e-banking & security
What are our customer’s expectations
What should be our security expectations
What are the challenges
e-banking
• Refers to financial services (which could be transactional, enquiry or payment services) provided to personal or business customers and delivered over the internet, wireless networks, automatic teller machines (ATMs), fixed telephone networks or other electronic terminals or devices *
• Internet banking, on the other hand, refers to financial services delivered over the internet to customer devices, including personal computers (desktop computers, laptop computers and notebook computers), mobile devices such as smartphones or tablet computers, or other devices
• * HKMA, Risk Management of E-Banking, 02.09.2015
What are our customer’s expectations
• Convenience
• Pricing for the services
• Intuitive experience
• Options/range of products
• Any time access
• Payment mode
• Data is collected and used as reported
• Data is safe and secure throughout its lifecycle
• System/service is sustainable
• Safety against cyber criminals & bad guys
• Compliance with regulations
What are the business’s security expectations
• Align to business goals and be an enabler
• Assist in meeting regulatory/compliance obligations
• Defend against potential threats and exploits
• Assess and communicate potential risk to management
What are the challenges
• Highly dynamic
• Security is not considered a core function
• Too many changes and minimal possible downtime
• Highly demanding business environment
• Trust is a key consideration
• Confidentiality | Integrity | Client side | Communication challenge
• Trust is dynamic
• Cyber security: by 2020, 60% of digital businesses will suffer major digital risk
What’s our digital landscape
• 15 million+ unique visitors per month
• 60% of which are from mobile devices
• Multibillion-dollar payment transactions using various payment options
• 10 million plus products
Attack vector and elements
1. Initial reconnaissance
2. Initial Compromise
3. Establish foothold
4. Escalate privileges
5. Internal Reconnaissance
6. Complete Mission
Initial compromise
Credential Harvesting
Lateral movement
Remote access
Data Exfiltration
Attack vector
Web server shell
Spear vishing
SQL injection
Social engineering