prevent banking frauds through identity management

Prevent banking frauds through identity management Luca Sciortino – Information Security, Banca Esperia Giuseppe Paternò – Director Digital, GARL Milan, 24th September 2013

Upload: garl

Post on 09-May-2015


DESCRIPTION

What is the difference between private and retail banking in fraud management? Significant use of mobile devices (tablets, smartphones, ...) and the growing number of frauds due to the human factor are changing private banking management. GARL's presentation at Forum Banca 2013 describes fraud risks for private banking and how to manage them in a prevention plan. The presentation was made in collaboration with Banca Esperia (Mediobanca group).

TRANSCRIPT

Page 1: Prevent banking frauds through identity management

Prevent banking frauds through identity management

Luca Sciortino – Information Security, Banca Esperia Giuseppe Paternò – Director Digital, GARL Milan, 24th September 2013

Page 2: Prevent banking frauds through identity management

About us

Luca Sciortino – Banca Esperia

•  Security manager with Banca Esperia

•  Experience in similar roles for international bank groups

•  Expert in programming, open source and IT security

Twitter: @sciortlu LinkedIn: www.linkedin.com/in/sciortlu Web Site: www.gruppoesperia.it

Giuseppe Paternò – GARL

•  Director Digital with GARL, bank of digital data founded in Switzerland in 2008

•  IT Consultant cooperating with Canonical and other big firms

•  In the past with Red Hat, Sun Microsystems and IBM

•  Researcher and professor at Trinity College Dublin

Twitter: @gpaterno LinkedIn: www.linkedin.com/in/gpaterno Web Site: www.garl.ch

Page 3: Prevent banking frauds through identity management

Boom time for frauds

Daily identity fraud attempts in Italy: 50

Time to discover an internal fraud: 18 MONTHS

Sources: Association of Certified Fraud Examiners, Clusit, Unicredit Group, CRIF

Page 4: Prevent banking frauds through identity management

How much do frauds cost?

5% of profits are lost to frauds: 3 TRILLION $ A YEAR

Cost of a single fraud discovered by one of the main American banks in March 2011: 10 MILLION $

Average of 1 out of 5 internal frauds in a calendar year: 1 MILLION $

Unrecoverable losses: 50%

Sources: Association of Certified Fraud Examiners, Clusit, Unicredit Group, CRIF - July 2013

Page 5: Prevent banking frauds through identity management

Internal vs. external frauds

External frauds

•  Many attempts

•  Low impact for the bank

Ex. Credit card skimming, debit cards, false bonds, false insurances, online frauds, identity theft, wire transfers

Internal frauds

•  Few attempts

•  High impact for the bank

Ex. Insider trading, roundings off, misappropriation of funds, confidential information leaking

Page 6: Prevent banking frauds through identity management


Internal frauds

More risks

More trust

Internal audit

policies

Page 7: Prevent banking frauds through identity management

Private banking and frauds, points of interest

Few VIP customers: Risk for accounts with substantial capital

Trust in the banker: The banker’s role is key in the relationship with customers

Market speculation: Personal speculations made by internal professionals

Reputation: Losing the trust of customers/market is a bigger damage than the fraud itself

Page 8: Prevent banking frauds through identity management

External frauds and private banking

Private banking: Lower risk of external frauds (less visibility and access compared to retail banking)

Retail banking: Higher risk of external frauds (public access to the core services)

Page 9: Prevent banking frauds through identity management

Human factor and frauds

Information leaking: Confidential data about VIP customers, personal assets, portfolio of investments

Mutual confidence among colleagues: Password exchange, use of applications forbidden by the security policies, …

Page 10: Prevent banking frauds through identity management

The role of identity in frauds

Transaction logging

Frequent access to VIP and high value accounts

Physical and logical access control

Application authorisation

Proven identity

Page 11: Prevent banking frauds through identity management


Identity management for frauds prevention

Forbidden and/or off-hour access

Counterfeiting of documents

Identity theft

Page 12: Prevent banking frauds through identity management

About Banca Esperia

Banca Esperia is the Private Banking boutique of Mediobanca and Mediolanum, for private and international clients. Born in 2001, the group is specialized in advisory services, financial services and wealth planning.

KPI

•  Personnel: 250

•  Private Banker: 76

•  Branches: 12

•  Total assets: € 14.3 billion (June 2013)

Branches

Page 13: Prevent banking frauds through identity management

SecurePass for digital identity protection

Identity management: The user is really who he claims to be – multifactor authentication

EMV cards: Identity cards for combined physical and logical access

Compliance: Compliant with EU regulations

Page 14: Prevent banking frauds through identity management

SecurePass guarantees digital identity of users

SecurePass manages the lifecycle of users from an easy-to-use web control panel

Group management

Audit and centralized management

Hosted in European datacenters by GARL

Page 15: Prevent banking frauds through identity management


SecurePass cloud service for identity theft prevention

SecurePass is the platform for digital identity protection

Military grade protection level

Covered by an insurance policy

From the experience and in collaboration with Swiss banks

Page 16: Prevent banking frauds through identity management

SecurePass security architecture

Centralized control

•  SecurePass identity verification

•  Verification of the location context (i.e. Internet, MPLS network, intranet, …)

•  Access authorization to applications

•  Centralized logging (who’s accessing what, from which IP, with which device/operating system and time of the day)

Applications

•  Double authorisation control over applications and on every application’s features

•  Tracking of single features, access to NDG, account number, etc.
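
Added example, not part of the original slides and not SecurePass code: the Python below runs two checks over a centralized access log of the kind this slide lists (who, what, source IP, device, time), flagging the off-hour access and the frequent access to VIP accounts named earlier in the deck. The log layout, user and account names, business hours and threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records, one access per line (assumed layout):
# timestamp user source_ip device account
SAMPLE_LOG = """\
2013-09-23T09:12:00 banker01 10.0.1.15 Windows7 ACC-1001
2013-09-23T09:40:00 banker01 10.0.1.15 Windows7 ACC-1002
2013-09-23T10:20:00 banker02 10.0.1.22 iPad ACC-2001
2013-09-23T11:05:00 banker01 10.0.1.15 Windows7 ACC-1001
2013-09-23T15:30:00 banker01 10.0.1.15 Windows7 ACC-1001
2013-09-23T23:47:00 banker02 192.0.2.44 Android ACC-1002
2013-09-21T14:00:00 banker03 10.0.1.30 Windows7 ACC-2002
"""

VIP_ACCOUNTS = {"ACC-1001", "ACC-1002"}  # assumed VIP / high-value accounts
WORK_START, WORK_END = 8, 19             # assumed business hours, Mon-Fri
VIP_DAILY_LIMIT = 3                      # assumed per-user daily threshold


def parse(log):
    """Turn each log line into a dict; malformed lines raise ValueError."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, device, account = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "device": device, "account": account})
    return events


def off_hour_access(events):
    """Accesses outside business hours or at the weekend."""
    return [e for e in events
            if e["time"].weekday() >= 5
            or not WORK_START <= e["time"].hour < WORK_END]


def frequent_vip_access(events):
    """(user, day) pairs with more VIP-account accesses than the limit."""
    counts = Counter((e["user"], e["time"].date())
                     for e in events if e["account"] in VIP_ACCOUNTS)
    return {key: n for key, n in counts.items() if n > VIP_DAILY_LIMIT}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for e in off_hour_access(events):
        print("off-hour:", e["user"], e["ip"], e["device"], e["time"])
    for (user, day), n in frequent_vip_access(events).items():
        print("frequent VIP access:", user, day, n)
```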

Page 17: Prevent banking frauds through identity management

Benefits for finance and banking

Outsourced identity management

Streamline access

Reduced operating risks

Page 18: Prevent banking frauds through identity management

Outsource identity management to a trusted third party

Reduce maintenance cost

Reduce internal fraud attempts

Latest identity fraud technologies

Guarantee personnel identification

Relieve the bank of responsibility (service covered by insurance)

Reducing human factor risks

Page 19: Prevent banking frauds through identity management

Centralized access

Single point of management

Reduction of risks related to authorisation and rights management

Improve users’ experience with Single Sign-On

Compliant with EU regulations (i.e. Italian “Garante della privacy II”)

Page 20: Prevent banking frauds through identity management

Operating risk reduction

Strengthen transaction control

Prevent information leaking

Double authorisation: customer is guaranteed of the truthfulness of the transaction

Page 21: Prevent banking frauds through identity management


Conclusions

Human factor is a risk for frauds in private banking

Identity management can mitigate risks

Multifactor authentication to guard access

Audit & Compliance

Page 22: Prevent banking frauds through identity management


Thank you