Computer Fraud & Security Bulletin
persons who said that they were responsible for information security, data security, computer security or network security. Respondents hailed from every major region in the USA, although most of the respondents were from the East Coast, the region where most of the large American banks have headquarters.
Preventivemeasure: physical damage to desktop computer terminals and peripherals, while lacking the ‘glamour’ of a master criminal hacking into a computer system, is a very common breach of computer security. The only way to guard against it is for the financial institution to implement an ongoing educative policy of persuading staff of the dangers of physical
damage. In particular, coffee cups should not be near allowed storage media, and communications cables should be thoroughly taped so that they do not provide potential tripping
Most respondents generally agreed that the traditional user-ID/fixed password combination provided an insufficient level of security. A number of the banks not using tokens indicated they were evaluating or in the process of implementing token systems. The survey indicates that identity tokens are now becoming a part of the standard-of-due-care in American banking. Readers with questions about this report can call + 1 4 15 332 7763, fax + 1 4 15 332 8032, or send E-mail to 3 [email protected]
/.com. The specific banks responding to the survey as well as their individual responses are considered confidential and will not be disclosed.
FRAUD PREVENTION AND COMPUTER SECURITY FOR FINANCIAL INSTITUTIONS - Part 2 James Essinger This is the conclusion of a two-part report which provides an over view of current thinking in maximizing the levels of fraud prevention and computer security for the financial community. Hazards and corresponding preventive measures common to retail and wholesale financial institutions Hazard physical damage to desktop computer terminals and peripherals (e.g. storage media such as discs, cabling).
hazards. Hazard introduction
of viruses, ‘logic bombs’ and
other rogue software software.
into the bank’s
Preventive measure introduce a policy of using special software to validate all software programs which are used by the financial institution for the first time. This special software is known as checksum software, and is able to determine whether a piece of software has been interfered with or altered in any way. Note that where a financial institution is developing a system based on various externally sourced packages, it is absolutely essential that no package is introduced into the system - even on a pilot basis - until the package has been thoroughly checked by the financial institution for possible viruses. In any case, checking all disks (data and software) for viruses prior to input should be a routine procedure. Hazard: illicit interference institution’s communications
with a financial system.
Preventive measures: .
Prevent illicit telephone access to a communications system (i.e. hacking) by instigating a routine procedure whereby all incoming calls are dealt with by being called back by a ‘dial-back’ before the call is proceeded with. The dial-back modem will require the would-be hacker to reveal his own telephone number, and this is usually enough to make the hacker stop the hacking attempt right away. Some dial-back systems are
Elsevier Science Ltd
programmed so that they can only call certain pre-arranged bona fide numbers. Where this is the case, a hacker who is not calling from these numbers will be unable to access the system even if he decided to proceed with the call. On this last point, a financial institution needs to make a policy decision on whether a ‘dial in’ facility from a computer that is being used in transit will be accepted, and where the bona fide user is making a call from a telephone number which, while simply being used because it happens to be in the vicinity, will not be identified as a recognised telephone number by the dial-back system. Financial institution staff and maintenance contractors may require access to the computer from a wide variety of locations. One way of dealing with this problem is to give these staff or contractors a portable security device which will work something like a portable PIN pad in order to allow them to establish their bona fide nature at a distance;
Use the technique of encryption (encoding) to prevent messages that are being sent across a communications system being read by an unauthorized person. Standard encryption systems - such as DES and RSA - are effectively impossible to break without the key, but as long as the recipient of the information has access to the key, the recipient will be able to read the incoming message; Use the technique of message authentication to prevent messages that are being sent across a communications system being interfered with (which is possible even if the message is encrypted) by an unauthorized person. Message authentication involves a piece of code being tagged onto the message, enabling the recipient to check whether the message has been interfered with: Do not make the communications system’s inter-face greet users too warmly until the user has established his bona fide nature. There
Elsevier Science Ltd
Fraud & Security Bulletin
have been cases in America where illicit users have been able to successfully plead in court that the system welcomed them warmly to use it, and that they can therefore hardly be blamed for using it, even though their use was illicit. Hazard illicit interference funds transfer systems.
with, and illicit use of,
Preventive measures: Control
to the financial
premises by means of a concerted policy of physical access control in the bank’s lobby; Control access to offices by means of an ‘electronic key’ system that requires bona fide staff to use an electronic token (such as plastic card with a magnetized stripe) in conjunction with a password or code number. Apart from the stringency of the control that it facilitates, the use of an electronic key enables a financial institution to keep a record (usually referred to as an audit trail) of who gained access to a particular room, and when; Control access to terminals by enforcing a strict password or code number policy when members of staff use a terminal. Make it a disciplinary offence to disclose a password or code number to fellow member of staff. An additional level of terminal control can be achieved by obliging staff to use an electronic token to access the terminal. Whether or not an electronic token is additionally used, the use of a personalized code number will allow the financial institution to create an audit trail of who used a particular terminal, when they used it, and the application they used it for. Hazard system.
of the computer
Preventivemeasure: a systems shutdown occurs when an entire computer system ceases to be operative. The causes are numerous and include: power failure, fire, manor physical accident or major software or hardware failure.
