efforts to secure efforts to secure electronic financial
play

Efforts to Secure Efforts to Secure Electronic Financial - PowerPoint PPT Presentation

Jan 18, 2024 •372 likes •651 views

- Case Study - - Case Study - Efforts to Secure Efforts to Secure Electronic Financial Transactions Electronic Financial Transactions in Korea in Korea 2008. 6. 27 2008. 6. 27 20 th FIRST Annual Conference 20 th FIRST Annual Conference

  1. - Case Study - - Case Study - Efforts to Secure Efforts to Secure Electronic Financial Transactions Electronic Financial Transactions in Korea in Korea 2008. 6. 27 2008. 6. 27 20 th FIRST Annual Conference 20 th FIRST Annual Conference jwchoi@fsa.or.kr jwchoi@fsa.or.kr

  2. Contents Contents Contents Contents Contents Contents Ⅰ Introducing FSA & KFCERT Introducing FSA & KFCERT Ⅱ Electronic transactions in Korea Electronic transactions in Korea Ⅲ Incident cases Incident cases Ⅳ New threats New threats Ⅴ Countermeasures & Conclusion Countermeasures & Conclusion -2-

  3. I. Introducing FSA & KFCERT Introducing FSA & KFCERT I. I. Introducing FSA & KFCERT 1. Background 1. Background � Government decided to set up a organization dedicated to secure electronic financial transactions after the first internet banking incident in may, 2005 � It is also decided to operate an integrated OTP center for the financial companies 2. FSA 2. FSA � FSA is a non-profit organization initiated by government (Financial Services Commission) � Established in December, 2006 � Has 129 member financial companies including Banks, Security Companies, Credit Card Companies, Insurance Companies and others. -3-

  4. I. Introducing FSA & KFCERT Introducing FSA & KFCERT I. I. Introducing FSA & KFCERT 3. KFCERT 3. KFCERT � Korea Financial CERT is a part of FSA � Response financial incidents and monitors threat information � Is a FIRST full member since December, 2007 4. Organization 4. Organization -4-

  5. I. Introducing FSA & KFCERT Introducing FSA & KFCERT I. I. Introducing FSA & KFCERT 5. History 5. History � 2005. 5 : Internet banking incident occurred using keylogger and backdoor for the first time in Korea � 2006.12.21 : Financial Security Agency started its work � 2007.1.17 : Joined Anti-Phishing Working Group � 2007.1.19 : New pharming incident occurred using malware � 2007.1.29 : KFCERT has created � 2007.1.31 : Joined CONCERT (CONsortium of CERT) � 2007. 2. 9 : Joined Korea National CERT Council � 2007.3.27 : Joined MS SCP (Security Cooperation Program) � 2007.12.20 : Joined FIRST -5-

  6. I. Introducing FSA & KFCERT Introducing FSA & KFCERT I. I. Introducing FSA & KFCERT 6. Role and Responsibility of FSA 6. Role and Responsibility of FSA � Support developing security policy and counter plans � Incident Response � Vulnerability Analysis � Penetration Test � Product Conformity Test � Operate Integrated OTP Center � Coordinate other financial companies � Cooperate with other security organization and law enforcement -6-

  7. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 1. Internet banking in Korea (Number of Users) 1. Internet banking in Korea (Number of Users) � Internet banking users are 47 Million � Mobile banking users are 5.7 Million � 12 Million digital certificates issued 50 45 40 35 30 (Million) Users 25 20 15 10 5 0 Mar Jun Sep Dec Mar Jun Sep Dec Mar Jun Sep Dec Mar 05' 06' 07' 08' * Source : Bank of Korea -7-

  8. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 1. Internet banking in Korea (Amount of Transfers) 1. Internet banking in Korea (Amount of Transfers) � Daily transfers hit 21 Million (Number of Transfers) � Daily transfers reach 22 Billion USD (Approx.) 25 20 ount of Daily Transfe 15 (Billion) 10 Am 5 0 1Q 2Q 3Q 4Q 1Q 2007 2008 * Source : Bank of Korea -8-

  9. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 2. Transaction portion for each channel 2. Transaction portion for each channel � CD/ATM ’ s are the most popular channel � Internet banking transactions (transfers) are increasing(24.4%) * Inquiry only in internet banking reaches 56.8% 50.0% 45.0% 40.0% 35.0% Percentage 30.0% Offline CD/ATM 25.0% Tele banking Internet banking 20.0% 15.0% 10.0% 5.0% 0.0% Mar Jun Sep Dec Mar Jun Sep Dec Mar 06' 07' 08' -9- * Source : Bank of Korea

  10. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 3. Security programs in internet banking(1) 3. Security programs in internet banking(1) � Anti-Keylog / AntiVirus / Encryption should be provided -10-

  11. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 3. Security programs in internet banking(2) 3. Security programs in internet banking(2) � Digital certificate -11-

