Lending
CRM Marketing
Internet Banking
Internet Banking: With internet access increasing to
everyone, Internet banking (also referred as e banking) has
emerged to be the is the latest wonder for delivery of banking
products & services.
Banking is now no longer confined to the were one has to

approach the branch in person, to withdraw cash or deposit a
cheque or request a statement of accounts. In true Internet
banking, any inquiry or transaction is processed online without
any reference to the branch (anywhere banking) at any time.
Providing Internet banking has become a "need to have" than a

"nice to have" service. The net banking, thus, now is more of a
norm rather than an exception in many developing countries
due to the fact that it is the cheapest way of providing banking
services

Mobile Banking
Mobile Banking refers to provision and availment of
banking- and financial services with the help of mobile
telecommunication devices. The scope of offered
services may include facilities to conduct bank and
stock market transactions, to administer accounts and
to access customized information."
According to this model Mobile Banking can be said to
consist of three inter-related concepts:
Mobile Accounting
Mobile Brokerage
Mobile Financial Information Services
Mobile Banking Service
Mobile banking can offer services such as the
following
Account Information
Payments, Deposits, Withdrawals, and Transfers
Investment
Support
Content Services

Challenges in Mobile Banking Solutions
Handset operability: There are a large number of
different mobile phone devices and it is a big
challenge for banks to offer mobile banking
solution on any type of device. Some of these
devices support Java ME and others support SIM
Application Toolkit, a WAP browser, or only SMS.

Security: Security of financial transactions, being executed
from some remote location and transmission of financial
information over the air, are the most complicated
challenges that need to be addressed jointly by mobile
application developers, wireless network service providers
and the banks' IT departments.
The following aspects need to be addressed to offer a secure
infrastructure for financial transaction over wireless
network :
Physical part of the hand-held device. If the bank is

offering smart-card based security, the physical security of
the device is more important.
Continued.
Security of any thick-client application running on the
device. In case the device is stolen, the hacker should
require at least an ID/Password to access the application.
Authentication of the device with service provider before
initiating a transaction. This would ensure that
unauthorized devices are not connected to perform
financial transactions.
User ID / Password authentication of banks customer.
Encryption of the data being transmitted over the air.
Encryption of the data that will be stored in device for
later / off-line analysis by the customer.
Continued.
One-time password (OTPs) are the latest tool used by
financial and banking service providers in the fight
against cyber fraud [6]. Instead of relying on traditional
memorized passwords, OTPs are requested by consumers
each time they want to perform transactions using the
online or mobile banking interface. When the request is
received the password is sent to the consumers phone via
SMS. The password is expired once it has been used or
once its scheduled life-cycle has expired.

Scalability & Reliability: Another challenge for the CIOs and CTOs
of the banks is to scale-up the mobile banking infrastructure to
handle exponential growth of the customer base. With mobile
banking, the customer may be sitting in any part of the world (true
anytime, anywhere banking) and hence banks need to ensure that
the systems are up and running in a true 24 x 7 fashion.
As customers will find mobile banking more and more useful, their
expectations from the solution will increase. Banks unable to meet
the performance and reliability expectations may lose customer
confidence. There are systems such as Mobile Transaction Platform
which allow quick and secure mobile enabling of various banking
services. Recently in India there has been a phenomenal growth in
the use of Mobile Banking applications, with leading banks
adopting Mobile Transaction Platform and the Central Bank
publishing guidelines for mobile banking operations.
Application distribution: Due to the nature of the
connectivity between bank and its customers, it
would be impractical to expect customers to
regularly visit banks or connect to a web site for
regular upgrade of their mobile banking
application. It will be expected that the mobile
application itself check the upgrades and updates
and download necessary patches (so called "Over
The Air" updates). However, there could be many
issues to implement this approach such as upgrade
/ synchronization of other dependent components.