Computer Fraud & Security Bulletin
A systems shutdown can obviously have a devastating effect upon a financial institution; losing details of business currently passing through the front-office, losing it general
radiation which can be ‘read’ by an inductive process even where the reading equipment is some distance away from physical location of the computer hardware.
customer or client goodwill, causing major disruption of its back-office. Most financial institutions deal with this problem at the computer centre (where the host computer is located) by
having a fire control system in place (often incorporating halon gas, which drives combustible oxygen away from the immediate environment), an array of batteries for short-term power replacement and an externally-situated generator for longer-term power replacement. However, these provision still leave a problem if the computer centre meets with a catastrophe such as a major physical accident, a devastating fire or bomb. To protect against this eventuality, the financial institution should have access in an alternative site, with a host computer already in place and ready for operation, to which the financial institution can transfer its computing operations at short notice. Such a resource is known as a disaster recovery facility. It is essential for a financial institution to have access to such a facility. Because the likelihood of an individual financial institution actually needing to use its disaster recovery facility is small and the chances of two or more financial institutions needing to use the facility simultaneously are negligible (if this did happen, the agreement covering thefacilityought to provide for the other participating financial institutions to assist using their own spare computing capacity) it is quite feasible for several financial institutions to band together and fund a shared disaster recovery facility. However, many financial institutions prefer to have their own facility, believing that it is worth the additional expense in order to have access to a completely proprietary facility. Hazard: the electromagnetic induction threat. This is the threat of an unauthorized person being able to read data held on a computer system by deploying a variety of techniques which exploit the fact that all physical elements of a computer system emit electromagnetic
If possible, install all elements of the computer system as far as possible from exterior walls. This reduces the amount of electromagnetic radiation penetrating beyond the bank’s off ice; Where the threat is grave, a powerful defensive measure is to place a copper screen between the source of the electromagnetic radiation and the possible siting of the illicit detection device. Note that a standard exists for office cabinets which are designed to house computing equipment and thereby prevent, or greatly reduce, the emission of electromagnetic radiation. These cabinets are manufactured to the ‘Tempest’ standard, which originated at the UK Ministry of Defence. Hazard employing members of staff. Preventive
frauds and other breaches directed against a financial institution take place with the connivance of a corrupt ‘insider’ (i.e. existing member of staff) who has financial, social or personal problems which make him or her vulnerable. There have been cases were organized criminals have targeted a vulnerable insider, used their help to carry out the computer crime, got away with the money and left the insider to face the music. It is essential that the financial institution puts into place a vigorous and stringent personnel management policy which will reduce to a minimum the likelihood of corruptible staff being recruited in the first place, and maximize the chance of the fact of their potential corruptibility being spotted once they are working for the financial institution.
Elsevier Science Ltd
Computer Fraud & Security Bulletin
Key elements of this personnel policy are: Recruitment: recruitment,
impose strict honesty criteria for and take up all references;
Counselling; facilities should exist within the personnel department for staff with personal difficulties to obtain counselling or referral to an outside counsellor. Experience of computer crime cases has shown that where a corrupt insider has played a major role in perpetrating a computer crime, the initial source of the deviation from honest behaviour can often be traced back to the onset of a personal problem to which the employee could see no resolution; Monitoring by staff: staff should be encouraged to report, confidentially, on colleagues who seem to be displaying abnormal degrees of stress or behaving in a manner which suggests that they might constitute a security risk; Salary and incentives: these should be appropriate to the responsibilities of the staff concerned to ensure that the interests and objectives of employers and employees coincide. A comprehensive, practical training programme will encourage employees to consider career development within the institution and avoid the demoralization caused by lack of achievement; Dismissal and resignation procedures: these should take into account the damage which can be caused by a dishonest or disgruntled employee while serving a period of notice. If
Elsevier Science Ltd
an employee with access to the computer network is allowed to serve out his notice (which may not be advisable) logging on procedures should be changed to prevent the employee in question from using the network during this time; Holidays: staff particularly those with ‘hands-on’ responsibilities should be obliged to take their annual holidays. Failure to take leave sometimes displays a need to be continually near the system in order to conceal illicit activity on the system. It is often when a perpetrator is away that a fraud is detected; Monitoring of staff relationships: to prevent possible collusion between staff, husbands and wives should not be allowed to occupy positions which might tempt them to collude and compromise their honesty. The same applies to unmarried staff having an emotional liaison. Staff should be required to disclose these liaisons (which may, of course, not always be heterosexual) in confidence to the personnel manager; Identification of key staff: in every computer systems installation there are key staff whose work is of crucial importance for the success of the installation. These people should be identified, their activities monitored with particular care by management and, as soon as practicable, back-up staff should be trained to reduce the bank’s dependence on these key people. For maximum computer security, no one member of the bank’s technology team should be allowed to become indispensable.