Showing posts with label security. Show all posts
Friday, 17 January 2020
Sunday, 8 October 2017
TAXES
10:15
Sovereign Gold Bond Scheme
RBI/2017-18/71
IDMD.CDD.No.929/14.04.050/2017-18
October 06, 2017
The Chairman & Managing Director
All Scheduled Commercial Banks,
(Excluding RRBs)
Designated Post Offices
Stock Holding Corporation of India Ltd.(SHCIL)
National Stock Exchange of India Ltd. & Bombay Stock Exchange Ltd.
Dear Sir/Madam,
Sovereign Gold Bond Scheme
Government of India, vide its Notification F.No. 4(25)-B/(W&M)/2017 dated October 06, 2017, has announced the Sovereign Gold Bond Scheme. Under the Scheme, SGBs (the Bonds) will be issued in a series of weekly issuances, each open for subscription from Monday to Wednesday, starting from October 09, 2017. The Government of India may, with prior notice, close the Scheme before the specified period. The terms and conditions of the issuance of the Bonds shall be as follows:
1. Eligibility for Investment:
The Bonds under this Scheme may be held by a person resident in India, being an individual, in his capacity as such individual, or on behalf of a minor child, or jointly with any other individual. The Bonds may also be held by a Trust, Charitable Institution or University. “Person resident in India” is defined under section 2(v) read with section 2(u) of the Foreign Exchange Management Act, 1999.
2. Form of Security
The Bonds shall be issued in the form of Government of India Stock in accordance with section 3 of the Government Securities Act, 2006. The investors will be issued a Holding Certificate (Form C). The Bonds shall be eligible for conversion into de-mat form.
3. Date of Issue
The bond shall be issued on the first business day of next week for the applications received during a given week.
4. Calendar of Issuance:
The Sovereign Gold Bonds will be issued every week from October 2017 to December 2017 as per the calendar specified below:
S.No  Period of Subscription          Date of issuance
1.    October 09-11, 2017             October 16, 2017
2.    October 16-18, 2017             October 23, 2017
3.    October 23-25, 2017             October 30, 2017
4.    October 30-November 01, 2017    November 06, 2017
5.    November 06-08, 2017            November 13, 2017
6.    November 13-15, 2017            November 20, 2017
7.    November 20-22, 2017            November 27, 2017
8.    November 27-29, 2017            December 04, 2017
9.    December 04-06, 2017            December 11, 2017
10.   December 11-13, 2017            December 18, 2017
11.   December 18-20, 2017            December 26, 2017
12.   December 26-27, 2017            January 01, 2018
5. Denomination
The Bonds shall be denominated in units of one gram of gold and multiples thereof. Minimum investment in the Bonds shall be one gram with a maximum limit of subscription of 4 kg for individuals, 4 kg for Hindu Undivided Family (HUF) and 20 kg for trusts and similar entities notified by the government from time to time per fiscal year (April – March), provided that
annual ceiling will include bonds subscribed under different tranches during initial issuance by Government and those purchased from the secondary market; and
the ceiling on investment will not include the holdings as collateral by banks and other Financial Institutions.
6. Issue Price
Price of the Bonds shall be fixed in Indian Rupees on the basis of the simple average of the closing price of gold of 999 purity published by the India Bullion and Jewelers Association Limited for the last three business days of the week preceding the subscription period. The issue price of the Gold Bonds will be ₹ 50 per gram less than the nominal value for investors who apply online and pay through digital mode.
7. Interest
The Bonds shall bear interest at the rate of 2.50 percent (fixed rate) per annum on the amount of initial investment. Interest shall be paid in half-yearly rests and the last interest shall be payable on maturity along with the principal.
8. Receiving Offices
Scheduled Commercial Banks (excluding RRBs), designated Post Offices (as may be notified), Stock Holding Corporation of India Ltd (SHCIL) and recognized stock exchanges viz., National Stock Exchange of India Limited and Bombay Stock Exchange Ltd. are authorized to receive applications for the Bonds either directly or through agents.
9. Payment Options
Payment shall be accepted in Indian Rupees through cash up to a maximum of ₹ 20,000/- or Demand Drafts or Cheque or Electronic banking. Where payment is made through cheque or demand draft, the same shall be drawn in favour of receiving office.
10. Redemption
i) The Bonds shall be repayable on the expiration of eight years from the date of issue of the Gold Bonds. Premature redemption of the Bond is permitted from the fifth year from the date of issue, on the interest payment dates.
ii) The redemption price shall be fixed in Indian Rupees and the redemption price shall be based on simple average of closing price of gold of 999 purity of previous 3 business days from the date of repayment, published by the India Bullion and Jewelers Association Limited. The receiving office shall inform the investor of the date of maturity of the Gold Bond one month before its maturity.
11. Repayment
RBI/depository shall inform the investor of the date of maturity of the Bond one month before its maturity.
12. Eligibility for Statutory Liquidity Ratio (SLR)
The holding of these Bonds by banks as collateral shall be counted towards Statutory Liquidity Ratio holding.
13. Loan against Bonds
The Bonds may be used as collateral for loans. The Loan to Value ratio will be as applicable to ordinary gold loan mandated by the RBI from time to time. The lien on the Bonds shall be marked in the depository by the authorized banks.
14. Tax Treatment
Interest on the Bonds shall be taxable as per the provisions of the Income-tax Act, 1961. The capital gains tax arising on redemption of SGB to an individual has been exempted. Indexation benefits will be provided for long term capital gains arising to any person on transfer of the Bond.
15. Applications
Subscription for the Bonds may be made in the prescribed application form (Form ‘A’) or in any other form as near as thereto stating clearly the grams of gold and the full name and address of the applicant. The receiving office shall issue an acknowledgment receipt in Form ‘B’ to the applicant.
16. Nomination
Nomination and its cancellation shall be made in Form ‘D’ and Form ‘E’, respectively, in accordance with the provisions of the Government Securities Act, 2006 (38 of 2006) and the Government Securities Regulations, 2007, published in part III, Section 4 of the Gazette of India dated December 1, 2007.
17. Transferability
The Bonds shall be transferable by execution of an Instrument of transfer as in Form ‘F’, in accordance with the provisions of the Government Securities Act, 2006 (38 of 2006) and the Government Securities Regulations, 2007, published in part III, Section 4 of the Gazette of India dated December 1, 2007.
18. Tradability of bonds
The Bonds shall be eligible for trading from such date as may be notified by the Reserve Bank of India.
19. Commission for distribution
Commission for distribution shall be paid at the rate of rupee one per hundred of the total subscription received by the receiving offices on the applications received and receiving offices shall share at least 50% of the commission so received with the agents or sub-agents for the business procured through them.
20. All other terms and conditions specified in the notification of Government of India in the Ministry of Finance (Department of Economic Affairs) vide number F. No.4(13) W&M/2008, dated 8th October 2008 shall apply to the Bonds.
21. Operational guidelines relating to Sovereign Gold Bonds are issued vide circular IDMD.CDD.No.927/14.04.050/2017-18 dated October 06, 2017.
Yours faithfully,
(Shyni Sunil)
Deputy General Manager
Encls.: As above.
Sunday, 23 April 2017
security
15:36
Mastercard next gen biometric card combines chip with fingerprints
Mastercard has unveiled the next generation biometric card, combining chip technology with fingerprints to conveniently and safely verify the cardholder’s identity for in-store purchases.
South Africa is the first market to test the evolved technology, with two separate trials recently concluded with Pick n Pay , a leading supermarket retailer, and Absa Bank, a subsidiary of Barclays Africa.
The new card builds on fingerprint scanning technology used for mobile payments today and can be used at EMV terminals worldwide.
“Consumers are increasingly experiencing the convenience and security of biometrics,” said Ajay Bhalla, president, enterprise risk and security, Mastercard.
“Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security. It’s not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected.”
How it works
A cardholder enrolls their card by simply registering with their financial institution. Upon registration, their fingerprint is converted into an encrypted digital template that is stored on the card. The card is now ready to be used at any EMV card terminal globally.
When shopping and paying in-store, the biometric card works like any other chip card. The cardholder simply dips the card into a retailer’s terminal while placing their finger on the embedded sensor.
The fingerprint is verified against the template and – if the biometrics match – the cardholder is successfully authenticated and the transaction can then be approved with the card never leaving the consumer’s hand.
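The split the three paragraphs above describe (template enrolled and kept on the card, terminal learns only accept or reject) as a simulation. This is an added example, not Mastercard's or any vendor's code: the 256-bit feature vector, the Hamming-distance threshold, the noise model for a rescan and the three-try lockout are all constructed assumptions; real cards store minutiae in a secure element and use proprietary matchers.

```python
import secrets

# All sizes and thresholds below are constructed for the simulation,
# not taken from any real card or sensor.
TEMPLATE_BITS = 256     # assumed length of the feature vector
MATCH_THRESHOLD = 40    # assumed: accept when at most this many bits differ
MAX_TRIES = 3           # assumed: consecutive failures before the card locks


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature vectors."""
    return bin(a ^ b).count("1")


class BiometricCard:
    """Card side of match-on-card: keeps the enrolled template and does the
    comparison itself. No method returns the template; the only thing that
    crosses the card/terminal boundary is an accept/reject verdict."""

    def __init__(self, template: int):
        self._template = template
        self._tries_left = MAX_TRIES

    @property
    def tries_left(self) -> int:
        return self._tries_left

    def verify(self, sample: int) -> bool:
        if self._tries_left == 0:
            return False                       # locked: refuse even a genuine finger
        if hamming(sample, self._template) <= MATCH_THRESHOLD:
            self._tries_left = MAX_TRIES       # success resets the counter
            return True
        self._tries_left -= 1
        return False


def enroll(scan: int) -> BiometricCard:
    """Issuer-side enrolment: the scan becomes the on-card template."""
    return BiometricCard(scan)


def rescan(template: int, flips: int, rng: secrets.SystemRandom) -> int:
    """Constructed stand-in for a second scan of the same finger: the same
    vector with `flips` random bits disturbed by sensor noise."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def terminal_checkout(card: BiometricCard, sample: int, amount_cents: int) -> dict:
    """Terminal side: forwards the live sample to the card and acts on the
    verdict. It never sees the stored template."""
    approved = card.verify(sample)
    return {"approved": approved, "amount_cents": amount_cents if approved else 0}


def demo() -> dict:
    rng = secrets.SystemRandom()
    genuine = rng.getrandbits(TEMPLATE_BITS)
    card = enroll(genuine)
    results = {}
    # Same finger, a little sensor noise: accepted.
    results["genuine"] = terminal_checkout(card, rescan(genuine, 12, rng), 1999)["approved"]
    # Unrelated finger: on average 128 of 256 bits differ, far above the threshold.
    impostor = rng.getrandbits(TEMPLATE_BITS)
    results["impostor"] = terminal_checkout(card, impostor, 1999)["approved"]
    # Repeated impostor attempts exhaust the try counter ...
    for _ in range(MAX_TRIES):
        card.verify(impostor)
    # ... after which even the genuine finger is refused until the issuer unblocks.
    results["locked_out"] = not card.verify(genuine)
    return results
```

The property worth noticing is the interface: `terminal_checkout` never receives anything but a verdict, so a compromised terminal cannot harvest templates. The threshold sets the trade-off between false accepts and false rejects, and the lockout bounds an attacker's guesses the way an EMV PIN try counter does; neither helps against a copied finger presented to the card's own sensor, which is the attack the industry comments further down describe.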
Benefits
Authenticating a payment transaction biometrically – in this instance via a fingerprint – confirms in a unique way that the person using the card is the genuine cardholder.
Merchants can easily maximize the shopping experience delivered to their customers, as the card works with existing EMV card terminal infrastructure and does not require any new hardware or software upgrades.
For issuers, the technology helps detect and prevent fraud, increase approval rates, reduce operational costs and foster customer loyalty. Additionally, a future version of the card will feature contactless technology, adding to the simplicity and convenience at checkout.
Trials underway
The recent South African trials mobilized employees from Pick n Pay and Absa Bank to test the potential ways convenience and security could contribute to the checkout process. Over the next few months, additional trials will be conducted with the biometric card. A full roll out is expected later this year.
Richard van Rensburg, deputy CEO of Pick n Pay, said: “We are delighted that this innovation has been trialed for the first time at Pick n Pay stores in South Africa. Biometric capability will mean added convenience and enhanced security for our customers.
"The technology creates a platform on which we can further our strategy of personalizing the shopping experience in a meaningful way. We have been extremely impressed with the robust and secure nature of the technology.”
For Absa, the biometric card forms part of the bank’s strategy to test and develop sophisticated technology capabilities designed to improve its payment operations and client service, reduce risk, and make banking easier and even more secure for its customers.
“We are very proud to be the first bank in Africa to test – in a real payment environment – the single-touch authentication technology that will unlock the benefits of biometrics,” said Geoff Lee, head of card and payments at Absa Retail and Business Banking.
“The technology will effectively enable our customers to rely on their unique fingerprints to make payments in a face-to-face environment. Following the test period, we will make it available to our customers in a way that is affordable, reliable, and convenient and, most importantly, extremely secure.”
Industry comments
Tim Erlin, VP at Tripwire, said: “The payment card industry is always looking for technology that removes friction from the buying process. Security, while absolutely necessary, is a major source of friction.
"The use of fingerprints for authentication isn’t new, and there are known flaws. Using fingerprints at the point of sale is an improvement over the use of PINs or signatures, both in security and convenience.
"Criminals are adept at adapting, and there should be little doubt that any widespread payment technology will be challenged. Security is never completely foolproof, but the objective isn’t perfection; it’s profit.”
Mark James, IT Security Specialist at ESET, commented: “We have long been plagued by the simple forms of protecting our data and/or identity using four-digit codes or usernames and passwords. Whenever a new process is available we typically look at the security implications and possible vectors of attack, and rightly so; security should be a big concern, reviewed and improved where possible.
"However, we should also embrace the fact that it’s a lot safer than a four digit code. Biometrics are a good way to secure our everyday items that need that extra layer to keep our data safe.
"There are measures that can be used to protect the storage of the biometric data and of course proof of concept will dictate that someone somewhere has the means to copy your fingerprint, through “finding” a mug that you have used and duplicating your fingerprint and use it with your card. I for one welcome the extra security and would embrace any method of moving away from an antiquated four digit code.”
Dr Anton Grashion, MD, Security practice, at Cylance, added: “Anything that makes credit card transactions more secure without adding a burden on the user is to be welcomed. Security of the biometric data would obviously be very important as well as the infrastructure that supports the system.
"It’s not always the obvious point of use that becomes the weakest security spot but in general where we add additional layers we sometimes add additional opportunities for exploitation.”
Additional trials are being planned in Europe and Asia Pacific in the coming months.
Source:URL
Wednesday, 12 April 2017
security
18:15
Virtual Currencies
Reserve Bank of India, vide, its Press Release dated February 01, 2017 has advised that it has not given any license / authorization to any entity / company to operate schemes or to deal with Bitcoin or any virtual currency. As such, any user, holder, investor, trader, etc. dealing with Virtual Currencies will be doing so at their own risk.
Reserve Bank of India had issued cautionary advice to the users, holders and traders of Virtual Currencies (VCs) including Bitcoins about the potential financial, operational, legal, customer protection and security related risks that they are exposing themselves to , vide, its press release dated December 24, 2013.
The creation, trading or usage of VCs including Bitcoins as a medium of payment is not authorized by any central bank or monetary authority. No regulatory approval, registration or authorisation has been obtained by the entities concerned for carrying on such activities.
The absence of counterparties in the usage of VCs including Bitcoins for illicit and illegal activities in anonymous/pseudonymous systems could subject the users to unintentional breaches of anti-money laundering and combating the financing of terrorism (AML/CFT) laws.
This was stated by Shri Arjun Ram Meghwal, Minister of State in the Ministry of Finance in written reply to a question in Rajya Sabha on 11.04.2017
Source:PIBNEWS
Monday, 3 April 2017
security
07:11
Central Government plans to change security marks of banknotes every 3-4 yrs
To check counterfeiting, the government plans to change security features of higher denomination banknotes of Rs 2,000 and Rs 500 every 3-4 years in accordance with global standards.
The move comes in the wake of recovery of a large amount of fake Indian currency notes in last four months after demonetisation.
The issue was discussed threadbare at a high-level meeting on Thursday attended by senior officials of the ministries of Finance and Home, including Union Home Secretary Rajiv Mehrishi.
Advocating the move, Home Ministry officials said most of the developed countries change security features of their currency notes every 3-4 years and therefore, it is absolutely necessary for India to follow this policy.
The change in design of Indian currency notes of higher denominations was long due. Till its demonetisation, there had been no major change in the Rs 1,000 note since its introduction in 2000. Changes in the old Rs 500 note, which was launched in 1987, were carried out more than a decade ago.
The newly introduced notes had no additional security features and were similar to those in the old Rs 1,000 and Rs 500 notes, officials said.
A close look by the investigators on some of the recently seized fake notes found that at least 11 of the 17 security features in the new Rs 2,000 notes had been replicated.
These included the transparent area, watermark, Ashoka Pillar emblem, the letters Rs 2000 on the left, the guarantee clause with the Reserve Bank of India Governor's signature and the denomination number in Devanagari on the front, officials said.
Besides, the motif of Chandrayaan, the Swachh Bharat logo and the year of printing had been copied on the reverse side. Although the print and paper quality of the seized counterfeits was poor, they resembled genuine notes.
The officials said the change of security features of currency notes in every 3-4 years will lead to curbing of counterfeiting to a great extent.
Those who were arrested recently along with fake notes with face value of Rs 2,000 have told investigators that the notes were printed in Pakistan with the help of the Inter Services Intelligence (ISI) and had been smuggled into the country through Bangladesh, the officials claimed.
A study conducted by the Indian Statistical Institute, Kolkata, in 2016 pegged the value of fake Indian currency notes in circulation at Rs 400 crore.
Source:Business Today
Friday, 24 March 2017
volume of transactions
15:50
PAN to lose its validity? Aadhaar may replace PAN for individuals in future
However, the income-tax department does not have any timeframe as of now for phasing out PAN
Permanent account numbers (PAN) may be phased out in the future for individuals, but such numbers may remain there for companies.
An official said there is a possibility in the future when Aadhaar card may become the sole identity card for citizens.
However, the income-tax department does not have any time frame as of now to phase out PANs.
The Finance Bill, approved by Parliament, will make Aadhaar cards mandatory for filing income tax returns and applying for permanent account number (PAN).
Replying to a debate over the finance Bill in Parliament, Finance Minister Arun Jaitley had said it might become the only identity card and may replace PAN and voter identity card in the future.
In fact, Mohammed Salim of CPI (M) had raised this issue and expressed wonder as to why Aadhaar number can't be used for all the purposes to even replace PAN.
To this, the finance minister had said, "A stage may come when unique identity card (Aadhaar) may become the sole card. There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."
Making Aadhaar mandatory for I-T returns would plug the loopholes of duplicate PANs used by some assessees to hide their identities.
As many as 98 per cent adults in the country have Aadhaar cards or have applied for the same and the technology should be used to curb tax evasion.
The government finds it appropriate to use Aadhaar for anti-evasion as some assessees are using five PANs each to dodge the system and evade taxes.
Bhartruhari Mahtab of Biju Janata Dal had referred to the Supreme Court's ruling last year that Aadhaar is not mandatory and wanted to know whether the government was "forcing" people to have it.
"Yes, we are," Jaitley had said, adding, "If the technology, which has a network of 1.08 billion people and all tax-paying households have it, and they give it along with their ITR, then the scope for fraud and tax evasion comes down."
Aadhaar has biometric details, so its chances of misuse become minimal, the finance minister had said.
"When the country has so much technology, and when it is being put to use, then why create such a hue and cry about it? It is an anti-evasion measure which will benefit the country. So the government considers it right to implement it," he had said.
Jaitley said the UIDAI had been conceptualised by the previous UPA dispensation and the NDA government is putting it to use with 98 per cent adults or more than 108 crore people in India having been issued Aadhaar number.
"We have kept a provision that a person who does not have Aadhaar can say I have applied for Aadhaar. We can't allow people to say I will not make Aadhaar, but through multiple PAN cards will continue to evade taxes," he said.
Source:Business Standard
Monday, 12 December 2016
security
10:02
Security and Risk Mitigation measure
RBI/2016-17/178
DPSS.CO.OSD.No.1485/06.08.005/2016-17
December 09, 2016
All Prepaid Payment Instrument Issuers,
System Providers, System Participants and
all other Prospective Prepaid Payment Instrument Issuers
Dear Sir,
Security and Risk Mitigation measure - Technical Audit of Prepaid Payment Instrument issuers
With the withdrawal of legal tender characteristics of existing ₹ 500/- and ₹ 1000/- Bank Notes (Specified Bank Notes – SBN), the use of alternate modes of payment, specifically e-wallets has gained momentum. The Reserve Bank has also notified special measures for Prepaid Payment Instruments (PPIs) to facilitate adoption of digital payments in a big way. While all efforts should continue to be made by entities for on-boarding new customers and merchants, it needs to be borne in mind that any kind of cyber security incident affecting the digital channels/products, particularly at this juncture, may have significant system-wide ramifications and act as a dampener for the adoption of digital products by public at large.
2. As the rapid escalation in e-payments may put significant pressure on the existing digital infrastructure, it is imperative that the integrity of our digital ecosystem is maintained by ensuring that these systems remain robust and fully secure. Attention is drawn to the extant guidelines requiring authorised entities to submit system audit reports from a CISA/DISA qualified auditor on an annual basis (refer the links https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=6177&fn=9&Mode=0 and https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=6344&fn=9&Mode=0). The scope of the System Audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation, etc.
3. In view of the above, all authorised entities/banks issuing PPIs in the country are advised to:
carry out a special audit by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In) on a priority basis and take immediate steps thereafter to comply with the findings of the audit report. The list of empanelled auditors is available on http://www.cert-in.org.in/PDF/Empanel_org.pdf The audit should cover compliance as per security best practices, specifically the application security lifecycle and patch/vulnerability and change management aspects for the system authorised and adherence to the process flow approved by the Reserve Bank. Banks may also be guided by the circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 on Cyber Security Framework in Banks dated June 02, 2016.
take appropriate measures on mitigating phishing attacks considering that the new customers are likely to be first time users of the digital channels. Safety and security best practices may be disseminated to the customers periodically.
implement additional measures dynamically depending upon the risk perception or threats as they emerge.
4. A confirmation giving the details of action plan, including the name and date of appointment of the auditor may please be conveyed to Department of Payment and Settlement System DPSS, CO at email by December 21, 2016. Also, a senior functionary may be designated to monitor the position on an ongoing basis and report the updates to us periodically (1st compliance within 15 days and subsequent compliance on a monthly basis). Banks may forward the compliance to the respective Senior Supervisory Manager (SSM) and non- bank entities may forward to the respective regional offices of DPSS.
5. The directive is issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007, (Act 51 of 2007).
Yours faithfully,
(Nanda S. Dave)
Chief General Manager
Source:RBI
Thursday, 1 December 2016
volume of transactions
19:33
More Secure Together This Global Shopping Season
Consumers, retailers, payment processors work together to reduce fraud and enhance security in this holiday shopping season
Thanksgiving in the United States has already come and gone, and we’ve dived headlong into the heart of shopping season. And the season doesn’t stop at the end of December; the shopping frenzy will continue – globally – through February 14 of next year. Many forecasts from research and retail organizations (see some links below) predict retail sales will rise around three percent when compared to the previous year, but the biggest gains will be made in online and mobile commerce. According to Adobe Systems, Black Friday online retail sales in the US were up 21.6 percent this year, while sales via mobile devices were up 33 percent.
More than other times of the year, fraud and security are on the minds of both consumers and the entities involved with settling the transactions, including retailers, banks and payment processors. Payment data, such as credit card or debit card numbers, can be stolen in large quantities and monetized quickly and profitably. This is primarily why financial and personal data remain a prime target for hackers. While there are existing security best practices and safeguards to protect consumers from fraud, it takes both the consumers and the settlement entities to work together to successfully reduce payment fraud.
Here are some tips for consumers on how to keep your data safe in the era of cyber shopping. Some additional tips for both in-person and online shopping experiences:
For in-person shopping, use your smart payment cards, also known as chip (EMV) cards; in most of the world they are chip-and-PIN, while many U.S. issuers use chip-and-signature. These cards have been proven to reduce counterfeit-card fraud. Rather than handing the terminal static magnetic-stripe data that can be copied, the chip computes a one-time cryptogram for each transaction at a chip-enabled payment terminal, so data captured from one purchase cannot be replayed to forge another. Chip cards have been available in most of the rest of the world for years and are now (finally!) available in the U.S.
When shopping online, look for reputable payment processing partners like PayPal or Authorize.Net, a TLS certificate from a recognised certificate authority such as Verisign, or accreditation by the Better Business Bureau. Whenever you enter payment information online, there should be a lock symbol by the browser's URL. Note that the lock only means the connection to that site is encrypted, not that the site itself is trustworthy, so check that the domain name is the merchant's as well.
If you are a first-time buyer on an online store and you are not sure whether they have solid security practices, make your purchase as a guest instead of creating an account if there's an option. That way your personal and payment data are not kept on file with a stored account, although the merchant still handles them for that one order.
Another way to assess whether the online store has sound security practices is to see whether it has published security and privacy policies on the website. A reputable online merchant will communicate such policies publicly. It’s a good way to learn more about the company.
Keep good records – always check purchases against credit card or bank statements. Report discrepancies immediately to your bank. If you use credit cards, your liability is limited. In some cases, banks will refund the entire purchase.
As the consumers’ partners-in-anti-crime, the retailers, banks and payment processors are the other side of the coin in fighting fraud. Here are some best practices for IT departments to secure their apps and consumer data against fraud:
- For retailers, when completing a transaction, use payment terminals from reputable vendors that are secure and support end-to-end (or point-to-point) encryption, including Ingenico, Vantiv and Heartland. End-to-end encryption means payment data is encrypted immediately when the card is read or the number is entered, and that the data remains encrypted as it is transmitted to the processing system, so the retailer's own systems never hold cleartext card data. Other acceptable ways to keep cleartext card data out of your systems include masking and tokenization.
- Don’t keep the data in your payment terminals or on mobile devices that accept credit cards via a dongle, or in any of the apps in your data centers if you can help it. Transmit the payment data directly to the bank or global payment processor to settle the charge. But if you have to store personal or payment data in your IT system, make sure that data is encrypted, masked or tokenized, and that the application is segmented from other applications.
- For banks and payment processors that have to keep the payment data for settlement purposes, purge the transactions from the database as soon as you no longer need them. Unless the transactions are recurring for subscription services, get rid of payment data after the normal length of time that banks allow for processing chargebacks (in the U.S., generally 18 months). For storage, always make sure the data is anonymized and that the database is separated from other apps that are vulnerable to malware, like web apps.
- Maintain Payment Card Industry Data Security Standard (PCI DSS) compliance for starters, but keep updated on all security best practices. Perform regular penetration testing against the system. Bring on board reputable security assessors (for PCI DSS, a Qualified Security Assessor) to check out your systems. Don't forget to train your employees to observe security practices, as well as ensure physical offices and stores are designed to discourage insider threats.
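A sketch of the "don't keep the card number; tokenize it" advice in the list above, as an added example rather than Citrix's or any processor's code. It assumes a single in-process token vault with a random 32-byte master key, a constructed Luhn-valid test PAN, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for AES-GCM (use a real AEAD in production; the point is the separation between merchant application and vault, not the cipher).

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every PAN must pass; rejects typos before they reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The one component allowed to hold PANs. Tokens are random, so nothing
    about the PAN can be recovered from a token without access to this vault."""

    def __init__(self, master_key: bytes):
        # Separate sub-keys for confidentiality and integrity.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._store = {}

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode: stand-in for AES-GCM, not a recommendation.
        out = b""
        ctr = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def _seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault record failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(16)   # random; not derived from the PAN
        self._store[token] = self._seal(pan.encode())
        return token

    def detokenize(self, token: str) -> str:
        return self._open(self._store[token]).decode()

    def corrupt_record(self, token: str) -> None:
        """Test hook: flip one ciphertext bit to model tampering or disk corruption."""
        blob = self._store[token]
        self._store[token] = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant application stores: enough for receipts and refunds,
    nothing an attacker could use to make a new charge."""
    return {"token": vault.tokenize(pan), "masked": mask_pan(pan), "last4": pan[-4:]}


def demo() -> dict:
    vault = TokenVault(secrets.token_bytes(32))
    pan = "4111111111111111"        # constructed Luhn-valid test number
    rec_a = merchant_record(vault, pan)
    rec_b = merchant_record(vault, pan)
    roundtrip = vault.detokenize(rec_a["token"])
    vault.corrupt_record(rec_a["token"])
    try:
        vault.detokenize(rec_a["token"])
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "masked": rec_a["masked"],
        "pan_in_merchant_record": pan in str(rec_a),
        "tokens_differ": rec_a["token"] != rec_b["token"],
        "roundtrip_ok": roundtrip == pan,
        "tamper_detected": tamper_detected,
    }
```

Two design points carry over to a real deployment: the token is random rather than a hash of the PAN, so a stolen token table cannot be reversed offline by enumerating the card-number space; and every vault record is integrity-checked before decryption, so a tampered or corrupted record fails closed instead of returning a wrong card number to a refund. In practice the vault runs as a separately segmented service, and only it sits in PCI DSS scope.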
Only together can consumers and settlement entities reduce fraud and enhance security in a meaningful way. Start now and don’t stop fighting the good fight! Happy shopping!
Source:Citrix
Monday, 24 October 2016
security
23:00
Cyber security: making banking safer
Protecting the banks’ crown jewels – money and personal data – may have become more difficult than ever, but financial institutions have fortified their defences with a little help from their fintech friends.
Cybercrime is the greatest existential threat banks face today. According to The Depository Trust & Clearing Corporation’s latest Systemic Risk Barometer Survey, cyber risk remained the number one concern globally among financial service professionals, with 70% of all respondents citing it as a top five risk.
This anxiety is well founded. Verizon’s 2015 Data Breach Investigations Report found that the financial services sector experienced 277 confirmed breaches in 2014, second in number only to the public sector.
An example of a cyber attack uncovered in early 2015, dubbed Carbanak, saw a criminal gang employ an advanced persistent threat-style attack to steal £650m ($980m) from more than 100 financial institutions worldwide over a two-year period. One firm had $10m stolen via its online platform, according to reports.
While money is an obvious enticement, cybercriminals also look to steal valuable customer data held by banks. Simon Hales, chief information security risk officer at HSBC, says: “The current reality is that threats realised through digital channels can also target the information financial institutions hold. It depends on the motivations of those committing cyber attacks, which are increasingly global and diverse. Furthermore, the exposure also extends to the financial institution’s partners and external parties.”
The 2014 attack on JPMorgan Chase illustrates the potential magnitude of a cyber breach: hackers compromised 76 million personal accounts and more than 7 million small business accounts. Public confidence in the security of banks was shaken by this attack, considered to be one of the biggest breaches in history.
As Troels Oerting, group chief information security officer at Barclays and former head of the European Cybercrime Centre, points out: “The bank is all about trust and keeping their customers’ sensitive information safe.” A significant breach may prove costly in terms of stolen money or large regulatory fines, but it can also destroy the client relationship beyond repair.
Systemic importance
Cybercriminals also target financial institutions because of the critical role they play in a functioning economy. Governments and regulatory authorities have become acutely aware of the impact a major threat cybercrime might pose to the resilience of the financial system as a whole.
David Navetta, partner at law firm Norton Rose Fulbright (NRF), says: “Governments have a special interest in ensuring that the financial industry is secure because the global economy depends on the movement of money and open access to capital. This encourages much more cross-jurisdictional co-operation, as well as careful scrutiny of banks and financial institutions’ security practices.”
For example, on November 12, 2015, the US and UK conducted joint offline ‘war games’, dubbed Operation Resilient Shield, with global financial firms. The exercise focused on sharing information, incident response handling and public communication.
The European Parliament and European Council are in final negotiations over the Network and Information Security Directive (NISD) aimed at ensuring critical infrastructure in Europe is adequately protected against cyber attacks. Marcus Evans, a partner at NRF, says: “The real development [in the directive] is the formalised sharing of information between EU member states, as well as in due course with third-party countries such as the US.”
Governments and regulators are also paving the way for increased information sharing within national borders. For example, the US Senate passed the Cybersecurity Information Sharing Act of 2015 on October 27, 2015, encouraging sharing among private entities and between private entities and the federal government.
Bank-to-bank intelligence
While some banks remain reticent about sharing information among peers, Mr Oerting dismisses the idea that security is a competitive differentiator. “Catching crooks is something that we should all be united around,” he says, adding that if Barclays is hacked, then it is likely another bank will face the same attack. “We should share information so that the other bank can increase its security before being attacked,” he adds.
Orion Hindawi, co-founder and chief technology officer at cyber security start-up Tanium, agrees. “We know of hundreds of cases where customers were alerted by their peers which allowed them to fortify their defences,” he says.
“Criminals collaborate, learn from each other, leverage each other’s code and share system access. Yet on the flip side, we shy away and don’t want to talk about it,” adds Greg Day, vice-president and regional chief security officer, Europe, Middle East and Africa, at network and enterprise security company Palo Alto Networks.
In order to address this disjunction, 16 months ago Palo Alto Networks teamed up with Fortinet, Intel Security and Symantec to create the Cyber Threat Alliance. The security vendors participate in a technical collaboration forum to share information in real time. “With hundreds of thousands of customers, we have a huge crowdsourcing ability to see cyber attack trends,” says Mr Day. “We can leverage that data to provide better insight into what will hit our clients next.”
There are myriad industry alliances facilitating intelligence sharing and co-operation between governments, law enforcement and the financial services industry, including in the National Crime Agency’s National Cyber Crime Unit, the Cyber Defence Alliance, the Financial Services Information Sharing and Analysis Centre and the City of London’s Police National Fraud Intelligence Bureau, to name just a few. The next step must be to join up these separate initiatives, argues Don Randall, the Bank of England’s former head of security and chief information security officer.
Mr Randall also believes that suspicions and attempts should be included in the scope of shared information. “The main industry alliances are predominantly focused on actualities. But if a group of hackers unsuccessfully attempted to breach five major banks at the same time yesterday morning with the same methodology, we don’t have that data at the moment,” he says. “We have to get into the position of sharing this information because invariably the attempts will turn into real attacks.”
Raising the complexity bar
A number of developments have combined to boost the difficulty banks face in defending themselves and their customers against cybercrime. Overall, the modernisation and mobilisation of financial services is a fundamental shift that has seen the majority of financial transactions now conducted via cyber means, i.e. mobile phones, tablets, watches, cloud, etc.
Banks are constantly worried about whether their online customers are secure, using outdated software or vulnerable to fraud. As is often bemoaned, the customer is the weakest link. Employees are also more mobile: working from home or a coffee shop, at a conference, satellite office or customer site, all of which bypass the perimeter or network-based security that a bank has already invested in.
Laurance Dine, managing principal for the Verizon Investigative Response Unit, highlights how end-user behaviour is changing due to the ‘Internet of Things’ (IoT). “The new generation wants to have access to everything, so trying to secure every single device is a difficult task,” he says. “Ongoing employee training and security awareness programmes are critical to maintain within every business.”
In addition, the financial industry has seen a lot of merger and acquisition (M&A) activity and global expansion. “Most banks face great difficulty in tying together different infrastructures, databases and computer assets across multiple jurisdictions,” says Ben Johnson, chief security strategist at next-generation end-point security company Bit9 + Carbon Black. “Trying to defend their digital landscape in a cohesive, all-inclusive way is a huge challenge for them.”
Differentiating the motives and actors behind cyber attacks can help determine the proper level of response, resilience and budget. These range from organised crime syndicates, state-sponsored groups and militaries, and hacktivists trying to make a point, to insiders attempting to steal information for personal gain. “If the intention is to steal through organised crime or nation-state espionage, then the sophistication level will most likely be higher,” says Mr Randall. “But if the objective is to take down, disable or irritate, then simple old-fashioned methodologies can do the job.”
These categories are showing signs of blurring. “Some use hacktivism as a façade for a nation state attack. We also see co-operation between nation-states and organised crime,” says James Chappell, chief technology officer and co-founder at Digital Shadows, a UK-based cyber intelligence start-up. “Attributions are more difficult now because it is not easy to unpick who the culprits are. Luckily forensics is also developing at pace to help with that.”
Growing sophistication
Most experts report greater sophistication in cyber attacks. For example, cybercriminals are hitting banks with advanced distributed denial-of-service (DDoS) attacks, threatening to shut down their websites unless they pay a ransom. On November 30, the Financial Times reported that a group of hackers targeted three Greek banks and demanded 20,000 Bitcoin ($8.1m) from each institution.
DDoS attacks are also being used as smokescreens for other crimes. “As a bank automatically reacts against this very loud attack, criminals might be doing something around the back,” says Mr Oerting. “We need to have adaptive and flexible defences, so we aren’t just looking at where we hear noise but also our back doors.”
Mr Navetta recounts a client experiencing a cyber fraud in which an email referencing a secret M&A deal was sent to a person in accounting, purportedly from the CEO. The email convinced the accountant to wire millions of dollars to a Hong Kong bank, which NRF has been trying to recover for its client. Mr Chappell, meanwhile, reports instances of hackers proactively seeking out digital developers to obtain pre-release versions of a bank’s website code.
Adam Ely, co-founder of San Francisco-based start-up Bluebox Security, has witnessed a rapid growth in malware targeting banks’ mobile apps. “We are at a tipping point where the banks are starting to invest more heavily in mobile technology and related security because the hackers are following them into this space,” he says.
In addition, cybercriminals are continually refining their tools. Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, says that the new bots being developed today are smaller and more targeted. “We are seeing a rise in Trojan downloaders, which drop other malware. One example is the Shylock banking Trojan, which primarily targeted UK financials. We have to adjust our strategy both legally and technically to adapt to the different things they are doing,” he says.
A losing battle?
In many ways banks appear to be fighting a losing battle, particularly when it comes to organised crime or state-sponsored adversaries. As Mr Dine says: “We are facing ‘hackers for hire’: people that are paid to hack all day specifically targeting financial institutions.”
“An underground economy has cropped up – crime as a service is a reality,” adds Mr Chappell. He reports that the more advanced techniques, which usually begin in the realm of the nation state, are now appearing in exploit kits and software that can be bought online.
Launching attacks has become much easier, adds Alex van Someren, managing partner of early-stage funds at Amadeus Capital Partners. “The tools for directing various forms of attacks against organisations are becoming increasingly automated, so it is easier for people who do not know much about hacking to nevertheless be successful in building attacks against enterprises,” he says.
But while attackers are stepping up their game, the industry is responding with new and innovative defences, Mr Chappell emphasises. “Together as an industry we have become much better at sharing information on attackers and how these crimes are carried out. The types of tools and services available to defend us are also progressing – there is great innovation in this space. We are part of an ecosystem of security companies that are helping banks with these problems,” he says.
Cyber security start-ups
As an investor that focuses on cyber security start-ups, Mr van Someren believes that this space presents impressive growth opportunities. In January 2015 he founded a start-up accelerator, Cyber London, to foster a more robust cyber security ecosystem in the UK. The programme helps start-ups grow their businesses faster by connecting them with customers that might help trial their products.
He is convinced that working with start-ups is the way forward for banks. “If a bank builds something in house, only they pay for it and only they get the benefit. If a start-up builds a solution externally, other banks help pay for it and it benefits the industry more generally,” he says.
Like many other banks, HSBC has an innovation investment programme that looks for organisations with innovative technology that it can help fund as well as internalise. “This engagement helps to evolve our capabilities to thwart our adversaries,” says Mr Hales. “It informs us what is possible and allows us to test out new ideas.”
At Barclays, Mr Oerting has a particular interest in start-ups exploring blockchain use cases and intelligent authentication technology. “We need to be engaged in order to build in security that is convenient and trustworthy. This will be a differentiator in the future,” he says.
Diverse solutions
Threat intelligence and next-generation data loss prevention products are areas that Mr van Someren sees attracting interest. Amadeus Capital currently invests in Exonar, a firm that identifies and controls sensitive information flows.
A few examples of the diversity of cyber security start-ups include Tanium and Bit9 + Carbon Black, whose solutions target end-points, for example, ATMs, point-of-sale terminals, servers, desktops, laptops and cloud. According to Mr Hindawi, banks can roll out Tanium’s software for monitoring and changing end-point activity. Deployed on just one server, it can scale to millions of end-points.
Mr Johnson likens Bit9 + Carbon Black’s software to a surveillance camera. “A client can install the software on each computer in the environment and it monitors end-point activity. The client can detect suspicious behaviour, respond faster to that behaviour and remediate it,” he says.
Digital Shadows, on the other hand, provides a complete view of a customer’s digital footprint, identifying defence weaknesses and data loss. It also tracks attackers by looking at their tactics, techniques and procedures. By monitoring malware, how it is being used, the relative prevalence of different malware types and criminal techniques, clients can better align their defences to defend from those attacks, explains Mr Chappell.
And Bluebox Security focuses on securing mobile apps. The technology allows organisations to produce self-defending applications, according to Mr Ely. “If another app tries to modify the Bluebox-secured banking app, the latter can defend itself. It can respond by either shutting down and notifying the user of the problem, or preventing the attack to keep malware at bay,” he explains.
Much more than IT
In order to combat cyber threats and engage with innovative security technology, over the past two years many banks have elevated the chief information security officer to a more strategic role.
The financial sector has the highest percentage (88%) of chief information security officers, followed closely by IT/telecom (86%), according to the Governance of Cybersecurity: 2015 Report by Georgia Tech Information Security Centre. In addition, the sector increased the percentage of chief information security officers/chief security officers reporting to the CEO/chief operating officer.
“The chief information security officer role has been elevated to a truly C-level position in banks,” says Mr Hindawi. “They are being moved out of IT and placed either under the chief operating officer or report directly to the board. Even if they don’t have direct access to the board, they are often invited to give a cyber update and educate on the new existential risk.”
The chief information security officer’s remit should include policy and standards, education and awareness, intelligence and investigations, and forensics, providing the bank with a threat landscape, according to Mr Randall. He also recommends including a geopolitical analyst in the cyber team, a suggestion that may have raised eyebrows a few years ago but is more accepted today.
Barclays, for one, has adopted this management structure. Mr Oerting, who took up the chief information security officer role at Barclays in February 2015, reports directly to Michael Harte, Barclays’ chief operations and technology officer.
He drafted the bank’s first security strategy focused solely on cyber rather than on overall technology. It includes four key priorities: protect the ‘data estate’, regardless of whether the data is on premise or in the cloud; enable the bank to go to market in a fast but safe manner; innovate, including partnerships with accelerators and start-ups; and educate.
“Education is aimed at the whole staff, regardless of whether they work in communication, IT, a branch or HR – every employee must know that security is in our DNA,” says Mr Oerting. “I believe that culture eats strategy for breakfast. Any management can send out new strategies but if it is not in the culture of an organisation, then employees won’t implement them.”
Barclays has three cyber centres: a security operations centre; a solutions and innovation centre, with an internal ‘white hat’ hacking team; and a security control centre, which includes third-party vendors that report to Mr Oerting. “We now have a global security system that applies to the whole bank,” he says.
HSBC has taken a different approach and drives information security risk management through the chief information security officer, who reports to the chief information officer, and a chief information security risk officer, who reports to the chief risk officer. This decision was taken following the application of an Operational Risk Management Three Lines of Defence framework.
As chief information security risk officer, Mr Hales is responsible for setting policy and strategy, and aligning both to an organisation’s risk appetite around information security incidents. He also ensures that the businesses receive independent advice and guidance regarding operational risks. The chief information security officer, on the other hand, is responsible for day-to-day operational controls and development of technical controls.
Mr Hales continually challenges existing controls, not only to see if they are working effectively, but also to ascertain if they are fit for purpose. “We research current threats, not just the ones that impact us directly but those that are materialising in other business areas that may impact us,” he says. “This includes geopolitical concerns and other non-technical areas where threats materialise.”
The interplay between the lines of defence provides HSBC with greater assurance that it is getting security right. Mr Hales says: “The design, supported by audit as the third line of defence, ensures we are better positioned to manage the risk holistically, and provides management and regulators with a greater level of assurance.”
Source: The Banker.com
security
08:26
Debit card data theft: Who broke into your bank account?
With cyber criminals becoming savvier by the day, learning how to safeguard yourself is imperative
The data breach that has led to an estimated 3.2 million debit cards getting compromised is only a small manifestation of a larger malaise called cyber crime. The breach occurred due to an introduction of malware in the network of a third-party payment processor.
Living in a digital world, we need to be aware of different types of cyber frauds and take steps to safeguard our financial well-being.
Password theft: Today, people have apps on their mobiles for almost everything - buying vegetables or furniture, booking a taxi, stock trading or anything else. Given the large number of apps, many people keep the same password and e-mail ID for convenience - a wrong move. "The level of security at all online websites is not uniformly good. While Google's site will be difficult to hack into, an online retail start-up may not have the same level of security. Stealing of passwords usually happens from websites that have a lower level of security," says Shomiron Das Gupta of NetMonastery, a threat management provider.
Most people use the same password at numerous websites. After hacking one weakly protected site, the hacker will have your user name, password and, in most cases, your e-mail ID. He will then log in to the other websites and misuse them. He could even send out mails from your e-mail account and receive new passwords for other sites, thus locking you out.
Saturday, 22 October 2016
yes bank
18:32
ATM compromise: Yes Bank says vendors need to do more
In the wake of a system-wide security scare triggered by a malware attack on the systems of its vendor Hitachi Payment Systems, Yes Bank today sought to distance itself from the breach and stressed the need to police service providers more effectively.
"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," its managing director and chief executive Rana Kapoor told reporters here.
According to media reports, the systems of Hitachi Payment Systems, which counts Yes Bank among its major customers, are suspected to have been breached.
Asserting that there have been no breaches at the bank itself, Kapoor said there is a need for vigilance over outsourced functions because a bank does not do every function in-house.
Kapoor also exuded confidence in the security architecture of the National Payments Corporation of India (NPCI), calling it the finest in the world.
Following the discovery of the breach, he said the bank has initiated some cautionary measures to ensure that its customers do not get affected.
A bank spokesperson said after the suspected breach came to light for the first time, it had advised all its customers to change their secret personal identification numbers (PINs).
Also, to ensure that they indeed change the PINs and minimise the risk, it capped withdrawal at Rs 5,000 per transaction till the PIN gets changed.
According to reports, over 32 lakh cards are at risk following the suspected security breach, and banks have taken a slew of actions to thwart any untoward possibilities, either by replacing the cards or by asking customers to change their PINs.
Source: Economic Times