
Saudi Arabian Monetary Agency

Banking Technology Department

Internet Banking Security Guidelines

 

v1.0

05 May 2001

Table of Contents

1.    Introduction
2.    Nature of Risk Exposure Related to Internet
2.1      Distinction of Risks at Service Level
2.2      Other Distinctions of Risk
3.    Control Objectives for Internet Banking
3.1      Data Confidentiality
3.2      Data and Message Integrity
3.3      Authentication
3.4      Non-Repudiation
3.5      Access Control
3.6      Network Security
3.7      Logging and Audit
3.8      System Availability
3.9      Customer Protection
3.10    Conclusion
4.    A Risk Management and Control Framework
4.1      Security Policies
4.2      Administrative and Procedural - HR and Business Controls
4.3      Technical - Control Methods
4.3.1   Cryptographic Techniques and Communications Security
4.3.2   Secure Payment on the Web
4.3.3   Management of Cryptographic Security Systems
4.3.4   Firewalls
4.3.5   Host System Security Methods
4.3.6   Control of Interfaces between the Bank Site and the Web
4.4      Recovery and Business Continuity
4.4.1   Business Continuity Plans
4.4.2   Cryptographic Business Continuity Planning
5.    Managing Outsourced Processes
5.1      Risks in Outsourcing Internet Banking
5.2      Control of Outsourcing and Monitoring of Arrangements
6.    Managing Customer Relationships
6.1      Risk Disclosure to Customers
6.2      Customer Education
7.    Central Bank Supervisory Approach
Appendix 1 - Specific Risk Control Measures
Appendix 2 - Access Security Options for Bank Web Servers
         Standard client certified web (HTTPS) plus physical token
         VPN secure client with physical token and application on CD
         Risk summary
         Issue matrix
         Vulnerable
         Vulnerable
Appendix 3 - Outsourcing Security Issues

1.      Introduction

            Internet banking services and products can provide significant new opportunities for banks. They may allow banks to expand their markets for traditional deposit-taking and credit extension activities, to offer new products and services, and to strengthen their competitive position in offering existing payment services. In addition, Internet banking can reduce a bank's operating costs.

 

            More broadly, the continued development of Internet banking contributes to improving the efficiency of the banking and payment system and to reducing the cost of retail transactions nationally and internationally. Consumers and banks are able to increase the efficiency with which they make or receive payments, and enjoy greater convenience. Internet banking may also increase access to the financial system for consumers who have previously found access limited.

 

            Given the degree of uncertainty about future technological and market developments in Internet banking, it is important that supervisory authorities avoid policies that hamper useful innovation and experimentation. At the same time, banks recognise that along with the benefits, Internet banking activities carry risks that must be balanced against the benefits.

 

            The purpose of this document is to provide guidelines and considerations for banking institutions as they develop methods for identifying, assessing, managing and controlling the risks associated with Internet banking. SAMA wishes to encourage the banks to develop a risk management process rigorous and comprehensive enough to deal with all known risks, and flexible enough to accommodate changes in the type and intensity of risks associated with internet banking. The risk management process can be effective only if it is constantly evolving.

 

            The remainder of this document is organised as follows. The next section identifies and categorises the risks that banks may face in Internet banking. Section 3 presents the control objectives a bank offering online services must meet in order to minimise those risks, and section 4 provides the risk management and control framework needed to reach them. Banks that decide to outsource their online service need to be aware of the risks that outsourcing introduces and of the methods for managing and monitoring them, described in section 5. Section 6 stresses the importance of managing the customer relationship: banks must inform their customers of the risks of using the Internet service and educate them in the safest way to use it. Lastly, section 7 outlines the supervisory approach which SAMA intends to adopt.

2.      Nature of Risk Exposure Related to Internet

Continuing advances in technology and its prominent role in commerce are leading financial institutions to the Internet in increasing numbers. Uses of the Internet range from information-only sites, through information transfer, to fully transactional sites on the World Wide Web (Web); in addition, Internet access may be available from inside as well as outside the institution. Regardless of the use, numerous risks exist which must be addressed within the bank's risk management programme. Security breaches due to the factors described below may currently be rare, but as banks expand their role in electronic commerce they could become prime targets for malicious activity.

    

2.1     Distinction of Risks at Service Level

Information Service (Low Risk)

This is the most basic form of online Internet service, providing one-way communication such as advertisements and promotional material. Even so, Web sites are frequent targets of defacement, in which the published information is altered or destroyed, resulting in reputational harm.

 

Interactive Information Exchange (Medium risk)

Customers are able to communicate with the bank, make account enquiries, fill in application forms, etc. The risk pertaining to such a site depends on whether it has any direct connection to the bank's internal network.

 

Transactional Service (High risk)

Allows customers to execute online transactions such as the transfer of funds, payment of bills, on-line shopping and other financial transactions, potentially including sale and purchase of securities; accordingly this is the highest risk category that requires the strongest control.

 

2.2     Other Distinctions of Risk

 

External Attacks

Internet-based attackers, commonly called 'hackers', pose the most publicised security challenge. They gain access to systems and the information they hold by exploiting flaws in the configuration of the Web server, in the server's operating system, or in the components of the Web pages themselves. The remote client machine (e.g. a PC) is also vulnerable to direct and indirect network attacks, and to physical attack.

 

Electronic eavesdropping is also a potential hazard, since the electronic emanations from a computer screen or cables can be detected and re-assembled into meaningful data.  Some organisations place their sensitive systems in specially screened rooms to prevent this.

 

 

Internal Attacks

Internal intrusion, the breaching of security by someone within the organisation who may legitimately have access to hardware and software components, is another area of concern. Internal attacks are among the most serious risks that a bank faces; they may be driven by the ambitions of insiders or initiated by outsiders through threats or blackmail. Duties must therefore be segregated: no one should have concurrent access to both production and backup systems (in particular to their data files and computer facilities), nor combine roles across operating systems, systems design and development, application maintenance, operations, database administration, etc.

 

Physical security and password security are paramount in controlling illegal activity within the site manager’s own organisation. Various technology-based means exist to mitigate the risks relating to internal attacks. These also provide protection against the other generic forms of attack. Common technology solutions include intrusion detection, event logging and monitoring, and software version control.

 

Malicious Code

The receipt or distribution of malicious code ('Trojan horses' or 'viruses') also creates security risks and, more commonly, direct harm to Internet-connected computers and programs. Many Web sites offer end-users the ability to upload and download files and programs; this is only one channel by which malicious code can spread, and others include e-mail (with or without attachments) and network access.

 

Denial of Service

Denial of service and availability must also be a primary concern for site managers. As if protection from interlopers and subversive elements were not enough of a concern, system downtime resulting from power failure, wide-area communications problems and natural disasters can also result in customer dissatisfaction and ultimately harm the site manager's company or group.

 

Mis-Service or ‘spoofing’

Mis-service is a type of attack targeting service providers that use open networks as an access channel, and it is often overlooked by service designers and system architects. In open networks, particularly the Internet, it is sometimes possible to impersonate a legitimate user or network entity, using techniques such as DNS or router subversion or subverting active content in a Web browser. The end result is that legitimate users are unwittingly connected to a fake (or subverted) network entity in order to defraud them or to discredit the provider. This type of attack can cause extensive reputational damage to an online service provider.

 

Negligence

Security-related negligence in the handling of sensitive data or the configuration of security systems can also be devastating. The best security systems incorrectly administered or improperly managed present increased risk potential. Inadequate policies and procedures can result in security failures or censure from regulatory agencies and auditors.

 

SAMA will expect banks to establish and enforce sound policies and procedures to address these risks. This document is intended to provide a framework for these to be established in a cost-effective way. The document should also provide a basis for scoping the necessary security training and awareness programmes for users and administrators alike.

 

3.      Control Objectives for Internet Banking

            Security threats arising from denial of service attacks, spoofing, sniffing, hacking and other forms of illicit activity require a security policy covering the following control objectives (some of which are described in more detail in the US FDIC's 'Security Risks Associated with the Internet'):

 

- Communication control
- Data confidentiality
- Data and message integrity
- Authentication of users and entities
- Non-repudiation of transactions
- Access control
- Network security
- Logging and audit
- System availability, resilience and disaster recovery
- Customer protection

3.1     Data Confidentiality

 

            This refers to the protection of the bank's sensitive information and online systems. It requires encryption appropriate to the type of risk present in the bank's networks and systems, with algorithms selected according to well-established international standards. Proper procedures and facilities for cryptographic key management are essential for the secure and reliable operation of every cryptographic security system.

 

            Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be read or modified by others. Given the volume of traffic and the many paths available for data to travel, it is unlikely that a particular transmission would be monitored at random. However, 'sniffer' programs can be placed at opportune locations on a network, such as on Web servers (computers that provide services to other computers on the Internet), to look for and collect specific types of data, such as account numbers (credit card, deposit or loan) or passwords. More sophisticated sniffers may, for example, look for trading activity in particular securities in order to trade on that knowledge.

 

            As mentioned in Mis-Service, attacks using spoof Web sites can occur, whereby an attacker seeks to fool legitimate users of an on-line service to use a false Web site instead of the genuine one. Given this situation, a user’s account login information may be stolen, or the communications between the user and the false site may be relayed to the real Web site. The latter form is known as a man-in-the-middle attack.

 

            Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.

 

3.2     Data and Message Integrity

 

            This refers to the accuracy, reliability, completeness and timeliness of information processed, stored or transmitted between the bank and its customers. The major risk is that the bank's systems can be reached by anyone, from anywhere, at any time.

 

Potentially, the open architecture of the Internet can allow those with specific knowledge and tools to alter or modify data during a transmission. Data integrity could also be compromised within the data storage system itself, both intentionally and unintentionally, if proper access controls are not maintained. Steps must be taken to ensure that all data is maintained in its original or intended form.

 

3.3     Authentication

           

Essential in electronic commerce is the need to verify that a particular communication, transaction, or access request is legitimate. To illustrate, computer systems on the Internet are identified by an Internet protocol (IP) address, similar to a telephone that is identified by a phone number. Through a variety of techniques, generally known as "IP spoofing" (i.e., impersonating), one computer can actually claim to be another. Likewise, user identity can be misrepresented as well. In fact, it is relatively simple to send an e-mail message that appears to have come from someone else, or even send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.

 

3.4     Non-Repudiation

 

Non-repudiation involves creating proof of the origin or of the delivery of data: proof of origin protects the recipient against a false denial by the sender that the data was sent, and proof of delivery protects the sender against a false denial by the recipient that the data was received. Proof of delivery is much harder to achieve than proof of origin. Non-repudiation of payment instructions should be of particular concern to banks. To ensure that a transaction is enforceable, steps must be taken to prevent parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions.
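The distinction between sections 3.2 and 3.4, integrity of a message versus proof of who originated it, is easiest to see in code. The following is an added example in Go and is not part of the SAMA guideline; the Instruction type, the account identifiers and the shared key are constructed for illustration. It authenticates the same payment instruction in two ways: with an HMAC under a key shared by customer and bank, which detects tampering in transit but lets either party produce a valid tag, and with an Ed25519 signature under the customer's private key, which only the customer can produce and anyone holding the public key can verify afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Instruction is a constructed payment instruction. Only its canonical byte
// form is authenticated, so the field order in Canonical must never change.
type Instruction struct {
	From, To string
	Amount   int64  // minor currency units, so no floating point
	Seq      uint64 // per-customer sequence number: without it a valid tag or signature could be replayed
}

func (i Instruction) Canonical() []byte {
	return []byte(fmt.Sprintf("from=%s;to=%s;amount=%d;seq=%d", i.From, i.To, i.Amount, i.Seq))
}

// Integrity with a shared key (HMAC-SHA256). Both the customer and the bank
// hold key, so a valid tag shows the bytes were not altered in transit but
// cannot show which of the two parties produced them.
func macTag(key []byte, i Instruction) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(i.Canonical())
	return m.Sum(nil)
}

func macOK(key []byte, i Instruction, tag []byte) bool {
	return hmac.Equal(tag, macTag(key, i)) // constant-time comparison
}

// Proof of origin (Ed25519). Only the holder of the customer's private key can
// produce the signature; anyone with the public key, including an auditor or
// a court, can check it later without any secret of the bank's.
func newCustomerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sign(priv ed25519.PrivateKey, i Instruction) []byte {
	return ed25519.Sign(priv, i.Canonical())
}

func sigOK(pub ed25519.PublicKey, i Instruction, sig []byte) bool {
	return ed25519.Verify(pub, i.Canonical(), sig)
}

func main() {
	// Constructed instruction and a version altered after the customer sent it.
	instr := Instruction{From: "ACCT-1001", To: "ACCT-2002", Amount: 150000, Seq: 42}
	forged := instr
	forged.Amount = 15000000

	shared := []byte("key-shared-by-customer-and-bank") // constructed; a real key comes from key management
	tag := macTag(shared, instr)
	fmt.Println("MAC verifies:", macOK(shared, instr, tag))
	fmt.Println("MAC detects tampering:", !macOK(shared, forged, tag))
	// The bank holds the same key, so it can mint a tag for an instruction the
	// customer never sent: a MAC is not evidence of origin against the bank.
	fmt.Println("bank can forge a MAC:", macOK(shared, forged, macTag(shared, forged)))

	pub, priv := newCustomerKeys()
	sig := sign(priv, instr)
	fmt.Println("signature verifies:", sigOK(pub, instr, sig))
	fmt.Println("signature detects tampering:", !sigOK(pub, forged, sig))
	// Without the customer's private key no other party can produce a signature
	// that the customer's public key accepts.
	_, bankPriv := newCustomerKeys()
	fmt.Println("bank cannot forge a signature:", !sigOK(pub, forged, sign(bankPriv, forged)))
}
```

The sequence number in Canonical is what stops a captured, correctly signed instruction from being submitted twice; the signature proves who wrote the instruction, not how many times it was sent.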

 

3.5     Access control

 

            Physical attack on equipment is a serious risk. At one extreme this may simply involve stealing passwords and using them on a legitimate machine standing in an unprotected area of an office. At the other extreme it may mean a physical attack on a device such as a PIN pad, using cryogenic techniques to defeat its tamper protection and extract the encryption keys stored in it. At both extremes it is necessary to ensure that devices cannot be reached by intruders, or by genuine staff intent on committing insider fraud. The control objective is to know who has access to particular machines and equipment, and to enforce that access with physical security doors, signing-in and signing-out procedures, etc.

            Beyond physical attack, however, lies virtual attack. Bank servers connected to the Internet are vulnerable to intrusion of various kinds, and if unauthorised parties gain access to the bank's servers, the bank's customers' systems may be put at risk too. The aim of network access control is to minimise these risks.

3.6     Network security

 

In general, banking systems assume that networks are not secure in themselves and that end-to-end security at the application level is therefore necessary. On an open network like the Internet, however, this is not achievable, because the client devices connecting to a bank's systems are unlikely to have the hardware security modules and software needed for it.

 

At present there is no globally accepted mechanism that overcomes these problems: the Secure Electronic Transaction (SET) protocol devised by Visa, MasterCard, Microsoft and others has not been generally accepted. The only de facto standard is Secure Sockets Layer (SSL), which is essentially a link-encryption mechanism securing the session between the browser on the client machine and the Internet-facing software on the host. Recent versions of SSL also provide some authentication, based on digital certificates, of the server and optionally of the client. This is probably the best achievable network security mechanism for Internet transactions at present, with two caveats: SSL protects data only in transit, not on either end system, and it is SSL's standardised successor, Transport Layer Security (TLS), that continues to be developed and deployed. It is expected that more acceptable versions of SET will be devised, and other suggestions have been made for a more rigorous approach to Internet transactions that does not depend on the network being secure.
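To make the certificate-based mechanism described above concrete, here is an added example in Go, not code from the guideline, using TLS (SSL's standardised successor, which is what the Go standard library implements). It builds an in-memory bank CA, issues a server certificate for the constructed host name bank.example and a client certificate for the constructed customer identity customer-0001, then runs the handshake over an in-memory pipe: the client authenticates the server by its certificate, and the server accepts the connection only when the client presents a certificate issued by the bank's CA, which is the 'client certified web (HTTPS)' option listed in Appendix 2. All names, serial numbers and the five-second deadline are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue returns a certificate for name signed by parent/parentKey, or
// self-signed when parent is nil (used for the bank's own CA).
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// dial runs one TLS handshake between the bank's server and a customer's
// client over an in-memory pipe and returns the greeting the server sends
// once it has identified the client from its certificate. When the client
// presents no certificate the server must refuse the connection.
func dial(withClientCert bool) (string, error) {
	ca, caKey, err := issue("bank-customer-ca", 1, true, nil, nil)
	if err != nil {
		return "", err
	}
	srvCert, srvKey, err := issue("bank.example", 2, false, ca, caKey)
	if err != nil {
		return "", err
	}
	cliCert, cliKey, err := issue("customer-0001", 3, false, ca, caKey)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	serverCfg := &tls.Config{
		MinVersion:             tls.VersionTLS12,
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // only bank-issued client certificates are accepted
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // keeps the in-memory pipe free of post-handshake traffic
	}
	clientCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    pool, // the browser trusts only the bank's CA for this service
		ServerName: "bank.example",
	}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}

	srvRaw, cliRaw := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	srvRaw.SetDeadline(deadline)
	cliRaw.SetDeadline(deadline)

	go func() {
		srv := tls.Server(srvRaw, serverCfg)
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			return // the rejection alert has already been sent to the client
		}
		who := srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(srv, "hello %s", who)
	}()

	cli := tls.Client(cliRaw, clientCfg)
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	greeting, err := io.ReadAll(cli) // ends at the server's close_notify, or fails on its alert
	return string(greeting), err
}

func main() {
	fmt.Println(dial(true))
	fmt.Println(dial(false))
}
```

The server identifies the customer from the certificate's subject rather than from anything the client typed, and a connection without a bank-issued certificate never reaches the application at all; what the example does not provide is the physical token that Appendix 2 pairs with the client certificate to keep the private key off the customer's disk.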

 

3.7     Logging and audit

 

            Logging of transactions and the various exchanges between computers during transactions is essential to provide a record of what data has actually passed between which machines in