Personalization: It would be expected from the
mobile application to support personalization such
as :
Preferred Language
Date / Time format
Amount format
Default transactions
Standard Beneficiary list
Alerts

What is Information Security?
Information security means protecting
information and information systems from
unauthorized access, use, disclosure,
disruption, modification, perusal,
inspection, recording or destruction.
Information security is concerned with the-
confidentiality,
integrity,
availability &
reliability
of data regardless of the form the data may
take: electronic, print, or other forms.
Information security threats
CISSP / ISO27k implementers forum identifies the following
threats:
Imposition of legal and regulatory obligations.
Cyber-criminals
Malware, Trojans
Phishers (active attack under internet threat)
Spammers
Negligent staff
Storms, tornados, floods - Acts of God
Hackers
Unethical Employees who misuse/misconfigure system security
functions
Unauthorized access, modification, disclosure of, information
assets
Nations attacking critical information infrastructures to cause
disruption.
Technical advances that can render encryption algorithms obsolete

Phishing attack under Network Security
Network security attacks
Passive attacks
Active attacks
Passive attacks Active attacks

Network analysis Brute-force attack
Eavesdropping Masquerading
Traffic analysis Packet replay
Phishing
Message modification
Unauthorized access through the
Internet or web-based services
Denial of service
Dial-in penetration attacks
E-mail bombing and spamming
E-mail spoofing

Short Description on Phishing Attack

Module Flow

Introduction

Reason for Successful Phishing (continued)

Reason for Successful Phishing

Phishing Method (Continued)



Process of Phishing

Types of Phishing attack
Man-in-the-Middle Attack
URL Obfuscation Attack
Cross-Site-Scripting Attack
Hidden Attacks
Client-side Vulnerability
Deceptive Phishing
Malware-based Phishing
DNS-Based Phishing
Content Injection Phishing
Search Engine Phisihng

Types of Phishing attack (Continued)
Man-in-the-Middle Attack


Cross-Site-Scripting Attack

Hidden Attack

Client-Side Vulnerability

Deceptive Phishing

Malware-Based Phishing (Continued)

Malware-Based Phishing (Continued)

Malware-Based Phishing

DNS-Based Phishing

Content Injection Phishing

Types of Phishing attack<
Search Engine Phishing

Anti Phishing

Different Types of Anti Phishing Tools
PhishTank SiteChecker
Net Craft
GFI MailEssentials
SpoofGuard
Phishing Sweeper Enterprise
Trust watch Toolbar
ThreatFire
GralicWrap
Spyware Doctor
Track Zapper Spyware Adware Remover
Email-Tag.com

Anti Phishing Tools (Continued)
FishTank SiteChecker

FishTank SiteChecker: Screen Shot

Net Craft

Net Craft: Screen Shot

GFI MailEssentials

GIF MailEssentials: Screen Shot

SpoofGuard

SpoofGuard: Screen Shot1



Phishing Sweeper Enterprize

Phishing Sweeper Essential: Screen Shot

Trust Watch Toolbar

ThreatFire

ThreatFire: Screen Shot

GralicWrap

GralicWrap: Screen Shot

Spyware Doctor

Spyware Doctor: Screen Shot



AdwareInspector

AdwareInspector: Screen Shot

Email-Tag.com

Anti Phishing Tools
Email-Tag.com: Screen Shot

Video on Phishing Attack (Identity Theft)

Some commands and niti-giti on

Summary: Phishing

Any Query

Contact Information
Cell: 880-1714-003040, 880-1552-304704
rahmantohid@yahoo.com, ceo.tohid@righttime.biz


Phishing Attack and Security Aspects of Internet and Mobile Banking-Last

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Phishing Attack and Security Aspects of Internet and Mobile Banking-Last

Încărcat de

Drepturi de autor:

Formate disponibile

Phishing Attack and Security Aspects

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Banking is now no longer confined to the were one has to

Providing Internet banking has become a "need to have" than a

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Physical part of the hand-held device. If the bank is

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Passive attacks Active attacks

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan

Mohammad Tohidur Rahman Bhuiyan