  12. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 3. Security programs in internet banking(3) 3. Security programs in internet banking(3) � Security Card (Random Number) -12-

  13. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 3. Security programs in internet banking(4) 3. Security programs in internet banking(4) � OTP (One Time Password) : Valid only for 1 minute -13-

  14. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 4. Related Law & Policy(1) 4. Related Law & Policy(1) � Back grounds of Electronic Financial Transaction Act - Absence of regulation on the electronic transactions - Need customer safeguards due to the increasing incident . Hard to prove the responsibility for the incident . Heavy responsibility to the customers - Rack of supervise to the companies dealing with electronic transactions which is not a financial company � Supervise more electronic financial services � More responsibility to the incidents � Protect the Customers -14-

  15. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 4. Related Law & Policy(2) 4. Related Law & Policy(2) � Electronic Financial Transaction Act (Article 9) - Financial Institutions are basically responsible for transaction incidents except the user ’ s intention and negligence - Financial Institutions must prove user ’ s negligence � Electronic Financial Transaction Act (Article 22) - Financial institutions should store related logs to trace and search the transaction within 5 years -15-

  16. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 4. Related Law & Policy(3) 4. Related Law & Policy(3) � Transaction limit for each security level (08 ’ April) Transfer Limit (USD, approximately) Transfer Limit (USD, approximately) Security Security Security Measure Security Measure Level Level Each Each A Day A Day OTP + Certificate OTP + Certificate Level 1 HSM(Certificate) + Security Card ) + Security Card 100,000 500,000 Level 1 HSM(Certificate 100,000 500,000 Security Card + Certificate Security Card + Certificate + 2 Channel Authentication + 2 Channel Authentication Security Card + Certificate Security Card + Certificate Level 2 50,000 250,000 Level 2 50,000 250,000 + SMS Notice + SMS Notice Level 3 Security Card + Certificate 10,000 50,000 Level 3 Security Card + Certificate 10,000 50,000 -16-

  17. II. Electronic Transactions in Korea Electronic Transactions in Korea II. II. Electronic Transactions in Korea 5. Integrated OTP Authentication center 5. Integrated OTP Authentication center � FSA operates Integrated OTP Authentication center 24x7 � 55 Financial institutions joined integrated center (19 Banks, 30 Security Companies, etc) � Users can use all financial institutions with only one OTP token -17-

  18. III. Incident Cases Incident Cases III. III. Incident Cases 1. Pharming Pharming with Malware (07 with Malware (07 ’ Jan) 1. ’ Jan) � Malware distributed through portal site � Unpatched PCs are infected, ‘ hosts ’ file was modified for pharming � Host site was storing 4,000 certificates � No economical loss due to quick response -18-

  19. III. Incident Cases Incident Cases III. III. Incident Cases 2. Internet payment incident (07 ’ Apr) 2. Internet payment incident (07 ’ Apr) � Internet payment system(V3D-Secure) should check CVC code � 111 Credit card number were used for 6 month � Had about 100,000 USD loss in a institution that didn ’ t check the CVC � Password for the payment were guessed easily -19-

  20. III. Incident Cases Incident Cases III. III. Incident Cases 3. Card Duplication (07 ’ Apr) 3. Card Duplication (07 ’ Apr) � ATM owner installed a duplication reader in the ATM � Passwords were recorded with hidden camera � Stored card information was used to duplicate for fraudulent withdrawal -20-

  21. IV. New threats New threats IV. IV. New threats 1. Memory Forgery 1. Memory Forgery � Malware is also able to alter memory of IE allocation � So that the hacker modifies account number which will be transferred � But the HTML screen prompts that the transfer was successful [Memory] 0x00123456 : 061-21-1085-102 0x0012345a : ... ... 34113014972 60504966677 0x0012347b : ... � Account Number ‘ 34113014972 ’ will be changed to the hacker ’ s account number ‘ 60504966677 ’ on clicking ‘ OK ’ . -21-

Recommend

Resurrection of Fukushima, NPO 1 1. Efforts to secure living environment 2. Efforts to produce

Resurrection of Fukushima, NPO 1 1. Efforts to secure living environment 2. Efforts to produce

Resurrection of Fukushima, NPO 1 1. Efforts to secure living environment 2. Efforts to produce safe food 3. Examine the conditions of animals and plants 4. Examine radiation and radioactivity levels around the village 5. Secure electricity and

775 views • 32 slides
Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction

Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction

Web Security: Web Security: Secure Electronic Transaction Secure Electronic Transaction Cunsheng Cunsheng Ding Ding HKUST, Hong Kong, CHI NA HKUST, Hong Kong, CHI NA Secure Elect ronic Transact ions An applicat ion-layer secur it y

483 views • 24 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 SE Doesnt End at Release Deployment counts too Despite our best efforts to produce

