What threats are there to the modern online banking systems, what can be done to counter them, how to work with digital signatures when browsers refuse to support Java and how to protect an ordinary user Maria Ivanovna from her own negligence?
These and other issues became the focus of interest of the participants of the“CS Security Day 2015” conference which was held on December, 10, 2015 in Kyiv, in the conference hall of the Opera Hotel. More than one hundred representatives of the Ukrainian banks and companies took part in the event.
The conference was opened by CEO at CyS Centrum LLC Nikolay Koval who made a report on web application attacks and demonstrated the software used by cybercriminals to steal money from accounts.
How we can protect customers from web injections and other threats told Vladimir Fischuk, analyst of the department of online banking systems in his “Overview of the security solutions by CS Ltd”. In his presentation he spoke about a combined approach including basic (customer identification by username and password) and additional security levels.
The additional level includes one-time passwords for payment confirmation (they can be sent via sms, generated by otp or soft tokens), protected carriers of digital signature key files and their operation in active cryptography mode, setting limits for accounts and operations, early notification of the customer about the actions performed under their profile and installing iFOBS.FraudDetection system for fraud control at the bank level. The last mentioned system is specifically intended for protecting users “from themselves” as it helps to detect suspicious actions in online banking – new IP address, unusual time for making payments, transfer from an enterprise account to a private person’s card and other – and to prevent a fraudster from using stolen keys and passwords.
The topic was followed by Alexei Krasyk, representative of the Ukrainian Interbank Payment System Association “EMA” with his report on “Exchange-Online 3.0 DBO – interbank system of incident management”. During his speech he invited representatives of the Ukrainian banks to cooperation and exchange of information on cases of fraud.
After socializing at the coffee break the participants came back to the hall and listened to the report on “Bank service and customer protection based on the IBM Security solutions” made by Andrey Kuzmenko, representative of IBM Ukraine. Andrey presented IBM product line designed for security protection at the customer and at the bank levels.
The audience expressed much interest in the collective presentation made by the representatives of CS Ltd and of the Institute of Information Technology on using DS keys of the accredited key certification centers for operations in online banking systems. Sergey Sinayuk, CEO of IIT, told about experience of developing the AKCC and its integration to the infrastructure of public keys of Ukraine. Alexandr Okhrimovich, head of the department of CS Ltd online banking systems, presented options of work with “tax office keys” in desktop and web applications of the iFOBS system.
The conference organizers left as a special treat the topic which is now an issue of concern of all the bank security specialists – how to organize work with digital signature keys and certificates in the age of internet browsers refusal to support Java applets?
In the presentation titled “Life after Java” Alexandr Pogulyaka, security analyst of CS Ltd online banking systems, offered an alternative solution for the problem with applets – signing payments with digital signature on mobile devices using the iSign application.
iSign ensures secure storage of the private key and applying digital signature to payment documents with an opportunity to control key parameters of every payment (account, amount, currency, etc.). Moreover ordinary users of online banking won’t have any difficulties with installation and activation of this mobile application.
At the end the conference participants has an opportunity to communicate with each other in informal setting and discuss the offers they heard.
CS Ltd thanks all for participation in “CS Security Day 2015” and invites to our events in 2016.
You can view the photos of the event here.
