How to Steal a Million? CS Security Day 2014

18 Dec 2014


A record-breaking number of participants, really heated discussions, stealing a million during the coffee break, and security as viewed by a real client.
What else was remarkable about “CS Security Day 2014”? The details are below.

 
On December 11th, CS Ltd hosted “CS Security Day 2014” in Kyiv, a specialized conference for representatives of the banking sector. Successfully launched last year on the symbolic date 11/12/13, the conference on security systems for online and mobile banking attracted more than a hundred representatives of Ukrainian banks this year.


The first part of the conference was devoted to the topic "Current security threats and experience in preventing them".
 
Alexei Krasyk, a representative of the Ukrainian Interbank Payment System Association “EMA”, spoke about trends in bank fraud in Ukraine in 2014 and, in particular, revealed several schemes used by fraudsters to steal money from customers' accounts. As the diagrams show, several Ukrainian banks were attacked by fraudsters at once, and the criminal plot was exposed only thanks to good communication between banks. The speaker, in fact, called on all conference attendees to cooperate and exchange data.


However, Ukrainian banks were not the only ones to suffer from serious cybercriminal attacks this year. Pavel Lavrik, a representative of the SSU Department of counterintelligence and protection of interests of the state in the information security field, spoke about hacker attacks on government websites and news portals and about attempts to circulate disinformation. Although 2014 turned out to be incredibly difficult for our security officials, they managed to solve a lot of crimes, including shutting down an international hacker group that had been selling smoke on the internet for 6 years.


To guard against theft through your mobile phone, you should take care to protect the payment applications installed on it. Alexander Pogulyaka, head of the CS Ltd iOS-application department, spoke about that in his presentation “iFOBS.Mobile - the European level of comfort and safety”. After visiting the major international conference “Cartes 2014”, held in Paris this November, Alexander concluded that the mobile banking developed by CS Ltd complies with international standards. Everything recognized today as the best protection for electronic and mobile banking applications in the world (e.g. the smartcards and USB tokens familiar to us, OTP devices for one-time password generation, EMV cards and the trivial SMS confirmation) has already been used successfully in iFOBS online banking and the iFOBS.Mobile mobile applications for a long while.


Given the current market situation and forced budget savings, Alexander Pogulyaka proposed that banks use a software OTP token (aka SofToken) as a highly effective tool for confirming payments in mobile banking. This solution is more reliable than SMS codes because one-time passwords are not transferred to the client via external channels, and, unlike hardware OTP tokens, it requires no additional devices. Customers use their mobile devices, which are always at hand.

The conference partners spoke about other hardware and software security solutions for online banking: David Hosiashvili, regional director of NGT Group, GEMALTO; Artem Gaidai, sales director of Protectimus Company; and Eugene Nechitailo, sales manager of Hewlett-Packard Company.


During the break between the first and second parts of the conference, participants were invited ... to steal a million! They tried to play the fraudster and swipe money from company accounts. For this, the conference organizers had arranged a stand with the workplace of Maria Ivanovna, a typical accountant. During the half-hour lunch break a cheater had to steal one million hryvnias from the company accounts through iFOBS online banking.


Of course, logging in was not a big deal for the newly qualified fraudsters: Maria Ivanovna, as a typical user, had left the flash drive with the secret key sticking out of the laptop, and the password was written down on a piece of paper hidden under the keyboard. A more complicated task was to withdraw the money in a lump sum, because limits were set in the system as a precaution. So the "cheaters" had to play a trick and split the sum into several smaller payments. Once all the payments had been sent to the bank, the satisfied thieves were able to join the other conference participants and have a cup of coffee.


The outcome of the game awaited everyone in the second part of the conference, "Practical issues of fraud control and prevention". CS Ltd experts Nadezhda Akimenko and Alexander Okhrymovych gave the audience a live demonstration of the effectiveness of iFOBS.FraudDetection, the fraud prevention system.
 
As it turned out, while the "cheater" tried to rob poor Maria Ivanovna, iFOBS.FraudDetection caught every fraudulent payment, down to the smallest amount of 1 hryvnia.
 
Several control rules fired at once: non-standard transaction time (lunch break), control of new correspondents (the company had never made payments to the entered details), control of card transfers (Maria Ivanovna, as a user of a corporate client, has no need to transfer money to the card of a private person) and, finally, the total level of criticality (several rules fired, none of which is considered critical when taken separately).
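The rule combination described above can be sketched as a small scoring engine. This is an added illustration, not CS Ltd's code or the iFOBS.FraudDetection implementation; the rule weights, the alert threshold, the lunch-break window and all beneficiary names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed customer profile and tuning values (assumptions, not product settings).
KNOWN_BENEFICIARIES = {"UA-SUPPLIER-001", "UA-TAX-OFFICE"}
LUNCH_BREAK = (time(13, 0), time(14, 0))  # window in which this user normally sends nothing
ALERT_THRESHOLD = 3                       # total criticality that marks a payment suspicious

@dataclass
class Payment:
    submitted: datetime
    beneficiary: str
    to_private_card: bool
    amount_uah: float

# (name, weight, predicate). No single weight reaches the threshold, and no rule
# looks at the amount, so splitting a sum into small payments changes nothing.
RULES = [
    ("non_standard_time", 1,
     lambda p: LUNCH_BREAK[0] <= p.submitted.time() < LUNCH_BREAK[1]),
    ("new_correspondent", 1, lambda p: p.beneficiary not in KNOWN_BENEFICIARIES),
    ("card_transfer_by_corporate_user", 1, lambda p: p.to_private_card),
]

def score(payment):
    """Return (total criticality, names of fired rules, suspicious flag)."""
    fired = [(name, weight) for name, weight, pred in RULES if pred(payment)]
    total = sum(weight for _, weight in fired)
    return total, [name for name, _ in fired], total >= ALERT_THRESHOLD

# Constructed sample: two split "theft" payments and two ordinary ones.
SAMPLE = [
    Payment(datetime(2014, 12, 11, 13, 5), "CARD-PRIVATE-XXXX", True, 250000.0),
    Payment(datetime(2014, 12, 11, 13, 7), "CARD-PRIVATE-XXXX", True, 1.0),
    Payment(datetime(2014, 12, 11, 13, 20), "UA-SUPPLIER-001", False, 40000.0),
    Payment(datetime(2014, 12, 11, 10, 15), "UA-NEW-VENDOR", False, 9000.0),
]

if __name__ == "__main__":
    for p in SAMPLE:
        total, fired, suspicious = score(p)
        print(f"{p.amount_uah:>10.2f} UAH  score={total}  suspicious={suspicious}  {fired}")
```

The two ordinary payments each fire a single rule and stay below the threshold, while the 1-hryvnia card transfer scores the same as the 250,000-hryvnia one.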


All the payments made by the "fraudster" were labeled as suspicious, and had the situation happened in real life, the bank would have managed to identify and stop the theft of a million.

The “How to Steal a Million?” game was not the only punch line of the conference.

Representatives of the banking IT-security sector listened very carefully to the ... client. Yes, to the usual customer of the bank, whose safety they care about and for whom they keep searching for new and innovative solutions. However, Valery Indyk cannot be called "a typical online banking user". He is the director of a large enterprise and uses the services of ten different banks around the world. Valery shared his experience of using various online banking systems and highlighted that he prefers systems in which user-level security is simplified as much as possible. In other words, as a user, he does not want to enter more data than a login and password, and the bank should take care of the rest.



In that context, solutions such as iFOBS.FraudDetection are certainly the compromise between convenience and security that has been sought for many years, not only in our country but worldwide.

Summarizing “CS Security Day 2014”, we can say that the conference focused on very urgent, vital issues; the heated discussions, spontaneous speeches from the floor and fierce disputes only prove that. The organizers managed to draw different parties into conversation, but the real dialogue is still ahead.

So, see you at “CS Security Day 2015”!

You can view the conference photos here.

 
