Tom Glaessner, Thomas Kellermann, Valerie McNevin: Electronic Security and Payment Systems: Some New Challenges

Summary: This presentation discusses electronic security and payment systems and outlines some new challenges. It covers five topics: I) digital payment trends, including increased dependence on information technology and new technologies that depend on the Internet infrastructure; II) the nature of cyber threats, which are rising globally; III) e-risk market structure in emerging economies, where hosting services are concentrated; IV) a four pillar approach to electronic security involving legal frameworks, supervision, certification and standards, and layered security; and V) future challenges. It also walks through an intrusion scenario and lists selected technical weaknesses, PKI vulnerabilities and GSM vulnerabilities.

Electronic Security and Payment Systems: Some New Challenges

Tom Glaessner
Thomas Kellermann
Valerie McNevin
The World Bank
November 2003
Organization of Presentation
I. Digital Trends in Payments
II. Nature of the Threat
III. Market Structure and E-Risk in Emerging Economies
IV. A Four Pillar Approach
V. Future Challenges
Four Streams of E-Finance
(Figure: the four streams are EFT, EBT, EDI and ETC; number of global EFT transactions: 677,411,204)
I. Digital Trends in Retail Payments
Increased dependence on information technologies
The convergence of technologies
Leapfrogging opportunities provided by e-finance stimulate growth
The growth of wireless in EMG
New, interoperable technologies dependent on the Internet infrastructure: VoIP; satellite and cyber-location; e-commerce, retail and even micro-payments
Connectivity: Mobile Phones
(Chart: mobile phone use as a percentage of population in 1995, 1997, 1999 and 2001, for industrial economies, developing economies and total; the plotted values range from 2% to 71%)
World-Wide Cyber Attack Trends
(Chart, 1995 to 2002: malicious code infection attempts* on the left axis, 0 to 900M, and network intrusion attempts** on the right axis, 0 to 120,000. Milestones marked along the curve: polymorphic viruses (Tequila); mass mailer viruses (Love Letter/Melissa); zombies; denial of service (Yahoo!, eBay); blended threats (CodeRed, Nimda, Slammer))
* Analysis by Symantec Security Response using data from Symantec, IDC & ICSA
** Source: CERT; 2002 intrusion attempts were 82,094; the total for the first two quarters of 2003 was already 76,404
II. The Nature of the Threat
The threat is not new
A cyber world allows for crimes of greater magnitude with greater speed
Lack of incentives for reporting hides true e-security vulnerabilities
Cyber threats have been rising globally as technologies converge
Emerging markets are not immune
System Access: E-Risk and Fraud
System access in a networked environment
Access tools: hacking, software vulnerabilities, viruses, worms, Trojans, denial of service (DoS)
Types of e-fraud:
Identity theft
Extortion (reputation)
Salami slice
Funds transfer
Electronic money laundering
III. E-Risk Market Structure in Emerging Economies
Many emerging markets have concentrated provisioning of hosting services
Interlinked ownership: telecom companies, ISPs, e-security service companies, and banks
No real separate, independent e-security industry
Shortage of human capital in EMG in this area
IV. A Four Pillar Approach
Pillar 1
Legal Framework, Incentives, Liability
No one owns the Internet, so how can self-regulation work?
Basic laws in the e-security area vary a lot across countries, as do penalties
Defining a money transmitter
How to define a proper service level agreement (SLA)
Downstream liability
Issues in certification and standard setting
Pillar 2
Supervision and External Monitoring
Technology supervision and operational risk: retail payment networks; commercial banks; e-security vendors
Capital standards and e-risk
On-site IT examinations
Off-site processes
Coordination: between regulatory agencies; between supervisors and law enforcement
Cyber-risk insurance
Education and prevention
Pillar 3
Certification, Standards, Policies and Processes
Certification: software and hardware; security vendors; e-transactions
Policies
Standards
Procedures
Pillar 4
Layered Electronic Security
12 core layers of proper e-security
Part of proper operational risk management
General axioms in layering e-security:
Attacks and losses are inevitable
Security buys time
The network is only as secure as its weakest link
Intruder Begins Attack
1. The web server authenticates against the customer database.
2. Exploiting a hole in the Internet banking software, SQL insertion (SQL injection) is used to run system commands on the database server.
3. The attacker runs a command that opens a remote command shell.
Network is completely compromised
4. Now that the firewall security has been bypassed completely, the attacker uses the database server to take over the domain controller.
5. The domain passwords are cracked, and access to the administrator's workstation is now available.
6. The administrator accesses the mainframe from his desktop and saves all the passwords for easy access. A remote desktop is pushed back to the attacker.
7. The attacker can now access the mainframe as if he were sitting at the administrator's desk. Hmmm, what else can he access from here?
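The entry point of the scenario above, an Internet banking login that queries the customer database with unsanitized input, as an added example written for this page (it is not code from the presentation or from any banking product). It assumes a SQLite customers table constructed inline with made-up accounts; the escalation from SQL injection to operating-system commands on the database server depends on the database product and is not reproduced. The vulnerable login builds the query by string formatting, the safe login binds parameters, and an allowlist check on the username is shown as a second, independent layer in the spirit of the layered-security pillar.

```python
import re
import sqlite3

# Constructed sample data for the example. Plaintext passwords are kept here
# only to keep the demo short; a real system stores salted password hashes.
SAMPLE_CUSTOMERS = [
    ("alice", "hunter2", 1200),
    ("bob", "s3cret", 75),
    ("admin", "c0rrect-h0rse", 0),
]


def make_customer_db():
    """In-memory stand-in for the customer database the web server authenticates against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers (username, password, balance) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The hole: user input is pasted into the SQL text, so it can rewrite the query."""
    query = (
        "SELECT username FROM customers "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: values travel separately from the SQL and are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM customers WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def username_is_well_formed(username):
    """Independent layer: reject input that cannot be a legitimate username at all."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_customer_db()
    # Comment injection: the trailing -- discards the password check entirely.
    print(login_vulnerable(conn, "admin' --", "wrong"))             # admin
    # Tautology injection: every row matches, so the first customer is returned.
    print(login_vulnerable(conn, "x' OR '1'='1", "x' OR '1'='1"))  # alice
    print(login_safe(conn, "admin' --", "wrong"))                   # None
    print(login_safe(conn, "alice", "hunter2"))                     # alice
    print(username_is_well_formed("admin' --"))                     # False
```

The safe variant alone closes this hole; the allowlist check is there because the deck's axiom is that any single control can fail, and a username regex costs nothing while still stopping the payloads shown even if someone later reintroduces string-built SQL elsewhere.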
Select Weaknesses
Passwords
Over-reliance on encryption
Patch management
Rogue HTTP tunnels
Outsourcing
Wireless security
Technical Vulnerabilities of PKI
Keys can be:
Altered by a hacker
Captured through video viewing
Broken by parallel processing when of limited length
Stolen through manipulation of fake names and IDs
Compromised when password and token protection are cracked
Certificate Authorities can:
Have a different definition of trust
Operate with insecure physical and network security
Be broken into, and public key files altered
GSM Vulnerabilities
SIM card vulnerability
SMS bombs
Gateway vulnerability
WAP vulnerability
Man-in-the-middle attack
V. Challenges Ahead
Building awareness
Creating a culture of electronic security as part of business process
Building e-security considerations into investment planning and RFP design
Assuring proper development of the four pillars in emerging markets
World Bank Integrator Group 2003
For further information: www1.worldbank.org/finance (click on E-security)

[email protected]
