Monday, August 18, 2008

Better Risk Management for Banking Industry

With the recent identify theft cases that are happening around the banking industry, a new regulation is going to be implemented for counter fight identity theft. Effective November 1, 2008, all federally regulated banks, credit card companies and other financial institutions will be required to be in full compliance with the Identity Theft Red Flags Rule, which is designed to financial services firms protect consumers' identities.. The goal of the rules is to "flag" attempted and actual identity theft early, thereby reducing consequences associated with identity theft.

Each institution's program must include policies and procedures for detecting, preventing and mitigating identity theft. Further, the program must set forth a list of red flag activities that signal possible identity theft and a response plan for when a flag is raised. In addition, each financial institution must update its program periodically to reflect changes in risks from identity theft and implement a risk management program as part of the ID Theft Red Flags regulation.

8 tips for a Better Risk Management:

1. Assess in detail the different products and service offering of a financial institution, and review which red flags and level of risk is applicable for that particular product or service offer for example, - "credit cards" need high level of monitoring as well as pose high risk as fraudulent activities are most likely.

2. Streamline automation and manual checks for red flag items where necessary.

3. Focus on the different channels through which these products and services are provided to end users. For example, online access over the internet is more risky when compared to physically going to the bank.

4. Spend different amount of attention on each product and service offering based on risk factor. High risk demands more attention.

5. Study the historical data of an institution for identifying fraud activities, patterns etc.

6. Integrate risk management to current security and privacy programs by adopting similar approach for conducting risk assessments for different departments within the enterprise and leveraging data from these individual risk assessments to another. This will help identify clearly which regulation has directly focused on the risk or red flag action item, without duplicating effort, then attacking and placing checks on the ones that are relevant.

7. Do not depend totally on the vendor or service bureau for putting checks and conducting their own risk assessment. Instead have a thorough risk assessment program initiated and implemented by the financial institution for its different service bureaus to ensure full proof check and updates.

8. Appoint a key person to take charge and ownership of the risk management process. This person will initiate annual risk program effectiveness, adopt a revision process, monitor and constantly analyze current industry situations and risk profile, appoint a committee for ensuring that appropriate program is deployed, making and proposing changes etc.
The Hacka Man

How to hack a Bank part 1?

This is going to be a very sensitive topic for the Banking industry, however I am not going to post any exploits or vulnerabilities of how to hack a bank, instead a high level overview of how to gain money from a bank. I am not going to write a long article on this as the story might go on and on.

Several months back, i was performing a penetration test for a large bank here. Although it was only a web penetration test, i was already starting to observe the banking environment, the technology used, the physical environment, their partners, ATM etc, to see if loopholes can discovered. Everyday at the bank, i made new friends and started talking to them to learn more about the banking environment and the job nature. At the end of the penetration test, I was thinking to publish an article of how to hack a bank, however, its either i am too lazy to do so or i can't be bothered. Today, I just feel like writing an article on it, just a sudden urge to do so.

In early days, the banking environment used to be a simple and closed environment whereby the only way to hack the bank is to rob the bank. There were no ATMs, no internet banking, no huge and complicated networks. To withdraw any money, the only way is to go to the bank's branch and fill up the withdraw form and provide your bank account passbook for updating purposes and the money is given to you. Mainframe is the backend system that does all the processing of the transactions, i think until this very day, it still prevails. Today, we are more advanced. We have internet banking without the need of any passbooks, we have ATMs, Credit and Debit cards, complex networks to interconnect multiple systems together, we have cash deposit machines, huge variations of databases and partners that might house the bank's data/information. So you see, it used to be maybe one or two doors opened. Today however, many possibilities are possible because of multiple doors being opened. We still have not factored in the physical site and environment. You might be surprise that this is one of the most easiest way to enter the bank.

A lot of people might think that hacking the bank is a tough job due to its tight security and controls, but you might be surprise that sometimes the weakest link is actually the easiest link. Stay tuned for part 2.

Disclaimer: The materials and information here are solely for educational purpose only. Do not attempt to hack a bank with knowledge acquired. Do not try at any bank.

The Hacka Man