IT Security & Cyber Crime
March 24, 2024, 5:21 a.m.
Agenda
- Various types of IT & Cyber Crimes
- Cyber Frauds
- Prevention of Cyber Crimes
- Combating ever evolving Cyber Threats
- Role of People Awareness in Cyber Security (for Staff & Customers)
- Role of Technology in Fraud Risk Management.
Cybercrime: 10 disturbing statistics to keep you awake tonight: effect of COVID-19
- THE NUMBER OF UNSECURED REMOTE DESKTOP MACHINES ROSE BY MORE THAN 40%
- RDP BRUTE-FORCE ATTACKS GREW 400% IN MARCH AND APRIL ALONE
- EMAIL SCAMS RELATED TO COVID-19 SURGED 667% IN MARCH ALONE
- USERS ARE NOW THREE TIMES MORE LIKELY TO CLICK ON PANDEMIC-RELATED PHISHING SCAMS
- BILLIONS OF COVID-19 PAGES ON THE INTERNET
- TENS OF THOUSANDS OF NEW CORONAVIRUS-RELATED DOMAINS ARE BEING CREATED DAILY
- 90% OF NEWLY CREATED CORONAVIRUS DOMAINS ARE SCAMMY
- MORE THAN 530,000 ZOOM ACCOUNTS SOLD ON DARK WEB
- 2000% INCREASE IN MALICIOUS FILES WITH "ZOOM" IN NAME
- COVID-19 DRIVES 72% TO 105% RANSOMWARE SPIKE
Do you know…
- Many popular browsers, social networking sites/apps and other applications collect and transmit our data: photos, phone book, call history, even data left in caches and buffers. The collected data is used in ways that interfere with our privacy, shared with other applications, or sent to servers in other countries.
- Which ones? All of them: search engines, map apps, social networking and messaging sites, online shopping sites, hotel and travel booking sites and countless other portals on the Net collect, use and share such information.
Types of Cyber Crimes & Cyber Threats
- Data Alteration / Data Diddling / Data Theft
- Spoofing – IP / DNS / E-mail Spoofing
- Voice / SMS / Web Spoofing
- Phishing, Pharming, Flooding
- Denial Of Service – DoS / DDoS
- Packet Sniffing
- Computer Contamination, Virus
- Malware, Spyware, Adware
- Ransomware (WannaCry, Petya, CryptoLocker, CryptoWall)
- Hacking, Jackpotting, Cryptojacking, Formjacking
Types of Cyber Crimes…
- Man-in-the-middle Attack
- Logic Bombs / Salami Attack
- Skimming / Shimming
- SIM Swap
- Steganography
- Pornography
- Cyber Defamation
- Cyber Squatting, Stalking
- Dead Dropping
- On–Line Lottery Fraud / Nigerian Scam
- Fast flux
- Stuxnet
- Spear-phishing
- Whaling
- Drive-by-Download
- SQL Injection
- Browser Gateway fraud
- Ghost Administrator Exploits
- Memory Update Frauds
- Blind Spots
- Zero-Day attack
- Masquerade
- Personally Identifiable Data breaches
PHISHING & PHARMING
- PHISHING:
- Using spoofed e-mails or directing people to fake web sites to fool them into divulging personal financial details so criminals can access their accounts.
- PHARMING:
- Technically more sophisticated: the victim is redirected to the fake site without clicking anything, by corrupting name resolution (poisoning a DNS resolver's cache, compromising the DNS server software, or editing the hosts file on the victim's machine), so that even a correctly typed bank address resolves to the attacker's server.
- Phishing is the #1 delivery vehicle for ransomware and other malware.
VISHING, MISHING, SMISHING:
- Fraudulent e-mails are sent to customers of various banks luring them to "update" sensitive account information such as user IDs, login passwords and even transaction passwords by clicking a link in the e-mail or visiting a fake website.
- The same information is also solicited over telephone calls, known globally as vishing (voice phishing), by callers pretending to be genuine bank officials.
- When the request arrives through mobile apps or messaging it is called mishing (mobile phishing), and when it arrives by SMS, smishing.
Malware, Trojans, Adware
- Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorised access to computer systems.
- 'Malware' is a general term for a variety of hostile, intrusive, or annoying software and includes computer viruses, worms, trojan horses, spyware, adware and other malicious programs.
- Trojans: malware disguised as, or hidden inside, legitimate-looking software so that the user installs it willingly; unlike a virus or worm it does not replicate itself, but once installed it can open a backdoor, steal data or download further malware.
Malwares …
- Symptoms
- Increased CPU usage
- Slowness in computer or web browsing
- Issues in connecting to networks
- System Hanging or crashing
- Appearance of strange files, programs, or desktop icons
- Programs running, turning off, or reconfiguring themselves
- Strange computer behaviour
- Emails/messages being sent automatically and without your knowledge
- SPAM : Unsolicited commercial email messages sent in bulk, often using a purchased (or stolen) mailing list that includes your address.
What is Spyware?
- Independent programs that can be installed silently while you browse the Internet or when you install free software.
- Advertising companies use spyware to "mine data" so that they can target advertisements better.
- Monitors and steals sensitive data: e-mail addresses, passwords, credit card numbers, keystrokes, chat sessions, documents, web pages visited, downloading habits, cookies and any other data.
- Sends the information to its operators.
- Violates your privacy.
- And is frequently presented as a LEGAL program, because installation was "consented to" in a licence agreement nobody reads!
- Protection:
- Use a multilayered antivirus solution.
- Disable the AutoRun feature so that removable media cannot install spyware automatically.
- Turn ON the popup blocker, and allow popups only for trusted sites.
- Keep the OS and other software up to date.
What is Adware?
- Adware is created by advertising companies.
- Comes in the form of popups and unexplained advertising programs on your desktop, pushing you to subscribe to paid sites or buy a product.
- Advertising companies hope to generate money from customers who receive the popups or unexplained programs on their computers.
- Also commonly a LEGAL program, bundled with free software under its licence terms!
DDoS: Distributed Denial of Service
- DoS is a Denial of Service attack: a single source floods a target.
- A distributed denial-of-service (DDoS) attack uses many compromised computer systems (typically a botnet) to attack a target system or network at once, causing a denial of service for its users.
- The flood of incoming messages, connection requests or malformed packets forces the target to slow down, crash or shut down,
- thus denying service to legitimate users of the system.
- The motive of DoS / DDoS is to render the target systems unavailable.
Ransomware
- Ransomware is a type of malware that blocks access to a victim’s assets and demands money to restore that access.
- Ransomware typically encrypts a victim’s files. Once a victim is infected, the ransomware scans the available local and network systems for important files, encrypts them and alerts the user about the infection.
- The alert includes a ransom demand and a deadline for payment.
- If victims do not pay in time, the ransomware operators destroy the decryption key and the victim's files are rendered useless.
- If payment is made in time, victims usually receive a decryption key to unlock their files, but there is no guarantee; the only reliable recovery is a tested offline backup.
SPOOFING
- It refers to sending information that appears to come from a source other than its actual source.
- In the context of network security, a spoofing attack is a situation in which one person or program successfully MASQUERADES / DISGUISES as another by falsifying data and thereby gaining an illegitimate (unlawful) advantage.
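E-mail spoofing, the form of spoofing most often used in the phishing mails described above, is usually detectable from headers the receiving mail server has already recorded. The following Python script is an added example and not part of the original presentation: it checks a constructed (invented) "bank alert" message for the usual tell-tales of a spoofed sender, namely a Return-Path or Reply-To domain that differs from the From domain, SPF/DKIM results other than "pass" in the Authentication-Results header, and links that do not sit under the sender's domain. All domains and addresses in it are made up.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a real message: a spoofed "bank alert" whose
# envelope sender, Reply-To, authentication results and link all point away
# from the domain shown in the From header. Every domain here is invented.
SPOOFED_MAIL = """\
Return-Path: <bounce@mail-verify-update.example>
Received: from mx1.mail-verify-update.example (203.0.113.7) by mx.bank.example
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=mail-verify-update.example; dkim=none
From: "Customer Care - My Bank" <alerts@mybank.example>
Reply-To: support@mybank-secure-login.example
To: customer@example.net
Subject: Urgent: your account will be blocked
Content-Type: text/plain; charset=us-ascii

Dear Customer, update your User ID and transaction password at
http://mybank.example.login-verify.example/update within 24 hours.
"""


def domain_of(addr_header):
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(str(addr_header))[1].rsplit("@", 1)[-1].lower()


def registrable(host):
    """Crude registrable domain: the last two labels (enough for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def spoof_indicators(raw_message):
    """Return the header/body mismatches that suggest a spoofed sender."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. The envelope sender (Return-Path) should match the visible From domain.
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_dom:
        findings.append(f"return-path domain {domain_of(msg['Return-Path'])} != from domain {from_dom}")

    # 2. A Reply-To pointing elsewhere diverts the victim's answer to the attacker.
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        findings.append(f"reply-to domain {domain_of(msg['Reply-To'])} != from domain {from_dom}")

    # 3. SPF/DKIM verdicts recorded by the receiving mail server.
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 4. Links in the body should sit under the sender's registrable domain.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for host in re.findall(r"https?://([^/\s]+)", body):
        if registrable(host) != registrable(from_dom):
            findings.append(f"link host {host} is not under {registrable(from_dom)}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SPOOFED_MAIL):
        print("suspicious:", finding)
```

Run as-is it prints five findings for the constructed message. A mail gateway would act on the SPF/DKIM verdicts (that is what DMARC automates); the Reply-To and link checks are the ones a user-facing warning banner can surface.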
Packet Sniffing
- On computer networks, data travels in the form of packets. A "packet sniffer" reads these packets while they are in transit.
- On the legitimate side, system administrators use packet sniffing to monitor and troubleshoot network traffic.
- On the criminal side, the same tool can easily be used to sniff out user names and passwords, credit card details etc. from any traffic that is not encrypted.
- On public Wi-Fi the threat is very high: anyone on the same network (or running a rogue access point) can capture the traffic.
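To show why plaintext logins on public Wi-Fi are so exposed, here is a minimal packet sniffer in Python as an added example (it is not code from the original presentation). It parses Ethernet, IPv4 and TCP headers by hand and pulls credential fields out of an HTTP POST body or an HTTP Basic-auth header. The frames are constructed inside the script so that it runs offline; in practice parse_frame and extract_credentials would be fed frames from a raw socket or a pcap file. Traffic under TLS (port 443) is opaque to this code, which is exactly the point of encrypting the channel.

```python
import base64
import struct
from urllib.parse import parse_qs

SENSITIVE_FIELDS = {"user", "username", "login", "userid", "pass", "password",
                    "pin", "otp", "card", "cvv"}


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame around payload (test data only;
    checksums are left zero). Stands in for a frame read off the wire."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload), 0x1234, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    # data offset 5 words (no options), flags PSH|ACK
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP and return addressing plus the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                         # not IPv4
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length
    if frame[23] != 6:
        return None                         # not TCP
    src, dst = ip_str(frame[26:30]), ip_str(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4   # TCP header length
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": frame[tcp + data_off:]}


def extract_credentials(payload):
    """Pull credential-looking fields out of a plaintext HTTP request."""
    found = {}
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            found["basic_auth"] = base64.b64decode(line.split(" ", 2)[2]).decode()
    for key, values in parse_qs(body).items():
        if key.lower() in SENSITIVE_FIELDS:
            found[key] = values[0]
    return found


def sniff(frames):
    """Report (flow, credentials) for every plaintext HTTP frame carrying credentials."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and pkt["dport"] in (80, 8080):
            creds = extract_credentials(pkt["payload"])
            if creds:
                hits.append((f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}", creds))
    return hits


# Constructed traffic: a login form posted over plain HTTP, a TLS record, and a
# Basic-auth request. Hosts and credentials are invented.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: netbanking.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\n"
              b"username=alice&password=Hunter2%21&otp=483920")
BASIC_GET = (b"GET /statement HTTP/1.1\r\nHost: netbanking.example\r\n"
             b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n")
SAMPLE_FRAMES = [
    build_frame("192.0.2.20", "203.0.113.10", 52344, 80, LOGIN_POST),
    build_frame("192.0.2.21", "203.0.113.10", 52345, 443, b"\x16\x03\x01..."),  # TLS: opaque
    build_frame("192.0.2.22", "203.0.113.10", 52346, 80, BASIC_GET),
]

if __name__ == "__main__":
    for flow, creds in sniff(SAMPLE_FRAMES):
        print(flow, creds)
```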
Cyber Squatting:
- Registering domain names containing the names of popular brands (or misspellings of them, "typosquatting") in order to sell them back to the brand or to host phishing pages.
- Registrars allot any available domain to the first applicant
- No stringent law worldwide
- Examples
http://www.mybank.com, http://www.mybank1.com, http://www.mybank.org, http://www.mybank.in
There were around 1578 existing TLDs (top-level domain extensions) as on 14-Jan-2020, compared with the 22 gTLDs (generic) that existed before the new-gTLD expansion; every additional TLD is another place where a brand name can be squatted.
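A cheap defence against cybersquatting is to generate the names a squatter would plausibly register and watch for them in certificate-transparency logs, newly-registered-domain feeds or the bank's own DNS logs. The Python generator below is an added example, not part of the original presentation; it uses the page's own mybank.com as the brand, a short illustrative TLD list, and a few common mutation classes (omission, transposition, repetition, homoglyphs, hyphenation, affixes). The variants it produces are combinatorial, not observed domains.

```python
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
COMMON_TLDS = ("com", "org", "net", "in", "co.in", "co", "info", "bank")   # illustrative subset


def squat_labels(label):
    """Mutations of one domain label in the ways typosquatters register them."""
    out = {label}                                     # same name, other TLD
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])            # omission:      mybnk
        out.add(label[:i] + ch + label[i:])           # repetition:    mybbank
        if i < len(label) - 1:                        # transposition: mybnak
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:                          # homoglyph:     myb4nk, rnybank
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i > 0:                                     # hyphenation:   my-bank
            out.add(label[:i] + "-" + label[i:])
    for suffix in ("1", "2", "s", "online", "secure", "login"):
        out.add(label + suffix)                       # affix:         mybank1
        out.add(label + "-" + suffix)                 #                mybank-login
    return out


def typosquat_variants(domain):
    """All label mutations crossed with common TLDs, minus the genuine domain."""
    label, _, _tld = domain.lower().partition(".")
    variants = {f"{name}.{tld}" for name in squat_labels(label) for tld in COMMON_TLDS}
    variants.discard(domain.lower())
    return sorted(variants)


def classify(candidate, genuine):
    """Label a newly observed domain relative to the brand's genuine domain."""
    candidate = candidate.lower()
    if candidate == genuine.lower():
        return "genuine"
    if candidate in set(typosquat_variants(genuine)):
        return "lookalike"
    if genuine.split(".")[0] in candidate.replace("-", ""):
        return "contains-brand"
    return "unrelated"


if __name__ == "__main__":
    for d in ("mybank1.com", "mybank.in", "mybnak.com", "rnybank.com", "mybank-customer-care.info"):
        print(d, "->", classify(d, "mybank.com"))
```

The "lookalike" and "contains-brand" classes are what a brand-protection team feeds into registrar take-down (UDRP) requests and into the blocklists on the bank's e-mail and web gateways; the page's own examples (mybank1.com, mybank.org, mybank.in) all come out as lookalikes.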
Cyber Stalking
- Sending threatening mails
- Sending anonymous mails
- Heads of organisations receive such mails very often
- Hoax calls
- Directly
- Indirectly
- From a masqueraded / spoofed IP address
Cyber Harassment
- With the popularity of social networking sites like Facebook, Twitter, Instagram etc. and tools & apps like WhatsApp, Skype, Viber etc., cyber crimes in this space are increasing.
- Cyber-harassment is a distinct cybercrime. Harassment can be sexual, racial, religious, or other. Persons perpetrating such harassment are guilty of cybercrimes.
- Cyber-harassment as a crime also brings us to another related area: violation of the privacy of citizens. Violation of the privacy of online citizens is a cybercrime of a grave nature.
Hacking
- Hacking is the act of an intruder accessing your computer system without your permission.
- Hackers are typically skilled programmers with an advanced understanding of computers, who misuse this knowledge for devious reasons.
- They are usually technology buffs with expert-level skills in a particular software, system or language.
- As for motives, there could be several, but the most common are simple human tendencies such as greed, fame, power, etc.
- Some do it purely to show off their expertise, ranging from relatively harmless activities such as modifying software (and even hardware) to do things outside the creator's intent; others just want to cause destruction.
Nigerian Scam / Lottery Frauds
- Nigerian frauds, the so-called "419" scams (named after the section of the Nigerian criminal code that deals with fraud), are basically lottery scams or offers to share a fake inheritance of huge money, in which overseas persons cheat innocent persons or organisations by promising a large sum in return for a nominal fee paid up front ("advance fee fraud").
- Never respond to such email / SMS invitations.
- In spite of these being age-old techniques with repeated warnings, people still respond to such email / SMS invitations and fall prey to such frauds.
- If you have fallen into such a scam, do not wait; approach the Cyber Crime branch of the Police immediately to stop further loss and for possible recovery.
SIM Swap
- A SIM swap scam, also known as SIM splitting, simjacking, SIM hijacking or port-out scamming, is a fraud that exploits a weakness in two-factor authentication and verification where the second step is a text message (SMS OTP) or voice call to one's mobile phone number.
- The scammers call your mobile carrier, impersonate you, claim to have lost or damaged the SIM card and obtain a new SIM with the victim's number. The number is thus ported to the fraudster's device; every OTP now reaches the fraudster, and the victim's handset loses network.
- A trick employed by fraudsters is to flood you with nuisance calls in the hope that you switch off the phone, so that you do not notice the loss of network that the swap causes.
- Never switch off the phone; rather, don't answer such calls. Presently, mobile operators in India send an SMS to alert the subscriber in case of a SIM card change request; this, together with a cooling period before OTP-based transactions are allowed on a newly issued SIM, can help you stop the fraud in quick time.
Newer & Disastrous Attacks
Botnet
- A “bot” is malicious software that enables cybercriminals to control your computer without your knowledge and use it to execute illegal activities, such as sending out spam, spreading viruses etc.
A Botnet is a large network of compromised computers.
Stuxnet
- It's been more than a decade since security researchers in Belarus first identified (in 2010) the worm that came to be known as Stuxnet, a sophisticated cyber weapon used in a multi-stage attack targeting the Siemens PLCs of the uranium enrichment facility in Natanz, Iran
Fastflux
- Fast flux is a DNS technique used to hide botnet infrastructure: the domain's DNS records have very short TTLs and resolve to a rapidly changing set of compromised hosts that act as proxies for the real back-end, so blocklists and take-downs lag behind and the criminals delay or evade detection.
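In passive DNS data, fast flux shows up as short TTLs combined with many distinct answer addresses spread across unrelated networks; a short TTL on its own is normal for a CDN. The following Python heuristic is an added example and not from the original presentation. The observations are constructed (invented addresses in documentation and shared-address ranges) and a /16 prefix stands in for the ASN lookup a real tool would perform; the thresholds are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed DNS observations: (seconds since start, name, answer IP, TTL).
# Addresses come from documentation / shared-address ranges and are invented.
OBSERVATIONS = [
    # a fast-flux name: tiny TTL, every lookup lands on a host in a different /16
    (0,    "pay-verify.example", "100.64.1.10",  60),
    (60,   "pay-verify.example", "100.70.2.11",  60),
    (120,  "pay-verify.example", "100.81.3.12",  60),
    (180,  "pay-verify.example", "100.99.4.13",  60),
    (240,  "pay-verify.example", "100.120.5.14", 60),
    (300,  "pay-verify.example", "100.77.6.15",  60),
    # a CDN-fronted site: also a short TTL, but the answers rotate inside one /16
    (0,    "static.cdn.example", "198.51.100.10", 60),
    (60,   "static.cdn.example", "198.51.100.11", 60),
    (120,  "static.cdn.example", "198.51.100.12", 60),
    (180,  "static.cdn.example", "198.51.100.10", 60),
    # a plain static host
    (0,    "www.mybank.example", "203.0.113.5", 86400),
    (3600, "www.mybank.example", "203.0.113.5", 86400),
]

MAX_TTL = 300               # seconds; flux networks keep TTLs low to rotate hosts quickly
MIN_DISTINCT_IPS = 5        # illustrative thresholds
MIN_DISTINCT_PREFIXES = 3   # /16 prefixes, a crude stand-in for "different networks/ASNs"


def summarise(observations):
    """Per-name statistics needed for the fast-flux heuristic."""
    rows = defaultdict(list)
    for _ts, name, ip, ttl in observations:
        rows[name].append((ip, ttl))
    summary = {}
    for name, answers in rows.items():
        ips = {ip for ip, _ in answers}
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        summary[name] = {
            "lookups": len(answers),
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "median_ttl": median(ttl for _, ttl in answers),
        }
    return summary


def is_fast_flux(stats):
    """Short TTL alone is normal (CDNs); the combination with high address and
    network churn is what marks a flux network."""
    return (stats["median_ttl"] <= MAX_TTL
            and stats["distinct_ips"] >= MIN_DISTINCT_IPS
            and stats["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES)


def flux_candidates(observations):
    """Names in the observation set that meet the fast-flux heuristic."""
    return sorted(name for name, st in summarise(observations).items() if is_fast_flux(st))


if __name__ == "__main__":
    for name, st in summarise(OBSERVATIONS).items():
        print(name, st, "FLUX" if is_fast_flux(st) else "")
```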
Cyber Crimes – What is different ?
- ANONYMITY
- NO PHYSICAL EVIDENCE / CLUES … (ALMOST)
- HIGH IMPACT & INTENSITY
- MANY TIMES FAR AWAY FROM THE SCENE OF CRIME
It’s Global, It’s Continuous, It’s Automated
WHAT IS CYBER CRIME ?
CRIME COMMITTED BY USING COMPUTER
- AS TOOL OR AS TARGET
- AGAINST A PERSON, NATION, AN ORGANISATION
LACK OF UNIFORM LAWS
- INFORMATION TECHNOLOGY ACT 2000, AMENDED 2008
- CRIME IN ONE COUNTRY NEED NOT BE A CRIME IN OTHER COUNTRY
- 154 countries (of which 95 are developing and transition economies) had enacted such legislation. However, more than 30 countries had no cybercrime legislation in place
Against Individuals
- Include various crimes like transmission of child-pornography, harassment of any one with the use of a computer such as e-mail, messaging, social networking
- The trafficking, distribution, posting, and dissemination of obscene material including pornography and indecent exposure, constitutes one of the most important Cybercrimes known today.
- A big threat to the growth of the younger generation, leaving irreparable scars and injury if not controlled.
- Stealing money or other personal information through leaking of Card details, Online Banking Credentials and other modes.
Against Organization / Country
- These crimes include computer vandalism (destruction of others' property) and transmission of harmful programs.
- Loss of money or business due to theft or destruction of IPR, secret technical information and business data through corporate cyber-espionage.
- DDoS attacks, denial of access to services or networks, ransomware and similar newer attacks.
- Cyberspace is being used for terrorism to threaten the governments and the citizens.
- Attacking government or military websites or information systems.
- Important public utility services including power, energy, transport, telecom, health, various other services are targets for these crimes.
Various Cyber attacks on Banks
- COSMOS Bank ATM switch – August 2018
- (the fraudsters compromised the bank's ATM switch and set up a proxy switch that answered the VISA and RuPay networks in place of the core banking system, approving about 12,000 transactions at ATMs in 28 countries and about 2,800 RuPay transactions in India)
- e-mail spoofing (Town Coop Bank-22.15 lakhs 2018)
- Mobile wallet - (Total 12 cr)
- UPI – (send money without debit to account BOM 12 Cr.)
- Cards – Cloning, Stealing & Sale of Bulk Card Data
- Online Banking – Stealing & mis-using credentials
- Mobile Banking – Mis-using, Credentials, Fake Apps
- Greek Banking system – 15000 card data of 4 banks misused through a travel portal – fraudulent transactions made.
- SWIFT - (Bangladesh Central Bank, SB Mauritius, Union Bank, PNB)
Cyber Fraud vs Crime
- Fraud is a crime carried out for financial gain.
- Cybercrime on the other hand can be executed for many reasons including political, passion and even opportunistically, purely because a vulnerability was there.
- Aside from reasons/motivation, two other key differences include the skill set needed to manage such threats and the delivery method of the event.
I.T. Frauds
- Fraud is deliberate deception to secure unfair or unlawful gain, or to deprive a victim of a legal right.
- Computer fraud is the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system.
- Internet Banking Fraud is a fraud or theft committed to illegally remove or use money from a bank account
- Generally this is a form of identity theft and is usually made possible through techniques such as phishing.
- Computer is used by Criminals either as a Tool or a Target
Impact of Cyber Crimes in Banks
- Characteristics of IT environment
- High volume and complexity
- Low visibility and distance is immaterial
- Fast changes due to new technology adoption
- High level of reliance on specialist knowledge
- Low level of human intervention
- Impact due to compromising of controls would be very high
Potential Risks for the Banks
- Financial loss
- Critical Data loss/breach
- Secrecy of Information Lost
- Loss of productivity due to business disruption,
- Cost of investigation
- Compensation to customers
- Reputational damage
- Regulatory penalties
- Costs of recovering from disruptions
- Investment loss - time notifying the relevant authorities and institutions of the incident.
Who could be threats to the Banks
- Cyber criminals may be an individual or a group of people that cause a malicious cyber attack on your business.
- Cyber criminals who can threaten your technology or data
- Criminals - out for financial gain or information, to illegally access your hardware and data or disrupt your business
- Clients you do business with – to compromise your information with malicious intent
- Business competitors – looking to gain an advantage over your business
- Current or former employees (Internal or Outsourcing Partners’) – who accidentally or intentionally compromise your information or data.
Types of Cyber Attacks
- Financial Frauds affecting customers / banks
- Data Leakages
- Data theft
- Insider threats
- Operational impact
Types of Threats to Banks
- Identity Theft
- Data Breach / Theft
- Data Leakage
- Hacking
- Phishing
- DDoS
- Ransomware
- Cyber Squatting
- Cards, ATM, Online Banking
- And so on
User Susceptibility to Fraud:
- Flipside of technology breakthroughs: the new technologies adopted by financial institutions are making them increasingly vulnerable to various risks such as:
- Phishing
- Identity Theft
- Card Skimming
- Vishing
- Smishing
- Viruses And Trojans
- Spyware And Adware
- Social Engineering
- Website Cloning
Identity Theft
- Identity theft, also known as identity fraud, is a crime in which an imposter obtains key pieces of personally identifiable information (PII), such as login id, password, financial data, health data, official identifiers, biometric data, in order to impersonate someone else.
- The information can be used to obtain credit, merchandise and services in the name of the victim or to provide the thief with false credentials. In addition to running up debt, in rare cases, an imposter might provide false identification to police, creating a criminal record or leaving outstanding arrest warrants for the person whose identity has been stolen.
ATM Frauds
- While ATMs are the most convenient option for withdrawing cash using an ATM card, debit card or credit card, ATMs are being used by fraudsters to withdraw money from accounts of other customers fraudulently. Types of ATM fraud include
- Card Skimming : Stealing of the electronic card data, enabling the criminal to forge the card for subsequent cash withdrawals.
- ATM "jackpotting": a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to dispense large volumes of cash on demand.
- Theft of card credentials: through phishing, vishing etc., for card-not-present (CNP) / e-commerce use.
Security in ATM, Cards
- After the EMV chip migration, cloning and skimming of the magnetic stripe are addressed to a large extent
- Cards are chip-based… but what about ATMs & PoS terminals that still fall back to the magnetic stripe?
- Swiping on PoS in many foreign countries is still without PIN
- Real-time Surveillance of ATMs
- Geo-tagging of Transactions
- Securing End User Devices
- NFC Card Shields (sleeves)
- Fraud Risk Management (FRM) techniques
- Velocity, Geo-tagging, Behavioural Patterns, Customer Risk Profiling, Txn matching, Cooling time needs
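The FRM techniques listed above become concrete as rules evaluated over the transaction stream. The following Python rules engine is an added example and not the presentation's or any bank's actual logic: it applies velocity, impossible-travel (geo), behavioural (amount-outlier) and cooling-time checks to a constructed scenario in which a SIM change is followed by a large UPI transfer and the card is then used abroad minutes after a domestic purchase. All thresholds, names and transactions are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    ts: datetime
    amount: float
    country: str      # where the card/device was used
    channel: str      # "pos", "atm", "ecom", "upi", "netbanking"


@dataclass
class Profile:
    avg_amount: float                 # rolling average from the customer's history
    last_credential_change: datetime  # last SIM change, password reset or new-device registration


VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3                      # 3 earlier transactions inside the window trips the rule
TRAVEL_WINDOW = timedelta(hours=2)    # two countries within this gap is physically implausible
AMOUNT_FACTOR = 5                     # outlier if more than 5x the customer's average
COOLING_PERIOD = timedelta(hours=24)  # remote channels restricted after a credential change
COOLING_CHANNELS = {"upi", "netbanking"}


def score_txn(txn, history, profile):
    """Apply each FRM rule to one transaction given the customer's earlier ones."""
    hits = []
    recent = [h for h in history if txn.ts - h.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        hits.append("velocity")
    if history:
        last = history[-1]
        if last.country != txn.country and txn.ts - last.ts <= TRAVEL_WINDOW:
            hits.append("impossible_travel")
    if txn.amount > AMOUNT_FACTOR * profile.avg_amount:
        hits.append("amount_outlier")
    if txn.channel in COOLING_CHANNELS and txn.ts - profile.last_credential_change <= COOLING_PERIOD:
        hits.append("cooling_period")
    decision = "block" if len(hits) >= 2 else ("review" if hits else "allow")
    return decision, hits


def evaluate(txns, profile):
    """Score transactions in time order; each one sees only what came before it."""
    history, results = [], []
    for txn in sorted(txns, key=lambda t: t.ts):
        results.append(score_txn(txn, history, profile))
        history.append(txn)
    return results


# Constructed scenario (not real data): SIM changed at 09:00, then a large UPI
# transfer, then the card used in another country minutes after a domestic purchase.
PROFILE = Profile(avg_amount=2500.0, last_credential_change=datetime(2024, 3, 24, 9, 0))
SCENARIO = [
    Txn(datetime(2024, 3, 24, 10, 0), 1500.0, "IN", "pos"),
    Txn(datetime(2024, 3, 24, 10, 30), 49000.0, "IN", "upi"),
    Txn(datetime(2024, 3, 24, 10, 32), 3000.0, "GB", "ecom"),
    Txn(datetime(2024, 3, 24, 10, 33), 1000.0, "GB", "ecom"),
    Txn(datetime(2024, 3, 24, 10, 34), 800.0, "GB", "ecom"),
]

if __name__ == "__main__":
    ordered = sorted(SCENARIO, key=lambda t: t.ts)
    for txn, (decision, hits) in zip(ordered, evaluate(SCENARIO, PROFILE)):
        print(txn.ts.time(), txn.channel, txn.amount, decision, hits)
```

Two design points worth noting: rules are scored on the transaction's own history only, so a single cheap ATM withdrawal is not blocked merely because a later one looks bad; and two independent hits escalate from "review" (step-up authentication or a call-back) to "block", which is how a cooling period after a SIM change stops the SIM-swap fraud described earlier even when the OTP itself is "correct".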
Types of Credit Card Frauds
- Card not present fraud : without the use of the physical card, mainly online or over the phone.
- Counterfeit and skimming fraud : when details are illegally taken to create a counterfeit credit card.
- Lost and stolen card fraud : cards that have been lost or stolen.
- Card never arrived fraud : occurs on cards ordered by a customer that they never receive.
- False application fraud : False application fraud occurs where the account was established using someone else’s identity or information.
Security in Online Banking
- Secure communication
- Secure the Device – PC, Mobile, Tablet
- Secure communication channel - connectivity
- Encryption of information on the network – TLS (the successor of SSL); look for https:// and a valid certificate
- Secure / Safeguard credentials from
- Capturing the Credentials thru devices (key loggers)
- Shoulder surfing
- Virus
- Network sniffing
- Social Engineering
- Two-factor / multi-factor authentication – OTP, hardware token or authenticator app (a CAPTCHA slows down automated attacks but is not an authentication factor)
Security in Online / Mobile Channels
- Unsecure Apps
- Unauthorised Apps
- Third Party Applications
- Secure Operating Systems
- Security Permissions
Cyber Security Agencies In India
National Cyber Security Policy
Government of India has come out with a National Cyber Security Policy
- a vision To build a secure and resilient cyberspace for citizens, businesses and Government
- a mission to protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation
- detailed objectives include creation of a secure cyber ecosystem, generating adequate trust and confidence in IT systems and transactions in cyberspace and thereby enhancing adoption of IT in all sectors of the economy.
Combating newer Cyber threats
“There are only two types of organisations: those that have been hacked and those that don’t know it yet!” - Former CISCO CEO John Chambers
- The Government has released multiple lists and banned a large number of malicious apps in India
- Many more such applications are under the Government's radar
- Google has also removed many apps from its store for suspicious behaviour, such as manipulating or stealing information and taking unauthorised control of devices
- Prominent Chinese mobile companies selling in India were forced to remove bloated Android builds carrying undesired pre-installed apps before manufacturing and selling handsets in India
CERT-In: Computer Emergency Response Team
- CERT-In has been operational since January 2004.
- Under the Information Technology (Amendment) Act 2008 (Section 70B), CERT-In is designated as the national nodal agency for responding to computer security incidents as and when they occur.
- Originally it was also the sole authority for issuing instructions for the blocking of websites: after verifying the authenticity of a complaint and satisfying itself that blocking was absolutely essential, CERT-In instructed the Department of Telecommunications (DoT) to block the website.
- Blocking orders under Section 69A are now routed through the Designated Officer in MeitY; CERT-In remains the incident-response agency.
CISO Forum for Banks
Chief Information Security Officers (CISO) Forum
IDRBT formed the CISO Forum in the year 2010 to provide a platform for CISOs of all banks
to discuss common security concerns in the Banking and Financial Sector and collaboratively provide solutions.
The mission of the CISO Forum is to:
- provide a platform for learning about the latest security technologies
- share day-to-day problems in implementing security in banks
- continuously upgrade the security posture of banks.
The Gopalakrishna Committee on Electronic Banking recognized this Forum
IB-CART: Indian Banks Centre for Analysis of Risks and Threats
- Indian Banks Centre for Analysis of Risks and Threats. Launched by IDRBT in March 2014
- IB-CART shares and disseminates information regarding physical and cyber events (incidents / threats / vulnerabilities) and corresponding solutions and resolutions associated with the bank's critical infrastructures and technologies.
- This is a first for the country and has become a model for other critical sectors. Modeled after ISACs (Information Sharing and Analysis Centers)
- 85 Members – Banks, NPCI, NHB, BSE, NSE, CCIL, IFTAS and ReBIT
- Daily alerts to members, Newsletters related to global Cyber Security events and vulnerabilities
- Members anonymously share the incident details occurred
IB-CART Objectives
- Disseminate and foster sharing of relevant and actionable threat information among members to ensure the continued public confidence in the banking sector.
- Leverage the sectors' resources (people, process, and technology) to aid the entire sector with situational awareness and advance warning of new physical and cyber security events and challenges.
- Enable a platform that ensures anonymity and security while capturing and disseminating information.
- Conduct research and intelligence gathering to alert the members of evolving or existing events
- Support the development of content that is posted to the IB-CART database, advice on mitigation steps or best practices to members
- Facilitate cross sector information exchange.
Awareness about Cyber Security
- Employees –
- Awareness of Policies & Procedures
- Awareness Programmes
- Security culture
- Customers
- Basic Awareness,
- Awareness Programmes
- RBI Kehta Hai, SMS, Email Campaigns, Roadshows
- Importance of Education
- Existing users, Children & Students at different levels
- Educating new generation
- Online Digital Life – Do’s & Don’ts
Fraud Prevention in Banks
Suggested Steps
- Employee Check – KYE
- Vendor Due Diligence
- Whistle Blower Policies
- Employee Code of Conduct / Service regulations
- Fraud Awareness Programmes / Trainings
- Fraud Risk Assessment / Risk Postures
Precautions - Best Practices
- Be cautious while opening email attachments received from unknown sender/domain
- Be sure before clicking URLs provided in email contents
- Avoid sharing personal information (password, PIN, card details etc.)
- Enforce strong passwords, and change passwords, PINs etc. regularly
- Keep a backup of your data at a protected location
- Install Anti-virus and anti-malware software and regularly update the same
- USB flash drives (pen-drives) are not to be used on PCs in the Bank's network
- Do not connect to the Internet from systems that are connected to the Bank's network
- On transfer, suspension or retirement, the employee's digital signature certificate should be revoked
- Do not install unauthorized software e.g. Freeware, shareware etc.
- Maintain clean desk and clear screen policy.
Cyber Security Controls
- Inventory Management & IT assets
- Prevention of unauthorized access
- Environmental controls
- Network Management & Security
- Secure Configuration
- Antivirus & Patch Management
- User Access control Management
- Secure Mail/ messaging system
- Removable media
- User awareness
- Customer education/ awareness
- Backup & restoration
- Vendor/ outsourcing risk management
- Continuous surveillance – cyber-SOC
100% network security is a myth
MOST COMPUTER CRIMINALS THRIVE NOT ON KNOWLEDGE BUT INSTEAD BLOSSOM DUE TO IGNORANCE ON THE PART OF USERS / SYSTEM ADMINISTRATORS