487 views • 20 slides
1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

Presentation Outline E- -Business Implementation Business Implementation E Part 1 The Singapore Experience The Singapore Experience How Singapore Government Agency created a secure and trusted infrastructure for e-business By Tan Jin

790 views • 25 slides
Cryptocurrencies Outline and Distributed Electronic payments Consensus Secure transactions

Cryptocurrencies Outline and Distributed Electronic payments Consensus Secure transactions

Cryptocurrencies and Distributed Consensus May 2019 Cryptocurrencies Outline and Distributed Electronic payments Consensus Secure transactions Secure execution: contracts PROF. DR. IR. BART PRENEEL COSIC KU LEUVEN, BELGIUM AND IMEC

248 views • 21 slides
Individual Family Group Company Community Country World NOW Secure Secure financial Learn

Individual Family Group Company Community Country World NOW Secure Secure financial Learn

Individual Family Group Company Community Country World NOW Secure Secure financial Learn psychosocial Determine your Identify the Consider Evaluate global employment and educational principles and unassailable strengths and

200 views • 6 slides
Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk

753 views • 17 slides
Be Be Good! Good! WHA WHAT IS T IS SECURE? SECURE? SECURe is a school-wide program designed

Be Be Good! Good! WHA WHAT IS T IS SECURE? SECURE? SECURe is a school-wide program designed

SECUR E SOCIAL, EMOTIONAL, AND COGNITIVE UNDERSTANDING AND REGULATION Created by Success for All, University of Michigan, and Harvard University Be Be Good! Good! WHA WHAT IS T IS SECURE? SECURE? SECURe is a school-wide program designed

957 views • 59 slides
Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is

Secure Coprocessor What is Secure coprocessor: Robust. (A system that is not easily or is not wholly affected by a bug in one aspect of it. ) General-purpose computational environments. Secure temper responsive physical package.

366 views • 14 slides
Semi-Secure Semi-Secure where a hash is a secure one-way function. A cookie is a bit of state

Semi-Secure Semi-Secure where a hash is a secure one-way function. A cookie is a bit of state

One-Slide Summary Users often authenticate themselves by providing passwords. We store and compare hashes of passwords, Semi-Secure Semi-Secure where a hash is a secure one-way function. A cookie is a bit of state associated with a webpage

103 views • 9 slides
SET Secure Electronic Transactions Original participants: VISA and MasterCard, GTE, IBM,

SET Secure Electronic Transactions Original participants: VISA and MasterCard, GTE, IBM,

SET Secure Electronic Transactions Original participants: VISA and MasterCard, GTE, IBM, Microsoft, Netscape, SAIC, Terisa, Verisign. Officially announced February 1, 1996. SET enables safe business over insecure networks - i.e.,

643 views • 32 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload & download confidential

202 views • 9 slides
my and Outlook PublicFolders drive Electronic records-keeping: Use, Manage, Keep, Secure a BKI

my and Outlook PublicFolders drive Electronic records-keeping: Use, Manage, Keep, Secure a BKI

my and Outlook PublicFolders drive Electronic records-keeping: Use, Manage, Keep, Secure a BKI project Introduction Shared drives need to be used in a manner that maximises the business benefits and minimizes the risks and costs to

730 views • 14 slides
Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC

Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC

Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Secure MPC Goal: Allow a set

1.11k views • 98 slides
Efforts to forest conservation and climate change adaptation of Vietnam Agency for Biodiversity

Efforts to forest conservation and climate change adaptation of Vietnam Agency for Biodiversity

Efforts to

417 views • 13 slides
Who tells you that your secure product is actually secure?

Who tells you that your secure product is actually secure?

Who tells you that your secure product is actually secure? Think about the 6me it stays on the field It went through a security evalua6on

866 views • 28 slides
How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session

How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session

How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201 Other personal info on chip Other less common data fields that may be in your passport Custody Information Travel Record

703 views • 31 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
A Secure and Efficient Protocol for Electronic Treasury Auctions s 1 , Mehmet Sabr Kiraz 2 ,

A Secure and Efficient Protocol for Electronic Treasury Auctions s 1 , Mehmet Sabr Kiraz 2 ,

A Secure and Efficient Protocol for Electronic Treasury Auctions s 1 , Mehmet Sabr Kiraz 2 , Osmanbey Uzunkol 2 Atilla Bekta 1 IAM, Middle East Technical University, Ankara, Turkey 2 MCS Labs, TB ITAK B ILGEM, Kocaeli, Turkey

621 views • 27 slides
SECURE Act Brian Graff SECURE Act Setting Every Community Up for Retirement Security (SECURE)

SECURE Act Brian Graff SECURE Act Setting Every Community Up for Retirement Security (SECURE)

SECURE Act Brian Graff SECURE Act Setting Every Community Up for Retirement Security (SECURE) Act of 2019 (H.R. 1994) Introduced in the House March 29, 2019 Passed House Ways & Means Committee April 2, 2019 Passed House

354 views • 12 slides

More recommend