電 子 銀 行 風 險 - 認 證 與 核 實. Fraud Risk Management The Past and the Future 欺 詐 風 險 管 理 - 過 去 與 未 來

Transcription

1 Hong Kong Clean PC Day 2009 Seminar 25 th November 2009 Protection from e-banking Threats Authentication & Verification 電 子 銀 行 風 險 - 認 證 與 核 實 Florence Tam Chairman,e-Banking Working Group, HKAB Senior Manager, Fraud Risk Asia Pacific, HSBC Fraud Risk Management The Past and the Future 欺 詐 風 險 管 理 - 過 去 與 未 來 1

2 Authorized Institutions (AIs) in Hong Kong E-Channels update as at end June 09 Number of AIs offering Internet Banking Services 60 Number of Personal Internet Banking (PIB) Accounts 5.9 million Number of Business Internet Banking (BIB) Accounts 440,000 The Past.the Present..the Future Face to face Signatures and ID Unsophisticated e- channels Transaction monitoring Risk identification Control focus stop fraud Product-based fraud teams Simplistic approach Relative stability Remote Credentials Sophisticated e- channels Customer monitoring Risk assessment Customer and business focus manage fraud Holistic fraud risk management teams Innovative approach Constant change 2

3 E-Channel Security Risks 電 子 交 易 渠 道 安 全 風 險 Recent Trends Increasingly sophisticated attacks; including phishing, spyware, Trojans and others. Larger scale attacks. Man in the Middle attacks. Malware sites/infections increasing. Social engineering to obtain personal and/or banking details. 3

4 Security Concerns Customer Disclosure (sometimes inadvertent) of security credentials. Customer computer security. Financial Institution Customer service focus Task focus Low fraud awareness Complexity Multiple and interlinked channels Need end to end focus Fraud Risk Mitigation Strategies 欺 詐 風 險 緩 解 策 略 4

5 Traditional Approach Focused on: Front Door Authentication User ID Password One size fits all solutions Fraud Risk Management Approach Not just customer authentication at log-on Layered defensive model Multiple tool sets Multiple tool sets Consider the end to end process Consider the impact on all other relevant processes Consider risk; including appetite 5

6 Prevention 預 防 方 法 Customer Education Security and Fraud Information on Public Website Fraud alerts Security tips Fraud reporting Leaflets General issues Industry initiatives 6

7 Customer Endpoint Security Security and Fraud Information on Public Website Anti-virus Firewall Anti-spam Anti-spyware Threat Detection Identify Fraudulent Websites Customer information Police Regulators Monitoring services Deactivate Websites Identify hosting sites / ISPs Liaise with law enforcement Analyse site Intelligence Threat awareness Information sharing Capture and analyse information 7

8 Monitoring Services Transaction Monitoring Activity Monitoring Customer Monitoring Authentication 認 證 方 法 8

9 The Need for Change Five years ago, financial institutions in Hong Kong affected by phishing incidents. Targeted due to the brand, size and local presence. Bank customers tricked into divulging Internet Banking credentials, resulting in fraudulent transfer transactions. The HKMA mandated that, by 30JUN05, all high risk transactions (e.g. unregistered third party transfers) must be protected by Two Factor Authentication (TFA). Factors to Consider Service registration Fulfillment Initial log-onon Lost tokens; forgotten IDs and passwords Channel limits and restrictions Transaction (or activity) confirmation options 9

10 Risk-Based Approach High Identity theft/fraud Low Enrolment Application Fraud High Low Bill Payment Balance Enquiry Small 3 rd Party Transfers Large 3 rd Party Transfers Card Replacement Compromise High View Statements Profile change New Beneficiary Low Log-in Common Infrequent Options and Confidence Levels No Authentication User Name + Password + Memorable Info. + OTP + Others Confidence Level Low Increasing 10

11 Fraud Monitoring 欺 詐 監 控 Fraud Monitoring Customer authentication and transaction confirmation provide assurance. Fraud Monitoring Systems provide an additional tool to protect the Bank and its customers. At a basic level, rules are designed to cover high risk scenarios. For example: Non-designated Third Party Transfers Activities from specific IP addresses Activities on newly registered accounts Multiple channels requires customer-level monitoring solutions 11

12 Analytics Analysis on Customer data Transaction data External data Device / network data To determine the appropriate action In Summary.. Online security is about reputational risk and as well as financial risk Online security will remain an ongoing challenge to Internet banking Customer and staff education never stops...nor does it get any easier as the degree of complexity increases The pace of business and technology change is accelerating rapidly and is becoming more challenging to manage..for Bank s and customers The speed and frequency of attacks will not slow down The key is to remain vigilant, constantly review internal processes, external data, market and online behaviour and ensure that a mitigation plan is in place and can be implemented at short notice. 12

13 Q & A Thank you 13