BANKING ON SECURITY

have operators to run the 3,000 card readers in hospitals, but sometimes they are short-staffed. Their presence is vital for productivity. The doctors’ ID card contains information about their vaccinations to ensure that they aren’t a health risk to patients. Before the cards came in, junior doctors often needed blood and immunisation tests when they moved between roles and hospitals. It costs up to £500 a time to retest them, in addition to lost hours in the wards while they waited for the results. Now their ID card contains their hepatitis B and C vaccination status. But it also has their name, GMT registration details, and contract details. Some doctors kicked up a fuss when the card was introduced, saying that it breached their human rights. But the rebellion died when it was pointed out that patients also had the right not to be put at risk by doctors.

Maintenance of cards

Oldcorn says that the doctors lose their cards frequently, which causes a few headaches. “The amount of times we’ve had to reissue cards is staggering. It is also hard to ensure the doctors carry them and keep them up to date.” She says static data is much easier to handle; renewing causes problems. In time, the NHS will also move to a system that makes use of the planned central national identity register. “Keeping data up to date would be easier” after integration with the centralised database, she says. But combining the national ID card with healthcare information is “scary stuff. Putting biometrics on a card will be intensive enough without adding more data,” she says.

Unknown territory

Despite widespread criticism and resistance to its proposals, the UK government is not backing down. But critics warn that even if the Bill is passed, the project could still fail because of its size and complexity. The British Computer Society says: “No scheme on this scale has been undertaken anywhere in the world and the technology envisioned is to a large extent untested and unreliable on such a scale.”

Stung, the government recently asked the IT industry for advice. The ID card team published a ‘market sounding questionnaire’ that asks for advice on data centre services, identity record creation, verification, card services, secure user access, biometric recording and matching. While Microsoft’s Fishenden reckons a centralized database is too risky, Cranfield’s Collins reckons the technology isn’t ready at this scale of implementation, potentially 68 million people. Royal Mail’s Lacey disagrees. “The best way to predict the future is to invent it,” he says. But the future being created under the ID card programme is one with heightened government and corporate surveillance of citizens. This is a big worry of the UK’s Information Commissioner, who has reported concerns that the current ID card proposal could compromise privacy. The ID card programme could take infosecurity to a new level, further than Britons have ever gone before. Where it ends up remains to be seen. But one thing is sure — it will cost the British — in more ways than one.

Security threats facing investment banks

Matthew Stibbe

“Because that’s where the money is”. This, claimed the notorious Willy Sutton, was why he robbed banks. The attraction is undiminished 70 years later, even though money is less and less cold, hard cash, and more and more a collection of digital ones and zeroes. Hacking and information theft are replacing tommyguns and dynamite. Last year’s much-publicized attempt to use keyloggers to steal millions from Sumitomo Bank in London shows that the threat is very real.

Mundane attacks

On a business level, investment banks face the same threats as any other organization. “A lot of my time goes into…managing vulnerabilities in vendor software, patch management, anti-virus etc.,” says the head of IT security at a major bank, speaking on condition of anonymity.

Computer Fraud & Security

However, these apparently mundane attacks carry the risk of a much more serious intrusion. A virus or Trojan could install a keylogger; a port probe could be a random scanner, or the start of a denial of service attack or an intrusion attempt.

IT secrecy

Bankers worry about protecting their reputation and are wary of disclosing sensitive information inadvertently. But investment bankers are obsessed with secrecy. It is a world utterly dependent on IT, in which time-sensitive market information is quickly converted to profit. Banks trade on their reputations, and any failure that undermines their customers’ confidence in them could have catastrophic consequences for their businesses.

Connected - too many drawbridges

Investment banks are probably the most connected organizations on the planet. They each have hundreds, even thousands, of virtual private networks (VPNs), leased lines and circuits that connect them to stock exchanges, customer networks, suppliers, market data vendors like Reuters and Bloomberg, and to their own clients such as hedge and pension funds.

February 2006

“It’s an immense challenge (to manage all the different networks),” says Frédéric Ponzo, managing director of NET2S Group. “It’s like a big plate of spaghetti.” Just maintaining firewalls and intrusion detection systems is a huge task. However, the perimeter is not as clearly defined as it was, thanks to increasingly complex relationships with third parties. For example, some suppliers want to install their own hardware on bank premises. “We keep getting cases where third parties want to get rights on the system to control their own boxes,” says one City IT executive, speaking on condition of anonymity. Not only is this a demarcation challenge, but he fears that one compromised machine might provide a stepping stone to others inside the firewall. In addition, internet-based connectivity is driving out dedicated leased lines. “We’re seeing this more and more as specialist services get outsourced,” he adds. Many banks’ IT environment now resembles a castle with too many drawbridges and sally ports. The challenge is to evolve security models to allow these changes while maintaining strong external defences.

Inside the moat

The situation isn’t much better in the citadel. Graeme Cox, managing director of DNS, a specialist in IT solutions for the banking industry, sees more spent on traffic analysis, compartmentalization and internal firewalls to boost security inside the perimeter. The attack on Sumitomo Bank shows another kind of internal risk, that of uncontrolled physical access. “It’s by no means a new threat,” reckons one industry insider. The devices involved have been around for several years, but the incident highlights the need for careful screening of staff and suppliers and for access control. The human element is evident elsewhere too. Banks traditionally have “Chinese walls” to block communications between certain activities, for example between corporate finance and trading departments. “We can put in technical barriers, but in practice you can still go and have a coffee with someone on the other side of the Chinese wall,” says Andrew Yeomans, vice-president of global information security at Dresdner Kleinwort Wasserstein. Ultimately, he adds, good security is also about “teaching people what to do”.

Access controls and audit trails

NET2S’s Ponzo says interest in identity management has surged in the past 18 months. “The holy grail is having a single system where you list all users and all systems and all privileges,” he says. It’s all about refining access control. In the past, controlling access to the network sufficed. Now banks are looking at using centralized identity management systems to control access to applications. Next they may begin to monitor and control access to individual records inside databases.



Compliance makes it easier for them to win



budget

Although rare at the moment—one vendor reckons one in 100 banks do it—record-level access may become more important as other security loopholes are closed. Pretty much every database system can log access at various levels, says Will Edward, a vice-president at Embarcadero, but banks don’t use it because it hurts performance. His company sells a tool that monitors SQL statements as they travel across the network; this achieves the same result without slowing the database. The Sumitomo case showed how insider access can subvert electronic defences. When they have legitimate access to the information, it’s hard to stop employees plugging an iPod into a USB port and siphoning off 60GB of data. As a result, banks are publicizing increased use of audit trails to deter would-be information thieves. “If we can see that someone has taken a backup of the client database a week before they leave, then we can say to them ‘We know what you’ve got’,” says Dresdner’s Yeomans. Cost and practicality force banks (and other businesses) to trade off deterrence, prevention and consequence management. Yeomans recognizes that you can’t prevent every possible abuse. “If we can do something technically, we’ll do it,” he says. “It’s worth putting up small hurdles in some cases but more often it’s either a big hurdle or consequence management.”
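The two ideas above, record-level access logging (whether from the database itself or from a monitor watching SQL statements on the wire) and an audit trail that makes a pre-departure copy of the client database visible, can be put together in a few dozen lines. The following is an added example written for this page; it is not the article’s code, nor Embarcadero’s or any bank’s tool. The audit record format, the table names, users, hosts, dates, row threshold and seven-day leaver window are all assumptions constructed for the example.

```python
"""Added example (not from the article or from any vendor named in it):
a small audit-trail analyser for database access records.

It parses constructed audit records of the kind a network SQL monitor or a
database access log would produce, flags bulk, unfiltered reads of sensitive
tables, and correlates them with a constructed HR leaver list so that a copy
of the client database taken shortly before someone leaves stands out.
Table names, users, hosts, dates, thresholds and the record format are all
assumptions made for this example.
"""
import re
from datetime import date, timedelta

# Constructed audit records: timestamp | user | client host | SQL | rows returned
AUDIT_LOG = """\
2006-02-01T09:12:03 | asmith | 10.1.4.22 | SELECT name, balance FROM clients WHERE id = 4412 | 1
2006-02-03T18:47:10 | jdoe | 10.1.4.37 | SELECT * FROM clients | 58213
2006-02-03T18:49:55 | jdoe | 10.1.4.37 | SELECT * FROM client_contacts | 120440
2006-02-04T10:02:41 | backup | 10.1.9.5 | SELECT * FROM clients | 58213
2006-02-06T11:15:00 | asmith | 10.1.4.22 | SELECT count(*) FROM trades WHERE book = 'FX' | 1
"""

# Constructed HR data (assumption): announced last working day per user.
LEAVERS = {"jdoe": date(2006, 2, 9)}

SENSITIVE_TABLES = {"clients", "client_contacts"}  # assumption
BULK_ROW_THRESHOLD = 10_000                        # assumption
SERVICE_ACCOUNTS = {"backup"}                      # the scheduled backup job; assumption
LEAVER_WINDOW = timedelta(days=7)                  # assumption

TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_audit_log(text):
    """Parse pipe-separated audit records into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        ts, user, host, sql, rows = parts
        records.append({
            "when": date.fromisoformat(ts[:10]),
            "user": user,
            "host": host,
            "sql": sql,
            "rows": int(rows),
            "tables": {t.lower() for t in TABLE_RE.findall(sql)},
        })
    return records


def is_bulk_read(rec):
    """A bulk read: many rows, no WHERE clause, touching a sensitive table."""
    unfiltered = " where " not in f" {rec['sql'].lower()} "
    return (rec["rows"] >= BULK_ROW_THRESHOLD
            and unfiltered
            and bool(rec["tables"] & SENSITIVE_TABLES))


def days_before_departure(rec, leavers):
    """Days between the read and the user's last day, or None if the user is
    not a leaver or the read falls outside LEAVER_WINDOW."""
    last_day = leavers.get(rec["user"])
    if last_day is None:
        return None
    gap = (last_day - rec["when"]).days
    return gap if 0 <= gap <= LEAVER_WINDOW.days else None


def find_suspicious_reads(records, leavers=LEAVERS):
    """Return (user, tables, rows, reason) for each bulk read by a human
    account, marking those that fall within the leaver window."""
    findings = []
    for rec in records:
        if rec["user"] in SERVICE_ACCOUNTS or not is_bulk_read(rec):
            continue
        gap = days_before_departure(rec, leavers)
        reason = ("bulk read of sensitive table" if gap is None
                  else f"bulk read {gap} days before departure")
        findings.append((rec["user"], sorted(rec["tables"]), rec["rows"], reason))
    return findings


if __name__ == "__main__":
    for user, tables, rows, reason in find_suspicious_reads(parse_audit_log(AUDIT_LOG)):
        print(f"{user}: {', '.join(tables)} ({rows} rows): {reason}")
```

The analyser deliberately works from row counts and the absence of a WHERE clause rather than from any single statement, because a legitimate user reading one client record and a user copying the whole table issue the same kind of SELECT; it is the volume and the timing against the leaver list that turn a logged statement into the evidence Yeomans describes. Known service accounts are excluded so the nightly backup does not drown the alert.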

Screaming traders

One big difference between investment banks and other businesses (except perhaps show business and sport) is the power and ego of star individuals. Traders who make lots of money for banks can be ferocious in their demands. “If a head trader starts screaming that he wants something now, they tend to say okay,” says Phil Gould, UK country manager at Deny All, a company that sells application-level firewalls. “Security teams aren’t allowed to get in the way.” In a world where a tiny edge in performance can yield millions of pounds in profit, traders demand, and get, the best kit. For example, it is not uncommon for traders to have gigabit, server-grade network connections rather than the usual 100Mb/s Cat5 cabling. Individuals might have expensive dedicated phone systems, six screens and a rack of computers to themselves.

Early adopters of technology

As communication is so vital to the job, traders are early adopters of technology. The 1980s cliché of a city trader yelling into a brick of a mobile phone is based on fact. Today, “videos, instant messaging, blogs—you name it, we’ve got it somewhere,” says a security manager in one bank. Besides, traders like owning the bragging rights to the latest cool tool. Instant messaging is a good example. They started using it because the latest cellphones offered it, and discovered that IM is an effective medium. At first banks tried blocking IM with firewalls; they are now using more secure IM systems such as Reuters Messaging or Microsoft Live Communication Server. Neil Laver, a marketing manager at Microsoft, says, “Pretty well anyone who is anyone in the City is either running a pilot or has already purchased software from us.”

Critical infrastructure

Banks face risks such as fraud, insider trading, information theft and breach of regulations that are essentially part of their business. But they are also part of the country’s critical infrastructure. Confidence in the resilience of the banking system is essential to any nation’s economy. This was tested in an industry-wide disaster recovery exercise in the City of London at the end of last year. Organized by the government, the Bank of England and the Financial Services Authority, it involved around 80 organizations and over 1,000 people in a realistic simulation of a major incident. Despite some recommendations on specific areas, an initial report asserts: “Many firms operate world-class IT continuity solutions which, overall, provide a high degree of confidence that technology could be restored quickly in the event of disruption.” It seems Britain’s core financial infrastructure could be up and running within two hours, handling 60-80% of normal volumes within four hours, and pretty much back to normal within a day. But regulations, Sarbanes-Oxley for example, are driving security standards higher. Non-compliance has a monetary cost that is more credible than a probable risk. “Secretly, a lot of IT security managers are quite pleased with these requirements,” says Graeme Cox, because compliance makes it easier for them to win the budget debate. Actual performance varies across the industry, say insiders. The big banks are generally very aware and very good. Some of the start-up hedge funds and asset managers are less aware, and do no more than the bare minimum. Experts talk of 10 guys in a garage, with one IT geek doing all the technical support and security, yet the business can be trading millions every day, mostly on margin (i.e. borrowed money). It’s a small segment of the industry, but it’s a scary prospect.

Relentless pace of Internet trade in stolen credit card details continues

Challenge

Philip Hunter

“Follow me, and I’ll turn you into phishers of men” (Cyber Satan)

Crime can never be defeated, only managed, and this can mean merely diverting it from one channel to another for a variety of reasons, including the convenience of insurers or those who have to cover the losses. Cynics might suggest that the migration to chip-and-PIN credit cards ultimately achieves no more than offloading liability for fraudulent transactions from cardholders to merchants, by shifting them onto cardholder not present (CNP) sales. And a fast growing number of such sales take place over the Internet. Whatever the case, the fall in cardholder present fraud resulting from chip-and-PIN has been accompanied by accelerated growth in Internet fraud, which is the next big challenge for the payment industry.

Eastern Europe and Russia

A large proportion of such fraud involves organized gangs in Eastern Europe and Russia, making it difficult to investigate given that many of the victims live in different countries from the scene of the crime. Most of the gangs busted to date have operated in the US, accessible to specialised and well-funded teams set up to combat what is now widely recognised there as a potentially serious threat to the country’s economic well-being, as major in its way as terrorism. Indeed terrorists are also applying some of the same tricks and tools, either to obtain funds or to steal identities to gain entry to the US or Western Europe.

The underlying challenge then is to combat the fast growing and increasingly sophisticated trade in stolen documents, personal details and identities, whether the motive is direct financial gain, funding of other criminal activities, or terrorism. Given that there is little sign of an increase in detection rates, countermeasures have to focus on closing down the opportunities and making Internet fraud more difficult. This involves a combination of user education, improved surveillance, and stronger authentication of both users and transactions. All of this must be knotted together within a common sense approach that recognises how fraud is evolving and what the practical limitations of security are. There have been renewed calls for two-factor authentication to cut down on CNP fraud, either requiring a smartcard or some biometric to confirm the identity of the user. Most trials of such schemes have not led to wider adoption because they are too inconvenient for casual Internet shopping. However, one scheme proved more popular with participants, in which clicking to confirm a purchase elicited a phone call from the card issuer to confirm the user’s identity. Voice recognition software then kicked in to compare the voice against recorded samples. This form of biometric is
