Raiffeisen E-Banking The security of Raiffeisen E-Banking Security on the Internet

Transcription

1 Security on the Internet Seite 1

2 Who is it? Michael Mäder Business Analyst Raiffeisen E-Banking Background 20 years experience of computer science (programming, project management, training) Infected since the beginning of the (commercial) Internet era in Switzerland at 1995 Seite 2

3 Security on the Internet says: The Internet is contaminates! 10% of the investigated 4.5 million websites contain trojans!!! Seite 3

4 Melde- und Analysestelle Informationssicherung MELANI Information about IT-Security Situation in Switzerland and International Seite 4

5 Security on the Internet > Kinds of infection Spam / Phishing Download Drive-by Infection: with infected attachments or links to infected software Protection: awareness spam/phishing filters updated security software Infection: Download of infected software or something others (images, movies, mp3, pdf, etc.) Protection: awareness updated security software Infection: By pure viewing a website! Protection: : Setting up a user with restricted rights! Seite 5

6 Security on the Internet > Drive-by-Infection The hacker takes control of the PC Infection: By pure viewing the website (IKEA just as a example) Seite 6

7 Security on the Internet > What happens to the infected PCs? Infection Spying / fraud BotNet Seite 7

8 Security in the E-Banking Seite 8

9 Security in the E-Banking Phishing Man-in-the-middle Man-in-the-browser Typ: Attack of the 1st Generation Typ: Trojans of the 2nd Generation Typ: Trojans of the 3rd Generation Threat rating: low Threat rating: medium Threat rating: high Seite 9

10 Security in the E-Banking > Phishing Seite 10

11 Security in the E-Banking Phishing Man-in-the-middle Man-in-the-browser Typ: Attack of the 1st Generation Typ: Trojans of the 2nd Generation Typ: Trojans of the 3rd Generation Threat rating: low Threat rating: medium Threat rating: hoch Seite 11

12 Reguläre E-Banking Zahlung Client PC Internet E-Banking Raiffeisen Customer makes a payment Seite 12

13 Infected client PC Internet E-Banking Hacker "Man-in-the-Middle" Hacker The hacker pretends logs informs to itself be with an e-the banking customer received site access that the Client data e-banking by transmitted the site client is PC the overloaded and access make data to payments the hacker Seite 13

14 Security in the E-Banking Phishing Man-in-the-middle Man-in-the-browser Typ: Attack of the 1st Generation Typ: Trojans of the 2nd Generation Typ: Trojans of the 3rd Generation Threat rating: low Threat rating: medium Threat rating: high Seite 14

15 Man-in-the-Browser! Infected client PC "Man in the Browser" Internet E-Banking Raiffeisen Customer makes a payment Payment details will be manipulate Seite 15

16 Different approaches, same goal Separate release for payment Separate customer equipment Seite 16

17 Security in the E-Banking > confirmation of payment Bankzahlung Schweiz CHF Steueramt St. Gallen, 9001 St. Gallen E-Banking Zahlung: 15' USD zugunsten von Konto RUS-93-BÖS Freigabe- Code A1B2 Seite 17

18 Security in the E-Banking > confirmation of payment Seite 18

19 Security in the E-Banking > protection measures Awareness Using an updated internet security suite Allways OS updates Login with mobile phones (SMS) Protection measures Fraud Detection Duplicate payment controls Ongoing security considerations Seite 19

20 Sicherheitsvorteile des Raiffeisen E-Banking 1. Raiffeisen Schweiz: secure and constantly monitored system trained staff (IT security experts, Call Center) closed cooperation with security companies, Federal government and other banks (secured and early knowledge) 2. Raiffeisenbank: Control and release of payments according to defined rules and regulations The customer consultant knows his customers Seite 20

21 And finally... Thank you for your attention and still enjoy yourself! Seite 21