An Investigation into E-Banking Frauds and their Security Implications. By Kevin Boardman. Supervisor: John Ebden. 20 March 2004

Page 1:

An Investigation into E-Banking Frauds and their Security Implications 

By Kevin Boardman

Supervisor: John Ebden

20 March 2004

Page 2:

About me

Joint Computer Science and Information Systems Honours.

Interest in computer security and its implications in e-commerce.

Email: [email protected]

Page 3:

Definition of project in one sentence

An investigation into internet banking frauds, and how they are best avoided by banks on the internet.

Page 4:

The Problem and Background

Page 5:

Internet Banking statistics - Burrows [2004]

General increase in the use of internet banking around the world.

The number of online banking accounts in South Africa grew by 28% to 1.04 million in the last year. This growth is expected to reach 30% in 2004.

More than 162 million transactions worth around R198 billion were conducted via South Africa's online banking services last year.

17 percent of Americans used online banking services by the end of 2002 and this figure will continue to grow by 14 percent up to the end of 2007.

Page 6:

Fraud statistics

Fraud complaints rose by around two-thirds in the US according to the Federal Trade Commission (FTC) from 2001 to 2002.

Identity theft accounted for 43% of complaints.

The cost of fraud in 2002 was more than double that of 2001.

Page 7:

Fraud statistics (Continued)

[Chart: Internet-related frauds reported to Consumer Sentinel from 2001 to 2003. Y-axis: number of reported frauds (0 to 180,000); x-axis: 2001, 2002, 2003.]

Page 8:

Result of combination of statistics

“Hacker cleans out bank accounts.”

“Hundreds of thousands of rands stolen via Internet from Absa clients.”
– Who covers the costs? Irreversible damage to Absa’s image.

“New security fears for web banking”

“Banks 'must pay up if hacked'”
– According to the Electronic Communications and Transactions Act, the bank must refund customers if it can be proved that it did not provide a safe service.

Page 9:

Project Aims

Page 10:

Project Aims

Investigate the state of security of South African banking facilities and compare them with facilities used around the world.

Investigate internet banking cases in which security breaches occurred, such as ABSA.

Inquire into and compare the formal procedures and protocols (e.g. the Secure Electronic Transaction protocol) used by these banks.

Establish certain techniques that can be used to set up a secure internet banking environment.

Page 11:

So what is security?

Page 12:

Security Definition and Project scope

Computer security is a broad area of study.

Computer security: technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system – The Texas State Library and Archives Commission [2001].

Focus of the investigation will deal with aspects of security involving fraudulent intent; thus viruses, software bugs and operator errors will not be examined.

Page 13:

My intended approach

Page 14:

1) Do Literature Survey

The nature of this project is mainly investigative and therefore largely based on research.

Computer and E-commerce Security publications – provide background to security.

Journal articles, specific to internet banking security and fraud – provide specific insight into the problem.

Protocol specifications (e.g. the Secure Electronic Transaction protocol) and procedures – provide the specific, detailed workings of current security implementations.

Case studies – provide real life examples.

Page 15:

2) Case Study

A detailed analysis of some of the recent electronic banking security breaches will be undertaken in order to find common flaws and possible countermeasures.

Who committed the fraud.
– Insider versus outsider
– One person versus a group of people
– Fraudster’s motivation

How the breach occurred – weaknesses exposed.
– Insider information.
– Easily accessible confidential documentation.
– Dormant user accounts.

What techniques were used by the intruder.
– Packet sniffing.
– Password cracks.

Page 16:

Case Study (Continued)

What security measures were bypassed by the intruder.
– Encryption.
– Transfer limits.
– Regular changes in access codes.
– Firewalls.

How the breach was detected.
– Customer report or bank detection.
– Transfer and security logs.
– Paper trails (end of month reconciliation).

What damage was done by the intruder.
– Damage to system.
– Loss of money.

What countermeasures were put into place to prevent further attacks.
– End to end encryption techniques.
– Control of access to workstations.
– Firewalls.

Page 17:

3) Formulate countermeasures

Establish certain techniques and protocols that can be used to set up a secure internet banking environment.

Page 18:

Current Resources

Background
– Chapman, D.B., Zwicky, E.D. Building Internet Firewalls. O’Reilly and Associates, Inc., 1995. - Provides a background into state of the art firewalling techniques.

– Ahuja, V. Secure Commerce on the Internet. AP Professional, 1997. - Provides a broad background to security and E-commerce.

Journals
– Hutchinson, D., Warren, M. Security for internet banking: a framework. Published: 2003. Accessed: 5 March 2004. URL: http://thesius.emeraldinsight.com/vl=6457514/cl=37/nw=1/fm=html/rpsv/cw/mcb/09576053/v16n1/s7/p64 - Provides a framework for implementing secure internet banking which is very relevant to the subject.

– Eloff, J.H.P., Van Buuren, S. Framework for evaluating security protocols in a banking environment. In Computer Fraud and Security. Elsevier, 1998. - Provides a framework for security protocols that can be used to protect banking systems. The authors are South African, so hopefully an insight into the South African situation.

Page 19:

Resources (Continued)

– Radha, V. Preventing Technology Based Bank Frauds. Published: February 2004. Accessed: 11 March 2004. URL: <http://www.arraydev.com/commerce/JIBC/0402-05.htm> - Specifically deals with banking frauds.

– Rennhard, M., Rafaeli, S., Mathy, L. From SET to PSET – The Pseudonymous Secure Electronic Transaction Protocol. Published: August 2001. Accessed: 3 March 2004. URL: <http://www.tik.ee.ethz.ch/~rennhard/publications/PSET.pdf> - Gives insight into protocols such as SET used for secure credit card transactions.

Case Studies
– Henderson, I. Electronic funds transfer fraud. Published: December 2003. Accessed: 14 March 2004. Available: doi:10.1016/S1361-3723(03)00006-X - Anonymous case study involving electronic funds transfer fraud.

– Cohen, F. Breaking the Bank. Computer Fraud & Security, Volume 2002, Issue 11, November 2002, Pages 12-14. Available: doi:10.1016/S1361-3723(02)01109-0 - Anonymous case study.

Page 20:

The expected result

Evaluation of some of the current security protocols and procedures used in internet banking.

Exposure of security flaws in some of the major banking e-commercial systems.

Establish possible countermeasures to attacks and threats from internet banking security frauds.

Page 21:

Possible Extensions

Testing of some of the security software and hardware used for internet banking, in order to find flaws.

Consulting for banks on internet security issues.

Page 22:

Questions